feat: add git.skudak.com Gitea instance and skudak domain migrations

Gitea Skudak (git.skudak.com):
- New Gitea instance with PostgreSQL in podman pod under git user
- SSH access via Gitea's built-in SSH server on port 2222
- Registration restricted to @skudak.com emails with email confirmation
- SMTP configured for email delivery

Domain migrations:
- wiki.skudakrennsport.com → wiki.skudak.com (302 redirect)
- cloud.skudakrennsport.com + cloud.skudak.com (dual-domain serving)
- BookStack APP_URL updated to wiki.skudak.com
- Nextcloud trusted_domains updated for cloud.skudak.com

Infrastructure:
- SELinux context for git user container storage (container_file_t)
- Firewall rule for port 2222/tcp (Gitea Skudak SSH)
- Caddy reverse proxy for git.skudak.com

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

ansible/roles/git/defaults/main.yml

@@ -6,3 +6,7 @@ git_home: "/srv/{{ git_user }}"
 gitea_debyl_server_name: git.debyl.io
 gitea_image: docker.gitea.com/gitea:1.25.2
 gitea_db_image: docker.io/library/postgres:14-alpine
+
+# Skudak Gitea configuration
+gitea_skudak_server_name: git.skudak.com
+gitea_skudak_ssh_port: 2222

ansible/roles/git/tasks/gitea-skudak.yml

@@ -0,0 +1,114 @@
+---
+# Deploy Gitea Skudak containers using Podman pod
+# NOTE: Directories are created in podman.yml (psql dir created by postgres container)
+
+# Ensure SELinux contexts are applied before pod creation
+- name: flush handlers before gitea-skudak pod creation
+  ansible.builtin.meta: flush_handlers
+  tags: gitea, gitea-skudak
+
+# Create pod for Skudak Gitea services
+- name: create gitea-skudak pod
+  become: true
+  become_user: "{{ git_user }}"
+  containers.podman.podman_pod:
+    name: gitea-skudak-pod
+    state: started
+    ports:
+      - "3101:3000"
+      - "{{ gitea_skudak_ssh_port }}:2222"
+  tags: gitea, gitea-skudak
+
+# PostgreSQL container in pod
+- name: create gitea-skudak-postgres container
+  become: true
+  become_user: "{{ git_user }}"
+  containers.podman.podman_container:
+    name: gitea-skudak-postgres
+    image: "{{ gitea_db_image }}"
+    pod: gitea-skudak-pod
+    restart_policy: on-failure:3
+    log_driver: journald
+    env:
+      POSTGRES_DB: gitea
+      POSTGRES_USER: gitea
+      POSTGRES_PASSWORD: "{{ gitea_skudak_db_pass }}"
+    volumes:
+      - "{{ git_home }}/volumes/gitea-skudak/psql:/var/lib/postgresql/data"
+  tags: gitea, gitea-skudak
+
+# Gitea container in pod
+- name: create gitea-skudak container
+  become: true
+  become_user: "{{ git_user }}"
+  containers.podman.podman_container:
+    name: gitea-skudak
+    image: "{{ gitea_image }}"
+    pod: gitea-skudak-pod
+    restart_policy: on-failure:3
+    log_driver: journald
+    env:
+      USER_UID: "1000"
+      USER_GID: "1000"
+      GITEA__database__DB_TYPE: postgres
+      GITEA__database__HOST: "127.0.0.1:5432"
+      GITEA__database__NAME: gitea
+      GITEA__database__USER: gitea
+      GITEA__database__PASSWD: "{{ gitea_skudak_db_pass }}"
+      GITEA__server__DOMAIN: "{{ gitea_skudak_server_name }}"
+      GITEA__server__ROOT_URL: "https://{{ gitea_skudak_server_name }}/"
+      GITEA__server__SSH_DOMAIN: "{{ gitea_skudak_server_name }}"
+      # Use Gitea's built-in SSH server (non-privileged port inside container)
+      GITEA__server__START_SSH_SERVER: "true"
+      GITEA__server__DISABLE_SSH: "false"
+      GITEA__server__SSH_PORT: "{{ gitea_skudak_ssh_port }}"
+      GITEA__server__SSH_LISTEN_PORT: "2222"
+      GITEA__security__SECRET_KEY: "{{ gitea_skudak_secret_key }}"
+      GITEA__security__INTERNAL_TOKEN: "{{ gitea_skudak_internal_token }}"
+      GITEA__security__INSTALL_LOCK: "true"
+      # Allow registration only for @skudak.com emails
+      GITEA__service__DISABLE_REGISTRATION: "false"
+      GITEA__service__EMAIL_DOMAIN_ALLOWLIST: "skudak.com"
+      GITEA__service__REGISTER_EMAIL_CONFIRM: "true"
+      GITEA__service__REQUIRE_SIGNIN_VIEW: "false"
+      # Mailer configuration for email confirmation
+      GITEA__mailer__ENABLED: "true"
+      GITEA__mailer__PROTOCOL: "smtps"
+      GITEA__mailer__SMTP_ADDR: "{{ gitea_skudak_smtp_host }}"
+      GITEA__mailer__SMTP_PORT: "{{ gitea_skudak_smtp_port }}"
+      GITEA__mailer__USER: "{{ gitea_skudak_smtp_user }}"
+      GITEA__mailer__PASSWD: "{{ gitea_skudak_smtp_pass }}"
+      GITEA__mailer__FROM: "{{ gitea_skudak_smtp_from }}"
+      # Logging configuration - output to journald for fluent-bit capture
+      GITEA__log__MODE: console
+      GITEA__log__LEVEL: Info
+      GITEA__log__ENABLE_ACCESS_LOG: "true"
+    volumes:
+      - "{{ git_home }}/volumes/gitea-skudak/data:/data"
+      - /etc/localtime:/etc/localtime:ro
+  tags: gitea, gitea-skudak
+
+# Generate systemd service for the pod
+- name: create systemd job for gitea-skudak-pod
+  become: true
+  become_user: "{{ git_user }}"
+  ansible.builtin.shell: |
+    podman generate systemd --name gitea-skudak-pod --files --new
+    mv pod-gitea-skudak-pod.service {{ git_home }}/.config/systemd/user/
+    mv container-gitea-skudak-postgres.service {{ git_home }}/.config/systemd/user/
+    mv container-gitea-skudak.service {{ git_home }}/.config/systemd/user/
+  args:
+    chdir: "{{ git_home }}"
+  changed_when: false
+  tags: gitea, gitea-skudak
+
+- name: enable gitea-skudak-pod service
+  become: true
+  become_user: "{{ git_user }}"
+  ansible.builtin.systemd:
+    name: pod-gitea-skudak-pod.service
+    daemon_reload: true
+    enabled: true
+    state: started
+    scope: user
+  tags: gitea, gitea-skudak

ansible/roles/git/tasks/main.yml

@@ -6,6 +6,7 @@
 - import_tasks: selinux.yml
 - import_tasks: selinux-podman.yml
 - import_tasks: gitea.yml
+- import_tasks: gitea-skudak.yml
 # git-daemon no longer needed - commented out
 # - import_tasks: systemd.yml
 

ansible/roles/git/tasks/podman.yml

@@ -45,9 +45,14 @@
     - "{{ git_home }}/volumes"
     - "{{ git_home }}/volumes/gitea"
     - "{{ git_home }}/volumes/gitea/data"
-    # NOTE: psql directory is created by PostgreSQL container with container user ownership
+    - "{{ git_home }}/volumes/gitea/psql"
+    - "{{ git_home }}/volumes/gitea-skudak"
+    - "{{ git_home }}/volumes/gitea-skudak/data"
+    - "{{ git_home }}/volumes/gitea-skudak/psql"
+  # NOTE: psql directories may already exist with postgres ownership - ignore errors
+  failed_when: false
   notify: restorecon git
-  tags: git, gitea
+  tags: git, gitea, gitea-skudak
 
 # SELinux context for container volumes
 - name: selinux context for git container volumes
@@ -57,7 +62,17 @@
     setype: container_file_t
     state: present
   notify: restorecon git
-  tags: git, gitea, selinux
+  tags: git, gitea, gitea-skudak, selinux
+
+# SELinux context for container storage (images, overlays, etc.)
+- name: selinux context for git container storage
+  become: true
+  community.general.sefcontext:
+    target: "{{ git_home }}/.local/share/containers(/.*)?"
+    setype: container_file_t
+    state: present
+  notify: restorecon git
+  tags: git, gitea, gitea-skudak, selinux
 
 # Enable podman socket for SSH key lookup via AuthorizedKeysCommand
 - name: enable podman socket for git user

ansible/roles/podman/defaults/main.yml

@@ -89,6 +89,11 @@ parts_server_name_io: parts.debyl.io
 photos_server_name_io: photos.debyl.io
 gitea_debyl_server_name: git.debyl.io
 
+# skudak.com domains (migration from skudakrennsport.com)
+bookstack_server_name_new: wiki.skudak.com
+cloud_skudak_server_name_new: cloud.skudak.com
+gitea_skudak_server_name: git.skudak.com
+
 # Legacy nginx/ModSecurity configuration removed - Caddy provides built-in security
 
 # Web server configuration (Caddy is the default)
@@ -144,6 +149,7 @@ caddy_log_names:
   - cloud
   - cloud-skudak
   - gitea-debyl
+  - gitea-skudak
   - fulfillr
 
 # GeoIP configuration for Graylog

ansible/roles/podman/tasks/containers/skudak/cloud.yml

@@ -119,3 +119,14 @@
     insertbefore: '^\);'
     create: false
   failed_when: false
+
+# Add cloud.skudak.com to Nextcloud trusted_domains
+- name: add cloud.skudak.com to nextcloud trusted_domains
+  become: true
+  become_user: "{{ podman_user }}"
+  ansible.builtin.command: >
+    podman exec -u www-data skudak-cloud
+    php occ config:system:set trusted_domains 1 --value="cloud.skudak.com"
+  register: trusted_domain_result
+  changed_when: "'System config value trusted_domains' in trusted_domain_result.stdout"
+  failed_when: false

ansible/roles/podman/tasks/containers/skudak/wiki.yml

@@ -68,7 +68,7 @@
     network:
       - shared
     env:
-      APP_URL: "https://wiki.skudakrennsport.com"
+      APP_URL: "https://wiki.skudak.com"
       APP_KEY: "{{ bookstack_app_key }}"
       DB_HOST: "bookstack-db"
       DB_USERNAME: "bookstack"

ansible/roles/podman/tasks/firewall.yml

@@ -13,6 +13,8 @@
     # web server (Caddy)
     - 80/tcp
     - 443/tcp
+    # Gitea Skudak SSH
+    - 2222/tcp
     # pihole (unused?)
     - 53/tcp
     - 53/udp

ansible/roles/podman/templates/caddy/Caddyfile.j2

@@ -79,8 +79,13 @@
 }
 
 
-# Wiki/BookStack - {{ bookstack_server_name }}
+# Wiki/BookStack - {{ bookstack_server_name }} redirect to new domain
 {{ bookstack_server_name }} {
+	redir https://{{ bookstack_server_name_new }}{uri} 302
+}
+
+# Wiki/BookStack - {{ bookstack_server_name_new }} (new primary domain)
+{{ bookstack_server_name_new }} {
 	import common_headers
 	reverse_proxy localhost:6875
 
@@ -258,8 +263,8 @@
 	}
 }
 
-# Skudak Nextcloud - {{ cloud_skudak_server_name }}
+# Skudak Nextcloud - serve both domains (migration period)
-{{ cloud_skudak_server_name }} {
+{{ cloud_skudak_server_name }}, {{ cloud_skudak_server_name_new }} {
 	request_body {
 		max_size {{ caddy_max_request_body_mb }}MB
 	}
@@ -300,6 +305,20 @@
 	}
 }
 
+# Gitea Skudak - {{ gitea_skudak_server_name }}
+{{ gitea_skudak_server_name }} {
+	import common_headers
+
+	reverse_proxy localhost:3101 {
+		flush_interval -1
+	}
+
+	log {
+		output file /var/log/caddy/gitea-skudak.log
+		format json
+	}
+}
+
 # Fulfillr - {{ fulfillr_server_name }} (Static + API with IP restrictions)
 {{ fulfillr_server_name }} {
 {{ ip_restricted_site() }}