blumeops/mise-tasks
Erich Blume a87c997ee1
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m28s
Expose Forgejo publicly at forge.eblu.me (#278)
## Summary

Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.

- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)

## Deployment Order

1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync

## Verification Checklist

- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes

Reviewed-on: #278
2026-03-03 08:40:41 -08:00

| Task | Last commit | Last updated |
| --- | --- | --- |
| ai-docs | Bake default display options into ai-docs mise task | 2026-02-25 17:42:47 -08:00 |
| blumeops-tasks | Update tooling dependencies (Feb 2026 cycle) (#254) | 2026-02-23 13:08:41 -08:00 |
| branch-cleanup | Expose Forgejo publicly at forge.eblu.me (#278) | 2026-03-03 08:40:41 -08:00 |
| container-build-and-release | Expose Forgejo publicly at forge.eblu.me (#278) | 2026-03-03 08:40:41 -08:00 |
| container-list | Document container tag provenance and enhance container-list (#263) | 2026-02-24 09:54:58 -08:00 |
| container-version-check | Harden zot registry, pt 1 (#231) | 2026-02-20 22:50:01 -08:00 |
| dns-preview | Add plan and reference card for UniFi Express 7 Pulumi stack (#145) | 2026-02-10 15:36:13 -08:00 |
| dns-up | Add plan and reference card for UniFi Express 7 Pulumi stack (#145) | 2026-02-10 15:36:13 -08:00 |
| docs-check-filenames | Rename `doc-*` mise tasks to `docs-check-*` / `docs-review-*` (#113) | 2026-02-06 07:08:46 -08:00 |
| docs-check-frontmatter | Add agent change process (C0/C1/C2) and docs-mikado tool (#225) | 2026-02-20 08:15:20 -08:00 |
| docs-check-index | Rename `doc-*` mise tasks to `docs-check-*` / `docs-review-*` (#113) | 2026-02-06 07:08:46 -08:00 |
| docs-check-links | docs/expose-service-publicly pt2 - fly.io (#119) | 2026-02-08 00:38:27 -08:00 |
| docs-mikado | Expose Forgejo publicly at forge.eblu.me (#278) | 2026-03-03 08:40:41 -08:00 |
| docs-review | docs-review: print file path instead of content for LLM usage | 2026-02-26 07:24:37 -08:00 |
| docs-review-stale | Update tooling dependencies (Feb 2026 cycle) (#254) | 2026-02-23 13:08:41 -08:00 |
| docs-review-tags | Rename `doc-*` mise tasks to `docs-check-*` / `docs-review-*` (#113) | 2026-02-06 07:08:46 -08:00 |
| ensure-k3s-ringtail-kubectl-config | Add k3s, 1Password Connect, and systemd nix-container-builder to ringtail (#209) | 2026-02-18 21:15:30 -08:00 |
| ensure-minikube-indri-kubectl-config | P5.1: Migrate minikube from podman to QEMU2 driver (#38) | 2026-01-21 16:03:37 -08:00 |
| fly-deploy | Add Fly.io public reverse proxy for docs.eblu.me (#120) | 2026-02-08 02:36:19 -08:00 |
| fly-setup | Expose Forgejo publicly at forge.eblu.me (#278) | 2026-03-03 08:40:41 -08:00 |
| fly-shutoff | Add Fly.io public reverse proxy for docs.eblu.me (#120) | 2026-02-08 02:36:19 -08:00 |
| frigate-export-model | Fix dagger call hanging in mise tasks on interactive terminals (#256) | 2026-02-23 14:15:58 -08:00 |
| mikado-branch-invariant-check | Enforce impl commits can't modify Mikado card files | 2026-03-02 17:44:34 -08:00 |
| mirror-create | Expose Forgejo publicly at forge.eblu.me (#278) | 2026-03-03 08:40:41 -08:00 |
| mirror-update-pats | Add authenticated GitHub PAT for Forgejo mirror sync (#269) | 2026-02-25 20:20:23 -08:00 |
| op-backup | Add how-to guide for restoring 1Password backup from borgmatic (#141) | 2026-02-10 10:55:00 -08:00 |
| pr-comments | Expose Forgejo publicly at forge.eblu.me (#278) | 2026-03-03 08:40:41 -08:00 |
| provision-indri | Set MISE_TASK_OUTPUT=interleave in provision-indri | 2026-01-14 14:15:11 -08:00 |
| provision-ringtail | Fix dagger call hanging in mise tasks on interactive terminals (#256) | 2026-02-23 14:15:58 -08:00 |
| provision-sifaka | Operations and observability for sifaka NAS (#135) | 2026-02-09 17:44:05 -08:00 |
| runner-logs | Expose Forgejo publicly at forge.eblu.me (#278) | 2026-03-03 08:40:41 -08:00 |
| service-review | Update tooling dependencies (Feb 2026 cycle) (#254) | 2026-02-23 13:08:41 -08:00 |
| services-check | Expose Forgejo publicly at forge.eblu.me (#278) | 2026-03-03 08:40:41 -08:00 |
| tailnet-preview | Add plan and reference card for UniFi Express 7 Pulumi stack (#145) | 2026-02-10 15:36:13 -08:00 |
| tailnet-up | Add plan and reference card for UniFi Express 7 Pulumi stack (#145) | 2026-02-10 15:36:13 -08:00 |
| validate-workflows | Fix dagger call hanging in mise tasks on interactive terminals (#256) | 2026-02-23 14:15:58 -08:00 |