developer: infrastructure: hosting forum.forgefriends.org

2024-11-21 17:36:59 -05:00 · 2024-05-30 09:32:31 +02:00 · 2024-05-30 09:32:31 +02:00 · 1a8ed80ebd
commit 1a8ed80ebd
parent f2ad71255d
1 changed files with 75 additions and 42 deletions
--- a/docs/developer/infrastructure.md
+++ b/docs/developer/infrastructure.md
@ -7,12 +7,17 @@ license: 'CC-BY-SA-4.0'

 All LXC hosts are setup with [lxc-helpers](https://code.forgejo.org/forgejo/lxc-helpers/).

+```sh
+name=forgejo-host
+lxc-helpers.sh lxc_container_run $name -- sudo --user debian bash
+```
+
 ### Unprivileged

 ```sh
 name=forgejo-host
 lxc-helpers.sh lxc_container_create --config "unprivileged" $name
-echo "lxc.start.auto = 1" >> /var/lib/lxc/$name/config
+echo "lxc.start.auto = 1" | sudo tee -a /var/lib/lxc/$name/config
 lxc-helpers.sh lxc_container_start $name
 lxc-helpers.sh lxc_container_user_install $name $(id -u) $USER
 ```
@ -22,7 +27,7 @@ lxc-helpers.sh lxc_container_user_install $name $(id -u) $USER
 ```sh
 name=forgejo-host
 lxc-helpers.sh lxc_container_create --config "docker" $name
-echo "lxc.start.auto = 1" >> /var/lib/lxc/$name/config
+echo "lxc.start.auto = 1" | sudo tee -a /var/lib/lxc/$name/config
 lxc-helpers.sh lxc_container_start $name
 lxc-helpers.sh lxc_install_docker $name
 lxc-helpers.sh lxc_container_user_install $name $(id -u) $USER
@ -35,13 +40,74 @@ name=forgejo-host
 ipv4=10.85.12
 ipv6=fc33
 lxc-helpers.sh lxc_container_create --config "docker lxc" $name
-echo "lxc.start.auto = 1" >> /var/lib/lxc/$name/config
+echo "lxc.start.auto = 1" | sudo tee -a /var/lib/lxc/$name/config
 lxc-helpers.sh lxc_container_start $name
 lxc-helpers.sh lxc_install_docker $name
 lxc-helpers.sh lxc_install_lxc forgejo-runner-host $ipv4 $ipv6
 lxc-helpers.sh lxc_container_user_install $name $(id -u) $USER
 ```

+## Host reverse proxy
+
+The reverse proxy on a host forwards to the designated LXC container with
+something like the following in
+`/etc/nginx/sites-available/example.com`, where A.B.C.D is the
+IP allocated to the LXC container running the web service:
+
+The certificate is obtained once and automatically renewed with:
+
+```
+sudo apt-get install certbot python3-certbot-nginx
+sudo certbot -n --agree-tos --email contact@forgejo.org -d example.com --nginx
+```
+
+### Forgejo example
+
+```
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name example.com;
+
+    location / {
+        deny 47.76.209.138; # crawler that does not obey robots.txt
+        deny 47.76.99.127; # crawler that does not obey robots.txt
+        proxy_pass http://A.B.C.D:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        client_max_body_size 2G;
+	#
+	# http://nginx.org/en/docs/http/websocket.html
+	#
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Upgrade $http_upgrade;
+        include proxy_params;
+    }
+}
+```
+
+### Vanila example
+
+```nginx
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name example.com;
+
+    location / {
+        proxy_pass http://A.B.C.D;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+    }
+}
+```
+
 ## Forgejo runners

 The LXC container in which the runner is installed must have capabilities that support the backend.
@ -100,8 +166,6 @@ firefox http://private.forgejo.org

 ### Containers

-It hosts LXC containers setup with [lxc-helpers](https://code.forgejo.org/forgejo/lxc-helpers/).
-
 - `fogejo-host`

  Dedicated to http://private.forgejo.org
@ -254,6 +318,12 @@ lxc-helpers.sh lxc_install_lxc_inside 10.41.13 fc29
  - code.forgejo.org/f3/config\*.yml
  - code.forgejo.org/forgefriends/config\*.yml

+- `forgefriends-forum`
+
+  Dedicated to https://forum.forgefriends.org
+
+  - Docker enabled
+
 ### hetzner{02,03}

 https://hetzner02.forgejo.org & https://hetzner03.forgejo.org run on [EX44](https://www.hetzner.com/dedicated-rootserver/ex44) Hetzner hardware.
@ -328,45 +398,8 @@ add chain ip code prerouting {

 with `nft -f /root/code.nftables`.

-#### Reverse proxy
-
-The reverse proxy forwards to the designated LXC container with
-something like the following in
-`/etc/nginx/sites-enabled/code.forgejo.org`, where 10.6.83.195 is the
-IP allocated to the LXC container running the web service:
-
-```
-server {
-    listen 80;
-    listen [::]:80;
-
-    server_name code.forgejo.org;
-
-    location / {
-        deny 47.76.209.138; # crawler that does not obey robots.txt
-        deny 47.76.99.127; # crawler that does not obey robots.txt
-        proxy_pass http://10.6.83.195:8080;
-        client_max_body_size 2G;
-	#
-	# http://nginx.org/en/docs/http/websocket.html
-	#
-        proxy_set_header Connection $http_connection;
-        proxy_set_header Upgrade $http_upgrade;
-        include proxy_params;
-    }
-}
-```
-
-The LE certificate is obtained once and automatically renewed with:
-
-```
-sudo certbot -n --agree-tos --email contact@forgejo.org -d code.forgejo.org --nginx
-```
-
 #### Containers

-It hosts LXC containers setup with [lxc-helpers](https://code.forgejo.org/forgejo/lxc-helpers/).
-
 - `fogejo-code` on hetzner02

  Dedicated to https://code.forgejo.org