| author | Franck Cuny <franck@fcuny.net> | 2025-10-18 14:46:47 -0700 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2025-10-18 14:46:47 -0700 |
| commit | d09952fcd5ae3b73ea91f0f308527f70c0dc5c21 (patch) | |
| tree | 08a570d4da8fd6c15285b461d3df6b283c477226 | |
| parent | configure wireguard for rivendell (diff) | |
| download | infra-d09952fcd5ae3b73ea91f0f308527f70c0dc5c21.tar.gz | |
move keycloak and forgejo on rivendell
I had to rekey all the secrets. Updated the documentation for how to set up
both forgejo and keycloak.
Diffstat (limited to '')
20 files changed, 90 insertions, 93 deletions
diff --git a/docs/keycloak.org b/docs/keycloak.org index c8760ff..cd6e773 100644 --- a/docs/keycloak.org +++ b/docs/keycloak.org @@ -1,18 +1,17 @@ * Keycloak -Running at id.fcuny.net +Running at https://id.fcuny.net. There's an admin user in 1password. +** Bootstrap +#+begin_src shell +ssh keycloak-host -L 8080:localhost:8080 +#+end_src + +Then go to =http://localhost:8080= with your browser to setup the initial user. ** Client for forgejo -- create a client with name =forgejo= -- set root URL to =https://code.fcuny.net= -- set home URL to =https://code.fcuny.net= -- set valid redirects URL to =https://code.fcuny.net*= -- set web origins to =https://code.fcuny.net= -- set admin URL to https://code.fcuny.net -- set client authentication to =on= -- keep =standard flow= checked and nothing else +The client is managed by terranix. *** forgejo configuration - create a new authentication source under https://code.fcuny.net/admin/auths - choose OAuth2 @@ -34,11 +33,4 @@ First, we need a client ID and a secret. The client can be created in the UI: The go to "Service account roles" for the newly created client, and ensure it has =admin= role (assign role -> filter by realm roles -> admin). -Export the secret with =KEYCLOAK_CLIENT_SECRET=. - -To import resources: -#+begin_src bash -nix run .#tf -- import keycloak_realm.master master -nix run .#tf -- import keycloak_user.fcuny master/d0fdbc04-8f6c-4558-8fd6-ebf7d9e23e6f -... -#+end_src +Export the secret with =KEYCLOAK_CLIENT_SECRET= (it might be already be set in =../.envrc.local=). diff --git a/docs/tofu.org b/docs/tofu.org new file mode 100644 index 0000000..5747f9e --- /dev/null +++ b/docs/tofu.org 
@@ -0,0 +1,15 @@
+* Tofu/terranix
+
+I use terranix to manage some configurations with terraform/tofu.
+
+I usually start by cleaning the working directory:
+#+begin_src shell
+rm -rf .terraform*
+#+end_src
+
+Then we can =init=, =plan=, and =build=:
+#+begin_src shell
+nix run .#tf -- init
+nix run .#tf -- plan
+nix run .#tf -- build
+#+end_src
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index 0d74a1f..b49431f 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -20,13 +20,13 @@
 {
 # vm-synology
 publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
- allowedIPs = [ "10.100.0.0/24" ];
+ allowedIPs = [ "10.100.0.40/32" ];
 persistentKeepalive = 25;
 }
 {
 # rivendell
 publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
- allowedIPs = [ "10.100.0.0/24" ];
+ allowedIPs = [ "10.100.0.60/32" ];
 persistentKeepalive = 25;
 }
 ];
diff --git a/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix b/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
index 78c0667..9267d20 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
@@ -52,10 +52,10 @@
 acmeRoot = null;
 forceSSL = true;
 locations."/" = {
- proxyPass = "http://10.100.0.40:3000";
+ proxyPass = "http://10.100.0.60:3000";
 };
 locations."/metrics" = {
- proxyPass = "http://10.100.0.40:3000/metrics";
+ proxyPass = "http://10.100.0.60:3000/metrics";
 extraConfig = ''
 deny all;
 access_log off;
@@ -75,7 +75,7 @@
 acmeRoot = null;
 forceSSL = true;
 locations."/" = {
- proxyPass = "http://10.100.0.40:8080";
+ proxyPass = "http://10.100.0.60:8080";
 };
 };
 "fcuny.net" = {
diff --git a/machines/nixos/x86_64-linux/rivendell/default.nix b/machines/nixos/x86_64-linux/rivendell/default.nix
index 1f38f6f..a34e885 100644
--- a/machines/nixos/x86_64-linux/rivendell/default.nix
+++ b/machines/nixos/x86_64-linux/rivendell/default.nix
@@ -10,6 +10,8 @@
 (modulesPath + "/installer/scan/not-detected.nix")
 inputs.nixos-hardware.nixosModules.framework-desktop-amd-ai-max-300-series
 ../../../../profiles/disk/btrfs-on-luks.nix
+ ../../../../profiles/forgejo.nix
+ ../../../../profiles/keycloak.nix
 ];
 age = {
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
index d04a44a..915d851 100644
--- a/machines/nixos/x86_64-linux/synology-vm/default.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/default.nix
@@ -9,8 +9,6 @@
 ./disks.nix
 ./hardware.nix
 ./secrets.nix
- ./profiles/forgejo.nix
- ./profiles/keycloak.nix
 ./profiles/goget.nix
 ];
diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix b/profiles/forgejo.nix
index 18d6207..70af185 100644
--- a/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix
+++ b/profiles/forgejo.nix
@@ -1,9 +1,4 @@
-{
- self,
- config,
- pkgs,
- ...
-}:
+{ config, pkgs, ... }:
 let
 # convenience wrapper for admin commands
 forgejo-admin = pkgs.writeShellScriptBin "forgejo-admin" ''
@@ -14,7 +9,7 @@ in
 networking.firewall.allowedTCPPorts = [ 3000 ];
 age.secrets.forgejo-fastmail = {
- file = "${self}/secrets/forgejo-fastmail.age";
+ file = ../secrets/forgejo-fastmail.age;
 };
 environment.systemPackages = [ forgejo-admin ];
@@ -41,7 +36,6 @@ in
 DOMAIN = "code.fcuny.net";
 ROOT_URL = "https://code.fcuny.net";
 HTTP_PORT = 3000;
- HTTP_ADDR = "10.100.0.40";
 LANDING_PAGE = "explore";
 };
 mailer = {
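Review bot: Removing `HTTP_ADDR = "10.100.0.40"` without a replacement leaves Forgejo on its default bind address (all interfaces), while the hunk above keeps `networking.firewall.allowedTCPPorts = [ 3000 ];`, so on rivendell port 3000 is now reachable on every interface rather than only on the WireGuard address the reverse proxy uses. The `http-host` removal in the keycloak.nix hunk on the next line has the same effect for port 8080, and since Keycloak runs with `proxy-headers = "xforwarded"` any client that reaches 8080 directly can present its own forwarded headers instead of going through the TLS-terminating proxy. Binding both listeners to the tunnel address nginx.nix now proxies to, `HTTP_ADDR = "10.100.0.60";` and `http-host = "10.100.0.60";`, restores the previous exposure; alternatively scope the opening to the tunnel with `networking.firewall.interfaces.<wg-interface>.allowedTCPPorts = [ 3000 ];`. The enclosing attribute set (presumably `settings.server`) starts and ends outside the hunk.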
@@ -93,18 +87,18 @@ in
 };
 };
- my.modules.backups = {
- local.paths = [ "/var/lib/forgejo" ];
- local.exclude = [
- "/var/lib/forgejo/data/indexers"
- "/var/lib/forgejo/data/repo-archive"
- "/var/lib/forgejo/data/tmp"
- ];
- remote.paths = [ "/var/lib/forgejo" ];
- remote.exclude = [
- "/var/lib/forgejo/data/indexers"
- "/var/lib/forgejo/data/repo-archive"
- "/var/lib/forgejo/data/tmp"
- ];
- };
+ # my.modules.backups = {
+ # local.paths = [ "/var/lib/forgejo" ];
+ # local.exclude = [
+ # "/var/lib/forgejo/data/indexers"
+ # "/var/lib/forgejo/data/repo-archive"
+ # "/var/lib/forgejo/data/tmp"
+ # ];
+ # remote.paths = [ "/var/lib/forgejo" ];
+ # remote.exclude = [
+ # "/var/lib/forgejo/data/indexers"
+ # "/var/lib/forgejo/data/repo-archive"
+ # "/var/lib/forgejo/data/tmp"
+ # ];
+ # };
 }
diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix b/profiles/keycloak.nix
index b6fb6c3..7aac133 100644
--- a/machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix
+++ b/profiles/keycloak.nix
@@ -1,7 +1,7 @@
-{ config, self, ... }:
+{ config, ... }:
 {
 age.secrets.keycloak-db-password = {
- file = "${self}/secrets/keycloak-db-password.age";
+ file = ../secrets/keycloak-db-password.age;
 };
 networking.firewall.allowedTCPPorts = [ 8080 ];
@@ -11,7 +11,6 @@
 database.passwordFile = config.age.secrets.keycloak-db-password.path;
 settings = {
 hostname = "id.fcuny.net";
- http-host = "10.100.0.40";
 http-port = 8080;
 proxy-headers = "xforwarded";
 http-enabled = true;
diff --git a/secrets/cloudflare-nginx.age b/secrets/cloudflare-nginx.age
Binary files differindex 6800d5b..3dca56c 100644
--- a/secrets/cloudflare-nginx.age
+++ b/secrets/cloudflare-nginx.age
diff --git a/secrets/do/host-ed25519-key.age b/secrets/do/host-ed25519-key.age
Binary files differindex 69510ed..ef10a90 100644
--- a/secrets/do/host-ed25519-key.age
+++ b/secrets/do/host-ed25519-key.age
diff --git a/secrets/do/wireguard.age b/secrets/do/wireguard.age
index e959862..19dfb0e 100644
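Review bot: The `my.modules.backups` block for `/var/lib/forgejo` is commented out rather than removed or re-homed, with no comment saying why, so after this move rivendell holds the forge's state under `/var/lib/forgejo` with neither the local nor the remote backup configured, and the commit message does not mention it. If the backup module is not yet wired up on rivendell, a line such as `# TODO: re-enable once <reason> is resolved on rivendell` above the block would record that this is temporary; if it is available, the block can stay active as-is since the paths did not change. The enclosing module set closes at the `}` in this hunk.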
--- a/secrets/do/wireguard.age +++ b/secrets/do/wireguard.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 pFjJaA iOwZlej6WOezWYg6Ny3rTKZ2sBeWI9i6EzUzyBvxqzY -VxAoCn7/jPLEl6CPrRlgRLKXRiPdtvUQ7uouC10O4xM --> ssh-ed25519 8Nmf6A zCM/oBDQYgMHShRN4Ot/VY230ojHuobZDoueu+3ITnQ -MtblJtdI6uHzHjIBudIFn1hrJDRa3lyM5HjXs1BJGnU ---- zn5OUqFqPe0iT1rkmy5CxZlURLb5ao8soPpTVo5jIFI -ܑ;f1ra
NF@7B5.bxj{FKw!$jj#)I,ㆂ.L
\ No newline at end of file +-> ssh-ed25519 pFjJaA Y0Rjr5u2uGI790/JvO7VoQSxF2KpS67e3ff0s1pXj3A +7Lk30Dwsa9TfbxtEpZFWeDSRPRN66IXu2mFCWaXZIsA +-> ssh-ed25519 8Nmf6A n76CvLiAh4fjWtRx/DPRJUeazkUMxQ0Oc2qSGj0fDgk +D7ULUEBjuzmUTzIEC8bzet7SJMJC0cHYgQoil8Q3/3c +--- o9Qerf9m8XuzxQ1GzPZVumNlE4kBZzABb4PbriMXeNQ +̛%U/:"|X8(0S~zoO:4?Y?!H$ls~
\ No newline at end of file diff --git a/secrets/forgejo-fastmail.age b/secrets/forgejo-fastmail.age Binary files differindex bad24e6..ddb69f1 100644 --- a/secrets/forgejo-fastmail.age +++ b/secrets/forgejo-fastmail.age diff --git a/secrets/keycloak-db-password.age b/secrets/keycloak-db-password.age index 6ac0e85..21a1a7e 100644 --- a/secrets/keycloak-db-password.age +++ b/secrets/keycloak-db-password.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 pFjJaA cmAZbTltBmkWqUjWnr57vyxGl+5c96bxME0SS6w7ozs -7bu8taoNlffYBuhKAhQ4bid2fRs45IYKgIZmiJKX9xk --> ssh-ed25519 qRUWSw 3c8Lqxx5rVaUBG3J05ffcNHP7I4Rq4kEvKQQgC29nxE -R9EojU4XpWpBnTCWEF4p94SGGQ0TZwI8BBxRlg+/6hc ---- AK9ErFYwVcMqqejL/qAHVt7se+s9LSdiMBarumrwRZg -y\hGprO֭bb4A{`\.b){m_
\ No newline at end of file +-> ssh-ed25519 pFjJaA u7eibDVH1zLVbZkW2/cJcKfHwUvSjAL41nhZ8lb/TF8 +fQ1C/6A7G2sOmS3YyORQ0tJgmgxSkZFdq+LmkJuLuh4 +-> ssh-ed25519 Y5h84Q ymkfeS/fq1BfAievpj2UstwWSSW+IRCqXfuPy8zX92Y +wSd280jyTsOOAxxkBhNrHQ6xfd/RjcIWH0QP9RtEJeY +--- RoXe7h0yyYK/QAdlKQp2ucIK2lsaxmb9tbxZ0DU61kw +k_Q``cQb)'IuCuNl6+^CZ2
\ No newline at end of file diff --git a/secrets/nas_client.age b/secrets/nas_client.age Binary files differindex 4118f9f..f24a6ed 100644 --- a/secrets/nas_client.age +++ b/secrets/nas_client.age diff --git a/secrets/restic_gcs_credentials.age b/secrets/restic_gcs_credentials.age Binary files differindex 0a7b689..101a7aa 100644 --- a/secrets/restic_gcs_credentials.age +++ b/secrets/restic_gcs_credentials.age diff --git a/secrets/restic_password.age b/secrets/restic_password.age index 9062156..8db89a5 100644 --- a/secrets/restic_password.age +++ b/secrets/restic_password.age @@ -1,9 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 pFjJaA FE3RMgUxVGFCI1wI6YBz1QbZS1MTgTfMlDdoWzOpKlc -sAA4/6VYI+q8xwo3DMDA/70t4Xf57hZmW6Itxi6relY --> ssh-ed25519 qRUWSw DbEKBuyCDRAdlTrytJx1UuCSbA82SStTM5V5YrvGkn8 -JX0393noMLYj6qUCDH4y686eOuPQPVIdK44sjw8ul9w ---- cVmK2XpBhsnM5qgHZjdR9PLnUpi5m0pj2a6zVbK2WZ4 -D8H=t&f}<k {T+fc7W -u$' -ԵuF?
\ No newline at end of file +-> ssh-ed25519 pFjJaA 5KWfhxNk3FAF68Iry4yvyPIxF5AfDvPZUj4paHQGBQA +j/TPillAQNbuqvaudO2SRH+wRmJlcwwrW5cGKBHk3bw +-> ssh-ed25519 qRUWSw AHkeUh1rsr6ddoH9Z3g+mG6rmHPMIstn+Ln6dRr/eS8 +PsVdJkliyr0OhtLwmtnfzR1s8N+oMHpToGkq6l5UGPo +--- cf9ExBbs2M12iIrTMUengqVgLKJD00nhPaLVbCVGN4I +W!o˛&lTƁ&NğTv*s[źbT+;
\ No newline at end of file diff --git a/secrets/rivendell/wireguard.age b/secrets/rivendell/wireguard.age index cedc155..e9c7308 100644 --- a/secrets/rivendell/wireguard.age +++ b/secrets/rivendell/wireguard.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 pFjJaA yX115u9bhmWSBuvkwd94kOuuz7I1jIViRfX6GqsNOGg -AF+GO3PXF2YUh/Q0HdrSgmwycrmWwEp+jJtk5sd+UY4 --> ssh-ed25519 Y5h84Q CvmWwsgwFJkdBpkMsb10/QjR1l5hBxAFs3mqsHjgjwY -XoXKK3JH6bdWfwKsaoLTK2rK4f3uuPOieLb/IwtV/Gc ---- mSxeIgzkrqgnyeUm52rvVRmaGLsqyIVv7dEBTXRNBSw -\jP[(GǸkhCA`1ztHvsM7-WPQvct^#l=Q\04
\ No newline at end of file +-> ssh-ed25519 pFjJaA ZTzkRZ66+yhHksE9WVFCkRVRgB45t0wNd2pUE66VmzA +7eggYsHXV9i4U+rU+gfWaW0TvwokmXBPNQSa3NebpFo +-> ssh-ed25519 Y5h84Q HuwiTMDWku0ZHKorfgksv0duG8zJL742AerQIvAPHms +Es4hk20knqHdQv2KZBDMFednDzd/Zvkr1RfqOPLfMyY +--- FrE5GOxQwCBJwXSzMJF5hgx04pmz54jAWun5YpEfD1Y +05mx
>b毹OK'N!V<62@}S-)^N?bUYE
\ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 72bd62c..658da54 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -12,11 +12,11 @@ in { "forgejo-fastmail.age".publicKeys = [ users.fcuny - hosts.vm-synology + hosts.rivendell ]; "keycloak-db-password.age".publicKeys = [ users.fcuny - hosts.vm-synology + hosts.rivendell ]; "cloudflare-nginx.age".publicKeys = [ users.fcuny diff --git a/secrets/ssh-remote-builder.age b/secrets/ssh-remote-builder.age index 14f343c..d10ac6d 100644 --- a/secrets/ssh-remote-builder.age +++ b/secrets/ssh-remote-builder.age @@ -1,11 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 pFjJaA kz8dUf2Qkw+XSKBCp/0S8INQg+CEa3MXhzLfZfx3FHo -R7vbSTkDWLLQbiRoCZWIxirH2gfGkBUzYUQYVq4WoxM --> ssh-ed25519 qRUWSw e0S9joQotJ2yBHClnZNkajjV+fQ14K4cyH7MuUPZM0A -XppDbDmyLfQ0CjD0iGRovNjNLXDySQ0xuBtx7v2qnOA --> ssh-ed25519 E2Yu8Q kWHQZgcHT+cBPoT4AzFmeRg/5YOdbyhlkvss+XKdM30 -QcHvmCaiWJY8NGWSHoK02tJ0CAW5bowsar96r/tR67Q ---- vrFHpETvMrLdoebIcPdOUxcDf2gMnfUtjpYVeUmd000 -) -_d<3A6pe&B[pOӀ8dBúĆMfw_xy]U߮[V6WGw]m{}*X+|ޭJ^PݾB%c]2̚N*JLC]#`B= -5 HeTlnKkL.V;Uŋ%`59olD,0,Cyo -0ǫri
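Review bot: Replacing `hosts.vm-synology` with `hosts.rivendell` in the `publicKeys` lists only changes who can decrypt future ciphertexts; it revokes nothing, because the previous `forgejo-fastmail.age` and `keycloak-db-password.age` ciphertexts remain in git history and were encrypted to the old host's key. The rekey in this commit also appears to re-encrypt the same plaintexts rather than rotate them — the WireGuard `publicKey` values in do-rproxy/default.nix are unchanged even though both `wireguard.age` files were rewritten, and the restic and remote-builder secrets keep their recipients. If vm-synology is meant to lose access to the DB password and the Fastmail credential, they need to be rotated at the source and re-encrypted, and a comment on these two entries, e.g. `# rotated <date> after moving off vm-synology`, would record that this was done.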
=#3=1m)ݖ8lmFQ~p1>~ʒȏ{dDؼQZKIҜҐN '6)`rću^[lD-_v`$cߐt+N6~̡͎l!5yR{p[2&H2xu6xI2^*j2
\ No newline at end of file +-> ssh-ed25519 pFjJaA 84O2SPCUx+QVlQmLN7fdDmfgClYXHvYcUuKTQVIVaxY +eBnck8bhHN7xvpogTjciztNrgaiwfTrygF2R2LgmZ6Q +-> ssh-ed25519 qRUWSw oh0qeksN0bzOADFq79bzRFPHvgJIysWrKIin+aJonko +Cb052NA2jRTpmp7J4ubCGEn9NWdcHXQtDmZik5gCDm0 +-> ssh-ed25519 E2Yu8Q 0NCgJMvW+YFdKNWPvec05WRi63/adKvyrisyqW59JB0 +lE99gvBokfXkwKmluCtoy4hbh8Jk/k5WPDs0WHccYoM +--- 8d0KnB6sOB92oKS4jEDMsJ+q/R+kw7YSLOhLz1vKA2w +k)?OB6*C[?Weր\Eɟ9&d2:w{vxZ#!n-Pq
VMѣݝkr*x[dd0tz8(\/gW;6~}`
i~ڥsWKތ?.㲹ʲTRBf+NJH
)oX`(Bݗ 0MCx%ҕغ(ز;JLԾP-oƛ#tgAjR@{+\7߇= Id?Ԙ?4QB<٬'#[pc@ۧtb4<i-m@aU`^bX៤`B`bݭOKUA0^+D'?
zMPԀׯٴgcuㇷ
\ No newline at end of file diff --git a/secrets/vm-synology/wireguard.age b/secrets/vm-synology/wireguard.age index 2b750e9..b1a1384 100644 --- a/secrets/vm-synology/wireguard.age +++ b/secrets/vm-synology/wireguard.age @@ -1,7 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 pFjJaA 8sS1TpcBjcc0+Up15kXuS14b1iCmk4lxmkjWdxijTU4 -4AWYQoFymg+GUUOBQIzc2YWgX/p/VY45PA6aMFeTWqM --> ssh-ed25519 qRUWSw kfUXP5B9JRVccoqStdMkj81qYoEZOrVcLr2YTtnV6SE -hDAY3gXyfhYxKPZvIiXIJoqJOK+2qKzxmdXjjNVy48w ---- JvXubYcS99y0WWBD9T6ByQdawMAp9RoyV0kbE6ya4zQ -Q5Ժw"j[oϐDS(L4@)XvOS܍˕ŊhJpVhߊ`
\ No newline at end of file +-> ssh-ed25519 pFjJaA +fvsiaJMb18gU/QCaD9yHhOO+2XKznzOrYW2sX/NwE0 +iBLuUNGccw/rU294GUPW42LsK7x8tCLmD0Hlb9Jy1+E +-> ssh-ed25519 qRUWSw 6DQndWls6IHZCXuTBJDoEQ/M7Z1Ahr61oJviPP02Ln8 +18nr/YXPC1II3eV2Qdj5kSYPa+WeyXL3k6zJ9g10rl8 +--- KP/xhZkn1tNxbRanbGzryFXwEgdGj9UJWGWeYF0uuOA +]2`v >ջpgo9j +"yvBh.D:GW\]`G
Stnx0ūa
\ No newline at end of file |
