Add Caddy layer4 for Forgejo SSH #56

Merged
eblume merged 4 commits from feature/caddy-layer4-forge into main 2026-01-25 11:37:24 -08:00
Summary

  • Add layer4 TCP proxy configuration to Caddyfile template for SSH services
  • Configure Forgejo SSH on port 2222 → localhost:2200
  • Switch HTTPS from port 8443 (testing) to 443 (production)
  • Requires Caddy rebuilt with github.com/mholt/caddy-l4 plugin

What This Enables

Git+SSH access via forge.ops.eblu.me:2222 is now accessible from:

  • Tailnet clients (gilbert)
  • Docker containers on indri
  • Kubernetes pods in minikube

This solves the DNS resolution issues where containers couldn't reach Tailscale MagicDNS names.

Testing Done

  • Caddy rebuilt with layer4 plugin
  • Validated Caddyfile syntax
  • Cleared svc:forge from tailscale serve
  • Verified HTTPS works: curl https://forge.ops.eblu.me
  • Verified SSH works: ssh -p 2222 forgejo@forge.ops.eblu.me
  • Verified git clone works via new endpoint
  • Verified minikube pods can reach both HTTPS and SSH endpoints

Deployment

Caddy is already running with the new config on indri. This PR captures the ansible changes.

Next Steps

  • Update zk docs with new git remote format
  • Migrate registry and other services to Caddy
  • Retire tailscale_services ansible role

🤖 Generated with Claude Code

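The description lists the resulting layout (layer4 TCP proxy on 2222 forwarding to the Forgejo sshd on localhost:2200, HTTPS moved from 8443 to 443) but the Caddyfile itself is not shown here. The following is an added illustration of that layout, not the template from the blumeops repository: the host name and the 2222/2200/443 ports are taken from the PR, while the Forgejo HTTP upstream (`localhost:3000`) and the `@ssh` matcher are assumptions of this example.

```caddyfile
# Added example, not the repository's Caddyfile template.
# Assumptions: Forgejo's web UI listens on localhost:3000; the build
# includes github.com/mholt/caddy-l4, which provides both the `layer4`
# global option and the `ssh` matcher used below.
{
	# layer4 is a global option, so a stock Caddy binary (without the
	# plugin) will reject this block at `caddy validate` time.
	layer4 {
		# Raw TCP passthrough for git+ssh on the external port.
		# Caddy neither terminates nor inspects SSH here: host-key
		# verification stays end-to-end between the git client and
		# the Forgejo sshd on localhost:2200.
		:2222 {
			# Only forward connections that open with an SSH
			# identification string; anything else on 2222 is dropped.
			@ssh ssh
			route @ssh {
				proxy localhost:2200
			}
		}
	}
}

# HTTPS on 443 (the PR moves off the 8443 testing port). TLS is
# terminated by Caddy; the upstream hop is plain HTTP on loopback.
forge.ops.eblu.me {
	reverse_proxy localhost:3000
}
```

A git remote for this layout takes the form `ssh://forgejo@forge.ops.eblu.me:2222/<owner>/<repo>.git`; the scp-style `user@host:path` syntax cannot carry a non-default port, which is why the PR's "Next Steps" mention updating the documented remote format.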
- Add layer4 TCP proxy configuration to Caddyfile template
- Configure SSH service on port 2222 → localhost:2200 (Forgejo)
- Switch HTTPS port from 8443 (testing) to 443 (production)
- Requires Caddy rebuilt with github.com/mholt/caddy-l4 plugin

This enables git+ssh access via forge.ops.eblu.me:2222, accessible
from tailnet clients, docker containers, and k8s pods alike.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Change domain from forge.tail8d86e.ts.net to forge.ops.eblu.me
- Update SSH_PORT from 22 to 2222 (external port via Caddy L4)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Update CLAUDE.md mirror location
- Update ansible managed header to use new SSH URL with port 2222
- Update Brewfile comment
- Update alloy build instructions
- Update mise tasks (pr-comments, indri-runner-logs, indri-services-check, container-tag-and-release)
- Update nettest connectivity script
- Mark tailscale-operator egress-forge as deprecated (pods can now reach forge directly via Caddy)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Forge has been migrated to Caddy at forge.ops.eblu.me.
Registry remains on tailscale serve until migrated.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
eblume merged commit 1184b4de1d into main 2026-01-25 11:37:24 -08:00
eblume referenced this pull request from a commit 2026-01-25 11:37:25 -08:00
Reference
eblume/blumeops!56