From 657e1e4697c22f4f82985844b3d8ad2535e6ec49 Mon Sep 17 00:00:00 2001
From: William
Date: Mon, 16 Feb 2026 00:07:36 -0300
Subject: [PATCH] fix forgejo on trantor
---
 aspects/hosts/_trantor/forgejo.nix | 7 ++++++-
 aspects/hosts/_trantor/nginx.nix | 2 --
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/aspects/hosts/_trantor/forgejo.nix b/aspects/hosts/_trantor/forgejo.nix
index 1112622..6d702e2 100644
--- a/aspects/hosts/_trantor/forgejo.nix
+++ b/aspects/hosts/_trantor/forgejo.nix
@@ -21,6 +21,8 @@ in
 ROOT_URL = "https://git.baduhai.dev";
 OFFLINE_MODE = true; # disable use of CDNs
 SSH_DOMAIN = "git.baduhai.dev";
+ SSH_USER = "forgejo";
+ SSH_PORT = lib.head config.services.openssh.ports;
 };
 log.LEVEL = "Warn";
 mailer.ENABLED = false;
@@ -67,5 +69,8 @@ in
 };
 # Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
- systemd.services.forgejo.serviceConfig.PrivateMounts = lib.mkForce false;
+ systemd.services.forgejo.serviceConfig = {
+ PrivateMounts = lib.mkForce false;
+ ProtectSystem = lib.mkForce false;
+ };
 }
diff --git a/aspects/hosts/_trantor/nginx.nix b/aspects/hosts/_trantor/nginx.nix
index eccfb12..24f96c3 100644
--- a/aspects/hosts/_trantor/nginx.nix
+++ b/aspects/hosts/_trantor/nginx.nix
@@ -8,10 +8,8 @@ let
 services = inputs.self.services;
- # Get all unique domains from shared services on trantor (host = "trantor")
 localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "trantor") services));
- # Generate ACME cert configs for all local domains
 acmeCerts = lib.genAttrs localDomains (domain: {
 group = "nginx";
 });
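Review bot: In the first forgejo.nix hunk, `SSH_PORT = lib.head config.services.openssh.ports;` takes whichever port is listed first and fails evaluation if that list is ever empty, and nothing on the line says why the host sshd port is the right value. Together with `SSH_USER = "forgejo"` this looks like git-over-SSH being served by the host's OpenSSH daemon rather than a Forgejo-internal server, so the forgejo account's exposure depends on sshd settings that are not visible in this hunk (key-only authentication, any AllowUsers list). I would add a comment above the two lines, e.g. `# git over SSH goes through the host sshd as user forgejo; port follows services.openssh.ports`, and confirm the sshd configuration permits that user with keys only. The settings block starts and ends outside the hunk.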
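Review bot: `ProtectSystem = lib.mkForce false;` in the second forgejo.nix hunk switches off the unit's read-only filesystem protection entirely, while the comment above the block still explains only PrivateMounts. Forgejo is a network-facing service that handles untrusted repository content, so after this change a compromised process is limited only by ordinary Unix permissions. If one specific path has to be writable, keeping the module's ProtectSystem value and adding that path is narrower, for example `ReadWritePaths = [ "<path forgejo must write>" ];` (placeholder; the path that actually failed is not visible here). If the override really is required, extend the comment to say what breaks with ProtectSystem enabled, so the hardening can be restored later.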