Correct Forgejo host to forgejo.nyumbani.baobab.band
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
parent
4ee1b66e23
commit
810e6d557b
7 changed files with 12 additions and 12 deletions
|
|
@ -12,7 +12,7 @@ platforms:
|
||||||
# Project-owned image built from .docker/molecule-debian13/Dockerfile
|
# Project-owned image built from .docker/molecule-debian13/Dockerfile
|
||||||
# and hosted in the Forgejo container registry.
|
# and hosted in the Forgejo container registry.
|
||||||
# Build/push with: make molecule-image / make molecule-image-push
|
# Build/push with: make molecule-image / make molecule-image-push
|
||||||
image: git.baobab.band/<owner>/<repo>/molecule-debian13:latest
|
image: forgejo.nyumbani.baobab.band/<owner>/<repo>/molecule-debian13:latest
|
||||||
pre_build_image: true
|
pre_build_image: true
|
||||||
privileged: true # required for systemd
|
privileged: true # required for systemd
|
||||||
cgroupns_mode: host
|
cgroupns_mode: host
|
||||||
|
|
|
||||||
|
|
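Review bot: The new `image:` line still pulls a mutable `:latest` tag, and the same platform entry sets `privileged: true` with `cgroupns_mode: host`, so whatever the registry serves under that tag runs privileged on the machine executing Molecule. Since the registry reference is being edited anyway, consider pinning the image by digest (`.../molecule-debian13@sha256:<digest>`) or by an immutable version tag, and updating the pin whenever `make molecule-image-push` publishes a new build.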
@ -45,7 +45,7 @@ has been run).
|
||||||
|
|
||||||
## State backend
|
## State backend
|
||||||
|
|
||||||
**Choice**: Forgejo HTTP backend (self-hosted at git.baobab.band)
|
**Choice**: Forgejo HTTP backend (self-hosted at forgejo.nyumbani.baobab.band)
|
||||||
|
|
||||||
Keeps all state on the same self-hosted stack without additional services.
|
Keeps all state on the same self-hosted stack without additional services.
|
||||||
Authentication uses a Forgejo personal access token via `TF_HTTP_USERNAME` and
|
Authentication uses a Forgejo personal access token via `TF_HTTP_USERNAME` and
|
||||||
|
|
|
||||||
|
|
@ -150,7 +150,7 @@ IoT devices cannot initiate connections to `srv`.
|
||||||
| Infrastructure VMs | `<role><n>` | `dns1`, `dns2`, `proxy` |
|
| Infrastructure VMs | `<role><n>` | `dns1`, `dns2`, `proxy` |
|
||||||
| Hetzner VPS | `askari` | Swahili for guard/sentinel |
|
| Hetzner VPS | `askari` | Swahili for guard/sentinel |
|
||||||
| Internal FQDN | `<host>.boma.baobab.band` | `dns1.boma.baobab.band` |
|
| Internal FQDN | `<host>.boma.baobab.band` | `dns1.boma.baobab.band` |
|
||||||
| Public service FQDN | `<service>.baobab.band` | `git.baobab.band` |
|
| Public service FQDN | `<service>.baobab.band` | `forgejo.nyumbani.baobab.band` |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
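Review bot: In the `Public service FQDN` row the example no longer matches its own pattern: the pattern column still reads `<service>.baobab.band`, while the new example `forgejo.nyumbani.baobab.band` carries an extra `nyumbani` label. Either update the pattern so it covers the new form or add a separate row for it, so the naming table keeps describing a rule rather than an exception.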
@ -166,7 +166,7 @@ Terraform itself writes no DNS records — see ADR-009.
|
||||||
Public-facing services resolve to the public IP or Cloudflare proxy.
|
Public-facing services resolve to the public IP or Cloudflare proxy.
|
||||||
|
|
||||||
**Split-horizon**: `dns1`/`dns2` serve internal answers for any hostname that has
|
**Split-horizon**: `dns1`/`dns2` serve internal answers for any hostname that has
|
||||||
both a public and private face. Example: `git.baobab.band` resolves to
|
both a public and private face. Example: `forgejo.nyumbani.baobab.band` resolves to
|
||||||
`10.20.0.12` (proxy) internally and to the public IP externally.
|
`10.20.0.12` (proxy) internally and to the public IP externally.
|
||||||
|
|
||||||
OPNsense DNS resolver forwards `boma.baobab.band` queries to `dns1`/`dns2`.
|
OPNsense DNS resolver forwards `boma.baobab.band` queries to `dns1`/`dns2`.
|
||||||
|
|
|
||||||
|
|
@ -62,7 +62,7 @@ configuration issues invisible to Ansible check mode.
|
||||||
**Source**: `.docker/molecule-debian13/Dockerfile`
|
**Source**: `.docker/molecule-debian13/Dockerfile`
|
||||||
**Base**: `debian:trixie-slim` (official Debian 13, Docker Hub — only external
|
**Base**: `debian:trixie-slim` (official Debian 13, Docker Hub — only external
|
||||||
dependency permitted here, as the base OS image is not substitutable)
|
dependency permitted here, as the base OS image is not substitutable)
|
||||||
**Registry**: `git.baobab.band/<owner>/<repo-name>/molecule-debian13:latest`
|
**Registry**: `forgejo.nyumbani.baobab.band/<owner>/<repo-name>/molecule-debian13:latest`
|
||||||
|
|
||||||
Build and push with:
|
Build and push with:
|
||||||
```bash
|
```bash
|
||||||
|
|
|
||||||
|
|
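Review bot: The `**Registry**` line uses the placeholder `<owner>/<repo-name>`, whereas the `image:` line changed in the Molecule platform config in this same commit uses `<owner>/<repo>`. Use one placeholder spelling in both places so the documented registry path can be compared directly against the configured one.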
@ -108,7 +108,7 @@ rendered entirely by the Ansible `dns` role:
|
||||||
remains the ultimate source of truth for which hosts exist; the data simply flows
|
remains the ultimate source of truth for which hosts exist; the data simply flows
|
||||||
through the inventory instead of through a direct Terraform→DNS write.
|
through the inventory instead of through a direct Terraform→DNS write.
|
||||||
- **Service, alias (CNAME), split-horizon, and non-VM records** (e.g. the OPNsense
|
- **Service, alias (CNAME), split-horizon, and non-VM records** (e.g. the OPNsense
|
||||||
gateway, `git.baobab.band` → proxy) are explicit zone data in `group_vars`.
|
gateway, `forgejo.nyumbani.baobab.band` → proxy) are explicit zone data in `group_vars`.
|
||||||
|
|
||||||
This dissolves the bootstrap cycle that a Terraform-managed zone would create. If
|
This dissolves the bootstrap cycle that a Terraform-managed zone would create. If
|
||||||
Terraform wrote records via RFC 2136, provisioning the **first** DNS server would
|
Terraform wrote records via RFC 2136, provisioning the **first** DNS server would
|
||||||
|
|
|
||||||
|
|
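Review bot: The bullet states that the `forgejo.nyumbani.baobab.band` → proxy record is explicit zone data in `group_vars`, but the hunks shown in this commit only touch documentation, the Molecule image reference and the Terraform backend blocks. Please confirm that the record in `group_vars` was renamed as well, or include that change here; otherwise the documented name and the zone served by `dns1`/`dns2` diverge.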
@ -8,9 +8,9 @@ terraform {
|
||||||
#
|
#
|
||||||
# If Forgejo's HTTP state endpoint is unavailable, remove this block entirely
|
# If Forgejo's HTTP state endpoint is unavailable, remove this block entirely
|
||||||
# to fall back to local state on the control node.
|
# to fall back to local state on the control node.
|
||||||
address = "https://git.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/production.tfstate"
|
address = "https://forgejo.nyumbani.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/production.tfstate"
|
||||||
lock_address = "https://git.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/production.tfstate/lock"
|
lock_address = "https://forgejo.nyumbani.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/production.tfstate/lock"
|
||||||
unlock_address = "https://git.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/production.tfstate/lock"
|
unlock_address = "https://forgejo.nyumbani.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/production.tfstate/lock"
|
||||||
lock_method = "POST"
|
lock_method = "POST"
|
||||||
unlock_method = "DELETE"
|
unlock_method = "DELETE"
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
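Review bot: Changing `address`, `lock_address` and `unlock_address` alters the backend configuration, so any working directory already initialised against the old host will refuse to plan until `terraform init -reconfigure` is run. That step is worth stating in the commit message or next to the comment about falling back to local state, so nobody removes the block to get past the error.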
@ -8,9 +8,9 @@ terraform {
|
||||||
#
|
#
|
||||||
# If Forgejo's HTTP state endpoint is unavailable, remove this block entirely
|
# If Forgejo's HTTP state endpoint is unavailable, remove this block entirely
|
||||||
# to fall back to local state on the control node.
|
# to fall back to local state on the control node.
|
||||||
address = "https://git.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/staging.tfstate"
|
address = "https://forgejo.nyumbani.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/staging.tfstate"
|
||||||
lock_address = "https://git.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/staging.tfstate/lock"
|
lock_address = "https://forgejo.nyumbani.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/staging.tfstate/lock"
|
||||||
unlock_address = "https://git.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/staging.tfstate/lock"
|
unlock_address = "https://forgejo.nyumbani.baobab.band/api/v1/repos/<owner>/<repo>/raw/terraform/state/staging.tfstate/lock"
|
||||||
lock_method = "POST"
|
lock_method = "POST"
|
||||||
unlock_method = "DELETE"
|
unlock_method = "DELETE"
|
||||||
}
|
}
|
||||||
|
|
|
||||||
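Review bot: The three URLs in this block still contain the literal `<owner>/<repo>` placeholders, so the backend cannot initialise as committed. If the real values are meant to be supplied at init time, consider moving the addresses into a per-environment file passed with `terraform init -backend-config=<file>` and documenting that, which also removes the need to edit the host by hand in each URL.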