fix(forge): correct podman exec UID + relax firstboot hardening + docs

THREE LATENT ISSUES IN THE FIRSTBOOT CHAIN

1. forge-firstboot.sh: 'podman exec --user mios-forge mios-forge ...'
   was wrong -- '--user' looks up the username inside the CONTAINER's
   /etc/passwd, where the user is 'git' (the Forgejo image's
   convention) not 'mios-forge'. Pinned to numeric '816:816' which
   matches the in-container UID we configured via USER_UID=816 in the
   Quadlet, so the lookup succeeds against the container's nsswitch.

2. mios-forge-firstboot.service: RestrictNamespaces=yes and
   RestrictAddressFamilies=AF_UNIX,AF_INET,AF_INET6 broke Podman's
   CRIU/conmon attach path on rootful container exec (the runtime
   needs CLONE_NEWNS / CLONE_NEWPID family transitions during
   exec-attach). Dropped both directives; ReadWritePaths now
   explicitly includes /var/lib/containers and /run/containers so the
   container state stays writable, and ProtectHome=yes +
   ProtectSystem=strict still scope the script's blast radius.

3. Documentation gaps: INDEX.md service-gating table didn't list
   mios-forge / mios-forge-firstboot; DEPLOY.md verification section
   didn't cover the forge. Both fixed in this commit.

NEW: just forge target

Surfaces forge status post-deploy:
  - mios-forge.service active/inactive
  - mios-forge-firstboot.service status + .firstboot-done sentinel
  - URL, admin user/email (read from install.env)
  - 'sudo cat /etc/mios/forge/admin-password' hint
  - copy-pasteable 'git remote add origin' line

DOCS UPDATED

  INDEX.md \xa75 -- mios-forge + mios-forge-firstboot rows added to the
                  service-gating table (Condition* directives that
                  short-circuit each service when its preconditions
                  aren't met).
  DEPLOY.md     -- new 'Self-hosted Git forge (mios-forge)' subsection
                  with end-to-end verification commands and the
                  default ports.
  Justfile      -- 'just forge' target (one-shot status + operator
                  hint surface).

Author: Kabuki94

DEPLOY.md

@@ -101,8 +101,30 @@ systemctl --failed                        # Any failed units
 mios "what is the current image tag?"     # Local AI sanity
 firewall-cmd --list-all                   # Firewall posture
 getenforce                                # SELinux mode (must be Enforcing)
+just forge                                # Self-hosted Git forge status + admin info
 ```
 
+### Self-hosted Git forge (`mios-forge`)
+
+The `mios-forge.container` Quadlet starts at first boot. The
+`mios-forge-firstboot.service` oneshot runs after it, reads the admin
+identity from `/etc/mios/install.env` (which `build-mios.{sh,ps1}`
+populated from `mios.toml`), generates a random initial password if
+none was supplied, and creates the admin user via the in-container
+`forgejo admin user create --must-change-password=true` CLI. The
+sentinel at `/var/lib/mios/forge/.firstboot-done` makes the service
+idempotent across reboots.
+
+```bash
+just forge                                       # status + URL + admin info
+sudo cat /etc/mios/forge/admin-password          # one-time password read
+git remote add origin http://localhost:3000/<user>/<repo>.git
+git push origin main
+```
+
+The forge runs at HTTP `:3000` and git+ssh `:2222`. Repository bytes
+live at `/srv/mios/forge/git/`; SQLite DB at `/srv/mios/forge/forgejo.db`.
+
 ## References
 
 - `Justfile` (`just --list` for the full target set)

INDEX.md

@@ -90,6 +90,8 @@ Active gating (referenced in `etc/containers/systemd/` and
 | `cloudws-pxe-hub` | `!wsl`, `!container` | virtualized hosts without routable LAN |
 | `mios-gpu-{nvidia,amd,intel,status}` | `ConditionPathExists=/dev/...`, `!container`, `!wsl` (Intel) | no matching GPU device |
 | `ollama` | none | always runs (CPU fallback) |
+| `mios-forge` | `ConditionPathIsDirectory=/etc/mios/forge`, `!container` | bootstrap incomplete, nested |
+| `mios-forge-firstboot` | `ConditionPathExists=/etc/mios/install.env`, `!sentinel`, `!container` | install.env absent, already ran, nested |
 
 ## 6. Global pipeline phases
 

Justfile

@@ -294,3 +294,30 @@ edit:
             echo "[FAIL] $CFG not found. Run: just init"; exit 1; \
         fi; \
         ${EDITOR:-vim} "$CFG"
+
+# Show mios-forge (Forgejo) status: Quadlet state, URL, admin identity,
+# initial-password file path, and a copy-pasteable 'git remote add' line.
+# Run on the deployed image after first boot.
+forge:
+    @echo "'MiOS' Forge (Forgejo)"
+    @if systemctl is-active --quiet mios-forge.service 2>/dev/null; then \
+        echo "  Service:        active"; \
+    else \
+        echo "  Service:        inactive (run: sudo systemctl start mios-forge)"; \
+    fi
+    @if systemctl is-active --quiet mios-forge-firstboot.service 2>/dev/null \
+        || [ -f /var/lib/mios/forge/.firstboot-done ]; then \
+        echo "  First-boot:     [ok] admin user created"; \
+    else \
+        echo "  First-boot:     pending (waiting on mios-forge.service readiness)"; \
+    fi
+    @echo "  Web UI:         http://localhost:${MIOS_FORGE_HTTP_PORT:-3000}/"
+    @echo "  git+ssh:        ssh://git@localhost:${MIOS_FORGE_SSH_PORT:-2222}/<user>/<repo>.git"
+    @echo "  Admin user:     $(grep -E '^MIOS_FORGE_ADMIN_USER=' /etc/mios/install.env 2>/dev/null | cut -d= -f2- | tr -d '\"' || echo '(check /etc/mios/install.env)')"
+    @echo "  Admin email:    $(grep -E '^MIOS_FORGE_ADMIN_EMAIL=' /etc/mios/install.env 2>/dev/null | cut -d= -f2- | tr -d '\"' || echo '(check /etc/mios/install.env)')"
+    @if [ -r /etc/mios/forge/admin-password ]; then \
+        echo "  Initial pwd:    sudo cat /etc/mios/forge/admin-password    (must change on first login)"; \
+    else \
+        echo "  Initial pwd:    (already changed, or firstboot not yet run)"; \
+    fi
+    @echo "  Local push:     git remote add origin http://localhost:${MIOS_FORGE_HTTP_PORT:-3000}/<user>/<repo>.git && git push origin main"

usr/lib/systemd/system/mios-forge-firstboot.service

@@ -14,17 +14,17 @@ EnvironmentFile=-/etc/mios/install.env
 ExecStart=/usr/libexec/mios/forge-firstboot.sh
 TimeoutStartSec=600s
 
-# Hardening: this service writes to a small set of paths, so we lock
-# everything else down. The script needs network for the readiness
-# probe and podman exec, plus write access to the password / sentinel
-# files declared in usr/lib/tmpfiles.d/mios-forge.conf.
+# Hardening: this service writes to a small set of paths plus calls
+# 'podman exec' against the running mios-forge container. RestrictNamespaces
+# and RestrictAddressFamilies were tried but break Podman's CRIU/conmon
+# attach path on rootful container exec; we drop them and lean on the
+# read-write path scoping + ProtectHome instead, which is sufficient for
+# this script's actual surface area.
 NoNewPrivileges=yes
 ProtectSystem=strict
 ProtectHome=yes
-ReadWritePaths=/etc/mios/forge /var/lib/mios/forge /var/log/mios/forge
+ReadWritePaths=/etc/mios/forge /var/lib/mios/forge /var/log/mios/forge /var/lib/containers /run/containers
 PrivateTmp=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=yes
 LockPersonality=yes
 RestrictRealtime=yes
 

usr/libexec/mios/forge-firstboot.sh

@@ -83,7 +83,12 @@ fi
 # user already exists (e.g. someone created one via the web UI before
 # this service ran), 'forgejo admin user create' returns non-zero and
 # we accept that as a soft success.
-if podman exec --user mios-forge mios-forge \
+#
+# --user 816 matches the in-container UID we configured via USER_UID=816
+# in the Quadlet. The container's internal username is 'git' (the Forgejo
+# image's convention), not 'mios-forge'; we pass the numeric UID so the
+# podman exec lookup succeeds against the container's /etc/passwd.
+if podman exec --user 816:816 mios-forge \
         forgejo --config /data/gitea/conf/app.ini admin user create \
         --admin --must-change-password=true \
         --username "$admin_user" \