From 682b5cba068a96ea92d709bb433d952a4d1822ca Mon Sep 17 00:00:00 2001
From: thomasabishop
Date: Sat, 9 Aug 2025 12:05:48 +0100
Subject: [PATCH 1/5] chore: ignore runner logs Forgejo
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 219f398..611ffe4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 proxy/nginx/vim
 proxy/nginx/.*
 services/linkding/data
+services/forgejo/runner-data
From cbb208da3fb8ede41fcbd1d264eab1949e7cf7ff Mon Sep 17 00:00:00 2001
From: thomasabishop
Date: Sat, 9 Aug 2025 12:39:07 +0100
Subject: [PATCH 2/5] chore: update README
---
 README.md | 45 ++++++++++++++++++++++++---------------------
 1 file changed, 24 insertions(+), 21 deletions(-)
diff --git a/README.md b/README.md
index fec6da1..435c84b 100644
--- a/README.md
+++ b/README.md
@@ -4,41 +4,44 @@ Configuration of self-hosted third-party software on my Hetzner Cloud VPS. ![](./diagrams/directory-structure.png) -## Services I am currently self-hosting +## Third-party applications -- Grafana -- Linkding -- Forgejo -- RocketChat +### Services I am currently self-hosting -## Service data +- [Grafana](https://grafana.com/) +- [Linkding](https://linkding.link/) +- [Forgejo](https://forgejo.systemsobscure.net/thomasabishop) +- [Miniflux](https://miniflux.app/) +- [Wakapi](https://wakapi.dev/) -Most application data is stored in a network-attached Hetzner Storagebox drive +### Service data + +Some applicaton data is stored in a network-attached Hetzner Storagebox drive ("Storagebox Alpha"). Docker volumes are mapped to this location. This device is permanantly mounted using the [CIFS protocol](https://www.lenovo.com/gb/en/glossary/what-is-common-internet-file-system-cifs/) at `/mnt/storagebox_alpha`, as specified in `/etc/fstab`. -For certain services, data is stored on the small harddrive of the VPS: +Other application data is stored on the small harddrive of the VPS: | Service | Data | Location | Description | | ------- | --------------- | --------------------- | ----------------------------------------------- | | Forgejo | MySQL database | `/data/mysql/forgejo` | Database data only. Repositories stored in NAS. 
| | Wakapi | SQLite database | `/data/sqlite/wakapi` | | -## Port mappings - -| Range | Function | -| ----- | ---------------- | -| 8000 | Web applications | - ### Services -| Server port | Docker port | Subdomain | Service | Description | -| ----------- | ----------- | ----------------------------- | ---------- | -------------------------- | -| 8000 | 3000 | grafana.systemsobscure.net | Grafana | Server logs and monitoring | -| 8001 | 9090 | bookmarks.systemsobscure.net | Linkding | Article bookmarking tool | -| 8002 | 3000 | forgejo.systemsobscure.net | Forgejo | Git forge | -| 8003 | 3000 | rocketchat.systemsobscure.net | RocketChat | Messaging app, alerts | -| 8004 | 3000 | wakapi.systemsobscure.net | Wakapi | Coding statistics tracker | +| Server port | Docker port | Subdomain | Service | Description | +| ----------- | ----------- | ---------------------------- | -------- | -------------------------- | +| 8000 | 3000 | grafana.systemsobscure.net | Grafana | Server logs and monitoring | +| 8001 | 9090 | bookmarks.systemsobscure.net | Linkding | Article bookmarking tool | +| 8002 | 3000 | forgejo.systemsobscure.net | Forgejo | Git forge | +| 8004 | 3000 | wakapi.systemsobscure.net | Wakapi | Coding statistics tracker | +| 8005 | 8080 | miniflux.systemsobscure.net | Miniflux | RSS aggregator | + +## My applications + +### systemsobscure.blog + +This is a static website served from `/var/www/` directory. From a5835bd97a04b2f00692f93e8d9bced1c1c6c1f5 Mon Sep 17 00:00:00 2001 From: thomasabishop Date: Sat, 9 Aug 2025 12:47:12 +0100 Subject: [PATCH 3/5] chore: update README --- README.md | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 435c84b..33cbc8d 100644 --- a/README.md +++ b/README.md 
@@ -6,13 +6,15 @@ Configuration of self-hosted third-party software on my Hetzner Cloud VPS. ## Third-party applications -### Services I am currently self-hosting +### Services -- [Grafana](https://grafana.com/) -- [Linkding](https://linkding.link/) -- [Forgejo](https://forgejo.systemsobscure.net/thomasabishop) -- [Miniflux](https://miniflux.app/) -- [Wakapi](https://wakapi.dev/) +| Server port | Docker port | Subdomain | Service | Description | +| ----------- | ----------- | ---------------------------- | -------- | -------------------------- | +| 8000 | 3000 | grafana.systemsobscure.net | Grafana | Server logs and monitoring | +| 8001 | 9090 | bookmarks.systemsobscure.net | Linkding | Article bookmarking tool | +| 8002 | 3000 | forgejo.systemsobscure.net | Forgejo | Git forge | +| 8004 | 3000 | wakapi.systemsobscure.net | Wakapi | Coding statistics tracker | +| 8005 | 8080 | miniflux.systemsobscure.net | Miniflux | RSS aggregator | ### Service data @@ -30,16 +32,6 @@ Other application data is stored on the small harddrive of the VPS: | Forgejo | MySQL database | `/data/mysql/forgejo` | Database data only. Repositories stored in NAS. | | Wakapi | SQLite database | `/data/sqlite/wakapi` | | -### Services - -| Server port | Docker port | Subdomain | Service | Description | -| ----------- | ----------- | ---------------------------- | -------- | -------------------------- | -| 8000 | 3000 | grafana.systemsobscure.net | Grafana | Server logs and monitoring | -| 8001 | 9090 | bookmarks.systemsobscure.net | Linkding | Article bookmarking tool | -| 8002 | 3000 | forgejo.systemsobscure.net | Forgejo | Git forge | -| 8004 | 3000 | wakapi.systemsobscure.net | Wakapi | Coding statistics tracker | -| 8005 | 8080 | miniflux.systemsobscure.net | Miniflux | RSS aggregator | - ## My applications ### systemsobscure.blog From 1bb055ae0ec7e444ae0e22ffacfcf45a121fa5d6 Mon Sep 17 00:00:00 2001 
From: thomasabishop
Date: Sun, 10 Aug 2025 16:43:39 +0100
Subject: [PATCH 4/5] feat: add proxy routing for garage (S3)
---
 proxy/nginx/conf.d/s3.conf | 42 ++++++++++++++++++++++++++++++
 scripts/regenerate_certificates.sh | 4 ++-
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 proxy/nginx/conf.d/s3.conf
diff --git a/proxy/nginx/conf.d/s3.conf b/proxy/nginx/conf.d/s3.conf
new file mode 100644
index 0000000..7ad2d3d
--- /dev/null
+++ b/proxy/nginx/conf.d/s3.conf
@@ -0,0 +1,42 @@
+# HTTP configuration
+# -- Redirect all HTTP requests to HTTPS port
+server {
+ listen 80; # HTTP port
+ server_name s3.systemsobscure.net;
+ location / {
+ return 301 https://$host$request_uri; # Variable is a placeholder for all requests to the server name
+ }
+}
+
+# HTTPS configuration
+
+server {
+ listen 443 ssl;
+ server_name s3.systemsobscure.net;
+
+ # SSL configuration
+ ssl_certificate /etc/letsencrypt/live/systemsobscure.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/systemsobscure.net/privkey.pem;
+
+ # Security headers
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # Proxy Configuration
+ location / {
+ proxy_pass http://127.0.0.1:3900;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # CORS headers for web access
+ add_header Access-Control-Allow-Origin *;
+ add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+ add_header Access-Control-Allow-Headers "Authorization, Content-Type";
+
+ # Handle preflight requests
+ if ($request_method = 'OPTIONS') {
+ return 204;
+ }
+ }
+}
diff --git a/scripts/regenerate_certificates.sh b/scripts/regenerate_certificates.sh
index d6c65ad..78cf1af 100755
--- a/scripts/regenerate_certificates.sh
+++ b/scripts/regenerate_certificates.sh
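Review bot: The `Strict-Transport-Security` header set at server level in the HTTPS block will not reach proxied responses, because `location /` declares its own `add_header` lines and nginx inherits `add_header` from the enclosing level only when the current level defines none. Repeat it inside the location, `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`, or move the CORS headers up to the server block. The three CORS `add_header` lines also lack `always`, so error responses from the backend on 127.0.0.1:3900 carry none of them. `Access-Control-Allow-Origin *` together with `Authorization` in the allowed headers lets pages on any origin call the S3 API with credentials they hold; if only known web front-ends need this, list those origins and say so in the `# CORS headers for web access` comment.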
@@ -21,7 +21,9 @@ sudo certbot certonly --standalone \ -d linkding.systemsobscure.net \ -d miniflux.systemsobscure.net \ -d systemsobscure.blog \ - -d www.systemsobscure.blog + -d www.systemsobscure.blog \ + -d s3.systemsobscure.net + echo "INFO Confirming certificate creation..." sudo certbot certificates From 1db5f2e1b1f46727f9d362f1e6b847c94d292030 Mon Sep 17 00:00:00 2001 From: thomasabishop Date: Sun, 10 Aug 2025 16:45:55 +0100 Subject: [PATCH 5/5] fix: enable 100M uploads S3 (garage) --- proxy/nginx/conf.d/s3.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/proxy/nginx/conf.d/s3.conf b/proxy/nginx/conf.d/s3.conf index 7ad2d3d..ab99ae7 100644 --- a/proxy/nginx/conf.d/s3.conf +++ b/proxy/nginx/conf.d/s3.conf @@ -14,6 +14,8 @@ server { listen 443 ssl; server_name s3.systemsobscure.net; + client_max_body_size 100M; # Allow large image uploads + # SSL configuration ssl_certificate /etc/letsencrypt/live/systemsobscure.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/systemsobscure.net/privkey.pem;
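Review bot: Adding `-d s3.systemsobscure.net` changes the domain set of an existing certificate, and the start of the `certbot certonly` command lies outside this hunk, so it is not visible whether `--expand` or `--cert-name systemsobscure.net` is passed. Without one of them certbot may prompt, fail when run unattended, or create a separate lineage, while `s3.conf` reads its certificate from `/etc/letsencrypt/live/systemsobscure.net/`; nginx would then keep serving a certificate that lacks the new name. If neither flag is already present, pin the lineage with `--cert-name systemsobscure.net \` ahead of the `-d` list.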
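Review bot: `client_max_body_size 100M;` applies to every request on this server, and with nginx's default request buffering the proxy reads and spools a body of up to 100M before the backend sees the request and can reject an unsigned one. The README in this series describes the VPS disk as small, so consider adding `proxy_request_buffering off;` inside `location /` so uploads stream straight to the backend. The comment could also state that the limit is per request, e.g. `# Per-request body limit for S3 uploads`. The server block continues outside this hunk.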