ssh config for git

modules/services/gitea.nix

@@ -27,7 +27,7 @@ in
         service.DISABLE_REGISTRATION = true;
         server.DOMAIN = cfg.fqdn;
         server.ROOT_URL = "https://${cfg.fqdn}";
-        server.DISABLE_SSH = true;
+        #server.DISABLE_SSH = true;
       };
     };
     services.nginx.virtualHosts."${cfg.fqdn}" = {

systems/amd-server-vm/configuration.nix

@@ -157,6 +157,17 @@
     };
   };
 
+  services.openssh.extraConfig = ''
+    # Internal network: allow everyone
+    Match Address 192.168.2.0/24,192.168.0.0/24
+        AllowUsers *
+
+    # Everything else (internet): only git user
+    Match Address *,!192.168.2.0/24,!192.168.0.0/24
+        PermitRootLogin no
+        AllowUsers gitea
+  '';
+
   virtualisation.vmware.guest.enable = true;
   services.xserver.videoDrivers = [ "vmware" ];
   environment.systemPackages = with pkgs; [