From eccd9ee7ddb277edee2e2788971af4b3c7532850 Mon Sep 17 00:00:00 2001
From: DannyDannyDanny
Date: Mon, 4 May 2026 19:55:04 +0200
Subject: [PATCH] phantom-ship + vps-relay: Forgejo on git.dannydannydanny.me
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Phase 1 of the de-platform-from-GitHub roadmap (vimwiki/diary/2026-05-03.md).

- phantom-ship: services.forgejo bound to 0.0.0.0:3000, sqlite, lfs on, registration disabled, sign-in required.
- phantom-ship: open port 3000 only on the ZT interface (matches the bbbot pattern on sunken-ship — never exposed on WAN/Wi-Fi).
- vps-relay: Caddy vhost git.dannydannydanny.me reverse-proxies over ZT to phantom-ship:3000.

Manual steps still needed before this is reachable:
1. GoDaddy A record git.dannydannydanny.me -> 89.167.39.251
2. clan machines update phantom-ship && clan machines update vps-relay
3. On phantom-ship: bootstrap admin user (DISABLE_REGISTRATION is on):
   forgejo admin user create --admin --username danny \
     --email --password
---
 nixos/hosts/phantom-ship.nix | 35 +++++++++++++++++++++++++++++++++++
 nixos/hosts/vps-relay.nix    |  5 +++++
 2 files changed, 40 insertions(+)

diff --git a/nixos/hosts/phantom-ship.nix b/nixos/hosts/phantom-ship.nix
index a298360..6e981dc 100644
--- a/nixos/hosts/phantom-ship.nix
+++ b/nixos/hosts/phantom-ship.nix
@@ -48,6 +48,11 @@ in
   };
   networking.firewall.trustedInterfaces = [ "enp0s31f6" ];
+  # Forgejo's HTTP backend is only allowed on the ZeroTier interface so
+  # vps-relay's Caddy can reach it via the ZT mesh. Same pattern as
+  # bbbot on sunken-ship — port 3000 is never exposed on WAN/Wi-Fi.
+  networking.firewall.interfaces."zt+".allowedTCPPorts = [ 3000 ];
+
   hardware.enableRedistributableFirmware = true; # iwlwifi (Intel 8260) + GPU + BT firmware
   boot.kernelParams = [ "consoleblank=60" ]; # blank TTY after 60s to reduce burn-in
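Review bot: The new comment says port 3000 is never exposed outside the ZeroTier mesh, but the context line directly above it, `networking.firewall.trustedInterfaces = [ "enp0s31f6" ];`, passes every port on that wired interface, and the Forgejo block in the second hunk binds `HTTP_ADDR = "0.0.0.0"`, so any host on that wired segment reaches Forgejo over plain HTTP on :3000 without going through Caddy. If that interface is a trusted home LAN this may be intended, but the comment should say so rather than claim the port is reachable only over ZT, e.g. `# bbbot on sunken-ship — not reachable on WAN/Wi-Fi; the trusted wired interface above still reaches :3000 directly.` Separately, `"zt+"` admits every member of the ZeroTier network, not just vps-relay; if other peers are on that network, restricting the input rule to the relay's ZT source address would be tighter. The enclosing attribute set opens and closes outside this hunk.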
@@ -248,6 +253,36 @@ in
   };
   };
+  # Forgejo — self-hosted Git forge. Phase 1 of the de-platform-from-GitHub
+  # roadmap (vimwiki/diary/2026-05-03.md). Public URL git.dannydannydanny.me
+  # is fronted by Caddy on vps-relay reverse-proxying over ZT to :3000 here.
+  # Auth for now: HTTPS + PAT (osxkeychain credential helper on the Mac).
+  # SSH disabled in Phase 1; revisit if push-via-https gets annoying.
+  # Backups: TODO — snapshot /var/lib/forgejo/ once it's up.
+  services.forgejo = {
+    enable = true;
+    database.type = "sqlite3"; # personal scale; one user, plenty
+    lfs.enable = true;
+    settings = {
+      DEFAULT.APP_NAME = "git.dannydannydanny.me";
+      server = {
+        DOMAIN = "git.dannydannydanny.me";
+        ROOT_URL = "https://git.dannydannydanny.me/";
+        # Bind to all interfaces — firewall above scopes inbound to ZT.
+        HTTP_ADDR = "0.0.0.0";
+        HTTP_PORT = 3000;
+        DISABLE_SSH = true;
+      };
+      service = {
+        DISABLE_REGISTRATION = true; # admin-bootstrapped only
+        REQUIRE_SIGNIN_VIEW = true; # no anonymous browsing
+      };
+      session.COOKIE_SECURE = true;
+      log.LEVEL = "Info";
+      repository.DEFAULT_BRANCH = "main";
+    };
+  };
+
   # Auto-rebuild service/timer + safe.directory provided by the
   # shared dotfiles-rebuild NixOS module (see nixos/modules/dotfiles-rebuild.nix).
 }
diff --git a/nixos/hosts/vps-relay.nix b/nixos/hosts/vps-relay.nix
index f7bf7b0..5bd653a 100644
--- a/nixos/hosts/vps-relay.nix
+++ b/nixos/hosts/vps-relay.nix
@@ -101,6 +101,11 @@
       "bbbot.dannydannydanny.me".extraConfig = ''
         reverse_proxy http://[fdd5:53a2:de33:d269:6499:93d5:53a2:de33]:8080
       '';
+      # Forgejo on phantom-ship — Phase 1 of the de-platform-from-GitHub
+      # roadmap (vimwiki/diary/2026-05-03.md).
+      "git.dannydannydanny.me".extraConfig = ''
+        reverse_proxy http://[fdd5:53a2:de33:d269:6499:936c:48a:bbdc]:3000
+      '';
     };
   };
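Review bot: Forgejo is fronted by Caddy on a different host, but the `settings` block leaves the `security` section at its defaults, which only trust forwarded-client headers from loopback; the `X-Forwarded-For` that Caddy adds over the ZT link will therefore be ignored and every request is recorded — in the access log and in anything Forgejo keys on client IP — as coming from vps-relay's ZeroTier address. Add `security.REVERSE_PROXY_TRUSTED_PROXIES = "<VPS_RELAY_ZT_ADDR>/128";` alongside `session.COOKIE_SECURE`; the relay's ZT address is not in this patch, so that placeholder has to be filled in from the vps-relay host. Worth a line in the block comment as well, since the relay-only trust is what makes the forwarded address safe to honour. The module attribute set this sits in opens outside the hunk and closes at the `}` context line.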