From 02eba75d63a5de2e238484cbe748a4462e519d3b Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Sat, 21 Jan 2023 09:03:10 +0800
Subject: [PATCH] hosts/plover: update services host configurations
We're making some of them completely on the private network. This way, they can only be accessed once we're in a tunneling service like Wireguard or OpenVPN.
---
 hosts/plover/modules/hardware/networks.nix | 7 +++++++
 hosts/plover/modules/services/atuin.nix | 4 ++++
 hosts/plover/modules/services/keycloak.nix | 8 +++++---
 3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/hosts/plover/modules/hardware/networks.nix b/hosts/plover/modules/hardware/networks.nix
index 3f9b5b7c..d5cf138f 100644
--- a/hosts/plover/modules/hardware/networks.nix
+++ b/hosts/plover/modules/hardware/networks.nix
@@ -13,10 +13,17 @@ rec {
 publicIPv6PrefixLength = 64;
 publicIPv6' = "${publicIPv6}/${toString publicIPv6PrefixLength}";
+ # The private network for this host.
 privateIPNetworkRange = "172.16.0.0/32";
 privateNetworkGatewayIP = "172.16.0.1/32";
+ privateNetworkServicesPart = "172.18.25";
+ privateNetworkHostPart = hostPart: "${privateNetworkServicesPart}.${toString hostPart}";
 wireguardIPv6 = "fdee:b0de:54e6:ae74::";
 wireguardIPv6LengthPrefix = 64;
 wireguardPort = 51820;
+
+ # Applications that are supposed to be internal.
+ atuinHost = privateNetworkHostPart 3;
+ keycloakHost = privateNetworkHostPart 4;
 }
diff --git a/hosts/plover/modules/services/atuin.nix b/hosts/plover/modules/services/atuin.nix
index 4c7bfa7e..3e509aba 100644
--- a/hosts/plover/modules/services/atuin.nix
+++ b/hosts/plover/modules/services/atuin.nix
@@ -5,6 +5,8 @@ let
 atuinDomain = "atuin.${config.networking.domain}";
+
+ inherit (import ../hardware/networks.nix) atuinHost;
 in
 {
 # Atuin sync server because why not.
@@ -12,6 +14,8 @@ in
 enable = true;
 openFirewall = true;
 openRegistration = false;
+
+ host = atuinHost;
 port = 8965;
 };
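Review bot: The new `privateNetworkServicesPart = "172.18.25";` is placed under the added comment `# The private network for this host.` right next to `privateIPNetworkRange = "172.16.0.0/32";`, yet 172.18.25.x addresses are not inside that range, so networks.nix now carries two different notions of "private network" with nothing stating how they relate. A comment such as `# Service listeners bind on 172.18.25.x; this is a separate address space from privateIPNetworkRange above.` would resolve the ambiguity, or the range constant should be updated if the two are meant to be the same network. The addresses produced by `privateNetworkHostPart` presumably have to be assigned to a local interface before atuin and keycloak can bind to them; nothing in this hunk shows where that happens, so naming the interface (or the file that configures it) in the comment would help the next reader.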
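Review bot: `host = atuinHost;` narrows the listener to the private address, but `openFirewall = true;` two lines above still opens port 8965 on every interface, so the firewall rule no longer matches the "internal only" intent stated in the commit message. If the private address is reachable only over the tunnel, the global rule is unnecessary; if a rule is still wanted, scope it to the tunnel interface with `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 8965 ];` and drop `openFirewall`. The enclosing attribute set (presumably `services.atuin`) starts outside the hunk.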
diff --git a/hosts/plover/modules/services/keycloak.nix b/hosts/plover/modules/services/keycloak.nix
index 274de24e..14160ace 100644
--- a/hosts/plover/modules/services/keycloak.nix
+++ b/hosts/plover/modules/services/keycloak.nix
@@ -2,6 +2,8 @@
 { config, lib, pkgs, ... }:
 let
+ inherit (import ../hardware/networks.nix) keycloakHost;
+
 authDomain = "auth.${config.networking.domain}";
 # This is also set on our own.
@@ -15,7 +17,7 @@ in
 services.keycloak = {
 enable = true;
- # Pls change at first login.
+ # Pls change at first login. Or just change it through `kcadm.sh`.
 initialAdminPassword = "wow what is this thing";
 database = {
@@ -25,7 +27,7 @@ in
 };
 settings = {
- host = "127.0.0.1";
+ host = keycloakHost;
 db-schema = keycloakDbName;
@@ -73,7 +75,7 @@ in
 # This is based from the reverse proxy guide from the official
 # documentation at https://www.keycloak.org/server/reverseproxy.
 locations = let
- keycloakPath = path: "http://localhost:${toString config.services.keycloak.settings.http-port}";
+ keycloakPath = path: "http://${keycloakHost}:${toString config.services.keycloak.settings.http-port}";
 in lib.listToAttrs (lib.lists.map
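Review bot: The reworded comment on the `initialAdminPassword` line still leaves `initialAdminPassword = "wow what is this thing";` as a literal in the module, which is in git history with this patch and, once the configuration is evaluated, likely also in the world-readable Nix store. Since the commit touches this comment anyway, it should say what is actually expected of an operator, e.g. `# Bootstrap-only credential: it is public (repo + Nix store), so rotate it at first login or via kcadm.sh before exposing the instance.`. The `services.keycloak` block continues past the hunk.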
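Review bot: Changing `host = "127.0.0.1";` to `host = keycloakHost;` makes Keycloak's plain HTTP listener reachable by every peer on the private network instead of only by the nginx proxy on this host, and the reverse-proxy setup referenced later in the file presumably has Keycloak trust forwarded headers from whatever connects to that port. If only nginx is meant to reach it, the loopback bind was the tighter choice; if direct access from VPN peers is intended, state it, e.g. `# Bound to the private address on purpose: VPN peers may reach Keycloak directly, not only via nginx.`, and confirm that forwarded-header trust is restricted to the proxy. The `settings` attribute set continues outside the hunk.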