docs: Bonfire FEDERATE + Forgejo rootless (git :9024/:9200)

This commit is contained in:
Hernâni Marques 2026-07-10 14:41:46 +02:00
parent b0efda7731
commit 40ec803464
No known key found for this signature in database
13 changed files with 422 additions and 123 deletions

12
configs/bonfire/README.md Normal file
View file

@ -0,0 +1,12 @@
# Bonfire — bonfire.hacktivism.ch
| Item | Value |
|------|--------|
| Live | `/home/hernani/koopa-bonfire/` |
| Image | `bonfirenetworks/bonfire:1.0.5-social-amd64` |
| Port | **9021** → Caddy |
| Compose | `compose.yml` (this dir) |
| Ground zero | `2026/2026-07-09--bonfire-ground-zero.md` |
| FEDERATE (2026-07-10) | `2026/2026-07-10--bonfire-federate.md` |
Secrets: `koopa-admin-secrets/…/koopa-bonfire/{.env,users.env}`.

View file

@ -0,0 +1,52 @@
# koopa-bonfire — ground zero (host Caddy → :9021)
services:
web:
image: docker.io/bonfirenetworks/bonfire:1.0.5-social-amd64
container_name: koopa-bonfire
restart: unless-stopped
env_file: [.env]
environment:
POSTGRES_HOST: db
HOSTNAME: bonfire.hacktivism.ch
PUBLIC_PORT: "443"
SERVER_PORT: "4000"
DB_MIGRATE_INDEXES_CONCURRENTLY: "false"
MIX_ENV: prod
ports:
- "9021:4000"
volumes:
- ./data/uploads:/opt/app/data/uploads
depends_on:
db:
condition: service_healthy
labels:
org.hacktivism.service: bonfire
org.hacktivism.host_port: "9021"
org.hacktivism.site: bonfire.hacktivism.ch
org.hacktivism.managed_by: koopa-admin
healthcheck:
test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:4000/ || exit 1"]
interval: 30s
timeout: 10s
retries: 15
start_period: 180s
db:
image: docker.io/library/postgres:15-alpine
container_name: koopa-bonfire-db
restart: unless-stopped
env_file: [.env]
environment:
POSTGRES_USER: postgres
POSTGRES_DB: bonfire_db
volumes:
- db-data:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres -d bonfire_db"]
interval: 5s
timeout: 5s
retries: 20
start_period: 10s
volumes:
db-data:

View file

@ -1,140 +1,155 @@
# Internal only (not in the browser URL):
# 9010 merchant API | 9011 exchange API | 9012 bank API
# 9013 bank landing | 9014 exchange landing | 9015 merchant landing
# 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt
# 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt | 9024 forgejo | 9200 forgejo-ssh
{
email info+koopa@hacktivism.ch
http_port 9000
https_port 9001
auto_https disable_redirects
# Caddy listens on 9001 behind VeciGate/https-proxy :443.
# Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443.
servers {
protocols h1 h2
}
email info+koopa@hacktivism.ch
http_port 9000
https_port 9001
auto_https disable_redirects
# Caddy listens on 9001 behind VeciGate/https-proxy :443.
# Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443.
servers {
protocols h1 h2
}
}
(proxy_public) {
header_up Host {host}
header_up X-Forwarded-Host {host}
header_up X-Forwarded-Proto {scheme}
header_up X-Forwarded-Port 443
header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1"
header_up Host {host}
header_up X-Forwarded-Host {host}
header_up X-Forwarded-Proto {scheme}
header_up X-Forwarded-Port 443
header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1"
}
taler.hacktivism.ch {
tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
header Alt-Svc "clear"
tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
header Alt-Svc "clear"
# Public landing first
redir / /intro/ 302
# Public landing first
redir / /intro/ 302
handle /intro* {
reverse_proxy 127.0.0.1:9015 {
import proxy_public
}
}
handle /intro* {
reverse_proxy 127.0.0.1:9015 {
import proxy_public
}
}
# SPA: /webui → /webui/
redir /webui /webui/ 302
# SPA: /webui → /webui/
redir /webui /webui/ 302
# Merchant API + WebUI (nginx :9010 → unix socket)
reverse_proxy https://127.0.0.1:9010 {
transport http {
tls_insecure_skip_verify
}
import proxy_public
}
# Merchant API + WebUI (nginx :9010 → unix socket)
reverse_proxy https://127.0.0.1:9010 {
transport http {
tls_insecure_skip_verify
}
import proxy_public
}
}
exchange.hacktivism.ch {
tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem
header Alt-Svc "clear"
tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem
header Alt-Svc "clear"
# Public landing first
redir / /intro/ 302
# Public landing first
redir / /intro/ 302
handle /intro* {
reverse_proxy 127.0.0.1:9014 {
import proxy_public
}
}
handle /intro* {
reverse_proxy 127.0.0.1:9014 {
import proxy_public
}
}
reverse_proxy 127.0.0.1:9011 {
import proxy_public
}
reverse_proxy 127.0.0.1:9011 {
import proxy_public
}
}
bank.hacktivism.ch {
header Alt-Svc "clear"
header Alt-Svc "clear"
# Public landing first
redir / /intro/ 302
# Public landing first
redir / /intro/ 302
handle /intro* {
reverse_proxy 127.0.0.1:9013 {
import proxy_public
}
}
handle /intro* {
reverse_proxy 127.0.0.1:9013 {
import proxy_public
}
}
# Static terms/privacy on landing nginx :9013 (optional; needs locations there)
handle /terms* {
reverse_proxy 127.0.0.1:9013 {
import proxy_public
}
}
handle /privacy* {
reverse_proxy 127.0.0.1:9013 {
import proxy_public
}
}
# Static terms/privacy on landing nginx :9013
handle /terms* {
reverse_proxy 127.0.0.1:9013 {
import proxy_public
}
}
handle /privacy* {
reverse_proxy 127.0.0.1:9013 {
import proxy_public
}
}
reverse_proxy 127.0.0.1:9012 {
import proxy_public
}
reverse_proxy 127.0.0.1:9012 {
import proxy_public
}
}
castopod.hacktivism.ch {
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9020 {
header_up Host {host}
header_up X-Forwarded-For {remote_host}
}
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9020 {
header_up Host {host}
header_up X-Forwarded-For {remote_host}
}
}
bonfire.hacktivism.ch {
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9021 {
header_up Host {host}
header_up X-Forwarded-For {remote_host}
flush_interval -1
}
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9021 {
header_up Host {host}
header_up X-Forwarded-For {remote_host}
flush_interval -1
}
}
prime.hacktivism.ch {
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9022 {
header_up Host {host}
header_up X-Forwarded-For {remote_host}
flush_interval -1
}
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9022 {
header_up Host {host}
header_up X-Forwarded-For {remote_host}
flush_interval -1
}
}
bt.hacktivism.ch {
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9023 {
header_up Host {host}
header_up X-Forwarded-For {remote_host}
}
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9023 {
header_up Host {host}
header_up X-Forwarded-For {remote_host}
}
}
http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch, http://castopod.hacktivism.ch, http://bonfire.hacktivism.ch, http://prime.hacktivism.ch, http://bt.hacktivism.ch {
handle /.well-known/acme-challenge/* {
root * /var/www/acme
file_server
}
handle {
redir https://{host}{uri} permanent
}
handle /.well-known/acme-challenge/* {
root * /var/www/acme
file_server
}
handle {
redir https://{host}{uri} permanent
}
}
# 9024 forgejo HTTP (SSH :9200 host-direct, not via Caddy)
git.hacktivism.ch {
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9024 {
header_up Host {host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
flush_interval -1
transport http {
read_timeout 3600s
write_timeout 3600s
}
}
}

View file

@ -1,5 +1,5 @@
# 9024 forgejo HTTP (SSH :9200 host-direct, not via Caddy)
# Apply on host: merge into /etc/caddy/Caddyfile, validate, reload
# Live: merged into /etc/caddy/Caddyfile (see also full Caddyfile mirror)
git.hacktivism.ch {
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9024 {

36
configs/forgejo/README.md Normal file
View file

@ -0,0 +1,36 @@
# Forgejo — git.hacktivism.ch
**Rootless** install (image + rootless podman as `hernani`). Details: `2026/2026-07-10--forgejo-rootless.md`.
| Item | Value |
|------|--------|
| Live path | `/home/hernani/koopa-forgejo/` |
| Compose | `compose.yml` (this dir = mirror) |
| Image | `codeberg.org/forgejo/forgejo:11-rootless` |
| HTTP | **9024** → Caddy `git.hacktivism.ch` |
| Git SSH | **9200** → container 2222 (not via Caddy) |
| DB | `koopa-forgejo-db` postgres:16-alpine |
| Registration | **disabled** (admin-created users only) |
| Admin user | `hernani` (not reserved name `admin`) |
## Files here
| File | Notes |
|------|--------|
| `compose.yml` | live mirror |
| `app.ini.example` | redacted live `data/custom/conf/app.ini` (`@inline-secret@`) |
## Secrets
`koopa-admin-secrets/koopa/home-hernani/koopa-forgejo/{.env,users.env}`
→ live `~/koopa-forgejo/`.
## Ops
```bash
cd ~/koopa-forgejo
set -a && source .env && set +a
podman-compose up -d
curl -sS http://127.0.0.1:9024/api/healthz
# SSH clone: ssh://git@git.hacktivism.ch:9200/<user>/<repo>.git
```

View file

@ -0,0 +1,79 @@
APP_NAME = hacktivism git
RUN_USER = git
RUN_MODE = prod
WORK_PATH = /var/lib/gitea
[repository]
ROOT = /var/lib/gitea/git/repositories
ENABLE_PUSH_CREATE_USER = true
ENABLE_PUSH_CREATE_ORG = true
DEFAULT_PRIVATE = public
[repository.local]
LOCAL_COPY_PATH = /tmp/gitea/local-repo
[repository.upload]
TEMP_PATH = /tmp/gitea/uploads
[server]
APP_DATA_PATH = /var/lib/gitea
SSH_DOMAIN = git.hacktivism.ch
HTTP_PORT = 3000
ROOT_URL = https://git.hacktivism.ch/
DISABLE_SSH = false
; In rootless gitea container only internal ssh server is supported
START_SSH_SERVER = true
SSH_PORT = 9200
SSH_LISTEN_PORT = 2222
BUILTIN_SSH_SERVER_USER = git
LFS_START_SERVER =
DOMAIN = git.hacktivism.ch
LANDING_PAGE = explore
[database]
PATH = /var/lib/gitea/data/gitea.db
DB_TYPE = postgres
HOST = db:5432
NAME = forgejo
USER = forgejo
PASSWD = @inline-secret@
[session]
PROVIDER_CONFIG = /var/lib/gitea/data/sessions
PROVIDER = memory
[picture]
AVATAR_UPLOAD_PATH = /var/lib/gitea/data/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /var/lib/gitea/data/repo-avatars
[attachment]
PATH = /var/lib/gitea/data/attachments
[log]
ROOT_PATH = /var/lib/gitea/data/log
LEVEL = Info
[security]
INSTALL_LOCK = true
SECRET_KEY = @inline-secret@
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = @inline-secret@
[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = false
SHOW_REGISTRATION_BUTTON = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
[lfs]
PATH = /var/lib/gitea/git/lfs
[openid]
ENABLE_OPENID_SIGNUP = false
ENABLE_OPENID_SIGNIN = false
[oauth2]
JWT_SECRET = @inline-secret@

View file

@ -10,10 +10,15 @@
| 9010 | podman `taler-hacktivism` (merchant nginx TLS) — **not** in firewalld |
| 9011 | podman `taler-exchange-hacktivism` (exchange httpd) — **not** in firewalld |
| 9012 | podman `taler-bank-hacktivism` (libeufin-bank) — **not** in firewalld |
| 9020 | podman `koopa-castopod` (HTTP) → Caddy `castopod.hacktivism.ch` |
| 90139015 | bank / exchange / merchant public landings |
| 9020 | podman `koopa-castopod` → Caddy `castopod.hacktivism.ch` |
| 9021 | podman `koopa-bonfire` → Caddy `bonfire.hacktivism.ch` |
| 9022 | podman `koopa-prime` (Jellyfin) → Caddy `prime.hacktivism.ch` |
| 9023 | podman qBittorrent → Caddy `bt.hacktivism.ch` |
| **9024** | podman **`koopa-forgejo`** (HTTP) → Caddy **`git.hacktivism.ch`** |
| **9200** | podman **Forgejo git-SSH** (host-direct; not Caddy) |
| 8080 | Tor ORPort |
VeciGate: WAN **80→9000**, WAN **443→9001**.
Public Taler: Caddy vhosts on **9001** → 127.0.0.1:{9010,9011,9012}.
Planned SM: Caddy → 127.0.0.1:9020+ (not deployed yet).
Public apps: Caddy vhosts on **9001** → 127.0.0.1:{90109015, 90209024}.
Git SSH needs separate NAT/firewall **9200/tcp** if exposed to WAN.