From 397d4fcc4826d25253af8b47a4aa18d992802d7e Mon Sep 17 00:00:00 2001
From: Nelis
Date: Sat, 28 Mar 2026 10:51:33 +0000
Subject: [PATCH] Fix Forgejo SSH passthrough: use -u git and correct app.ini path docker exec needs -u git to avoid running as root (Forgejo refuses root), and the config path inside the container is /data/gitea/conf/app.ini.
Co-Authored-By: Claude Opus 4.6
---
 playbook.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/playbook.yml b/playbook.yml
index 4ceab28..f09dbdf 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -252,7 +252,7 @@
 mode: '0755'
 content: |
 #!/bin/sh
- /usr/bin/docker exec -i --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" forgejo sh "$@"
+ /usr/bin/docker exec -i -u git --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" forgejo sh "$@"
 - name: Create git user for Forgejo
 ansible.builtin.user:
@@ -281,7 +281,7 @@
 content: |
 Match User git
 AuthorizedKeysCommandUser git
- AuthorizedKeysCommand /usr/bin/docker exec -i forgejo /usr/local/bin/gitea keys -c /etc/gitea/app.ini -e git -u %u -t %t -k %k
+ AuthorizedKeysCommand /usr/bin/docker exec -i -u git forgejo /usr/local/bin/gitea keys -c /data/gitea/conf/app.ini -e git -u %u -t %t -k %k
 notify: restart sshd
 - name: Generate Pangolin secret
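Review bot: The shim on the added line of the first hunk still needs the host account that runs it (presumably git) to reach the Docker daemon, and `-u git` only lowers privilege inside the container, not on the host. The second hunk runs `docker exec` the same way under `AuthorizedKeysCommandUser git`. How that access is granted is not visible here, because the task that writes the script starts above the hunk and the body of `Create git user for Forgejo` continues below it; if it is docker group membership, that is root-equivalent on the host. I would record it next to the task with a YAML comment such as `# host user git must reach the Docker daemon to run this shim; docker group membership is root-equivalent on the host`.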
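Review bot: The `-c /data/gitea/conf/app.ini` argument on the added `AuthorizedKeysCommand` line of the second hunk is a literal tied to the container image's file layout, and the value it replaces shows how it can drift; a wrong path presumably shows up only as rejected public-key logins for git. Defining it once as a playbook variable, e.g. `-c {{ forgejo_app_ini }}` (the name is a suggestion, not something the playbook defines), would keep it next to the image choice. The task's module and its options above `content:` are outside the hunk, so it is not visible whether the file is checked with `validate: /usr/sbin/sshd -t -f %s` before `restart sshd` is notified; if not, that is worth adding.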