Correct Forgejo host to forgejo.nyumbani.baobab.band

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
sjat 2026-05-30 18:16:38 +02:00
parent 4ee1b66e23
commit 810e6d557b
7 changed files with 12 additions and 12 deletions


@ -12,7 +12,7 @@ platforms:
# Project-owned image built from .docker/molecule-debian13/Dockerfile
# and hosted in the Forgejo container registry.
# Build/push with: make molecule-image / make molecule-image-push
image: git.baobab.band/<owner>/<repo>/molecule-debian13:latest
image: forgejo.nyumbani.baobab.band/<owner>/<repo>/molecule-debian13:latest
pre_build_image: true
privileged: true # required for systemd
cgroupns_mode: host
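Review bot: The `image:` line still pulls the mutable `:latest` tag while the platform runs with `privileged: true` and `cgroupns_mode: host`, so whatever is pushed to that tag on the new registry host runs with near-host privileges on the test machine. Since this line is being touched anyway, consider pinning the image by digest (`molecule-debian13@sha256:<digest>`) and bumping the digest whenever `make molecule-image-push` publishes a new build. With `pre_build_image: true` the image is pulled rather than built, so it also has to exist under the new hostname before this lands.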


@ -45,7 +45,7 @@ has been run).
## State backend
**Choice**: Forgejo HTTP backend (self-hosted at git.baobab.band)
**Choice**: Forgejo HTTP backend (self-hosted at forgejo.nyumbani.baobab.band)
Keeps all state on the same self-hosted stack without additional services.
Authentication uses a Forgejo personal access token via `TF_HTTP_USERNAME` and


@ -150,7 +150,7 @@ IoT devices cannot initiate connections to `srv`.
| Infrastructure VMs | `<role><n>` | `dns1`, `dns2`, `proxy` |
| Hetzner VPS | `askari` | Swahili for guard/sentinel |
| Internal FQDN | `<host>.boma.baobab.band` | `dns1.boma.baobab.band` |
| Public service FQDN | `<service>.baobab.band` | `git.baobab.band` |
| Public service FQDN | `<service>.baobab.band` | `forgejo.nyumbani.baobab.band` |
---
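Review bot: In the `Public service FQDN` row, the new example `forgejo.nyumbani.baobab.band` no longer fits the pattern in the middle column, `<service>.baobab.band`, because it carries an extra `nyumbani` label. Either update the pattern to cover that label or add a separate row for `<service>.nyumbani.baobab.band`, so the naming table still reads as a rule that new hostnames can be checked against.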
@ -166,7 +166,7 @@ Terraform itself writes no DNS records — see ADR-009.
Public-facing services resolve to the public IP or Cloudflare proxy.
**Split-horizon**: `dns1`/`dns2` serve internal answers for any hostname that has
both a public and private face. Example: `git.baobab.band` resolves to
both a public and private face. Example: `forgejo.nyumbani.baobab.band` resolves to
`10.20.0.12` (proxy) internally and to the public IP externally.
OPNsense DNS resolver forwards `boma.baobab.band` queries to `dns1`/`dns2`.
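Review bot: The split-horizon example now sits under `nyumbani.baobab.band`, but the last line of this paragraph only says OPNsense forwards `boma.baobab.band` queries to `dns1`/`dns2`. Please state how internal clients obtain the `10.20.0.12` answer for names under `nyumbani.baobab.band` (for example, that this zone is forwarded as well). If those queries go to a public resolver instead, clients get the public address and the internal path through the proxy is never used.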


@ -62,7 +62,7 @@ configuration issues invisible to Ansible check mode.
**Source**: `.docker/molecule-debian13/Dockerfile`
**Base**: `debian:trixie-slim` (official Debian 13, Docker Hub — only external
dependency permitted here, as the base OS image is not substitutable)
**Registry**: `git.baobab.band/<owner>/<repo-name>/molecule-debian13:latest`
**Registry**: `forgejo.nyumbani.baobab.band/<owner>/<repo-name>/molecule-debian13:latest`
Build and push with:
```bash


@ -108,7 +108,7 @@ rendered entirely by the Ansible `dns` role:
remains the ultimate source of truth for which hosts exist; the data simply flows
through the inventory instead of through a direct Terraform→DNS write.
- **Service, alias (CNAME), split-horizon, and non-VM records** (e.g. the OPNsense
gateway, `git.baobab.band` → proxy) are explicit zone data in `group_vars`.
gateway, `forgejo.nyumbani.baobab.band` → proxy) are explicit zone data in `group_vars`.
This dissolves the bootstrap cycle that a Terraform-managed zone would create. If
Terraform wrote records via RFC 2136, provisioning the **first** DNS server would
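Review bot: This bullet says the `forgejo.nyumbani.baobab.band` → proxy record is explicit zone data in `group_vars`, yet none of the 12 changed lines in this commit touches a zone record; every change is a documentation line, the Molecule image reference or a Terraform backend URL. Please confirm that the `group_vars` zone data already carries the record under the new name, otherwise the docs and backends point at a host the internal resolvers do not answer for.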


@ -8,9 +8,9 @@ terraform {
#
# If Forgejo's HTTP state endpoint is unavailable, remove this block entirely
# to fall back to local state on the control node.
address = "https://git.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/production.tfstate"
lock_address = "https://git.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/production.tfstate/lock"
unlock_address = "https://git.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/production.tfstate/lock"
address = "https://forgejo.nyumbani.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/production.tfstate"
lock_address = "https://forgejo.nyumbani.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/production.tfstate/lock"
unlock_address = "https://forgejo.nyumbani.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/production.tfstate/lock"
lock_method = "POST"
unlock_method = "DELETE"
}
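Review bot: Changing `address`, `lock_address` and `unlock_address` changes the backend configuration, so existing working directories will stop at init until `terraform init -reconfigure` is run (or `-migrate-state`, if state already lives at the old URL), and the commit message does not mention it. A line in the commit message or the state-backend docs would save the next operator a confusing error. Separately, the comment above the addresses recommends removing the block to fall back to local state, which leaves a plaintext state file on the control node with no shared locking, so it is worth marking that fallback as temporary.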


@ -8,9 +8,9 @@ terraform {
#
# If Forgejo's HTTP state endpoint is unavailable, remove this block entirely
# to fall back to local state on the control node.
address = "https://git.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/staging.tfstate"
lock_address = "https://git.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/staging.tfstate/lock"
unlock_address = "https://git.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/staging.tfstate/lock"
address = "https://forgejo.nyumbani.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/staging.tfstate"
lock_address = "https://forgejo.nyumbani.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/staging.tfstate/lock"
unlock_address = "https://forgejo.nyumbani.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/staging.tfstate/lock"
lock_method = "POST"
unlock_method = "DELETE"
}
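Review bot: The staging block repeats the same three URLs as the production block with only the state file name changed, so the Forgejo hostname is hard-coded six times across the two backends, which is part of why correcting the host touches seven files. Backend blocks cannot use variables, but a partial configuration works: keep `lock_method` and `unlock_method` here and supply the three addresses per environment with `terraform init -backend-config=<file>`, so the host lives in one place per environment.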