How do I set process capabilities?

I’ve moved SSH on my machine to a different port and am now trying to let gitea listen on 22 for git push.

I don’t see any information about how to allow a non-root user to open a low-numbered port in NixOS. What do I need to do?

CAP_NET_BIND_SERVICE

Random example: https://github.com/NixOS/nixpkgs/blob/aeeed6a5176df8e44098761e74e64a13d88b8aa9/nixos/modules/services/web-servers/caddy.nix

ah, neat! How would I go about that as a user of the gitea config? I’m not sure what overrides I’d need to specify.

I have never used the gitea built-in SSH server, but after taking a quick glance at the documentation you probably have something like this in your configuration.nix already:

services.gitea.extraConfig = ''
  [server]
  START_SSH_SERVER = true
  SSH_LISTEN_PORT = 22
'';

Assuming gitea doesn’t have a separate executable for the built-in SSH server, you should add something like this to your configuration.nix:

systemd.services.gitea.serviceConfig = {
  AmbientCapabilities = "cap_net_bind_service";
  CapabilityBoundingSet = "cap_net_bind_service";
};

Let me know if it works :+1:
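An added example, not part of the thread above: a script that decodes the capability masks the kernel reports in /proc/<pid>/status and checks that a service is non-root, holds cap_net_bind_service (bit 10) in its effective set, and has a bounding set containing nothing else, which is what the AmbientCapabilities/CapabilityBoundingSet pair above is meant to produce. The status excerpts embedded below are constructed; the service name gitea and the systemctl command in the comment are assumptions for a live check.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). On a live NixOS host, feed the real
# status file instead of the constructed sample, e.g.:
#   check_status "$(cat /proc/$(systemctl show -p MainPID --value gitea)/status)"
set -eu

CAP_NET_BIND_SERVICE=10   # bit index from <linux/capability.h>

# has_cap HEXMASK BIT: succeeds when BIT is set in the 64-bit hex mask
has_cap() {
  [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_count HEXMASK: prints how many capabilities the mask grants (popcount)
cap_count() {
  v=$(( 0x$1 )); n=0; i=0
  while [ "$i" -lt 64 ]; do n=$(( n + ((v >> i) & 1) )); i=$(( i + 1 )); done
  echo "$n"
}

# field STATUS_TEXT KEY: second column of the "KEY:" line (Uid, CapEff, ...)
field() {
  printf '%s\n' "$1" | awk -v k="$2:" '$1 == k {print $2}'
}

# check_status STATUS_TEXT: succeeds only when the process is non-root, has
# cap_net_bind_service effective, and the bounding set holds exactly one cap
check_status() {
  uid=$(field "$1" Uid); capeff=$(field "$1" CapEff); capbnd=$(field "$1" CapBnd)
  [ "$uid" != 0 ] || { echo "FAIL: process runs as root"; return 1; }
  has_cap "$capeff" "$CAP_NET_BIND_SERVICE" \
    || { echo "FAIL: cap_net_bind_service not in effective set"; return 1; }
  [ "$(cap_count "$capbnd")" -eq 1 ] \
    || { echo "FAIL: bounding set grants $(cap_count "$capbnd") capabilities, expected 1"; return 1; }
  echo "OK: uid $uid holds only cap_net_bind_service"
}

# Constructed /proc/<pid>/status excerpts: a correctly confined gitea, and a
# daemon running as root with the full capability set (41 caps on recent kernels)
GOOD_STATUS=$(printf 'Name:\tgitea\nUid:\t998\t998\t998\t998\nCapInh:\t0000000000000400\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\nCapBnd:\t0000000000000400\nCapAmb:\t0000000000000400\n')
BAD_STATUS=$(printf 'Name:\tsshd\nUid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n')

check_status "$GOOD_STATUS"
check_status "$BAD_STATUS" || true
```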


thank you so much, that works great :smile:

I forgot that you can merge stuff like that! So great.