MakerFLOSS/docs/infrastructure/vps-and-dns.md
sjat 16f56fd961
docs: standardise filenames to ASCII kebab-case + ISO date prefix
Adopt one filename convention everywhere except hardware host pages
(those are pinned to their hostnames by the index validator):

  - ASCII lowercase
  - kebab-case word separator
  - dated docs: YYYY-MM-DD-label.md (hyphen between date and label)
  - English regardless of content language

Renames:
  docs/makerFLOSS_house_rules.md                        -> docs/house-rules.md
  docs/infrastruktur/                                   -> docs/infrastructure/
  docs/infrastructure/vps-og-dns.md                     -> docs/infrastructure/vps-and-dns.md
  docs/presentations/2026-05-11_messaging.md            -> docs/presentations/2026-05-11-messaging.md
  docs/presentations/2026-05-11_SoMe-taxonomi.md        -> docs/presentations/2026-05-11-social-media-taxonomy.md
  notes/todo/2026-04-14_todo.md                         -> notes/todo/2026-04-14-todo.md
  notes/todo/OM_services.md                             -> notes/todo/om-services.md
  notes/todo/indkøbsliste.md                            -> notes/todo/wishlist.md
  notes/communications/2026-03-16_facebookpost.md       -> notes/communications/2026-03-16-facebook-post.md

Other touches:
- Document the convention in CLAUDE.md under Working Norms.
- Refresh the stale Repository Structure block in CLAUDE.md to reflect
  the docs/ vs notes/ split introduced in f6d589e.
- Update the House rules link in docs/index.md and the nav entry in
  mkdocs.yml to the new house-rules.md path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 17:07:26 +02:00


# VPS and DNS Setup for MakerFLOSS
This page documents the technical infrastructure behind MakerFLOSS — including our VPS server and DNS management. The setup is managed via the Ansible project [AnsibleBaobabV4](https://forgejo.nyumbani.baobab.band/sjat/AnsibleBaobabV4).

---
## VPS Server

### Overview

| Field | Value |
|-------------|-----------------|
| Hostname | `makerfloss` |
| IP address | `88.99.32.236` |
| SSH port | `7576` |
| Role | Forgejo git forge |
| Description | "Forgejo git forge" |

### Services

The server runs the following services via Docker:

- **Forgejo** — self-hosted git forge, available at `https://forgejo.makerfloss.eu`
- **Traefik** — reverse proxy with automatic TLS certificates via Let's Encrypt
- **Node Exporter** — Prometheus metrics (port 9100)

### Firewall Rules

| Port | Protocol | Purpose |
|------|----------|--------------------------------------|
| 80 | TCP | Traefik HTTP (redirects to HTTPS) |
| 443 | TCP | Traefik HTTPS |
| 7577 | TCP | Forgejo SSH (git over SSH) |
| 9100 | TCP | Node Exporter metrics |

### Forgejo Configuration

| Field | Value |
|-------------------|---------------------------------|
| Domain | `forgejo.makerfloss.eu` |
| Root URL | `https://forgejo.makerfloss.eu` |
| SSH domain | `forgejo.makerfloss.eu` |
| SSH port | `7577` |
| Open registration | Yes (for now) |

### Current Limitations

- **WireGuard** is not configured yet — the server is isolated from the internal network.
- **Backup** is disabled, as the backup server (`papa`) is unreachable without a WireGuard tunnel.
- **Centralised logging** is disabled for the same reason (Loki on `tembo` is unreachable).

---
## DNS Management

### Registrar and DNS Provider

The domain `makerfloss.eu` is registered and managed via **[Gandi.net](https://www.gandi.net)**.

The Gandi LiveDNS API is used for declarative DNS management via the Ansible role `baobab.gandi_dns`.

### DNS Records

These records are managed automatically by Ansible and must not be edited manually in the Gandi panel:

| Name | Type | TTL | Value | Purpose |
|-----------|-------|------|------------------|----------------------|
| `@` | A | 300 | `88.99.32.236` | Apex domain → VPS |
| `forgejo` | A | 300 | `88.99.32.236` | Forgejo git forge |
| `www` | CNAME | 3600 | `makerfloss.eu.` | www → apex |

### TLS Certificates

Traefik automatically manages TLS certificates via **Let's Encrypt** using the DNS-01 challenge:

- **DNS provider**: Gandi (`gandiv5` via lego)
- **Certificate resolver**: `letsencrypt`
- **Wildcard**: `makerfloss.eu` and `*.makerfloss.eu`
- **ACME email**: `sjat+letsbaobab@ziethen.dk`
### Updating DNS Records

DNS records are updated by running the DNS playbook in AnsibleBaobabV4:

```bash
ansible-playbook play_dns.yml --limit makerfloss
```

Always change records in `host_vars/makerfloss.yml` (under `gandi_dns_records`) — never directly in the Gandi panel.
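
Because the zone is declared in `host_vars` and hand edits in the panel are forbidden, the useful operator check is a drift comparison between what is declared and what the zone actually answers. The block below is an added example, not code from AnsibleBaobabV4: the flat name/type/ttl/value record layout mirrors the table above and is an assumption about how `gandi_dns_records` is structured, and the observed answers are constructed inline rather than fetched from a resolver.

```python
"""Drift check: declared DNS records vs. what the zone actually serves.

Added example. Record layout (name/type/ttl/value) is an assumption that
mirrors the DNS Records table; plug a real resolver's answers into
`observed` to use it for real.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    type: str
    ttl: int
    value: str


def normalize(rec: Record) -> tuple:
    """Identity key (name, type, value). Names are lower-cased and the
    trailing dot on CNAME targets is dropped, so 'makerfloss.eu.' in
    host_vars matches 'makerfloss.eu' as a resolver reports it."""
    value = rec.value.lower().rstrip(".") if rec.type.upper() == "CNAME" else rec.value
    return (rec.name.lower(), rec.type.upper(), value)


def find_drift(declared, observed):
    """Return (missing, unexpected, ttl_mismatch): records declared but not
    served, served but not declared, and served with a different TTL."""
    dec = {normalize(r): r for r in declared}
    obs = {normalize(r): r for r in observed}
    missing = sorted(k for k in dec if k not in obs)
    unexpected = sorted(k for k in obs if k not in dec)
    ttl_mismatch = sorted(k for k in dec if k in obs and dec[k].ttl != obs[k].ttl)
    return missing, unexpected, ttl_mismatch


# Declared records, copied from the DNS Records table on this page.
DECLARED = [
    Record("@", "A", 300, "88.99.32.236"),
    Record("forgejo", "A", 300, "88.99.32.236"),
    Record("www", "CNAME", 3600, "makerfloss.eu."),
]

# Constructed resolver answer for the demo: a stray record was added in the
# panel and the www TTL was changed by hand.
OBSERVED_SAMPLE = [
    Record("@", "A", 300, "88.99.32.236"),
    Record("forgejo", "A", 300, "88.99.32.236"),
    Record("www", "CNAME", 300, "makerfloss.eu"),
    Record("test", "A", 300, "203.0.113.10"),  # not in host_vars
]

if __name__ == "__main__":
    for label, items in zip(("missing", "unexpected", "ttl_mismatch"),
                            find_drift(DECLARED, OBSERVED_SAMPLE)):
        print(label, items)
```

Any non-empty result means the panel and `host_vars/makerfloss.yml` have diverged; re-running the playbook restores the declared state.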

---
## Access
### SSH
```bash
ssh -p 7576 sjat@88.99.32.236
```
### Git (via Forgejo)
```bash
git clone ssh://git@forgejo.makerfloss.eu:7577/<user>/<repo>.git
```
---
## Infrastructure Code

All configuration lives in the Ansible project `AnsibleBaobabV4`:

| File/directory | Contents |
|----------------------------|---------------------------------------|
| `host_vars/makerfloss.yml` | All host-specific configuration |
| `play_dns.yml` | Playbook for DNS management |
| `play_containers.yml` | Playbook for container deployment |
| `roles/baobab.gandi_dns/` | Ansible role for Gandi LiveDNS |
| `roles/baobab.traefik/` | Ansible role for Traefik reverse proxy |
| `roles/baobab.forgejo/` | Ansible role for Forgejo git forge |