phantom-ship + vps-relay: Forgejo on git.dannydannydanny.me

Phase 1 of the de-platform-from-GitHub roadmap (vimwiki/diary/2026-05-03.md).

- phantom-ship: services.forgejo bound to 0.0.0.0:3000, sqlite, lfs on,
  registration disabled, sign-in required.
- phantom-ship: open port 3000 only on the ZT interface (matches the
  bbbot pattern on sunken-ship — never exposed on WAN/Wi-Fi).
- vps-relay: Caddy vhost git.dannydannydanny.me reverse-proxies over ZT
  to phantom-ship:3000.

Manual steps still needed before this is reachable:
1. GoDaddy A record git.dannydannydanny.me -> 89.167.39.251
2. clan machines update phantom-ship && clan machines update vps-relay
3. On phantom-ship: bootstrap admin user (DISABLE_REGISTRATION is on):
     forgejo admin user create --admin --username danny \
       --email <addr> --password <pw>

nixos/hosts/phantom-ship.nix

@@ -48,6 +48,11 @@ in
   };
   networking.firewall.trustedInterfaces = [ "enp0s31f6" ];
 
+  # Forgejo's HTTP backend is only allowed on the ZeroTier interface so
+  # vps-relay's Caddy can reach it via the ZT mesh. Same pattern as
+  # bbbot on sunken-ship — port 3000 is never exposed on WAN/Wi-Fi.
+  networking.firewall.interfaces."zt+".allowedTCPPorts = [ 3000 ];
+
   hardware.enableRedistributableFirmware = true;  # iwlwifi (Intel 8260) + GPU + BT firmware
 
   boot.kernelParams = [ "consoleblank=60" ];  # blank TTY after 60s to reduce burn-in
@@ -248,6 +253,36 @@ in
     };
   };
 
+  # Forgejo — self-hosted Git forge. Phase 1 of the de-platform-from-GitHub
+  # roadmap (vimwiki/diary/2026-05-03.md). Public URL git.dannydannydanny.me
+  # is fronted by Caddy on vps-relay reverse-proxying over ZT to :3000 here.
+  # Auth for now: HTTPS + PAT (osxkeychain credential helper on the Mac).
+  # SSH disabled in Phase 1; revisit if push-via-https gets annoying.
+  # Backups: TODO — snapshot /var/lib/forgejo/ once it's up.
+  services.forgejo = {
+    enable = true;
+    database.type = "sqlite3";  # personal scale; one user, plenty
+    lfs.enable = true;
+    settings = {
+      DEFAULT.APP_NAME = "git.dannydannydanny.me";
+      server = {
+        DOMAIN = "git.dannydannydanny.me";
+        ROOT_URL = "https://git.dannydannydanny.me/";
+        # Bind to all interfaces — firewall above scopes inbound to ZT.
+        HTTP_ADDR = "0.0.0.0";
+        HTTP_PORT = 3000;
+        DISABLE_SSH = true;
+      };
+      service = {
+        DISABLE_REGISTRATION = true;       # admin-bootstrapped only
+        REQUIRE_SIGNIN_VIEW = true;         # no anonymous browsing
+      };
+      session.COOKIE_SECURE = true;
+      log.LEVEL = "Info";
+      repository.DEFAULT_BRANCH = "main";
+    };
+  };
+
   # Auto-rebuild service/timer + safe.directory provided by the
   # shared dotfiles-rebuild NixOS module (see nixos/modules/dotfiles-rebuild.nix).
 }

nixos/hosts/vps-relay.nix

@@ -101,6 +101,11 @@
       "bbbot.dannydannydanny.me".extraConfig = ''
         reverse_proxy http://[fdd5:53a2:de33:d269:6499:93d5:53a2:de33]:8080
       '';
+      # Forgejo on phantom-ship — Phase 1 of the de-platform-from-GitHub
+      # roadmap (vimwiki/diary/2026-05-03.md).
+      "git.dannydannydanny.me".extraConfig = ''
+        reverse_proxy http://[fdd5:53a2:de33:d269:6499:936c:48a:bbdc]:3000
+      '';
     };
   };