move keycloak and forgejo on rivendell

I had to rekey all the secrets. Updated the documentation for both how to setup forgejo and keycloak.
author: Franck Cuny <franck@fcuny.net> 2025-10-18 14:46:47 -0700
committer: Franck Cuny <franck@fcuny.net> 2025-10-18 14:46:47 -0700
commit: d09952fcd5ae3b73ea91f0f308527f70c0dc5c21 (patch)
tree: 08a570d4da8fd6c15285b461d3df6b283c477226 /machines/nixos
parent: configure wireguard for rivendell (diff)
download: infra-d09952fcd5ae3b73ea91f0f308527f70c0dc5c21.tar.gz
6 files changed, 7 insertions, 137 deletions
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index 0d74a1f..b49431f 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -20,13 +20,13 @@
         {
           # vm-synology
           publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
-          allowedIPs = [ "10.100.0.0/24" ];
+          allowedIPs = [ "10.100.0.40/32" ];
           persistentKeepalive = 25;
         }
         {
           # rivendell
           publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
-          allowedIPs = [ "10.100.0.0/24" ];
+          allowedIPs = [ "10.100.0.60/32" ];
           persistentKeepalive = 25;
         }
       ];
diff --git a/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix b/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
index 78c0667..9267d20 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
@@ -52,10 +52,10 @@
         acmeRoot = null;
         forceSSL = true;
         locations."/" = {
-          proxyPass = "http://10.100.0.40:3000";
+          proxyPass = "http://10.100.0.60:3000";
         };
         locations."/metrics" = {
-          proxyPass = "http://10.100.0.40:3000/metrics";
+          proxyPass = "http://10.100.0.60:3000/metrics";
           extraConfig = ''
             deny all;
             access_log off;
@@ -75,7 +75,7 @@
         acmeRoot = null;
         forceSSL = true;
         locations."/" = {
-          proxyPass = "http://10.100.0.40:8080";
+          proxyPass = "http://10.100.0.60:8080";
         };
       };
       "fcuny.net" = {
diff --git a/machines/nixos/x86_64-linux/rivendell/default.nix b/machines/nixos/x86_64-linux/rivendell/default.nix
index 1f38f6f..a34e885 100644
--- a/machines/nixos/x86_64-linux/rivendell/default.nix
+++ b/machines/nixos/x86_64-linux/rivendell/default.nix
@@ -10,6 +10,8 @@
     (modulesPath + "/installer/scan/not-detected.nix")
     inputs.nixos-hardware.nixosModules.framework-desktop-amd-ai-max-300-series
     ../../../../profiles/disk/btrfs-on-luks.nix
+    ../../../../profiles/forgejo.nix
+    ../../../../profiles/keycloak.nix
   ];
 
   age = {
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
index d04a44a..915d851 100644
--- a/machines/nixos/x86_64-linux/synology-vm/default.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/default.nix
@@ -9,8 +9,6 @@
     ./disks.nix
     ./hardware.nix
     ./secrets.nix
-    ./profiles/forgejo.nix
-    ./profiles/keycloak.nix
     ./profiles/goget.nix
   ];
 
diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix b/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix
deleted file mode 100644
index 18d6207..0000000
--- a/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix
+++ /dev/null
@@ -1,110 +0,0 @@
-{
-  self,
-  config,
-  pkgs,
-  ...
-}:
-let
-  # convenience wrapper for admin commands
-  forgejo-admin = pkgs.writeShellScriptBin "forgejo-admin" ''
-    sudo -u forgejo ${pkgs.forgejo}/bin/gitea -c ${config.services.forgejo.customDir}/conf/app.ini admin "$@"
-  '';
-in
-{
-  networking.firewall.allowedTCPPorts = [ 3000 ];
-
-  age.secrets.forgejo-fastmail = {
-    file = "${self}/secrets/forgejo-fastmail.age";
-  };
-
-  environment.systemPackages = [ forgejo-admin ];
-
-  services.forgejo = {
-    enable = true;
-    dump = {
-      enable = true;
-    };
-    database.type = "postgres";
-    lfs.enable = false;
-    secrets = {
-      mailer.PASSWD = config.age.secrets.forgejo-fastmail.path;
-    };
-    settings = {
-      DEFAULT.APP_NAME = "¯\\_(ツ)_/¯";
-      session = {
-        COOKIE_SECURE = true;
-        PROVIDER = "db";
-        PROVIDER_CONFIG = "";
-        SESSION_LIFE_TIME = 86400 * 5;
-      };
-      server = {
-        DOMAIN = "code.fcuny.net";
-        ROOT_URL = "https://code.fcuny.net";
-        HTTP_PORT = 3000;
-        HTTP_ADDR = "10.100.0.40";
-        LANDING_PAGE = "explore";
-      };
-      mailer = {
-        ENABLED = true;
-        PROTOCOL = "smtp+starttls";
-        FROM = "code <forgejo@code.fcuny.net>";
-        USER = "franck@fcuny.net";
-        SMTP_ADDR = "smtp.fastmail.com";
-      };
-      metrics = {
-        ENABLED = true;
-        ENABLED_ISSUE_BY_LABEL = true;
-        ENABLED_ISSUE_BY_REPOSITORY = true;
-      };
-      service = {
-        REGISTER_EMAIL_CONFIRM = true;
-        DISABLE_REGISTRATION = true;
-        ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
-        SHOW_REGISTRATION_BUTTON = true;
-      };
-      openid = {
-        ENABLE_OPENID_SIGNIN = true;
-        ENABLE_OPENID_SIGNUP = true;
-      };
-      oauth2_client = {
-        REGISTER_EMAIL_CONFIRM = false;
-        ENABLE_AUTO_REGISTRATION = true;
-        USERNAME = "preferred_username";
-        ACCOUNT_LINKING = "auto";
-      };
-      repository = {
-        DEFAULT_PRIVATE = "public";
-        DEFAULT_PUSH_CREATE_PRIVATE = true;
-        ENABLE_PUSH_CREATE_USER = true;
-        PREFERRED_LICENSES = "GPL-3.0-or-later,MIT";
-        DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
-        DISABLE_STARS = true; # self-hosting so, doesn't make sense
-      };
-      "service.explore" = {
-        DISABLE_USERS_PAGE = true;
-      };
-      federation = {
-        ENABLED = true;
-      };
-      ui = {
-        # To protect privacy of users.
-        SHOW_USER_EMAIL = false;
-      };
-    };
-  };
-
-  my.modules.backups = {
-    local.paths = [ "/var/lib/forgejo" ];
-    local.exclude = [
-      "/var/lib/forgejo/data/indexers"
-      "/var/lib/forgejo/data/repo-archive"
-      "/var/lib/forgejo/data/tmp"
-    ];
-    remote.paths = [ "/var/lib/forgejo" ];
-    remote.exclude = [
-      "/var/lib/forgejo/data/indexers"
-      "/var/lib/forgejo/data/repo-archive"
-      "/var/lib/forgejo/data/tmp"
-    ];
-  };
-}
diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix b/machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix
deleted file mode 100644
index b6fb6c3..0000000
--- a/machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, self, ... }:
-{
-  age.secrets.keycloak-db-password = {
-    file = "${self}/secrets/keycloak-db-password.age";
-  };
-
-  networking.firewall.allowedTCPPorts = [ 8080 ];
-
-  services.keycloak = {
-    enable = true;
-    database.passwordFile = config.age.secrets.keycloak-db-password.path;
-    settings = {
-      hostname = "id.fcuny.net";
-      http-host = "10.100.0.40";
-      http-port = 8080;
-      proxy-headers = "xforwarded";
-      http-enabled = true;
-    };
-  };
-}
author	Franck Cuny <franck@fcuny.net>	2025-10-18 14:46:47 -0700
committer	Franck Cuny <franck@fcuny.net>	2025-10-18 14:46:47 -0700
commit	d09952fcd5ae3b73ea91f0f308527f70c0dc5c21 (patch)
tree	08a570d4da8fd6c15285b461d3df6b283c477226 /machines/nixos
parent	configure wireguard for rivendell (diff)
download	infra-d09952fcd5ae3b73ea91f0f308527f70c0dc5c21.tar.gz