Remove public Gitea NodePort side door
All checks were successful
Forge Runner Smoke / compatibility-smoke (push) Successful in 0s

2026-06-14 02:26:59 +02:00
parent a1b55776fa
commit 9c4b400cb6
9 changed files with 124 additions and 9 deletions

View File

@@ -80,7 +80,7 @@ Observed on 2026-06-07:
| live runner process | PID `5911` after activation |
| registration file | `/root/.runner`, mode `0644`, owner `root:root` |
| registration name | `haskelseed` |
| registration address | `http://92.205.130.254:32166` |
| historical registration address | `http://92.205.130.254:32166` before the public NodePort was retired under `FORGE-WP-0005` |
| registration labels before activation | `haskelseed:host`, `linux:host`, `x86_64:host` |
| registration labels after activation | `self-hosted:host`, `haskelseed:host`, `linux:host`, `linux_amd64:host`, `x86_64:host`, `container-build:host`, `registry-publish:host` |
| ephemeral | `false` |
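Review bot: the `registration address` row is replaced by a `historical registration address` row, so the table no longer states what the live runner (PID `5911`) is currently registered against. Retiring the NodePort the runner was registered to also implies a re-registration against `https://gitea.coulomb.social/`, which the table does not record; keep a current `registration address` row (or state that re-registration is pending) beside the historical one so the observed state stays complete.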
@@ -146,8 +146,8 @@ Run from an operator host with registry access:
```bash
for tag in 91037a4 ae9e497 fa96fb8 7cc3173 latest; do
skopeo inspect --tls-verify=false \
"docker://92.205.130.254:32166/coulomb/inter-hub:${tag}" \
skopeo inspect \
"docker://gitea.coulomb.social/coulomb/inter-hub:${tag}" \
--format "${tag} {{.Name}} {{.Digest}}"
done
```
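Review bot: dropping `--tls-verify=false` together with the raw IP is the right change, but the loop now targets the HTTPS host whose `/v2` route answers with an authentication challenge, and neither the snippet nor the "operator host with registry access" lead-in says how that access is established. State whether `coulomb/inter-hub` is readable without credentials or whether a `skopeo login gitea.coulomb.social` (or an `--authfile`/`--creds` option on `skopeo inspect`) must precede the loop; otherwise the inspect calls return an unauthorized error and the digest check cannot be run as written.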

View File

@@ -10,6 +10,8 @@ Use `gitea.coulomb.social` as the approved forge and registry host. The public
ingress serves the Gitea web route at `https://gitea.coulomb.social/`, the OCI
registry route at `/v2`, and the Python package route at `/api/packages`. The
`/v2` route returns the OCI registry authentication challenge over HTTPS.
Do not use raw node IP HTTP ports for web or registry traffic; the Gitea HTTP
Service is internal-only and the public standard is the HTTPS host.
Registry-specific Gitea settings are carried in
`helm/gitea-registry-values.yaml`, a non-secret overlay applied after the SOPS
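Review bot: "the Gitea HTTP Service is internal-only" is asserted without saying what makes it so or how to confirm it. Name the Service type the manifests now set (ClusterIP rather than NodePort) and add a one-line check such as `kubectl get svc -n <gitea-namespace>` showing no NodePort assigned, so a reader can verify the claim against the cluster instead of trusting the text.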

View File

@@ -17,6 +17,7 @@ reconcile the Gitea Helm release with `helm/gitea-registry-values.yaml` so
Status on 2026-06-13: the root web route returns `200`, live `ROOT_URL` is
`https://gitea.coulomb.social/`, and package artifact links render HTTPS URLs.
Raw node IP HTTP access is not a supported package or web entry point.
## Python Packages
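Review bot: the added sentence states policy, but the dated status line just above it (2026-06-13) predates this change and records only the positive HTTPS checks. Add a status entry for the NodePort removal itself, with its date and the observation that `http://<node-ip>:<gitea-nodeport>/` now refuses connections, so the document records that the side door is closed rather than only that it is unsupported.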

View File

@@ -57,6 +57,10 @@ curl -i https://gitea.coulomb.social/v2/
curl -i https://gitea.coulomb.social/api/packages/coulomb/pypi/simple/
```
The raw node IP HTTP NodePort is intentionally not part of the public health
surface. Treat any reachable `http://<node-ip>:<gitea-nodeport>/` web route as
a regression to close, not as an alternate supported endpoint.
Git SSH:
- If a Git SSH endpoint is published, verify it with a read-only `git ls-remote`
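Review bot: the health-check section gains a rule (a reachable NodePort is a regression) but no check that would detect it, while each HTTPS route gets its own `curl -i` line. Add the negative probe beside them, e.g. `curl -sS -m 5 -o /dev/null http://<node-ip>:<gitea-nodeport>/` with the expected outcome being a connection failure, and say which node IPs to probe (or where the list lives); otherwise the regression this rule describes is only ever found by accident.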