Skip to content

Access control (team-only)

Team: rafael.gonzalez.albes and alex only.

Public without login: rafaelgonzalezalbes.com — portfolio static site on IONOS (indexable by Google).

Everything else requires an account on the relevant service.

Portfolio: website vs git

Surface Google / SEO Direct URL Login for content
Live site (rafaelgonzalezalbes.com) Indexable (robots, sitemap) Public No
Git source (git.../portfolio) Not indexed 404 without login Yes (you + alex)
Platform (git, ci, pm, status, docs, …) X-Robots-Tag: noindex via Traefik Works if you know URL Yes

Locking the Forgejo repo private does not take down the public website — CI deploys built files to IONOS via SFTP.

Per service

Service URL Who can access How
Portfolio website rafaelgonzalezalbes.com Everyone Static files on IONOS
Forgejo git.* Rafael + Alex Login; registration disabled; all repos private
Woodpecker ci.* Rafael + Alex Forgejo OAuth; WOODPECKER_OPEN=false
Plane pm.* Rafael + Alex Invite-only (ENABLE_SIGNUP=0)
Uptime Kuma status.* Rafael + Alex Login; no public status page
Docs docs.* Rafael + Alex Traefik noindex; team knowledge base
Plane MCP mcp.* Rafael + Alex Plane OAuth
Bridge bridge.* Webhooks only Shared secrets (not for browsing)

Apply lockdown on VPS

After sync-to-server.sh:

ssh bioscan-vps
cd /opt/devops
bash scripts/lockdown-platform.sh

This script:

  1. Verifies Forgejo has only the two team users
  2. Sets repos to private
  3. Unpublishes the Kuma /status/platform page
  4. Confirms Plane ENABLE_SIGNUP=0
  5. Sets WOODPECKER_ADMIN=rafael.gonzalez.albes,alex

Onboard Alex (one-time checklist)

  1. Forgejo account alex exists
  2. bash scripts/add-alex-to-infra.sh and bash scripts/add-alex-to-bioscan.sh
  3. Plane → Workspace settings → Members → invite alex
  4. Alex logs into Woodpecker via Forgejo OAuth

Full step-by-step for Alex: Team onboarding.

Audit access

ssh bioscan-vps
PLANE_API_KEY='...' PLANE_WORKSPACE_SLUG='rafael-gonzalez-albes' bash /opt/devops/scripts/audit-team-access.sh

Or use the infra-ops MCP tool audit_team_access (runs on VPS via SSH).

Security notes

  • Git repo privacy ≠ website privacy. Portfolio source is private in Forgejo; the built site on IONOS is public by design.
  • Do not commit local/.env, secrets/plain/*, or API tokens.
  • Rotate tokens if plain secrets were ever committed (scripts/rotate-exposed-secrets.md).
  • Traefik adds X-Robots-Tag: noindex, nofollow on platform subdomains.
  • Woodpecker clone fails after making a repo private → run bash scripts/refresh-woodpecker-forgejo-token.sh, then bash scripts/fix-portfolio-repo-private.sh (Woodpecker needs repos.private=true for OAuth clone), then bash scripts/trigger-portfolio-pipeline.sh.

Repo visibility policy

Repo Visibility
rafael.gonzalez.albes/portfolio Private (public site on IONOS)
infra/devops Private
bioscan/bioscancheck Private
Future bioscan/* apps Private