b16bfb93ce
treewide: hack/nixpkgs, which uses _our_ nixpkgs, not actual nixpkgs
2023-08-11 23:05:35 +01:00
721a7e6828
ops/nixos: refactor ssh_config
2023-03-12 03:58:52 +00:00
d3fdb0b04d
ops/nixos/common: demand system as an arg
2023-01-21 18:59:48 +00:00
e03ae8b853
treewide: fix things up for new nixpkgs
2022-10-02 22:23:44 +01:00
c16856f8ab
treewide: add my.ip.tailscale6
2022-09-02 00:22:16 +01:00
04df4d0a98
depotwide: make closures smaller, especially on frantech machines
2022-08-27 19:38:03 +01:00
bd2be7196a
nixos/common: add pam-ussh
2022-06-04 12:21:32 +01:00
977ee51c54
ops/nixos: change default for RP check to loose to silence Tailscale warnings
2022-05-21 16:31:58 +01:00
75d3386cd2
treewide: fix up for nixpkgs bump
2022-04-15 23:33:53 +01:00
b5fbf1f472
oracle-lon01: add my first aarch64-linux boxen
2022-04-13 12:03:56 +00:00
55b6bd2a19
ops/nixos: add nixos-size to measure total closure pinned by booted-system/current-system mismatch
2022-04-07 03:42:17 +00:00
eb163962a4
nixos/common: add wireguard-tools
2022-03-24 22:22:18 +00:00
7592e76a31
tokend: init
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.
It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
132cb805b3
ops/vault: use wrapping token to protect secret IDs in transit
2022-03-20 10:14:02 +00:00
829d179d37
nixos/common: make the EnvironmentFile optional to avoid... problems
In general, it's better for us to fail to pass credentials to the Nix daemon
than it is for the Nix daemon to fail to start up entirely.
We will restart the daemon once the secrets have been delivered anyway.
2022-03-20 10:00:17 +00:00
b719181dfe
nixos: migrate to secretsmgr for sshd and ACME
2022-03-17 23:31:55 +00:00
ac0c6eccef
ssh-ca-vault: init
2022-03-11 21:48:06 +00:00
0187120a24
ops/nixos: move nix cache tokens into vault
2022-03-11 16:46:50 +00:00
6e6e714cf1
ops/nixos: init vault-agent-secrets module
2022-03-11 14:40:08 +00:00
4be2eaeb6d
nixos/lib/common: remove security.acme
2022-03-11 03:28:32 +00:00
8be4fe603e
vault-agent-acme: init
2022-03-06 22:26:49 +00:00
cbabb6f211
ops/nixos: migrate nix.maxJobs/binaryCaches/trustedBinaryCaches to the nix.settings equivalents
2022-01-30 20:30:20 +00:00
7c418666fe
ops/nixos: add some vault-agent setup
2022-01-23 23:38:40 +00:00
4f0a7b60bc
ops/nixos: use higher-priority 'mkDefault'
2022-01-09 21:38:17 +00:00
ad95bffd3d
ops/nixos: tidy up networking.useDHCP
2022-01-08 21:45:18 +00:00
05be94e4d7
ops/nixos/common: disable DNSSEC in systemd-resolved
It's super broken.
At the moment, resolving foss.heptapod.net breaks, because clever-cloud.com has
DNSKEY records but there's no matching DS record at .com for it.
There are also other reports: https://github.com/systemd/systemd/issues/12388
tl;dr: it just doesn't work, let's not use that.
2022-01-08 12:09:26 +00:00
d79265ddad
ops/nixos: tidy up security.acme
2022-01-04 14:00:45 +00:00
de71fd5c9a
ops/nixos/lib/common: add global DNS servers
2022-01-04 13:32:56 +00:00
67b038c2bc
ops/nixos/common: turn off logRefusedConnections - it's super noisy
2022-01-01 20:56:41 +00:00
7b4e6c0e1b
ops/nixos: oops, try to fix my.scrapeJournal.addr
2022-01-01 15:14:02 +00:00
c91a42948d
journal2clickhouse: init
2022-01-01 15:08:52 +00:00
c5119b4882
ops/nixos: enable HTTP gateway if Tailscale is configured
2022-01-01 12:40:13 +00:00
e182171916
ops/nixos: disable LLMNR
2022-01-01 00:41:37 +00:00
f35a79444c
ops/nixos: add better support for specialisations
2021-12-31 23:51:09 +00:00
6cb1af2f35
ops/nixos: start using systemd-resolved
2021-12-28 18:42:42 +00:00
ab9dd5d35a
common: remove nhs.uk IPv6 mapping
2021-12-24 02:27:15 +00:00
656df5ac5b
common: add kitty.terminfo
2021-12-21 08:13:20 +00:00
29f7073384
ops/nixos: compatibility with NixOS 22.05
2021-12-07 19:13:04 +00:00
19782a9e63
ops/nixos: set group for isSystemUser users
2021-09-16 19:14:30 +00:00
23eda90726
ops/nixos/lib/common: add the running system hash to the exported metrics
2021-07-27 21:06:17 +00:00
dccdaa2608
common: map www.nhs.uk to Akamai IPv6 address
2021-05-21 15:21:29 +00:00
11066035e2
ops/nixos: add alacritty everywhere
2021-04-17 20:17:43 +01:00
e0241545d2
add mercurial to rundeck path
2021-04-10 22:17:28 +00:00
bfa7051e2f
ops/nixos: tidy up hostnames
2021-04-10 20:15:30 +00:00
ecd086eae4
ops/nixos: set up things for generating rundeck nodes
2021-04-10 19:59:56 +00:00
5533fd502a
ops/nixos: try setting searchDomains differently
2021-04-10 19:40:10 +00:00
2b8dce0920
depot-wide: overhaul GitLab CI configuration
We now use a stub configuration to kick off the pipeline, which is dynamically
generated using Nix config.
2021-03-28 15:27:46 +00:00
35cc195717
common: remove everything from hosts files
2021-03-20 16:42:08 +00:00
4c78164384
ops/nixos/common: set search domains
2021-03-20 15:01:28 +00:00
be5eee48b3
switch-prebuilt: init
2021-03-20 12:39:23 +00:00