- Block port 2222 (Forgejo SSH) alongside 3000 after install since
git operations use HTTPS via NPM proxy only
- Add save_iptables_rules helper: uses netfilter-persistent if present,
otherwise writes /etc/iptables/rules.v4 and installs iptables-persistent
so DROP rules survive reboots
- Call save_iptables_rules after Forgejo port block and toggle-port-81
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Automatically add iptables DOCKER-USER DROP rule for port 3000 so
Forgejo is only reachable via NPM proxy, not directly from the internet
- Rewrite post-install instructions in English with all 6 NPM setup steps
including SSL config and correct ROOT_URL / SSH Port values
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Codeberg container registry does not publish a 'latest' tag for Forgejo.
Switch to the stable major version tag 'codeberg.org/forgejo/forgejo:9'.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
generate_docker_compose now only adds the d3v-net network section if the
network actually exists on the host. Servers without Forgejo no longer
fail with "network declared as external, but could not be found".
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add paths filter so the build only triggers on changes to backend/,
frontend/, docker/, or the workflow file itself. Edits to install.sh,
CLAUDE.md, etc. no longer cause unnecessary image rebuilds.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add Forgejo as option 8 in main menu with submenu (install/uninstall/update)
- do_forgejo_install: creates /opt/forgejo with SQLite, ports 3000/2222,
joins d3v-net network so NPM can proxy to it
- ensure_docker_network: creates d3v-net external network if missing
- On Forgejo install, regenerate D3V-NPMWG compose to include d3v-net
and connect running container immediately (no restart required)
- Success output includes step-by-step NPM Proxy Host setup guide
- DOCKER_NETWORK constant (d3v-net) shared across both stacks
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Hide the Open xGat3 button when the page is accessed via a domain name.
Only show it when the hostname is a raw IP (e.g. 10.0.0.1 over WireGuard).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds a button below the login card that opens the xGat3 reverse
proxy interface (port 80) in a new tab when accessed via WireGuard VPN.
The link is built dynamically from the current hostname so it works
regardless of which IP the client uses to reach the server.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The wg+ wildcard in the server isolation DROP rule was also matching
same-interface traffic (wg0->wg0), blocking clients from pinging each
other even with Client Isolation turned off.
Fix: always insert an explicit same-interface ACCEPT (or REJECT if
isolated) rule AFTER the wg+ DROP, so it lands at position 1 in the
chain and is evaluated before the DROP.
Also update syncIptablesRules to apply the ACCEPT rule (not just remove
the REJECT) when isolation is toggled off at runtime.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
wg syncconf does not execute PostUp/PostDown, so toggling isolate_clients
had no effect until container restart. Add syncIptablesRules() to directly
apply/remove the REJECT rule after every syncconf call.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Sửa lỗi db.js export getInstance() thay vì knex instance trực tiếp
- Tìm admin theo user đầu tiên trong DB thay vì hard-code id=1
- Chỉ hỏi mật khẩu mới, hiển thị email sau khi update thành công
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
