Erich Blume
a87c997ee1
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m28s
## Summary Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service. - **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO) - **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint - **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit - **Authentik:** OAuth callback updated to forge.eblu.me - **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup - **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is) ## Deployment Order 1. `mise run provision-indri -- --tags forgejo` (config changes) 2. Verify forge.ops.eblu.me still works 3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator` 4. Verify `curl https://forge.tail8d86e.ts.net` 5. `cd fly && fly deploy` 6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/` 7. `fly certs add forge.eblu.me -a blumeops-proxy` 8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik` 9. `mise run dns-preview && mise run dns-up` 10. Full verification (see below) 11. Rehearse `mise run fly-shutoff` 12. After merge: reset ArgoCD revisions to main, re-sync ## Verification Checklist - [ ] forge.eblu.me loads, shows public repos - [ ] forge.ops.eblu.me still works from tailnet - [ ] SSH clone via forge.ops.eblu.me:2222 works - [ ] HTTPS clone via forge.eblu.me works - [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH - [ ] /swagger returns 403 - [ ] Rapid login attempts trigger 429 rate limit - [ ] fail2ban bans after 5 failed logins in 10 minutes - [ ] ArgoCD can still sync (SSH unaffected) - [ ] `mise run fly-shutoff` stops all public traffic - [ ] `mise run services-check` passes Reviewed-on: #278
51 lines
1.4 KiB
YAML
51 lines
1.4 KiB
YAML
---
|
|
# Forgejo configuration
|
|
# Secrets are fetched from 1Password in the playbook pre_tasks
|
|
|
|
forgejo_app_name: Forgejo
|
|
forgejo_app_slogan: "Beyond coding. We Forge."
|
|
forgejo_run_user: forgejo
|
|
forgejo_run_mode: prod
|
|
|
|
# Paths (brew-managed for now, will change to mcquack in Phase 3)
|
|
forgejo_work_path: /opt/homebrew/var/forgejo
|
|
forgejo_config_path: "{{ forgejo_work_path }}/custom/conf/app.ini"
|
|
forgejo_data_path: "{{ forgejo_work_path }}/data"
|
|
forgejo_repo_root: "{{ forgejo_data_path }}/forgejo-repositories"
|
|
forgejo_lfs_path: "{{ forgejo_data_path }}/lfs"
|
|
forgejo_log_path: "{{ forgejo_work_path }}/log"
|
|
|
|
# Server settings
|
|
forgejo_http_addr: 0.0.0.0
|
|
forgejo_http_port: 3001
|
|
forgejo_domain: forge.eblu.me
|
|
forgejo_ssh_domain: forge.ops.eblu.me
|
|
forgejo_root_url: "https://{{ forgejo_domain }}/"
|
|
forgejo_offline_mode: true
|
|
|
|
# SSH settings (built-in SSH server)
|
|
forgejo_disable_ssh: false
|
|
forgejo_start_ssh_server: true
|
|
forgejo_builtin_ssh_user: forgejo
|
|
forgejo_ssh_port: 2222
|
|
forgejo_ssh_listen_port: 2200
|
|
forgejo_lfs_start_server: true
|
|
|
|
# Database (SQLite)
|
|
forgejo_db_type: sqlite3
|
|
forgejo_db_path: "{{ forgejo_data_path }}/forgejo.db"
|
|
|
|
# Service settings
|
|
forgejo_disable_registration: true
|
|
forgejo_require_signin_view: false
|
|
|
|
# Session
|
|
forgejo_session_provider: file
|
|
|
|
# Logging
|
|
forgejo_log_mode: console
|
|
forgejo_log_level: info
|
|
|
|
# Actions (Forgejo CI)
|
|
forgejo_actions_enabled: true
|
|
forgejo_actions_default_url: https://code.forgejo.org
|