update documentation based on APP-MANIFEST.md

.devcontainer/devcontainer.json

@@ -0,0 +1,22 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/alpine
+{
+	"name": "Debian",
+	// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+	"image": "mcr.microsoft.com/devcontainers/base:debian-12"
+
+	// Features to add to the dev container. More info: https://containers.dev/features.
+	// "features": {},
+
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	// "forwardPorts": [],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	// "postCreateCommand": "uname -a",
+
+	// Configure tool-specific properties.
+	// "customizations": {},
+
+	// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+	// "remoteUser": "root"
+}

.gitea/workflows/test.yaml

@@ -0,0 +1,9 @@
+name: Gitea Actions Demo
+run-name: ${{ gitea.actor }} is testing Gitea Actions 🚀
+on: [push]
+jobs:
+  Explore-Gitea-Actions:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "🎉 The job was automatically triggered by a ${{ gitea.event_name }} event."
+      - run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by Gitea!"

2026-roadmap.md

@@ -7,7 +7,7 @@ Goal: Move from "reactive" to "proactive" management.
 
 ## 🤖 Phase 2: CI/CD & Automation
 Goal: Fully automate the "Update Dash" and backup workflows.
-* **Gitea Actions:** Set up a local Gitea Runner.
+* **Gitea Actions:** Deployment of local `gitea-act-runner` completed (see manifest).
 * **Workflow Integration:** Replace the manual `updatedash` script with an Action that triggers a Docker build and deploy automatically upon every `git push` to the dashboard repo.
 
 ## 📧 Phase 3: Application Optimization

APP-MANIFEST.md

@@ -1,7 +1,12 @@
+# App Manifest
 | App Name | Subdomain | Internal Port | DB Name |
-| :.... | :.... | :.... | :.... |
+| :--- | :--- | :--- | :--- |
-| Gitea | git |	3000 | gitea |
+| Gitea | git |	22, 3000 | gitea |
+| Gitea-Act_runner | none | none | none |
+| Surmai | travel | 8080 | surmai |
 | Linkwarden | links | 3000 | linkwarden |
+| Postgres | none | 5432 | none |
 | FreshRSS | news | 80 | freshrss |
 | Memos | memos | 5230 | memos |
 | Dashboard | home | 80 | None |
+| cloudflared | none | none | none |

apps/gitea/compose.yaml

@@ -0,0 +1,28 @@
+services:
+  server:
+    image: gitea/gitea:latest
+    container_name: gitea
+    restart: always
+    environment:
+      - GITEA__database__DB_TYPE=postgres
+      - GITEA__database__HOST=global_postgres:5432 # Point to the universal container
+      - GITEA__database__NAME=gitea
+      - GITEA__database__USER=gitea
+      - GITEA__database__PASSWD=check-password-in-keeper
+      # SSH configuration
+      - GITEA__server__START_SSH_SERVER=true
+      - GITEA__server__SSH_DOMAIN=git-ssh.davisdre.com
+      - GITEA__server__SSH_PORT=22
+      - GITEA__server__SSH_LISTEN_PORT=2222
+      - GITEA__server__ROOT_URL=https://git.davisdre.com/
+      - GITEA__repository__ENABLE_PUSH_CREATE_USER=true
+      - GITEA__repository__ENABLE_PUSH_CREATE_ORG=true
+    networks:
+      - db_network
+      - web_gateway
+
+networks:
+  db_network:
+    external: true
+  web_gateway:
+    external: true

config-summary.md

@@ -23,8 +23,24 @@
   - Features: Automatic multi-DB creation via init-script.
 - **gitea:** Self-hosted Git.
   - Location: `/opt/docker/gitea`
-  - DB: Universal DB (Postgres)
+  - DB: Universal DB (gitea)
-  - Access: Via Cloudflare Tunnel (git.yourdomain.com)
+  - Access: Via Cloudflare Tunnel (git.davisdre.com)
+- **gitea-act-runner:** CI/CD Runner for Gitea Actions.
+  - Location: `/opt/docker/gitea`
+- **linkwarden:** Bookmark and archive manager.
+  - Location: `/opt/docker/linkwarden`
+  - DB: Universal DB (linkwarden)
+- **freshrss:** RSS Feed Aggregator.
+  - Location: `/opt/docker/freshrss`
+  - DB: Universal DB (freshrss)
+- **memos:** Privacy-first, lightweight note-taking.
+  - Location: `/opt/docker/memos`
+  - DB: Universal DB (memos)
+- **surmai:** Personal travel itinerary manager.
+  - Location: `/opt/docker/surmai`
+  - DB: Universal DB (surmai)
+- **dashboard:** Homelab landing page.
+  - Location: `/opt/docker/dashboard`
 - **cloudflared-tunnel:** Outbound tunnel to Cloudflare Edge.
   - Location: `/opt/docker/cloudflared`
 

disaster-recovery.md

@@ -39,4 +39,5 @@ cd /opt/docker/linkwarden && docker compose up -d
 cd /opt/docker/freshrss && docker compose up -d
 cd /opt/docker/memos && docker compose up -d
 cd /opt/docker/surmai && docker compose up -d
+cd /opt/docker/cloudflared && docker compose up -d
 ```

manifest.md

@@ -24,11 +24,13 @@
 | :--- | :--- | :--- | :--- |
 | **Dashboard** | `home.davisdre.com` | `/opt/docker/dashboard` | Static (Nginx) |
 | **Gitea** | `git.davisdre.com` | `/opt/docker/gitea` | `gitea` (Postgres) |
+| **Gitea-Act_runner** | *Internal Only* | `/opt/docker/gitea` | None |
 | **Linkwarden** | `links.davisdre.com` | `/opt/docker/linkwarden` | `linkwarden` (Postgres) |
 | **FreshRSS** | `news.davisdre.com` | `/opt/docker/freshrss` | `freshrss` (Postgres) |
 | **Memos** | `memos.davisdre.com` | `/opt/docker/memos` | `memos` (Postgres) |
 | **Surmai** | `travel.davisdre.com` | `/opt/docker/surmai` | Internal SQLite |
 | **Postgres** | *Internal Only* | `/opt/docker/global-db` | **Universal DB** |
+| **cloudflared** | *Tunnel Only* | `/opt/docker/cloudflared` | None |
 
 ---
 

ssh-key-management-access.md

@@ -0,0 +1,107 @@
+# SOP: SSH Key Management & Access (Zero Trust)
+
+**Purpose:** Standardize the creation, storage, and usage of SSH keys for accessing internal homelab services (Gitea, servers, etc.) protected by Cloudflare Tunnels, without opening firewall ports.
+
+**Prerequisites:**
+
+* **Client:** Windows 10/11 with OpenSSH Client installed.
+* **Software:** Keeper Password Manager (Desktop App), `cloudflared` daemon.
+* **Network:** Cloudflare Tunnel configured for the target service (SSH protocol).
+
+---
+
+## 1. Key Generation
+
+Use **Ed25519** for all new keys (faster, smaller, more secure than RSA).
+
+1. Open PowerShell.
+2. Generate a new key pair (replace `service` with app name, e.g., `gitea`, `prod-server`):
+```powershell
+ssh-keygen -t ed25519 -C "davisdre@service" -f "$env:USERPROFILE\.ssh\id_ed25519_service"
+
+```
+
+
+3. **Do not** set a passphrase if relying on Keeper (Keeper protects the key).
+
+## 2. Storage & Agent Setup (Keeper)
+
+We do not store private keys permanently on the local disk. They live in Keeper and are injected into memory via the SSH Agent.
+
+1. **Create Record:** Create a new record in Keeper (e.g., "SSH Key - Gitea").
+2. **Attach Keys:** Upload the `.pub` (Public) and the private key file (no extension) to the record attachments or dedicated SSH Key fields.
+3. **Enable Agent:**
+* In Keeper Desktop: Go to **Settings > SSH Agent**.
+* Ensure **Enable SSH Agent Integration** is ON.
+* Select the key record you just created and ensure it is listed/active.
+
+
+4. **Cleanup:** Delete the **private** key file from your local `.ssh` folder. You may keep the `.pub` file for reference.
+
+## 3. Client Configuration (`config`)
+
+Configure the local SSH client to route traffic through Cloudflare and use the Keeper agent.
+
+1. Open your config file: `C:\Users\davis\.ssh\config`.
+2. Add a new block for the service.
+* **Note:** Do *not* hardcode `IdentityAgent` lines; rely on the `SSH_AUTH_SOCK` environment variable set by Keeper.
+
+
+
+```text
+# Template for Cloudflare Tunnel Services
+Host service.davisdre.com
+  User git
+  # Proxy traffic via Cloudflare (requires cloudflared installed)
+  ProxyCommand cloudflared access ssh --hostname %h
+
+```
+
+## 4. Service Configuration
+
+1. Copy the content of your **Public Key** (`.pub` file).
+2. Navigate to the Service (e.g., Gitea Settings > SSH / GPG Keys).
+3. Add Key and paste the string (starts with `ssh-ed25519`).
+
+## 5. Connection Verification
+
+Before using the tool (VS Code, git, etc.), verify the handshake in PowerShell.
+
+1. **Unlock Keeper:** Ensure the vault is open.
+2. **Test Connection:**
+```powershell
+ssh -T git@service.davisdre.com
+
+```
+
+
+3. **Expected Output:**
+* *First time:* Prompts to verify host fingerprint (Type `yes`).
+* *Success:* `Hi there...! You've successfully authenticated...`
+
+
+
+---
+
+## Troubleshooting
+
+| Issue | Check |
+| --- | --- |
+| **Permission Denied (publickey)** | 1. Is Keeper unlocked? <br>
+
+<br> 2. Run `ssh-add -l` to see if keys are loaded. <br>
+
+<br> 3. Ensure `git config core.sshCommand` is set to Windows OpenSSH. |
+| **TLS Handshake Failure** | Cloudflare SSL mismatch. Ensure the tunnel hostname is not 4th level (e.g., use `git-ssh.domain.com`, NOT `ssh.git.domain.com`). |
+| **"Unknown Port" / Proxy Error** | Ensure `cloudflared` is installed and the Tunnel Public Hostname is set to `SSH` service (not HTTP). |
+
+---
+
+### **Git Configuration (One-Time Setup)**
+
+Ensure Git uses the Windows Native SSH (which talks to Keeper) rather than the bundled MinGW SSH.
+
+```powershell
+git config --global core.sshCommand "C:/Windows/System32/OpenSSH/ssh.exe"
+
+```