services/gitlab: init ssh

services/gitlab.nix

@@ -41,6 +41,8 @@
         port = 443;
 
         statePath = "/persist/gitlab";
+        user = "git";
+        databaseUsername = "git";
 
         initialRootPasswordFile = "/persist/secrets/gitlab-root";
         secrets.secretFile = "/persist/secrets/gitlab-secret";
@@ -113,6 +115,16 @@
         };
       };
 
+      services.openssh.enable = true;
+      services.openssh.passwordAuthentication = false;
+
+      users.users.git = {
+        isSystemUser = true;
+        group = "gitlab";
+        home = "/persist/gitlab/home";
+        uid = 165;
+      };
+
       services.coredns = {
         enable = true;
         config = ''
@@ -124,6 +136,12 @@
     })).config.system.build.toplevel;
   };
 
+  hexchen.nftables.nat.forwardPorts = [{
+    ports = [ 22 ];
+    destination = "${config.containers.gitlab.localAddress}:22";
+    proto = "tcp";
+  }];
+
   services.nginx.virtualHosts."gitlab.infra4future.de" = {
     locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80";
     locations."/".extraConfig = ''