Provisioning and configuration for C-Forge infrastructure
| .forgejo/workflows | init | |
| automation | refactor folder names | |
| config/os | init | |
| containers | update labels | |
| docs/wiki | init | |
| pipelines | refactor folder names | |
| scripts | update script file extensions | |
| terraform | init | |
| tests/appdata | init | |
| .gitignore | init | |
| .python-version | init | |
| .yamllint | init | |
| pyproject.toml | init | |
| README.md | init | |
c-forge/infrastructure
Shared infrastructure-as-code supporting C-Forge operations
Provision and manage cloud infrastructure and applications with Ansible, OpenTofu, and Podman containers. This project is designed to be a flexible infrastructure distribution, deployable in full or in parts on any GNU/Linux-based machine(s); each implementation is packaged modularly to enable composable deployments of only the software and configuration required for a given scenario.
Core Features
- Podman rootless containers: No root daemons, no privileged containers
- Compose for services: Declarative, portable, version-controlled
- Ansible for provisioning: Idempotent system configurations
- OpenTofu for cloud resources: Hostinger VPS, Cloudflare DNS/Workers/R2/Tunnels
- Bitwarden Secrets Manager: Secure secrets retrieval with .env fallback for testing
- Dagger testing: Ephemeral container validation and Ansible testing
- Full observability stack: Grafana, Prometheus, Loki, Alertmanager with automated dashboards
Structure
infrastructure/
├── ansible/ # VPS provisioning
│ ├── playbooks/
│ │ └── vps-base.yml # Hardening + Podman + /appdata setup
│ ├── roles/
│ │ ├── hardening/ # UFW, fail2ban, SSH, sysctl
│ │ ├── podman/ # Rootless Podman + quadlet
│ │ ├── appdata/ # /appdata directory setup
│ │ └── secrets/ # Bitwarden Secrets Manager + .env fallback
│ └── inventories/
│ └── production/
├── containers/ # Container stack definitions
│ └── stacks/
│ ├── monitoring/ # Grafana, Prometheus, Loki, Alertmanager
│ ├── freshrss/ # RSS feed aggregator
│ ├── adguardhome/ # DNS ad blocker
│ ├── windmill/ # Workflow automation
│ ├── forgejo/ # Git hosting
│ ├── forgejo-runner/ # CI/CD runner
│ ├── jellyfin/ # Media server
│ ├── opengist/ # Pastebin/gist service
│ └── lldap/ # LDAP authentication
├── scripts/ # Operational helpers
├── dagger/ # Testing harness with Dagger
├── docs/ # Documentation and runbooks
├── terraform/ # OpenTofu/Terraform configuration
│ ├── environments/
│ │ └── production/ # Production resources
│ └── modules/
│ ├── hostinger-vps/ # Hostinger VPS management
│ ├── cloudflare-dns/ # DNS zones and records
│ ├── cloudflare-tunnel/ # Zero-trust tunnels
│ ├── cloudflare-workers/ # Edge functions
│ ├── cloudflare-pages/ # Static site deployments
│ └── cloudflare-r2/ # Object storage
├── scripts/ # Operational helpers
└── docs/
├── runbooks/
└── decisions/
Security Model
Podman Rootless
All containers run without root privileges:
- User namespaces: Container root (UID 0) maps to unprivileged host UID
- No daemon: Podman is daemonless; no persistent root process
- Rootless networking: Uses slirp4netns or pasta, no CAP_NET_ADMIN
- No privileged containers: Not possible in rootless mode
Network Isolation
- UFW denies all inbound by default
- Services bind to localhost; Cloudflare Tunnel for external access
- Podman pods for inter-container communication
Defense in Depth
- fail2ban for SSH brute-force protection
- Automatic security updates (unattended-upgrades)
- SSH hardened (key-only, no root)
- Kernel hardening via sysctl