From 54e766b728808a41b2a777824f21d69aebdf86ef Mon Sep 17 00:00:00 2001 From: Hari <73809867+harivansh-afk@users.noreply.github.com> Date: Wed, 1 Apr 2026 16:38:15 -0400 Subject: [PATCH 1/3] require sign-in for all forgejo access (#26) Adds REQUIRE_SIGNIN_VIEW to prevent unauthenticated cloning and browsing. --- hosts/netty/configuration.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hosts/netty/configuration.nix b/hosts/netty/configuration.nix index 1fc21b4..399d19e 100644 --- a/hosts/netty/configuration.nix +++ b/hosts/netty/configuration.nix @@ -270,7 +270,10 @@ in HTTP_PORT = 19300; SSH_DOMAIN = forgejoDomain; }; - service.DISABLE_REGISTRATION = true; + service = { + DISABLE_REGISTRATION = true; + REQUIRE_SIGNIN_VIEW = true; + }; session.COOKIE_SECURE = true; mirror = { DEFAULT_INTERVAL = "1h"; From 72b9ee6507de5678956a78a9393b733a642ddda6 Mon Sep 17 00:00:00 2001 From: Hari <73809867+harivansh-afk@users.noreply.github.com> Date: Wed, 1 Apr 2026 16:39:43 -0400 Subject: [PATCH 2/3] forgejo require signin (#27) * require sign-in for all forgejo access Adds REQUIRE_SIGNIN_VIEW to prevent unauthenticated cloning and browsing. * update readme --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8744da8..511b238 100644 --- a/README.md +++ b/README.md @@ -31,5 +31,5 @@ The VPS has a declarative service bundle: - netty exposes 3 tcp ports (22:ssh, 80:http, 443:https) - services only listen on 127.0.0.1 (runs behind nginx with ACME) - Self hosts Forgejo mirroring to GitHub (git.harivan.sh) -- Self hosts VaultWarden (vault.harivan.sh) -- Runs sandbox agent behind a CORS proxy (netty.harivan.sh) \ No newline at end of file +- Self hosts VaultWarden +- Runs sandbox agent behind a CORS proxy From 3a40e8d6342ada4eee482c8b8bc51511a563733b Mon Sep 17 00:00:00 2001 
From: Hari <73809867+harivansh-afk@users.noreply.github.com> Date: Wed, 1 Apr 2026 16:40:49 -0400 Subject: [PATCH 3/3] updatereadme (#28) --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 511b238..1506ae0 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,8 @@ Global agent skills are installed declaratively using skills.sh and only resync Secrets live in Bitwarden and are rendered at activation time using cli Deployment is `just switch` for the laptop and `just switch-netty` for the server. +All PRs auto-merge on creation if tests pass + The VPS has a declarative service bundle: - netty exposes 3 tcp ports (22:ssh, 80:http, 443:https) - services only listen on 127.0.0.1 (runs behind nginx with ACME)
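Review bot: the new `REQUIRE_SIGNIN_VIEW = true;` in the `service` block of hosts/netty/configuration.nix (PATCH 1/3) has no comment stating its intent and no check that it took effect, and the commit message's "prevent unauthenticated cloning" holds only for this Forgejo instance. The README in this series says Forgejo mirrors to GitHub, and the `mirror` block sits directly below the change, so anything mirrored to a public GitHub repository stays readable without sign-in. Suggest a one-line Nix comment above the setting that records the intent and the mirror caveat, plus a post-deploy smoke test confirming that an anonymous request for a repository page and an anonymous `git clone` over HTTPS are both refused.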
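Review bot: removing `(vault.harivan.sh)` and `(netty.harivan.sh)` from the last two bullets of the README hunk in PATCH 2/3 does not hide those hostnames, because they remain in the repository history and in this patch, while `(git.harivan.sh)` is kept on the Forgejo bullet. If the aim is to reduce exposure, say so in the commit message and treat the README edit as cosmetic; if the ACME certificates come from a public CA, the names are also recorded in certificate transparency logs. The commit body also repeats "Adds REQUIRE_SIGNIN_VIEW ..." although this diff touches only README.md, so the squash message should be trimmed to match the change.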
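Review bot: the added README line `All PRs auto-merge on creation if tests pass` (PATCH 3/3) documents a merge policy without saying which tests gate it or whether access-control changes are exempt. PATCH 1/3 in this series changes who can read the Forgejo instance through hosts/netty/configuration.nix, and the three commits are dated within about three minutes of each other (16:38:15 to 16:40:49), so as written a change of that kind can land with no human review. Suggest naming the test suite in the README and stating whether changes under hosts/ require a manual approval before merge.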