From a00a888676b60376d780bcc1e31f0d10cb0fd6e8 Mon Sep 17 00:00:00 2001 From: Nathan Date: Sun, 1 Feb 2026 08:15:13 -0600 Subject: [PATCH] route gitea ssh through traefik --- .../virtualization/containers/gitea/default.nix | 13 ------------- .../docker/traefik/config/routing.yml | 15 ++++++++++++++- .../docker/traefik/config/traefik.yml | 2 ++ system/virtualization/docker/traefik/default.nix | 3 ++- 4 files changed, 18 insertions(+), 15 deletions(-) diff --git a/system/virtualization/containers/gitea/default.nix b/system/virtualization/containers/gitea/default.nix index baf70bd..c839643 100644 --- a/system/virtualization/containers/gitea/default.nix +++ b/system/virtualization/containers/gitea/default.nix @@ -8,8 +8,6 @@ config = lib.mkIf config.sysconfig.containers.gitea.enable { networking = { - hosts."192.168.100.20" = [ "gitea.esotericbytes.com" ]; - nat.internalInterfaces = [ "ve-gitea" ]; }; @@ -17,10 +15,6 @@ "gitea/dbpass" = {}; }; - networking.firewall.allowedTCPPorts = [ - 2222 - ]; - containers.gitea = { autoStart = true; @@ -28,13 +22,6 @@ hostAddress = "192.168.100.10"; localAddress = "192.168.100.20"; - forwardPorts = [ - { - containerPort = 2222; - hostPort = 2222; - } - ]; - bindMounts = { "/etc/gitea/data" = { hostPath = "/ssd1/Gitea/data"; diff --git a/system/virtualization/docker/traefik/config/routing.yml b/system/virtualization/docker/traefik/config/routing.yml index f770930..288981c 100644 --- a/system/virtualization/docker/traefik/config/routing.yml +++ b/system/virtualization/docker/traefik/config/routing.yml @@ -42,4 +42,17 @@ http: loadBalancer: servers: - url: "http://192.168.100.20:3000" - + +tcp: + routers: + gitea-ssh: + entryPoints: + - "gitea-ssh" + rule: "HostSNI(`*`)" + service: "gitea-ssh" + + services: + gitea-ssh: + loadBalancer: + servers: + - address: "192.168.100.20:2222" diff --git a/system/virtualization/docker/traefik/config/traefik.yml b/system/virtualization/docker/traefik/config/traefik.yml index 8b94a2a..a22c5bf 100644 
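Review bot: The new `gitea-ssh` TCP service in routing.yml forwards to `192.168.100.20:2222` without passing the client address along, so Gitea will presumably see every SSH connection as coming from Traefik. That weakens audit logs and any per-source throttling or banning on the Gitea side. The catch-all HostSNI rule is the expected form for a non-TLS protocol such as SSH, so the rule itself is fine. If the deployed Traefik version supports it and Gitea's built-in SSH server is in use, consider adding `proxyProtocol:` with `version: 2` under `loadBalancer` and setting `SSH_SERVER_USE_PROXY_PROTOCOL = true` in Gitea; both ends must be switched together or connections will fail. A comment above the router, such as `# plain TCP, no TLS: SSH carries no SNI, so the catch-all rule is required`, would help the next reader.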
--- a/system/virtualization/docker/traefik/config/traefik.yml +++ b/system/virtualization/docker/traefik/config/traefik.yml @@ -52,6 +52,8 @@ entryPoints: main: "esotericbytes.com" sans: - "*.esotericbytes.com" + gitea-ssh: + address: ":2222" log: level: "INFO" diff --git a/system/virtualization/docker/traefik/default.nix b/system/virtualization/docker/traefik/default.nix index b69d930..f9c5b2b 100644 --- a/system/virtualization/docker/traefik/default.nix +++ b/system/virtualization/docker/traefik/default.nix @@ -7,7 +7,7 @@ config = lib.mkIf (config.sysconfig.docker.traefik.enable && config.sysconfig.docker.enable) { - networking.firewall.allowedTCPPorts = [ 80 81 443 444 ]; + networking.firewall.allowedTCPPorts = [ 80 81 443 444 2222 ]; sops.secrets = { "traefik/cf_email" = {}; @@ -60,6 +60,7 @@ "81:81" "443:443" "444:444" + "2222:2222" ]; labels = {
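Review bot: Adding 2222 to `networking.firewall.allowedTCPPorts` and publishing `"2222:2222"` (the ports hunk further down in traefik/default.nix) exposes Gitea SSH on every host interface. With Docker's default iptables handling, a published port is usually reachable whatever the NixOS firewall list says, so the publish line is what actually controls exposure. If SSH is only meant for a limited network, bind the publish to one address, e.g. `"<HOST_LAN_IP>:2222:2222"` (placeholder), or narrow the `gitea-ssh` entrypoint address in traefik.yml from `":2222"`. If it is meant to be public, a comment saying so next to the port would make the intent reviewable. The `config = lib.mkIf …` block and the ports list both start outside these hunks, so the surrounding options are not visible here.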