privacy

Operational privacy summary for depotra.in. Descriptions below reflect live configuration, not generic policy boilerplate.

stack

single VPS. forgejo v15 LTS. everything below is scoped to depotra.in only, zero shared paths with navi.land mail.

• forgejo listens 127.0.0.1:3000, not public, nginx front door only
• nginx vhost depotra.in, reverse proxy, TLS via Let's Encrypt
• sqlite3 forgejo DB at /var/lib/forgejo/data/forgejo.db, no MariaDB, no shared mail DB
• sqlite3 invite gate at /var/lib/forgejo/invite-gate/invites.db
• php-fpm dedicated pool /run/php/depotra-fpm.sock, not the navi.land php8.2-fpm socket
• git ssh port 2222 on depotra.in
• actions enabled, runner on-host, artifacts local disk

[database]

DB_TYPE = sqlite3

PATH = /var/lib/forgejo/data/forgejo.db



[server]

HTTP_ADDR = 127.0.0.1

HTTP_PORT = 3000

DOMAIN = depotra.in

network & cloudflare

DNS for depotra.in is Cloudflare proxied (orange cloud). that means:

• visitors hit CF edge first, they see CF's IP, not ours directly
• CF terminates some abuse/DDoS stuff before it reaches us
• we only trust reverse-proxy headers from localhost, forgejo won't accept spoofed X-Forwarded-For from random clients

[security]

REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128

nginx adds HSTS, nosniff, SAMEORIGIN frame guard, strict referrer, and disables camera, microphone, geolocation, and payment APIs:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

add_header X-Content-Type-Options "nosniff" always;

add_header X-Frame-Options "SAMEORIGIN" always;

add_header Referrer-Policy "strict-origin-when-cross-origin" always;

add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;

add_header Content-Security-Policy "font-src 'self' data:" always;

isolation from navi.land: separate nginx site, separate webroot (/var/www/depotra.in), separate PHP pool, separate systemd units. the mail stack (postfix, dovecot, mariadb, snappymail) is never touched by forgejo deploy scripts.

logging

Log volume is intentionally minimized. Current forgejo log configuration:

[log]

MODE = console

LEVEL = Error

LOGGER_ACCESS_MODE =

LOGGER_ROUTER_MODE =

LOGGER_XORM_MODE =

LOGGER_SSH_MODE =

LOGGER_ACCESS_LEVEL = None

LOGGER_ROUTER_LEVEL = None

LOGGER_XORM_LEVEL = None

LOGGER_SSH_LEVEL = None

• ✓ errors only, no info/debug spam
• ✗ no HTTP access log file
• ✗ no router log
• ✗ no xorm/sql query log
• ✗ no ssh log file

nginx for this vhost:

access_log off;

Per-request access logs are not written for depotra.in traffic.

Additional disabled features:

• [metrics] ENABLED = false, no prometheus scrape endpoint
• ENABLE_PPROF = false, no go pprof endpoint exposed
• ENABLE_SWAGGER = false, swagger UI hidden (API still works with tokens)
• SHOW_FOOTER_VERSION = false, SHOW_FOOTER_TEMPLATE_LOAD_TIME = false, SHOW_FOOTER_POWERED_BY = false

exception: the health watchdog writes operational state to /var/log/forgejo-watchdog.log and /var/lib/forgejo/watchdog.state, service up/down, permission fixes, HTTP probe results. that's infra housekeeping, not user activity tracking. auto-update logs to /var/log/forgejo-auto-update.log on weekly schedule.

fonts & third-party assets

we do not load Google Fonts (fonts.googleapis.com, fonts.gstatic.com) or any other external font CDN. the UI uses your device's system font stack (system-ui, Segoe UI, etc.) via CSS only, no outbound font requests.

• ✓ forgejo theme CSS served from /assets/css/ on this host
• ✓ custom amoled.css overrides theme font variables to system fonts
• ✗ no Montserrat, Inter, or other CDN webfonts
• ✗ nginx CSP: font-src 'self' data:, blocks third-party font loads in the browser

what we don't do

• ✗ ads
• ✗ third-party trackers (google analytics, facebook pixel, etc.)
• ✗ Google Fonts or external font CDNs
• ✗ third-party cookies
• ✗ analytics / telemetry beacons
• ✗ nginx access logs
• ✗ outbound email ([mailer] ENABLED = false, forgejo won't mail you)
• ✗ user heatmaps (ENABLE_USER_HEATMAP = false)
• ✗ open registration UI (SHOW_REGISTRATION_BUTTON = false)
• ✗ public explore without login ([service.explore] REQUIRE_SIGNIN_VIEW = true)
• ✗ federated login (ENABLE_OPENID_SIGNIN = false)

password security

On signup and on every password change, Forgejo checks the password against the Have I Been Pwned (HIBP) Pwned Passwords database using k-anonymity (range query to api.pwnedpasswords.com). We do not use XposedOrNot or any other breach-check service for passwords.

[security]

PASSWORD_HASH_ALGO = argon2

MIN_PASSWORD_LENGTH = 12

PASSWORD_CHECK_PWN = true

• passwords stored with argon2, minimum 12 characters
• Forgejo SHA-1 hashes the password locally, sends only the first 5 hex characters of that hash to api.pwnedpasswords.com, receives a list of matching hash suffixes, and compares the remainder on this host
• your full password never leaves this server; HIBP receives a partial hash prefix, not the password or complete hash
• if the password appears in a known breach, signup or password change is rejected

API reference: HIBP Pwned Passwords API (k-anonymity).

auth & cookies

forgejo sessions

[session]

COOKIE_SECURE = true

SAME_SITE = strict



[security]

DISABLE_QUERY_AUTH_TOKEN = true

• TOTP and WebAuthn 2FA available under Settings → Security (optional for all users)
• API tokens can't be passed in query strings (?token= rejected), header only
• session cookie: secure + same-site strict

invite gate (signup wall)

no open signups. nginx auth_request gates /user/sign_up, you need a valid invite cookie or you get bounced to /invite/.

• invite codes: 32-char hex, one-time use, stored in sqlite
• on redeem: code marked used_at, random redeem_token issued, HMAC-signed cookie set
• cookie depot_invite: httponly, secure, samesite=lax, 15 minute TTL
• admin panel auth: bcrypt hash in /etc/forgejo/invite-gate.env (ADMIN_PASS_HASH), verified via password_verify(), not plaintext
• invite PHP has open_basedir locked to invite-gate dir, can't wander the filesystem
• we don't log submitted invite codes anywhere in the gate code

CREATE TABLE invites (

  code TEXT UNIQUE NOT NULL,   -- one-time

  used_at TEXT,                -- set on redeem

  redeem_token TEXT,           -- cookie binding

  revoked_at TEXT,

  expires_at TEXT

);

repo visibility

[repository]

DEFAULT_PRIVATE = private

FORCE_PRIVATE = true

DEFAULT_PUSH_CREATE_PRIVATE = true



[service]

DEFAULT_KEEP_EMAIL_PRIVATE = true

DEFAULT_USER_VISIBILITY = private

SHOW_USER_EMAIL = false

repos are private by default and you can't make public ones. profiles default private, emails hidden.

data retention

what actually persists on disk:

• git repos, your code, until you delete it or your account goes away
• forgejo sqlite, users, issues, PRs, sessions, tokens, etc. (normal forgejo semantics)
• invite sqlite, code metadata (created/used/expired timestamps, optional admin note). not the plaintext code after redeem, just that it was used
• lfs objects, /var/lib/forgejo/data/lfs
• actions artifacts, local storage, ARTIFACT_RETENTION_DAYS = 90
• actions logs, local storage, LOG_RETENTION_DAYS = 180
• attachments, max 2048 MiB per file, 50 files (config limit, not a retention policy)

backups: backup_forgejo.sh archives /var/lib/forgejo, /etc/forgejo, bootstrap secrets. Mail stack backups are separate and outside this scope.

automation timers

• forgejo-watchdog.timer, every 5 minutes. checks forgejo/runner/nginx/fpm/invite-db, auto-restarts failed services. never touches navi.land.
• forgejo-auto-update.timer, Sunday 04:00 weekly, v15.x LTS only, rollback on failure.

what we don't store (on purpose)

• nginx access logs for depotra.in
• forgejo HTTP/router/xorm/ssh log files
• metrics/time-series of your browsing patterns
• marketing profiles, ad segments, "engagement scores"
• plaintext invite codes after redemption
• anything in a third-party SaaS analytics dashboard, because we don't run one

contact

Questions or reports of config mismatches: [email protected]

back·legal·sign in