2026-02-08 02:36:19 -08:00
|
|
|
worker_processes auto;
|
|
|
|
|
|
|
|
|
|
events {
|
|
|
|
|
worker_connections 1024;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
http {
|
|
|
|
|
include /etc/nginx/mime.types;
|
|
|
|
|
default_type application/octet-stream;
|
|
|
|
|
|
2026-02-08 10:05:38 -08:00
|
|
|
# JSON access log for Alloy to tail → Loki + metric extraction
|
|
|
|
|
log_format json_log escape=json
|
|
|
|
|
'{'
|
|
|
|
|
'"time":"$time_iso8601",'
|
|
|
|
|
'"remote_addr":"$remote_addr",'
|
2026-02-09 11:02:06 -08:00
|
|
|
'"client_ip":"$http_fly_client_ip",'
|
2026-02-08 10:05:38 -08:00
|
|
|
'"request_method":"$request_method",'
|
|
|
|
|
'"request_uri":"$request_uri",'
|
|
|
|
|
'"status":$status,'
|
|
|
|
|
'"body_bytes_sent":$body_bytes_sent,'
|
|
|
|
|
'"request_time":$request_time,'
|
|
|
|
|
'"upstream_response_time":"$upstream_response_time",'
|
|
|
|
|
'"upstream_cache_status":"$upstream_cache_status",'
|
|
|
|
|
'"http_host":"$http_host",'
|
|
|
|
|
'"http_user_agent":"$http_user_agent"'
|
|
|
|
|
'}';
|
|
|
|
|
access_log /var/log/nginx/access.json.log json_log;
|
|
|
|
|
|
2026-02-08 02:36:19 -08:00
|
|
|
# Rate limiting zones — define per-service zones as needed
|
2026-04-10 19:00:33 -07:00
|
|
|
limit_req_zone $http_fly_client_ip zone=general:10m rate=10r/s;
|
2026-02-08 02:36:19 -08:00
|
|
|
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
# Forge-specific rate limit keyed on real client IP (Fly-Client-IP header).
|
|
|
|
|
# $binary_remote_addr is Fly's internal proxy IP — all clients share one
|
|
|
|
|
# bucket. $http_fly_client_ip has the actual client IP.
|
|
|
|
|
limit_req_zone $http_fly_client_ip zone=forge_auth:10m rate=3r/s;
|
|
|
|
|
|
C1: deploy adelaide-baby-shower-app to ringtail k3s (#349)
## Summary
Brings up the Adelaide / Heidi / Addie baby shower app on ringtail k3s with the public/private split that the app's hosting contract calls for: `shower.eblu.me` (public, via Fly proxy) and `shower.ops.eblu.me` (tailnet). App is consumed as a wheel from the Forgejo PyPI index — source lives at [`adelaide-baby-shower-app`](https://forge.eblu.me/eblume/adelaide-baby-shower-app).
### What's included
- **ArgoCD app + manifests** under `argocd/manifests/shower/` (deployment, service, ProxyGroup ingress, ConfigMap for `DJANGO_DEBUG`/`DJANGO_ADMIN_URL`, ExternalSecret for `DJANGO_SECRET_KEY` from 1Password item `Shower (blumeops)`, NFS PV on sifaka, RWX media PVC, RWO local-path data PVC for SQLite). Recreate rollout because SQLite is single-writer.
- **Public surface** (`fly/`): new `shower.eblu.me` server block proxying to `shower.ops.eblu.me`. `/admin/` returns 403 at the edge except `/admin/login/` and `/admin/logout/`, which are rate-limited via a new `shower_auth` zone. `X-Clacks-Overhead` on. GNU Terry Pratchett.
- **fail2ban** filter (`shower-admin-login.conf`) matching 401/403/429 on `/admin/login/` and jail (`shower.conf`) with `maxretry=5/findtime=600/bantime=3600`. The `nginx-deny` action was generalized to take a per-jail `nginx_deny_file` so the shower has its own deny list (forge keeps using the legacy default).
- **Caddy** route on indri (`shower.ops.eblu.me` → `https://shower.tail8d86e.ts.net`).
- **Pulumi** Gandi CNAME `shower.eblu.me → blumeops-proxy.fly.dev.`.
- **Grafana** APM dashboard `configmap-shower-apm.yaml` (request rate, error rate, failed admin login count, latency percentiles, bandwidth, access logs) mirroring `docs-apm.json` with a `host="shower.eblu.me"` filter.
- **Container** `containers/shower/default.nix` — `dockerTools.buildLayeredImage` with a nixpkgs Python and a startup wrapper that creates `/app/data/.venv`, pip-installs `adelaide-baby-shower-app==1.0.0` from the forge PyPI index on first boot, runs migrations + collectstatic, and execs gunicorn. A `local_settings.py` shim pins `DATABASES.NAME`/`MEDIA_ROOT`/`STATIC_ROOT` to absolute paths so they don't end up in site-packages.
- **Docs** runbook at `docs/how-to/operations/shower-app.md` linked from the apps registry, plus changelog fragments.
### Defense layers on the public surface
1. fly nginx geo+fail2ban `$shower_banned` (per-service deny list)
2. fly nginx `limit_req zone=shower_auth` (3 r/s per Fly-Client-IP)
3. django-axes (5 fails / 1h, keyed on username+ip_address)
4. edge `/admin/` block (returns 403 for anything that isn't login/logout)
## Prerequisites for the user to do (NOT in this PR)
Halted on these per request — they touch shared/manual systems:
- [x] **NFS share** on sifaka: `/volume1/shower`, NFS rule for ringtail RW, `chown 1000:1000`
- [ ] **1Password item** `Shower (blumeops)` in the blumeops vault with a freshly minted `secret-key` field (`openssl rand -base64 48`) — do NOT reuse anything that has lived in git
- [ ] **Container build**: `mise run container-build-and-release shower`, then update `images[].newTag` in `argocd/manifests/shower/kustomization.yaml` to the resulting `v1.0.0-<sha>-nix`
- [x] **DNS**: `mise run dns-up` after merge
- [x] **Fly cert**: `fly certs add shower.eblu.me -a blumeops-proxy`
- [ ] **Caddy push**: `mise run provision-indri -- --tags caddy`
- [ ] **Fly redeploy** to pick up the new nginx block + fail2ban jail: `mise run fly-deploy`
- [ ] **ArgoCD sync**: `argocd app set shower --revision shower-app-deploy && argocd app sync shower` to test from this branch before merging
## Test plan
- [ ] Container builds successfully on nix-container-builder runner
- [ ] Pod starts, migrations run, gunicorn answers on :8000
- [ ] `kubectl --context=k3s-ringtail -n shower logs deploy/shower` clean
- [ ] `curl -sf https://shower.ops.eblu.me/` returns the splash page (tailnet)
- [ ] `curl -I -H "Host: shower.eblu.me" https://blumeops-proxy.fly.dev/` returns 200 (pre-DNS verification)
- [ ] `curl -I -H "Host: shower.eblu.me" https://blumeops-proxy.fly.dev/admin/users/` returns 403 (edge block)
- [ ] `curl -I -H "Host: shower.eblu.me" https://blumeops-proxy.fly.dev/admin/login/` returns a Django login response
- [ ] After DNS is up: `curl -I https://shower.eblu.me/` returns 200 with `X-Clacks-Overhead`
- [ ] Grafana dashboard "Shower APM" appears and starts showing traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/349
2026-05-11 13:47:18 -07:00
|
|
|
# Shower-specific zone: loose enough that ~30 guests sharing a single
|
|
|
|
|
# venue-wifi NAT'd public IP can all scan the QR and load the splash
|
|
|
|
|
# (HTML + a handful of static asset hits each) without anyone tripping
|
|
|
|
|
# the limit. 50r/s + burst=200 covers the simultaneous-load spike;
|
|
|
|
|
# exploit scanners still trip it (e.g. the .env-sweeping bot we saw
|
|
|
|
|
# fired ~30 req in 2s — that pattern stays caught). See the
|
|
|
|
|
# shower.eblu.me server block for the matching `limit_req`.
|
|
|
|
|
limit_req_zone $http_fly_client_ip zone=shower_general:10m rate=50r/s;
|
|
|
|
|
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
# fail2ban deny list — banned IPs are written here by fail2ban and
|
|
|
|
|
# checked via the $forge_banned variable. The file is touched at
|
|
|
|
|
# container start to ensure it exists.
|
|
|
|
|
geo $http_fly_client_ip $forge_banned {
|
|
|
|
|
default 0;
|
|
|
|
|
include /etc/nginx/forge-deny.conf;
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-08 02:36:19 -08:00
|
|
|
# Proxy cache: 200MB, evict after 24h of no access
|
|
|
|
|
proxy_cache_path /tmp/cache levels=1:2 keys_zone=services:10m
|
|
|
|
|
max_size=200m inactive=24h;
|
|
|
|
|
|
2026-04-17 15:27:40 -07:00
|
|
|
# WebSocket-aware Connection header. Only send "upgrade" when the client
|
2026-04-17 16:39:52 -07:00
|
|
|
# actually requests a protocol switch; otherwise empty string to preserve
|
|
|
|
|
# upstream keepalive connections.
|
2026-04-17 15:27:40 -07:00
|
|
|
map $http_upgrade $connection_upgrade {
|
2026-04-17 16:39:52 -07:00
|
|
|
default "";
|
2026-04-17 15:27:40 -07:00
|
|
|
websocket upgrade;
|
|
|
|
|
}
|
|
|
|
|
|
2026-04-18 09:40:20 -07:00
|
|
|
# --- Upstream ---
|
|
|
|
|
# DNS resolved via Tailscale MagicDNS at config load.
|
2026-04-17 16:39:52 -07:00
|
|
|
resolver 100.100.100.100 valid=30s;
|
|
|
|
|
resolver_timeout 5s;
|
|
|
|
|
|
2026-04-18 09:40:20 -07:00
|
|
|
# All services route through Caddy on indri. Indri's host-level Tailscale
|
|
|
|
|
# can establish direct WireGuard peering, avoiding the DERP relay
|
|
|
|
|
# bottleneck that k8s-hosted Tailscale Ingress pods cannot escape.
|
|
|
|
|
upstream indri_backend {
|
|
|
|
|
server indri.tail8d86e.ts.net:443;
|
|
|
|
|
keepalive 16;
|
2026-04-17 16:39:52 -07:00
|
|
|
}
|
|
|
|
|
|
2026-02-08 02:36:19 -08:00
|
|
|
# --- docs.eblu.me (static site) ---
|
|
|
|
|
server {
|
|
|
|
|
listen 8080;
|
|
|
|
|
server_name docs.eblu.me;
|
|
|
|
|
|
|
|
|
|
limit_req zone=general burst=20 nodelay;
|
|
|
|
|
|
2026-02-09 12:01:24 -08:00
|
|
|
# Serve a friendly error page when upstreams are unreachable
|
|
|
|
|
# (indri offline, Tailscale tunnel down, emergency shutoff, etc.)
|
|
|
|
|
# proxy_cache_use_stale still takes priority when cached content exists.
|
|
|
|
|
error_page 502 503 504 /error.html;
|
|
|
|
|
location = /error.html {
|
|
|
|
|
root /usr/share/nginx/html;
|
|
|
|
|
internal;
|
|
|
|
|
}
|
2026-02-08 02:36:19 -08:00
|
|
|
location / {
|
2026-04-18 09:40:20 -07:00
|
|
|
proxy_pass https://indri_backend$request_uri;
|
2026-02-08 02:36:19 -08:00
|
|
|
proxy_ssl_verify off;
|
|
|
|
|
proxy_ssl_server_name on;
|
2026-04-18 09:40:20 -07:00
|
|
|
proxy_ssl_name docs.ops.eblu.me;
|
|
|
|
|
proxy_set_header Host docs.ops.eblu.me;
|
2026-02-09 12:01:24 -08:00
|
|
|
proxy_intercept_errors on;
|
2026-02-08 02:36:19 -08:00
|
|
|
|
2026-04-17 16:39:52 -07:00
|
|
|
proxy_http_version 1.1;
|
|
|
|
|
proxy_set_header Connection $connection_upgrade;
|
|
|
|
|
|
2026-02-08 02:36:19 -08:00
|
|
|
# Cache aggressively — static site only.
|
|
|
|
|
# Do NOT use these settings for dynamic services.
|
|
|
|
|
proxy_cache services;
|
|
|
|
|
proxy_cache_valid 200 1d;
|
|
|
|
|
proxy_cache_valid 404 1m;
|
|
|
|
|
proxy_cache_use_stale error timeout updating;
|
|
|
|
|
proxy_cache_lock on;
|
|
|
|
|
|
|
|
|
|
# Prevent cache-busting: ignore query strings and
|
|
|
|
|
# client cache-control headers.
|
|
|
|
|
# Safe for static sites; breaks dynamic services.
|
|
|
|
|
proxy_cache_key $host$uri;
|
|
|
|
|
proxy_ignore_headers Cache-Control Set-Cookie;
|
|
|
|
|
|
|
|
|
|
add_header X-Cache-Status $upstream_cache_status;
|
2026-02-12 17:08:22 -08:00
|
|
|
add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
|
2026-02-08 02:36:19 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-12 14:05:00 -08:00
|
|
|
# --- cv.eblu.me (static site) ---
|
|
|
|
|
server {
|
|
|
|
|
listen 8080;
|
|
|
|
|
server_name cv.eblu.me;
|
|
|
|
|
|
|
|
|
|
limit_req zone=general burst=20 nodelay;
|
|
|
|
|
|
|
|
|
|
error_page 502 503 504 /error.html;
|
|
|
|
|
location = /error.html {
|
|
|
|
|
root /usr/share/nginx/html;
|
|
|
|
|
internal;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
location / {
|
2026-04-18 09:40:20 -07:00
|
|
|
proxy_pass https://indri_backend$request_uri;
|
2026-02-12 14:05:00 -08:00
|
|
|
proxy_ssl_verify off;
|
|
|
|
|
proxy_ssl_server_name on;
|
2026-04-18 09:40:20 -07:00
|
|
|
proxy_ssl_name cv.ops.eblu.me;
|
|
|
|
|
proxy_set_header Host cv.ops.eblu.me;
|
2026-02-12 14:05:00 -08:00
|
|
|
proxy_intercept_errors on;
|
|
|
|
|
|
2026-04-17 16:39:52 -07:00
|
|
|
proxy_http_version 1.1;
|
|
|
|
|
proxy_set_header Connection $connection_upgrade;
|
|
|
|
|
|
2026-02-12 14:05:00 -08:00
|
|
|
proxy_cache services;
|
|
|
|
|
proxy_cache_valid 200 1d;
|
|
|
|
|
proxy_cache_valid 404 1m;
|
|
|
|
|
proxy_cache_use_stale error timeout updating;
|
|
|
|
|
proxy_cache_lock on;
|
|
|
|
|
proxy_cache_key $host$uri;
|
|
|
|
|
proxy_ignore_headers Cache-Control Set-Cookie;
|
|
|
|
|
|
|
|
|
|
add_header X-Cache-Status $upstream_cache_status;
|
2026-02-12 17:08:22 -08:00
|
|
|
add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
|
2026-02-12 14:05:00 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
# --- forge.eblu.me (dynamic, authenticated) ---
|
|
|
|
|
server {
|
|
|
|
|
listen 8080;
|
|
|
|
|
server_name forge.eblu.me;
|
|
|
|
|
|
|
|
|
|
# Block fail2ban-banned IPs
|
|
|
|
|
if ($forge_banned) {
|
|
|
|
|
return 403 "Temporarily blocked. Try again later.\n";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# General rate limit — higher burst for git operations and CI webhooks
|
|
|
|
|
limit_req zone=general burst=50 nodelay;
|
|
|
|
|
|
|
|
|
|
# Git LFS and repo uploads can be large
|
|
|
|
|
client_max_body_size 512m;
|
|
|
|
|
|
|
|
|
|
# Security headers
|
|
|
|
|
add_header X-Frame-Options "DENY" always;
|
|
|
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
|
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
|
|
|
|
|
|
|
|
error_page 502 503 504 /error.html;
|
|
|
|
|
location = /error.html {
|
|
|
|
|
root /usr/share/nginx/html;
|
|
|
|
|
internal;
|
|
|
|
|
}
|
|
|
|
|
|
2026-04-17 14:21:22 -07:00
|
|
|
# Serve robots.txt directly — block crawlers from expensive endpoints
|
2026-04-16 15:39:48 -07:00
|
|
|
location = /robots.txt {
|
|
|
|
|
default_type text/plain;
|
2026-04-17 14:34:24 -07:00
|
|
|
return 200 "User-agent: *\nDisallow: /mirrors/\nDisallow: /user/\nDisallow: /users/\nDisallow: /*/archive/\nDisallow: /*/releases/download/\n";
|
2026-04-16 15:39:48 -07:00
|
|
|
}
|
|
|
|
|
|
C1: deploy adelaide-baby-shower-app to ringtail k3s (#349)
## Summary
Brings up the Adelaide / Heidi / Addie baby shower app on ringtail k3s with the public/private split that the app's hosting contract calls for: `shower.eblu.me` (public, via Fly proxy) and `shower.ops.eblu.me` (tailnet). App is consumed as a wheel from the Forgejo PyPI index — source lives at [`adelaide-baby-shower-app`](https://forge.eblu.me/eblume/adelaide-baby-shower-app).
### What's included
- **ArgoCD app + manifests** under `argocd/manifests/shower/` (deployment, service, ProxyGroup ingress, ConfigMap for `DJANGO_DEBUG`/`DJANGO_ADMIN_URL`, ExternalSecret for `DJANGO_SECRET_KEY` from 1Password item `Shower (blumeops)`, NFS PV on sifaka, RWX media PVC, RWO local-path data PVC for SQLite). Recreate rollout because SQLite is single-writer.
- **Public surface** (`fly/`): new `shower.eblu.me` server block proxying to `shower.ops.eblu.me`. `/admin/` returns 403 at the edge except `/admin/login/` and `/admin/logout/`, which are rate-limited via a new `shower_auth` zone. `X-Clacks-Overhead` on. GNU Terry Pratchett.
- **fail2ban** filter (`shower-admin-login.conf`) matching 401/403/429 on `/admin/login/` and jail (`shower.conf`) with `maxretry=5/findtime=600/bantime=3600`. The `nginx-deny` action was generalized to take a per-jail `nginx_deny_file` so the shower has its own deny list (forge keeps using the legacy default).
- **Caddy** route on indri (`shower.ops.eblu.me` → `https://shower.tail8d86e.ts.net`).
- **Pulumi** Gandi CNAME `shower.eblu.me → blumeops-proxy.fly.dev.`.
- **Grafana** APM dashboard `configmap-shower-apm.yaml` (request rate, error rate, failed admin login count, latency percentiles, bandwidth, access logs) mirroring `docs-apm.json` with a `host="shower.eblu.me"` filter.
- **Container** `containers/shower/default.nix` — `dockerTools.buildLayeredImage` with a nixpkgs Python and a startup wrapper that creates `/app/data/.venv`, pip-installs `adelaide-baby-shower-app==1.0.0` from the forge PyPI index on first boot, runs migrations + collectstatic, and execs gunicorn. A `local_settings.py` shim pins `DATABASES.NAME`/`MEDIA_ROOT`/`STATIC_ROOT` to absolute paths so they don't end up in site-packages.
- **Docs** runbook at `docs/how-to/operations/shower-app.md` linked from the apps registry, plus changelog fragments.
### Defense layers on the public surface
1. fly nginx geo+fail2ban `$shower_banned` (per-service deny list)
2. fly nginx `limit_req zone=shower_auth` (3 r/s per Fly-Client-IP)
3. django-axes (5 fails / 1h, keyed on username+ip_address)
4. edge `/admin/` block (returns 403 for anything that isn't login/logout)
## Prerequisites for the user to do (NOT in this PR)
Halted on these per request — they touch shared/manual systems:
- [x] **NFS share** on sifaka: `/volume1/shower`, NFS rule for ringtail RW, `chown 1000:1000`
- [ ] **1Password item** `Shower (blumeops)` in the blumeops vault with a freshly minted `secret-key` field (`openssl rand -base64 48`) — do NOT reuse anything that has lived in git
- [ ] **Container build**: `mise run container-build-and-release shower`, then update `images[].newTag` in `argocd/manifests/shower/kustomization.yaml` to the resulting `v1.0.0-<sha>-nix`
- [x] **DNS**: `mise run dns-up` after merge
- [x] **Fly cert**: `fly certs add shower.eblu.me -a blumeops-proxy`
- [ ] **Caddy push**: `mise run provision-indri -- --tags caddy`
- [ ] **Fly redeploy** to pick up the new nginx block + fail2ban jail: `mise run fly-deploy`
- [ ] **ArgoCD sync**: `argocd app set shower --revision shower-app-deploy && argocd app sync shower` to test from this branch before merging
## Test plan
- [ ] Container builds successfully on nix-container-builder runner
- [ ] Pod starts, migrations run, gunicorn answers on :8000
- [ ] `kubectl --context=k3s-ringtail -n shower logs deploy/shower` clean
- [ ] `curl -sf https://shower.ops.eblu.me/` returns the splash page (tailnet)
- [ ] `curl -I -H "Host: shower.eblu.me" https://blumeops-proxy.fly.dev/` returns 200 (pre-DNS verification)
- [ ] `curl -I -H "Host: shower.eblu.me" https://blumeops-proxy.fly.dev/admin/users/` returns 403 (edge block)
- [ ] `curl -I -H "Host: shower.eblu.me" https://blumeops-proxy.fly.dev/admin/login/` returns a Django login response
- [ ] After DNS is up: `curl -I https://shower.eblu.me/` returns 200 with `X-Clacks-Overhead`
- [ ] Grafana dashboard "Shower APM" appears and starts showing traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/349
2026-05-11 13:47:18 -07:00
|
|
|
# Block the package registry at the public edge. Forgejo's per-user
|
|
|
|
|
# visibility model treats packages as world-readable when the owner
|
|
|
|
|
# has Visibility=Public — which means anyone on the internet can
|
|
|
|
|
# enumerate and download every wheel/sdist/generic artifact, even
|
|
|
|
|
# for private-repo releases (the sdist contains full source). We
|
|
|
|
|
# like keeping eblume's profile public, so we close the hole here
|
|
|
|
|
# at the proxy instead: WAN sees 403, tailnet (forge.ops.eblu.me)
|
|
|
|
|
# stays open for legitimate consumers (CI workflows, gilbert).
|
|
|
|
|
# See docs/tutorials/expose-service-publicly.md for the broader
|
|
|
|
|
# threat model on this proxy.
|
|
|
|
|
location /api/packages/ {
|
|
|
|
|
return 403 "Package downloads are tailnet-only — use forge.ops.eblu.me.\n";
|
|
|
|
|
}
|
|
|
|
|
location /api/v1/packages {
|
|
|
|
|
return 403 "Package enumeration is tailnet-only — use forge.ops.eblu.me.\n";
|
|
|
|
|
}
|
|
|
|
|
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
# Block swagger API docs — use forge.ops.eblu.me from tailnet
|
|
|
|
|
location /swagger {
|
|
|
|
|
return 403 "API documentation is only available at forge.ops.eblu.me (tailnet).\n";
|
|
|
|
|
}
|
2026-06-01 20:52:20 -07:00
|
|
|
|
|
|
|
|
# Black-hole the mirror repositories on WAN. These are mirrors of
|
|
|
|
|
# already-public upstreams (tailscale, prometheus, mealie, …) kept
|
|
|
|
|
# for supply-chain control; CI, gilbert, and tailnet clients consume
|
|
|
|
|
# them via forge.ops.eblu.me. Their web UI served no public purpose
|
|
|
|
|
# but AI scrapers, which crawled the near-infinite git-history URL
|
|
|
|
|
# space (src/commit, commits, blame, raw) and drove ~70% of Fly
|
|
|
|
|
# egress (1.24 TB/30d → a surprise bill) plus enough upstream load to
|
|
|
|
|
# time out Forgejo. robots.txt already Disallows /mirrors/, but
|
|
|
|
|
# meta-externalagent and GPTBot ignore it — so enforce at the edge.
|
|
|
|
|
# `^~` makes this win over the regex locations below (e.g. *.css), so
|
|
|
|
|
# static assets under /mirrors/ can't leak through. We also name and
|
|
|
|
|
# shame: blocked requests get a "roll of dishonour" page (403 status
|
|
|
|
|
# preserved) and an X-Naughty-Scrapers header. See
|
|
|
|
|
# docs/explanation/ai-scraper-mitigation.md.
|
|
|
|
|
location ^~ /mirrors/ {
|
|
|
|
|
error_page 403 /naughty.html;
|
|
|
|
|
return 403;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Roll of dishonour — served on the /mirrors/ 403, status kept at 403.
|
|
|
|
|
location = /naughty.html {
|
|
|
|
|
internal;
|
|
|
|
|
root /usr/share/nginx/html;
|
|
|
|
|
add_header X-Naughty-Scrapers "OpenAI/GPTBot, Meta/meta-externalagent, Amazonbot, ByteDance/Bytespider — robots.txt ignorers" always;
|
|
|
|
|
add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
|
|
|
|
|
}
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
|
2026-04-17 14:21:22 -07:00
|
|
|
# Redirect archive endpoints to tailnet — archive requests generate full
|
|
|
|
|
# git bundles on demand. Unauthenticated crawlers hitting unique commit
|
|
|
|
|
# SHAs cause unbounded CPU and disk usage (DoS vector). Legitimate users
|
|
|
|
|
# can download via forge.ops.eblu.me on the tailnet.
|
|
|
|
|
location ~ ^/[^/]+/[^/]+/archive/ {
|
|
|
|
|
default_type text/html;
|
|
|
|
|
return 302 https://forge.ops.eblu.me$request_uri;
|
|
|
|
|
}
|
|
|
|
|
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
# Rate-limit authentication endpoints
|
|
|
|
|
location ~ ^/user/(login|sign_up|forgot_password) {
|
|
|
|
|
limit_req zone=forge_auth burst=5 nodelay;
|
|
|
|
|
|
2026-04-18 09:40:20 -07:00
|
|
|
proxy_pass https://indri_backend$request_uri;
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
proxy_ssl_verify off;
|
|
|
|
|
proxy_ssl_server_name on;
|
2026-04-18 09:40:20 -07:00
|
|
|
proxy_ssl_name forge.ops.eblu.me;
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
proxy_intercept_errors on;
|
|
|
|
|
|
2026-04-18 09:40:20 -07:00
|
|
|
proxy_set_header Host forge.ops.eblu.me;
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
proxy_set_header X-Real-IP $http_fly_client_ip;
|
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
|
|
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
2026-04-17 15:27:40 -07:00
|
|
|
proxy_set_header Connection $connection_upgrade;
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
}
|
|
|
|
|
|
2026-04-17 14:21:22 -07:00
|
|
|
# Cache release artifact downloads — immutable files keyed by tag+filename.
|
|
|
|
|
# Avoids hammering Forgejo when crawlers or users re-download the same asset.
|
|
|
|
|
location ~ ^/[^/]+/[^/]+/releases/download/ {
|
2026-04-18 09:40:20 -07:00
|
|
|
proxy_pass https://indri_backend$request_uri;
|
2026-04-17 14:21:22 -07:00
|
|
|
proxy_ssl_verify off;
|
|
|
|
|
proxy_ssl_server_name on;
|
2026-04-18 09:40:20 -07:00
|
|
|
proxy_ssl_name forge.ops.eblu.me;
|
2026-04-17 16:39:52 -07:00
|
|
|
|
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
|
proxy_set_header Connection $connection_upgrade;
|
2026-04-17 14:21:22 -07:00
|
|
|
|
|
|
|
|
proxy_cache services;
|
|
|
|
|
proxy_cache_valid 200 7d;
|
|
|
|
|
proxy_cache_key $host$uri;
|
|
|
|
|
|
2026-04-18 09:40:20 -07:00
|
|
|
proxy_set_header Host forge.ops.eblu.me;
|
2026-04-17 14:21:22 -07:00
|
|
|
proxy_set_header X-Real-IP $http_fly_client_ip;
|
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
|
|
|
|
|
|
add_header X-Cache-Status $upstream_cache_status;
|
|
|
|
|
add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
|
|
|
|
|
}
|
|
|
|
|
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
# Selectively cache static assets only
|
|
|
|
|
location ~* \.(css|js|png|jpg|svg|woff2?)$ {
|
2026-04-18 09:40:20 -07:00
|
|
|
proxy_pass https://indri_backend$request_uri;
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
proxy_ssl_verify off;
|
|
|
|
|
proxy_ssl_server_name on;
|
2026-04-18 09:40:20 -07:00
|
|
|
proxy_ssl_name forge.ops.eblu.me;
|
2026-04-17 16:39:52 -07:00
|
|
|
|
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
|
proxy_set_header Connection $connection_upgrade;
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
|
2026-04-18 16:00:56 -07:00
|
|
|
proxy_set_header Host forge.ops.eblu.me;
|
|
|
|
|
proxy_set_header X-Real-IP $http_fly_client_ip;
|
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
|
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
proxy_cache services;
|
|
|
|
|
proxy_cache_valid 200 7d;
|
|
|
|
|
proxy_cache_key $host$uri;
|
|
|
|
|
|
|
|
|
|
add_header X-Cache-Status $upstream_cache_status;
|
|
|
|
|
add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
location / {
|
2026-04-18 09:40:20 -07:00
|
|
|
proxy_pass https://indri_backend$request_uri;
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
proxy_ssl_verify off;
|
|
|
|
|
proxy_ssl_server_name on;
|
2026-04-18 09:40:20 -07:00
|
|
|
proxy_ssl_name forge.ops.eblu.me;
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
proxy_intercept_errors on;
|
|
|
|
|
|
|
|
|
|
# NO proxy_cache — dynamic content with sessions
|
|
|
|
|
|
2026-04-18 09:40:20 -07:00
|
|
|
proxy_set_header Host forge.ops.eblu.me;
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
proxy_set_header X-Real-IP $http_fly_client_ip;
|
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
|
|
|
|
|
|
# WebSocket support (Forgejo uses it for live updates)
|
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
2026-04-17 15:27:40 -07:00
|
|
|
proxy_set_header Connection $connection_upgrade;
|
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278
2026-03-03 08:40:41 -08:00
|
|
|
|
|
|
|
|
add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
C1: deploy adelaide-baby-shower-app to ringtail k3s (#349)
## Summary
Brings up the Adelaide / Heidi / Addie baby shower app on ringtail k3s with the public/private split that the app's hosting contract calls for: `shower.eblu.me` (public, via Fly proxy) and `shower.ops.eblu.me` (tailnet). App is consumed as a wheel from the Forgejo PyPI index — source lives at [`adelaide-baby-shower-app`](https://forge.eblu.me/eblume/adelaide-baby-shower-app).
### What's included
- **ArgoCD app + manifests** under `argocd/manifests/shower/` (deployment, service, ProxyGroup ingress, ConfigMap for `DJANGO_DEBUG`/`DJANGO_ADMIN_URL`, ExternalSecret for `DJANGO_SECRET_KEY` from 1Password item `Shower (blumeops)`, NFS PV on sifaka, RWX media PVC, RWO local-path data PVC for SQLite). Recreate rollout because SQLite is single-writer.
- **Public surface** (`fly/`): new `shower.eblu.me` server block proxying to `shower.ops.eblu.me`. `/admin/` returns 403 at the edge except `/admin/login/` and `/admin/logout/`, which are rate-limited via a new `shower_auth` zone. `X-Clacks-Overhead` on. GNU Terry Pratchett.
- **fail2ban** filter (`shower-admin-login.conf`) matching 401/403/429 on `/admin/login/` and jail (`shower.conf`) with `maxretry=5/findtime=600/bantime=3600`. The `nginx-deny` action was generalized to take a per-jail `nginx_deny_file` so the shower has its own deny list (forge keeps using the legacy default).
- **Caddy** route on indri (`shower.ops.eblu.me` → `https://shower.tail8d86e.ts.net`).
- **Pulumi** Gandi CNAME `shower.eblu.me → blumeops-proxy.fly.dev.`.
- **Grafana** APM dashboard `configmap-shower-apm.yaml` (request rate, error rate, failed admin login count, latency percentiles, bandwidth, access logs) mirroring `docs-apm.json` with a `host="shower.eblu.me"` filter.
- **Container** `containers/shower/default.nix` — `dockerTools.buildLayeredImage` with a nixpkgs Python and a startup wrapper that creates `/app/data/.venv`, pip-installs `adelaide-baby-shower-app==1.0.0` from the forge PyPI index on first boot, runs migrations + collectstatic, and execs gunicorn. A `local_settings.py` shim pins `DATABASES.NAME`/`MEDIA_ROOT`/`STATIC_ROOT` to absolute paths so they don't end up in site-packages.
- **Docs** runbook at `docs/how-to/operations/shower-app.md` linked from the apps registry, plus changelog fragments.
### Defense layers on the public surface
1. fly nginx geo+fail2ban `$shower_banned` (per-service deny list)
2. fly nginx `limit_req zone=shower_auth` (3 r/s per Fly-Client-IP)
3. django-axes (5 fails / 1h, keyed on username+ip_address)
4. edge `/admin/` block (returns 403 for anything that isn't login/logout)
## Prerequisites for the user to do (NOT in this PR)
Halted on these per request — they touch shared/manual systems:
- [x] **NFS share** on sifaka: `/volume1/shower`, NFS rule for ringtail RW, `chown 1000:1000`
- [ ] **1Password item** `Shower (blumeops)` in the blumeops vault with a freshly minted `secret-key` field (`openssl rand -base64 48`) — do NOT reuse anything that has lived in git
- [ ] **Container build**: `mise run container-build-and-release shower`, then update `images[].newTag` in `argocd/manifests/shower/kustomization.yaml` to the resulting `v1.0.0-<sha>-nix`
- [x] **DNS**: `mise run dns-up` after merge
- [x] **Fly cert**: `fly certs add shower.eblu.me -a blumeops-proxy`
- [ ] **Caddy push**: `mise run provision-indri -- --tags caddy`
- [ ] **Fly redeploy** to pick up the new nginx block + fail2ban jail: `mise run fly-deploy`
- [ ] **ArgoCD sync**: `argocd app set shower --revision shower-app-deploy && argocd app sync shower` to test from this branch before merging
## Test plan
- [ ] Container builds successfully on nix-container-builder runner
- [ ] Pod starts, migrations run, gunicorn answers on :8000
- [ ] `kubectl --context=k3s-ringtail -n shower logs deploy/shower` clean
- [ ] `curl -sf https://shower.ops.eblu.me/` returns the splash page (tailnet)
- [ ] `curl -I -H "Host: shower.eblu.me" https://blumeops-proxy.fly.dev/` returns 200 (pre-DNS verification)
- [ ] `curl -I -H "Host: shower.eblu.me" https://blumeops-proxy.fly.dev/admin/users/` returns 403 (edge block)
- [ ] `curl -I -H "Host: shower.eblu.me" https://blumeops-proxy.fly.dev/admin/login/` returns a Django login response
- [ ] After DNS is up: `curl -I https://shower.eblu.me/` returns 200 with `X-Clacks-Overhead`
- [ ] Grafana dashboard "Shower APM" appears and starts showing traffic
- [ ] `mise run services-check` passes
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/349
2026-05-11 13:47:18 -07:00
|
|
|
# --- shower.eblu.me (Adelaide baby shower — guest-only public surface) ---
|
|
|
|
|
# Only the guest paths (`/`, `/prizes/<token>/`, /static/, /media/) are
|
|
|
|
|
# exposed on WAN. /host/, /admin/, and Django's login views are blocked
|
|
|
|
|
# at the edge with a 403 pointing at the tailnet hostname — staff sign
|
|
|
|
|
# in on shower.ops.eblu.me, which is reachable from any device with
|
|
|
|
|
# Tailscale installed. Defense layers reduce to: general per-IP rate
|
|
|
|
|
# limit + django-axes (5 fails / 1h) on the tailnet-side login. No
|
|
|
|
|
# fail2ban needed here because the public surface no longer takes
|
|
|
|
|
# credentials of any kind.
|
|
|
|
|
server {
|
|
|
|
|
listen 8080;
|
|
|
|
|
server_name shower.eblu.me;
|
|
|
|
|
|
|
|
|
|
# Per-IP rate limit. shower_general (50r/s, burst=200) instead of
|
|
|
|
|
# the global `general` zone because at the party, guests on the
|
|
|
|
|
# venue's wifi all NAT through a single Fly-Client-IP — 30 guests
|
|
|
|
|
# scanning the QR at once would each fetch HTML + a few static
|
|
|
|
|
# assets, easily clearing 20 burst on `general`. Exploit scanners
|
|
|
|
|
# still trip it (sustained ≫ 50r/s patterns).
|
|
|
|
|
limit_req zone=shower_general burst=200 nodelay;
|
|
|
|
|
|
|
|
|
|
# Image uploads from /host/'s prize cropper are ~150-300 KiB JPEGs.
|
|
|
|
|
# The host page itself isn't reachable here, but /media/ reads can
|
|
|
|
|
# be larger than 1 MiB so set the cap to 5 MiB to match Django.
|
|
|
|
|
client_max_body_size 5m;
|
|
|
|
|
|
|
|
|
|
# Security headers — HSTS matches Django's SECURE_HSTS_SECONDS.
|
|
|
|
|
add_header X-Frame-Options "DENY" always;
|
|
|
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
|
|
|
add_header Referrer-Policy "same-origin" always;
|
|
|
|
|
# GNU Terry Pratchett — keep the name moving.
|
|
|
|
|
add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
|
|
|
|
|
|
|
|
|
|
error_page 502 503 504 /error.html;
|
|
|
|
|
location = /error.html {
|
|
|
|
|
root /usr/share/nginx/html;
|
|
|
|
|
internal;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Reject indexers — there's nothing here we want crawled.
|
|
|
|
|
location = /robots.txt {
|
|
|
|
|
default_type text/plain;
|
|
|
|
|
return 200 "User-agent: *\nDisallow: /\n";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Admin surface: tailnet-only. Anything under /admin/ — login,
|
|
|
|
|
# logout, CRUD UI, password reset — returns 403 with a pointer to
|
|
|
|
|
# the tailnet host. Django's `staff_member_required` will redirect
|
|
|
|
|
# /host/ to /admin/login/, which lands on this 403 if a guest
|
|
|
|
|
# device wanders into it. Staff hit the tailnet host directly.
|
|
|
|
|
location /admin/ {
|
|
|
|
|
return 403 "Authentication is tailnet-only — visit shower.ops.eblu.me.\n";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Operator console: tailnet-only. Same rationale as /admin/.
|
|
|
|
|
location /host/ {
|
|
|
|
|
return 403 "The host console is tailnet-only — visit shower.ops.eblu.me.\n";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Static assets — WhiteNoise + CompressedManifestStaticFilesStorage
|
|
|
|
|
# gives content-hashed filenames, so cache aggressively. Hashed
|
|
|
|
|
# names make cache invalidation automatic on app upgrades.
|
|
|
|
|
location /static/ {
|
|
|
|
|
proxy_pass https://indri_backend$request_uri;
|
|
|
|
|
proxy_ssl_verify off;
|
|
|
|
|
proxy_ssl_server_name on;
|
|
|
|
|
proxy_ssl_name shower.ops.eblu.me;
|
|
|
|
|
|
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
|
proxy_set_header Connection $connection_upgrade;
|
|
|
|
|
proxy_set_header Host shower.ops.eblu.me;
|
|
|
|
|
proxy_set_header X-Real-IP $http_fly_client_ip;
|
|
|
|
|
proxy_set_header X-Forwarded-For $http_fly_client_ip;
|
|
|
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
|
|
|
|
|
|
proxy_cache services;
|
|
|
|
|
proxy_cache_valid 200 1y;
|
|
|
|
|
proxy_cache_valid 404 1m;
|
|
|
|
|
proxy_cache_use_stale error timeout updating;
|
|
|
|
|
proxy_cache_lock on;
|
|
|
|
|
proxy_cache_key $host$uri;
|
|
|
|
|
proxy_ignore_headers Cache-Control Set-Cookie;
|
|
|
|
|
|
|
|
|
|
add_header X-Cache-Status $upstream_cache_status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Prize photo uploads. Shorter TTL than /static/ because filenames
|
|
|
|
|
# aren't content-hashed — operators can re-upload a prize photo
|
|
|
|
|
# and we want guests to see the new image within a day.
|
|
|
|
|
location /media/ {
|
|
|
|
|
proxy_pass https://indri_backend$request_uri;
|
|
|
|
|
proxy_ssl_verify off;
|
|
|
|
|
proxy_ssl_server_name on;
|
|
|
|
|
proxy_ssl_name shower.ops.eblu.me;
|
|
|
|
|
|
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
|
proxy_set_header Connection $connection_upgrade;
|
|
|
|
|
proxy_set_header Host shower.ops.eblu.me;
|
|
|
|
|
proxy_set_header X-Real-IP $http_fly_client_ip;
|
|
|
|
|
proxy_set_header X-Forwarded-For $http_fly_client_ip;
|
|
|
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
|
|
|
|
|
|
proxy_cache services;
|
|
|
|
|
proxy_cache_valid 200 1d;
|
|
|
|
|
proxy_cache_valid 404 1m;
|
|
|
|
|
proxy_cache_use_stale error timeout updating;
|
|
|
|
|
proxy_cache_lock on;
|
|
|
|
|
proxy_cache_key $host$uri;
|
|
|
|
|
proxy_ignore_headers Cache-Control Set-Cookie;
|
|
|
|
|
|
|
|
|
|
add_header X-Cache-Status $upstream_cache_status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
location / {
|
|
|
|
|
proxy_pass https://indri_backend$request_uri;
|
|
|
|
|
proxy_ssl_verify off;
|
|
|
|
|
proxy_ssl_server_name on;
|
|
|
|
|
proxy_ssl_name shower.ops.eblu.me;
|
|
|
|
|
proxy_intercept_errors on;
|
|
|
|
|
|
|
|
|
|
# No proxy_cache — dynamic content with sessions and CSRF.
|
|
|
|
|
|
|
|
|
|
proxy_set_header Host shower.ops.eblu.me;
|
|
|
|
|
proxy_set_header X-Real-IP $http_fly_client_ip;
|
|
|
|
|
proxy_set_header X-Forwarded-For $http_fly_client_ip;
|
|
|
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
|
|
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
|
|
|
proxy_set_header Connection $connection_upgrade;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-08 02:36:19 -08:00
|
|
|
# Catch-all: reject unknown hosts, but serve health check
|
|
|
|
|
server {
|
|
|
|
|
listen 8080 default_server;
|
|
|
|
|
|
|
|
|
|
location /healthz {
|
|
|
|
|
return 200 "ok\n";
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-08 10:05:38 -08:00
|
|
|
location /stub_status {
|
|
|
|
|
stub_status;
|
|
|
|
|
allow 127.0.0.1;
|
|
|
|
|
deny all;
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-08 02:36:19 -08:00
|
|
|
location / {
|
|
|
|
|
return 444;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|