b8acd6e31b
swann: re-enable vault-agent
2022-03-20 19:10:24 +00:00
7592e76a31
tokend: init
...
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.
It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
08b68745f0
ops/vault: move policies to token_policies
...
I want to be able to rescope these policies down in tokend, which means that I
can't have policies attached to the server's *identity*. Instead, we put these
on the approle instead, which allows us to down-scope all of these.
2022-03-20 11:29:10 +00:00
58a907b700
nixos/vault-agent: listen on UDS only
...
This UDS is going to be private to vault-agent and tokend (which doesn't exist
yet).
As a stopgap, for the moment, secretsmgrd will be granted direct access to
speak to the Vault Agent over the UDS.
tokend will be responsible for provisioning applications with tokens, by
issuing subtokens which have roles corresponding to the user account requesting
access.
2022-03-20 11:14:51 +00:00
d97a1b7437
bvm-radius: reenable roaming2.ja.net
2022-03-20 11:08:34 +00:00
4020f310ce
ops/vault: destroy existing secrets before provisioning a new one
2022-03-20 10:20:25 +00:00
132cb805b3
ops/vault: use wrapping token to protect secret IDs in transit
2022-03-20 10:14:02 +00:00
829d179d37
nixos/common: make the EnvironmentFile optional to avoid... problems
...
In general, it's better for us to fail to pass credentials to the Nix daemon
than it is for the Nix daemon to fail to start up entirely.
We will restart the daemon once the secrets have been delivered anyway.
2022-03-20 10:00:17 +00:00
c9ffb4ed3e
secretsmgr: actually _enable_ the timer unit
2022-03-18 01:08:35 +00:00
ce698ab382
nixos/secretsmgr: add the timer unit
2022-03-18 01:03:55 +00:00
b719181dfe
nixos: migrate to secretsmgr for sshd and ACME
2022-03-17 23:31:55 +00:00
702cd972ab
nixos/vault-agent: should care about /var/lib/vault-agent instead
2022-03-17 12:27:10 +00:00
b0d2782369
nixos/vault-agent: set a longer timeout on HTTP requests to upstream
2022-03-17 01:25:44 +00:00
148e071c21
ops/vault/cfg: add acme-ca
2022-03-16 00:18:47 +00:00
fb7e18260a
ops/vault/cfg: where we're going, we don't need secrets.nix
2022-03-16 00:06:46 +00:00
23df8e3b18
ops/vault/cfg: initial configuration
2022-03-14 23:34:33 +00:00
92998b5d36
ops/vault/cfg: init terranix stuff
2022-03-14 21:29:15 +00:00
b469b24c5a
totoro: add live2 alias
2022-03-14 21:28:58 +00:00
f55dc46170
ssh-ca-vault: disable SSH host key signing for now
2022-03-14 21:28:37 +00:00
8c6c7af3f7
ops/vault: add reissue-secret-id utility
2022-03-14 21:28:16 +00:00
262620f177
swann: also put v6 RA routes into the correct route table
...
(fixes ee)
2022-03-13 20:35:11 +00:00
615c30ed54
swann: reduce write activity on disk
2022-03-13 17:34:23 +00:00
f1fcda810a
vault-agent-acme: disable
2022-03-12 23:39:45 +00:00
5283ee4fee
swann: migrate fully to using networkd
...
networkd appears to have gotten very aggressive about clearing routing rules it didn't insert itself
2022-03-12 19:38:54 +00:00
9099ee2a45
swann: only rename physical interfaces
2022-03-12 07:25:48 +00:00
fb2dc81bc0
bvm-radius: ensure acme user
2022-03-11 23:10:01 +00:00
6353ce6603
swann: make systemd-networkd-wait-online wait for _any_ NIC
2022-03-11 22:57:08 +00:00
f15e112da7
ssh-ca-vault: by default enable user matches
2022-03-11 22:31:57 +00:00
ae97fddae2
vault-agent-acme: migrate to using a single token file that writes the other files as a side-effect
...
This avoids annoying problems like "too many" retries for certificate issuance,
since we only ask for the secret once.
2022-03-11 22:07:31 +00:00
ac0c6eccef
ssh-ca-vault: init
2022-03-11 21:48:06 +00:00
86a6191a56
vault-agent-secrets: add wantedBy for all restartable units too
2022-03-11 18:48:54 +00:00
ada466bae0
vault-agent-secrets: put Before in the correct place
2022-03-11 18:48:08 +00:00
a66bd4822a
totoro: disable RP filter
2022-03-11 18:45:41 +00:00
fde964db82
hm/client: add VAULT_ADDR env variable
2022-03-11 18:44:52 +00:00
0187120a24
ops/nixos: move nix cache tokens into vault
2022-03-11 16:46:50 +00:00
4100b021aa
etheroute-lon01: add google service account token
2022-03-11 16:20:34 +00:00
dd746bec32
etheroute-lon01: use FQDN for Pomerium DNS
2022-03-11 16:20:24 +00:00
34fa21a171
treewide: fix eval fallout from nixpkgs bump
2022-03-11 14:56:55 +00:00
c98f3312a7
etheroute-lon01: migrate to vault-agent-secrets
2022-03-11 14:40:55 +00:00
6e6e714cf1
ops/nixos: init vault-agent-secrets module
2022-03-11 14:40:08 +00:00
f9546ed62a
ts3spotifybot: remove for now
2022-03-11 10:02:22 +00:00
e50f682237
totoro: remove cloudflare credentials from raritan-sslrenew
2022-03-11 03:46:31 +00:00
4be2eaeb6d
nixos/lib/common: remove security.acme
2022-03-11 03:28:32 +00:00
0c458988de
ops/nixos: misc cleanups
2022-03-11 03:27:58 +00:00
daccfa5717
ops/nixos: migrate everything to vault-agent-acme
2022-03-07 00:52:03 +00:00
0c7f785107
vault-agent-acme: tidy up
2022-03-06 23:01:51 +00:00
8be4fe603e
vault-agent-acme: init
2022-03-06 22:26:49 +00:00
a3eb1e4519
totoro: enable samba
2022-03-05 11:56:22 +00:00
f0e645fccb
swann: add lukegb01.ring.nlnog.net to smokeping prober
2022-03-03 18:44:56 +00:00
dfb663e659
blade-router: mark cloudflare as pending
2022-03-03 17:38:19 +00:00
c357d5ed8f
blade-router: add cloudflare2
2022-03-03 17:37:41 +00:00
610d5ccf40
hm/porcorosso-wsl: add nixpkgs to NIX_PATH
2022-03-03 16:25:34 +00:00
080577e0f3
swann: fix tailscale outbound
...
Tailscale adds a policy-based routing rule at priority 5200-ish, which is
before all the rules that we add. This avoids any Tailscale traffic going
out... over Tailscale, which would be bad.
Anyway, this breaks us because our main table is empty, so there's nowhere
for the Tailscale traffic to actually go. Oops.
Instead, use policy-based routing to send things over our WG tunnel, or over
any of our upstream connections depending on what's available.
2022-03-02 00:32:31 +00:00
d79faeb3e0
porcorosso-wsl: add keychain
2022-02-27 19:44:48 +00:00
df2c10ed4e
porcorosso-wsl: init
2022-02-27 19:32:48 +00:00
bdd9890f2f
totoro: adjust to new Home Assistant settings style
2022-02-22 03:56:49 +00:00
75a87253dd
porcorosso: remove defunct nvidiaWayland option
2022-02-13 21:29:00 +00:00
43f62d224f
ops/factorio/multiworld: prohibit /ws while hand-crafting
2022-02-05 21:04:03 +00:00
7b4b5dd1a4
clouvider-lon01: switch to -ws world
2022-02-05 17:52:06 +00:00
eef1ac57a1
ops/factorio/multiworld: actually add debugrenameworld
2022-02-05 17:51:29 +00:00
e005a5fd6e
ops/factorio/multiworld: add debugrenameworld
2022-02-05 17:40:03 +00:00
ee8ec5263a
ops/factorio/multiworld: init
2022-02-05 17:17:39 +00:00
616a441451
clouvider-lon01: swap back to the other save
2022-02-02 02:20:19 +00:00
28b70d8e5a
clouvider-lon01: swap game save
2022-02-01 22:56:21 +00:00
11739cc4c6
clouvider-lon01: change factorio savegame
2022-01-31 23:35:18 +00:00
cbabb6f211
ops/nixos: migrate nix.maxJobs/binaryCaches/trustedBinaryCaches to the nix.settings equivalents
2022-01-30 20:30:20 +00:00
14a8bd4945
lib/blade-router: fix
2022-01-30 20:22:10 +00:00
1cd0963bf5
blade-tuvok: add the forced-MAC's LL address
2022-01-30 17:54:59 +00:00
947d959cfe
hm/graphical-client-wayland: swap to env variable + normal element-desktop
2022-01-30 16:46:01 +00:00
652cb68e09
bgp: avoid sending routes to clouvider over routeservers
2022-01-30 15:57:35 +00:00
e6b3dab777
clouvider-fra01: readd deluge
2022-01-24 22:08:38 +00:00
4065f9ac28
ops/nixos/hm: add vault
2022-01-23 23:58:55 +00:00
e30a6d203b
porcorosso: reconfigure monitors again
2022-01-23 23:38:52 +00:00
7c418666fe
ops/nixos: add some vault-agent setup
2022-01-23 23:38:40 +00:00
3ad4c2399a
nix/pkgs/lutris: add more deps
2022-01-23 23:37:19 +00:00
4729529b4d
totoro: move plex stuff onto a macVLAN interface
2022-01-23 17:58:04 +00:00
7673e8be9d
bvm-radius: take roaming2 out of the rotation
2022-01-23 17:57:52 +00:00
4b14ea5b4d
ops/nixos: remove rebuilder
...
It's in the common profile, we don't need it everywhere.
2022-01-23 16:57:20 +00:00
3eb564f12b
ops/nixos: factor out various things from clouvider-fra01
2022-01-23 16:58:29 +00:00
bf8e6b62ed
ops/nixos/hm: switch to networkmanagerapplet
2022-01-20 22:50:47 +00:00
bd3c7c090e
totoro: add HA config
2022-01-17 04:04:07 +00:00
6276e4b620
ops/nixos: add common-updater-scripts to hm/client
2022-01-16 18:04:24 +00:00
d8186b8f14
ops/nixos/graphical-client: enable gnome-keyring
2022-01-16 18:04:14 +00:00
afae9bec9a
totoro: add some home-assistant gubbins
2022-01-17 02:38:33 +00:00
eb3b306439
Backed out changeset 073cf55ed346
...
Mischief managed
2022-01-15 13:32:47 +00:00
687d72cfdc
ops/nixos: experiment with ECMP
2022-01-15 13:32:41 +00:00
9be6bcaf2d
ops/nixos: set up gnetwork link
2022-01-14 19:42:06 +00:00
7cfef2cd98
coredns/zones: add lukegb01.ring.nlnog.net
2022-01-10 23:35:54 +00:00
9ccf3b333d
blade-tuvok: provide a proper path to the sysctl utility
2022-01-10 22:40:57 +00:00
4f0a7b60bc
ops/nixos: use higher-priority 'mkDefault'
2022-01-09 21:38:17 +00:00
ea10f06a4c
ops/nixos: more cleanups
2022-01-09 00:22:52 +00:00
2770e7c086
porcorosso: tweak setup-display so that it overrides panning
2022-01-08 22:17:13 +00:00
9472db4577
ops/nixos: consolidate Frantech VM configs into lib/frantech.nix
2022-01-08 21:49:09 +00:00
ad95bffd3d
ops/nixos: tidy up networking.useDHCP
2022-01-08 21:45:18 +00:00
f463055acf
ops/nixos: pipewire for everyone
2022-01-08 21:41:30 +00:00
4b2c0f7fa8
porcorosso: set up PRIME so we can draw to my laptop's internal display!
2022-01-08 21:28:03 +00:00
1348172aba
porcorosso: remove unused hyperv config
2022-01-08 19:54:03 +00:00
1b4b7f0a80
porcorosso: remove default.pa
2022-01-08 19:45:55 +00:00
2ddd50aef4
etheroute-lon01: disable TLS verification for totoro
...
For some reason this is failing with a TLS alert that the certificate
is expired???
2022-01-07 15:23:43 +00:00
fe09e44c5c
porcorosso: block i2c-nvidia-gpu, causes X11 to fail to init
2022-01-07 12:51:18 +00:00
bac7e1fb69
porcorosso: remove blast config
2022-01-07 12:42:55 +00:00
05be94e4d7
ops/nixos/common: disable DNSSEC in systemd-resolved
...
It's super broken.
At the moment, resolving foss.heptapod.net breaks, because clever-cloud.com has
DNSKEY records but there's no matching DS record at .com for it.
There are also other reports: https://github.com/systemd/systemd/issues/12388
tl;dr: it just doesn't work, let's not use that.
2022-01-08 12:09:26 +00:00
506a584dea
totoro: set up podman socket support
2022-01-08 12:08:04 +00:00
9e79ad0cfa
bvm-radius: add new roaming2.ja.net IPs
2022-01-07 11:49:24 +00:00
5001971b87
totoro: add bvm-.* alerts
2022-01-06 17:51:39 +00:00
6ab12dcad5
ops/nixos: rm marukuru
2022-01-06 15:55:21 +00:00
d79265ddad
ops/nixos: tidy up security.acme
2022-01-04 14:00:45 +00:00
de71fd5c9a
ops/nixos/lib/common: add global DNS servers
2022-01-04 13:32:56 +00:00
8cc6e2001a
ops/nixos: create permanent quotesdb user
...
Stop relying on DynamicUser because it messes a bit with postgres' auth.
2022-01-01 21:49:23 +00:00
3318874168
marukuru: remove heptapod{,-runner}
2022-01-01 21:31:01 +00:00
67b038c2bc
ops/nixos/common: turn off logRefusedConnections - it's super noisy
2022-01-01 20:56:41 +00:00
37e36418a1
bvm-logger: add custom clickhouse config
...
Just make it less spammy into the journal, sheesh.
2022-01-01 16:31:05 +00:00
730d057e18
bvm-logger: enable journal2clickhouse for real
2022-01-01 15:24:32 +00:00
7b4e6c0e1b
ops/nixos: oops, try to fix my.scrapeJournal.addr
2022-01-01 15:14:02 +00:00
c91a42948d
journal2clickhouse: init
2022-01-01 15:08:52 +00:00
c5119b4882
ops/nixos: enable HTTP gateway if Tailscale is configured
2022-01-01 12:40:13 +00:00
1f13fd811d
coredns: bind to specific interfaces/IPs
2022-01-01 09:03:25 +00:00
8e28b5bbfe
ops/nixos: drop Google/AS15169 routes from Veloxserv to prefer RouteServer
2022-01-01 03:02:55 +00:00
bfd08b08cf
ops/nixos: add fastly passive peer
2022-01-01 02:39:01 +00:00
6cfcd10e06
swann: use the router's public IP when making connections
...
For v6, the link is on an unrouted subnet so there's no way to address it from
outside. We don't want Linux to use the v6 subnet for connections it makes, so
we ask politely that the source on the route is actually an IP address that we
Like.
2022-01-01 02:11:59 +00:00
3458c7766e
swann: switch from prod.euw1.riotgames.com to euw1.api.riotgames.com
...
The former appears to resolve, but no longer respond to ICMP ping (even from a
different network). Switch to the documented API endpoint, which still
responds to ICMP ping.
2022-01-01 01:31:56 +00:00
3e98fae657
bvm-heptapod: autoStart deployer container
2022-01-01 00:43:15 +00:00
e182171916
ops/nixos: disable LLMNR
2022-01-01 00:41:37 +00:00
297e9c97e7
bvm-heptapod: add deployer container
2022-01-01 00:22:35 +00:00
8b3e77de1e
swann: coredns shouldn't bind to 127.0.0.53 because systemd-resolved wants it
2021-12-31 23:52:57 +00:00
afc4834723
porcorosso: enable TLP for battery saving in laptop mode
2021-12-31 23:52:40 +00:00
a35a702e7d
ops/nixos: disable avahi
...
We're using systemd-resolved, so just disable Avahi now.
2021-12-31 23:51:35 +00:00
f35a79444c
ops/nixos: add better support for specialisations
2021-12-31 23:51:09 +00:00
060f2cf96b
nhsenglandtests: init
2021-12-31 07:00:32 +00:00
66d1ae3939
lib/hm/graphical-client-wayland: add mako
2021-12-31 04:48:51 +00:00
2d77689ed9
howl: enable bluetooth
2021-12-31 04:47:53 +00:00
6cb1af2f35
ops/nixos: start using systemd-resolved
2021-12-28 18:42:42 +00:00
837f7074ac
ops/nixos: fix MAC address for vl-linx
2021-12-27 06:50:12 +00:00
a41abf3d6e
ops/nixos/lib/hm: add element-desktop/element-desktop-wayland
2021-12-27 02:58:53 +00:00
ab9dd5d35a
common: remove nhs.uk IPv6 mapping
2021-12-24 02:27:15 +00:00
ca6de1910d
swann: services.unifi.openPorts -> openFirewall
2021-12-24 02:03:36 +00:00
05aea7f5f1
ops/nixos: migrate from services.redis to services.redis.servers.""
2021-12-24 02:02:57 +00:00
e55a824929
bvm-logger: install clickhouse
2021-12-24 01:50:59 +00:00
4e4e8de984
ops/nixos: init bvm-logger
2021-12-23 04:11:39 +00:00
69db0e2a98
baserow: add nginx to baserow group too
2021-12-21 08:31:11 +00:00
c7a9d4ef76
baserow: tweak umask for opendkim...
2021-12-21 08:22:01 +00:00
1c97d3cd15
baserow: add postfix to opendkim group
2021-12-21 08:19:27 +00:00
656df5ac5b
common: add kitty.terminfo
2021-12-21 08:13:20 +00:00
ee2598c29b
baserow: oops, need the config argument
2021-12-21 08:12:39 +00:00
455856d7c0
baserow: enable postfix (totoro)
2021-12-21 08:11:38 +00:00
93a070870a
nix/pkgs/baserow: hooray, it works
2021-12-21 05:48:40 +00:00
576896970a
bvm-heptapod: add more heptapod
2021-12-18 04:15:53 +00:00
5eb7f7102f
bvm-heptapod: init
2021-12-17 01:28:39 +00:00
fee02312d3
blade-tuvok: move public interface off a VLAN
...
Previously, the public/internal interfaces were VLANned onto the same NIC. For
some reason, sometime the Emulex adapters seem to end up not getting configured
properly, which causes me no end of pain when I spend time trying to debug why
none of my VMs can see the internet anymore.
Instead of doing this, put the public interface onto its own actual virtual
network interface.
2021-12-17 00:27:24 +00:00
d99fe8b153
depot: fixups
2021-12-08 02:37:12 +00:00
