Commit graph

1511 commits

Author SHA1 Message Date
6f81c9d464 3p/nixpkgs: remove old PR patches 2022-04-04 19:05:49 +00:00
11f8adeb43 3p/nixpkgs: add pr167721 for paperless-ngx 2022-04-04 18:56:17 +00:00
9f9991c895 heptapod: 0.30.0 -> 0.30.1 2022-04-04 14:53:06 +01:00
32f6d38549 web/lukegbcom: limit homepage posts to 3 2022-04-04 02:38:10 +01:00
43e5ecf0db web/lukegbcom: add all the rest of the posts 2022-04-04 02:36:09 +01:00
762a5a7271 web/lukegbcom: init next.js version 2022-04-04 00:32:57 +01:00
f8f5d48eec porcorosso: blocklist r8152/r8153_ecm 2022-04-03 19:47:19 +01:00
b40f3435f4 swann: switch to SFP 2022-03-30 16:42:37 +00:00
addba44d44 coredns: fix ipv6 zones 2022-03-30 17:25:25 +01:00
4b6b4842d1 update dns 2022-03-29 21:30:09 +01:00
deployer@bvm-nixosmgmt.blade.as205479.net
d2aaa28aa5 nix/pkgs/plex-pass: update version to 1.25.8.5663-e071c3d62 2022-03-25 02:11:03 +00:00
f5d66318a3 go/access: set principal name, set presence required by host 2022-03-25 01:47:18 +00:00
3a32590571 go/access: init 2022-03-25 01:24:21 +00:00
eb163962a4 nixos/common: add wireguard-tools 2022-03-24 22:22:18 +00:00
4d00448f55 heptapod: 0.29.1 -> 0.30.0 2022-03-24 22:20:56 +00:00
dbaabf1295 vault: deployer should be allowed to read nix-daemon secrets 2022-03-24 22:20:44 +00:00
b8acd6e31b swann: re-enable vault-agent 2022-03-20 19:10:24 +00:00
7592e76a31 tokend: init
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.

It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
08b68745f0 ops/vault: move policies to token_policies
I want to be able to rescope these policies down in tokend, which means that I
can't have policies attached to the server's *identity*. Instead, we put these
on the approle instead, which allows us to down-scope all of these.
2022-03-20 11:29:10 +00:00
58a907b700 nixos/vault-agent: listen on UDS only
This UDS is going to be private to vault-agent and tokend (which doesn't exist
yet).

As a stopgap, for the moment, secretsmgrd will be granted direct access to
speak to the Vault Agent over the UDS.

tokend will be responsible for provisioning applications with tokens, by
issuing subtokens which have roles corresponding to the user account requesting
access.
2022-03-20 11:14:51 +00:00
d97a1b7437 bvm-radius: reenable roaming2.ja.net 2022-03-20 11:08:34 +00:00
c60a68a354 nix/gitlab-ci: try to restrict deploy steps to only default 2022-03-20 10:26:56 +00:00
4020f310ce ops/vault: destroy existing secrets before provisioning a new one 2022-03-20 10:20:25 +00:00
132cb805b3 ops/vault: use wrapping token to protect secret IDs in transit 2022-03-20 10:14:02 +00:00
829d179d37 nixos/common: make the EnvironmentFile optional to avoid... problems
In general, it's better for us to fail to pass credentials to the Nix daemon
than it is for the Nix daemon to fail to start up entirely.

We will restart the daemon once the secrets have been delivered anyway.
2022-03-20 10:00:17 +00:00
c9ffb4ed3e secretsmgr: actually _enable_ the timer unit 2022-03-18 01:08:35 +00:00
ce698ab382 nixos/secretsmgr: add the timer unit 2022-03-18 01:03:55 +00:00
b719181dfe nixos: migrate to secretsmgr for sshd and ACME 2022-03-17 23:31:55 +00:00
702cd972ab nixos/vault-agent: should care about /var/lib/vault-agent instead 2022-03-17 12:27:10 +00:00
deployer@bvm-nixosmgmt.blade.as205479.net
b4b3484e6c nix/pkgs/plex-pass: update version to 1.25.7.5604-980a13e02 2022-03-17 02:10:56 +00:00
037c6f0fd8 go/secretsmgr: add support for ACME certificate issuance 2022-03-17 01:26:18 +00:00
b0d2782369 nixos/vault-agent: set a longer timeout on HTTP requests to upstream 2022-03-17 01:25:44 +00:00
d2481b1461 vault-acme: sleep in lieu of waiting "properly" for DNS propagation
Once we've seen the TXT record on any nameserver, assume that it'll reach the
rest of them within 60 seconds.

This is an awful hack because some peculiarities of my setup don't work
properly with the upstream lego code.
2022-03-17 01:03:41 +00:00
148e071c21 ops/vault/cfg: add acme-ca 2022-03-16 00:18:47 +00:00
fb7e18260a ops/vault/cfg: where we're going, we don't need secrets.nix 2022-03-16 00:06:46 +00:00
165fc4559c go/secretsmgr: init
Currently this only handles signing SSH certificates, but let's see where we go from here.
2022-03-15 03:07:34 +00:00
0dacea5ff8 3p/gopkgs: add a bunch of dependencies of github.com/hashicorp/vault/api 2022-03-15 03:07:06 +00:00
23df8e3b18 ops/vault/cfg: initial configuration 2022-03-14 23:34:33 +00:00
92998b5d36 ops/vault/cfg: init terranix stuff 2022-03-14 21:29:15 +00:00
b469b24c5a totoro: add live2 alias 2022-03-14 21:28:58 +00:00
f55dc46170 ssh-ca-vault: disable SSH host key signing for now 2022-03-14 21:28:37 +00:00
8c6c7af3f7 ops/vault: add reissue-secret-id utility 2022-03-14 21:28:16 +00:00
262620f177 swann: also put v6 RA routes into the correct route table
(fixes ee)
2022-03-13 20:35:11 +00:00
615c30ed54 swann: reduce write activity on disk 2022-03-13 17:34:23 +00:00
edf6671aff 3p/nixpkgs: add pr164025 2022-03-13 17:33:59 +00:00
b29a330382 ubi_reader: init 2022-03-13 17:32:59 +00:00
c41914e274 nixos/networkd: add support for configuring networkd.conf settings
networkd.conf controls a few interesting options, such as enabling
systemd-networkd's speed meterer and, crucially, allowing you to disable the
behaviour where networkd will delete any routes or policy-based routing rules
that it doesn't recognise.

This also adds support for configuring routing table names and mirroring them
into the iproute2 config.
2022-03-13 04:00:48 +00:00
Default email
aa526eb20f Project import generated by Copybara.
GitOrigin-RevId: fcd48a5a0693f016a5c370460d0c2a8243b882dc
2022-03-10 11:12:11 -08:00
c9bd0696ed heptapod: enable SSH CA 2022-03-13 00:24:57 +00:00
f1fcda810a vault-agent-acme: disable 2022-03-12 23:39:45 +00:00