From d09952fcd5ae3b73ea91f0f308527f70c0dc5c21 Mon Sep 17 00:00:00 2001
From: Franck Cuny <franck@fcuny.net>
Date: Sat, 18 Oct 2025 14:46:47 -0700
Subject: move keycloak and forgejo on rivendell

I had to rekey all the secrets. Updated the documentation for both how
to setup forgejo and keycloak.
---
 docs/keycloak.org                                  |  26 ++---
 docs/tofu.org                                      |  15 +++
 machines/nixos/x86_64-linux/do-rproxy/default.nix  |   4 +-
 .../x86_64-linux/do-rproxy/profiles/nginx.nix      |   6 +-
 machines/nixos/x86_64-linux/rivendell/default.nix  |   2 +
 .../nixos/x86_64-linux/synology-vm/default.nix     |   2 -
 .../x86_64-linux/synology-vm/profiles/forgejo.nix  | 110 ---------------------
 .../x86_64-linux/synology-vm/profiles/keycloak.nix |  20 ----
 profiles/forgejo.nix                               | 104 +++++++++++++++++++
 profiles/keycloak.nix                              |  19 ++++
 secrets/cloudflare-nginx.age                       | Bin 363 -> 363 bytes
 secrets/do/host-ed25519-key.age                    | Bin 611 -> 611 bytes
 secrets/do/wireguard.age                           |  12 +--
 secrets/forgejo-fastmail.age                       | Bin 339 -> 339 bytes
 secrets/keycloak-db-password.age                   |  12 +--
 secrets/nas_client.age                             | Bin 364 -> 364 bytes
 secrets/restic_gcs_credentials.age                 | Bin 2661 -> 2661 bytes
 secrets/restic_password.age                        |  14 ++-
 secrets/rivendell/wireguard.age                    |  12 +--
 secrets/secrets.nix                                |   4 +-
 secrets/ssh-remote-builder.age                     |  18 ++--
 secrets/vm-synology/wireguard.age                  |  13 +--
 22 files changed, 195 insertions(+), 198 deletions(-)
 create mode 100644 docs/tofu.org
 delete mode 100644 machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix
 delete mode 100644 machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix
 create mode 100644 profiles/forgejo.nix
 create mode 100644 profiles/keycloak.nix

diff --git a/docs/keycloak.org b/docs/keycloak.org
index c8760ff..cd6e773 100644
--- a/docs/keycloak.org
+++ b/docs/keycloak.org
@@ -1,18 +1,17 @@
 * Keycloak
 
-Running at id.fcuny.net
+Running at https://id.fcuny.net.
 
 There's an admin user in 1password.
+** Bootstrap
+#+begin_src shell
+ssh keycloak-host -L 8080:localhost:8080
+#+end_src
+
+Then go to =http://localhost:8080= with your browser to setup the initial user.
 
 ** Client for forgejo
-- create a client with name =forgejo=
-- set root URL to =https://code.fcuny.net=
-- set home URL to =https://code.fcuny.net=
-- set valid redirects URL to =https://code.fcuny.net*=
-- set web origins to =https://code.fcuny.net=
-- set admin URL to https://code.fcuny.net
-- set client authentication to =on=
-- keep =standard flow= checked and nothing else
+The client is managed by terranix.
 *** forgejo configuration
 - create a new authentication source under https://code.fcuny.net/admin/auths
 - choose OAuth2
@@ -34,11 +33,4 @@ First, we need a client ID and a secret. The client can be created in the UI:
 
 The go to "Service account roles" for the newly created client, and ensure it has =admin= role (assign role -> filter by realm roles -> admin).
 
-Export the secret with =KEYCLOAK_CLIENT_SECRET=.
-
-To import resources:
-#+begin_src bash
-nix run .#tf -- import keycloak_realm.master master
-nix run .#tf -- import keycloak_user.fcuny master/d0fdbc04-8f6c-4558-8fd6-ebf7d9e23e6f
-...
-#+end_src
+Export the secret with =KEYCLOAK_CLIENT_SECRET= (it might be already be set in =../.envrc.local=).
diff --git a/docs/tofu.org b/docs/tofu.org
new file mode 100644
index 0000000..5747f9e
--- /dev/null
+++ b/docs/tofu.org
@@ -0,0 +1,15 @@
+* Tofu/terranix
+
+I use terranix to manage some configurations with terraform/tofu.
+
+I usually start by cleaning the working directory:
+#+begin_src shell
+rm -rf .terraform*
+#+end_src
+
+Then we can =init=, =plan=, and =build=:
+#+begin_src shell
+nix run .#tf -- init
+nix run .#tf -- plan
+nix run .#tf -- build
+#+end_src
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index 0d74a1f..b49431f 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -20,13 +20,13 @@
         {
           # vm-synology
           publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
-          allowedIPs = [ "10.100.0.0/24" ];
+          allowedIPs = [ "10.100.0.40/32" ];
           persistentKeepalive = 25;
         }
         {
           # rivendell
           publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
-          allowedIPs = [ "10.100.0.0/24" ];
+          allowedIPs = [ "10.100.0.60/32" ];
           persistentKeepalive = 25;
         }
       ];
diff --git a/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix b/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
index 78c0667..9267d20 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
@@ -52,10 +52,10 @@
         acmeRoot = null;
         forceSSL = true;
         locations."/" = {
-          proxyPass = "http://10.100.0.40:3000";
+          proxyPass = "http://10.100.0.60:3000";
         };
         locations."/metrics" = {
-          proxyPass = "http://10.100.0.40:3000/metrics";
+          proxyPass = "http://10.100.0.60:3000/metrics";
           extraConfig = ''
             deny all;
             access_log off;
@@ -75,7 +75,7 @@
         acmeRoot = null;
         forceSSL = true;
         locations."/" = {
-          proxyPass = "http://10.100.0.40:8080";
+          proxyPass = "http://10.100.0.60:8080";
         };
       };
       "fcuny.net" = {
diff --git a/machines/nixos/x86_64-linux/rivendell/default.nix b/machines/nixos/x86_64-linux/rivendell/default.nix
index 1f38f6f..a34e885 100644
--- a/machines/nixos/x86_64-linux/rivendell/default.nix
+++ b/machines/nixos/x86_64-linux/rivendell/default.nix
@@ -10,6 +10,8 @@
     (modulesPath + "/installer/scan/not-detected.nix")
     inputs.nixos-hardware.nixosModules.framework-desktop-amd-ai-max-300-series
     ../../../../profiles/disk/btrfs-on-luks.nix
+    ../../../../profiles/forgejo.nix
+    ../../../../profiles/keycloak.nix
   ];
 
   age = {
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
index d04a44a..915d851 100644
--- a/machines/nixos/x86_64-linux/synology-vm/default.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/default.nix
@@ -9,8 +9,6 @@
     ./disks.nix
     ./hardware.nix
     ./secrets.nix
-    ./profiles/forgejo.nix
-    ./profiles/keycloak.nix
     ./profiles/goget.nix
   ];
 
diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix b/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix
deleted file mode 100644
index 18d6207..0000000
--- a/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix
+++ /dev/null
@@ -1,110 +0,0 @@
-{
-  self,
-  config,
-  pkgs,
-  ...
-}:
-let
-  # convenience wrapper for admin commands
-  forgejo-admin = pkgs.writeShellScriptBin "forgejo-admin" ''
-    sudo -u forgejo ${pkgs.forgejo}/bin/gitea -c ${config.services.forgejo.customDir}/conf/app.ini admin "$@"
-  '';
-in
-{
-  networking.firewall.allowedTCPPorts = [ 3000 ];
-
-  age.secrets.forgejo-fastmail = {
-    file = "${self}/secrets/forgejo-fastmail.age";
-  };
-
-  environment.systemPackages = [ forgejo-admin ];
-
-  services.forgejo = {
-    enable = true;
-    dump = {
-      enable = true;
-    };
-    database.type = "postgres";
-    lfs.enable = false;
-    secrets = {
-      mailer.PASSWD = config.age.secrets.forgejo-fastmail.path;
-    };
-    settings = {
-      DEFAULT.APP_NAME = "Â¯\\_(ãƒ„)_/Â¯";
-      session = {
-        COOKIE_SECURE = true;
-        PROVIDER = "db";
-        PROVIDER_CONFIG = "";
-        SESSION_LIFE_TIME = 86400 * 5;
-      };
-      server = {
-        DOMAIN = "code.fcuny.net";
-        ROOT_URL = "https://code.fcuny.net";
-        HTTP_PORT = 3000;
-        HTTP_ADDR = "10.100.0.40";
-        LANDING_PAGE = "explore";
-      };
-      mailer = {
-        ENABLED = true;
-        PROTOCOL = "smtp+starttls";
-        FROM = "code <forgejo@code.fcuny.net>";
-        USER = "franck@fcuny.net";
-        SMTP_ADDR = "smtp.fastmail.com";
-      };
-      metrics = {
-        ENABLED = true;
-        ENABLED_ISSUE_BY_LABEL = true;
-        ENABLED_ISSUE_BY_REPOSITORY = true;
-      };
-      service = {
-        REGISTER_EMAIL_CONFIRM = true;
-        DISABLE_REGISTRATION = true;
-        ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
-        SHOW_REGISTRATION_BUTTON = true;
-      };
-      openid = {
-        ENABLE_OPENID_SIGNIN = true;
-        ENABLE_OPENID_SIGNUP = true;
-      };
-      oauth2_client = {
-        REGISTER_EMAIL_CONFIRM = false;
-        ENABLE_AUTO_REGISTRATION = true;
-        USERNAME = "preferred_username";
-        ACCOUNT_LINKING = "auto";
-      };
-      repository = {
-        DEFAULT_PRIVATE = "public";
-        DEFAULT_PUSH_CREATE_PRIVATE = true;
-        ENABLE_PUSH_CREATE_USER = true;
-        PREFERRED_LICENSES = "GPL-3.0-or-later,MIT";
-        DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
-        DISABLE_STARS = true; # self-hosting so, doesn't make sense
-      };
-      "service.explore" = {
-        DISABLE_USERS_PAGE = true;
-      };
-      federation = {
-        ENABLED = true;
-      };
-      ui = {
-        # To protect privacy of users.
-        SHOW_USER_EMAIL = false;
-      };
-    };
-  };
-
-  my.modules.backups = {
-    local.paths = [ "/var/lib/forgejo" ];
-    local.exclude = [
-      "/var/lib/forgejo/data/indexers"
-      "/var/lib/forgejo/data/repo-archive"
-      "/var/lib/forgejo/data/tmp"
-    ];
-    remote.paths = [ "/var/lib/forgejo" ];
-    remote.exclude = [
-      "/var/lib/forgejo/data/indexers"
-      "/var/lib/forgejo/data/repo-archive"
-      "/var/lib/forgejo/data/tmp"
-    ];
-  };
-}
diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix b/machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix
deleted file mode 100644
index b6fb6c3..0000000
--- a/machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, self, ... }:
-{
-  age.secrets.keycloak-db-password = {
-    file = "${self}/secrets/keycloak-db-password.age";
-  };
-
-  networking.firewall.allowedTCPPorts = [ 8080 ];
-
-  services.keycloak = {
-    enable = true;
-    database.passwordFile = config.age.secrets.keycloak-db-password.path;
-    settings = {
-      hostname = "id.fcuny.net";
-      http-host = "10.100.0.40";
-      http-port = 8080;
-      proxy-headers = "xforwarded";
-      http-enabled = true;
-    };
-  };
-}
diff --git a/profiles/forgejo.nix b/profiles/forgejo.nix
new file mode 100644
index 0000000..70af185
--- /dev/null
+++ b/profiles/forgejo.nix
@@ -0,0 +1,104 @@
+{ config, pkgs, ... }:
+let
+  # convenience wrapper for admin commands
+  forgejo-admin = pkgs.writeShellScriptBin "forgejo-admin" ''
+    sudo -u forgejo ${pkgs.forgejo}/bin/gitea -c ${config.services.forgejo.customDir}/conf/app.ini admin "$@"
+  '';
+in
+{
+  networking.firewall.allowedTCPPorts = [ 3000 ];
+
+  age.secrets.forgejo-fastmail = {
+    file = ../secrets/forgejo-fastmail.age;
+  };
+
+  environment.systemPackages = [ forgejo-admin ];
+
+  services.forgejo = {
+    enable = true;
+    dump = {
+      enable = true;
+    };
+    database.type = "postgres";
+    lfs.enable = false;
+    secrets = {
+      mailer.PASSWD = config.age.secrets.forgejo-fastmail.path;
+    };
+    settings = {
+      DEFAULT.APP_NAME = "Â¯\\_(ãƒ„)_/Â¯";
+      session = {
+        COOKIE_SECURE = true;
+        PROVIDER = "db";
+        PROVIDER_CONFIG = "";
+        SESSION_LIFE_TIME = 86400 * 5;
+      };
+      server = {
+        DOMAIN = "code.fcuny.net";
+        ROOT_URL = "https://code.fcuny.net";
+        HTTP_PORT = 3000;
+        LANDING_PAGE = "explore";
+      };
+      mailer = {
+        ENABLED = true;
+        PROTOCOL = "smtp+starttls";
+        FROM = "code <forgejo@code.fcuny.net>";
+        USER = "franck@fcuny.net";
+        SMTP_ADDR = "smtp.fastmail.com";
+      };
+      metrics = {
+        ENABLED = true;
+        ENABLED_ISSUE_BY_LABEL = true;
+        ENABLED_ISSUE_BY_REPOSITORY = true;
+      };
+      service = {
+        REGISTER_EMAIL_CONFIRM = true;
+        DISABLE_REGISTRATION = true;
+        ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+        SHOW_REGISTRATION_BUTTON = true;
+      };
+      openid = {
+        ENABLE_OPENID_SIGNIN = true;
+        ENABLE_OPENID_SIGNUP = true;
+      };
+      oauth2_client = {
+        REGISTER_EMAIL_CONFIRM = false;
+        ENABLE_AUTO_REGISTRATION = true;
+        USERNAME = "preferred_username";
+        ACCOUNT_LINKING = "auto";
+      };
+      repository = {
+        DEFAULT_PRIVATE = "public";
+        DEFAULT_PUSH_CREATE_PRIVATE = true;
+        ENABLE_PUSH_CREATE_USER = true;
+        PREFERRED_LICENSES = "GPL-3.0-or-later,MIT";
+        DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
+        DISABLE_STARS = true; # self-hosting so, doesn't make sense
+      };
+      "service.explore" = {
+        DISABLE_USERS_PAGE = true;
+      };
+      federation = {
+        ENABLED = true;
+      };
+      ui = {
+        # To protect privacy of users.
+        SHOW_USER_EMAIL = false;
+      };
+    };
+  };
+
+  # my.modules.backups = {
+  #   local.paths = [ "/var/lib/forgejo" ];
+  #   local.exclude = [
+  #     "/var/lib/forgejo/data/indexers"
+  #     "/var/lib/forgejo/data/repo-archive"
+  #     "/var/lib/forgejo/data/tmp"
+  #   ];
+  #   remote.paths = [ "/var/lib/forgejo" ];
+  #   remote.exclude = [
+  #     "/var/lib/forgejo/data/indexers"
+  #     "/var/lib/forgejo/data/repo-archive"
+  #     "/var/lib/forgejo/data/tmp"
+  #   ];
+  # };
+}
diff --git a/profiles/keycloak.nix b/profiles/keycloak.nix
new file mode 100644
index 0000000..7aac133
--- /dev/null
+++ b/profiles/keycloak.nix
@@ -0,0 +1,19 @@
+{ config, ... }:
+{
+  age.secrets.keycloak-db-password = {
+    file = ../secrets/keycloak-db-password.age;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 8080 ];
+
+  services.keycloak = {
+    enable = true;
+    database.passwordFile = config.age.secrets.keycloak-db-password.path;
+    settings = {
+      hostname = "id.fcuny.net";
+      http-port = 8080;
+      proxy-headers = "xforwarded";
+      http-enabled = true;
+    };
+  };
+}
diff --git a/secrets/cloudflare-nginx.age b/secrets/cloudflare-nginx.age
index 6800d5b..3dca56c 100644
Binary files a/secrets/cloudflare-nginx.age and b/secrets/cloudflare-nginx.age differ
diff --git a/secrets/do/host-ed25519-key.age b/secrets/do/host-ed25519-key.age
index 69510ed..ef10a90 100644
Binary files a/secrets/do/host-ed25519-key.age and b/secrets/do/host-ed25519-key.age differ
diff --git a/secrets/do/wireguard.age b/secrets/do/wireguard.age
index e959862..19dfb0e 100644
--- a/secrets/do/wireguard.age
+++ b/secrets/do/wireguard.age
@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 pFjJaA iOwZlej6WOezWYg6Ny3rTKZ2sBeWI9i6EzUzyBvxqzY
-VxAoCn7/jPLEl6CPrRlgRLKXRiPdtvUQ7uouC10O4xM
--> ssh-ed25519 8Nmf6A zCM/oBDQYgMHShRN4Ot/VY230ojHuobZDoueu+3ITnQ
-MtblJtdI6uHzHjIBudIFn1hrJDRa3lyM5HjXs1BJGnU
---- zn5OUqFqPe0iT1rkmy5CxZlURLb5ao8soPpTVo5jIFI
-”Ü‘;f1raN… œF@7öÖóBµ³àø¯ªº’ãø5.b´xj{F¨¡Kžw!$®¤jj#·)I±,ã†‚ç.L¹ª
\ No newline at end of file
+-> ssh-ed25519 pFjJaA Y0Rjr5u2uGI790/JvO7VoQSxF2KpS67e3ff0s1pXj3A
+7Lk30Dwsa9TfbxtEpZFWeDSRPRN66IXu2mFCWaXZIsA
+-> ssh-ed25519 8Nmf6A n76CvLiAh4fjWtRx/DPRJUeazkUMxQ0Oc2qSGj0fDgk
+D7ULUEBjuzmUTzIEC8bzet7SJMJC0cHYgQoil8Q3/3c
+--- o9Qerf9m8XuzxQ1GzPZVumNlE4kBZzABb4PbriMXeNQ
+´Ì›û…„Ÿ%U/„:"«|X8(èì0•SÁ†~zØã‚øoƒ¡O¢:ƒ¤ë4?Yá?åž!ÖH$lsìÞÖÙûþÕ~®ž¡î¸
\ No newline at end of file
diff --git a/secrets/forgejo-fastmail.age b/secrets/forgejo-fastmail.age
index bad24e6..ddb69f1 100644
Binary files a/secrets/forgejo-fastmail.age and b/secrets/forgejo-fastmail.age differ
diff --git a/secrets/keycloak-db-password.age b/secrets/keycloak-db-password.age
index 6ac0e85..21a1a7e 100644
--- a/secrets/keycloak-db-password.age
+++ b/secrets/keycloak-db-password.age
@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 pFjJaA cmAZbTltBmkWqUjWnr57vyxGl+5c96bxME0SS6w7ozs
-7bu8taoNlffYBuhKAhQ4bid2fRs45IYKgIZmiJKX9xk
--> ssh-ed25519 qRUWSw 3c8Lqxx5rVaUBG3J05ffcNHP7I4Rq4kEvKQQgC29nxE
-R9EojU4XpWpBnTCWEF4p94SGGQ0TZwI8BBxRlg+/6hc
---- AK9ErFYwVcMqqejL/qAHVt7se+s9LSdiMBarumrwRZg
-y´\†îhŠ—Gp²r O¤Ö­ûÁbb´4ÌAý{¨Å`ä\–.ÿŠbì)É{ßm_
\ No newline at end of file
+-> ssh-ed25519 pFjJaA u7eibDVH1zLVbZkW2/cJcKfHwUvSjAL41nhZ8lb/TF8
+fQ1C/6A7G2sOmS3YyORQ0tJgmgxSkZFdq+LmkJuLuh4
+-> ssh-ed25519 Y5h84Q ymkfeS/fq1BfAievpj2UstwWSSW+IRCqXfuPy8zX92Y
+wSd280jyTsOOAxxkBhNrHQ6xfd/RjcIWH0QP9RtEJeY
+--- RoXe7h0yyYK/QAdlKQp2ucIK2lsaxmb9tbxZ0DU61kw
+äk³’_Q`ó`´£ùšcQ¨‘bØ)‡'Ž’Iu‡Cí´½ÛþuäNšl”6Ç+^ËCZß2
\ No newline at end of file
diff --git a/secrets/nas_client.age b/secrets/nas_client.age
index 4118f9f..f24a6ed 100644
Binary files a/secrets/nas_client.age and b/secrets/nas_client.age differ
diff --git a/secrets/restic_gcs_credentials.age b/secrets/restic_gcs_credentials.age
index 0a7b689..101a7aa 100644
Binary files a/secrets/restic_gcs_credentials.age and b/secrets/restic_gcs_credentials.age differ
diff --git a/secrets/restic_password.age b/secrets/restic_password.age
index 9062156..8db89a5 100644
--- a/secrets/restic_password.age
+++ b/secrets/restic_password.age
@@ -1,9 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 pFjJaA FE3RMgUxVGFCI1wI6YBz1QbZS1MTgTfMlDdoWzOpKlc
-sAA4/6VYI+q8xwo3DMDA/70t4Xf57hZmW6Itxi6relY
--> ssh-ed25519 qRUWSw DbEKBuyCDRAdlTrytJx1UuCSbA82SStTM5V5YrvGkn8
-JX0393noMLYj6qUCDH4y686eOuPQPVIdK44sjw8ul9w
---- cVmK2XpBhsnM5qgHZjdR9PLnUpi5m0pj2a6zVbK2WZ4
-D8×H¥’=tìŒÔ&›f}<k	{T+îÀfÃcë7¦W
-„u$×À'
-€ÔµuýF?
\ No newline at end of file
+-> ssh-ed25519 pFjJaA 5KWfhxNk3FAF68Iry4yvyPIxF5AfDvPZUj4paHQGBQA
+j/TPillAQNbuqvaudO2SRH+wRmJlcwwrW5cGKBHk3bw
+-> ssh-ed25519 qRUWSw AHkeUh1rsr6ddoH9Z3g+mG6rmHPMIstn+Ln6dRr/eS8
+PsVdJkliyr0OhtLwmtnfzR1s8N+oMHpToGkq6l5UGPo
+--- cf9ExBbs2M12iIrTMUengqVgLKJD00nhPaLVbCVGN4I
+W!”o¡Ë›&l§±‘TÆ&Ò«NÞÄŸT—úv÷ñ*És[ñÅº®bâTŸ¿+;
\ No newline at end of file
diff --git a/secrets/rivendell/wireguard.age b/secrets/rivendell/wireguard.age
index cedc155..e9c7308 100644
--- a/secrets/rivendell/wireguard.age
+++ b/secrets/rivendell/wireguard.age
@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 pFjJaA yX115u9bhmWSBuvkwd94kOuuz7I1jIViRfX6GqsNOGg
-AF+GO3PXF2YUh/Q0HdrSgmwycrmWwEp+jJtk5sd+UY4
--> ssh-ed25519 Y5h84Q CvmWwsgwFJkdBpkMsb10/QjR1l5hBxAFs3mqsHjgjwY
-XoXKK3JH6bdWfwKsaoLTK2rK4f3uuPOieLb/IwtV/Gc
---- mSxeIgzkrqgnyeUm52rvVRmaGLsqyIVv7dEBTXRNBSw
-\jÊôP¨[(µÄðGÇ¸kžhCù©ÄþêA`1ãzt‡îH³væÍsM7-ëÌWPöQÏúvc›t^•Ä#‚›lƒ=Q¹¸\0÷4
\ No newline at end of file
+-> ssh-ed25519 pFjJaA ZTzkRZ66+yhHksE9WVFCkRVRgB45t0wNd2pUE66VmzA
+7eggYsHXV9i4U+rU+gfWaW0TvwokmXBPNQSa3NebpFo
+-> ssh-ed25519 Y5h84Q HuwiTMDWku0ZHKorfgksv0duG8zJL742AerQIvAPHms
+Es4hk20knqHdQv2KZBDMFednDzd/Zvkr1RfqOPLfMyY
+--- FrE5GOxQwCBJwXSzMJF5hgx04pmz54jAWun5YpEfD1Y
+05”mxËþ>£’b³æ¯¹ááëOK›¹'§NíÀ®!§çìV½¡<ªîì6Õ2@} ¥S-¸ê‰åè)^N¥±½?bÕUYþüE
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 72bd62c..658da54 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -12,11 +12,11 @@ in
 {
   "forgejo-fastmail.age".publicKeys = [
     users.fcuny
-    hosts.vm-synology
+    hosts.rivendell
   ];
   "keycloak-db-password.age".publicKeys = [
     users.fcuny
-    hosts.vm-synology
+    hosts.rivendell
   ];
   "cloudflare-nginx.age".publicKeys = [
     users.fcuny
diff --git a/secrets/ssh-remote-builder.age b/secrets/ssh-remote-builder.age
index 14f343c..d10ac6d 100644
--- a/secrets/ssh-remote-builder.age
+++ b/secrets/ssh-remote-builder.age
@@ -1,11 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 pFjJaA kz8dUf2Qkw+XSKBCp/0S8INQg+CEa3MXhzLfZfx3FHo
-R7vbSTkDWLLQbiRoCZWIxirH2gfGkBUzYUQYVq4WoxM
--> ssh-ed25519 qRUWSw e0S9joQotJ2yBHClnZNkajjV+fQ14K4cyH7MuUPZM0A
-XppDbDmyLfQ0CjD0iGRovNjNLXDySQ0xuBtx7v2qnOA
--> ssh-ed25519 E2Yu8Q kWHQZgcHT+cBPoT4AzFmeRg/5YOdbyhlkvss+XKdM30
-QcHvmCaiWJY8NGWSHoK02tJ0CAW5bowsar96r/tR67Q
---- vrFHpETvMrLdoebIcPdOUxcDf2gMnfUtjpYVeUmd000
-)	
-©”í_dµþì<3A6peé&Bˆ±ê[“¼š“²¨pùOËÓ€8d‘BÃºÄ†Mfw_xÍyè–]U«ß®Ö[îš¬V¬îŽ6WG÷wÀª„†]ãÔém{þ}²*X+|ÉÞ­¦áJ³¨^PÝ¾B£Âî%c]2ÌšN˜¯*JLC±¯é³]ËÏ#üó`B¼=Å÷Š	Í-5	HeøTÞlnKkL×ˆ´.V;Þµ¨ê²UÅ‹%`5èˆÁá9¦oál¦ýD,0¯,CÙòäy¼o
-0àÇ«ëÆr‰Ši=#3=1m×)ž†Ý–÷8lómýÍçFÀÃÿQšÖ~p1>®~ºÊ’È{dD×Ø¼õQZ„KâŸ–¥¶I®ÒœÛç£ÒN‡	š'Œ6)›ß`“Ãrõ²Ä‡´u^[lŸD»-_•»ÖìvÇñÏ`$¦c½ßtƒ¥+N6~’×ø¯Ì¡óˆÍŽìlõ!5”y¨R£{©Úp[®«êÌ2½&£H”ˆˆ2xu6êxÚÑI´2^*ÐÍj2í
\ No newline at end of file
+-> ssh-ed25519 pFjJaA 84O2SPCUx+QVlQmLN7fdDmfgClYXHvYcUuKTQVIVaxY
+eBnck8bhHN7xvpogTjciztNrgaiwfTrygF2R2LgmZ6Q
+-> ssh-ed25519 qRUWSw oh0qeksN0bzOADFq79bzRFPHvgJIysWrKIin+aJonko
+Cb052NA2jRTpmp7J4ubCGEn9NWdcHXQtDmZik5gCDm0
+-> ssh-ed25519 E2Yu8Q 0NCgJMvW+YFdKNWPvec05WRi63/adKvyrisyqW59JB0
+lE99gvBokfXkwKmluCtoy4hbh8Jk/k5WPDs0WHccYoM
+--- 8d0KnB6sOB92oKS4jEDMsJ+q/R+kw7YSLOhLz1vKA2w
+k)°ÁÎÂ?OB6*«¦þC[Šä?WÑê¡»ßeÖ€\ÈEœ„ÉŸ9ÜîÁò&d©2Îð:’w{vŸÈúxZ#¥Ã!nù©›-PqžVÀMÑ£¬Ýk¦rä*x[dd0tz8¸¬(ü—¯\/gWÍ;©ƒÐö6~°}š`i~ÔÚ¥s¼å”ý€‚àWKÞŒ?.–ã²¹Ñ÷êÊ²TRÑBfö+ÓN‚“¡ÅJ™H)ÛøoX`(BÎÝ—	0MÆC÷‰‘Üí­x%ª ÔÒ•Øº(Ø²;õ¿JLš¡ÆÔ¾Pà•žÅ-òƒ„oüŒÆ›¤ý#ËùìðtgAj¿ÛR@¼°Ô{+˜\×7×ß‡=	¡Ã ’»¯Idˆ?ŽÔ˜?4ÄÚQ¯B<åÖÙ¬Š'ä#[ÛÑpc@ê‰Û§»•tb™ö4¼<iþ‰Øû€-ížà·öm’àá@a˜U”`½^¬÷àbøŒXáŸ¤`BúÅ`‚ßÔbÛÁÝ­OKØUÒA0^Œ+ÆD'?£“zÿMPÔ€×¯Ð×Ù´¸gƒcuã‡·‹À
\ No newline at end of file
diff --git a/secrets/vm-synology/wireguard.age b/secrets/vm-synology/wireguard.age
index 2b750e9..b1a1384 100644
--- a/secrets/vm-synology/wireguard.age
+++ b/secrets/vm-synology/wireguard.age
@@ -1,7 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 pFjJaA 8sS1TpcBjcc0+Up15kXuS14b1iCmk4lxmkjWdxijTU4
-4AWYQoFymg+GUUOBQIzc2YWgX/p/VY45PA6aMFeTWqM
--> ssh-ed25519 qRUWSw kfUXP5B9JRVccoqStdMkj81qYoEZOrVcLr2YTtnV6SE
-hDAY3gXyfhYxKPZvIiXIJoqJOK+2qKzxmdXjjNVy48w
---- JvXubYcS99y0WWBD9T6ByQdawMAp9RoyV0kbE6ya4zQ
-×£³Q5ÃÔº›w®"jã…[oÏ…¦ÊD—‘S(úLò«4À¸ý@)˜˜ßòXv¥O•SæÜË•µÅŠhJpVÈhíßŠ`
\ No newline at end of file
+-> ssh-ed25519 pFjJaA +fvsiaJMb18gU/QCaD9yHhOO+2XKznzOrYW2sX/NwE0
+iBLuUNGccw/rU294GUPW42LsK7x8tCLmD0Hlb9Jy1+E
+-> ssh-ed25519 qRUWSw 6DQndWls6IHZCXuTBJDoEQ/M7Z1Ahr61oJviPP02Ln8
+18nr/YXPC1II3eV2Qdj5kSYPa+WeyXL3k6zJ9g10rl8
+--- KP/xhZkn1tNxbRanbGzryFXwEgdGj9UJWGWeYF0uuOA
+Þ]2Ï`v >Õ»pgöÙo9j—ô
+õ"yâöv„B•´h.D‡Œ:µÆGW\ú]†`Œ±GýÔS¢ùtÀ‡Éâ´ñÕnþÌx0Å«a
\ No newline at end of file
-- 
cgit v1.2.3