authorFranck Cuny <franck@fcuny.net>2025-10-18 14:46:47 -0700
committerFranck Cuny <franck@fcuny.net>2025-10-18 14:46:47 -0700
commitd09952fcd5ae3b73ea91f0f308527f70c0dc5c21 (patch)
tree08a570d4da8fd6c15285b461d3df6b283c477226 /machines/nixos/x86_64-linux
parentconfigure wireguard for rivendell (diff)
downloadinfra-d09952fcd5ae3b73ea91f0f308527f70c0dc5c21.tar.gz
move keycloak and forgejo on rivendell
I had to rekey all the secrets. Updated the documentation on how to set up both forgejo and keycloak.
Diffstat (limited to '')
-rw-r--r--machines/nixos/x86_64-linux/do-rproxy/default.nix4
-rw-r--r--machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix6
-rw-r--r--machines/nixos/x86_64-linux/rivendell/default.nix2
-rw-r--r--machines/nixos/x86_64-linux/synology-vm/default.nix2
-rw-r--r--profiles/forgejo.nix (renamed from machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix)38
-rw-r--r--profiles/keycloak.nix (renamed from machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix)5
6 files changed, 25 insertions, 32 deletions
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index 0d74a1f..b49431f 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -20,13 +20,13 @@
{
# vm-synology
publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
- allowedIPs = [ "10.100.0.0/24" ];
+ allowedIPs = [ "10.100.0.40/32" ];
persistentKeepalive = 25;
}
{
# rivendell
publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
- allowedIPs = [ "10.100.0.0/24" ];
+ allowedIPs = [ "10.100.0.60/32" ];
persistentKeepalive = 25;
}
];
diff --git a/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix b/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
index 78c0667..9267d20 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
@@ -52,10 +52,10 @@
acmeRoot = null;
forceSSL = true;
locations."/" = {
- proxyPass = "http://10.100.0.40:3000";
+ proxyPass = "http://10.100.0.60:3000";
};
locations."/metrics" = {
- proxyPass = "http://10.100.0.40:3000/metrics";
+ proxyPass = "http://10.100.0.60:3000/metrics";
extraConfig = ''
deny all;
access_log off;
@@ -75,7 +75,7 @@
acmeRoot = null;
forceSSL = true;
locations."/" = {
- proxyPass = "http://10.100.0.40:8080";
+ proxyPass = "http://10.100.0.60:8080";
};
};
"fcuny.net" = {
diff --git a/machines/nixos/x86_64-linux/rivendell/default.nix b/machines/nixos/x86_64-linux/rivendell/default.nix
index 1f38f6f..a34e885 100644
--- a/machines/nixos/x86_64-linux/rivendell/default.nix
+++ b/machines/nixos/x86_64-linux/rivendell/default.nix
@@ -10,6 +10,8 @@
(modulesPath + "/installer/scan/not-detected.nix")
inputs.nixos-hardware.nixosModules.framework-desktop-amd-ai-max-300-series
../../../../profiles/disk/btrfs-on-luks.nix
+ ../../../../profiles/forgejo.nix
+ ../../../../profiles/keycloak.nix
];
age = {
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
index d04a44a..915d851 100644
--- a/machines/nixos/x86_64-linux/synology-vm/default.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/default.nix
@@ -9,8 +9,6 @@
./disks.nix
./hardware.nix
./secrets.nix
- ./profiles/forgejo.nix
- ./profiles/keycloak.nix
./profiles/goget.nix
];
diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix b/profiles/forgejo.nix
index 18d6207..70af185 100644
--- a/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix
+++ b/profiles/forgejo.nix
@@ -1,9 +1,4 @@
-{
- self,
- config,
- pkgs,
- ...
-}:
+{ config, pkgs, ... }:
let
# convenience wrapper for admin commands
forgejo-admin = pkgs.writeShellScriptBin "forgejo-admin" ''
@@ -14,7 +9,7 @@ in
networking.firewall.allowedTCPPorts = [ 3000 ];
age.secrets.forgejo-fastmail = {
- file = "${self}/secrets/forgejo-fastmail.age";
+ file = ../secrets/forgejo-fastmail.age;
};
environment.systemPackages = [ forgejo-admin ];
@@ -41,7 +36,6 @@ in
DOMAIN = "code.fcuny.net";
ROOT_URL = "https://code.fcuny.net";
HTTP_PORT = 3000;
- HTTP_ADDR = "10.100.0.40";
LANDING_PAGE = "explore";
};
mailer = {
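Review bot: Dropping `HTTP_ADDR = "10.100.0.40";` leaves Forgejo on its default bind address, which as far as I know is all interfaces, while `networking.firewall.allowedTCPPorts = [ 3000 ];` in the earlier hunk of this file opens the port on every interface of the host. Port 3000 would then be reachable directly from any network rivendell is attached to, without the proxy's TLS and without the `deny all` that do-rproxy's nginx.nix applies to `/metrics`. Since the profile is now shared, consider scoping the rule to the tunnel, e.g. `networking.firewall.interfaces.<wg-interface>.allowedTCPPorts = [ 3000 ];` (interface name is a placeholder), or setting `HTTP_ADDR = "10.100.0.60";` in rivendell's own config. The `server` settings block starts and ends outside this hunk.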
@@ -93,18 +87,18 @@ in
};
};
- my.modules.backups = {
- local.paths = [ "/var/lib/forgejo" ];
- local.exclude = [
- "/var/lib/forgejo/data/indexers"
- "/var/lib/forgejo/data/repo-archive"
- "/var/lib/forgejo/data/tmp"
- ];
- remote.paths = [ "/var/lib/forgejo" ];
- remote.exclude = [
- "/var/lib/forgejo/data/indexers"
- "/var/lib/forgejo/data/repo-archive"
- "/var/lib/forgejo/data/tmp"
- ];
- };
+ # my.modules.backups = {
+ # local.paths = [ "/var/lib/forgejo" ];
+ # local.exclude = [
+ # "/var/lib/forgejo/data/indexers"
+ # "/var/lib/forgejo/data/repo-archive"
+ # "/var/lib/forgejo/data/tmp"
+ # ];
+ # remote.paths = [ "/var/lib/forgejo" ];
+ # remote.exclude = [
+ # "/var/lib/forgejo/data/indexers"
+ # "/var/lib/forgejo/data/repo-archive"
+ # "/var/lib/forgejo/data/tmp"
+ # ];
+ # };
}
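Review bot: The backup definition for `/var/lib/forgejo` is commented out with no explanation, so after the move the repositories and Forgejo data on rivendell appear to have neither a local nor a remote backup. If the reason is that `my.modules.backups` is not yet imported on rivendell (an assumption, not visible here), say so above the block, e.g. `# TODO: re-enable once my.modules.backups is available on rivendell`, and restore it before the old copy on the Synology VM is retired. Otherwise keep the block active rather than leaving dead configuration in a shared profile.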
diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix b/profiles/keycloak.nix
index b6fb6c3..7aac133 100644
--- a/machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix
+++ b/profiles/keycloak.nix
@@ -1,7 +1,7 @@
-{ config, self, ... }:
+{ config, ... }:
{
age.secrets.keycloak-db-password = {
- file = "${self}/secrets/keycloak-db-password.age";
+ file = ../secrets/keycloak-db-password.age;
};
networking.firewall.allowedTCPPorts = [ 8080 ];
@@ -11,7 +11,6 @@
database.passwordFile = config.age.secrets.keycloak-db-password.path;
settings = {
hostname = "id.fcuny.net";
- http-host = "10.100.0.40";
http-port = 8080;
proxy-headers = "xforwarded";
http-enabled = true;
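Review bot: With `http-host = "10.100.0.40";` removed, Keycloak presumably listens on all interfaces while `http-enabled = true` and `proxy-headers = "xforwarded"` stay set, and the first hunk of this file opens 8080 host-wide via `networking.firewall.allowedTCPPorts = [ 8080 ];`. In that state the X-Forwarded-* headers are trusted from any client that can reach 8080, not only from do-rproxy, and logins on that direct path would travel over plain HTTP. Limit the port to the WireGuard interface, e.g. `networking.firewall.interfaces.<wg-interface>.allowedTCPPorts = [ 8080 ];` (interface name is a placeholder), or set `http-host = "10.100.0.60";` in rivendell's config. The `settings` block continues outside the hunk.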