4daa3a593a
nixbuild-distributed: create
2023-03-09 21:33:42 +00:00
09610ee555
hm/client: copybara only on x86 Linux
2023-02-12 17:57:39 +00:00
28cbcf08a4
kerrigan: provision IPv6
2023-01-21 22:46:00 +00:00
d3fdb0b04d
ops/nixos/common: demand system as an arg
2023-01-21 18:59:48 +00:00
c8f1d10e4e
switch-prebuilt: update
2023-01-21 18:52:15 +00:00
f1118a9a04
cofractal-ams01: support v4-on-v6 + ENH
2023-01-19 09:29:37 +00:00
9213875d8b
cofractal-ams01: bgp-over-ipv4
2023-01-18 23:41:42 +00:00
756c1a3dd2
cofractal-ams01: more turnup bits
2023-01-18 21:43:48 +00:00
0583eb2f07
clouvider-lon01: enable aarch64 emulation
2023-01-17 21:49:53 +00:00
f8aaa89d74
coredns: update oracle-lon01, add cofractal-ams01
2023-01-17 21:45:18 +00:00
35a9ec6bf5
nhsenglandtests: delete
2023-01-15 16:26:50 +00:00
8407c1a743
hm/common: point at actual terminfo dir
2023-01-15 16:14:14 +00:00
e2b9b63743
terminfos: init
2023-01-15 16:10:12 +00:00
757900436a
hm/common: update blast IPs
2022-12-14 05:35:38 +00:00
c758bcb61a
hm/client: fix path to jj
2022-12-04 22:03:47 +00:00
754afefc78
jj: init at c52a14eac6532ba814c88f2c8c740415293bfb1a
2022-12-04 21:52:55 +00:00
980a2be55c
ops/nixos/hm/client: add git-absorb
2022-12-02 03:04:25 +00:00
08332c8a7b
hm/graphical-client: drop yubioath-desktop, since it got deleted from nixpkgs
2022-11-30 11:06:19 +00:00
79ae0d7fef
nix/pkgs/baserow/web-frontend: fix
...
We need to use openssl-legacy-provider to fix an issue with OpenSSL 3.x,
because Webpack (or Nuxt?) needs to use deprecated hashes.
2022-11-09 00:35:09 +00:00
b03bf3ea87
baserow: drop mjml-tcpserver
2022-11-02 02:08:52 +00:00
f34d5e20db
hm/common: no manuals
2022-11-02 00:49:53 +00:00
1d7a00e684
hm/graphical-client: add 'discord'
2022-10-31 20:09:53 +00:00
88334fa721
hm/porcorosso-wsl: drop genie
2022-10-08 21:27:01 +01:00
746c427690
hm/ext: init SSH config tweaks for 3p systems
2022-10-08 21:14:36 +01:00
e03ae8b853
treewide: fix things up for new nixpkgs
2022-10-02 22:23:44 +01:00
2796d03b22
nixos/client: add udisks2
2022-09-24 16:40:45 +01:00
27eb5b251e
blade-router: tweak export filter to drop local communities
2022-08-17 02:30:09 +01:00
a8bb05ba1e
blade-router: add ovh
2022-08-17 00:50:45 +01:00
9752742d76
bgp: force next-hop for OVH since I just can't talk to their router 2
2022-09-04 21:10:33 +01:00
2e56cddee5
hm/common: add a 'github' server alias
2022-09-04 21:10:20 +01:00
c16856f8ab
treewide: add my.ip.tailscale6
2022-09-02 00:22:16 +01:00
04df4d0a98
depotwide: make closures smaller, especially on frantech machines
2022-08-27 19:38:03 +01:00
4d0091c35e
as205479.net: add IPv6 tailnet, swap etheroute-lon01
2022-08-26 21:10:05 +01:00
203cba674d
blade: oops, we need SPICE
2022-08-26 21:00:52 +01:00
e43e0a4e25
ops/nixos: switch from iosevka to iosevka-bin
2022-08-14 23:01:39 +01:00
e25a1ba6c4
depotwide: fix stuff
2022-08-14 21:01:26 +01:00
5c1742e13f
depotwide: add google-cloudflare role
2022-08-10 01:51:46 +01:00
d1b8449d76
ops/nixos/blade-router: don't export routes to LINX collector
...
It confuses some other people on LINX, so for the avoidance of arguments let's Just Not.
2022-07-15 12:03:37 +01:00
49cab76737
nixos/hm/common: tweak ssh settings
2022-07-15 08:59:43 +01:00
64940e45d6
ops/nixos/graphical-client: install qFlipper
2022-07-07 22:06:35 +01:00
bd2be7196a
nixos/common: add pam-ussh
2022-06-04 12:21:32 +01:00
2c6be52ce9
howl: add BGP for EMFIX
2022-06-04 12:15:43 +01:00
e68f8b615f
hm/graphical-client-wayland: use wallpaper
2022-04-18 16:45:14 +01:00
60e6ae8af5
nixos/blade-router: bump LINX LON1 netmask to /21
2022-05-29 22:03:56 +01:00
977ee51c54
ops/nixos: change default for RP check to loose to silence Tailscale warnings
2022-05-21 16:31:58 +01:00
f7686f6a5a
hm/common: add whitby alias for ssh
2022-05-17 01:41:48 +01:00
7f587564de
porcorosso-wsl: don't try to load ed25519, use genie
2022-05-17 01:37:01 +01:00
4f3c21a8ea
blade: tweak rbd_cache settings
2022-05-02 17:40:32 +01:00
cb383c46ad
ops/nixos/lib/coredns: add IPv6 address for oracle-lon01
2022-05-12 18:38:16 +00:00
58793004a2
ops/nixos/hm/common: Tweak the IP for SAR1.
2022-04-30 16:48:35 +01:00
d21b733794
ops/nixos: add bgp.tools route collector
2022-04-30 16:48:01 +01:00
04e013b237
ops/nixos/bgp: add support for route collectors
2022-04-30 16:47:35 +01:00
6f70c36b8f
ops/nixos/blade: further nuke forwardX11
2022-04-16 01:52:50 +01:00
514d703560
ops/nixos/blade: nuke forwardX11
2022-04-16 01:48:32 +01:00
7b4febe0ab
ops/nixos/blade: honey I shrunk the closure
2022-04-10 02:20:41 +00:00
75d3386cd2
treewide: fix up for nixpkgs bump
2022-04-15 23:33:53 +01:00
b5fbf1f472
oracle-lon01: add my first aarch64-linux boxen
2022-04-13 12:03:56 +00:00
dca96efffe
fup: move config to secret
2022-04-10 01:37:37 +01:00
8647af22d7
ops/nixos: put more things in Vault
2022-04-09 21:51:24 +01:00
2536214734
deluge: migrate auth file to vault
2022-04-09 20:59:11 +01:00
55b6bd2a19
ops/nixos: add nixos-size to measure total closure pinned by booted-system/current-system mismatch
2022-04-07 03:42:17 +00:00
57c5a7d1ce
coredns: add bvm-paperless.int
2022-04-05 11:28:10 +01:00
8f6ae5cfd4
bvm-paperless: init
2022-04-04 19:11:22 +00:00
addba44d44
coredns: fix ipv6 zones
2022-03-30 17:25:25 +01:00
4b6b4842d1
update dns
2022-03-29 21:30:09 +01:00
3a32590571
go/access: init
2022-03-25 01:24:21 +00:00
eb163962a4
nixos/common: add wireguard-tools
2022-03-24 22:22:18 +00:00
7592e76a31
tokend: init
...
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.
It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
58a907b700
nixos/vault-agent: listen on UDS only
...
This UDS is going to be private to vault-agent and tokend (which doesn't exist
yet).
As a stopgap, for the moment, secretsmgrd will be granted direct access to
speak to the Vault Agent over the UDS.
tokend will be responsible for provisioning applications with tokens, by
issuing subtokens which have roles corresponding to the user account requesting
access.
2022-03-20 11:14:51 +00:00
132cb805b3
ops/vault: use wrapping token to protect secret IDs in transit
2022-03-20 10:14:02 +00:00
829d179d37
nixos/common: make the EnvironmentFile optional to avoid... problems
...
In general, it's better for us to fail to pass credentials to the Nix daemon
than it is for the Nix daemon to fail to start up entirely.
We will restart the daemon once the secrets have been delivered anyway.
2022-03-20 10:00:17 +00:00
c9ffb4ed3e
secretsmgr: actually _enable_ the timer unit
2022-03-18 01:08:35 +00:00
ce698ab382
nixos/secretsmgr: add the timer unit
2022-03-18 01:03:55 +00:00
b719181dfe
nixos: migrate to secretsmgr for sshd and ACME
2022-03-17 23:31:55 +00:00
702cd972ab
nixos/vault-agent: should care about /var/lib/vault-agent instead
2022-03-17 12:27:10 +00:00
b0d2782369
nixos/vault-agent: set a longer timeout on HTTP requests to upstream
2022-03-17 01:25:44 +00:00
f55dc46170
ssh-ca-vault: disable SSH host key signing for now
2022-03-14 21:28:37 +00:00
f1fcda810a
vault-agent-acme: disable
2022-03-12 23:39:45 +00:00
f15e112da7
ssh-ca-vault: by default enable user matches
2022-03-11 22:31:57 +00:00
ae97fddae2
vault-agent-acme: migrate to using a single token file that writes the other files as a side-effect
...
This avoids annoying problems like "too many" retries for certificate issuance,
since we only ask for the secret once.
2022-03-11 22:07:31 +00:00
ac0c6eccef
ssh-ca-vault: init
2022-03-11 21:48:06 +00:00
86a6191a56
vault-agent-secrets: add wantedBy for all restartable units too
2022-03-11 18:48:54 +00:00
ada466bae0
vault-agent-secrets: put Before in the correct place
2022-03-11 18:48:08 +00:00
fde964db82
hm/client: add VAULT_ADDR env variable
2022-03-11 18:44:52 +00:00
0187120a24
ops/nixos: move nix cache tokens into vault
2022-03-11 16:46:50 +00:00
34fa21a171
treewide: fix eval fallout from nixpkgs bump
2022-03-11 14:56:55 +00:00
6e6e714cf1
ops/nixos: init vault-agent-secrets module
2022-03-11 14:40:08 +00:00
f9546ed62a
ts3spotifybot: remove for now
2022-03-11 10:02:22 +00:00
4be2eaeb6d
nixos/lib/common: remove security.acme
2022-03-11 03:28:32 +00:00
0c458988de
ops/nixos: misc cleanups
2022-03-11 03:27:58 +00:00
daccfa5717
ops/nixos: migrate everything to vault-agent-acme
2022-03-07 00:52:03 +00:00
0c7f785107
vault-agent-acme: tidy up
2022-03-06 23:01:51 +00:00
8be4fe603e
vault-agent-acme: init
2022-03-06 22:26:49 +00:00
dfb663e659
blade-router: mark cloudflare as pending
2022-03-03 17:38:19 +00:00
c357d5ed8f
blade-router: add cloudflare2
2022-03-03 17:37:41 +00:00
610d5ccf40
hm/porcorosso-wsl: add nixpkgs to NIX_PATH
2022-03-03 16:25:34 +00:00
d79faeb3e0
porcorosso-wsl: add keychain
2022-02-27 19:44:48 +00:00
df2c10ed4e
porcorosso-wsl: init
2022-02-27 19:32:48 +00:00
cbabb6f211
ops/nixos: migrate nix.maxJobs/binaryCaches/trustedBinaryCaches to the nix.settings equivalents
2022-01-30 20:30:20 +00:00
14a8bd4945
lib/blade-router: fix
2022-01-30 20:22:10 +00:00