diff --git a/.scaffold/molecule.yml b/.scaffold/molecule.yml index 51818d7..5fb119c 100644 --- a/.scaffold/molecule.yml +++ b/.scaffold/molecule.yml @@ -12,7 +12,7 @@ platforms: # Project-owned image built from .docker/molecule-debian13/Dockerfile # and hosted in the Forgejo container registry. # Build/push with: make molecule-image / make molecule-image-push - image: git.baobab.band///molecule-debian13:latest + image: forgejo.nyumbani.baobab.band///molecule-debian13:latest pre_build_image: true privileged: true # required for systemd cgroupns_mode: host diff --git a/docs/decisions/006-terraform.md b/docs/decisions/006-terraform.md index 70218a8..941f422 100644 --- a/docs/decisions/006-terraform.md +++ b/docs/decisions/006-terraform.md @@ -45,7 +45,7 @@ has been run). ## State backend -**Choice**: Forgejo HTTP backend (self-hosted at git.baobab.band) +**Choice**: Forgejo HTTP backend (self-hosted at forgejo.nyumbani.baobab.band) Keeps all state on the same self-hosted stack without additional services. Authentication uses a Forgejo personal access token via `TF_HTTP_USERNAME` and diff --git a/docs/decisions/007-network.md b/docs/decisions/007-network.md index 5914133..c798918 100644 --- a/docs/decisions/007-network.md +++ b/docs/decisions/007-network.md @@ -150,7 +150,7 @@ IoT devices cannot initiate connections to `srv`. | Infrastructure VMs | `` | `dns1`, `dns2`, `proxy` | | Hetzner VPS | `askari` | Swahili for guard/sentinel | | Internal FQDN | `.boma.baobab.band` | `dns1.boma.baobab.band` | -| Public service FQDN | `.baobab.band` | `git.baobab.band` | +| Public service FQDN | `.baobab.band` | `forgejo.nyumbani.baobab.band` | --- 
@@ -166,7 +166,7 @@ Terraform itself writes no DNS records — see ADR-009. Public-facing services resolve to the public IP or Cloudflare proxy. **Split-horizon**: `dns1`/`dns2` serve internal answers for any hostname that has -both a public and private face. Example: `git.baobab.band` resolves to +both a public and private face. Example: `forgejo.nyumbani.baobab.band` resolves to `10.20.0.12` (proxy) internally and to the public IP externally. OPNsense DNS resolver forwards `boma.baobab.band` queries to `dns1`/`dns2`. diff --git a/docs/decisions/008-testing.md b/docs/decisions/008-testing.md index d338a3c..c86977e 100644 --- a/docs/decisions/008-testing.md +++ b/docs/decisions/008-testing.md @@ -62,7 +62,7 @@ configuration issues invisible to Ansible check mode. **Source**: `.docker/molecule-debian13/Dockerfile` **Base**: `debian:trixie-slim` (official Debian 13, Docker Hub — only external dependency permitted here, as the base OS image is not substitutable) -**Registry**: `git.baobab.band///molecule-debian13:latest` +**Registry**: `forgejo.nyumbani.baobab.band///molecule-debian13:latest` Build and push with: ```bash diff --git a/docs/decisions/009-provisioning-handoff.md b/docs/decisions/009-provisioning-handoff.md index 7c1e0a0..872cb9a 100644 --- a/docs/decisions/009-provisioning-handoff.md +++ b/docs/decisions/009-provisioning-handoff.md @@ -108,7 +108,7 @@ rendered entirely by the Ansible `dns` role: remains the ultimate source of truth for which hosts exist; the data simply flows through the inventory instead of through a direct Terraform→DNS write. - **Service, alias (CNAME), split-horizon, and non-VM records** (e.g. the OPNsense - gateway, `git.baobab.band` → proxy) are explicit zone data in `group_vars`. + gateway, `forgejo.nyumbani.baobab.band` → proxy) are explicit zone data in `group_vars`. This dissolves the bootstrap cycle that a Terraform-managed zone would create. If Terraform wrote records via RFC 2136, provisioning the **first** DNS server would 
diff --git a/terraform/environments/production/backend.tf b/terraform/environments/production/backend.tf index 00abe3e..b9abdd8 100644 --- a/terraform/environments/production/backend.tf +++ b/terraform/environments/production/backend.tf @@ -8,9 +8,9 @@ terraform { # # If Forgejo's HTTP state endpoint is unavailable, remove this block entirely # to fall back to local state on the control node. - address = "https://git.baobab.band/api/v1/repos///raw/terraform/state/production.tfstate" - lock_address = "https://git.baobab.band/api/v1/repos///raw/terraform/state/production.tfstate/lock" - unlock_address = "https://git.baobab.band/api/v1/repos///raw/terraform/state/production.tfstate/lock" + address = "https://forgejo.nyumbani.baobab.band/api/v1/repos///raw/terraform/state/production.tfstate" + lock_address = "https://forgejo.nyumbani.baobab.band/api/v1/repos///raw/terraform/state/production.tfstate/lock" + unlock_address = "https://forgejo.nyumbani.baobab.band/api/v1/repos///raw/terraform/state/production.tfstate/lock" lock_method = "POST" unlock_method = "DELETE" } diff --git a/terraform/environments/staging/backend.tf b/terraform/environments/staging/backend.tf index 0167f1c..1facab4 100644 --- a/terraform/environments/staging/backend.tf +++ b/terraform/environments/staging/backend.tf 
@@ -8,9 +8,9 @@ terraform { # # If Forgejo's HTTP state endpoint is unavailable, remove this block entirely # to fall back to local state on the control node. - address = "https://git.baobab.band/api/v1/repos///raw/terraform/state/staging.tfstate" - lock_address = "https://git.baobab.band/api/v1/repos///raw/terraform/state/staging.tfstate/lock" - unlock_address = "https://git.baobab.band/api/v1/repos///raw/terraform/state/staging.tfstate/lock" + address = "https://forgejo.nyumbani.baobab.band/api/v1/repos///raw/terraform/state/staging.tfstate" + lock_address = "https://forgejo.nyumbani.baobab.band/api/v1/repos///raw/terraform/state/staging.tfstate/lock" + unlock_address = "https://forgejo.nyumbani.baobab.band/api/v1/repos///raw/terraform/state/staging.tfstate/lock" lock_method = "POST" unlock_method = "DELETE" }
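Review bot: the Molecule platform image in `.scaffold/molecule.yml` is still referenced by the mutable `:latest` tag after the registry host change, and with `pre_build_image: true` Molecule pulls whatever that tag currently points to, so a re-pushed tag silently changes what every test run executes. ADR-008 justifies the project-owned image precisely to control this dependency, so pin it by digest (`image: forgejo.nyumbani.baobab.band///molecule-debian13@sha256:...`) or at least by an immutable version tag, in both the YAML and the "Registry" line of `docs/decisions/008-testing.md`. Also confirm that the Makefile targets named in the comment (`make molecule-image` / `make molecule-image-push`) were updated to the new host, since the Makefile is not part of this diff; otherwise the image is pushed to `git.baobab.band` and pulled from `forgejo.nyumbani.baobab.band`.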
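Review bot: the naming-convention table in `docs/decisions/007-network.md` now gives `forgejo.nyumbani.baobab.band` as the example for the "Public service FQDN" pattern `.baobab.band`, but the example introduces a `nyumbani` label that no row of the table defines, so the example no longer illustrates the stated pattern. Either add a row for the `nyumbani.baobab.band` zone (what the label denotes and which services live under it) or change the pattern column so that convention and example agree. The split-horizon example later in the same ADR and the zone-data example in ADR-009 use the same name and should match whatever the table ends up saying.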
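Review bot: ADR-009 says that service and split-horizon records such as `forgejo.nyumbani.baobab.band` → proxy are explicit zone data in `group_vars`, yet this diff renames the hostname only in documentation, `.scaffold/molecule.yml` and the two `backend.tf` files; no `group_vars` zone change is included. Without A/CNAME records for the new name (internal answer `10.20.0.12`, external answer the public IP, per ADR-007) the renamed Terraform backend address and the Molecule registry pull will not resolve from inside the network. Include the `group_vars` change in this PR or reference the change that carries it, and state whether `git.baobab.band` is retired outright or kept as a CNAME during the transition.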
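Review bot: changing `address`, `lock_address` and `unlock_address` in both `terraform/environments/production/backend.tf` and `terraform/environments/staging/backend.tf` is a backend configuration change, so every operator with an initialised working directory will get Terraform's "backend configuration changed" error on the next run and must pick `terraform init -reconfigure` (re-point without copying state) or `terraform init -migrate-state` (copy state to the new endpoint). If `forgejo.nyumbani.baobab.band` is the same Forgejo instance under a new name, `-reconfigure` is the right choice and `-migrate-state` would prompt about state that already exists at the destination; the ADR-006 "State backend" text or the commit message should say which applies so production and staging are switched the same way.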