# VPS and DNS Setup for MakerFLOSS

This page documents the technical infrastructure behind MakerFLOSS — including our VPS server and DNS management. The setup is managed via the Ansible project [AnsibleBaobabV4](https://forgejo.nyumbani.baobab.band/sjat/AnsibleBaobabV4).

---

## VPS Server

### Overview

| Field       | Value               |
|-------------|---------------------|
| Hostname    | `makerfloss`        |
| IP address  | `88.99.32.236`      |
| SSH port    | `7576`              |
| Role        | Forgejo git forge   |
| Description | "Forgejo git forge" |

### Services

The server runs the following services via Docker:

- **Forgejo** — self-hosted git forge, available at `https://forgejo.makerfloss.eu`
- **Traefik** — reverse proxy with automatic TLS certificates via Let's Encrypt
- **Node Exporter** — Prometheus metrics (port 9100)

### Firewall Rules

| Port | Protocol | Purpose                           |
|------|----------|-----------------------------------|
| 80   | TCP      | Traefik HTTP (redirects to HTTPS) |
| 443  | TCP      | Traefik HTTPS                     |
| 7577 | TCP      | Forgejo SSH (git over SSH)        |
| 9100 | TCP      | Node Exporter metrics             |

### Forgejo Configuration

| Field             | Value                           |
|-------------------|---------------------------------|
| Domain            | `forgejo.makerfloss.eu`         |
| Root URL          | `https://forgejo.makerfloss.eu` |
| SSH domain        | `forgejo.makerfloss.eu`         |
| SSH port          | `7577`                          |
| Open registration | Yes (for now)                   |

### Current Limitations

- **WireGuard** is not configured yet — the server is isolated from the internal network.
- **Backup** is disabled, as the backup server (`papa`) is unreachable without a WireGuard tunnel.
- **Centralised logging** is disabled for the same reason (Loki on `tembo` is unreachable).

---

## DNS Management

### Registrar and DNS Provider

The domain `makerfloss.eu` is registered and managed via **[Gandi.net](https://www.gandi.net)**. The Gandi LiveDNS API is used for declarative DNS management via the Ansible role `baobab.gandi_dns`.

### DNS Records

These records are managed automatically by Ansible and must not be edited manually in the Gandi panel:

| Name      | Type  | TTL  | Value            | Purpose           |
|-----------|-------|------|------------------|-------------------|
| `@`       | A     | 300  | `88.99.32.236`   | Apex domain → VPS |
| `forgejo` | A     | 300  | `88.99.32.236`   | Forgejo git forge |
| `www`     | CNAME | 3600 | `makerfloss.eu.` | www → apex        |

### TLS Certificates

Traefik automatically manages TLS certificates via **Let's Encrypt** using the DNS-01 challenge:

- **DNS provider**: Gandi (`gandiv5` via lego)
- **Certificate resolver**: `letsencrypt`
- **Wildcard**: `makerfloss.eu` and `*.makerfloss.eu`
- **ACME email**: `sjat+letsbaobab@ziethen.dk`

### Updating DNS Records

DNS records are updated by running the DNS playbook in AnsibleBaobabV4:

```bash
ansible-playbook play_dns.yml --limit makerfloss
```

Always change records in `host_vars/makerfloss.yml` (under `gandi_dns_records`) — never directly in the Gandi panel.

---

## Access

### SSH

```bash
ssh -p 7576 sjat@88.99.32.236
```

### Git (via Forgejo)

```bash
git clone ssh://git@forgejo.makerfloss.eu:7577//.git
```

---

## Infrastructure Code

All configuration lives in the Ansible project `AnsibleBaobabV4`:

| File/directory             | Contents                               |
|----------------------------|----------------------------------------|
| `host_vars/makerfloss.yml` | All host-specific configuration        |
| `play_dns.yml`             | Playbook for DNS management            |
| `play_containers.yml`      | Playbook for container deployment      |
| `roles/baobab.gandi_dns/`  | Ansible role for Gandi LiveDNS         |
| `roles/baobab.traefik/`    | Ansible role for Traefik reverse proxy |
| `roles/baobab.forgejo/`    | Ansible role for Forgejo git forge     |
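Because the DNS records above are declared in Ansible and must never be edited by hand, it is worth checking periodically that the live zone still matches the table. The following drift check is an added example, not part of AnsibleBaobabV4 or the `baobab.gandi_dns` role; it parses `dig +noall +answer` output and reports any record that is missing, changed, or unexpected. The `dig` sample it runs on is constructed (the repointed `forgejo` address and the `old` record are invented to show what a finding looks like).

```python
"""Drift check for the makerfloss.eu records documented on this page: parse
`dig +noall +answer` output and compare it with the declared Ansible-managed
records. Any difference means a manual Gandi-panel edit (which the page
forbids) or a tampered zone. Constructed sample data, no network access."""

# Expected state, transcribed from the DNS Records table: (name, type) -> (TTL, values).
EXPECTED = {
    ("makerfloss.eu.", "A"): (300, {"88.99.32.236"}),
    ("forgejo.makerfloss.eu.", "A"): (300, {"88.99.32.236"}),
    ("www.makerfloss.eu.", "CNAME"): (3600, {"makerfloss.eu."}),
}

def parse_dig_answer(text):
    """Parse dig answer lines '<name> <ttl> IN <type> <rdata>' into the EXPECTED shape."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank line, comment or something that is not a resource record
        key, ttl, rdata = (parts[0], parts[3]), int(parts[1]), " ".join(parts[4:])
        old_ttl, values = records.get(key, (ttl, set()))
        values.add(rdata)
        records[key] = (min(old_ttl, ttl), values)  # an RRset shares one TTL; keep the lowest seen
    return records

def diff_records(expected, observed):
    """Return sorted (problem, name, type, detail) tuples; an empty list means no drift."""
    findings = []
    for (name, rtype), (ttl, values) in expected.items():
        if (name, rtype) not in observed:
            findings.append(("missing", name, rtype, f"expected {sorted(values)}"))
            continue
        obs_ttl, obs_values = observed[(name, rtype)]
        if obs_values != values:
            findings.append(("value", name, rtype, f"expected {sorted(values)}, got {sorted(obs_values)}"))
        if obs_ttl != ttl:
            findings.append(("ttl", name, rtype, f"expected {ttl}, got {obs_ttl}"))
    for (name, rtype), (_, obs_values) in observed.items():
        if (name, rtype) not in expected:
            findings.append(("unexpected", name, rtype, f"got {sorted(obs_values)}"))
    return sorted(findings)

# Constructed dig output (not a real lookup): forgejo repointed to an RFC 5737 address, plus a stray record.
SAMPLE_DIG = """\
makerfloss.eu.\t\t300\tIN\tA\t88.99.32.236
forgejo.makerfloss.eu.\t300\tIN\tA\t203.0.113.7
www.makerfloss.eu.\t3600\tIN\tCNAME\tmakerfloss.eu.
old.makerfloss.eu.\t300\tIN\tA\t203.0.113.8
"""
```

On the sample it reports one `value` finding for `forgejo.makerfloss.eu.` and one `unexpected` finding for `old.makerfloss.eu.`; feeding it real `dig` output for the three names should return an empty list.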