2026-06-19 15:35:48 +01:00
# Atay Makhzan Ops
Open-source operations repository for **Atay Makhzan**, Saad ibn Zoubayr's self-hosted Gitea forge.
Atay Makhzan is currently a sovereign Git forge running Gitea on a VPS with Docker Compose, PostgreSQL, Nginx, and SSH Git access.
## Current production snapshot
| Area | Current value |
|---|---|
| Public domain | `ataymakhzan.com` |
| Forge | Gitea |
| Gitea image | `gitea/gitea:1.26.2` |
| Database | PostgreSQL via `postgres:16-alpine` |
| Stack path | `/opt/gitea` |
| Web proxy | Nginx + Certbot TLS |
| Local Gitea HTTP | `127.0.0.1:3001` / container port `3001` |
| Git SSH | `ataymakhzan.com:2222` |
## What belongs in this repo
- Sanitized Docker Compose templates
- Nginx reverse-proxy templates
- Backup, verification, and upgrade scripts
- Restore and maintenance runbooks
- Architecture decision records
- Public roadmap for future Atay Makhzan evolution
## What must never be committed
- `.env` with real secrets
- Gitea `app.ini` with secrets
- PostgreSQL passwords
- SSH private keys
- Gitea dumps or database dumps
- Repository backups
- API tokens or access tokens
- TLS private keys

See [`SECURITY.md`](SECURITY.md).
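
One way to enforce the list above before a commit lands, as an added example that is not one of this repo's scripts: the function names and file-name patterns are assumptions, and it only catches file-name classes and PEM private key blocks, so passwords and tokens pasted into other files still need a dedicated secret scanner.

```shell
#!/bin/sh
# Added example (not part of this repo): guard for the "never commit" list.
# File-name patterns below are assumptions; adjust them to the real layout.

# Print why a path is forbidden; return 1 when the name looks safe.
forbidden_reason() {
  case "${1##*/}" in
    .env.example|.env.template|.env.sample) return 1 ;;  # sanitized templates
    .env|.env.*)                       echo "env file with real secrets" ;;
    app.ini)                           echo "Gitea app.ini" ;;
    privkey*.pem|*.key|id_rsa|id_ecdsa|id_ed25519)
                                       echo "TLS or SSH private key" ;;
    gitea-dump-*.zip|*.sql|*.sql.gz|*.dump)
                                       echo "Gitea or database dump" ;;
    *) return 1 ;;
  esac
}

# True when the file contains a PEM private key header (RSA, EC, OPENSSH, ...).
has_private_key_block() {
  grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' -- "$1"
}

# Read candidate paths on stdin, print one BLOCK line per finding,
# and return 1 if anything was found so a hook can abort the commit.
scan_paths() {
  local p reason status
  status=0
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if reason=$(forbidden_reason "$p"); then
      echo "BLOCK $p: $reason"
      status=1
    elif [ -f "$p" ] && has_private_key_block "$p"; then
      echo "BLOCK $p: contains a private key block"
      status=1
    fi
  done
  return "$status"
}

# As a pre-commit hook, feed it the staged paths:
#   git diff --cached --name-only --diff-filter=ACMR | scan_paths || exit 1
```
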
## Quick commands
Verify a live instance:
```bash
DOMAIN=ataymakhzan.com \
SSH_PORT=2222 \
OWNER=ibnezzoubayr \
PROBE_REPO=Empire-OS \
./scripts/verify-gitea.sh
```
Create a rollback backup on the VPS:
```bash
sudo STACK_DIR=/opt/gitea ./scripts/backup-gitea.sh
```
Prepare an upgrade dry-run:
```bash
sudo TARGET_VERSION=1.26.2 STACK_DIR=/opt/gitea ./scripts/upgrade-gitea.sh
```
Apply an upgrade intentionally:
```bash
sudo TARGET_VERSION=1.26.2 STACK_DIR=/opt/gitea APPLY=1 ./scripts/upgrade-gitea.sh
```
## Strategic direction
This repo starts as **ops/infrastructure** for the official Gitea-based Atay Makhzan deployment.
Later, if Atay Makhzan needs product behavior that Gitea cannot cleanly support through configuration, themes, plugins, or external automation, we can create a separate source fork and maintain it as its own product.
Until then, the CTO rule is:
> Do not fork Gitea prematurely. First make the deployment reproducible, observable, backed up, and safe to upgrade.

See [`docs/FUTURE-GITEA-FORK.md`](docs/FUTURE-GITEA-FORK.md).