Commit graph

428 commits

Author SHA1 Message Date
d21b733794 ops/nixos: add bgp.tools route collector 2022-04-30 16:48:01 +01:00
04e013b237 ops/nixos/bgp: add support for route collectors 2022-04-30 16:47:35 +01:00
6f70c36b8f ops/nixos/blade: further nuke forwardX11 2022-04-16 01:52:50 +01:00
514d703560 ops/nixos/blade: nuke forwardX11 2022-04-16 01:48:32 +01:00
7b4febe0ab ops/nixos/blade: honey I shrunk the closure 2022-04-10 02:20:41 +00:00
75d3386cd2 treewide: fix up for nixpkgs bump 2022-04-15 23:33:53 +01:00
b5fbf1f472 oracle-lon01: add my first aarch64-linux boxen 2022-04-13 12:03:56 +00:00
dca96efffe fup: move config to secret 2022-04-10 01:37:37 +01:00
8647af22d7 ops/nixos: put more things in Vault 2022-04-09 21:51:24 +01:00
2536214734 deluge: migrate auth file to vault 2022-04-09 20:59:11 +01:00
55b6bd2a19 ops/nixos: add nixos-size to measure total closure pinned by booted-system/current-system mismatch 2022-04-07 03:42:17 +00:00
57c5a7d1ce coredns: add bvm-paperless.int 2022-04-05 11:28:10 +01:00
8f6ae5cfd4 bvm-paperless: init 2022-04-04 19:11:22 +00:00
addba44d44 coredns: fix ipv6 zones 2022-03-30 17:25:25 +01:00
4b6b4842d1 update dns 2022-03-29 21:30:09 +01:00
3a32590571 go/access: init 2022-03-25 01:24:21 +00:00
eb163962a4 nixos/common: add wireguard-tools 2022-03-24 22:22:18 +00:00
7592e76a31 tokend: init
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.

It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
58a907b700 nixos/vault-agent: listen on UDS only
This UDS is going to be private to vault-agent and tokend (which doesn't exist
yet).

As a stopgap, for the moment, secretsmgrd will be granted direct access to
speak to the Vault Agent over the UDS.

tokend will be responsible for provisioning applications with tokens, by
issuing subtokens which have roles corresponding to the user account requesting
access.
2022-03-20 11:14:51 +00:00
132cb805b3 ops/vault: use wrapping token to protect secret IDs in transit 2022-03-20 10:14:02 +00:00
829d179d37 nixos/common: make the EnvironmentFile optional to avoid... problems
In general, it's better for us to fail to pass credentials to the Nix daemon
than it is for the Nix daemon to fail to start up entirely.

We will restart the daemon once the secrets have been delivered anyway.
2022-03-20 10:00:17 +00:00
c9ffb4ed3e secretsmgr: actually _enable_ the timer unit 2022-03-18 01:08:35 +00:00
ce698ab382 nixos/secretsmgr: add the timer unit 2022-03-18 01:03:55 +00:00
b719181dfe nixos: migrate to secretsmgr for sshd and ACME 2022-03-17 23:31:55 +00:00
702cd972ab nixos/vault-agent: should care about /var/lib/vault-agent instead 2022-03-17 12:27:10 +00:00
b0d2782369 nixos/vault-agent: set a longer timeout on HTTP requests to upstream 2022-03-17 01:25:44 +00:00
f55dc46170 ssh-ca-vault: disable SSH host key signing for now 2022-03-14 21:28:37 +00:00
f1fcda810a vault-agent-acme: disable 2022-03-12 23:39:45 +00:00
f15e112da7 ssh-ca-vault: by default enable user matches 2022-03-11 22:31:57 +00:00
ae97fddae2 vault-agent-acme: migrate to using a single token file that writes the other files as a side-effect
This avoids annoying problems like "too many" retries for certificate issuance,
since we only ask for the secret once.
2022-03-11 22:07:31 +00:00
ac0c6eccef ssh-ca-vault: init 2022-03-11 21:48:06 +00:00
86a6191a56 vault-agent-secrets: add wantedBy for all restartable units too 2022-03-11 18:48:54 +00:00
ada466bae0 vault-agent-secrets: put Before in the correct place 2022-03-11 18:48:08 +00:00
fde964db82 hm/client: add VAULT_ADDR env variable 2022-03-11 18:44:52 +00:00
0187120a24 ops/nixos: move nix cache tokens into vault 2022-03-11 16:46:50 +00:00
34fa21a171 treewide: fix eval fallout from nixpkgs bump 2022-03-11 14:56:55 +00:00
6e6e714cf1 ops/nixos: init vault-agent-secrets module 2022-03-11 14:40:08 +00:00
f9546ed62a ts3spotifybot: remove for now 2022-03-11 10:02:22 +00:00
4be2eaeb6d nixos/lib/common: remove security.acme 2022-03-11 03:28:32 +00:00
0c458988de ops/nixos: misc cleanups 2022-03-11 03:27:58 +00:00
daccfa5717 ops/nixos: migrate everything to vault-agent-acme 2022-03-07 00:52:03 +00:00
0c7f785107 vault-agent-acme: tidy up 2022-03-06 23:01:51 +00:00
8be4fe603e vault-agent-acme: init 2022-03-06 22:26:49 +00:00
dfb663e659 blade-router: mark cloudflare as pending 2022-03-03 17:38:19 +00:00
c357d5ed8f blade-router: add cloudflare2 2022-03-03 17:37:41 +00:00
610d5ccf40 hm/porcorosso-wsl: add nixpkgs to NIX_PATH 2022-03-03 16:25:34 +00:00
d79faeb3e0 porcorosso-wsl: add keychain 2022-02-27 19:44:48 +00:00
df2c10ed4e porcorosso-wsl: init 2022-02-27 19:32:48 +00:00
cbabb6f211 ops/nixos: migrate nix.maxJobs/binaryCaches/trustedBinaryCaches to the nix.settings equivalents 2022-01-30 20:30:20 +00:00
14a8bd4945 lib/blade-router: fix 2022-01-30 20:22:10 +00:00
947d959cfe hm/graphical-client-wayland: swap to env variable + normal element-desktop 2022-01-30 16:46:01 +00:00
652cb68e09 bgp: avoid sending routes to clouvider over routeservers 2022-01-30 15:57:35 +00:00
4065f9ac28 ops/nixos/hm: add vault 2022-01-23 23:58:55 +00:00
7c418666fe ops/nixos: add some vault-agent setup 2022-01-23 23:38:40 +00:00
3ad4c2399a nix/pkgs/lutris: add more deps 2022-01-23 23:37:19 +00:00
3eb564f12b ops/nixos: factor out various things from clouvider-fra01 2022-01-23 16:58:29 +00:00
bf8e6b62ed ops/nixos/hm: switch to networkmanagerapplet 2022-01-20 22:50:47 +00:00
6276e4b620 ops/nixos: add common-updater-scripts to hm/client 2022-01-16 18:04:24 +00:00
d8186b8f14 ops/nixos/graphical-client: enable gnome-keyring 2022-01-16 18:04:14 +00:00
9be6bcaf2d ops/nixos: set up gnetwork link 2022-01-14 19:42:06 +00:00
7cfef2cd98 coredns/zones: add lukegb01.ring.nlnog.net 2022-01-10 23:35:54 +00:00
4f0a7b60bc ops/nixos: use higher-priority 'mkDefault' 2022-01-09 21:38:17 +00:00
9472db4577 ops/nixos: consolidate Frantech VM configs into lib/frantech.nix 2022-01-08 21:49:09 +00:00
ad95bffd3d ops/nixos: tidy up networking.useDHCP 2022-01-08 21:45:18 +00:00
f463055acf ops/nixos: pipewire for everyone 2022-01-08 21:41:30 +00:00
05be94e4d7 ops/nixos/common: disable DNSSEC in systemd-resolved
It's super broken.

At the moment, resolving foss.heptapod.net breaks, because clever-cloud.com has
DNSKEY records but there's no matching DS record at .com for it.

There are also other reports: https://github.com/systemd/systemd/issues/12388

tl;dr: it just doesn't work, let's not use that.
2022-01-08 12:09:26 +00:00
6ab12dcad5 ops/nixos: rm marukuru 2022-01-06 15:55:21 +00:00
d79265ddad ops/nixos: tidy up security.acme 2022-01-04 14:00:45 +00:00
de71fd5c9a ops/nixos/lib/common: add global DNS servers 2022-01-04 13:32:56 +00:00
8cc6e2001a ops/nixos: create permanent quotesdb user
Stop relying on DynamicUser because it messes a bit with postgres' auth.
2022-01-01 21:49:23 +00:00
67b038c2bc ops/nixos/common: turn off logRefusedConnections - it's super noisy 2022-01-01 20:56:41 +00:00
7b4e6c0e1b ops/nixos: oops, try to fix my.scrapeJournal.addr 2022-01-01 15:14:02 +00:00
c91a42948d journal2clickhouse: init 2022-01-01 15:08:52 +00:00
c5119b4882 ops/nixos: enable HTTP gateway if Tailscale is configured 2022-01-01 12:40:13 +00:00
1f13fd811d coredns: bind to specific interfaces/IPs 2022-01-01 09:03:25 +00:00
8e28b5bbfe ops/nixos: drop Google/AS15169 routes from Veloxserv to prefer RouteServer 2022-01-01 03:02:55 +00:00
bfd08b08cf ops/nixos: add fastly passive peer 2022-01-01 02:39:01 +00:00
e182171916 ops/nixos: disable LLMNR 2022-01-01 00:41:37 +00:00
f35a79444c ops/nixos: add better support for specialisations 2021-12-31 23:51:09 +00:00
060f2cf96b nhsenglandtests: init 2021-12-31 07:00:32 +00:00
66d1ae3939 lib/hm/graphical-client-wayland: add mako 2021-12-31 04:48:51 +00:00
6cb1af2f35 ops/nixos: start using systemd-resolved 2021-12-28 18:42:42 +00:00
837f7074ac ops/nixos: fix MAC address for vl-linx 2021-12-27 06:50:12 +00:00
a41abf3d6e ops/nixos/lib/hm: add element-desktop/element-desktop-wayland 2021-12-27 02:58:53 +00:00
ab9dd5d35a common: remove nhs.uk IPv6 mapping 2021-12-24 02:27:15 +00:00
05aea7f5f1 ops/nixos: migrate from services.redis to services.redis.servers."" 2021-12-24 02:02:57 +00:00
4e4e8de984 ops/nixos: init bvm-logger 2021-12-23 04:11:39 +00:00
69db0e2a98 baserow: add nginx to baserow group too 2021-12-21 08:31:11 +00:00
c7a9d4ef76 baserow: tweak umask for opendkim... 2021-12-21 08:22:01 +00:00
1c97d3cd15 baserow: add postfix to opendkim group 2021-12-21 08:19:27 +00:00
656df5ac5b common: add kitty.terminfo 2021-12-21 08:13:20 +00:00
ee2598c29b baserow: oops, need the config argument 2021-12-21 08:12:39 +00:00
455856d7c0 baserow: enable postfix (totoro) 2021-12-21 08:11:38 +00:00
93a070870a nix/pkgs/baserow: hooray, it works 2021-12-21 05:48:40 +00:00
5eb7f7102f bvm-heptapod: init 2021-12-17 01:28:39 +00:00
fee02312d3 blade-tuvok: move public interface off a VLAN
Previously, the public/internal interfaces were VLANned onto the same NIC. For
some reason, sometimes the Emulex adapters seem to end up not getting configured
properly, which causes me no end of pain when I spend time trying to debug why
none of my VMs can see the internet anymore.

Instead of doing this, put the public interface onto its own actual virtual
network interface.
2021-12-17 00:27:24 +00:00
29f7073384 ops/nixos: compatibility with NixOS 22.05 2021-12-07 19:13:04 +00:00
105fcf1d50 coredns/zones: quadv stuff 2021-12-07 16:01:57 +00:00
da0717b02c ops/nixos: don't announce QuadV net everywhere by default 2021-12-07 15:19:45 +00:00
a1ee1e396c ops/nixos: alacritty -> kitty 2021-11-28 12:51:40 +00:00
7cbd53de1a ops/nixos: add blast configs 2021-11-25 17:14:03 +00:00
86e0ce9af9 nix/pkgs/datez: init 2021-11-18 21:33:40 +00:00
9c8f3824a8 ops/nixos/lib/blade: virtualisation.libvirtd.qemuRunAsRoot -> virtualisation.libvirtd.qemu.runAsRoot 2021-11-05 01:34:04 +00:00
a4f786f709 hm: add su-cinema-ernie 2021-10-19 07:53:59 +01:00
00a02f8772 coredns: use the correct syntax, oops 2021-09-25 21:27:24 +00:00
bbbdfd5138 as205479.net: hmm, what 2021-09-25 21:18:09 +00:00
c976214bf8 coredns: _acme-challenge.www.as205479.net -> _acme-challenge.as205479.net 2021-09-25 21:03:14 +00:00
9c92e12742 bvm-radius: start serving as205479.net webpage 2021-09-25 20:51:24 +00:00
a8718864c1 swann: configure for eduroam on VLAN 100 2021-09-25 17:38:21 +00:00
b50fa68559 coredns: delegate _acme-challenge to GCP DNS 2021-09-25 13:17:52 +00:00
0d6ab41728 bvm-radius: add tailscale IP 2021-09-25 12:19:07 +00:00
c908e3ab5d coredns: add RADSEC entry for as205479.net. 2021-09-25 11:45:05 +00:00
158e0afcf3 coredns: init bvm-radius 2021-09-24 22:46:44 +00:00
ccec4b308b as205479.net: add MX records 2021-09-19 00:08:03 +00:00
19782a9e63 ops/nixos: set group for isSystemUser users 2021-09-16 19:14:30 +00:00
cb7811898c blade-tuvok: set bgp_local_prefs 2021-09-10 20:46:05 +00:00
dbf906a9a7 blade-router: add cloudflare 2021-09-10 20:23:24 +00:00
3ba0ab045c blade-router: remove prefix limit 2021-09-10 20:00:31 +00:00
e7bfb107b1 coredns: update mac-mini tailscale IP 2021-09-05 08:07:14 +00:00
3abe727604 blade-router: add google session, which will hopefully turn up eventually 2021-08-31 20:36:26 +00:00
b4c80a07fa blade-router: configure passive session towards AS62240 2021-08-31 16:39:23 +00:00
f7fbfa5436 nix/pkgs: init prometheus-bird-exporter-lfty 2021-08-31 02:01:38 +00:00
a0d97e082d blade-tuvok: also NAT things going out onto linx 2021-08-31 01:37:34 +00:00
7134fe904a ops/nixos: implement BFD+WG tunneling for mldn-rd 2021-08-30 19:58:21 +01:00
bc1932df9b hm: start 1password's gui silently 2021-08-30 14:26:25 +01:00
dbcaa51968 hgrc: remove requirement for topic 2021-08-20 23:40:53 +00:00
4b7680acae ops/nixos/blade: force external IP to vl-transit 2021-08-20 23:34:54 +00:00
0ee916e49e ops/nixos/bgp: don't export routes to FB 2021-08-20 23:34:43 +00:00
0dd2d5d442 ops/nixos/bgp: more filtering shenanigans 2021-08-19 00:23:09 +00:00
fdacf57ead blade-tuvok: LINX updates 2021-08-17 01:30:33 +00:00
8ad77134ae ops/nixos/coredns: force store paths 2021-08-16 02:32:44 +00:00
68e0ee0a18 ops/nixos/coredns: add bvm-netbox to int zone 2021-08-16 02:19:38 +00:00
286ed4885d ops/nixos: add bvm-netbox 2021-08-15 22:46:57 +00:00
7a3f214944 ops/nixos: switch to VLANs for uplink to veloxserv 2021-08-15 22:02:51 +00:00
c79ca35b6f nixos/blade-router: disable routes-VRRP
This is no longer needed; I think actually it was some of the NixOS default
reverse-path filtering that was throwing me for a loop after all and nothing to
do with what was going on with Veloxserv.
2021-08-14 21:07:37 +00:00
23eda90726 ops/nixos/lib/common: add the running system hash to the exported metrics 2021-07-27 21:06:17 +00:00
9dfb1d205d ops/nixos/lib/bgp: disable rp filtering on hosts running BGP 2021-07-17 14:29:04 +00:00
1557066375 coredns: allow tailscale net 2021-07-16 01:32:54 +00:00
eea81a640e coredns: add bvm-plesk 2021-07-10 12:19:24 +00:00
9f5c1193b6 hgrc: tweak my settings along the lines of https://octobus.net/blog/2020-11-26-modern-mercurial.html 2021-07-03 19:02:18 +00:00
606ff984eb ops/nixos: minotarproxy-as-a-lib 2021-07-01 01:48:12 +00:00
cadeef609f hm/hgrc: switch from hggit to in-tree git 2021-06-22 20:48:11 +00:00
072cecb2e5 hm/gc-wayland: oops, no notification attr 2021-06-22 20:27:52 +00:00
eef598ec1f hm/graphical-client: add 1password to startup 2021-06-19 19:07:32 +01:00
c56b6b358f coredns: add blade-{oa,vcenet1,vcenet2,vcm} 2021-05-24 13:54:14 +00:00
1fc6e8f032 coredns: bump serials 2021-05-24 02:37:27 +00:00
499ff8f945 coredns: move bvm to root zone, out of public 2021-05-24 02:31:09 +00:00
ed79fe89bd bvm-minecraft: init 2021-05-24 01:32:58 +00:00
38b306b095 bvm-matrix: add tailscale IP 2021-05-22 22:48:03 +00:00
4dc516722b ops/nixos: add bvm-matrix 2021-05-22 21:48:13 +00:00