v0.9.0 — platform leverage & networking
Platform leverage & networking. A git forge, a DNS-over-HTTPS resolver, a bring-your-own reverse-proxy, a userspace mesh VPN, an in-panel app catalog, and an optional fail2ban-style rate-jail on the honeypot — all opt-in (`ENABLE_*` / `RATE_JAIL_MODE`, off by default), loopback-bound where they front a service, keeping any database/index/state on ext4.
Added
- Forgejo (`ENABLE_FORGEJO`, `git.${DOMAIN}`) — single-binary git forge; sha256-pinned arm64 binary; `HTTP_ADDR=127.0.0.1` + config assert + post-start `ss` wildcard check; runs as an unprivileged user; SSH/registration/Actions off, `INSTALL_LOCK`; SQLite WAL + repos on ext4; first admin + secrets generated off-argv. git-HTTP/API/LFS need a CF Access service-token exemption. (docs/FORGEJO.md)
- AdGuard Home (`ENABLE_ADGUARD`, `dns.${DOMAIN}`) — filtering DoH resolver; UI + plain-HTTP DoH (`/dns-query`) on `127.0.0.1:9129`, resolver on `9130`; config assert + a post-start `ss` audit scoped to its own ports. Not a LAN `:53` sinkhole; `/dns-query` needs a CF Access path bypass. (docs/ADGUARD.md)
- BYO reverse-proxy (`ENABLE_PROXY_ROUTES`, `PROXY_ROUTES`) — publish any loopback service on its own subdomain; fail-closed loopback-target gate, injection-guard regex, collision check, authoritative stale-route sweep, fail-closed `caddy validate`. (docs/PROXY_ROUTES.md)
- Tailscale (`ENABLE_TAILSCALE`) — userspace mesh VPN (no TUN/root) that sidesteps CGNAT; SOCKS5 + HTTP proxy on `127.0.0.1:1055`; auth key off-argv; `GOMEMLIMIT` cap. ⚠️ The tailnet bypasses the Cloudflare edge — the tailnet ACL is the only network gate. (docs/TAILSCALE.md)
- App catalog / module manager (`ENABLE_APP_CATALOG`) — enable + install a module from the admin panel; fixed in-code allow-list (request value never reaches argv), password re-auth + CSRF, `ENABLE_*`-only atomic `0600` `.env` writer, detached installs, secret redaction at the single `/logs` chokepoint. (docs/ADMIN.md)
- Honeypot rate-jail (`RATE_JAIL_MODE`, default `off`) — fail2ban-style auth-failure-burst detector; `enforce` reuses the existing triple-gated `cf_block` (degrades safely to alert-only without the blocking opt-in). (docs/HONEYPOT.md)
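As an added illustration of the BYO reverse-proxy gate described above (example code, not the project's own `PROXY_ROUTES` parser): a fail-closed validator that applies the loopback-target gate, the injection-guard label regex and the collision check before any route could reach a generated Caddyfile. It assumes `PROXY_ROUTES` is a space-separated list of `subdomain=host:port` entries and that `git` and `dns` are the built-in subdomains to collide against; both are assumptions.

```shell
# Added example, not the project's own code. A fail-closed gate for a
# PROXY_ROUTES value, mirroring the checks named in the release notes.
# Assumed format: space-separated "subdomain=host:port" entries.

# Subdomains already taken by built-in modules (assumed list; a real
# collision check would derive this from the enabled ENABLE_* flags).
RESERVED_SUBS="git dns"

validate_proxy_routes() (
  set -f                       # no globbing while word-splitting the value
  routes=$1 seen=" "
  [ -n "$routes" ] || { echo "PROXY_ROUTES is empty" >&2; return 1; }
  for entry in $routes; do
    case "$entry" in *=*) ;; *) echo "malformed entry: $entry" >&2; return 1;; esac
    sub=${entry%%=*}; target=${entry#*=}
    # Injection guard: exactly one RFC 1123 label. Braces, spaces, slashes
    # or newlines could break out of the generated Caddyfile site block,
    # so any bad label rejects the whole set (fail closed, no partial apply).
    printf '%s' "$sub" | grep -Eq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$' \
      || { echo "bad subdomain label: $sub" >&2; return 1; }
    host=${target%:*}; port=${target##*:}
    # Loopback-target gate: only 127.0.0.1, localhost or [::1] may be
    # published; a LAN or wildcard address would expose it past the edge.
    case "$host" in 127.0.0.1|localhost|'[::1]') ;;
      *) echo "non-loopback target for $sub: $host" >&2; return 1;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port for $sub: '$port'" >&2; return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] \
      || { echo "port out of range for $sub: $port" >&2; return 1; }
    # Collision check: no duplicate labels, none shadowing a built-in vhost.
    for r in $RESERVED_SUBS; do
      [ "$sub" != "$r" ] || { echo "collides with built-in vhost: $sub" >&2; return 1; }
    done
    case "$seen" in *" $sub "*) echo "duplicate subdomain: $sub" >&2; return 1;; esac
    seen="$seen$sub "
  done
  return 0
)
```

The function returns 0 only when every entry passes every check; a single bad entry rejects the whole value, which is what lets a caller run it before touching the live Caddy config.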
Validation
Verified against the real pinned arm64 binaries under qemu-aarch64: Forgejo boot + /api/healthz + admin-create flags; AdGuard boot + wizard-skip + plain-HTTP /dns-query + scoped loopback audit; Tailscale rootless userspace bring-up + up-flag validation; and caddy validate of all new vhosts. Live tailnet join, CF Access exemptions, and on-device first-run flows remain operator-owed.
Pre-release. Interfaces may still change before 1.0.