From 64843087be312a15bf876082cf26265b813afd9f Mon Sep 17 00:00:00 2001
From: h7x4 <h7x4@nani.wtf>
Date: Fri, 29 May 2026 12:58:12 +0900
Subject: [PATCH] kommode/gitea: only allow webhooks to external hosts

We don't have any servers with intranet IPs, and we want webhooks that
hook back to kommode to pass through its firewall.
---
 hosts/kommode/services/gitea/default.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hosts/kommode/services/gitea/default.nix b/hosts/kommode/services/gitea/default.nix
index d27b194..afd9778 100644
--- a/hosts/kommode/services/gitea/default.nix
+++ b/hosts/kommode/services/gitea/default.nix
@@ -139,6 +139,9 @@ in {
         AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
       };
       actions.ENABLED = true;
+      webhook.ALLOWED_HOST_LIST = lib.concatStringsSep "," [
+        "external"
+      ];
     };
 
     dump = {