docs: updated todo

docs/infrastruktur/vps-og-dns.md

@@ -0,0 +1,120 @@
+# VPS and DNS Setup for MakerFLOSS
+
+This page documents the technical infrastructure behind MakerFLOSS — including our VPS server and DNS management. The setup is managed via the Ansible project [AnsibleBaobabV4](https://forgejo.nyumbani.baobab.band/sjat/AnsibleBaobabV4).
+
+---
+
+## VPS Server
+
+### Overview
+
+| Field       | Value           |
+|-------------|-----------------|
+| Hostname    | `makerfloss`    |
+| IP address  | `88.99.32.236`  |
+| SSH port    | `7576`          |
+| Role        | Forgejo git forge |
+| Description | "Forgejo git forge" |
+
+### Services
+
+The server runs the following services via Docker:
+
+- **Forgejo** — self-hosted git forge, available at `https://forgejo.makerfloss.eu`
+- **Traefik** — reverse proxy with automatic TLS certificates via Let's Encrypt
+- **Node Exporter** — Prometheus metrics (port 9100)
+
+### Firewall Rules
+
+| Port | Protocol | Purpose                              |
+|------|----------|--------------------------------------|
+| 80   | TCP      | Traefik HTTP (redirects to HTTPS)    |
+| 443  | TCP      | Traefik HTTPS                        |
+| 7577 | TCP      | Forgejo SSH (git over SSH)           |
+| 9100 | TCP      | Node Exporter metrics                |
+
+### Forgejo Configuration
+
+| Field             | Value                           |
+|-------------------|---------------------------------|
+| Domain            | `forgejo.makerfloss.eu`         |
+| Root URL          | `https://forgejo.makerfloss.eu` |
+| SSH domain        | `forgejo.makerfloss.eu`         |
+| SSH port          | `7577`                          |
+| Open registration | Yes (for now)                   |
+
+### Current Limitations
+
+- **WireGuard** is not configured yet — the server is isolated from the internal network.
+- **Backup** is disabled, as the backup server (`papa`) is unreachable without a WireGuard tunnel.
+- **Centralised logging** is disabled for the same reason (Loki on `tembo` is unreachable).
+
+---
+
+## DNS Management
+
+### Registrar and DNS Provider
+
+The domain `makerfloss.eu` is registered and managed via **[Gandi.net](https://www.gandi.net)**.
+
+The Gandi LiveDNS API is used for declarative DNS management via the Ansible role `baobab.gandi_dns`.
+
+### DNS Records
+
+These records are managed automatically by Ansible and must not be edited manually in the Gandi panel:
+
+| Name      | Type  | TTL  | Value            | Purpose              |
+|-----------|-------|------|------------------|----------------------|
+| `@`       | A     | 300  | `88.99.32.236`   | Apex domain → VPS    |
+| `forgejo` | A     | 300  | `88.99.32.236`   | Forgejo git forge    |
+| `www`     | CNAME | 3600 | `makerfloss.eu.` | www → apex           |
+
+### TLS Certificates
+
+Traefik automatically manages TLS certificates via **Let's Encrypt** using DNS-01 challenge:
+
+- **DNS provider**: Gandi (`gandiv5` via lego)
+- **Certificate resolver**: `letsencrypt`
+- **Wildcard**: `makerfloss.eu` and `*.makerfloss.eu`
+- **ACME email**: `sjat+letsbaobab@ziethen.dk`
+
+### Updating DNS Records
+
+DNS records are updated by running the DNS playbook in AnsibleBaobabV4:
+
+```bash
+ansible-playbook play_dns.yml --limit makerfloss
+```
+
+Always change records in `host_vars/makerfloss.yml` (under `gandi_dns_records`) — never directly in the Gandi panel.
+
+---
+
+## Access
+
+### SSH
+
+```bash
+ssh -p 7576 sjat@88.99.32.236
+```
+
+### Git (via Forgejo)
+
+```bash
+git clone ssh://git@forgejo.makerfloss.eu:7577/<user>/<repo>.git
+```
+
+---
+
+## Infrastructure Code
+
+All configuration lives in the Ansible project `AnsibleBaobabV4`:
+
+| File/directory             | Contents                              |
+|----------------------------|---------------------------------------|
+| `host_vars/makerfloss.yml` | All host-specific configuration       |
+| `play_dns.yml`             | Playbook for DNS management           |
+| `play_containers.yml`      | Playbook for container deployment     |
+| `roles/baobab.gandi_dns/`  | Ansible role for Gandi LiveDNS        |
+| `roles/baobab.traefik/`    | Ansible role for Traefik reverse proxy |
+| `roles/baobab.forgejo/`    | Ansible role for Forgejo git forge    |

docs/todo/2026-04-14 TODO.md

@@ -0,0 +1,12 @@
+# ToDo:
+
+## makerFLOSS – Working Norms (v0.1)
+
+Language: English for code, docs, commits
+Git: trunk-based, feature branches, simple commit convention
+Environments: containerized, reproducible setups
+Hardware: all setups documented with README + labeled physically
+AI: allowed, but reviewed; no secrets
+Decisions: lightweight markdown decision logs
+Collaboration: open, low-barrier, no gatekeeping
+License: FLOSS by default