Complete infrastructure deployment including: - Docker Compose templates with 1Password integration (op://) - Caddy reverse proxy configuration for git.terraphim.cloud - Automated deployment script (deploy-to-bigbox.sh) - Comprehensive documentation and deployment article - Network isolation: Public (Gitea) + Tailscale (Prometheus/S3) - Security: No hardcoded secrets, all via 1Password Services deployed: - Gitea 1.22.6 (Git hosting) - PostgreSQL 15 (Database) - SeaweedFS (S3-compatible storage) - Prometheus (Monitoring) Excludes: - docker-compose.yml (contains resolved secrets) - s3_config.json (contains resolved secrets) - Data directories (gitea/, postgres/, seaweedfs/) Refs: Private deployment on bigbox with TerraphimPlatform vault
9.4 KiB
Gitea Stack Deployment Summary
Date: 2026-02-16
Target: bigbox (via SSH)
Status: Ready for deployment
What Was Done
1. Disciplined Research (Phase 1)
Created comprehensive research document analyzing:
- Current Docker Compose stack (Gitea, PostgreSQL, SeaweedFS, Prometheus)
- Bigbox environment (125GB RAM, 367GB free, Docker 28.1.1, 1Password CLI installed)
- Security requirements (eliminate hardcoded credentials)
- Caddy reverse proxy integration
File: .docs/RESEARCH-gitea-bigbox-deployment.md
2. Disciplined Design (Phase 2)
Created implementation plan with:
- 1Password secrets management using
op inject - Template files with
op://references - Caddy reverse proxy configuration with automatic HTTPS
- 10-step deployment process
- Complete rollback plan
File: .docs/IMPLEMENTATION-gitea-bigbox-deployment.md
3. Implementation Artifacts Created
Template Files (Safe to Commit)
docker-compose.yml.template- Docker Compose with 1Password referencess3_config.json.template- SeaweedFS S3 config with 1Password referencesCaddyfile- Caddy reverse proxy configuration.gitignore- Excludes secrets and data directories
Deployment Script
deploy-to-bigbox.sh- Automated deployment script
Generated Files (NOT in Git - Created at Deploy Time)
docker-compose.yml- Secrets injected viaop injects3_config.json- Secrets injected viaop inject
1Password Integration
Prerequisites on Bigbox
- 1Password CLI installed (
/usr/bin/op) - Service account script:
~/op_zesticai_non_prod.sh - Valid service account token configured
Required Vault Items
Create these in the zesticai-non-prod vault:
# Create gitea-postgres item
op item create \
--vault="zesticai-non-prod" \
--category=login \
--title="gitea-postgres" \
--generate-password=20,letters,digits \
username=gitea
# Create gitea-s3 item
op item create \
--vault="zesticai-non-prod" \
--category=custom \
--title="gitea-s3" \
access-key="$(openssl rand -hex 20)" \
secret-key="$(openssl rand -hex 40)"
How It Works
- Template Creation: Files use
op://vault/item/fieldsyntax - Authentication: Source
op_zesticai_non_prod.shto setOP_SERVICE_ACCOUNT_TOKEN - Secret Injection: Run
op inject --in-file template --out-file config - Deployment: Use injected config files with Docker Compose
Network Architecture
Public Access (via Caddy HTTPS)
Bigbox already runs Caddy with existing services (terraphim.cloud, privacy1st.org). We add Gitea to the existing instance:
| Service | Domain | Backend | Access |
|---|---|---|---|
| Gitea | git.terraphim.cloud | localhost:3000 | Public HTTPS |
Tailscale Network Only (100.106.66.7)
These services are bound to the Tailscale interface and are NOT accessible from the public internet:
| Service | Address | Purpose |
|---|---|---|
| Prometheus | 100.106.66.7:9000 | Monitoring |
| S3 API | 100.106.66.7:8333 | Object storage |
| S3 Metrics | 100.106.66.7:9327 | Prometheus metrics |
SSH Access
- Port 222: Git over SSH (exposed on all interfaces)
- Command:
git clone ssh://git@bigbox:222/owner/repo.git
Internal Services (Docker Network Only)
- PostgreSQL: Internal Docker network only
- SeaweedFS Master, Volume, Filer: Internal Docker network only
Caddy Configuration
- Existing Instance: Caddy already running on bigbox
- Route Addition: Gitea route added via Caddy Admin API
- SSL: Automatic HTTPS via Let's Encrypt
- Logging: JSON format to
/var/log/caddy/gitea-access.log
Deployment Steps
Option 1: Automated (Recommended)
# 1. Create 1Password items first (see above)
# 2. Run deployment script
./deploy-to-bigbox.sh
Option 2: Manual Step-by-Step
See .docs/IMPLEMENTATION-gitea-bigbox-deployment.md for detailed manual steps.
Post-Deployment
Access URLs
After deployment, services will be available at:
Public Access (HTTPS via Caddy):
- Gitea Web: https://git.terraphim.cloud
- Gitea SSH: ssh://bigbox:222
Tailscale Network Only (requires Tailscale connection):
- Prometheus: http://100.106.66.7:9000
- S3 API: http://100.106.66.7:8333
- S3 Metrics: http://100.106.66.7:9327
Local Development (on bigbox):
- Gitea: http://localhost:3000
Important: Prometheus and S3 are intentionally NOT accessible from the public internet. They are bound to the Tailscale interface (100.106.66.7) and require connection to the Tailscale VPN.
Immediate Actions
- Update DNS: Add entries to your DNS or local
/etc/hosts - Gitea Setup: Complete initial setup at http://bigbox:3000
- Change Password: Update default admin password immediately
- Verify Caddy: Check SSL certificates are generated
Useful Commands
# Check service status
ssh bigbox "cd ~/gitea-stack && docker compose ps"
# View logs
ssh bigbox "cd ~/gitea-stack && docker compose logs -f"
# View Caddy logs
ssh bigbox "sudo tail -f /var/log/caddy/*.log"
# Restart services
ssh bigbox "cd ~/gitea-stack && docker compose restart"
# Reload Caddy config
ssh bigbox "sudo caddy reload --config /etc/caddy/Caddyfile"
Security Improvements
Before (Hardcoded Secrets)
- S3 credentials in
s3_config.json - Database password in
docker-compose.yml - Secrets committed to git
After (1Password Managed)
- All secrets in 1Password vault
- Template files only contain references (
op://) - Secrets injected at deployment time
- Easy secret rotation via 1Password
.gitignoreprevents accidental commits
Caddy Security
- Automatic HTTPS (Let's Encrypt)
- No manual certificate management
- Request logging for audit trail
- Easy to add basic authentication
Rollback
If deployment fails:
# Stop services
ssh bigbox "cd ~/gitea-stack && docker compose down"
# Stop Caddy
ssh bigbox "sudo pkill caddy || sudo systemctl stop caddy"
# Remove deployment
ssh bigbox "rm -rf ~/gitea-stack"
# Remove Caddy config
ssh bigbox "sudo rm /etc/caddy/Caddyfile"
Files Changed/Created
New Files
.docs/RESEARCH-gitea-bigbox-deployment.md- Research findings.docs/IMPLEMENTATION-gitea-bigbox-deployment.md- Implementation plandocker-compose.yml.template- Compose template with 1Password refss3_config.json.template- S3 config template with 1Password refsCaddyfile- Caddy reverse proxy configuration.gitignore- Excludes secrets and datadeploy-to-bigbox.sh- Automated deployment script.docs/DEPLOYMENT-SUMMARY.md- This file
Modified Files
- None (original docker-compose.yml and s3_config.json remain unchanged)
Files Excluded from Git
docker-compose.yml(contains resolved secrets)s3_config.json(contains resolved secrets).env(if created)gitea/,postgres/,seaweedfs/(data directories)
Next Steps
- Create 1Password Items: Run the
op item createcommands - Update Domains: Caddyfile already configured for
git.terraphim.cloud - Run Deployment: Execute
./deploy-to-bigbox.sh - Verify: Check all services are accessible
- Document: Update this summary with actual domain names and any issues
Troubleshooting
1Password Authentication Fails
# Test on bigbox
ssh bigbox
source ~/op_zesticai_non_prod.sh
op vault list
# If it fails, check service account token is valid
Caddy Route Not Working
# Check if Caddy is running
ssh bigbox "pgrep -x caddy"
# Check existing Caddy routes
ssh bigbox "curl -s http://localhost:2019/config/apps/http/servers/srv0/routes | grep git.terraphim"
# Check Caddy logs
ssh bigbox "sudo tail -f /var/log/caddy/*.log"
# Verify Gitea is responding on localhost:3000
ssh bigbox "curl http://localhost:3000/api/healthz"
Services Not Accessible
# Check container logs
ssh bigbox "cd ~/gitea-stack && docker compose logs"
# Check if containers are running
ssh bigbox "cd ~/gitea-stack && docker compose ps"
# Check Gitea (public via Caddy)
curl https://git.terraphim.cloud/api/healthz
# Check Prometheus/S3 (Tailscale only - must be on Tailscale network)
curl http://100.106.66.7:9000/-/healthy
curl http://100.106.66.7:8333
Cannot Access Prometheus or S3
These services are bound to the Tailscale interface (100.106.66.7) only:
# Verify you're connected to Tailscale
tailscale status
# Verify you can reach the Tailscale IP
ping 100.106.66.7
# Then access services
curl http://100.106.66.7:9000/-/healthy
curl http://100.106.66.7:8333
Secret Injection Fails
# Test op inject manually
ssh bigbox "cd ~/gitea-stack && source ~/op_zesticai_non_prod.sh && op inject --in-file docker-compose.yml.template --dry-run"
Maintenance
Rotating Secrets
- Update secret in 1Password vault
- Re-run deployment:
./deploy-to-bigbox.sh - Or manually:
ssh bigbox "cd ~/gitea-stack && source ~/op_zesticai_non_prod.sh && op inject --in-file docker-compose.yml.template --out-file docker-compose.yml && docker compose up -d"
Backup
# Backup data directories
rsync -avz bigbox:~/gitea-stack/gitea ./backup/
rsync -avz bigbox:~/gitea-stack/postgres ./backup/
rsync -avz bigbox:~/gitea-stack/seaweedfs ./backup/
Updates
# Update images
ssh bigbox "cd ~/gitea-stack && docker compose pull && docker compose up -d"
# Update Caddy
ssh bigbox "sudo apt update && sudo apt upgrade caddy"
Ready to deploy! Run ./deploy-to-bigbox.sh after creating the 1Password vault items.