Access control (team-only)¶
Team: rafael.gonzalez.albes and alex only.
Public without login: rafaelgonzalezalbes.com — portfolio static site on IONOS (indexable by Google).
Everything else requires an account on the relevant service.
Portfolio: website vs git¶
| Surface | Google / SEO | Direct URL | Login for content |
|---|---|---|---|
Live site (rafaelgonzalezalbes.com) |
Indexable (robots, sitemap) |
Public | No |
Git source (git.../portfolio) |
Not indexed | 404 without login | Yes (you + alex) |
Platform (git, ci, pm, status, docs, …) |
X-Robots-Tag: noindex via Traefik |
Works if you know URL | Yes |
Locking the Forgejo repo private does not take down the public website — CI deploys built files to IONOS via SFTP.
Per service¶
| Service | URL | Who can access | How |
|---|---|---|---|
| Portfolio website | rafaelgonzalezalbes.com |
Everyone | Static files on IONOS |
| Forgejo | git.* |
Rafael + Alex | Login; registration disabled; all repos private |
| Woodpecker | ci.* |
Rafael + Alex | Forgejo OAuth; WOODPECKER_OPEN=false |
| Plane | pm.* |
Rafael + Alex | Invite-only (ENABLE_SIGNUP=0) |
| Uptime Kuma | status.* |
Rafael + Alex | Login; no public status page |
| Docs | docs.* |
Rafael + Alex | Traefik noindex; team knowledge base |
| Plane MCP | mcp.* |
Rafael + Alex | Plane OAuth |
| Bridge | bridge.* |
Webhooks only | Shared secrets (not for browsing) |
Apply lockdown on VPS¶
After sync-to-server.sh:
ssh bioscan-vps
cd /opt/devops
bash scripts/lockdown-platform.sh
This script:
- Verifies Forgejo has only the two team users
- Sets repos to private
- Unpublishes the Kuma
/status/platformpage - Confirms Plane
ENABLE_SIGNUP=0 - Sets
WOODPECKER_ADMIN=rafael.gonzalez.albes,alex
Onboard Alex (one-time checklist)¶
- Forgejo account
alexexists bash scripts/add-alex-to-infra.shandbash scripts/add-alex-to-bioscan.sh- Plane → Workspace settings → Members → invite alex
- Alex logs into Woodpecker via Forgejo OAuth
Full step-by-step for Alex: Team onboarding.
Audit access¶
ssh bioscan-vps
PLANE_API_KEY='...' PLANE_WORKSPACE_SLUG='rafael-gonzalez-albes' bash /opt/devops/scripts/audit-team-access.sh
Or use the infra-ops MCP tool audit_team_access (runs on VPS via SSH).
Security notes¶
- Git repo privacy ≠ website privacy. Portfolio source is private in Forgejo; the built site on IONOS is public by design.
- Do not commit
local/.env,secrets/plain/*, or API tokens. - Rotate tokens if plain secrets were ever committed (
scripts/rotate-exposed-secrets.md). - Traefik adds
X-Robots-Tag: noindex, nofollowon platform subdomains. - Woodpecker clone fails after making a repo private → run
bash scripts/refresh-woodpecker-forgejo-token.sh, thenbash scripts/fix-portfolio-repo-private.sh(Woodpecker needsrepos.private=truefor OAuth clone), thenbash scripts/trigger-portfolio-pipeline.sh.
Repo visibility policy¶
| Repo | Visibility |
|---|---|
rafael.gonzalez.albes/portfolio |
Private (public site on IONOS) |
infra/devops |
Private |
bioscan/bioscancheck |
Private |
Future bioscan/* apps |
Private |