From d0e9b3f9072df17afd58100d68bf1f5592ae1c1c Mon Sep 17 00:00:00 2001 From: DannyDannyDanny Date: Mon, 4 May 2026 21:34:13 +0200 Subject: [PATCH] phantom-ship + vps-relay: Forgejo on git.dannydannydanny.me MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Phase 1 of the de-platform-from-GitHub roadmap (vimwiki/diary/2026-05-03.md). - phantom-ship: services.forgejo bound to 0.0.0.0:3000, sqlite, lfs on, registration disabled, sign-in required. - phantom-ship: add :3000 to the existing zt+ allowedTCPPorts list (joins shelfish/scuttle — never exposed on WAN/Wi-Fi). - vps-relay: Caddy vhost git.dannydannydanny.me reverse-proxies over ZT to phantom-ship:3000. Manual steps before reachable: 1. GoDaddy A record git.dannydannydanny.me -> 89.167.39.251 2. clan machines update phantom-ship && clan machines update vps-relay 3. On phantom-ship: bootstrap admin (registration is disabled) --- nixos/hosts/phantom-ship.nix | 39 ++++++++++++++++++++++++++++++++---- nixos/hosts/vps-relay.nix | 5 +++++ 2 files changed, 40 insertions(+), 4 deletions(-) diff --git a/nixos/hosts/phantom-ship.nix b/nixos/hosts/phantom-ship.nix index b0698da..bab6b2d 100644 --- a/nixos/hosts/phantom-ship.nix +++ b/nixos/hosts/phantom-ship.nix 
@@ -49,10 +49,11 @@ in networking.firewall.trustedInterfaces = [ "enp0s31f6" ]; # KomTolk (:8080), Shelfish (:8081), Scuttle (:8082), Bananasimulator - # (:8083) are reachable only over the ZeroTier mesh — the vps-relay - # Caddy reverse-proxies into them. Same pattern as sunken-ship's bbbot. - # Not in global allowedTCPPorts, so the WAN side stays closed. - networking.firewall.interfaces."zt+".allowedTCPPorts = [ 8080 8081 8082 8083 ]; + # (:8083), Forgejo (:3000) are reachable only over the ZeroTier mesh — + # the vps-relay Caddy reverse-proxies into them. Same pattern as + # sunken-ship's bbbot. Not in global allowedTCPPorts, so the WAN side + # stays closed. + networking.firewall.interfaces."zt+".allowedTCPPorts = [ 3000 8080 8081 8082 8083 ]; hardware.enableRedistributableFirmware = true; # iwlwifi (Intel 8260) + GPU + BT firmware @@ -331,6 +332,7 @@ in }; }; +<<<<<<< HEAD # Bananasimulator — the actual project at https://bananasimulator.dannydannydanny.me # (was a placeholder in shipyard's apps.json for ages). You ARE a banana. # Code rsync'd from ~/python-projects/26_bananasimulator/ to /home/danny/bananasimulator/ 
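Review bot: The updated comment says these ports are "reachable only over the ZeroTier mesh", but the context line directly above it trusts `enp0s31f6` wholesale. Once Forgejo listens on all interfaces (`HTTP_ADDR = "0.0.0.0"` in the @@ -429 hunk), port 3000 is therefore also accepted on that wired link, in plain HTTP. `"zt+"` is also a wildcard, so a peer on any ZeroTier network this host has joined can reach Forgejo directly without passing through Caddy. Either bind Forgejo to the host's ZeroTier address with `HTTP_ADDR = "<phantom-ship ZT address>";`, or make the comment state what is open, e.g. `# Reachable over ZeroTier and the trusted enp0s31f6 link; not in global allowedTCPPorts.`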
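Review bot: The `<<<<<<< HEAD` line added in the @@ -331 hunk is an unresolved merge-conflict marker, and its `=======` and `>>>>>>> 0a9124e` counterparts are added in the @@ -429 hunk. phantom-ship.nix as committed will therefore almost certainly fail to evaluate, and the `clan machines update phantom-ship` step from the description cannot succeed. Resolve it by keeping both the Bananasimulator and Forgejo sections and deleting the three marker lines. The Forgejo block stops after `repository.DEFAULT_BRANCH = "main";` and borrows the `}; };` that closes the HEAD side, so it will need its own `};` for `settings` and for `services.forgejo`. Evaluating the host configuration before pushing (for example `nix flake check`, if this repo is a flake) would catch this class of mistake.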
@@ -429,6 +431,35 @@ in OnCalendar = "06,10,14,18:07"; Timezone = "Europe/Copenhagen"; Persistent = true; +======= + # Forgejo — self-hosted Git forge. Phase 1 of the de-platform-from-GitHub + # roadmap (vimwiki/diary/2026-05-03.md). Public URL git.dannydannydanny.me + # is fronted by Caddy on vps-relay reverse-proxying over ZT to :3000 here. + # Auth for now: HTTPS + PAT (osxkeychain credential helper on the Mac). + # SSH disabled in Phase 1; revisit if push-via-https gets annoying. + # Backups: TODO — snapshot /var/lib/forgejo/ once it's up. + services.forgejo = { + enable = true; + database.type = "sqlite3"; # personal scale; one user, plenty + lfs.enable = true; + settings = { + DEFAULT.APP_NAME = "git.dannydannydanny.me"; + server = { + DOMAIN = "git.dannydannydanny.me"; + ROOT_URL = "https://git.dannydannydanny.me/"; + # Bind to all interfaces — firewall above scopes inbound to ZT. + HTTP_ADDR = "0.0.0.0"; + HTTP_PORT = 3000; + DISABLE_SSH = true; + }; + service = { + DISABLE_REGISTRATION = true; # admin-bootstrapped only + REQUIRE_SIGNIN_VIEW = true; # no anonymous browsing + }; + session.COOKIE_SECURE = true; + log.LEVEL = "Info"; + repository.DEFAULT_BRANCH = "main"; +>>>>>>> 0a9124e (phantom-ship + vps-relay: Forgejo on git.dannydannydanny.me) }; }; diff --git a/nixos/hosts/vps-relay.nix b/nixos/hosts/vps-relay.nix index e94b116..4f40143 100644 --- a/nixos/hosts/vps-relay.nix +++ b/nixos/hosts/vps-relay.nix @@ -118,6 +118,11 @@ "komtolk.dannydannydanny.me".extraConfig = '' reverse_proxy http://[fdd5:53a2:de33:d269:6499:936c:48a:bbdc]:8080 ''; + # Forgejo on phantom-ship — Phase 1 of the de-platform-from-GitHub + # roadmap (vimwiki/diary/2026-05-03.md). + "git.dannydannydanny.me".extraConfig = '' + reverse_proxy http://[fdd5:53a2:de33:d269:6499:936c:48a:bbdc]:3000 + ''; }; };
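Review bot: Nothing in the `settings` added in the @@ -429 hunk tells Forgejo to trust forwarded-client headers from vps-relay, although every request will arrive from the relay's ZeroTier address. Failed sign-ins and access logs will most likely record the relay rather than the real client, which is the one field needed to investigate password guessing against an internet-facing login page. Consider adding `security.REVERSE_PROXY_TRUSTED_PROXIES = "<vps-relay ZT address>";` and `security.REVERSE_PROXY_LIMIT = 1;` next to `session.COOKIE_SECURE`. The `Backups: TODO` comment is also worth closing out before real repositories are pushed here.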
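Review bot: In the vps-relay.nix hunk the ZeroTier literal `fdd5:53a2:de33:d269:6499:936c:48a:bbdc` now appears in at least two vhosts (komtolk and git), so a future address change could be applied to one and missed on the other. A `let` binding such as `phantomShipZt = "[fdd5:53a2:de33:d269:6499:936c:48a:bbdc]";`, interpolated as `reverse_proxy http://${phantomShipZt}:3000`, would keep the upstream in one place. The enclosing virtual-hosts attrset begins outside the hunk, so other vhosts there may repeat the same literal.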