
v0.9.0 — platform leverage & networking

Pre-release

@Partha-dev01 Partha-dev01 released this 23 Jun 13:13

Platform leverage & networking. A git forge, a DNS-over-HTTPS resolver, a bring-your-own reverse-proxy, a userspace mesh VPN, an in-panel app catalog, and an optional fail2ban-style rate-jail on the honeypot — all opt-in (ENABLE_* / RATE_JAIL_MODE, off by default), loopback-bound where they front a service, keeping any database/index/state on ext4.

Added

  • Forgejo (ENABLE_FORGEJO, git.${DOMAIN}) — single-binary git forge; sha256-pinned arm64 binary; HTTP_ADDR=127.0.0.1 + config assert + post-start ss wildcard check; runs as an unprivileged user; SSH/registration/Actions off, INSTALL_LOCK; SQLite WAL + repos on ext4; first admin + secrets generated off-argv. git-HTTP/API/LFS need a CF Access service-token exemption. (docs/FORGEJO.md)
  • AdGuard Home (ENABLE_ADGUARD, dns.${DOMAIN}) — filtering DoH resolver; UI + plain-HTTP DoH (/dns-query) on 127.0.0.1:9129, resolver on 9130; config assert + a post-start ss audit scoped to its own ports. Not a LAN :53 sinkhole; /dns-query needs a CF Access path bypass. (docs/ADGUARD.md)
  • BYO reverse-proxy (ENABLE_PROXY_ROUTES, PROXY_ROUTES) — publish any loopback service on its own subdomain; fail-closed loopback-target gate, injection-guard regex, collision check, authoritative stale-route sweep, fail-closed caddy validate. (docs/PROXY_ROUTES.md)
  • Tailscale (ENABLE_TAILSCALE) — userspace mesh VPN (no TUN/root) that sidesteps CGNAT; SOCKS5 + HTTP proxy on 127.0.0.1:1055; auth key off-argv; GOMEMLIMIT cap. ⚠️ The tailnet bypasses the Cloudflare edge — the tailnet ACL is the only network gate. (docs/TAILSCALE.md)
  • App catalog / module manager (ENABLE_APP_CATALOG) — enable + install a module from the admin panel; fixed in-code allow-list (request value never reaches argv), password re-auth + CSRF, ENABLE_*-only atomic 0600 .env writer, detached installs, secret redaction at the single /logs chokepoint. (docs/ADMIN.md)
  • Honeypot rate-jail (RATE_JAIL_MODE, default off) — fail2ban-style auth-failure-burst detector; enforce reuses the existing triple-gated cf_block (degrades safely to alert-only without the blocking opt-in). (docs/HONEYPOT.md)
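The rate-jail item above describes an auth-failure-burst detector with two modes: alert-only, and enforce, which falls back to alert-only when the blocking opt-in is absent. The block below is an added, stand-alone sketch of that sliding-window logic, not code from this project. The log format (`<ISO-8601 timestamp> <client-ip> <event> <user>`), the threshold and window values, and the `blocker` callable standing in for the project's `cf_block` are all constructed for the example; the sample log lines are likewise made up.

```python
"""Sliding-window auth-failure burst detector (illustrative, not the project's code).

Assumed, constructed log format: "<ISO-8601 ts> <client-ip> <event> <user>".
Modes: "off" (default), "alert" (report only), "enforce" (report and call the
blocker). With no blocker configured, "enforce" degrades to alert-only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failures per source within WINDOW -> jail
WINDOW = timedelta(seconds=60)   # constructed values, not the project's defaults


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, event)."""
    ts_s, ip, event, *_ = line.split()
    return datetime.fromisoformat(ts_s), ip, event


class RateJail:
    def __init__(self, mode="off", threshold=THRESHOLD, window=WINDOW, blocker=None):
        if mode not in ("off", "alert", "enforce"):
            raise ValueError(f"unknown RATE_JAIL_MODE: {mode}")
        self.mode = mode
        self.threshold = threshold
        self.window = window
        self.blocker = blocker            # callable(ip) -> bool; None = blocking opt-in absent
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.jailed = set()
        self.alerts = []                  # (ip, timestamp) of each detection
        self.blocked = []                 # ips the blocker accepted

    def feed(self, line):
        """Process one line; return "blocked", "alert" or None."""
        ts, ip, event = parse_line(line)
        if self.mode == "off" or event != "auth_failure":
            return None
        q = self.failures[ip]
        q.append(ts)
        # Drop failures that fell out of the window (lines are assumed in time order).
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) < self.threshold or ip in self.jailed:
            return None
        self.jailed.add(ip)               # one detection per source until released
        self.alerts.append((ip, ts))
        if self.mode == "enforce" and self.blocker is not None and self.blocker(ip):
            self.blocked.append(ip)
            return "blocked"
        return "alert"                    # enforce without a blocker degrades to alert


# Constructed sample: 203.0.113.7 fails five times in 45 s; 198.51.100.9 fails twice, far apart.
SAMPLE_LOG = [
    "2025-06-23T13:00:00 203.0.113.7 auth_failure admin",
    "2025-06-23T13:00:05 203.0.113.7 auth_failure admin",
    "2025-06-23T13:00:09 198.51.100.9 auth_failure root",
    "2025-06-23T13:00:12 203.0.113.7 auth_failure root",
    "2025-06-23T13:00:20 203.0.113.7 auth_success admin",
    "2025-06-23T13:00:31 203.0.113.7 auth_failure admin",
    "2025-06-23T13:00:45 203.0.113.7 auth_failure admin",
    "2025-06-23T13:02:30 198.51.100.9 auth_failure root",
]


def run(mode, blocker=None, lines=SAMPLE_LOG):
    """Feed the sample log through a RateJail and return it for inspection."""
    jail = RateJail(mode=mode, blocker=blocker)
    for line in lines:
        jail.feed(line)
    return jail


if __name__ == "__main__":
    for mode, blocker in (("alert", None), ("enforce", None), ("enforce", lambda ip: True)):
        j = run(mode, blocker)
        print(f"mode={mode} blocker={'yes' if blocker else 'no'} "
              f"alerts={[ip for ip, _ in j.alerts]} blocked={j.blocked}")
```

The detection fires once per source when the fifth failure lands inside the window; successes are ignored, and the second source never reaches the threshold because its two failures are more than a window apart.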

Validation

Verified against the real pinned arm64 binaries under qemu-aarch64: Forgejo boot + /api/healthz + admin-create flags; AdGuard boot + wizard-skip + plain-HTTP /dns-query + scoped loopback audit; Tailscale rootless userspace bring-up + up-flag validation; and caddy validate of all new vhosts. Live tailnet join, CF Access exemptions, and on-device first-run flows remain operator-owed.
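Several items above end with a post-start `ss` check that the service bound only loopback, scoped to the service's own ports so that unrelated listeners do not trip it. The block below is an added example of such an audit, not the project's script. The `ss -ltnp` output it parses is constructed (process names, pids and fds are made up, and `example-svc` on port 9131 is a hypothetical service), and unparseable addresses are treated as violations so the check fails closed.

```python
"""Scoped loopback-bind audit over `ss -ltnp` output (illustrative, not the project's script)."""
import ipaddress
import re

# Constructed sample of `ss -ltnp` output; pids, fds and the 9131 listener are made up.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:9129      0.0.0.0:*         users:(("AdGuardHome",pid=2231,fd=9))
LISTEN 0      4096   127.0.0.1:9130      0.0.0.0:*         users:(("AdGuardHome",pid=2231,fd=10))
LISTEN 0      4096   [::1]:9129          [::]:*            users:(("AdGuardHome",pid=2231,fd=11))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=811,fd=3))
LISTEN 0      4096   *:9131              *:*               users:(("example-svc",pid=2410,fd=7))
"""

# State Recv-Q Send-Q Local:Port Peer:Port [Process]; the last ':' before digits splits address/port.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")


def parse_listeners(ss_output):
    """Return (local_addr, port, process) for every LISTEN row; header lines are skipped."""
    rows = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            addr, port, proc = m.groups()
            rows.append((addr, int(port), proc))
    return rows


def is_loopback(addr):
    """True only for 127.0.0.0/8 or ::1; '*' and anything unparseable count as not loopback."""
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return False


def audit(ss_output, ports):
    """Listeners on the audited ports whose local address is not loopback (empty list = pass).

    Only `ports` are inspected, so a wildcard-bound listener elsewhere (e.g. sshd on 22)
    does not fail a service's own audit.
    """
    return [(addr, port, proc) for addr, port, proc in parse_listeners(ss_output)
            if port in ports and not is_loopback(addr)]


if __name__ == "__main__":
    for name, ports in (("adguard-like", {9129, 9130}), ("example-svc", {9131})):
        bad = audit(SAMPLE_SS, ports)
        print(f"{name}: {'OK' if not bad else 'FAIL ' + str([(a, p) for a, p, _ in bad])}")
```

On a real host the input would come from `subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout`; the audit is kept pure here so it runs offline against the constructed sample.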

Pre-release. Interfaces may still change before 1.0.