docs: Bonfire FEDERATE + Forgejo rootless (git :9024/:9200)
This commit is contained in:
parent
b0efda7731
commit
40ec803464
13 changed files with 422 additions and 123 deletions
12
configs/bonfire/README.md
Normal file
12
configs/bonfire/README.md
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
# Bonfire — bonfire.hacktivism.ch
|
||||
|
||||
| Item | Value |
|
||||
|------|--------|
|
||||
| Live | `/home/hernani/koopa-bonfire/` |
|
||||
| Image | `bonfirenetworks/bonfire:1.0.5-social-amd64` |
|
||||
| Port | **9021** → Caddy |
|
||||
| Compose | `compose.yml` (this dir) |
|
||||
| Ground zero | `2026/2026-07-09--bonfire-ground-zero.md` |
|
||||
| FEDERATE (2026-07-10) | `2026/2026-07-10--bonfire-federate.md` |
|
||||
|
||||
Secrets: `koopa-admin-secrets/…/koopa-bonfire/{.env,users.env}`.
|
||||
52
configs/bonfire/compose.yml
Normal file
52
configs/bonfire/compose.yml
Normal file
|
|
@ -0,0 +1,52 @@
|
|||
# koopa-bonfire — ground zero (host Caddy → :9021)
|
||||
services:
|
||||
web:
|
||||
image: docker.io/bonfirenetworks/bonfire:1.0.5-social-amd64
|
||||
container_name: koopa-bonfire
|
||||
restart: unless-stopped
|
||||
env_file: [.env]
|
||||
environment:
|
||||
POSTGRES_HOST: db
|
||||
HOSTNAME: bonfire.hacktivism.ch
|
||||
PUBLIC_PORT: "443"
|
||||
SERVER_PORT: "4000"
|
||||
DB_MIGRATE_INDEXES_CONCURRENTLY: "false"
|
||||
MIX_ENV: prod
|
||||
ports:
|
||||
- "9021:4000"
|
||||
volumes:
|
||||
- ./data/uploads:/opt/app/data/uploads
|
||||
depends_on:
|
||||
db:
|
||||
condition: service_healthy
|
||||
labels:
|
||||
org.hacktivism.service: bonfire
|
||||
org.hacktivism.host_port: "9021"
|
||||
org.hacktivism.site: bonfire.hacktivism.ch
|
||||
org.hacktivism.managed_by: koopa-admin
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:4000/ || exit 1"]
|
||||
interval: 30s
|
||||
timeout: 10s
|
||||
retries: 15
|
||||
start_period: 180s
|
||||
|
||||
db:
|
||||
image: docker.io/library/postgres:15-alpine
|
||||
container_name: koopa-bonfire-db
|
||||
restart: unless-stopped
|
||||
env_file: [.env]
|
||||
environment:
|
||||
POSTGRES_USER: postgres
|
||||
POSTGRES_DB: bonfire_db
|
||||
volumes:
|
||||
- db-data:/var/lib/postgresql/data
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U postgres -d bonfire_db"]
|
||||
interval: 5s
|
||||
timeout: 5s
|
||||
retries: 20
|
||||
start_period: 10s
|
||||
|
||||
volumes:
|
||||
db-data:
|
||||
|
|
@ -1,140 +1,155 @@
|
|||
# Internal only (not in the browser URL):
|
||||
# 9010 merchant API | 9011 exchange API | 9012 bank API
|
||||
# 9013 bank landing | 9014 exchange landing | 9015 merchant landing
|
||||
# 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt
|
||||
# 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt | 9024 forgejo | 9200 forgejo-ssh
|
||||
|
||||
{
|
||||
email info+koopa@hacktivism.ch
|
||||
http_port 9000
|
||||
https_port 9001
|
||||
auto_https disable_redirects
|
||||
# Caddy listens on 9001 behind VeciGate/https-proxy :443.
|
||||
# Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443.
|
||||
servers {
|
||||
protocols h1 h2
|
||||
}
|
||||
email info+koopa@hacktivism.ch
|
||||
http_port 9000
|
||||
https_port 9001
|
||||
auto_https disable_redirects
|
||||
# Caddy listens on 9001 behind VeciGate/https-proxy :443.
|
||||
# Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443.
|
||||
servers {
|
||||
protocols h1 h2
|
||||
}
|
||||
}
|
||||
|
||||
(proxy_public) {
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-Host {host}
|
||||
header_up X-Forwarded-Proto {scheme}
|
||||
header_up X-Forwarded-Port 443
|
||||
header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1"
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-Host {host}
|
||||
header_up X-Forwarded-Proto {scheme}
|
||||
header_up X-Forwarded-Port 443
|
||||
header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1"
|
||||
}
|
||||
|
||||
taler.hacktivism.ch {
|
||||
tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
|
||||
header Alt-Svc "clear"
|
||||
tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
|
||||
header Alt-Svc "clear"
|
||||
|
||||
# Public landing first
|
||||
redir / /intro/ 302
|
||||
# Public landing first
|
||||
redir / /intro/ 302
|
||||
|
||||
handle /intro* {
|
||||
reverse_proxy 127.0.0.1:9015 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
handle /intro* {
|
||||
reverse_proxy 127.0.0.1:9015 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
|
||||
# SPA: /webui → /webui/
|
||||
redir /webui /webui/ 302
|
||||
# SPA: /webui → /webui/
|
||||
redir /webui /webui/ 302
|
||||
|
||||
# Merchant API + WebUI (nginx :9010 → unix socket)
|
||||
reverse_proxy https://127.0.0.1:9010 {
|
||||
transport http {
|
||||
tls_insecure_skip_verify
|
||||
}
|
||||
import proxy_public
|
||||
}
|
||||
# Merchant API + WebUI (nginx :9010 → unix socket)
|
||||
reverse_proxy https://127.0.0.1:9010 {
|
||||
transport http {
|
||||
tls_insecure_skip_verify
|
||||
}
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
|
||||
exchange.hacktivism.ch {
|
||||
tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem
|
||||
header Alt-Svc "clear"
|
||||
tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem
|
||||
header Alt-Svc "clear"
|
||||
|
||||
# Public landing first
|
||||
redir / /intro/ 302
|
||||
# Public landing first
|
||||
redir / /intro/ 302
|
||||
|
||||
handle /intro* {
|
||||
reverse_proxy 127.0.0.1:9014 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
handle /intro* {
|
||||
reverse_proxy 127.0.0.1:9014 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
|
||||
reverse_proxy 127.0.0.1:9011 {
|
||||
import proxy_public
|
||||
}
|
||||
reverse_proxy 127.0.0.1:9011 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
|
||||
bank.hacktivism.ch {
|
||||
header Alt-Svc "clear"
|
||||
header Alt-Svc "clear"
|
||||
|
||||
# Public landing first
|
||||
redir / /intro/ 302
|
||||
# Public landing first
|
||||
redir / /intro/ 302
|
||||
|
||||
handle /intro* {
|
||||
reverse_proxy 127.0.0.1:9013 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
handle /intro* {
|
||||
reverse_proxy 127.0.0.1:9013 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
|
||||
# Static terms/privacy on landing nginx :9013 (optional; needs locations there)
|
||||
handle /terms* {
|
||||
reverse_proxy 127.0.0.1:9013 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
handle /privacy* {
|
||||
reverse_proxy 127.0.0.1:9013 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
# Static terms/privacy on landing nginx :9013
|
||||
handle /terms* {
|
||||
reverse_proxy 127.0.0.1:9013 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
handle /privacy* {
|
||||
reverse_proxy 127.0.0.1:9013 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
|
||||
reverse_proxy 127.0.0.1:9012 {
|
||||
import proxy_public
|
||||
}
|
||||
reverse_proxy 127.0.0.1:9012 {
|
||||
import proxy_public
|
||||
}
|
||||
}
|
||||
|
||||
castopod.hacktivism.ch {
|
||||
header Alt-Svc "clear"
|
||||
reverse_proxy 127.0.0.1:9020 {
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
}
|
||||
header Alt-Svc "clear"
|
||||
reverse_proxy 127.0.0.1:9020 {
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
}
|
||||
}
|
||||
|
||||
bonfire.hacktivism.ch {
|
||||
header Alt-Svc "clear"
|
||||
reverse_proxy 127.0.0.1:9021 {
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
flush_interval -1
|
||||
}
|
||||
header Alt-Svc "clear"
|
||||
reverse_proxy 127.0.0.1:9021 {
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
flush_interval -1
|
||||
}
|
||||
}
|
||||
|
||||
prime.hacktivism.ch {
|
||||
header Alt-Svc "clear"
|
||||
reverse_proxy 127.0.0.1:9022 {
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
flush_interval -1
|
||||
}
|
||||
header Alt-Svc "clear"
|
||||
reverse_proxy 127.0.0.1:9022 {
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
flush_interval -1
|
||||
}
|
||||
}
|
||||
|
||||
bt.hacktivism.ch {
|
||||
header Alt-Svc "clear"
|
||||
reverse_proxy 127.0.0.1:9023 {
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
}
|
||||
header Alt-Svc "clear"
|
||||
reverse_proxy 127.0.0.1:9023 {
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
}
|
||||
}
|
||||
|
||||
http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch, http://castopod.hacktivism.ch, http://bonfire.hacktivism.ch, http://prime.hacktivism.ch, http://bt.hacktivism.ch {
|
||||
handle /.well-known/acme-challenge/* {
|
||||
root * /var/www/acme
|
||||
file_server
|
||||
}
|
||||
handle {
|
||||
redir https://{host}{uri} permanent
|
||||
}
|
||||
handle /.well-known/acme-challenge/* {
|
||||
root * /var/www/acme
|
||||
file_server
|
||||
}
|
||||
handle {
|
||||
redir https://{host}{uri} permanent
|
||||
}
|
||||
}
|
||||
|
||||
# 9024 forgejo HTTP (SSH :9200 host-direct, not via Caddy)
|
||||
git.hacktivism.ch {
|
||||
header Alt-Svc "clear"
|
||||
reverse_proxy 127.0.0.1:9024 {
|
||||
header_up Host {host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
header_up X-Forwarded-Proto {scheme}
|
||||
flush_interval -1
|
||||
transport http {
|
||||
read_timeout 3600s
|
||||
write_timeout 3600s
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# 9024 forgejo HTTP (SSH :9200 host-direct, not via Caddy)
|
||||
# Apply on host: merge into /etc/caddy/Caddyfile, validate, reload
|
||||
# Live: merged into /etc/caddy/Caddyfile (see also full Caddyfile mirror)
|
||||
git.hacktivism.ch {
|
||||
header Alt-Svc "clear"
|
||||
reverse_proxy 127.0.0.1:9024 {
|
||||
|
|
|
|||
36
configs/forgejo/README.md
Normal file
36
configs/forgejo/README.md
Normal file
|
|
@ -0,0 +1,36 @@
|
|||
# Forgejo — git.hacktivism.ch
|
||||
|
||||
**Rootless** install (image + rootless podman as `hernani`). Details: `2026/2026-07-10--forgejo-rootless.md`.
|
||||
|
||||
| Item | Value |
|
||||
|------|--------|
|
||||
| Live path | `/home/hernani/koopa-forgejo/` |
|
||||
| Compose | `compose.yml` (this dir = mirror) |
|
||||
| Image | `codeberg.org/forgejo/forgejo:11-rootless` |
|
||||
| HTTP | **9024** → Caddy `git.hacktivism.ch` |
|
||||
| Git SSH | **9200** → container 2222 (not via Caddy) |
|
||||
| DB | `koopa-forgejo-db` postgres:16-alpine |
|
||||
| Registration | **disabled** (admin-created users only) |
|
||||
| Admin user | `hernani` (not reserved name `admin`) |
|
||||
|
||||
## Files here
|
||||
|
||||
| File | Notes |
|
||||
|------|--------|
|
||||
| `compose.yml` | live mirror |
|
||||
| `app.ini.example` | redacted live `data/custom/conf/app.ini` (`@inline-secret@`) |
|
||||
|
||||
## Secrets
|
||||
|
||||
`koopa-admin-secrets/koopa/home-hernani/koopa-forgejo/{.env,users.env}`
|
||||
→ live `~/koopa-forgejo/`.
|
||||
|
||||
## Ops
|
||||
|
||||
```bash
|
||||
cd ~/koopa-forgejo
|
||||
set -a && source .env && set +a
|
||||
podman-compose up -d
|
||||
curl -sS http://127.0.0.1:9024/api/healthz
|
||||
# SSH clone: ssh://git@git.hacktivism.ch:9200/<user>/<repo>.git
|
||||
```
|
||||
79
configs/forgejo/app.ini.example
Normal file
79
configs/forgejo/app.ini.example
Normal file
|
|
@ -0,0 +1,79 @@
|
|||
APP_NAME = hacktivism git
|
||||
RUN_USER = git
|
||||
RUN_MODE = prod
|
||||
WORK_PATH = /var/lib/gitea
|
||||
|
||||
[repository]
|
||||
ROOT = /var/lib/gitea/git/repositories
|
||||
ENABLE_PUSH_CREATE_USER = true
|
||||
ENABLE_PUSH_CREATE_ORG = true
|
||||
DEFAULT_PRIVATE = public
|
||||
|
||||
[repository.local]
|
||||
LOCAL_COPY_PATH = /tmp/gitea/local-repo
|
||||
|
||||
[repository.upload]
|
||||
TEMP_PATH = /tmp/gitea/uploads
|
||||
|
||||
[server]
|
||||
APP_DATA_PATH = /var/lib/gitea
|
||||
SSH_DOMAIN = git.hacktivism.ch
|
||||
HTTP_PORT = 3000
|
||||
ROOT_URL = https://git.hacktivism.ch/
|
||||
DISABLE_SSH = false
|
||||
; In rootless gitea container only internal ssh server is supported
|
||||
START_SSH_SERVER = true
|
||||
SSH_PORT = 9200
|
||||
SSH_LISTEN_PORT = 2222
|
||||
BUILTIN_SSH_SERVER_USER = git
|
||||
LFS_START_SERVER =
|
||||
DOMAIN = git.hacktivism.ch
|
||||
LANDING_PAGE = explore
|
||||
|
||||
[database]
|
||||
PATH = /var/lib/gitea/data/gitea.db
|
||||
DB_TYPE = postgres
|
||||
HOST = db:5432
|
||||
NAME = forgejo
|
||||
USER = forgejo
|
||||
PASSWD = @inline-secret@
|
||||
|
||||
[session]
|
||||
PROVIDER_CONFIG = /var/lib/gitea/data/sessions
|
||||
PROVIDER = memory
|
||||
|
||||
[picture]
|
||||
AVATAR_UPLOAD_PATH = /var/lib/gitea/data/avatars
|
||||
REPOSITORY_AVATAR_UPLOAD_PATH = /var/lib/gitea/data/repo-avatars
|
||||
|
||||
[attachment]
|
||||
PATH = /var/lib/gitea/data/attachments
|
||||
|
||||
[log]
|
||||
ROOT_PATH = /var/lib/gitea/data/log
|
||||
LEVEL = Info
|
||||
|
||||
[security]
|
||||
INSTALL_LOCK = true
|
||||
SECRET_KEY = @inline-secret@
|
||||
REVERSE_PROXY_LIMIT = 1
|
||||
REVERSE_PROXY_TRUSTED_PROXIES = *
|
||||
INTERNAL_TOKEN = @inline-secret@
|
||||
|
||||
[service]
|
||||
DISABLE_REGISTRATION = true
|
||||
REQUIRE_SIGNIN_VIEW = false
|
||||
SHOW_REGISTRATION_BUTTON = false
|
||||
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
|
||||
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
|
||||
|
||||
[lfs]
|
||||
PATH = /var/lib/gitea/git/lfs
|
||||
|
||||
[openid]
|
||||
ENABLE_OPENID_SIGNUP = false
|
||||
ENABLE_OPENID_SIGNIN = false
|
||||
|
||||
[oauth2]
|
||||
JWT_SECRET = @inline-secret@
|
||||
|
||||
|
|
@ -10,10 +10,15 @@
|
|||
| 9010 | podman `taler-hacktivism` (merchant nginx TLS) — **not** in firewalld |
|
||||
| 9011 | podman `taler-exchange-hacktivism` (exchange httpd) — **not** in firewalld |
|
||||
| 9012 | podman `taler-bank-hacktivism` (libeufin-bank) — **not** in firewalld |
|
||||
| 9020 | podman `koopa-castopod` (HTTP) → Caddy `castopod.hacktivism.ch` |
|
||||
| 9013–9015 | bank / exchange / merchant public landings |
|
||||
| 9020 | podman `koopa-castopod` → Caddy `castopod.hacktivism.ch` |
|
||||
| 9021 | podman `koopa-bonfire` → Caddy `bonfire.hacktivism.ch` |
|
||||
| 9022 | podman `koopa-prime` (Jellyfin) → Caddy `prime.hacktivism.ch` |
|
||||
| 9023 | podman qBittorrent → Caddy `bt.hacktivism.ch` |
|
||||
| **9024** | podman **`koopa-forgejo`** (HTTP) → Caddy **`git.hacktivism.ch`** |
|
||||
| **9200** | podman **Forgejo git-SSH** (host-direct; not Caddy) |
|
||||
| 8080 | Tor ORPort |
|
||||
|
||||
VeciGate: WAN **80→9000**, WAN **443→9001**.
|
||||
Public Taler: Caddy vhosts on **9001** → 127.0.0.1:{9010,9011,9012}.
|
||||
Planned SM: Caddy → 127.0.0.1:9020+ (not deployed yet).
|
||||
Public apps: Caddy vhosts on **9001** → 127.0.0.1:{9010–9015, 9020–9024}.
|
||||
Git SSH needs separate NAT/firewall **9200/tcp** if exposed to WAN.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue