Add Caddy layer4 for Forgejo SSH (#56)

## Summary - Add layer4 TCP proxy configuration to Caddyfile template for SSH services - Configure Forgejo SSH on port 2222 → localhost:2200 - Switch HTTPS from port 8443 (testing) to 443 (production) - Requires Caddy rebuilt with `github.com/mholt/caddy-l4` plugin ## What This Enables Git+SSH access via `forge.ops.eblu.me:2222` is now accessible from: - Tailnet clients (gilbert) - Docker containers on indri - Kubernetes pods in minikube This solves the DNS resolution issues where containers couldn't reach Tailscale MagicDNS names. ## Testing Done - [x] Caddy rebuilt with layer4 plugin - [x] Validated Caddyfile syntax - [x] Cleared `svc:forge` from tailscale serve - [x] Verified HTTPS works: `curl https://forge.ops.eblu.me` - [x] Verified SSH works: `ssh -p 2222 forgejo@forge.ops.eblu.me` - [x] Verified git clone works via new endpoint - [x] Verified minikube pods can reach both HTTPS and SSH endpoints ## Deployment Caddy is already running with the new config on indri. This PR captures the ansible changes. ## Next Steps - Update zk docs with new git remote format - Migrate registry and other services to Caddy - Retire tailscale_services ansible role 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/56
2026-01-25 11:37:23 -08:00 · 2026-01-25 11:37:23 -08:00 · 1184b4de1d
commit 1184b4de1d
parent 682a68dc9c
15 changed files with 44 additions and 28 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -1,2 +1,2 @@
 ---
-ansible_managed: "Managed by ansible - do not edit. Source: ssh://forgejo@forge.tail8d86e.ts.net/eblume/blumeops.git"
+ansible_managed: "Managed by ansible - do not edit. Source: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git"
--- a/ansible/roles/alloy/defaults/main.yml
+++ b/ansible/roles/alloy/defaults/main.yml
@ -10,7 +10,7 @@
 # Build on dev machine (gilbert), then copy to indri:
 #
 # 1. Clone from forge mirror:
-#    git clone ssh://forgejo@forge.tail8d86e.ts.net/eblume/alloy.git ~/code/3rd/alloy
+#    git clone ssh://forgejo@forge.ops.eblu.me:2222/eblume/alloy.git ~/code/3rd/alloy
 #
 # 2. Set up build tools via mise:
 #    cd ~/code/3rd/alloy && mise use go@1.25 node yarn
--- a/ansible/roles/caddy/defaults/main.yml
+++ b/ansible/roles/caddy/defaults/main.yml
@ -15,9 +15,8 @@ caddy_gandi_token_file: /Users/erichblume/.config/caddy/gandi-token
 # Domain configuration
 caddy_domain: ops.eblu.me

-# Listen on Tailscale interface only (port 443)
-# Use 8443 during testing to avoid conflicts with Tailscale serve
-caddy_https_port: 8443
+# HTTPS port (443 is standard)
+caddy_https_port: 443

 # Services to proxy
 # Format: { name: "service", host: "hostname", backend: "url" }
@ -35,3 +34,9 @@ caddy_services:
  # - name: grafana
  #   host: "grafana.{{ caddy_domain }}"
  #   backend: "http://minikube-ip:nodeport"
+
+# SSH services (Layer 4 TCP proxy)
+# Format: { port: external_port, backend: "host:port" }
+caddy_ssh_services:
+  - port: 2222
+    backend: "localhost:2200"  # Forgejo SSH
--- a/ansible/roles/caddy/templates/Caddyfile.j2
+++ b/ansible/roles/caddy/templates/Caddyfile.j2
@ -7,6 +7,19 @@
 {
 	# Global options
 	admin off
+
+{% if caddy_ssh_services %}
+	# Layer 4 (TCP) routing for SSH services
+	layer4 {
+{% for ssh_svc in caddy_ssh_services %}
+		:{{ ssh_svc.port }} {
+			route {
+				proxy {{ ssh_svc.backend }}
+			}
+		}
+{% endfor %}
+	}
+{% endif %}
 }

 # Wildcard certificate for all services
--- a/ansible/roles/forgejo/defaults/main.yml
+++ b/ansible/roles/forgejo/defaults/main.yml
@ -18,7 +18,7 @@ forgejo_log_path: "{{ forgejo_work_path }}/log"
 # Server settings
 forgejo_http_addr: 0.0.0.0
 forgejo_http_port: 3001
-forgejo_domain: forge.tail8d86e.ts.net
+forgejo_domain: forge.ops.eblu.me
 forgejo_ssh_domain: "{{ forgejo_domain }}"
 forgejo_root_url: "https://{{ forgejo_domain }}/"
 forgejo_offline_mode: true
@ -27,7 +27,7 @@ forgejo_offline_mode: true
 forgejo_disable_ssh: false
 forgejo_start_ssh_server: true
 forgejo_builtin_ssh_user: forgejo
-forgejo_ssh_port: 22
+forgejo_ssh_port: 2222
 forgejo_ssh_listen_port: 2200
 forgejo_lfs_start_server: true

--- a/ansible/roles/tailscale_serve/defaults/main.yml
+++ b/ansible/roles/tailscale_serve/defaults/main.yml
@ -1,16 +1,11 @@
 ---
 # Tailscale serve configuration for this host
 # Each service maps a Tailscale service name to local endpoints
+#
+# NOTE: forge has been migrated to Caddy (forge.ops.eblu.me)
+# Registry will be migrated next, then this role can be retired.

 tailscale_serve_services:
-  - name: svc:forge
-    https:
-      port: 443
-      upstream: http://localhost:3001
-    tcp:
-      port: 22
-      upstream: tcp://localhost:2200
-
  - name: svc:registry
    https:
      port: 443