From d2da346ac0bd56e15c8acb621735f1f5b04aa703 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Tue, 3 Mar 2026 07:50:25 -0800
Subject: [PATCH] Harden Forgejo for public access: domain, proxy trust, registration lockdown

- Set forgejo_domain to forge.eblu.me (public URL in clone URLs)
- Set forgejo_ssh_domain to forge.ops.eblu.me (SSH stays tailnet-only)
- Add REVERSE_PROXY_LIMIT=2, REVERSE_PROXY_TRUSTED_PROXIES=* for correct client IP logging through Fly.io + Tailscale proxy chain
- Enable ALLOW_ONLY_EXTERNAL_REGISTRATION to block local signups

Co-Authored-By: Claude Opus 4.6
---
 ansible/roles/forgejo/defaults/main.yml | 4 ++--
 ansible/roles/forgejo/templates/app.ini.j2 | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/ansible/roles/forgejo/defaults/main.yml b/ansible/roles/forgejo/defaults/main.yml
index 95ffda8..be967aa 100644
--- a/ansible/roles/forgejo/defaults/main.yml
+++ b/ansible/roles/forgejo/defaults/main.yml
@@ -18,8 +18,8 @@ forgejo_log_path: "{{ forgejo_work_path }}/log"
 # Server settings
 forgejo_http_addr: 0.0.0.0
 forgejo_http_port: 3001
-forgejo_domain: forge.ops.eblu.me
-forgejo_ssh_domain: "{{ forgejo_domain }}"
+forgejo_domain: forge.eblu.me
+forgejo_ssh_domain: forge.ops.eblu.me
 forgejo_root_url: "https://{{ forgejo_domain }}/"
 forgejo_offline_mode: true
diff --git a/ansible/roles/forgejo/templates/app.ini.j2 b/ansible/roles/forgejo/templates/app.ini.j2
index 3668827..de931be 100644
--- a/ansible/roles/forgejo/templates/app.ini.j2
+++ b/ansible/roles/forgejo/templates/app.ini.j2
@@ -20,6 +20,8 @@ SSH_LISTEN_PORT = {{ forgejo_ssh_listen_port }}
 LFS_START_SERVER = {{ forgejo_lfs_start_server | lower }}
 LFS_JWT_SECRET = {{ forgejo_lfs_jwt_secret }}
 OFFLINE_MODE = {{ forgejo_offline_mode | lower }}
+REVERSE_PROXY_LIMIT = 2
+REVERSE_PROXY_TRUSTED_PROXIES = *
 
 [database]
 DB_TYPE = {{ forgejo_db_type }}
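Review bot: `REVERSE_PROXY_TRUSTED_PROXIES = *` accepts the forwarded-client headers from any peer, so the correctness of the recorded client address rests on only the Fly.io and Tailscale hops being able to reach the listener; the defaults hunk binds `forgejo_http_addr: 0.0.0.0` on port 3001, so any host that can open that port directly can present an arbitrary client address, and that address is what Forgejo uses for logging and for any IP-keyed controls, not only the access log. `REVERSE_PROXY_LIMIT = 2` bounds how many hops are consumed but does not restrict who may supply them. Since the commit message names the two proxy hops, a CIDR list covering whichever addresses actually connect to 3001 would be the safer default, e.g. `REVERSE_PROXY_TRUSTED_PROXIES = {{ forgejo_reverse_proxy_trusted_proxies | default('*') }}` with the concrete ranges set in defaults/main.yml. If the reverse-proxy authentication option in `[service]` is ever enabled, this trust list is what gates it, so a comment above the line stating why `*` is acceptable in this deployment is worth adding either way.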
@@ -40,7 +42,7 @@ ENABLED = false
 REGISTER_EMAIL_CONFIRM = false
 ENABLE_NOTIFY_MAIL = false
 DISABLE_REGISTRATION = {{ forgejo_disable_registration | lower }}
-ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = true
 ENABLE_CAPTCHA = false
 REQUIRE_SIGNIN_VIEW = {{ forgejo_require_signin_view | lower }}
 DEFAULT_KEEP_EMAIL_PRIVATE = false
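Review bot: `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` is hard-coded while the neighbouring `DISABLE_REGISTRATION` line is templated from `forgejo_disable_registration`, and the lockdown it provides only matters while that variable is false; with it true the new line is inert, and with it false the outcome depends on whether an external auth source is configured, which this hunk does not show. Making it a role variable keeps the two settings visibly coupled: `ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ forgejo_allow_only_external_registration | default(true) | lower }}`, with a one-line comment above it noting that it takes effect only when DISABLE_REGISTRATION is false. A comment in defaults/main.yml naming the external source (if any) through which registrations are expected would also help the next maintainer judge whether local signup is really closed.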