Expose Forgejo publicly at forge.eblu.me (#278)
## Summary Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service. - **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO) - **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint - **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit - **Authentik:** OAuth callback updated to forge.eblu.me - **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup - **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is) ## Deployment Order 1. `mise run provision-indri -- --tags forgejo` (config changes) 2. Verify forge.ops.eblu.me still works 3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator` 4. Verify `curl https://forge.tail8d86e.ts.net` 5. `cd fly && fly deploy` 6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/` 7. `fly certs add forge.eblu.me -a blumeops-proxy` 8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik` 9. `mise run dns-preview && mise run dns-up` 10. Full verification (see below) 11. Rehearse `mise run fly-shutoff` 12. 
After merge: reset ArgoCD revisions to main, re-sync ## Verification Checklist - [ ] forge.eblu.me loads, shows public repos - [ ] forge.ops.eblu.me still works from tailnet - [ ] SSH clone via forge.ops.eblu.me:2222 works - [ ] HTTPS clone via forge.eblu.me works - [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH - [ ] /swagger returns 403 - [ ] Rapid login attempts trigger 429 rate limit - [ ] fail2ban bans after 5 failed logins in 10 minutes - [ ] ArgoCD can still sync (SSH unaffected) - [ ] `mise run fly-shutoff` stops all public traffic - [ ] `mise run services-check` passes Reviewed-on: #278
This commit is contained in:
parent
a32c99a252
commit
a87c997ee1
49 changed files with 340 additions and 128 deletions
|
|
@ -11,7 +11,7 @@
|
|||
# 3. The workflow creates a release with attached artifacts
|
||||
#
|
||||
# Documentation asset URL:
|
||||
# https://forge.ops.eblu.me/eblume/blumeops/releases/download/<tag>/docs-<version>.tar.gz
|
||||
# https://forge.eblu.me/eblume/blumeops/releases/download/<tag>/docs-<version>.tar.gz
|
||||
|
||||
name: Build BlumeOps
|
||||
|
||||
|
|
@ -46,7 +46,7 @@ jobs:
|
|||
|
||||
# Fetch latest release
|
||||
echo "Fetching latest release..."
|
||||
LATEST=$(curl -s "https://forge.ops.eblu.me/api/v1/repos/eblume/blumeops/releases/latest" | jq -r '.tag_name // empty' || true)
|
||||
LATEST=$(curl -s "https://forge.eblu.me/api/v1/repos/eblume/blumeops/releases/latest" | jq -r '.tag_name // empty' || true)
|
||||
|
||||
if [ -z "$LATEST" ]; then
|
||||
LATEST="v0.0.0"
|
||||
|
|
@ -94,9 +94,9 @@ jobs:
|
|||
esac
|
||||
|
||||
# Check if this version already exists
|
||||
if curl -sf "https://forge.ops.eblu.me/api/v1/repos/eblume/blumeops/releases/tags/$VERSION" > /dev/null 2>&1; then
|
||||
if curl -sf "https://forge.eblu.me/api/v1/repos/eblume/blumeops/releases/tags/$VERSION" > /dev/null 2>&1; then
|
||||
echo "Error: Release $VERSION already exists"
|
||||
echo "See: https://forge.ops.eblu.me/eblume/blumeops/releases/tag/$VERSION"
|
||||
echo "See: https://forge.eblu.me/eblume/blumeops/releases/tag/$VERSION"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
|
@ -181,7 +181,7 @@ jobs:
|
|||
echo "Download \`$TARBALL\` and configure the quartz container with:"
|
||||
echo ""
|
||||
echo "\`\`\`"
|
||||
echo "DOCS_RELEASE_URL=https://forge.ops.eblu.me/eblume/blumeops/releases/download/$VERSION/$TARBALL"
|
||||
echo "DOCS_RELEASE_URL=https://forge.eblu.me/eblume/blumeops/releases/download/$VERSION/$TARBALL"
|
||||
echo "\`\`\`"
|
||||
} > /tmp/release_body.txt
|
||||
|
||||
|
|
@ -197,7 +197,7 @@ jobs:
|
|||
-H "Content-Type: application/json" \
|
||||
-H "Authorization: token $GITHUB_TOKEN" \
|
||||
-d "$RELEASE_DATA" \
|
||||
"https://forge.ops.eblu.me/api/v1/repos/eblume/blumeops/releases")
|
||||
"https://forge.eblu.me/api/v1/repos/eblume/blumeops/releases")
|
||||
|
||||
echo "API Response: $RELEASE_RESPONSE"
|
||||
|
||||
|
|
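Review bot: The release-creation request on the new line `"https://forge.eblu.me/api/v1/repos/eblume/blumeops/releases")` now sends `-H "Authorization: token $GITHUB_TOKEN"` to the public hostname, so the runner's token, and the asset upload in the `@ -217` hunk, traverse the Fly.io proxy where TLS is terminated rather than staying on the tailnet via forge.ops.eblu.me; the description limits the rename to "HTTPS refs only", but credential-bearing API calls are a different class from the user-facing release and DOCS_RELEASE_URL links echoed in the `@ -181` and `@ -307` hunks. If the runner can still reach forge.ops.eblu.me, consider keeping the token-bearing calls (the `releases/latest` lookup in `@ -46`, the `releases/tags/$VERSION` check in `@ -94`, release creation here and the asset upload) on the internal name and reserving forge.eblu.me for URLs that end users or the cluster fetch. Related: `curl -s` without `--fail` in the `@ -46` hunk cannot distinguish "no release yet" from a 429 or 403 body returned by the new rate limiting or fail2ban, so a refused request silently becomes `LATEST="v0.0.0"`; checking the HTTP status (or `-f` together with `set -o pipefail`) would fail the step instead of deriving a version from a bad fallback. Whether the runner resolves forge.eblu.me through the proxy or a tailnet-local record is not visible here, and the enclosing `run:` step starts and ends outside the hunk.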
@ -217,7 +217,7 @@ jobs:
|
|||
-H "Content-Type: application/gzip" \
|
||||
-H "Authorization: token $GITHUB_TOKEN" \
|
||||
--data-binary "@$TARBALL" \
|
||||
"https://forge.ops.eblu.me/api/v1/repos/eblume/blumeops/releases/$RELEASE_ID/assets?name=$TARBALL")
|
||||
"https://forge.eblu.me/api/v1/repos/eblume/blumeops/releases/$RELEASE_ID/assets?name=$TARBALL")
|
||||
|
||||
echo "Upload Response: $UPLOAD_RESPONSE"
|
||||
echo ""
|
||||
|
|
@ -228,7 +228,7 @@ jobs:
|
|||
VERSION="${{ steps.version.outputs.version }}"
|
||||
TARBALL="docs-${VERSION}.tar.gz"
|
||||
DEPLOYMENT_FILE="argocd/manifests/docs/deployment.yaml"
|
||||
RELEASE_URL="https://forge.ops.eblu.me/eblume/blumeops/releases/download/${VERSION}/${TARBALL}"
|
||||
RELEASE_URL="https://forge.eblu.me/eblume/blumeops/releases/download/${VERSION}/${TARBALL}"
|
||||
|
||||
echo "Updating $DEPLOYMENT_FILE with new release URL..."
|
||||
yq -i "(.spec.template.spec.containers[0].env[] | select(.name == \"DOCS_RELEASE_URL\")).value = \"${RELEASE_URL}\"" "$DEPLOYMENT_FILE"
|
||||
|
|
@ -307,7 +307,7 @@ jobs:
|
|||
echo "================================================"
|
||||
echo ""
|
||||
echo "Release URL:"
|
||||
echo " https://forge.ops.eblu.me/eblume/blumeops/releases/tag/$VERSION"
|
||||
echo " https://forge.eblu.me/eblume/blumeops/releases/tag/$VERSION"
|
||||
echo ""
|
||||
echo "Asset URL (for DOCS_RELEASE_URL ConfigMap):"
|
||||
echo " https://forge.ops.eblu.me/eblume/blumeops/releases/download/$VERSION/$TARBALL"
|
||||
echo " https://forge.eblu.me/eblume/blumeops/releases/download/$VERSION/$TARBALL"
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ jobs:
|
|||
|
||||
if [ "$INPUT_VERSION" = "latest" ]; then
|
||||
echo "Resolving latest CV package version..."
|
||||
VERSION=$(curl -s "https://forge.ops.eblu.me/api/v1/packages/eblume?type=generic&q=cv" \
|
||||
VERSION=$(curl -s "https://forge.eblu.me/api/v1/packages/eblume?type=generic&q=cv" \
|
||||
| jq -r '[.[] | select(.name == "cv")] | sort_by(.version) | last | .version // empty')
|
||||
|
||||
if [ -z "$VERSION" ]; then
|
||||
|
|
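Review bot: The version lookup on the new line `VERSION=$(curl -s "https://forge.eblu.me/api/v1/packages/eblume?type=generic&q=cv" \` now depends on the public ingress path, and `curl -s` without `--fail` turns a proxy-side 429, 403 or outage (including the `mise run fly-shutoff` rehearsal in the description, if the runner resolves the public name) into an empty `VERSION`, which the `if [ -z "$VERSION" ]` branch below treats as if no package existed. Adding `-f` alone would not change that, because `jq` masks curl's exit status in the pipeline; pairing `curl -sf` with `set -o pipefail` at the top of the step, or capturing `-w '%{http_code}'` and treating anything but 200 as a failure, would abort the step rather than mistake a refused request for a missing package, consistent with the `-fsSL --head` check in the `@ -48` hunk. The `if` body and the rest of the step continue outside the hunk, and whether this workflow overrides the runner's default `bash -e` shell is not visible here.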
@ -48,7 +48,7 @@ jobs:
|
|||
|
||||
# Verify the package exists
|
||||
TARBALL="cv-${VERSION}.tar.gz"
|
||||
PACKAGE_URL="https://forge.ops.eblu.me/api/packages/eblume/generic/cv/${VERSION}/${TARBALL}"
|
||||
PACKAGE_URL="https://forge.eblu.me/api/packages/eblume/generic/cv/${VERSION}/${TARBALL}"
|
||||
if ! curl -fsSL --head "$PACKAGE_URL" > /dev/null 2>&1; then
|
||||
echo "Error: Package not found at $PACKAGE_URL"
|
||||
echo "Run the 'Release CV' workflow in the cv repo first."
|
||||
|
|
@ -65,7 +65,7 @@ jobs:
|
|||
VERSION="${{ steps.version.outputs.version }}"
|
||||
TARBALL="cv-${VERSION}.tar.gz"
|
||||
DEPLOYMENT_FILE="argocd/manifests/cv/deployment.yaml"
|
||||
RELEASE_URL="https://forge.ops.eblu.me/api/packages/eblume/generic/cv/${VERSION}/${TARBALL}"
|
||||
RELEASE_URL="https://forge.eblu.me/api/packages/eblume/generic/cv/${VERSION}/${TARBALL}"
|
||||
|
||||
echo "Updating $DEPLOYMENT_FILE with CV_RELEASE_URL..."
|
||||
yq -i "(.spec.template.spec.containers[0].env[] | select(.name == \"CV_RELEASE_URL\")).value = \"${RELEASE_URL}\"" "$DEPLOYMENT_FILE"
|
||||
|
|
|
|||