c-forge/infra
3
0
Fork
You've already forked infra
0
Provisioning and configuration for C-Forge infrastructure
  • HCL 56.2%
  • Python 24.6%
  • Shell 19.2%
2026年02月15日 15:30:48 -07:00
.forgejo/workflows init 2026年02月09日 17:35:12 -07:00
automation refactor folder names 2026年02月15日 13:32:29 -07:00
config/os init 2026年02月09日 17:35:12 -07:00
containers update labels 2026年02月15日 15:30:48 -07:00
docs/wiki init 2026年02月09日 17:35:12 -07:00
pipelines refactor folder names 2026年02月15日 13:32:29 -07:00
scripts update script file extensions 2026年02月15日 13:18:05 -07:00
terraform init 2026年02月09日 17:35:12 -07:00
tests/appdata init 2026年02月09日 17:35:12 -07:00
.gitignore init 2026年02月09日 17:35:12 -07:00
.python-version init 2026年02月09日 17:35:12 -07:00
.yamllint init 2026年02月09日 17:35:12 -07:00
pyproject.toml init 2026年02月09日 17:35:12 -07:00
README.md init 2026年02月09日 17:35:12 -07:00

c-forge/infrastructure

Shared infrastructure-as-code supporting C-Forge operations

Provision and manage cloud infrastructure and applications with Ansible, OpenTofu, and Podman containers. This project is designed to be a flexible infrastructure distribution, deployable in full or in parts on any GNU/Linux-based machine(s); each implementation is packaged modularly to enable composable deployments of only the software and configuration required for a given scenario.

Core Features

  • Podman rootless containers: No root daemons, no privileged containers
  • Compose for services: Declarative, portable, version-controlled
  • Ansible for provisioning: Idempotent system configurations
  • OpenTofu for cloud resources: Hostinger VPS, Cloudflare DNS/Workers/R2/Tunnels
  • Bitwarden Secrets Manager: Secure secrets retrieval with .env fallback for testing
  • Dagger testing: Ephemeral container validation and Ansible testing
  • Full observability stack: Grafana, Prometheus, Loki, Alertmanager with automated dashboards

Structure

infrastructure/
├── ansible/ # VPS provisioning
│ ├── playbooks/
│ │ └── vps-base.yml # Hardening + Podman + /appdata setup
│ ├── roles/
│ │ ├── hardening/ # UFW, fail2ban, SSH, sysctl
│ │ ├── podman/ # Rootless Podman + quadlet
│ │ ├── appdata/ # /appdata directory setup
│ │ └── secrets/ # Bitwarden Secrets Manager + .env fallback
│ └── inventories/
│ └── production/
├── containers/ # Container stack definitions
│ └── stacks/
│ ├── monitoring/ # Grafana, Prometheus, Loki, Alertmanager
│ ├── freshrss/ # RSS feed aggregator
│ ├── adguardhome/ # DNS ad blocker
│ ├── windmill/ # Workflow automation
│ ├── forgejo/ # Git hosting
│ ├── forgejo-runner/ # CI/CD runner
│ ├── jellyfin/ # Media server
│ ├── opengist/ # Pastebin/gist service
│ └── lldap/ # LDAP authentication
├── scripts/ # Operational helpers
├── dagger/ # Testing harness with Dagger
├── docs/ # Documentation and runbooks
├── terraform/ # OpenTofu/Terraform configuration
│ ├── environments/
│ │ └── production/ # Production resources
│ └── modules/
│ ├── hostinger-vps/ # Hostinger VPS management
│ ├── cloudflare-dns/ # DNS zones and records
│ ├── cloudflare-tunnel/ # Zero-trust tunnels
│ ├── cloudflare-workers/ # Edge functions
│ ├── cloudflare-pages/ # Static site deployments
│ └── cloudflare-r2/ # Object storage
├── scripts/ # Operational helpers
└── docs/
 ├── runbooks/
 └── decisions/

Security Model

Podman Rootless

All containers run without root privileges:

  • User namespaces: Container root (UID 0) maps to unprivileged host UID
  • No daemon: Podman is daemonless; no persistent root process
  • Rootless networking: Uses slirp4netns or pasta, no CAP_NET_ADMIN
  • No privileged containers: Not possible in rootless mode

Network Isolation

  • UFW denies all inbound by default
  • Services bind to localhost; Cloudflare Tunnel for external access
  • Podman pods for inter-container communication

Defense in Depth

  • fail2ban for SSH brute-force protection
  • Automatic security updates (unattended-upgrades)
  • SSH hardened (key-only, no root)
  • Kernel hardening via sysctl