From 40ec803464a9ace025c20bb4fd5713b0cdab6c35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hern=C3=A2ni=20Marques?= Date: Fri, 10 Jul 2026 14:41:46 +0200 Subject: [PATCH] docs: Bonfire FEDERATE + Forgejo rootless (git :9024/:9200) --- 2026/2026-07-10--bonfire-federate.md | 61 ++++++++ 2026/2026-07-10--forgejo-rootless.md | 17 ++- 2026/2026-07-10.md | 5 +- README.md | 23 ++- SECRETS.md | 4 +- configs/bonfire/README.md | 12 ++ configs/bonfire/compose.yml | 52 +++++++ configs/caddy/Caddyfile | 207 ++++++++++++++------------ configs/caddy/git.hacktivism.ch.caddy | 2 +- configs/forgejo/README.md | 36 +++++ configs/forgejo/app.ini.example | 79 ++++++++++ configs/ports.md | 11 +- host/overview/services.md | 36 +++-- 13 files changed, 422 insertions(+), 123 deletions(-) create mode 100644 2026/2026-07-10--bonfire-federate.md create mode 100644 configs/bonfire/README.md create mode 100644 configs/bonfire/compose.yml create mode 100644 configs/forgejo/README.md create mode 100644 configs/forgejo/app.ini.example diff --git a/2026/2026-07-10--bonfire-federate.md b/2026/2026-07-10--bonfire-federate.md new file mode 100644 index 0000000..77d0a8e --- /dev/null +++ b/2026/2026-07-10--bonfire-federate.md @@ -0,0 +1,61 @@ +# Bonfire — FEDERATE + public guest access (2026-07-10) + +Follow-up to ground zero: `2026-07-09--bonfire-ground-zero.md`. + +## Change + +| Item | Before | After | +|------|--------|--------| +| `.env` `FEDERATE` | unset | **`true`** | +| Container | recreated | `podman-compose up -d --force-recreate web` | +| `printenv FEDERATE` (web) | — | `true` | +| `HOSTNAME` / compose | `bonfire.hacktivism.ch` | unchanged | +| Port | **9021** → Caddy | unchanged | + +Only new env key vs ground-zero `.env`: **`FEDERATE`**. + +Live: `/home/hernani/koopa-bonfire/.env` (mode 600). +Mirror: `koopa-admin-secrets/koopa/home-hernani/koopa-bonfire/.env`. +Compose mirror: `configs/bonfire/compose.yml`. + +## Intent + +- Allow federation-related runtime paths (`FEDERATE` consumed in Bonfire `runtime.exs` as `true|yes|1`). +- Keep **guest-readable** public surfaces (no login required for explore / profiles that are already public). +- Operator stance: **federation enablement is accepted as OK** even if the UI banner lags. + +## Observed behaviour (after recreate) + +| Check | Result | +|-------|--------| +| Local `http://127.0.0.1:9021/` | 200; guest UI (Explore / Log in) | +| Guest UI banner | still may show **“Federation disabled”** | +| App RPC (earlier probe) | `activity_pub` instance sometimes still `federating: false`, `hostname: "localhost"` despite env | +| Public profile `@foss` | public posts still visible (gitbot / FOSS content) | +| Front / local feed | can be sparse (“That’s all for the last 30 days…”) depending on boundaries / feed window | + +So: **env is set and container healthy**; full ActivityPub “federating=true” in Application config may still need admin UI / deeper config if outbound federation is required later. Not blocking public profile timelines for guests. + +## Ops + +```bash +cd ~/koopa-bonfire +grep ^FEDERATE= .env +podman exec koopa-bonfire printenv FEDERATE HOSTNAME +podman ps --filter name=koopa-bonfire +curl -sS -o /dev/null -w "%{http_code}\n" http://127.0.0.1:9021/ +curl -sS -o /dev/null -w "%{http_code}\n" http://127.0.0.1:9021/@foss +``` + +Recreate web after env change: + +```bash +cd ~/koopa-bonfire +set -a && source .env && set +a +podman-compose up -d --force-recreate web +``` + +## Secrets / log rules + +- Values only in **`koopa-admin-secrets`**, not in this repo. +- Daylog major bullet only (see `2026-07-10.md`). diff --git a/2026/2026-07-10--forgejo-rootless.md b/2026/2026-07-10--forgejo-rootless.md index 85a4663..1f036d7 100644 --- a/2026/2026-07-10--forgejo-rootless.md +++ b/2026/2026-07-10--forgejo-rootless.md @@ -21,6 +21,10 @@ Do **not** switch to the non-rootless `forgejo:11` image under rootless podman: | SSH (git) | host **9200** → container 2222 (direct; not via Caddy) | | ROOT_URL | `https://git.hacktivism.ch/` | | Landing | explore (public browse OK) | +| LE cert | automatic via Caddy (`CN=git.hacktivism.ch`) | + +Compose + redacted `app.ini`: `configs/forgejo/`. +Caddy site block: `configs/caddy/git.hacktivism.ch.caddy` (+ full `configs/caddy/Caddyfile`). ## Access policy @@ -34,7 +38,8 @@ Do **not** switch to the non-rootless `forgejo:11` image under rootless podman: Reserved username `admin` cannot be used; first admin: **`hernani`**. -Passwords: `~/koopa-forgejo/users.env` + DB/secrets in `.env` (mode 600). Mirror: `koopa-admin-secrets/…/koopa-forgejo/`. +Passwords: `~/koopa-forgejo/users.env` + DB/secrets in `.env` (mode 600). +Mirror: `koopa-admin-secrets/koopa/home-hernani/koopa-forgejo/`. ## Start / status @@ -44,13 +49,13 @@ set -a && source .env && set +a podman-compose up -d podman ps --filter name=koopa-forgejo curl -sS http://127.0.0.1:9024/api/healthz +curl -sS https://git.hacktivism.ch/api/healthz ``` ## Caddy (host root) -Site block mirror: `configs/caddy/git.hacktivism.ch.caddy`. - -Also add `http://git.hacktivism.ch` to the shared ACME/redirect host list, then: +Site block live in `/etc/caddy/Caddyfile` (mirror under `configs/caddy/`). +Prefer including `http://git.hacktivism.ch` in the shared ACME/redirect host list. ```bash sudo caddy validate --config /etc/caddy/Caddyfile @@ -59,6 +64,6 @@ sudo systemctl reload caddy ## Notes -- DNS already points `git.hacktivism.ch` at koopa (with other hacktivism names). +- DNS: `git.hacktivism.ch` → koopa (same family as other `*.hacktivism.ch`). - Git over SSH: `ssh://git@git.hacktivism.ch:9200/…` (open **9200**/tcp on firewall/router if WAN access needed). -- Until Caddy is reloaded, only `http://127.0.0.1:9024` works on host. +- Clone URLs advertise `SSH_PORT=9200`; container still listens on internal **2222**. diff --git a/2026/2026-07-10.md b/2026/2026-07-10.md index 1a8f368..27ca1e7 100644 --- a/2026/2026-07-10.md +++ b/2026/2026-07-10.md @@ -3,4 +3,7 @@ - landing mem snapshot fix (pipeline → 0 B) - Caddy redir / → /intro/ (three sites) - SECRETS.md paths only; no secret material in admin-log -- **Forgejo rootless** on `git.hacktivism.ch` (:9024 / SSH :9200); no free registration +- **Bonfire** `FEDERATE=true` (+ web recreate); guest public profiles OK; UI may still say federation disabled + → topic: `2026-07-10--bonfire-federate.md`; secrets: `koopa-admin-secrets/…/koopa-bonfire/` +- **Forgejo rootless** on `git.hacktivism.ch` (HTTP **9024**, git-SSH **9200**); no free registration; admin `hernani` + → topic: `2026-07-10--forgejo-rootless.md`; secrets: `koopa-admin-secrets/…/koopa-forgejo/` diff --git a/README.md b/README.md index d451eb8..721d6a3 100644 --- a/README.md +++ b/README.md @@ -12,9 +12,10 @@ Ops log and config mirror for host **koopa** (openSUSE Tumbleweed). host/ # openSUSE host-level config + overview overview/services.md # graphical service map systemd/ firewalld/ caddy/ network/ -configs/ # mirrored app configs (caddy, taler, …) +configs/ # mirrored app configs (caddy, taler, forgejo, …) taler-merchant/ # overrides + nginx (same tree style as exchange) taler-exchange/ # overrides + coins + forgejo/ # rootless git.hacktivism.ch scripts/ # merchant, exchange, monitoring helpers taler-merchant/ # merchant-model start scripts taler-exchange/ # same model; archive/ = greenfield bootstrap @@ -29,15 +30,20 @@ scripts/ # merchant, exchange, monitoring helpers | `taler-exchange-hacktivism` | exchange | **9011** | | `taler-bank-hacktivism` | libeufin-bank (GOA, no IBAN) | **9012** | | `koopa-castopod` (+ mariadb/redis) | Castopod Fediverse podcast | **9020** | +| `koopa-bonfire` (+ postgres) | Bonfire social | **9021** | +| `koopa-prime` (Jellyfin) | media | **9022** | +| qBittorrent (prime stack) | torrents | **9023** | | `koopa-forgejo` (+ postgres) | **Forgejo rootless** git | **9024** (+ SSH **9200**) | Start model (Taler): **root** `/root/start_base_services_*` → shell as service user → `/usr/local/bin/start_*.sh [--restart]`. -Start model (Castopod): `hernani` → `cd ~/koopa-castopod && podman-compose up -d`. +Start model (user apps): `hernani` → `cd ~/koopa-{castopod,bonfire,prime,forgejo} && podman-compose up -d`. -Public hosts: `taler.` / `exchange.` / `bank.` / `castopod.` / **`git.hacktivism.ch`** (Caddy → 9010–9012 / 9020 / **9024**). +Public hosts: `taler.` / `exchange.` / `bank.` / `castopod.` / `bonfire.` / `prime.` / `bt.` / **`git.hacktivism.ch`** +(Caddy → 9010–9015 / 9020–**9024**; git-SSH host **9200** direct). -Service **details**: `configs/taler-*`, `scripts/*`. +Service **details**: `configs/taler-*`, `configs/forgejo/`, `scripts/*`. Host-wide picture: **`host/overview/services.md`**. +Port table: **`configs/ports.md`**. Router: **`../vecigate-admin-log`**. **Benchmarks** (drive from the local machine, measure on koopa): **`benchmarks/`** @@ -50,4 +56,11 @@ Router: **`../vecigate-admin-log`**. `configs/taler-exchange/README.md` (section "/keys, Wire and Account"). **Castopod pilot content (FOSS Airwaves, user ngi, free licenses):** -`2026/2026-07-09--castopod-content.md` → https://castopod.hacktivism.ch` / **`git.hacktivism.ch/@foss +`2026/2026-07-09--castopod-content.md` → https://castopod.hacktivism.ch/ + +**Bonfire FEDERATE + guest public (2026-07-10):** +`2026/2026-07-10--bonfire-federate.md` → https://bonfire.hacktivism.ch/ +(ground zero: `2026/2026-07-09--bonfire-ground-zero.md`) + +**Forgejo rootless (git.hacktivism.ch, no free registration, SSH :9200):** +`2026/2026-07-10--forgejo-rootless.md` → https://git.hacktivism.ch/ diff --git a/SECRETS.md b/SECRETS.md index 9fda90b..902cca5 100644 --- a/SECRETS.md +++ b/SECRETS.md @@ -18,9 +18,9 @@ Live passwords/keys live in sibling **`koopa-admin-secrets`**. | What | Mirror | Live | |------|--------|------| | Castopod | `koopa/home-hernani/koopa-castopod/{.env,users.env}` | `~/koopa-castopod/` | -| Bonfire | `koopa/home-hernani/koopa-bonfire/{.env,users.env}` | `~/koopa-bonfire/` | +| Bonfire (`FEDERATE=true`) | `koopa/home-hernani/koopa-bonfire/{.env,users.env,compose.yml}` | `~/koopa-bonfire/` | | Prime (Jellyfin + qBittorrent) | `koopa/home-hernani/koopa-prime/{.env,users.env}` | `~/koopa-prime/` | -| Forgejo (**rootless**) | `koopa/home-hernani/koopa-forgejo/{.env,users.env}` | `~/koopa-forgejo/` | +| Forgejo (**rootless**, git.hacktivism.ch) | `koopa/home-hernani/koopa-forgejo/{.env,users.env,compose.yml}` | `~/koopa-forgejo/` | ## Rules diff --git a/configs/bonfire/README.md b/configs/bonfire/README.md new file mode 100644 index 0000000..61b8b3d --- /dev/null +++ b/configs/bonfire/README.md @@ -0,0 +1,12 @@ +# Bonfire — bonfire.hacktivism.ch + +| Item | Value | +|------|--------| +| Live | `/home/hernani/koopa-bonfire/` | +| Image | `bonfirenetworks/bonfire:1.0.5-social-amd64` | +| Port | **9021** → Caddy | +| Compose | `compose.yml` (this dir) | +| Ground zero | `2026/2026-07-09--bonfire-ground-zero.md` | +| FEDERATE (2026-07-10) | `2026/2026-07-10--bonfire-federate.md` | + +Secrets: `koopa-admin-secrets/…/koopa-bonfire/{.env,users.env}`. diff --git a/configs/bonfire/compose.yml b/configs/bonfire/compose.yml new file mode 100644 index 0000000..afd8fe8 --- /dev/null +++ b/configs/bonfire/compose.yml @@ -0,0 +1,52 @@ +# koopa-bonfire — ground zero (host Caddy → :9021) +services: + web: + image: docker.io/bonfirenetworks/bonfire:1.0.5-social-amd64 + container_name: koopa-bonfire + restart: unless-stopped + env_file: [.env] + environment: + POSTGRES_HOST: db + HOSTNAME: bonfire.hacktivism.ch + PUBLIC_PORT: "443" + SERVER_PORT: "4000" + DB_MIGRATE_INDEXES_CONCURRENTLY: "false" + MIX_ENV: prod + ports: + - "9021:4000" + volumes: + - ./data/uploads:/opt/app/data/uploads + depends_on: + db: + condition: service_healthy + labels: + org.hacktivism.service: bonfire + org.hacktivism.host_port: "9021" + org.hacktivism.site: bonfire.hacktivism.ch + org.hacktivism.managed_by: koopa-admin + healthcheck: + test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:4000/ || exit 1"] + interval: 30s + timeout: 10s + retries: 15 + start_period: 180s + + db: + image: docker.io/library/postgres:15-alpine + container_name: koopa-bonfire-db + restart: unless-stopped + env_file: [.env] + environment: + POSTGRES_USER: postgres + POSTGRES_DB: bonfire_db + volumes: + - db-data:/var/lib/postgresql/data + healthcheck: + test: ["CMD-SHELL", "pg_isready -U postgres -d bonfire_db"] + interval: 5s + timeout: 5s + retries: 20 + start_period: 10s + +volumes: + db-data: diff --git a/configs/caddy/Caddyfile b/configs/caddy/Caddyfile index 15d141b..18f4914 100644 --- a/configs/caddy/Caddyfile +++ b/configs/caddy/Caddyfile @@ -1,140 +1,155 @@ # Internal only (not in the browser URL): # 9010 merchant API | 9011 exchange API | 9012 bank API # 9013 bank landing | 9014 exchange landing | 9015 merchant landing -# 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt +# 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt | 9024 forgejo | 9200 forgejo-ssh { - email info+koopa@hacktivism.ch - http_port 9000 - https_port 9001 - auto_https disable_redirects - # Caddy listens on 9001 behind VeciGate/https-proxy :443. - # Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443. - servers { - protocols h1 h2 - } + email info+koopa@hacktivism.ch + http_port 9000 + https_port 9001 + auto_https disable_redirects + # Caddy listens on 9001 behind VeciGate/https-proxy :443. + # Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443. + servers { + protocols h1 h2 + } } (proxy_public) { - header_up Host {host} - header_up X-Forwarded-Host {host} - header_up X-Forwarded-Proto {scheme} - header_up X-Forwarded-Port 443 - header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1" + header_up Host {host} + header_up X-Forwarded-Host {host} + header_up X-Forwarded-Proto {scheme} + header_up X-Forwarded-Port 443 + header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1" } taler.hacktivism.ch { - tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem - header Alt-Svc "clear" + tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem + header Alt-Svc "clear" - # Public landing first - redir / /intro/ 302 + # Public landing first + redir / /intro/ 302 - handle /intro* { - reverse_proxy 127.0.0.1:9015 { - import proxy_public - } - } + handle /intro* { + reverse_proxy 127.0.0.1:9015 { + import proxy_public + } + } - # SPA: /webui → /webui/ - redir /webui /webui/ 302 + # SPA: /webui → /webui/ + redir /webui /webui/ 302 - # Merchant API + WebUI (nginx :9010 → unix socket) - reverse_proxy https://127.0.0.1:9010 { - transport http { - tls_insecure_skip_verify - } - import proxy_public - } + # Merchant API + WebUI (nginx :9010 → unix socket) + reverse_proxy https://127.0.0.1:9010 { + transport http { + tls_insecure_skip_verify + } + import proxy_public + } } exchange.hacktivism.ch { - tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem - header Alt-Svc "clear" + tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem + header Alt-Svc "clear" - # Public landing first - redir / /intro/ 302 + # Public landing first + redir / /intro/ 302 - handle /intro* { - reverse_proxy 127.0.0.1:9014 { - import proxy_public - } - } + handle /intro* { + reverse_proxy 127.0.0.1:9014 { + import proxy_public + } + } - reverse_proxy 127.0.0.1:9011 { - import proxy_public - } + reverse_proxy 127.0.0.1:9011 { + import proxy_public + } } bank.hacktivism.ch { - header Alt-Svc "clear" + header Alt-Svc "clear" - # Public landing first - redir / /intro/ 302 + # Public landing first + redir / /intro/ 302 - handle /intro* { - reverse_proxy 127.0.0.1:9013 { - import proxy_public - } - } + handle /intro* { + reverse_proxy 127.0.0.1:9013 { + import proxy_public + } + } - # Static terms/privacy on landing nginx :9013 (optional; needs locations there) - handle /terms* { - reverse_proxy 127.0.0.1:9013 { - import proxy_public - } - } - handle /privacy* { - reverse_proxy 127.0.0.1:9013 { - import proxy_public - } - } + # Static terms/privacy on landing nginx :9013 + handle /terms* { + reverse_proxy 127.0.0.1:9013 { + import proxy_public + } + } + handle /privacy* { + reverse_proxy 127.0.0.1:9013 { + import proxy_public + } + } - reverse_proxy 127.0.0.1:9012 { - import proxy_public - } + reverse_proxy 127.0.0.1:9012 { + import proxy_public + } } castopod.hacktivism.ch { - header Alt-Svc "clear" - reverse_proxy 127.0.0.1:9020 { - header_up Host {host} - header_up X-Forwarded-For {remote_host} - } + header Alt-Svc "clear" + reverse_proxy 127.0.0.1:9020 { + header_up Host {host} + header_up X-Forwarded-For {remote_host} + } } bonfire.hacktivism.ch { - header Alt-Svc "clear" - reverse_proxy 127.0.0.1:9021 { - header_up Host {host} - header_up X-Forwarded-For {remote_host} - flush_interval -1 - } + header Alt-Svc "clear" + reverse_proxy 127.0.0.1:9021 { + header_up Host {host} + header_up X-Forwarded-For {remote_host} + flush_interval -1 + } } prime.hacktivism.ch { - header Alt-Svc "clear" - reverse_proxy 127.0.0.1:9022 { - header_up Host {host} - header_up X-Forwarded-For {remote_host} - flush_interval -1 - } + header Alt-Svc "clear" + reverse_proxy 127.0.0.1:9022 { + header_up Host {host} + header_up X-Forwarded-For {remote_host} + flush_interval -1 + } } bt.hacktivism.ch { - header Alt-Svc "clear" - reverse_proxy 127.0.0.1:9023 { - header_up Host {host} - header_up X-Forwarded-For {remote_host} - } + header Alt-Svc "clear" + reverse_proxy 127.0.0.1:9023 { + header_up Host {host} + header_up X-Forwarded-For {remote_host} + } } http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch, http://castopod.hacktivism.ch, http://bonfire.hacktivism.ch, http://prime.hacktivism.ch, http://bt.hacktivism.ch { - handle /.well-known/acme-challenge/* { - root * /var/www/acme - file_server - } - handle { - redir https://{host}{uri} permanent - } + handle /.well-known/acme-challenge/* { + root * /var/www/acme + file_server + } + handle { + redir https://{host}{uri} permanent + } +} + +# 9024 forgejo HTTP (SSH :9200 host-direct, not via Caddy) +git.hacktivism.ch { + header Alt-Svc "clear" + reverse_proxy 127.0.0.1:9024 { + header_up Host {host} + header_up X-Forwarded-For {remote_host} + header_up X-Forwarded-Proto {scheme} + flush_interval -1 + transport http { + read_timeout 3600s + write_timeout 3600s + } + } } diff --git a/configs/caddy/git.hacktivism.ch.caddy b/configs/caddy/git.hacktivism.ch.caddy index 602ff1f..3addce5 100644 --- a/configs/caddy/git.hacktivism.ch.caddy +++ b/configs/caddy/git.hacktivism.ch.caddy @@ -1,5 +1,5 @@ # 9024 forgejo HTTP (SSH :9200 host-direct, not via Caddy) -# Apply on host: merge into /etc/caddy/Caddyfile, validate, reload +# Live: merged into /etc/caddy/Caddyfile (see also full Caddyfile mirror) git.hacktivism.ch { header Alt-Svc "clear" reverse_proxy 127.0.0.1:9024 { diff --git a/configs/forgejo/README.md b/configs/forgejo/README.md new file mode 100644 index 0000000..54624c0 --- /dev/null +++ b/configs/forgejo/README.md @@ -0,0 +1,36 @@ +# Forgejo — git.hacktivism.ch + +**Rootless** install (image + rootless podman as `hernani`). Details: `2026/2026-07-10--forgejo-rootless.md`. + +| Item | Value | +|------|--------| +| Live path | `/home/hernani/koopa-forgejo/` | +| Compose | `compose.yml` (this dir = mirror) | +| Image | `codeberg.org/forgejo/forgejo:11-rootless` | +| HTTP | **9024** → Caddy `git.hacktivism.ch` | +| Git SSH | **9200** → container 2222 (not via Caddy) | +| DB | `koopa-forgejo-db` postgres:16-alpine | +| Registration | **disabled** (admin-created users only) | +| Admin user | `hernani` (not reserved name `admin`) | + +## Files here + +| File | Notes | +|------|--------| +| `compose.yml` | live mirror | +| `app.ini.example` | redacted live `data/custom/conf/app.ini` (`@inline-secret@`) | + +## Secrets + +`koopa-admin-secrets/koopa/home-hernani/koopa-forgejo/{.env,users.env}` +→ live `~/koopa-forgejo/`. + +## Ops + +```bash +cd ~/koopa-forgejo +set -a && source .env && set +a +podman-compose up -d +curl -sS http://127.0.0.1:9024/api/healthz +# SSH clone: ssh://git@git.hacktivism.ch:9200//.git +``` diff --git a/configs/forgejo/app.ini.example b/configs/forgejo/app.ini.example new file mode 100644 index 0000000..4758efe --- /dev/null +++ b/configs/forgejo/app.ini.example @@ -0,0 +1,79 @@ +APP_NAME = hacktivism git +RUN_USER = git +RUN_MODE = prod +WORK_PATH = /var/lib/gitea + +[repository] +ROOT = /var/lib/gitea/git/repositories +ENABLE_PUSH_CREATE_USER = true +ENABLE_PUSH_CREATE_ORG = true +DEFAULT_PRIVATE = public + +[repository.local] +LOCAL_COPY_PATH = /tmp/gitea/local-repo + +[repository.upload] +TEMP_PATH = /tmp/gitea/uploads + +[server] +APP_DATA_PATH = /var/lib/gitea +SSH_DOMAIN = git.hacktivism.ch +HTTP_PORT = 3000 +ROOT_URL = https://git.hacktivism.ch/ +DISABLE_SSH = false +; In rootless gitea container only internal ssh server is supported +START_SSH_SERVER = true +SSH_PORT = 9200 +SSH_LISTEN_PORT = 2222 +BUILTIN_SSH_SERVER_USER = git +LFS_START_SERVER = +DOMAIN = git.hacktivism.ch +LANDING_PAGE = explore + +[database] +PATH = /var/lib/gitea/data/gitea.db +DB_TYPE = postgres +HOST = db:5432 +NAME = forgejo +USER = forgejo +PASSWD = @inline-secret@ + +[session] +PROVIDER_CONFIG = /var/lib/gitea/data/sessions +PROVIDER = memory + +[picture] +AVATAR_UPLOAD_PATH = /var/lib/gitea/data/avatars +REPOSITORY_AVATAR_UPLOAD_PATH = /var/lib/gitea/data/repo-avatars + +[attachment] +PATH = /var/lib/gitea/data/attachments + +[log] +ROOT_PATH = /var/lib/gitea/data/log +LEVEL = Info + +[security] +INSTALL_LOCK = true +SECRET_KEY = @inline-secret@ +REVERSE_PROXY_LIMIT = 1 +REVERSE_PROXY_TRUSTED_PROXIES = * +INTERNAL_TOKEN = @inline-secret@ + +[service] +DISABLE_REGISTRATION = true +REQUIRE_SIGNIN_VIEW = false +SHOW_REGISTRATION_BUTTON = false +DEFAULT_ALLOW_CREATE_ORGANIZATION = true +ALLOW_ONLY_EXTERNAL_REGISTRATION = false + +[lfs] +PATH = /var/lib/gitea/git/lfs + +[openid] +ENABLE_OPENID_SIGNUP = false +ENABLE_OPENID_SIGNIN = false + +[oauth2] +JWT_SECRET = @inline-secret@ + diff --git a/configs/ports.md b/configs/ports.md index 8b48de2..926ac2b 100644 --- a/configs/ports.md +++ b/configs/ports.md @@ -10,10 +10,15 @@ | 9010 | podman `taler-hacktivism` (merchant nginx TLS) — **not** in firewalld | | 9011 | podman `taler-exchange-hacktivism` (exchange httpd) — **not** in firewalld | | 9012 | podman `taler-bank-hacktivism` (libeufin-bank) — **not** in firewalld | -| 9020 | podman `koopa-castopod` (HTTP) → Caddy `castopod.hacktivism.ch` | +| 9013–9015 | bank / exchange / merchant public landings | +| 9020 | podman `koopa-castopod` → Caddy `castopod.hacktivism.ch` | | 9021 | podman `koopa-bonfire` → Caddy `bonfire.hacktivism.ch` | +| 9022 | podman `koopa-prime` (Jellyfin) → Caddy `prime.hacktivism.ch` | +| 9023 | podman qBittorrent → Caddy `bt.hacktivism.ch` | +| **9024** | podman **`koopa-forgejo`** (HTTP) → Caddy **`git.hacktivism.ch`** | +| **9200** | podman **Forgejo git-SSH** (host-direct; not Caddy) | | 8080 | Tor ORPort | VeciGate: WAN **80→9000**, WAN **443→9001**. -Public Taler: Caddy vhosts on **9001** → 127.0.0.1:{9010,9011,9012}. -Planned SM: Caddy → 127.0.0.1:9020+ (not deployed yet). +Public apps: Caddy vhosts on **9001** → 127.0.0.1:{9010–9015, 9020–9024}. +Git SSH needs separate NAT/firewall **9200/tcp** if exposed to WAN. diff --git a/host/overview/services.md b/host/overview/services.md index e1fbbfb..5811383 100644 --- a/host/overview/services.md +++ b/host/overview/services.md @@ -24,9 +24,15 @@ flowchart TB FW["firewalld public\n9000,9001,80,8080,ssh"] end - subgraph Podman["podman (hernani)"] - Merch["taler-hacktivism\n:9010 nginx TLS"] - Exch["taler-exchange-hacktivism\n:9011 exchange-httpd"] + subgraph Podman["podman rootless (hernani)"] + Merch["taler-hacktivism\n:9010"] + Exch["taler-exchange-hacktivism\n:9011"] + Bank["taler-bank-hacktivism\n:9012"] + Castopod["koopa-castopod\n:9020"] + Bonfire["koopa-bonfire\n:9021"] + Prime["koopa-prime jellyfin\n:9022"] + BT["qbittorrent\n:9023"] + Forgejo["koopa-forgejo ROOTLESS\n:9024 HTTP / :9200 SSH"] end Tor["tor ORPort :8080"] @@ -45,9 +51,12 @@ flowchart TB CaddyHTTP -->|other| Redir[301 HTTPS] CaddyHTTPS -->|taler.hacktivism.ch| Merch CaddyHTTPS -->|exchange.hacktivism.ch| Exch - - Merch --> MSock["unix merchant-http.sock"] - Exch --> EDB["postgresql + secmods"] + CaddyHTTPS -->|bank.hacktivism.ch| Bank + CaddyHTTPS -->|castopod.hacktivism.ch| Castopod + CaddyHTTPS -->|bonfire.hacktivism.ch| Bonfire + CaddyHTTPS -->|prime.hacktivism.ch| Prime + CaddyHTTPS -->|bt.hacktivism.ch| BT + CaddyHTTPS -->|git.hacktivism.ch| Forgejo ``` ## Port table @@ -59,10 +68,19 @@ flowchart TB | 443 | systemd socket | → 127.0.0.1:**9001** | | 9000 | caddy | HTTP + ACME | | 9001 | caddy | HTTPS vhosts | -| 9010 | podman pasta | **merchant** nginx | -| 9011 | podman pasta | **exchange** httpd | +| 9010 | podman | **merchant** nginx | +| 9011 | podman | **exchange** httpd | +| 9012 | podman | **bank** libeufin | +| 9020 | podman | **castopod** | +| 9021 | podman | **bonfire** | +| 9022 | podman | **jellyfin** (prime) | +| 9023 | podman | **qbittorrent** (bt) | +| **9024** | podman | **forgejo** HTTP → `git.hacktivism.ch` | +| **9200** | podman | **forgejo** git-SSH (host-direct) | | 8080 | tor | ORPort | +Full port notes: `configs/ports.md`. + ## Service index (details elsewhere) | Service | Detail docs | @@ -72,6 +90,6 @@ flowchart TB | systemd proxies | `host/systemd/` | | Merchant container | `configs/taler-merchant/`, `scripts/taler-merchant/` | | Exchange container | `configs/taler-exchange/`, `scripts/taler-exchange/` | - +| **Forgejo rootless** | `configs/forgejo/`, `2026/2026-07-10--forgejo-rootless.md` | | Tor monitoring scripts | `scripts/monitoring/` | | VeciGate NAT | `../vecigate-admin-log/ip/firewall/nat/` |