2026-02-08 02:36:19 -08:00
|
|
|
worker_processes auto;
|
|
|
|
|
|
|
|
|
|
events {
|
|
|
|
|
worker_connections 1024;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
http {
|
|
|
|
|
include /etc/nginx/mime.types;
|
|
|
|
|
default_type application/octet-stream;
|
|
|
|
|
|
2026-02-08 10:05:38 -08:00
|
|
|
# JSON access log for Alloy to tail → Loki + metric extraction
|
|
|
|
|
log_format json_log escape=json
|
|
|
|
|
'{'
|
|
|
|
|
'"time":"$time_iso8601",'
|
|
|
|
|
'"remote_addr":"$remote_addr",'
|
2026-02-09 11:02:06 -08:00
|
|
|
'"client_ip":"$http_fly_client_ip",'
|
2026-02-08 10:05:38 -08:00
|
|
|
'"request_method":"$request_method",'
|
|
|
|
|
'"request_uri":"$request_uri",'
|
|
|
|
|
'"status":$status,'
|
|
|
|
|
'"body_bytes_sent":$body_bytes_sent,'
|
|
|
|
|
'"request_time":$request_time,'
|
|
|
|
|
'"upstream_response_time":"$upstream_response_time",'
|
|
|
|
|
'"upstream_cache_status":"$upstream_cache_status",'
|
|
|
|
|
'"http_host":"$http_host",'
|
|
|
|
|
'"http_user_agent":"$http_user_agent"'
|
|
|
|
|
'}';
|
|
|
|
|
access_log /var/log/nginx/access.json.log json_log;
|
|
|
|
|
|
2026-02-08 02:36:19 -08:00
|
|
|
# Rate limiting zones — define per-service zones as needed
|
2026-04-10 19:00:33 -07:00
|
|
|
limit_req_zone $http_fly_client_ip zone=general:10m rate=10r/s;
|
2026-02-08 02:36:19 -08:00
|
|
|
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
# Forge-specific rate limit keyed on real client IP (Fly-Client-IP header).
|
|
|
|
|
# $binary_remote_addr is Fly's internal proxy IP — all clients share one
|
|
|
|
|
# bucket. $http_fly_client_ip has the actual client IP.
|
|
|
|
|
limit_req_zone $http_fly_client_ip zone=forge_auth:10m rate=3r/s;
|
|
|
|
|
|
|
|
|
|
# fail2ban deny list — banned IPs are written here by fail2ban and
|
|
|
|
|
# checked via the $forge_banned variable. The file is touched at
|
|
|
|
|
# container start to ensure it exists.
|
|
|
|
|
geo $http_fly_client_ip $forge_banned {
|
|
|
|
|
default 0;
|
|
|
|
|
include /etc/nginx/forge-deny.conf;
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-08 02:36:19 -08:00
|
|
|
# Proxy cache: 200MB, evict after 24h of no access
|
|
|
|
|
proxy_cache_path /tmp/cache levels=1:2 keys_zone=services:10m
|
|
|
|
|
max_size=200m inactive=24h;
|
|
|
|
|
|
2026-02-09 07:01:58 -08:00
|
|
|
# MagicDNS resolver — using a variable in proxy_pass defers upstream DNS
|
2026-02-09 11:34:19 -08:00
|
|
|
# resolution to request time (not config time). Results are cached for
|
|
|
|
|
# 30s per worker to avoid per-request DNS lookups.
|
2026-02-09 07:01:58 -08:00
|
|
|
resolver 100.100.100.100 valid=30s;
|
|
|
|
|
resolver_timeout 5s;
|
|
|
|
|
|
2026-02-08 02:36:19 -08:00
|
|
|
# --- docs.eblu.me (static site) ---
|
|
|
|
|
server {
|
|
|
|
|
listen 8080;
|
|
|
|
|
server_name docs.eblu.me;
|
|
|
|
|
|
|
|
|
|
limit_req zone=general burst=20 nodelay;
|
|
|
|
|
|
2026-02-09 12:01:24 -08:00
|
|
|
# Serve a friendly error page when upstreams are unreachable
|
|
|
|
|
# (indri offline, Tailscale tunnel down, emergency shutoff, etc.)
|
|
|
|
|
# proxy_cache_use_stale still takes priority when cached content exists.
|
|
|
|
|
error_page 502 503 504 /error.html;
|
|
|
|
|
location = /error.html {
|
|
|
|
|
root /usr/share/nginx/html;
|
|
|
|
|
internal;
|
|
|
|
|
}
|
2026-02-08 02:36:19 -08:00
|
|
|
location / {
|
2026-02-09 07:01:58 -08:00
|
|
|
set $upstream_docs https://docs.tail8d86e.ts.net;
|
|
|
|
|
proxy_pass $upstream_docs$request_uri;
|
2026-02-08 02:36:19 -08:00
|
|
|
proxy_ssl_verify off;
|
|
|
|
|
proxy_ssl_server_name on;
|
2026-02-09 12:01:24 -08:00
|
|
|
proxy_intercept_errors on;
|
2026-02-08 02:36:19 -08:00
|
|
|
|
|
|
|
|
# Cache aggressively — static site only.
|
|
|
|
|
# Do NOT use these settings for dynamic services.
|
|
|
|
|
proxy_cache services;
|
|
|
|
|
proxy_cache_valid 200 1d;
|
|
|
|
|
proxy_cache_valid 404 1m;
|
|
|
|
|
proxy_cache_use_stale error timeout updating;
|
|
|
|
|
proxy_cache_lock on;
|
|
|
|
|
|
|
|
|
|
# Prevent cache-busting: ignore query strings and
|
|
|
|
|
# client cache-control headers.
|
|
|
|
|
# Safe for static sites; breaks dynamic services.
|
|
|
|
|
proxy_cache_key $host$uri;
|
|
|
|
|
proxy_ignore_headers Cache-Control Set-Cookie;
|
|
|
|
|
|
|
|
|
|
add_header X-Cache-Status $upstream_cache_status;
|
2026-02-12 17:08:22 -08:00
|
|
|
add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
|
2026-02-08 02:36:19 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-12 14:05:00 -08:00
|
|
|
# --- cv.eblu.me (static site) ---
|
|
|
|
|
server {
|
|
|
|
|
listen 8080;
|
|
|
|
|
server_name cv.eblu.me;
|
|
|
|
|
|
|
|
|
|
limit_req zone=general burst=20 nodelay;
|
|
|
|
|
|
|
|
|
|
error_page 502 503 504 /error.html;
|
|
|
|
|
location = /error.html {
|
|
|
|
|
root /usr/share/nginx/html;
|
|
|
|
|
internal;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
location / {
|
|
|
|
|
set $upstream_cv https://cv.tail8d86e.ts.net;
|
|
|
|
|
proxy_pass $upstream_cv$request_uri;
|
|
|
|
|
proxy_ssl_verify off;
|
|
|
|
|
proxy_ssl_server_name on;
|
|
|
|
|
proxy_intercept_errors on;
|
|
|
|
|
|
|
|
|
|
proxy_cache services;
|
|
|
|
|
proxy_cache_valid 200 1d;
|
|
|
|
|
proxy_cache_valid 404 1m;
|
|
|
|
|
proxy_cache_use_stale error timeout updating;
|
|
|
|
|
proxy_cache_lock on;
|
|
|
|
|
proxy_cache_key $host$uri;
|
|
|
|
|
proxy_ignore_headers Cache-Control Set-Cookie;
|
|
|
|
|
|
|
|
|
|
add_header X-Cache-Status $upstream_cache_status;
|
2026-02-12 17:08:22 -08:00
|
|
|
add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
|
2026-02-12 14:05:00 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
# --- forge.eblu.me (dynamic, authenticated) ---
|
|
|
|
|
server {
|
|
|
|
|
listen 8080;
|
|
|
|
|
server_name forge.eblu.me;
|
|
|
|
|
|
|
|
|
|
# Block fail2ban-banned IPs
|
|
|
|
|
if ($forge_banned) {
|
|
|
|
|
return 403 "Temporarily blocked. Try again later.\n";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# General rate limit — higher burst for git operations and CI webhooks
|
|
|
|
|
limit_req zone=general burst=50 nodelay;
|
|
|
|
|
|
|
|
|
|
# Git LFS and repo uploads can be large
|
|
|
|
|
client_max_body_size 512m;
|
|
|
|
|
|
|
|
|
|
# Security headers
|
|
|
|
|
add_header X-Frame-Options "DENY" always;
|
|
|
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
|
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
|
|
|
|
|
|
|
|
error_page 502 503 504 /error.html;
|
|
|
|
|
location = /error.html {
|
|
|
|
|
root /usr/share/nginx/html;
|
|
|
|
|
internal;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Block swagger API docs — use forge.ops.eblu.me from tailnet
|
|
|
|
|
location /swagger {
|
|
|
|
|
return 403 "API documentation is only available at forge.ops.eblu.me (tailnet).\n";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Rate-limit authentication endpoints
|
|
|
|
|
location ~ ^/user/(login|sign_up|forgot_password) {
|
|
|
|
|
limit_req zone=forge_auth burst=5 nodelay;
|
|
|
|
|
|
|
|
|
|
set $upstream_forge https://forge.tail8d86e.ts.net;
|
|
|
|
|
proxy_pass $upstream_forge$request_uri;
|
|
|
|
|
proxy_ssl_verify off;
|
|
|
|
|
proxy_ssl_server_name on;
|
|
|
|
|
proxy_intercept_errors on;
|
|
|
|
|
|
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
|
proxy_set_header X-Real-IP $http_fly_client_ip;
|
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
|
|
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
|
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Selectively cache static assets only
|
|
|
|
|
location ~* \.(css|js|png|jpg|svg|woff2?)$ {
|
|
|
|
|
set $upstream_forge_static https://forge.tail8d86e.ts.net;
|
|
|
|
|
proxy_pass $upstream_forge_static$request_uri;
|
|
|
|
|
proxy_ssl_verify off;
|
|
|
|
|
proxy_ssl_server_name on;
|
|
|
|
|
|
|
|
|
|
proxy_cache services;
|
|
|
|
|
proxy_cache_valid 200 7d;
|
|
|
|
|
proxy_cache_key $host$uri;
|
|
|
|
|
|
|
|
|
|
add_header X-Cache-Status $upstream_cache_status;
|
|
|
|
|
add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
location / {
|
|
|
|
|
set $upstream_forge https://forge.tail8d86e.ts.net;
|
|
|
|
|
proxy_pass $upstream_forge$request_uri;
|
|
|
|
|
proxy_ssl_verify off;
|
|
|
|
|
proxy_ssl_server_name on;
|
|
|
|
|
proxy_intercept_errors on;
|
|
|
|
|
|
|
|
|
|
# NO proxy_cache — dynamic content with sessions
|
|
|
|
|
|
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
|
proxy_set_header X-Real-IP $http_fly_client_ip;
|
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
|
|
|
|
|
|
# WebSocket support (Forgejo uses it for live updates)
|
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
|
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
|
|
|
|
|
|
add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-08 02:36:19 -08:00
|
|
|
# Catch-all: reject unknown hosts, but serve health check
|
|
|
|
|
server {
|
|
|
|
|
listen 8080 default_server;
|
|
|
|
|
|
|
|
|
|
location /healthz {
|
|
|
|
|
return 200 "ok\n";
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-08 10:05:38 -08:00
|
|
|
location /stub_status {
|
|
|
|
|
stub_status;
|
|
|
|
|
allow 127.0.0.1;
|
|
|
|
|
deny all;
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-08 02:36:19 -08:00
|
|
|
location / {
|
|
|
|
|
return 444;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|