c9ffb4ed3e
secretsmgr: actually _enable_ the timer unit
2022-03-18 01:08:35 +00:00
ce698ab382
nixos/secretsmgr: add the timer unit
2022-03-18 01:03:55 +00:00
b719181dfe
nixos: migrate to secretsmgr for sshd and ACME
2022-03-17 23:31:55 +00:00
702cd972ab
nixos/vault-agent: should care about /var/lib/vault-agent instead
2022-03-17 12:27:10 +00:00
b0d2782369
nixos/vault-agent: set a longer timeout on HTTP requests to upstream
2022-03-17 01:25:44 +00:00
f55dc46170
ssh-ca-vault: disable SSH host key signing for now
2022-03-14 21:28:37 +00:00
f1fcda810a
vault-agent-acme: disable
2022-03-12 23:39:45 +00:00
f15e112da7
ssh-ca-vault: by default enable user matches
2022-03-11 22:31:57 +00:00
ae97fddae2
vault-agent-acme: migrate to using a single token file that writes the other files as a side-effect
...
This avoids annoying problems like "too many" retries for certificate issuance,
since we only ask for the secret once.
2022-03-11 22:07:31 +00:00
ac0c6eccef
ssh-ca-vault: init
2022-03-11 21:48:06 +00:00
86a6191a56
vault-agent-secrets: add wantedBy for all restartable units too
2022-03-11 18:48:54 +00:00
ada466bae0
vault-agent-secrets: put Before in the correct place
2022-03-11 18:48:08 +00:00
fde964db82
hm/client: add VAULT_ADDR env variable
2022-03-11 18:44:52 +00:00
0187120a24
ops/nixos: move nix cache tokens into vault
2022-03-11 16:46:50 +00:00
34fa21a171
treewide: fix eval fallout from nixpkgs bump
2022-03-11 14:56:55 +00:00
6e6e714cf1
ops/nixos: init vault-agent-secrets module
2022-03-11 14:40:08 +00:00
f9546ed62a
ts3spotifybot: remove for now
2022-03-11 10:02:22 +00:00
4be2eaeb6d
nixos/lib/common: remove security.acme
2022-03-11 03:28:32 +00:00
0c458988de
ops/nixos: misc cleanups
2022-03-11 03:27:58 +00:00
daccfa5717
ops/nixos: migrate everything to vault-agent-acme
2022-03-07 00:52:03 +00:00
0c7f785107
vault-agent-acme: tidy up
2022-03-06 23:01:51 +00:00
8be4fe603e
vault-agent-acme: init
2022-03-06 22:26:49 +00:00
dfb663e659
blade-router: mark cloudflare as pending
2022-03-03 17:38:19 +00:00
c357d5ed8f
blade-router: add cloudflare2
2022-03-03 17:37:41 +00:00
610d5ccf40
hm/porcorosso-wsl: add nixpkgs to NIX_PATH
2022-03-03 16:25:34 +00:00
d79faeb3e0
porcorosso-wsl: add keychain
2022-02-27 19:44:48 +00:00
df2c10ed4e
porcorosso-wsl: init
2022-02-27 19:32:48 +00:00
cbabb6f211
ops/nixos: migrate nix.maxJobs/binaryCaches/trustedBinaryCaches to the nix.settings equivalents
2022-01-30 20:30:20 +00:00
14a8bd4945
lib/blade-router: fix
2022-01-30 20:22:10 +00:00
947d959cfe
hm/graphical-client-wayland: swap to env variable + normal element-desktop
2022-01-30 16:46:01 +00:00
652cb68e09
bgp: avoid sending routes to clouvider over routeservers
2022-01-30 15:57:35 +00:00
4065f9ac28
ops/nixos/hm: add vault
2022-01-23 23:58:55 +00:00
7c418666fe
ops/nixos: add some vault-agent setup
2022-01-23 23:38:40 +00:00
3ad4c2399a
nix/pkgs/lutris: add more deps
2022-01-23 23:37:19 +00:00
3eb564f12b
ops/nixos: factor out various things from clouvider-fra01
2022-01-23 16:58:29 +00:00
bf8e6b62ed
ops/nixos/hm: switch to networkmanagerapplet
2022-01-20 22:50:47 +00:00
6276e4b620
ops/nixos: add common-updater-scripts to hm/client
2022-01-16 18:04:24 +00:00
d8186b8f14
ops/nixos/graphical-client: enable gnome-keyring
2022-01-16 18:04:14 +00:00
9be6bcaf2d
ops/nixos: set up gnetwork link
2022-01-14 19:42:06 +00:00
7cfef2cd98
coredns/zones: add lukegb01.ring.nlnog.net
2022-01-10 23:35:54 +00:00
4f0a7b60bc
ops/nixos: use higher-priority 'mkDefault'
2022-01-09 21:38:17 +00:00
9472db4577
ops/nixos: consolidate Frantech VM configs into lib/frantech.nix
2022-01-08 21:49:09 +00:00
ad95bffd3d
ops/nixos: tidy up networking.useDHCP
2022-01-08 21:45:18 +00:00
f463055acf
ops/nixos: pipewire for everyone
2022-01-08 21:41:30 +00:00
05be94e4d7
ops/nixos/common: disable DNSSEC in systemd-resolved
...
It's super broken.
At the moment, resolving foss.heptapod.net breaks, because clever-cloud.com has
DNSKEY records but there's no matching DS record at .com for it.
There are also other reports: https://github.com/systemd/systemd/issues/12388
tl;dr: it just doesn't work, let's not use that.
2022-01-08 12:09:26 +00:00
6ab12dcad5
ops/nixos: rm marukuru
2022-01-06 15:55:21 +00:00
d79265ddad
ops/nixos: tidy up security.acme
2022-01-04 14:00:45 +00:00
de71fd5c9a
ops/nixos/lib/common: add global DNS servers
2022-01-04 13:32:56 +00:00
8cc6e2001a
ops/nixos: create permanent quotesdb user
...
Stop relying on DynamicUser because it messes a bit with postgres' auth.
2022-01-01 21:49:23 +00:00
67b038c2bc
ops/nixos/common: turn off logRefusedConnections - it's super noisy
2022-01-01 20:56:41 +00:00
7b4e6c0e1b
ops/nixos: oops, try to fix my.scrapeJournal.addr
2022-01-01 15:14:02 +00:00
c91a42948d
journal2clickhouse: init
2022-01-01 15:08:52 +00:00
c5119b4882
ops/nixos: enable HTTP gateway if Tailscale is configured
2022-01-01 12:40:13 +00:00
1f13fd811d
coredns: bind to specific interfaces/IPs
2022-01-01 09:03:25 +00:00
8e28b5bbfe
ops/nixos: drop Google/AS15169 routes from Veloxserv to prefer RouteServer
2022-01-01 03:02:55 +00:00
bfd08b08cf
ops/nixos: add fastly passive peer
2022-01-01 02:39:01 +00:00
e182171916
ops/nixos: disable LLMNR
2022-01-01 00:41:37 +00:00
f35a79444c
ops/nixos: add better support for specialisations
2021-12-31 23:51:09 +00:00
060f2cf96b
nhsenglandtests: init
2021-12-31 07:00:32 +00:00
66d1ae3939
lib/hm/graphical-client-wayland: add mako
2021-12-31 04:48:51 +00:00
6cb1af2f35
ops/nixos: start using systemd-resolved
2021-12-28 18:42:42 +00:00
837f7074ac
ops/nixos: fix MAC address for vl-linx
2021-12-27 06:50:12 +00:00
a41abf3d6e
ops/nixos/lib/hm: add element-desktop/element-desktop-wayland
2021-12-27 02:58:53 +00:00
ab9dd5d35a
common: remove nhs.uk IPv6 mapping
2021-12-24 02:27:15 +00:00
05aea7f5f1
ops/nixos: migrate from services.redis to services.redis.servers.""
2021-12-24 02:02:57 +00:00
4e4e8de984
ops/nixos: init bvm-logger
2021-12-23 04:11:39 +00:00
69db0e2a98
baserow: add nginx to baserow group too
2021-12-21 08:31:11 +00:00
c7a9d4ef76
baserow: tweak umask for opendkim...
2021-12-21 08:22:01 +00:00
1c97d3cd15
baserow: add postfix to opendkim group
2021-12-21 08:19:27 +00:00
656df5ac5b
common: add kitty.terminfo
2021-12-21 08:13:20 +00:00
ee2598c29b
baserow: oops, need the config argument
2021-12-21 08:12:39 +00:00
455856d7c0
baserow: enable postfix (totoro)
2021-12-21 08:11:38 +00:00
93a070870a
nix/pkgs/baserow: hooray, it works
2021-12-21 05:48:40 +00:00
5eb7f7102f
bvm-heptapod: init
2021-12-17 01:28:39 +00:00
fee02312d3
blade-tuvok: move public interface off a VLAN
...
Previously, the public/internal interfaces were VLANned onto the same NIC. For
some reason, sometimes the Emulex adapters seem to end up not getting configured
properly, which causes me no end of pain when I spend time trying to debug why
none of my VMs can see the internet anymore.
Instead of doing this, put the public interface onto its own actual virtual
network interface.
2021-12-17 00:27:24 +00:00
29f7073384
ops/nixos: compatibility with NixOS 22.05
2021-12-07 19:13:04 +00:00
105fcf1d50
coredns/zones: quadv stuff
2021-12-07 16:01:57 +00:00
da0717b02c
ops/nixos: don't announce QuadV net everywhere by default
2021-12-07 15:19:45 +00:00
a1ee1e396c
ops/nixos: alacritty -> kitty
2021-11-28 12:51:40 +00:00
7cbd53de1a
ops/nixos: add blast configs
2021-11-25 17:14:03 +00:00
86e0ce9af9
nix/pkgs/datez: init
2021-11-18 21:33:40 +00:00
9c8f3824a8
ops/nixos/lib/blade: virtualisation.libvirtd.qemuRunAsRoot -> virtualisation.libvirtd.qemu.runAsRoot
2021-11-05 01:34:04 +00:00
a4f786f709
hm: add su-cinema-ernie
2021-10-19 07:53:59 +01:00
00a02f8772
coredns: use the correct syntax, oops
2021-09-25 21:27:24 +00:00
bbbdfd5138
as205479.net: hmm, what
2021-09-25 21:18:09 +00:00
c976214bf8
coredns: _acme-challenge.www.as205479.net -> _acme-challenge.as205479.net
2021-09-25 21:03:14 +00:00
9c92e12742
bvm-radius: start serving as205479.net webpage
2021-09-25 20:51:24 +00:00
a8718864c1
swann: configure for eduroam on VLAN 100
2021-09-25 17:38:21 +00:00
b50fa68559
coredns: delegate _acme-challenge to GCP DNS
2021-09-25 13:17:52 +00:00
0d6ab41728
bvm-radius: add tailscale IP
2021-09-25 12:19:07 +00:00
c908e3ab5d
coredns: add RADSEC entry for as205479.net.
2021-09-25 11:45:05 +00:00
158e0afcf3
coredns: init bvm-radius
2021-09-24 22:46:44 +00:00
ccec4b308b
as205479.net: add MX records
2021-09-19 00:08:03 +00:00
19782a9e63
ops/nixos: set group for isSystemUser users
2021-09-16 19:14:30 +00:00
cb7811898c
blade-tuvok: set bgp_local_prefs
2021-09-10 20:46:05 +00:00
dbf906a9a7
blade-router: add cloudflare
2021-09-10 20:23:24 +00:00
3ba0ab045c
blade-router: remove prefix limit
2021-09-10 20:00:31 +00:00
e7bfb107b1
coredns: update mac-mini tailscale IP
2021-09-05 08:07:14 +00:00
3abe727604
blade-router: add google session, which will hopefully turn up eventually
2021-08-31 20:36:26 +00:00
b4c80a07fa
blade-router: configure passive session towards AS62240
2021-08-31 16:39:23 +00:00
f7fbfa5436
nix/pkgs: init prometheus-bird-exporter-lfty
2021-08-31 02:01:38 +00:00
a0d97e082d
blade-tuvok: also NAT things going out onto linx
2021-08-31 01:37:34 +00:00
7134fe904a
ops/nixos: implement BFD+WG tunneling for mldn-rd
2021-08-30 19:58:21 +01:00
bc1932df9b
hm: start 1password's gui silently
2021-08-30 14:26:25 +01:00
dbcaa51968
hgrc: remove requirement for topic
2021-08-20 23:40:53 +00:00
4b7680acae
ops/nixos/blade: force external IP to vl-transit
2021-08-20 23:34:54 +00:00
0ee916e49e
ops/nixos/bgp: don't export routes to FB
2021-08-20 23:34:43 +00:00
0dd2d5d442
ops/nixos/bgp: more filtering shenanigans
2021-08-19 00:23:09 +00:00
fdacf57ead
blade-tuvok: LINX updates
2021-08-17 01:30:33 +00:00
8ad77134ae
ops/nixos/coredns: force store paths
2021-08-16 02:32:44 +00:00
68e0ee0a18
ops/nixos/coredns: add bvm-netbox to int zone
2021-08-16 02:19:38 +00:00
286ed4885d
ops/nixos: add bvm-netbox
2021-08-15 22:46:57 +00:00
7a3f214944
ops/nixos: switch to VLANs for uplink to veloxserv
2021-08-15 22:02:51 +00:00
c79ca35b6f
nixos/blade-router: disable routes-VRRP
...
This is no longer needed; I think actually it was some of the NixOS default
reverse-path filtering that was throwing me for a loop after all and nothing to
do with what was going on with Veloxserv.
2021-08-14 21:07:37 +00:00
23eda90726
ops/nixos/lib/common: add the running system hash to the exported metrics
2021-07-27 21:06:17 +00:00
9dfb1d205d
ops/nixos/lib/bgp: disable rp filtering on hosts running BGP
2021-07-17 14:29:04 +00:00
1557066375
coredns: allow tailscale net
2021-07-16 01:32:54 +00:00
eea81a640e
coredns: add bvm-plesk
2021-07-10 12:19:24 +00:00
9f5c1193b6
hgrc: tweak my settings along the lines of https://octobus.net/blog/2020-11-26-modern-mercurial.html
2021-07-03 19:02:18 +00:00
606ff984eb
ops/nixos: minotarproxy-as-a-lib
2021-07-01 01:48:12 +00:00
cadeef609f
hm/hgrc: switch from hggit to in-tree git
2021-06-22 20:48:11 +00:00
072cecb2e5
hm/gc-wayland: oops, no notification attr
2021-06-22 20:27:52 +00:00
eef598ec1f
hm/graphical-client: add 1password to startup
2021-06-19 19:07:32 +01:00
c56b6b358f
coredns: add blade-{oa,vcenet1,vcenet2,vcm}
2021-05-24 13:54:14 +00:00
1fc6e8f032
coredns: bump serials
2021-05-24 02:37:27 +00:00
499ff8f945
coredns: move bvm to root zone, out of public
2021-05-24 02:31:09 +00:00
ed79fe89bd
bvm-minecraft: init
2021-05-24 01:32:58 +00:00
38b306b095
bvm-matrix: add tailscale IP
2021-05-22 22:48:03 +00:00
4dc516722b
ops/nixos: add bvm-matrix
2021-05-22 21:48:13 +00:00
dccdaa2608
common: map www.nhs.uk to Akamai IPv6 address
2021-05-21 15:21:29 +00:00
df870ded34
as205479.net: add fp-la{,-pri,-sec}
2021-05-09 11:28:28 +00:00
34117ecd00
bvm-nixosmgmt: allocate .5
2021-05-09 10:26:34 +00:00
b7cd20c769
ops/nixos: refactoring for sway
2021-05-06 03:56:20 +01:00
1c571d965a
ops/nixos: add wayland support
2021-05-05 22:13:27 +01:00
a4631a8fda
ops/nixos/lib/blade: set rgw_data_log_backing back to omap
2021-04-23 13:32:34 +00:00
42e8b1eed0
bvm-ipfs: add public IPv4/v6 addresses
2021-04-18 16:04:25 +00:00
2ee3044113
switch-prebuilt: use nix build instead of nix copy to use cache.nixos.org
2021-04-17 23:55:31 +00:00
43e8e05e7b
ops/nixos: tweak alacritty settings
2021-04-17 20:28:27 +01:00
11066035e2
ops/nixos: add alacritty everywhere
2021-04-17 20:17:43 +01:00
0372f4b848
ops/nixos: set isNormalUser for all existing users
...
Now there's an assertion which requires either isNormalUser or isSystemUser, so
we set one of them for all the users we have already.
2021-04-17 20:16:27 +01:00
e0241545d2
add mercurial to rundeck path
2021-04-10 22:17:28 +00:00
bfa7051e2f
ops/nixos: tidy up hostnames
2021-04-10 20:15:30 +00:00
ecd086eae4
ops/nixos: set up things for generating rundeck nodes
2021-04-10 19:59:56 +00:00
5533fd502a
ops/nixos: try setting searchDomains differently
2021-04-10 19:40:10 +00:00
91f6cb3317
clouvider-lon01: add mac-mini as remote builder
2021-04-09 18:14:06 +00:00
6465f98036
as205479.net: add mac-mini.int
2021-04-09 18:51:07 +01:00
02db8ea7cb
ops/nixos/lib/hm: support macOS again
...
The ntfy package expects to have pyobjc available when running under Darwin,
which is currently broken in nixpkgs. There's a fairly involved ongoing effort
to package it again, but in the meantime we just patch out the dep. I'm using
the pushover backend anyway.
To avoid having to rebuild it rather than just fetch from the NixOS cache, I
only override it when running on Darwin.
2021-04-09 18:48:46 +01:00
13f2f79e6d
graphical-client: add wallpapers
...
If I find more I like, I'll add them here, I guess. For the moment, there's
just the one.
2021-04-06 09:53:56 +01:00
f5622acaf7
nix/pkgs/flameshot: bump to my patched version
2021-04-05 14:57:59 +01:00
48bdb3559c
lib/hm/graphical-client: add flameshot to environment
2021-04-05 13:00:02 +01:00
21fe79c904
ops/nixos: enable flameshot on graphical-client hosts
2021-04-05 12:42:35 +01:00
d582d3f352
ops/nixos/lib: inline latest_system_closure.sh
...
I can't be bothered to make it a proper script, and I also don't really want to
rely on invoking nix-shell at runtime (I'd rather have all the needed tools in
the system closure).
2021-04-04 19:35:38 +01:00
8dab1a04fe
ops/nixos/lib: fix latest_system_closure for machines with - in hostname
2021-04-04 19:25:02 +01:00
33cfba2e2f
ops/nixos/lib: enable 'switch-prebuilt latest' for getting latest closure
2021-04-04 18:25:01 +01:00
fbc3b47854
bvm-prosody: fix :/
2021-04-01 15:55:54 +00:00
bcf1266bfe
bvm-prosody: configure IP addresses
2021-04-01 15:50:27 +00:00
bea33016f6
nixos/blade: oops, forgot };
2021-03-31 21:20:56 +00:00
5b63d1555a
nixos/blade: use tmpfs for /var/log and /var/cache
2021-03-31 21:20:08 +00:00
c972f3ae12
as205479.net: add bvm-win10
2021-03-31 19:39:56 +00:00
f71179cbd6
coredns: add bvm-korobi
2021-03-30 12:51:17 +01:00
62dce112db
blade-router: fix radvd prefix to actually be onlink
2021-03-30 11:59:27 +01:00
4c013cb2bc
blade-router: use absolute path to birdc
2021-03-30 00:18:08 +00:00
e80a1750b8
blade-router: tweak notify script config
2021-03-30 00:09:02 +00:00
8b2238cf1e
blade-router: add shebang to VRRP notify script
2021-03-30 00:01:19 +00:00
f05a063fce
blade-router: add keepalived notify script for announcing/withdrawing routes
2021-03-29 23:54:26 +00:00
1071202e7f
coredns: update DNS to match swapped IPs
2021-03-29 23:13:01 +00:00
bff07335b5
blade-router: switch router VIP
2021-03-29 23:09:26 +00:00
cae0c4eb94
blade-router: we need config attribute...
2021-03-29 23:29:26 +01:00
7de4d2690e
blade-router: put radvd config in correct place
2021-03-29 23:27:40 +01:00
c5fc727f7a
blade-router: fix
2021-03-29 23:26:50 +01:00
ac63880ed7
ops/nixos: abstract into blade-router
2021-03-29 23:24:57 +01:00
e1e3a24f36
ops/nixos/lib/coredns: add DNS records
2021-03-29 20:45:39 +00:00
b559512200
blade-paris/blade-tuvok: add BGP config
2021-03-29 11:47:44 +00:00
a3ed8a6da3
hm: add ntfy everywhere
2021-03-28 23:08:02 +00:00
2b8dce0920
depot-wide: overhaul GitLab CI configuration
...
We now use a stub configuration to kick off the pipeline, which is dynamically
generated using Nix config.
2021-03-28 15:27:46 +00:00
f8b4903286
bvm-prosody: add tailscale IP
2021-03-28 14:33:54 +00:00
2eeba92d9e
bvm-twitterchiver: add tailscale IP
2021-03-28 14:32:16 +00:00
e6c56c9a74
bvm-ipfs: add tailscale IP
2021-03-28 14:00:25 +00:00
f27a8f8f1a
ops/nixos: mkBefore needs lib. in bvm.nix/blade.nix
2021-03-28 12:32:01 +00:00
f34d539462
bvm-nixosmgmt: condense down and abstract out
2021-03-28 12:26:11 +00:00
c1f450eb33
ops/nixos: flesh out DNS for internal blade IPs
2021-03-28 12:18:06 +00:00
701ab955af
coredns: update serial for as205479.net
2021-03-28 01:16:10 +00:00
b2e2f965c5
ops/nixos: rename various machines to comply with naming convention
...
* *-frantech should be frantech-*, it's provider first
* blade VMs now all begin bvm-
2021-03-28 00:34:36 +00:00
1883186bb8
hm/graphical-client: switch to google-chrome-beta from chromium
2021-03-25 10:54:01 +00:00
a99e0309c5
ops/nixos/fup: switch to using config file
2021-03-23 00:58:18 +00:00
11ed74003a
nixos/fup: allow large file uploads
2021-03-22 13:56:16 +00:00
ca642bfa5e
blade-tuvok: add fup
2021-03-22 02:43:17 +00:00
787b04737e
treewide: add some SPDX headers
2021-03-20 20:46:56 +00:00
35cc195717
common: remove everything from hosts files
2021-03-20 16:42:08 +00:00
99dce2de2a
as205479.net: add totoro.int
2021-03-20 16:41:26 +00:00
33fd1da091
dns: add blades to zone
2021-03-20 15:22:09 +00:00
4c78164384
ops/nixos/common: set search domains
2021-03-20 15:01:28 +00:00
5cf89fbc2f
switch-prebuilt: check for existence before nix copy
2021-03-20 13:37:08 +00:00
422c47c3e0
switch-prebuilt: run stuff assuming we're a trusted-user
2021-03-20 13:22:17 +00:00
be5eee48b3
switch-prebuilt: init
2021-03-20 12:39:23 +00:00
154db9706a
lib/common: add deployer to trustedUsers
2021-03-20 12:34:01 +00:00
d8086e7042
ops/nixos: add jq everywhere
2021-03-20 12:11:45 +00:00
627c8bf17c
lib/coredns: fix firewall
2021-03-20 02:06:08 +00:00
b0a6ebe52d
ops/nixos: add coredns
2021-03-20 02:03:23 +00:00
c51e5d478d
lib/common: add --delete-older-than
2021-03-19 21:29:54 +00:00