feat(provision): open :22 for the canonical git endpoint

The VM's admin sshd is on :222, so :22 is free for Forgejo's git-over-SSH. Opening
it makes the scp-form clone `git@git.olsitec.net:olsitec/...` work — Forgejo's sshd
ForceCommands `serv`, so :22 only ever does git (like github.com:22). :2222 stays
open too (CONTRACT_001 forgeSshPort).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Andreas Niemann 2026-06-30 22:31:13 +02:00
parent 3a297d021e
commit d5c53ce9a2


@ -76,6 +76,10 @@ const firewall = new hcloud.Firewall(
{ direction: "in", protocol: "tcp", port: "443", sourceIps: ["0.0.0.0/0", "::/0"] }, { direction: "in", protocol: "tcp", port: "443", sourceIps: ["0.0.0.0/0", "::/0"] },
// Forgejo git-over-SSH (CONTRACT_001 forgeSshPort) // Forgejo git-over-SSH (CONTRACT_001 forgeSshPort)
{ direction: "in", protocol: "tcp", port: "2222", sourceIps: ["0.0.0.0/0", "::/0"] }, { direction: "in", protocol: "tcp", port: "2222", sourceIps: ["0.0.0.0/0", "::/0"] },
// Forgejo git-over-SSH on :22 too — the VM's admin sshd is on 222, so :22 is
// free for the canonical git endpoint, making the scp-form clone
// `git@git.olsitec.net:olsitec/...` work (Forgejo sshd ForceCommands `serv`).
{ direction: "in", protocol: "tcp", port: "22", sourceIps: ["0.0.0.0/0", "::/0"] },
{ direction: "in", protocol: "icmp", sourceIps: ["0.0.0.0/0", "::/0"] }, { direction: "in", protocol: "icmp", sourceIps: ["0.0.0.0/0", "::/0"] },
], ],
}, },
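
Review bot: the new `port: "22"` rule is open to `0.0.0.0/0` and `::/0`, and whether that is safe depends on two host-side facts this file does not enforce: that the admin sshd is on 222, and that the listener on 22 is Forgejo's sshd with the `serv` ForceCommand. If the VM is rebuilt, or boots before the admin sshd has been moved off its default port, this rule exposes the administrative SSH daemon to the internet. Suggest pointing the comment at the place where the admin sshd port is set, or deriving both from one shared constant, so a change on either side is caught in review. Also, the 2222 rule cites CONTRACT_001 forgeSshPort while 22 is a bare literal; recording the second port in the contract would keep both open git ports documented in one place.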