From bfa119df31f2fabb2395d46d8a497433d14be218 Mon Sep 17 00:00:00 2001
From: Mohammad Rafiq <rafiq@rrv.sh>
Date: Fri, 20 Jun 2025 08:26:01 +0800
Subject: [PATCH] feat(nixos/forgejo): open firewall if enabled

---
 modules/nixos/server/web-apps/forgejo/default.nix | 3 ++-
 systems/x86_64-linux/apollo/default.nix           | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/nixos/server/web-apps/forgejo/default.nix b/modules/nixos/server/web-apps/forgejo/default.nix
index 7f6cd9a..e7f4d9f 100644
--- a/modules/nixos/server/web-apps/forgejo/default.nix
+++ b/modules/nixos/server/web-apps/forgejo/default.nix
@@ -1,6 +1,6 @@
 { config, lib, ... }:
 let
-  inherit (lib) singleton;
+  inherit (lib) singleton optional;
   inherit (lib.pantheon) mkPortOption;
   inherit (lib.pantheon.modules) mkWebApp;
   cfg = config.server.web-apps.forgejo;
@@ -18,6 +18,7 @@ mkWebApp {
     sshPort = mkPortOption 2222;
   };
   extraConfig = {
+    networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.sshPort;
     services.forgejo = {
       enable = true;
       settings = {
diff --git a/systems/x86_64-linux/apollo/default.nix b/systems/x86_64-linux/apollo/default.nix
index 79f9ac3..8a7ca24 100644
--- a/systems/x86_64-linux/apollo/default.nix
+++ b/systems/x86_64-linux/apollo/default.nix
@@ -34,6 +34,7 @@
       librechat.domain = "chat.bwfiq.com";
       forgejo.enable = true;
       forgejo.domain = "git.rrv.sh";
+      forgejo.openFirewall = true;
       glance.enable = true;
       glance.domain = "glance.bwfiq.com";
     };