warnason/infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infrastructure/README.md
warnason 648d4e6b98 Initial infrastructure: Caddy reverse proxy and Forgejo git server 
- Ubuntu 24.04 base on dedicated hardware with software RAID 1
- Docker Compose stacks for Caddy and Forgejo (PostgreSQL-backed)
- Automatic TLS via Let's Encrypt
- SSH hardening, UFW firewall, fail2ban
- Setup documentation in docs/setup.md
2026-04-16 17:39:57 +02:00

60 lines
2 KiB
Markdown
Raw Blame History

# Infrastructure
Self-hosted development and deployment infrastructure for personal technical projects.
Runs a private Git forge (Forgejo), an automated reverse proxy with TLS (Caddy), and serves prototype applications under development.
## Overview
- **Host:** Ubuntu 24.04 LTS on dedicated hardware (Hetzner, Falkenstein)
- **Storage:** Software RAID 1 for the operating system, separate disk for non-critical data
- **Orchestration:** Docker Compose
- **Reverse proxy:** Caddy 2, with automatic Let's Encrypt certificates
- **Git hosting:** Forgejo with PostgreSQL backend
- **Firewall:** UFW, restricting inbound traffic to SSH, HTTP, HTTPS, and Git-over-SSH
- **Intrusion prevention:** fail2ban on SSH
## Services
| Service | URL | Purpose |
|---------|--------------------------|--------------------------------|
| Forgejo | https://git.stifting.at | Self-hosted Git and CI/CD |
| App | https://bim.stifting.at | Currently hosted prototype |
## Repository layout
```
.
├── caddy/ # Reverse proxy configuration
│ ├── docker-compose.yml
│ └── Caddyfile
├── forgejo/ # Git server configuration
│ ├── docker-compose.yml
│ └── .env.example
├── docs/ # Setup notes and runbooks
│ └── setup.md
└── README.md
```
## Bootstrapping a new host
See [docs/setup.md](docs/setup.md) for the full installation procedure.
High-level steps:
1. Provision Ubuntu 24.04 via `installimage` with RAID 1
2. Harden SSH, create an admin user, enable UFW and fail2ban
3. Install Docker and create the shared `web` network
4. Deploy Caddy, then Forgejo
5. Configure DNS records for the relevant subdomains
## Security notes
- SSH uses key-only authentication; root login is disabled
- Secrets (`.env`, passwords) are never committed; templates are provided as `.env.example`
- Unattended security upgrades are enabled
- TLS certificates are issued and renewed automatically via ACME
## License
MIT
Reference in a new issue View git blame Copy permalink