703c1128b0
ops: forgejo-runner-cacher
2024-11-20 01:13:04 +00:00
876e472a3c
ops/nixos: bvm-forgejo + pomerium
2024-11-10 21:55:37 +00:00
0c4a432cf2
ops/nixos/bsky-pds: init
2024-10-21 04:56:28 +01:00
b0eb1f77a0
ops/nixos/rexxar: enable fup
2024-10-20 17:21:54 +01:00
f97eeda933
vault: allow nausicaa access to the hackyplayer secrets
2024-06-28 08:20:01 +01:00
93d5a104da
add hackyplayer/hacky-vouchproxy/emfminiserv bits
2024-06-21 22:34:53 +01:00
ef157732dc
nixos: migrate gitlab-runner cache to rexxar
2024-03-26 19:00:40 +00:00
e7a1cf462c
rexxar: init
No BGP yet.
2024-03-25 19:13:05 +00:00
5dd4cbe7dd
nausicaa: init
2024-03-01 14:23:22 +00:00
6dd4431506
drop my own netbox build in favour of nixpkgs
2023-10-12 20:12:22 +00:00
86f193d44a
secretsmgr: add bare hostnames everywhere
2023-05-26 17:39:01 +01:00
983941331d
ops/vault: add nixbuild to clouvider-lon01
2023-05-07 14:39:17 +01:00
7fe7452e2f
ops/nixos: add tumblrandom
2023-04-18 20:05:51 +00:00
9aa6298df4
ssh-ca: also sign for otter-acoustic.ts.net
2023-03-12 03:53:42 +00:00
4daa3a593a
nixbuild-distributed: create
2023-03-09 21:33:42 +00:00
08d59f4e20
ops/vault: create binary-cache-deployer
2023-02-25 22:16:56 +00:00
d901b12f91
ops/vault: permit lukegbcom-deployer to write to lukegb-flipperzero bucket
2023-02-25 22:11:35 +00:00
8731a6a37f
ops/vault: allow servers to read their own wireguard keys
2023-01-15 19:23:53 +00:00
77c4d9d7c2
totoro: ADSB
2023-01-09 02:09:04 +00:00
653ac8f5f0
updateplexpass: use Plex Pass key to fetch new versions
2023-01-08 01:54:22 +00:00
5c1742e13f
depotwide: add google-cloudflare role
2022-08-10 01:51:46 +01:00
97d71c78a1
ops/vault: add authentik-backed auth
2022-05-21 15:42:55 +01:00
13d51a7978
ops/nixos: move gitlab-runner registration token to vault
2022-05-13 21:45:36 +00:00
bf601faa89
nix/pkgs/authentik: init
2022-05-12 22:55:10 +00:00
e51d58fac6
ops/vault: bump ACME TTL
2022-04-20 23:47:09 +01:00
dca96efffe
fup: move config to secret
2022-04-10 01:37:37 +01:00
8647af22d7
ops/nixos: put more things in Vault
2022-04-09 21:51:24 +01:00
2536214734
deluge: migrate auth file to vault
2022-04-09 20:59:11 +01:00
97a2e46eeb
lukegbcom: autodeploy using Vault
2022-04-05 22:04:32 +01:00
dbaabf1295
vault: deployer should be allowed to read nix-daemon secrets
2022-03-24 22:20:44 +00:00
7592e76a31
tokend: init
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.
It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
08b68745f0
ops/vault: move policies to token_policies
I want to be able to rescope these policies down in tokend, which means that I
can't have policies attached to the server's *identity*. Instead, we put these
on the approle, which allows us to down-scope all of these.
2022-03-20 11:29:10 +00:00
148e071c21
ops/vault/cfg: add acme-ca
2022-03-16 00:18:47 +00:00
fb7e18260a
ops/vault/cfg: where we're going, we don't need secrets.nix
2022-03-16 00:06:46 +00:00
23df8e3b18
ops/vault/cfg: initial configuration
2022-03-14 23:34:33 +00:00
92998b5d36
ops/vault/cfg: init terranix stuff
2022-03-14 21:29:15 +00:00