uvlava/terraform/do/cloud-init/forge.yaml
Natalie 056a33a417 fix(dns-updater): target the live forge droplet's host Caddy, not a container
The running ct-forge droplet (134.199.243.61 / lilith-forge) terminates TLS
with a HOST Caddy (/etc/caddy/Caddyfile, systemd) proxying to localhost ports —
it does NOT run a Caddy container or the cloud-init compose stack. Rework:
- compose.yml publishes 127.0.0.1:8090 (loopback) instead of joining an edge net
- deploy.sh appends the dns.ct vhost to /etc/caddy/Caddyfile, caddy-validates,
  systemctl reload caddy; default target is the IP (forge.ct won't resolve until
  DNSSEC is removed)
- revert the forge.yaml cloud-init edits (edge network + container vhost) that
  assumed a Caddy container
- README documents the host-Caddy reality

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 15:13:03 -04:00

122 lines
5.1 KiB
YAML

#cloud-config
# lilith-forge - replaces the dead forge.black.lan in one small box:
# - Forgejo (git canonical, the new `origin`) :3000 web, :2222 git-ssh
# - Verdaccio (npm registry for @lilith/*) :4873
# - PyPI server (for Python packages) :8080
# - Swift support via Forgejo's package registry (or a dedicated service if needed)
# Services run as Docker containers with persistent volumes on the ct-forge DO droplet.
# Exposure is controlled by the DO cloud firewall + Caddy for TLS (forge.ct, npm.ct, pypi.ct, swift.ct).
# Git ops use SSH. No more black. Look at LP for the old setup; this is the new one on ct-forge.
package_update: true
packages:
  - ca-certificates
  - curl
  - ufw
write_files:
  - path: /opt/forge/docker-compose.yml
    permissions: "0644"
    content: |
      # Docker stack for ct-forge on DO uvlava infra: Forgejo + Verdaccio (npm) + PyPI + Caddy (TLS).
      # Verdaccio for @lilith npm, pypiserver for PyPI packages, Swift via Forgejo's package registry (/api/packages/.../swift).
      # New services on the forge droplet for publishing (no more black).
      # NOTE: every "host:container" mapping below binds on all interfaces. Docker inserts its own iptables
      # DNAT/FORWARD rules for published ports, so the ufw rules in runcmd do not gate them; the DO cloud
      # firewall is the real perimeter for 3000/4873/8080. Bind "127.0.0.1:port:port" for anything that
      # should only be reachable through Caddy.
      services:
        forgejo:
          image: codeberg.org/forgejo/forgejo:9
          container_name: forgejo
          restart: always
          environment:
            - USER_UID=1000
            - USER_GID=1000
            - FORGEJO__server__DOMAIN=${forge_public_ip}
            - FORGEJO__server__SSH_DOMAIN=${forge_public_ip}
            - FORGEJO__server__SSH_PORT=2222
            # Bootstrap value. Once Caddy fronts the service, ROOT_URL must become https://forge.ct.uvlava.com/
            # or Forgejo keeps generating http://<ip>:3000 links (clone URLs, redirects, OAuth callbacks).
            - FORGEJO__server__ROOT_URL=http://${forge_public_ip}:3000/
            - FORGEJO__service__DISABLE_REGISTRATION=true
            # Enable package registry for pypi, swift (verdaccio separate for npm)
            - FORGEJO__package__ENABLED=true
          volumes:
            - ./forgejo-data:/data
            - /etc/timezone:/etc/timezone:ro
            - /etc/localtime:/etc/localtime:ro
          ports:
            - "3000:3000"
            - "2222:22"
        verdaccio:
          image: verdaccio/verdaccio:6
          container_name: verdaccio
          restart: always
          # No config.yaml is mounted, so the image default applies: htpasswd auth with open self-registration,
          # and any registered user may publish. Mount a config.yaml (auth.htpasswd.max_users: -1 and an explicit
          # packages: block) before 4873 is reachable from anything but the cloud firewall's allow-list.
          volumes:
            - ./verdaccio-storage:/verdaccio/storage
          ports:
            - "4873:4873"
        pypiserver:
          # "latest" is unpinned; pin a tag or digest like the other images so rebuilds are reproducible.
          image: pypiserver/pypiserver:latest
          container_name: pypiserver
          restart: always
          # "-P . -a ." is pypiserver's documented way to disable authentication entirely: anyone who can reach
          # :8080 can upload packages. Acceptable only while the cloud firewall limits sources; otherwise pass an
          # htpasswd file to -P and keep "-a update".
          command: -p 8080 -P . -a . /data
          volumes:
            - ./pypi-storage:/data
          ports:
            - "8080:8080"
        # swift: Forgejo built-in at http://${forge_public_ip}:3000/api/packages/<owner>/swift
        # (no extra container needed; enabled above)
        caddy:
          image: caddy:2
          container_name: caddy
          restart: always
          ports:
            - "80:80"
            - "443:443"
          volumes:
            - ./caddy-data:/data
            - ./caddy-config:/config
            - ./Caddyfile:/etc/caddy/Caddyfile
  - path: /opt/forge/Caddyfile
    permissions: "0644"
    content: |
      # TLS + reverse proxy for ct-forge services.
      # LE certs auto via Caddy. Requires the A records (forge.ct / npm.ct / pypi.ct / swift.ct) to
      # resolve to this droplet's public IP, and 80/443 reachable from the internet for the ACME challenge.
      # Upstreams are compose service names, resolved on the stack's default network.
      # swift.ct proxies to forgejo (uses its Swift package registry API).
      forge.ct.uvlava.com {
        reverse_proxy forgejo:3000
      }
      npm.ct.uvlava.com {
        reverse_proxy verdaccio:4873
      }
      pypi.ct.uvlava.com {
        reverse_proxy pypiserver:8080
      }
      swift.ct.uvlava.com {
        reverse_proxy forgejo:3000
      }
runcmd:
  # Install Docker engine + compose plugin (Ubuntu apt repo; the repo line picks up the host's codename).
  - install -m 0755 -d /etc/apt/keyrings
  - curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
  - chmod a+r /etc/apt/keyrings/docker.asc
  - echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo $VERSION_CODENAME) stable" > /etc/apt/sources.list.d/docker.list
  - apt-get update
  - apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
  # Host firewall: SSH(22) + git-ssh(2222) + http/https (Caddy on 80/443) + the direct ports (3000/4873/8080) for bootstrap.
  # Caveat: Docker publishes container ports through its own iptables chains, so these ufw rules neither open
  # nor close the compose ports; they only govern host listeners such as sshd on 22. Nothing in this stack
  # listens on 8081. The DO cloud firewall (now TF-managed as digitalocean_firewall.forge) restricts sources
  # and is the effective control for the container ports.
  - ufw --force reset
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw allow 22/tcp
  - ufw allow 2222/tcp
  - ufw allow 80/tcp
  - ufw allow 443/tcp
  - ufw allow 3000/tcp
  - ufw allow 4873/tcp
  - ufw allow 8080/tcp
  - ufw allow 8081/tcp
  - ufw --force enable
  # Bring up the stack (Forgejo, Verdaccio, PyPI, Caddy for TLS on the ct domains).
  - cd /opt/forge && docker compose up -d
final_message: "ct-forge (cocotte-forge) up on DO uvlava infra. Forgejo https://forge.ct.uvlava.com (or http://${forge_public_ip}:3000 for bootstrap), git-ssh :2222, Verdaccio https://npm.ct.uvlava.com (or http://${forge_public_ip}:4873), PyPI https://pypi.ct.uvlava.com (or http://${forge_public_ip}:8080), Swift via https://swift.ct.uvlava.com/api/packages/.../swift . Caddy provides LE TLS. Complete Forgejo first-run admin setup. Publish to these new services from package CI (no more black)."
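The interaction between the compose `ports:` mappings and the ufw rules above is the part of this file most likely to mislead a reviewer: a port published as `"3000:3000"` is reachable from the internet whether or not ufw allows it, because Docker's own iptables rules are consulted first, and only a `127.0.0.1:` bind keeps a service off the wire (the loopback form the commit message adopts for the dns-updater). The audit below is an added example written for this page, not part of the uvlava repo; it takes a compose document as a Python dict (what `yaml.safe_load` or `docker compose config --format json` would give you), lists which host ports are internet-facing versus loopback-only, and compares them with the cloud-init ufw allow-list. The sample compose dict is constructed to mirror the services on this page, plus a hypothetical `dns-updater` service to show the loopback form; `UFW_ALLOW`, `HOST_LISTENERS` and `INTENDED_PUBLIC` are assumptions taken from the runcmd comments.

```python
"""Audit the host ports a compose stack publishes against the cloud-init ufw allow-list.

Docker publishes "host:container" ports via its own iptables DNAT/FORWARD rules, which are
evaluated before ufw's INPUT-chain rules, so `ufw allow`/`deny` does not gate them. Only
ports bound to 127.0.0.1 stay off the wire; the rest depend on the DO cloud firewall.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample mirroring forge.yaml's services (assumption: same mappings as the page);
# "dns-updater" is a hypothetical extra service showing the loopback-only publish form.
COMPOSE = {
    "services": {
        "forgejo": {"ports": ["3000:3000", "2222:22"]},
        "verdaccio": {"ports": ["4873:4873"]},
        "pypiserver": {"ports": ["8080:8080"]},
        "caddy": {"ports": ["80:80", "443:443/tcp"]},
        "dns-updater": {"ports": ["127.0.0.1:8090:8090"]},
    }
}
UFW_ALLOW = {22, 2222, 80, 443, 3000, 4873, 8080, 8081}  # the `ufw allow` lines in runcmd
HOST_LISTENERS = {22}                                    # sshd lives on the host, not in compose
INTENDED_PUBLIC = {22, 2222, 80, 443}                    # what the firewall comment wants exposed


@dataclass(frozen=True)
class Published:
    service: str
    host_ip: str            # "0.0.0.0" when the entry names no address
    host_port: int | None   # None for the bare "8080" form (ephemeral host port, still on all interfaces)
    target: int
    proto: str


def parse_port(service: str, entry) -> Published:
    """Parse one compose `ports:` entry, short or long syntax (IPv4 addresses, single ports only)."""
    if isinstance(entry, dict):  # long syntax: {target: 22, published: 2222, host_ip: 127.0.0.1}
        published = int(entry["published"]) if "published" in entry else None
        return Published(service, str(entry.get("host_ip", "0.0.0.0")), published,
                         int(entry["target"]), str(entry.get("protocol", "tcp")))
    spec, _, proto = str(entry).partition("/")
    proto = proto or "tcp"
    parts = spec.split(":")
    if len(parts) == 1:
        return Published(service, "0.0.0.0", None, int(parts[0]), proto)
    if len(parts) == 2:
        return Published(service, "0.0.0.0", int(parts[0]), int(parts[1]), proto)
    if len(parts) == 3:
        return Published(service, parts[0], int(parts[1]), int(parts[2]), proto)
    raise ValueError(f"{service}: unsupported port spec {entry!r} (IPv6 host addresses not handled)")


def published_ports(compose: dict) -> list[Published]:
    return [parse_port(name, p)
            for name, svc in compose.get("services", {}).items()
            for p in svc.get("ports", [])]


def is_loopback(ip: str) -> bool:
    return ip.startswith("127.")


def audit(compose: dict, ufw_allow: set[int], host_listeners: set[int],
          intended_public: set[int]) -> dict[str, set[int]]:
    """Classify published host ports; every set holds host-side port numbers."""
    pubs = published_ports(compose)
    on_wire = {p.host_port for p in pubs if p.host_port is not None and not is_loopback(p.host_ip)}
    loopback = {p.host_port for p in pubs if p.host_port is not None and is_loopback(p.host_ip)}
    ephemeral = {p.target for p in pubs if p.host_port is None}  # container ports behind random host ports
    return {
        "internet_facing": on_wire,                        # reachable regardless of ufw
        "unintended_internet_facing": on_wire - intended_public,
        "ufw_rule_ineffective": ufw_allow & on_wire,       # allowed in ufw, but Docker bypasses ufw anyway
        "ufw_without_listener": ufw_allow - on_wire - loopback - host_listeners,
        "loopback_only": loopback,                         # only reachable via the host (e.g. host Caddy)
        "ephemeral_targets": ephemeral,
    }


if __name__ == "__main__":
    for key, ports in audit(COMPOSE, UFW_ALLOW, HOST_LISTENERS, INTENDED_PUBLIC).items():
        print(f"{key}: {sorted(ports)}")
```

Run against the page's stack it reports 3000, 4873 and 8080 as internet-facing but not intended public, every ufw rule for a container port as ineffective, 8081 as allowed with no listener, and 8090 as the only loopback-bound port. Feed it real data with `docker compose config --format json | python -c 'import json,sys; ...'` after swapping `COMPOSE` for the parsed document.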