Add Forgejo T05 verify, operator bootstrap, and security hardening
All checks were successful
CI Smoke / host-smoke (push) Successful in 1s
CI Smoke / container-smoke (push) Successful in 3s

Introduce forgejo-verify acceptance checks, idempotent operator bootstrap,
runner registration SOPS capture helper, and session/security Helm values.
This commit is contained in:
tegwick 2026-07-07 22:09:53 +02:00
parent 9b31f229e8
commit 3a9236148a
8 changed files with 436 additions and 1 deletions

View file

@ -79,6 +79,29 @@ make forgejo-runner-status
make forgejo-status
make forgejo-logs
make forgejo-smoke
make forgejo-verify # T05 acceptance (smoke, TLS, DB, mailer, SSH operator)
make forgejo-secrets-check # SOPS sentinels present
```
## Operator accounts (T05)
Bootstrap is automated and does not commit secrets:
```bash
# Requires admin API token at /tmp/forgejo-tegwick-api-token (or FORGEJO_ADMIN_TOKEN)
make forgejo-operator-bootstrap
```
Default operator: `tegwick` (site admin, `coulomb` Owners team, SSH via
`forgejo-remote` / `~/.ssh/id_gitea`). `forgejo_admin` remains the Helm chart
bootstrap account; day-2 git+ssh should use the operator user.
Runner registration token: if the cluster secret was created with `kubectl create
secret` (not SOPS), capture it once on a host with the age key:
```bash
make forgejo-runner-registration-sops-bootstrap
make check-sops SOPS_SENTINEL=helm/forgejo-runner-registration.sops.yaml
```
## SMTP (IONOS) — password reset / notifications
@ -135,6 +158,15 @@ Do not put the SMTP password in `helm/forgejo-secrets.sops.yaml`.
Gitea on coulombcore remains canonical until `RAIL-HO-WP-0005` migration drills
and cutover pass. Do not repoint repo remotes until Wave 1 cutover is approved.
## Package registry (OCI, npm, generic)
See `docs/forgejo-package-registry.md`. Smoke targets:
```bash
make forgejo-smoke
make forgejo-npm-smoke
```
## Related
- Gitea reference: `~/railiance-forge/Makefile` (`gitea-deploy`)

View file

@ -0,0 +1,81 @@
# Forgejo Package Registry (railiance01)
Workplan: `RAIL-HO-WP-0005` T07 · Decision: Option C (OCI + npm + generic)
Public host: `https://forgejo.coulomb.social`
Helm values: `helm/forgejo-registry-values.yaml` (`packages.ENABLED`, `ROOT_URL`).
## OCI (container images)
Registry API: `GET /v2/` (expect `401` + `Docker-Distribution-Api-Version`).
```bash
docker login forgejo.coulomb.social -u tegwick
docker tag IMAGE forgejo.coulomb.social/coulomb/REPO:TAG
docker push forgejo.coulomb.social/coulomb/REPO:TAG
```
Cluster pull (railiance01):
```bash
KUBECONFIG=~/.kube/config-hosteurope crictl pull forgejo.coulomb.social/coulomb/REPO:TAG
```
Smoke: `make forgejo-smoke`
## npm
Org registry: `https://forgejo.coulomb.social/api/packages/coulomb/npm/`
Workstation config (use a PAT with `read:package` / `write:package`; do not commit):
```bash
npm config set @coulomb:registry https://forgejo.coulomb.social/api/packages/coulomb/npm/
npm config set -- '//forgejo.coulomb.social/api/packages/coulomb/npm/:_authToken' "${FORGEJO_NPM_TOKEN}"
```
Publish (scoped package under `@coulomb/`):
```bash
npm publish --scope=@coulomb
# or explicit:
npm publish --scope=@coulomb --registry=https://forgejo.coulomb.social/api/packages/coulomb/npm/
```
Install:
```bash
npm install @coulomb/PACKAGE@VERSION
```
Probe package (T07 evidence): `@coulomb/forgejo-npm-probe@0.0.1`
Smoke: `make forgejo-npm-smoke` (requires `FORGEJO_NPM_TOKEN` or `/tmp/forgejo-tegwick-api-token`)
CI template: `railiance-enablement/workflows/npm-publish.yaml`
## Generic packages
Upload release artifacts via Forgejo UI or API (`/api/packages/{owner}/generic/...`).
Use for binaries, checksum files, and non-OCI release assets.
## Retention and backup
| Type | Storage | Backup | Cleanup |
| --- | --- | --- | --- |
| OCI | `/data/packages` in Forgejo PVC | `make forgejo-backup` (`forgejo dump`) | Delete unused tags in UI; no auto-prune yet |
| npm | same | same | `npm unpublish @coulomb/pkg@version` or UI package settings |
| generic | same | same | per-package UI delete |
Package blobs are included in daily `forgejo dump` (~686M with 14 repos, 2026-07-07).
Restore drills must verify package metadata after isolated restore (T09).
RPO/RTO for package data matches Forgejo backup policy: 24h / 4h
(`the-custodian/docs/forgejo-production-decisions.md` § Backup).
## Related
- `docs/forgejo-on-railiance01.md`
- `railiance-enablement/docs/forgejo-actions-workflow-templates.md`
- Gitea legacy reference: `~/railiance-forge/docs/gitea-package-registry.md`