Hello all! Yesterday I started hosting forgejo, and in order to clone repos outside my home network through ssh://, I seem to need to open a port for it in my router. Is that safe to do? I can’t use a vpn because I am sharing this with a friend. Here’s a sample docker compose file:

version: "3"

networks:
  forgejo:
    external: false

services:
  server:
    image: codeberg.org/forgejo/forgejo:7
    container_name: forgejo
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - FORGEJO__database__DB_TYPE=postgres
      - FORGEJO__database__HOST=db:5432
      - FORGEJO__database__NAME=forgejo
      - FORGEJO__database__USER=forgejo
      - FORGEJO__database__PASSWD=forgejo
    restart: always
    networks:
      - forgejo
    volumes:
      - ./forgejo:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "3000:3000"
      - "222:22" # <- port 222 is the one I'd open, in this case
    depends_on:
      - db

  db:
    image: postgres:14
    restart: always
    environment:
      - POSTGRES_USER=forgejo
      - POSTGRES_PASSWORD=forgejo
      - POSTGRES_DB=forgejo
    networks:
      - forgejo
    volumes:
      - ./postgres:/var/lib/postgresql/data

And to clone I’d do

git clone ssh://git@<my router ip>:<the port I opened, in this case 222>/path/to/repo

Is that safe?

EDIT: Thank you for your answers. I have come to the conclusion that, regardless of whether it is safe, it doesn’t make sense to increase the attack surface when I can just use https and tokens, so that’s what I am going to do.

  • rutrum@lm.paradisus.day
    link
    fedilink
    English
    arrow-up
    7
    ·
    6 months ago

    You can also use p2p mesh vpn services like zerotier or tailscale to establish a direct connection without opening any port in the router at all.

    • gurapoku@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      6 months ago

      A good suggestion, but it would still be hasslesome to setup. Plus, my friend would have to connect to the vpn whenever he wants to push/pull the repo

      • BearOfaTime@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        6 months ago

        Tailscale has the Funnel feature which doesn’t require your friends use the client.

      • rutrum@lm.paradisus.day
        link
        fedilink
        English
        arrow-up
        1
        ·
        6 months ago

        Yes everyone would need a client (probably?) but after having recently set it up the first time, its incredibly simple.