diff --git a/2026/2026-07-10--admin-log-origin-forgejo.md b/2026/2026-07-10--admin-log-origin-forgejo.md index d42b5be..48340e6 100644 --- a/2026/2026-07-10--admin-log-origin-forgejo.md +++ b/2026/2026-07-10--admin-log-origin-forgejo.md @@ -29,3 +29,12 @@ Credentials: `koopa-admin-secrets/…/koopa-forgejo/users.env` — not in this r - Forgejo install: `2026-07-10--forgejo-rootless.md` - Secrets sibling: **not** hosted here (private material stays in `koopa-admin-secrets` only) + +## Network (SSH :9200) + +Public git-SSH requires: + +1. VeciGate WAN/hairpin + IPv6 forward **9200** → koopa +2. koopa firewalld **9200/tcp** + +See `2026-07-10--forgejo-rootless.md` (Network exposure) and `../vecigate-admin-log/docs/CHANGELOG.md`. diff --git a/2026/2026-07-10--forgejo-rootless.md b/2026/2026-07-10--forgejo-rootless.md index 1f036d7..fa7e37b 100644 --- a/2026/2026-07-10--forgejo-rootless.md +++ b/2026/2026-07-10--forgejo-rootless.md @@ -62,8 +62,27 @@ sudo caddy validate --config /etc/caddy/Caddyfile sudo systemctl reload caddy ``` +## Network exposure (2026-07-10) + +| Layer | Rule | +|-------|------| +| **VeciGate IPv4** | WAN **9200** → `192.168.100.95:9200`; hairpin LAN/LAN2 → public A:9200 | +| **VeciGate IPv6** | WAN→LAN forward **tcp/9200** | +| **koopa firewalld** | `public` **9200/tcp** | + +Docs: `../vecigate-admin-log` (`ip/firewall/nat/`, `ipv6/firewall/filter/`, `docs/CHANGELOG.md`); +host ports: `configs/firewalld/public-ports.md`. + +```bash +# host +sudo firewall-cmd --permanent --add-port=9200/tcp && sudo firewall-cmd --reload +# client +ssh -p 9200 -T git@git.hacktivism.ch +``` + ## Notes - DNS: `git.hacktivism.ch` → koopa (same family as other `*.hacktivism.ch`). -- Git over SSH: `ssh://git@git.hacktivism.ch:9200/…` (open **9200**/tcp on firewall/router if WAN access needed). +- Git over SSH: `ssh://git@git.hacktivism.ch:9200/…` - Clone URLs advertise `SSH_PORT=9200`; container still listens on internal **2222**. +- Admin-log origin: `hernani/koopa-admin-log` on this Forgejo — see `2026-07-10--admin-log-origin-forgejo.md`. diff --git a/2026/2026-07-10.md b/2026/2026-07-10.md index 49c04b4..752e108 100644 --- a/2026/2026-07-10.md +++ b/2026/2026-07-10.md @@ -7,5 +7,7 @@ → topic: `2026-07-10--bonfire-federate.md`; secrets: `koopa-admin-secrets/…/koopa-bonfire/` - **Forgejo rootless** on `git.hacktivism.ch` (HTTP **9024**, git-SSH **9200**); no free registration; admin `hernani` → topic: `2026-07-10--forgejo-rootless.md`; secrets: `koopa-admin-secrets/…/koopa-forgejo/` +- **git-SSH :9200** exposed: VeciGate DNAT/hairpin + IPv6 forward; koopa firewalld **9200/tcp** + → vecigate-admin-log CHANGELOG 2026-07-10; `configs/firewalld/public-ports.md` - **admin-log origin** → Forgejo `hernani/koopa-admin-log` on git.hacktivism.ch (public; SSH :9200) → topic: `2026-07-10--admin-log-origin-forgejo.md` diff --git a/configs/firewalld/public-ports.md b/configs/firewalld/public-ports.md index ac874c0..278f2c1 100644 --- a/configs/firewalld/public-ports.md +++ b/configs/firewalld/public-ports.md @@ -1,10 +1,10 @@ # firewalld zone public (eno1) -## Current (2026-07-09) +## Current (2026-07-10) ``` firewall-cmd --list-ports -# 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp +# 80/tcp 443/tcp 8080/tcp 9000/tcp 9001/tcp 23235/tcp 9200/tcp ``` | Port | Purpose | @@ -14,9 +14,19 @@ firewall-cmd --list-ports | 9000/tcp | Caddy HTTP (VeciGate IPv4 WAN:80 → 9000) | | 9001/tcp | Caddy HTTPS (VeciGate IPv4 WAN:443 → 9001) | | 8080/tcp | Tor OR | -| 23235/tcp | SSH (VeciGate maps public 23235) | +| 23235/tcp | SSH (VeciGate maps public 23235 → host 22) | +| **9200/tcp** | **Forgejo git-SSH** (VeciGate WAN/hairpin/IPv6 → host 9200 → container 2222) | | dhcpv6-client, ssh | services | +### Add / verify 9200 + +```bash +sudo firewall-cmd --permanent --add-port=9200/tcp +sudo firewall-cmd --reload +sudo firewall-cmd --list-ports +ss -lntp | grep 9200 +``` + ### Why 443 is required again IPv4 public HTTPS is DNAT’d to **9001**, so opening only 9001 was enough. @@ -24,9 +34,17 @@ IPv6 has **no DNAT**: clients hit `2a02:168:53a8:0:d584:9e34:13cf:15d6:443` directly. Without 443/tcp in firewalld, AAAA looked like `ERR_ADDRESS_UNREACHABLE` / connect timeout while IPv4 still worked. +### Why 9200 + +Forgejo advertises `SSH_PORT=9200`. Rootless podman publishes `0.0.0.0:9200→2222`. +VeciGate DNATs WAN:9200 and hairpins public A:9200; IPv6 forwards :9200 to koopa. +Without firewalld **9200/tcp**, external/LAN clients see **connection refused** even +though `ss` shows LISTEN on the host (local-only path still works). + ## History | Port | Note | |------|------| | 443 removed earlier | “old host HTTPS before DNAT to 9001” — re-added 2026-07-09 for IPv6 | | 8082/tcp removed | old Podman ACME | +| **9200/tcp added** | 2026-07-10 Forgejo git-SSH |