feat: add git.skudak.com Gitea instance and skudak domain migrations

Gitea Skudak (git.skudak.com): - New Gitea instance with PostgreSQL in podman pod under git user - SSH access via Gitea's built-in SSH server on port 2222 - Registration restricted to @skudak.com emails with email confirmation - SMTP configured for email delivery Domain migrations: - wiki.skudakrennsport.com → wiki.skudak.com (302 redirect) - cloud.skudakrennsport.com + cloud.skudak.com (dual-domain serving) - BookStack APP_URL updated to wiki.skudak.com - Nextcloud trusted_domains updated for cloud.skudak.com Infrastructure: - SELinux context for git user container storage (container_file_t) - Firewall rule for port 2222/tcp (Gitea Skudak SSH) - Caddy reverse proxy for git.skudak.com Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-15 22:27:02 -05:00
parent 9e665a841d
commit c96aeafb3f
10 changed files with 184 additions and 12 deletions
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -89,6 +89,11 @@ parts_server_name_io: parts.debyl.io
 photos_server_name_io: photos.debyl.io
 gitea_debyl_server_name: git.debyl.io

+# skudak.com domains (migration from skudakrennsport.com)
+bookstack_server_name_new: wiki.skudak.com
+cloud_skudak_server_name_new: cloud.skudak.com
+gitea_skudak_server_name: git.skudak.com
+
 # Legacy nginx/ModSecurity configuration removed - Caddy provides built-in security

 # Web server configuration (Caddy is the default)
@@ -144,6 +149,7 @@ caddy_log_names:
  - cloud
  - cloud-skudak
  - gitea-debyl
+  - gitea-skudak
  - fulfillr

 # GeoIP configuration for Graylog
--- a/ansible/roles/podman/tasks/containers/skudak/cloud.yml
+++ b/ansible/roles/podman/tasks/containers/skudak/cloud.yml
@@ -119,3 +119,14 @@
    insertbefore: '^\);'
    create: false
  failed_when: false
+
+# Add cloud.skudak.com to Nextcloud trusted_domains
+- name: add cloud.skudak.com to nextcloud trusted_domains
+  become: true
+  become_user: "{{ podman_user }}"
+  ansible.builtin.command: >
+    podman exec -u www-data skudak-cloud
+    php occ config:system:set trusted_domains 1 --value="cloud.skudak.com"
+  register: trusted_domain_result
+  changed_when: "'System config value trusted_domains' in trusted_domain_result.stdout"
+  failed_when: false
--- a/ansible/roles/podman/tasks/containers/skudak/wiki.yml
+++ b/ansible/roles/podman/tasks/containers/skudak/wiki.yml
@@ -68,7 +68,7 @@
    network:
      - shared
    env:
-      APP_URL: "https://wiki.skudakrennsport.com"
+      APP_URL: "https://wiki.skudak.com"
      APP_KEY: "{{ bookstack_app_key }}"
      DB_HOST: "bookstack-db"
      DB_USERNAME: "bookstack"
--- a/ansible/roles/podman/tasks/firewall.yml
+++ b/ansible/roles/podman/tasks/firewall.yml
@@ -13,6 +13,8 @@
    # web server (Caddy)
    - 80/tcp
    - 443/tcp
+    # Gitea Skudak SSH
+    - 2222/tcp
    # pihole (unused?)
    - 53/tcp
    - 53/udp
--- a/ansible/roles/podman/templates/caddy/Caddyfile.j2
+++ b/ansible/roles/podman/templates/caddy/Caddyfile.j2
@@ -79,11 +79,16 @@
 }


-# Wiki/BookStack - {{ bookstack_server_name }}
+# Wiki/BookStack - {{ bookstack_server_name }} redirect to new domain
 {{ bookstack_server_name }} {
+	redir https://{{ bookstack_server_name_new }}{uri} 302
+}
+
+# Wiki/BookStack - {{ bookstack_server_name_new }} (new primary domain)
+{{ bookstack_server_name_new }} {
 	import common_headers
 	reverse_proxy localhost:6875
-	
+
 	log {
 		output file /var/log/caddy/wiki.log
 		format json
@@ -258,28 +263,28 @@
 	}
 }

-# Skudak Nextcloud - {{ cloud_skudak_server_name }}
-{{ cloud_skudak_server_name }} {
+# Skudak Nextcloud - serve both domains (migration period)
+{{ cloud_skudak_server_name }}, {{ cloud_skudak_server_name_new }} {
 	request_body {
 		max_size {{ caddy_max_request_body_mb }}MB
 	}
-	
+
 	reverse_proxy localhost:8090 {
 		header_up Host {host}
 		header_up X-Real-IP {remote}
 	}
-	
+
 	header {
 		Strict-Transport-Security "max-age=31536000; includeSubDomains"
 		X-Content-Type-Options "nosniff"
 		Referrer-Policy "same-origin"
 		-X-Powered-By
 	}
-	
+
 	# Nextcloud specific redirects
 	redir /.well-known/carddav /remote.php/dav 301
 	redir /.well-known/caldav /remote.php/dav 301
-	
+
 	log {
 		output file /var/log/caddy/cloud-skudak.log
 		format json
@@ -300,6 +305,20 @@
 	}
 }

+# Gitea Skudak - {{ gitea_skudak_server_name }}
+{{ gitea_skudak_server_name }} {
+	import common_headers
+
+	reverse_proxy localhost:3101 {
+		flush_interval -1
+	}
+
+	log {
+		output file /var/log/caddy/gitea-skudak.log
+		format json
+	}
+}
+
 # Fulfillr - {{ fulfillr_server_name }} (Static + API with IP restrictions)
 {{ fulfillr_server_name }} {
 {{ ip_restricted_site() }}