docs: Bonfire FEDERATE + Forgejo rootless (git :9024/:9200)

This commit is contained in:
Hernâni Marques 2026-07-10 14:41:46 +02:00
parent b0efda7731
commit 40ec803464
No known key found for this signature in database
13 changed files with 422 additions and 123 deletions

View file

@ -0,0 +1,61 @@
# Bonfire — FEDERATE + public guest access (2026-07-10)
Follow-up to ground zero: `2026-07-09--bonfire-ground-zero.md`.
## Change
| Item | Before | After |
|------|--------|--------|
| `.env` `FEDERATE` | unset | **`true`** |
| Container | recreated | `podman-compose up -d --force-recreate web` |
| `printenv FEDERATE` (web) | — | `true` |
| `HOSTNAME` / compose | `bonfire.hacktivism.ch` | unchanged |
| Port | **9021** → Caddy | unchanged |
Only new env key vs ground-zero `.env`: **`FEDERATE`**.
Live: `/home/hernani/koopa-bonfire/.env` (mode 600).
Mirror: `koopa-admin-secrets/koopa/home-hernani/koopa-bonfire/.env`.
Compose mirror: `configs/bonfire/compose.yml`.
## Intent
- Allow federation-related runtime paths (`FEDERATE` consumed in Bonfire `runtime.exs` as `true|yes|1`).
- Keep **guest-readable** public surfaces (no login required for explore / profiles that are already public).
- Operator stance: **federation enablement is accepted as OK** even if the UI banner lags.
## Observed behaviour (after recreate)
| Check | Result |
|-------|--------|
| Local `http://127.0.0.1:9021/` | 200; guest UI (Explore / Log in) |
| Guest UI banner | still may show **“Federation disabled”** |
| App RPC (earlier probe) | `activity_pub` instance sometimes still `federating: false`, `hostname: "localhost"` despite env |
| Public profile `@foss` | public posts still visible (gitbot / FOSS content) |
| Front / local feed | can be sparse (“Thats all for the last 30 days…”) depending on boundaries / feed window |
So: **env is set and container healthy**; full ActivityPub “federating=true” in Application config may still need admin UI / deeper config if outbound federation is required later. Not blocking public profile timelines for guests.
## Ops
```bash
cd ~/koopa-bonfire
grep ^FEDERATE= .env
podman exec koopa-bonfire printenv FEDERATE HOSTNAME
podman ps --filter name=koopa-bonfire
curl -sS -o /dev/null -w "%{http_code}\n" http://127.0.0.1:9021/
curl -sS -o /dev/null -w "%{http_code}\n" http://127.0.0.1:9021/@foss
```
Recreate web after env change:
```bash
cd ~/koopa-bonfire
set -a && source .env && set +a
podman-compose up -d --force-recreate web
```
## Secrets / log rules
- Values only in **`koopa-admin-secrets`**, not in this repo.
- Daylog major bullet only (see `2026-07-10.md`).

View file

@ -21,6 +21,10 @@ Do **not** switch to the non-rootless `forgejo:11` image under rootless podman:
| SSH (git) | host **9200** → container 2222 (direct; not via Caddy) | | SSH (git) | host **9200** → container 2222 (direct; not via Caddy) |
| ROOT_URL | `https://git.hacktivism.ch/` | | ROOT_URL | `https://git.hacktivism.ch/` |
| Landing | explore (public browse OK) | | Landing | explore (public browse OK) |
| LE cert | automatic via Caddy (`CN=git.hacktivism.ch`) |
Compose + redacted `app.ini`: `configs/forgejo/`.
Caddy site block: `configs/caddy/git.hacktivism.ch.caddy` (+ full `configs/caddy/Caddyfile`).
## Access policy ## Access policy
@ -34,7 +38,8 @@ Do **not** switch to the non-rootless `forgejo:11` image under rootless podman:
Reserved username `admin` cannot be used; first admin: **`hernani`**. Reserved username `admin` cannot be used; first admin: **`hernani`**.
Passwords: `~/koopa-forgejo/users.env` + DB/secrets in `.env` (mode 600). Mirror: `koopa-admin-secrets/…/koopa-forgejo/`. Passwords: `~/koopa-forgejo/users.env` + DB/secrets in `.env` (mode 600).
Mirror: `koopa-admin-secrets/koopa/home-hernani/koopa-forgejo/`.
## Start / status ## Start / status
@ -44,13 +49,13 @@ set -a && source .env && set +a
podman-compose up -d podman-compose up -d
podman ps --filter name=koopa-forgejo podman ps --filter name=koopa-forgejo
curl -sS http://127.0.0.1:9024/api/healthz curl -sS http://127.0.0.1:9024/api/healthz
curl -sS https://git.hacktivism.ch/api/healthz
``` ```
## Caddy (host root) ## Caddy (host root)
Site block mirror: `configs/caddy/git.hacktivism.ch.caddy`. Site block live in `/etc/caddy/Caddyfile` (mirror under `configs/caddy/`).
Prefer including `http://git.hacktivism.ch` in the shared ACME/redirect host list.
Also add `http://git.hacktivism.ch` to the shared ACME/redirect host list, then:
```bash ```bash
sudo caddy validate --config /etc/caddy/Caddyfile sudo caddy validate --config /etc/caddy/Caddyfile
@ -59,6 +64,6 @@ sudo systemctl reload caddy
## Notes ## Notes
- DNS already points `git.hacktivism.ch` at koopa (with other hacktivism names). - DNS: `git.hacktivism.ch` → koopa (same family as other `*.hacktivism.ch`).
- Git over SSH: `ssh://git@git.hacktivism.ch:9200/…` (open **9200**/tcp on firewall/router if WAN access needed). - Git over SSH: `ssh://git@git.hacktivism.ch:9200/…` (open **9200**/tcp on firewall/router if WAN access needed).
- Until Caddy is reloaded, only `http://127.0.0.1:9024` works on host. - Clone URLs advertise `SSH_PORT=9200`; container still listens on internal **2222**.

View file

@ -3,4 +3,7 @@
- landing mem snapshot fix (pipeline → 0 B) - landing mem snapshot fix (pipeline → 0 B)
- Caddy redir / → /intro/ (three sites) - Caddy redir / → /intro/ (three sites)
- SECRETS.md paths only; no secret material in admin-log - SECRETS.md paths only; no secret material in admin-log
- **Forgejo rootless** on `git.hacktivism.ch` (:9024 / SSH :9200); no free registration - **Bonfire** `FEDERATE=true` (+ web recreate); guest public profiles OK; UI may still say federation disabled
→ topic: `2026-07-10--bonfire-federate.md`; secrets: `koopa-admin-secrets/…/koopa-bonfire/`
- **Forgejo rootless** on `git.hacktivism.ch` (HTTP **9024**, git-SSH **9200**); no free registration; admin `hernani`
→ topic: `2026-07-10--forgejo-rootless.md`; secrets: `koopa-admin-secrets/…/koopa-forgejo/`

View file

@ -12,9 +12,10 @@ Ops log and config mirror for host **koopa** (openSUSE Tumbleweed).
host/ # openSUSE host-level config + overview host/ # openSUSE host-level config + overview
overview/services.md # graphical service map overview/services.md # graphical service map
systemd/ firewalld/ caddy/ network/ systemd/ firewalld/ caddy/ network/
configs/ # mirrored app configs (caddy, taler, …) configs/ # mirrored app configs (caddy, taler, forgejo, …)
taler-merchant/ # overrides + nginx (same tree style as exchange) taler-merchant/ # overrides + nginx (same tree style as exchange)
taler-exchange/ # overrides + coins taler-exchange/ # overrides + coins
forgejo/ # rootless git.hacktivism.ch
scripts/ # merchant, exchange, monitoring helpers scripts/ # merchant, exchange, monitoring helpers
taler-merchant/ # merchant-model start scripts taler-merchant/ # merchant-model start scripts
taler-exchange/ # same model; archive/ = greenfield bootstrap taler-exchange/ # same model; archive/ = greenfield bootstrap
@ -29,15 +30,20 @@ scripts/ # merchant, exchange, monitoring helpers
| `taler-exchange-hacktivism` | exchange | **9011** | | `taler-exchange-hacktivism` | exchange | **9011** |
| `taler-bank-hacktivism` | libeufin-bank (GOA, no IBAN) | **9012** | | `taler-bank-hacktivism` | libeufin-bank (GOA, no IBAN) | **9012** |
| `koopa-castopod` (+ mariadb/redis) | Castopod Fediverse podcast | **9020** | | `koopa-castopod` (+ mariadb/redis) | Castopod Fediverse podcast | **9020** |
| `koopa-bonfire` (+ postgres) | Bonfire social | **9021** |
| `koopa-prime` (Jellyfin) | media | **9022** |
| qBittorrent (prime stack) | torrents | **9023** |
| `koopa-forgejo` (+ postgres) | **Forgejo rootless** git | **9024** (+ SSH **9200**) | | `koopa-forgejo` (+ postgres) | **Forgejo rootless** git | **9024** (+ SSH **9200**) |
Start model (Taler): **root** `/root/start_base_services_*` → shell as service user → `/usr/local/bin/start_*.sh [--restart]`. Start model (Taler): **root** `/root/start_base_services_*` → shell as service user → `/usr/local/bin/start_*.sh [--restart]`.
Start model (Castopod): `hernani``cd ~/koopa-castopod && podman-compose up -d`. Start model (user apps): `hernani``cd ~/koopa-{castopod,bonfire,prime,forgejo} && podman-compose up -d`.
Public hosts: `taler.` / `exchange.` / `bank.` / `castopod.` / **`git.hacktivism.ch`** (Caddy → 90109012 / 9020 / **9024**). Public hosts: `taler.` / `exchange.` / `bank.` / `castopod.` / `bonfire.` / `prime.` / `bt.` / **`git.hacktivism.ch`**
(Caddy → 90109015 / 9020**9024**; git-SSH host **9200** direct).
Service **details**: `configs/taler-*`, `scripts/*`. Service **details**: `configs/taler-*`, `configs/forgejo/`, `scripts/*`.
Host-wide picture: **`host/overview/services.md`**. Host-wide picture: **`host/overview/services.md`**.
Port table: **`configs/ports.md`**.
Router: **`../vecigate-admin-log`**. Router: **`../vecigate-admin-log`**.
**Benchmarks** (drive from the local machine, measure on koopa): **`benchmarks/`** **Benchmarks** (drive from the local machine, measure on koopa): **`benchmarks/`**
@ -50,4 +56,11 @@ Router: **`../vecigate-admin-log`**.
`configs/taler-exchange/README.md` (section "/keys, Wire and Account"). `configs/taler-exchange/README.md` (section "/keys, Wire and Account").
**Castopod pilot content (FOSS Airwaves, user ngi, free licenses):** **Castopod pilot content (FOSS Airwaves, user ngi, free licenses):**
`2026/2026-07-09--castopod-content.md` → https://castopod.hacktivism.ch` / **`git.hacktivism.ch/@foss `2026/2026-07-09--castopod-content.md` → https://castopod.hacktivism.ch/
**Bonfire FEDERATE + guest public (2026-07-10):**
`2026/2026-07-10--bonfire-federate.md` → https://bonfire.hacktivism.ch/
(ground zero: `2026/2026-07-09--bonfire-ground-zero.md`)
**Forgejo rootless (git.hacktivism.ch, no free registration, SSH :9200):**
`2026/2026-07-10--forgejo-rootless.md` → https://git.hacktivism.ch/

View file

@ -18,9 +18,9 @@ Live passwords/keys live in sibling **`koopa-admin-secrets`**.
| What | Mirror | Live | | What | Mirror | Live |
|------|--------|------| |------|--------|------|
| Castopod | `koopa/home-hernani/koopa-castopod/{.env,users.env}` | `~/koopa-castopod/` | | Castopod | `koopa/home-hernani/koopa-castopod/{.env,users.env}` | `~/koopa-castopod/` |
| Bonfire | `koopa/home-hernani/koopa-bonfire/{.env,users.env}` | `~/koopa-bonfire/` | | Bonfire (`FEDERATE=true`) | `koopa/home-hernani/koopa-bonfire/{.env,users.env,compose.yml}` | `~/koopa-bonfire/` |
| Prime (Jellyfin + qBittorrent) | `koopa/home-hernani/koopa-prime/{.env,users.env}` | `~/koopa-prime/` | | Prime (Jellyfin + qBittorrent) | `koopa/home-hernani/koopa-prime/{.env,users.env}` | `~/koopa-prime/` |
| Forgejo (**rootless**) | `koopa/home-hernani/koopa-forgejo/{.env,users.env}` | `~/koopa-forgejo/` | | Forgejo (**rootless**, git.hacktivism.ch) | `koopa/home-hernani/koopa-forgejo/{.env,users.env,compose.yml}` | `~/koopa-forgejo/` |
## Rules ## Rules

12
configs/bonfire/README.md Normal file
View file

@ -0,0 +1,12 @@
# Bonfire — bonfire.hacktivism.ch
| Item | Value |
|------|--------|
| Live | `/home/hernani/koopa-bonfire/` |
| Image | `bonfirenetworks/bonfire:1.0.5-social-amd64` |
| Port | **9021** → Caddy |
| Compose | `compose.yml` (this dir) |
| Ground zero | `2026/2026-07-09--bonfire-ground-zero.md` |
| FEDERATE (2026-07-10) | `2026/2026-07-10--bonfire-federate.md` |
Secrets: `koopa-admin-secrets/…/koopa-bonfire/{.env,users.env}`.

View file

@ -0,0 +1,52 @@
# koopa-bonfire — ground zero (host Caddy → :9021)
services:
web:
image: docker.io/bonfirenetworks/bonfire:1.0.5-social-amd64
container_name: koopa-bonfire
restart: unless-stopped
env_file: [.env]
environment:
POSTGRES_HOST: db
HOSTNAME: bonfire.hacktivism.ch
PUBLIC_PORT: "443"
SERVER_PORT: "4000"
DB_MIGRATE_INDEXES_CONCURRENTLY: "false"
MIX_ENV: prod
ports:
- "9021:4000"
volumes:
- ./data/uploads:/opt/app/data/uploads
depends_on:
db:
condition: service_healthy
labels:
org.hacktivism.service: bonfire
org.hacktivism.host_port: "9021"
org.hacktivism.site: bonfire.hacktivism.ch
org.hacktivism.managed_by: koopa-admin
healthcheck:
test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:4000/ || exit 1"]
interval: 30s
timeout: 10s
retries: 15
start_period: 180s
db:
image: docker.io/library/postgres:15-alpine
container_name: koopa-bonfire-db
restart: unless-stopped
env_file: [.env]
environment:
POSTGRES_USER: postgres
POSTGRES_DB: bonfire_db
volumes:
- db-data:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres -d bonfire_db"]
interval: 5s
timeout: 5s
retries: 20
start_period: 10s
volumes:
db-data:

View file

@ -1,140 +1,155 @@
# Internal only (not in the browser URL): # Internal only (not in the browser URL):
# 9010 merchant API | 9011 exchange API | 9012 bank API # 9010 merchant API | 9011 exchange API | 9012 bank API
# 9013 bank landing | 9014 exchange landing | 9015 merchant landing # 9013 bank landing | 9014 exchange landing | 9015 merchant landing
# 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt # 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt | 9024 forgejo | 9200 forgejo-ssh
{ {
email info+koopa@hacktivism.ch email info+koopa@hacktivism.ch
http_port 9000 http_port 9000
https_port 9001 https_port 9001
auto_https disable_redirects auto_https disable_redirects
# Caddy listens on 9001 behind VeciGate/https-proxy :443. # Caddy listens on 9001 behind VeciGate/https-proxy :443.
# Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443. # Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443.
servers { servers {
protocols h1 h2 protocols h1 h2
} }
} }
(proxy_public) { (proxy_public) {
header_up Host {host} header_up Host {host}
header_up X-Forwarded-Host {host} header_up X-Forwarded-Host {host}
header_up X-Forwarded-Proto {scheme} header_up X-Forwarded-Proto {scheme}
header_up X-Forwarded-Port 443 header_up X-Forwarded-Port 443
header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1" header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1"
} }
taler.hacktivism.ch { taler.hacktivism.ch {
tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem
header Alt-Svc "clear" header Alt-Svc "clear"
# Public landing first # Public landing first
redir / /intro/ 302 redir / /intro/ 302
handle /intro* { handle /intro* {
reverse_proxy 127.0.0.1:9015 { reverse_proxy 127.0.0.1:9015 {
import proxy_public import proxy_public
} }
} }
# SPA: /webui → /webui/ # SPA: /webui → /webui/
redir /webui /webui/ 302 redir /webui /webui/ 302
# Merchant API + WebUI (nginx :9010 → unix socket) # Merchant API + WebUI (nginx :9010 → unix socket)
reverse_proxy https://127.0.0.1:9010 { reverse_proxy https://127.0.0.1:9010 {
transport http { transport http {
tls_insecure_skip_verify tls_insecure_skip_verify
} }
import proxy_public import proxy_public
} }
} }
exchange.hacktivism.ch { exchange.hacktivism.ch {
tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem
header Alt-Svc "clear" header Alt-Svc "clear"
# Public landing first # Public landing first
redir / /intro/ 302 redir / /intro/ 302
handle /intro* { handle /intro* {
reverse_proxy 127.0.0.1:9014 { reverse_proxy 127.0.0.1:9014 {
import proxy_public import proxy_public
} }
} }
reverse_proxy 127.0.0.1:9011 { reverse_proxy 127.0.0.1:9011 {
import proxy_public import proxy_public
} }
} }
bank.hacktivism.ch { bank.hacktivism.ch {
header Alt-Svc "clear" header Alt-Svc "clear"
# Public landing first # Public landing first
redir / /intro/ 302 redir / /intro/ 302
handle /intro* { handle /intro* {
reverse_proxy 127.0.0.1:9013 { reverse_proxy 127.0.0.1:9013 {
import proxy_public import proxy_public
} }
} }
# Static terms/privacy on landing nginx :9013 (optional; needs locations there) # Static terms/privacy on landing nginx :9013
handle /terms* { handle /terms* {
reverse_proxy 127.0.0.1:9013 { reverse_proxy 127.0.0.1:9013 {
import proxy_public import proxy_public
} }
} }
handle /privacy* { handle /privacy* {
reverse_proxy 127.0.0.1:9013 { reverse_proxy 127.0.0.1:9013 {
import proxy_public import proxy_public
} }
} }
reverse_proxy 127.0.0.1:9012 { reverse_proxy 127.0.0.1:9012 {
import proxy_public import proxy_public
} }
} }
castopod.hacktivism.ch { castopod.hacktivism.ch {
header Alt-Svc "clear" header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9020 { reverse_proxy 127.0.0.1:9020 {
header_up Host {host} header_up Host {host}
header_up X-Forwarded-For {remote_host} header_up X-Forwarded-For {remote_host}
} }
} }
bonfire.hacktivism.ch { bonfire.hacktivism.ch {
header Alt-Svc "clear" header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9021 { reverse_proxy 127.0.0.1:9021 {
header_up Host {host} header_up Host {host}
header_up X-Forwarded-For {remote_host} header_up X-Forwarded-For {remote_host}
flush_interval -1 flush_interval -1
} }
} }
prime.hacktivism.ch { prime.hacktivism.ch {
header Alt-Svc "clear" header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9022 { reverse_proxy 127.0.0.1:9022 {
header_up Host {host} header_up Host {host}
header_up X-Forwarded-For {remote_host} header_up X-Forwarded-For {remote_host}
flush_interval -1 flush_interval -1
} }
} }
bt.hacktivism.ch { bt.hacktivism.ch {
header Alt-Svc "clear" header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9023 { reverse_proxy 127.0.0.1:9023 {
header_up Host {host} header_up Host {host}
header_up X-Forwarded-For {remote_host} header_up X-Forwarded-For {remote_host}
} }
} }
http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch, http://castopod.hacktivism.ch, http://bonfire.hacktivism.ch, http://prime.hacktivism.ch, http://bt.hacktivism.ch { http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch, http://castopod.hacktivism.ch, http://bonfire.hacktivism.ch, http://prime.hacktivism.ch, http://bt.hacktivism.ch {
handle /.well-known/acme-challenge/* { handle /.well-known/acme-challenge/* {
root * /var/www/acme root * /var/www/acme
file_server file_server
} }
handle { handle {
redir https://{host}{uri} permanent redir https://{host}{uri} permanent
} }
}
# 9024 forgejo HTTP (SSH :9200 host-direct, not via Caddy)
git.hacktivism.ch {
header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9024 {
header_up Host {host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
flush_interval -1
transport http {
read_timeout 3600s
write_timeout 3600s
}
}
} }

View file

@ -1,5 +1,5 @@
# 9024 forgejo HTTP (SSH :9200 host-direct, not via Caddy) # 9024 forgejo HTTP (SSH :9200 host-direct, not via Caddy)
# Apply on host: merge into /etc/caddy/Caddyfile, validate, reload # Live: merged into /etc/caddy/Caddyfile (see also full Caddyfile mirror)
git.hacktivism.ch { git.hacktivism.ch {
header Alt-Svc "clear" header Alt-Svc "clear"
reverse_proxy 127.0.0.1:9024 { reverse_proxy 127.0.0.1:9024 {

36
configs/forgejo/README.md Normal file
View file

@ -0,0 +1,36 @@
# Forgejo — git.hacktivism.ch
**Rootless** install (image + rootless podman as `hernani`). Details: `2026/2026-07-10--forgejo-rootless.md`.
| Item | Value |
|------|--------|
| Live path | `/home/hernani/koopa-forgejo/` |
| Compose | `compose.yml` (this dir = mirror) |
| Image | `codeberg.org/forgejo/forgejo:11-rootless` |
| HTTP | **9024** → Caddy `git.hacktivism.ch` |
| Git SSH | **9200** → container 2222 (not via Caddy) |
| DB | `koopa-forgejo-db` postgres:16-alpine |
| Registration | **disabled** (admin-created users only) |
| Admin user | `hernani` (not reserved name `admin`) |
## Files here
| File | Notes |
|------|--------|
| `compose.yml` | live mirror |
| `app.ini.example` | redacted live `data/custom/conf/app.ini` (`@inline-secret@`) |
## Secrets
`koopa-admin-secrets/koopa/home-hernani/koopa-forgejo/{.env,users.env}`
→ live `~/koopa-forgejo/`.
## Ops
```bash
cd ~/koopa-forgejo
set -a && source .env && set +a
podman-compose up -d
curl -sS http://127.0.0.1:9024/api/healthz
# SSH clone: ssh://git@git.hacktivism.ch:9200/<user>/<repo>.git
```

View file

@ -0,0 +1,79 @@
APP_NAME = hacktivism git
RUN_USER = git
RUN_MODE = prod
WORK_PATH = /var/lib/gitea
[repository]
ROOT = /var/lib/gitea/git/repositories
ENABLE_PUSH_CREATE_USER = true
ENABLE_PUSH_CREATE_ORG = true
DEFAULT_PRIVATE = public
[repository.local]
LOCAL_COPY_PATH = /tmp/gitea/local-repo
[repository.upload]
TEMP_PATH = /tmp/gitea/uploads
[server]
APP_DATA_PATH = /var/lib/gitea
SSH_DOMAIN = git.hacktivism.ch
HTTP_PORT = 3000
ROOT_URL = https://git.hacktivism.ch/
DISABLE_SSH = false
; In rootless gitea container only internal ssh server is supported
START_SSH_SERVER = true
SSH_PORT = 9200
SSH_LISTEN_PORT = 2222
BUILTIN_SSH_SERVER_USER = git
LFS_START_SERVER =
DOMAIN = git.hacktivism.ch
LANDING_PAGE = explore
[database]
PATH = /var/lib/gitea/data/gitea.db
DB_TYPE = postgres
HOST = db:5432
NAME = forgejo
USER = forgejo
PASSWD = @inline-secret@
[session]
PROVIDER_CONFIG = /var/lib/gitea/data/sessions
PROVIDER = memory
[picture]
AVATAR_UPLOAD_PATH = /var/lib/gitea/data/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /var/lib/gitea/data/repo-avatars
[attachment]
PATH = /var/lib/gitea/data/attachments
[log]
ROOT_PATH = /var/lib/gitea/data/log
LEVEL = Info
[security]
INSTALL_LOCK = true
SECRET_KEY = @inline-secret@
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = @inline-secret@
[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = false
SHOW_REGISTRATION_BUTTON = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
[lfs]
PATH = /var/lib/gitea/git/lfs
[openid]
ENABLE_OPENID_SIGNUP = false
ENABLE_OPENID_SIGNIN = false
[oauth2]
JWT_SECRET = @inline-secret@

View file

@ -10,10 +10,15 @@
| 9010 | podman `taler-hacktivism` (merchant nginx TLS) — **not** in firewalld | | 9010 | podman `taler-hacktivism` (merchant nginx TLS) — **not** in firewalld |
| 9011 | podman `taler-exchange-hacktivism` (exchange httpd) — **not** in firewalld | | 9011 | podman `taler-exchange-hacktivism` (exchange httpd) — **not** in firewalld |
| 9012 | podman `taler-bank-hacktivism` (libeufin-bank) — **not** in firewalld | | 9012 | podman `taler-bank-hacktivism` (libeufin-bank) — **not** in firewalld |
| 9020 | podman `koopa-castopod` (HTTP) → Caddy `castopod.hacktivism.ch` | | 90139015 | bank / exchange / merchant public landings |
| 9020 | podman `koopa-castopod` → Caddy `castopod.hacktivism.ch` |
| 9021 | podman `koopa-bonfire` → Caddy `bonfire.hacktivism.ch` | | 9021 | podman `koopa-bonfire` → Caddy `bonfire.hacktivism.ch` |
| 9022 | podman `koopa-prime` (Jellyfin) → Caddy `prime.hacktivism.ch` |
| 9023 | podman qBittorrent → Caddy `bt.hacktivism.ch` |
| **9024** | podman **`koopa-forgejo`** (HTTP) → Caddy **`git.hacktivism.ch`** |
| **9200** | podman **Forgejo git-SSH** (host-direct; not Caddy) |
| 8080 | Tor ORPort | | 8080 | Tor ORPort |
VeciGate: WAN **80→9000**, WAN **443→9001**. VeciGate: WAN **80→9000**, WAN **443→9001**.
Public Taler: Caddy vhosts on **9001** → 127.0.0.1:{9010,9011,9012}. Public apps: Caddy vhosts on **9001** → 127.0.0.1:{90109015, 90209024}.
Planned SM: Caddy → 127.0.0.1:9020+ (not deployed yet). Git SSH needs separate NAT/firewall **9200/tcp** if exposed to WAN.

View file

@ -24,9 +24,15 @@ flowchart TB
FW["firewalld public\n9000,9001,80,8080,ssh"] FW["firewalld public\n9000,9001,80,8080,ssh"]
end end
subgraph Podman["podman (hernani)"] subgraph Podman["podman rootless (hernani)"]
Merch["taler-hacktivism\n:9010 nginx TLS"] Merch["taler-hacktivism\n:9010"]
Exch["taler-exchange-hacktivism\n:9011 exchange-httpd"] Exch["taler-exchange-hacktivism\n:9011"]
Bank["taler-bank-hacktivism\n:9012"]
Castopod["koopa-castopod\n:9020"]
Bonfire["koopa-bonfire\n:9021"]
Prime["koopa-prime jellyfin\n:9022"]
BT["qbittorrent\n:9023"]
Forgejo["koopa-forgejo ROOTLESS\n:9024 HTTP / :9200 SSH"]
end end
Tor["tor ORPort :8080"] Tor["tor ORPort :8080"]
@ -45,9 +51,12 @@ flowchart TB
CaddyHTTP -->|other| Redir[301 HTTPS] CaddyHTTP -->|other| Redir[301 HTTPS]
CaddyHTTPS -->|taler.hacktivism.ch| Merch CaddyHTTPS -->|taler.hacktivism.ch| Merch
CaddyHTTPS -->|exchange.hacktivism.ch| Exch CaddyHTTPS -->|exchange.hacktivism.ch| Exch
CaddyHTTPS -->|bank.hacktivism.ch| Bank
Merch --> MSock["unix merchant-http.sock"] CaddyHTTPS -->|castopod.hacktivism.ch| Castopod
Exch --> EDB["postgresql + secmods"] CaddyHTTPS -->|bonfire.hacktivism.ch| Bonfire
CaddyHTTPS -->|prime.hacktivism.ch| Prime
CaddyHTTPS -->|bt.hacktivism.ch| BT
CaddyHTTPS -->|git.hacktivism.ch| Forgejo
``` ```
## Port table ## Port table
@ -59,10 +68,19 @@ flowchart TB
| 443 | systemd socket | → 127.0.0.1:**9001** | | 443 | systemd socket | → 127.0.0.1:**9001** |
| 9000 | caddy | HTTP + ACME | | 9000 | caddy | HTTP + ACME |
| 9001 | caddy | HTTPS vhosts | | 9001 | caddy | HTTPS vhosts |
| 9010 | podman pasta | **merchant** nginx | | 9010 | podman | **merchant** nginx |
| 9011 | podman pasta | **exchange** httpd | | 9011 | podman | **exchange** httpd |
| 9012 | podman | **bank** libeufin |
| 9020 | podman | **castopod** |
| 9021 | podman | **bonfire** |
| 9022 | podman | **jellyfin** (prime) |
| 9023 | podman | **qbittorrent** (bt) |
| **9024** | podman | **forgejo** HTTP → `git.hacktivism.ch` |
| **9200** | podman | **forgejo** git-SSH (host-direct) |
| 8080 | tor | ORPort | | 8080 | tor | ORPort |
Full port notes: `configs/ports.md`.
## Service index (details elsewhere) ## Service index (details elsewhere)
| Service | Detail docs | | Service | Detail docs |
@ -72,6 +90,6 @@ flowchart TB
| systemd proxies | `host/systemd/` | | systemd proxies | `host/systemd/` |
| Merchant container | `configs/taler-merchant/`, `scripts/taler-merchant/` | | Merchant container | `configs/taler-merchant/`, `scripts/taler-merchant/` |
| Exchange container | `configs/taler-exchange/`, `scripts/taler-exchange/` | | Exchange container | `configs/taler-exchange/`, `scripts/taler-exchange/` |
| **Forgejo rootless** | `configs/forgejo/`, `2026/2026-07-10--forgejo-rootless.md` |
| Tor monitoring scripts | `scripts/monitoring/` | | Tor monitoring scripts | `scripts/monitoring/` |
| VeciGate NAT | `../vecigate-admin-log/ip/firewall/nat/` | | VeciGate NAT | `../vecigate-admin-log/ip/firewall/nat/` |