---
name: internal-api
description: Use http://172.16.3.20:3000 for Gitea API; git.azcomputerguru.com is behind Cloudflare and blocks curl
applies-to: all
---

# Gitea API Access

## Internal IP for API calls

Always use the internal IP for Gitea API calls:

```
http://172.16.3.20:3000
```

The public URL `git.azcomputerguru.com` is proxied through Cloudflare. Cloudflare's bot protection blocks programmatic curl requests with HTTP 403 or challenge pages. The internal IP bypasses Cloudflare entirely and is accessible from all machines on the office network and Tailscale.

## Git remotes (push/pull)

For git push and pull, the public URL works fine — git's SSH/HTTPS protocols are not affected by Cloudflare's bot challenge:

```bash
git push https://azcomputerguru@git.azcomputerguru.com/azcomputerguru/gururmm.git main
git remote set-url origin https://azcomputerguru@git.azcomputerguru.com/azcomputerguru/claudetools.git
```

Only API calls (REST HTTP) need the internal IP.

## API base URLs

| Use case | URL |
|----------|-----|
| Gitea REST API | `http://172.16.3.20:3000/api/v1/` |
| Gitea web UI | `http://172.16.3.20:3000/` |
| GuruRMM repo | `http://172.16.3.20:3000/azcomputerguru/gururmm` |
| ClaudeTools repo | `http://172.16.3.20:3000/azcomputerguru/claudetools` |

## Authentication

Gitea API tokens are stored in the vault. The push account `azcomputerguru` is shared, but individual API tokens should be scoped appropriately.

## Example API call

```bash
# Correct — internal IP
# <API_TOKEN> is a placeholder for a token retrieved from the vault
curl -s "http://172.16.3.20:3000/api/v1/repos/azcomputerguru/gururmm/releases" \
  -H "Authorization: token <API_TOKEN>"

# Wrong — blocked by Cloudflare
curl -s "https://git.azcomputerguru.com/api/v1/repos/azcomputerguru/gururmm/releases" \
  -H "Authorization: token <API_TOKEN>"
```

## Webhook

The build webhook is separate — it runs on Saturn (172.16.3.30:9000), not Gitea:

```
POST http://172.16.3.30:9000/webhook/build
Header: X-Hub-Signature-256: sha256=<signature>
Secret: gururmm-build-secret
```
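
How a sender and a receiver would handle the `X-Hub-Signature-256` header above, as an added example that is not the Saturn webhook's own code. It assumes the GitHub-style convention (hex HMAC-SHA256 of the raw request body, keyed with the shared secret); the secret, payload fields and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

PREFIX = "sha256="


def sign(secret: bytes, body: bytes) -> str:
    """Return the X-Hub-Signature-256 header value for a raw request body."""
    return PREFIX + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Check a received header against the raw body bytes."""
    if not header or not header.startswith(PREFIX):
        return False  # header missing, or not the expected algorithm prefix
    expected = sign(secret, body)
    # compare_digest runs in constant time, so a mismatch does not reveal
    # how many leading characters of the signature were correct.
    return hmac.compare_digest(expected.encode(), header.encode())


# Constructed sample values (assumptions, not taken from the real service).
SAMPLE_SECRET = b"constructed-example-secret"
SAMPLE_BODY = json.dumps({"repository": "gururmm", "ref": "refs/heads/main"}).encode()


def demo() -> dict:
    header = sign(SAMPLE_SECRET, SAMPLE_BODY)
    # Re-serialising the JSON changes the bytes (here: no spaces after
    # separators), so the receiver must verify the body exactly as received.
    reserialised = json.dumps(json.loads(SAMPLE_BODY), separators=(",", ":")).encode()
    return {
        "valid": verify(SAMPLE_SECRET, SAMPLE_BODY, header),
        "reserialised_body": verify(SAMPLE_SECRET, reserialised, header),
        "wrong_secret": verify(b"other-secret", SAMPLE_BODY, header),
        "missing_header": verify(SAMPLE_SECRET, SAMPLE_BODY, None),
        "bare_hex_no_prefix": verify(SAMPLE_SECRET, SAMPLE_BODY, header[len(PREFIX):]),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The sender passes the value returned by `sign()` as the `X-Hub-Signature-256` header and posts the same bytes it signed.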