You might consider keeping your repo in an web/http directory for pulling and having your other users submit patches to you via eg email. That way you don't need ssh exposed to the public internet at all. That's how I have my self hosted git repos set up anyway.
On Thu, Jul 27, 2023 at 09:24:56AM +0900, lain. wrote: > I have a pretty nifty network setup that allows me to host from home via > WireGuard. > But there's one thing I'm struggling with. > Because for security reasons, I made it impossible for people outside > the network to connect via SSH, but for Git to function properly, I need > to allow SSH only for git@(DOMAIN) or git@(PUBLIC IP), and redirect that > to my home network so they can do stuff like "git pull", "git push", and > all the other fancy stuff. > > My pf.conf rules look like this: > > pass in quick on wg0 proto tcp from 192.168.0.0/24 to any port 22 > > pass in on $externalinterface proto tcp from any to $externalip port 22 > > rdr-to $internalip > > block in quick on egress proto tcp from any to any port 22 > > And my sshd_config: > > AllowUsers firstname.lastname@example.org/24 > > AllowUsers git@(DOMAIN) > > AllowUsers git@(PUBLIC IP) > > Where exactly am I doing wrong here?