Commit graph

411 commits

SHA1 Message Date
d79265ddad ops/nixos: tidy up security.acme 2022-01-04 14:00:45 +00:00
de71fd5c9a ops/nixos/lib/common: add global DNS servers 2022-01-04 13:32:56 +00:00
8cc6e2001a ops/nixos: create permanent quotesdb user
Stop relying on DynamicUser because it messes a bit with postgres' auth.
2022-01-01 21:49:23 +00:00
67b038c2bc ops/nixos/common: turn off logRefusedConnections - it's super noisy 2022-01-01 20:56:41 +00:00
7b4e6c0e1b ops/nixos: oops, try to fix my.scrapeJournal.addr 2022-01-01 15:14:02 +00:00
c91a42948d journal2clickhouse: init 2022-01-01 15:08:52 +00:00
c5119b4882 ops/nixos: enable HTTP gateway if Tailscale is configured 2022-01-01 12:40:13 +00:00
1f13fd811d coredns: bind to specific interfaces/IPs 2022-01-01 09:03:25 +00:00
8e28b5bbfe ops/nixos: drop Google/AS15169 routes from Veloxserv to prefer RouteServer 2022-01-01 03:02:55 +00:00
bfd08b08cf ops/nixos: add fastly passive peer 2022-01-01 02:39:01 +00:00
e182171916 ops/nixos: disable LLMNR 2022-01-01 00:41:37 +00:00
f35a79444c ops/nixos: add better support for specialisations 2021-12-31 23:51:09 +00:00
060f2cf96b nhsenglandtests: init 2021-12-31 07:00:32 +00:00
66d1ae3939 lib/hm/graphical-client-wayland: add mako 2021-12-31 04:48:51 +00:00
6cb1af2f35 ops/nixos: start using systemd-resolved 2021-12-28 18:42:42 +00:00
837f7074ac ops/nixos: fix MAC address for vl-linx 2021-12-27 06:50:12 +00:00
a41abf3d6e ops/nixos/lib/hm: add element-desktop/element-desktop-wayland 2021-12-27 02:58:53 +00:00
ab9dd5d35a common: remove nhs.uk IPv6 mapping 2021-12-24 02:27:15 +00:00
05aea7f5f1 ops/nixos: migrate from services.redis to services.redis.servers."" 2021-12-24 02:02:57 +00:00
4e4e8de984 ops/nixos: init bvm-logger 2021-12-23 04:11:39 +00:00
69db0e2a98 baserow: add nginx to baserow group too 2021-12-21 08:31:11 +00:00
c7a9d4ef76 baserow: tweak umask for opendkim... 2021-12-21 08:22:01 +00:00
1c97d3cd15 baserow: add postfix to opendkim group 2021-12-21 08:19:27 +00:00
656df5ac5b common: add kitty.terminfo 2021-12-21 08:13:20 +00:00
ee2598c29b baserow: oops, need the config argument 2021-12-21 08:12:39 +00:00
455856d7c0 baserow: enable postfix (totoro) 2021-12-21 08:11:38 +00:00
93a070870a nix/pkgs/baserow: hooray, it works 2021-12-21 05:48:40 +00:00
5eb7f7102f bvm-heptapod: init 2021-12-17 01:28:39 +00:00
fee02312d3 blade-tuvok: move public interface off a VLAN
Previously, the public/internal interfaces were VLANned onto the same NIC. For
some reason, sometimes the Emulex adapters seem to end up not getting configured
properly, which causes me no end of pain when I spend time trying to debug why
none of my VMs can see the internet anymore.

Instead of doing this, put the public interface onto its own actual virtual
network interface.
2021-12-17 00:27:24 +00:00
29f7073384 ops/nixos: compatibility with NixOS 22.05 2021-12-07 19:13:04 +00:00
105fcf1d50 coredns/zones: quadv stuff 2021-12-07 16:01:57 +00:00
da0717b02c ops/nixos: don't announce QuadV net everywhere by default 2021-12-07 15:19:45 +00:00
a1ee1e396c ops/nixos: alacritty -> kitty 2021-11-28 12:51:40 +00:00
7cbd53de1a ops/nixos: add blast configs 2021-11-25 17:14:03 +00:00
86e0ce9af9 nix/pkgs/datez: init 2021-11-18 21:33:40 +00:00
9c8f3824a8 ops/nixos/lib/blade: virtualisation.libvirtd.qemuRunAsRoot -> virtualisation.libvirtd.qemu.runAsRoot 2021-11-05 01:34:04 +00:00
a4f786f709 hm: add su-cinema-ernie 2021-10-19 07:53:59 +01:00
00a02f8772 coredns: use the correct syntax, oops 2021-09-25 21:27:24 +00:00
bbbdfd5138 as205479.net: hmm, what 2021-09-25 21:18:09 +00:00
c976214bf8 coredns: _acme-challenge.www.as205479.net -> _acme-challenge.as205479.net 2021-09-25 21:03:14 +00:00
9c92e12742 bvm-radius: start serving as205479.net webpage 2021-09-25 20:51:24 +00:00
a8718864c1 swann: configure for eduroam on VLAN 100 2021-09-25 17:38:21 +00:00
b50fa68559 coredns: delegate _acme-challenge to GCP DNS 2021-09-25 13:17:52 +00:00
0d6ab41728 bvm-radius: add tailscale IP 2021-09-25 12:19:07 +00:00
c908e3ab5d coredns: add RADSEC entry for as205479.net. 2021-09-25 11:45:05 +00:00
158e0afcf3 coredns: init bvm-radius 2021-09-24 22:46:44 +00:00
ccec4b308b as205479.net: add MX records 2021-09-19 00:08:03 +00:00
19782a9e63 ops/nixos: set group for isSystemUser users 2021-09-16 19:14:30 +00:00
cb7811898c blade-tuvok: set bgp_local_prefs 2021-09-10 20:46:05 +00:00
dbf906a9a7 blade-router: add cloudflare 2021-09-10 20:23:24 +00:00
3ba0ab045c blade-router: remove prefix limit 2021-09-10 20:00:31 +00:00
e7bfb107b1 coredns: update mac-mini tailscale IP 2021-09-05 08:07:14 +00:00
3abe727604 blade-router: add google session, which will hopefully turn up eventually 2021-08-31 20:36:26 +00:00
b4c80a07fa blade-router: configure passive session towards AS62240 2021-08-31 16:39:23 +00:00
f7fbfa5436 nix/pkgs: init prometheus-bird-exporter-lfty 2021-08-31 02:01:38 +00:00
a0d97e082d blade-tuvok: also NAT things going out onto linx 2021-08-31 01:37:34 +00:00
7134fe904a ops/nixos: implement BFD+WG tunneling for mldn-rd 2021-08-30 19:58:21 +01:00
bc1932df9b hm: start 1password's gui silently 2021-08-30 14:26:25 +01:00
dbcaa51968 hgrc: remove requirement for topic 2021-08-20 23:40:53 +00:00
4b7680acae ops/nixos/blade: force external IP to vl-transit 2021-08-20 23:34:54 +00:00
0ee916e49e ops/nixos/bgp: don't export routes to FB 2021-08-20 23:34:43 +00:00
0dd2d5d442 ops/nixos/bgp: more filtering shenanigans 2021-08-19 00:23:09 +00:00
fdacf57ead blade-tuvok: LINX updates 2021-08-17 01:30:33 +00:00
8ad77134ae ops/nixos/coredns: force store paths 2021-08-16 02:32:44 +00:00
68e0ee0a18 ops/nixos/coredns: add bvm-netbox to int zone 2021-08-16 02:19:38 +00:00
286ed4885d ops/nixos: add bvm-netbox 2021-08-15 22:46:57 +00:00
7a3f214944 ops/nixos: switch to VLANs for uplink to veloxserv 2021-08-15 22:02:51 +00:00
c79ca35b6f nixos/blade-router: disable routes-VRRP
This is no longer needed; I think actually it was some of the NixOS default
reverse-path filtering that was throwing me for a loop after all and nothing to
do with what was going on with Veloxserv.
2021-08-14 21:07:37 +00:00
23eda90726 ops/nixos/lib/common: add the running system hash to the exported metrics 2021-07-27 21:06:17 +00:00
9dfb1d205d ops/nixos/lib/bgp: disable rp filtering on hosts running BGP 2021-07-17 14:29:04 +00:00
1557066375 coredns: allow tailscale net 2021-07-16 01:32:54 +00:00
eea81a640e coredns: add bvm-plesk 2021-07-10 12:19:24 +00:00
9f5c1193b6 hgrc: tweak my settings along the lines of https://octobus.net/blog/2020-11-26-modern-mercurial.html 2021-07-03 19:02:18 +00:00
606ff984eb ops/nixos: minotarproxy-as-a-lib 2021-07-01 01:48:12 +00:00
cadeef609f hm/hgrc: switch from hggit to in-tree git 2021-06-22 20:48:11 +00:00
072cecb2e5 hm/gc-wayland: oops, no notification attr 2021-06-22 20:27:52 +00:00
eef598ec1f hm/graphical-client: add 1password to startup 2021-06-19 19:07:32 +01:00
c56b6b358f coredns: add blade-{oa,vcenet1,vcenet2,vcm} 2021-05-24 13:54:14 +00:00
1fc6e8f032 coredns: bump serials 2021-05-24 02:37:27 +00:00
499ff8f945 coredns: move bvm to root zone, out of public 2021-05-24 02:31:09 +00:00
ed79fe89bd bvm-minecraft: init 2021-05-24 01:32:58 +00:00
38b306b095 bvm-matrix: add tailscale IP 2021-05-22 22:48:03 +00:00
4dc516722b ops/nixos: add bvm-matrix 2021-05-22 21:48:13 +00:00
dccdaa2608 common: map www.nhs.uk to Akamai IPv6 address 2021-05-21 15:21:29 +00:00
df870ded34 as205479.net: add fp-la{,-pri,-sec} 2021-05-09 11:28:28 +00:00
34117ecd00 bvm-nixosmgmt: allocate .5 2021-05-09 10:26:34 +00:00
b7cd20c769 ops/nixos: refactoring for sway 2021-05-06 03:56:20 +01:00
1c571d965a ops/nixos: add wayland support 2021-05-05 22:13:27 +01:00
a4631a8fda ops/nixos/lib/blade: set rgw_data_log_backing back to omap 2021-04-23 13:32:34 +00:00
42e8b1eed0 bvm-ipfs: add public IPv4/v6 addresses 2021-04-18 16:04:25 +00:00
2ee3044113 switch-prebuilt: use nix build instead of nix copy to use cache.nixos.org 2021-04-17 23:55:31 +00:00
43e8e05e7b ops/nixos: tweak alacritty settings 2021-04-17 20:28:27 +01:00
11066035e2 ops/nixos: add alacritty everywhere 2021-04-17 20:17:43 +01:00
0372f4b848 ops/nixos: set isNormalUser for all existing users
Now there's an assertion which requires either isNormalUser or isSystemUser, so
we set one of them for all the users we have already.
2021-04-17 20:16:27 +01:00
e0241545d2 add mercurial to rundeck path 2021-04-10 22:17:28 +00:00
bfa7051e2f ops/nixos: tidy up hostnames 2021-04-10 20:15:30 +00:00
ecd086eae4 ops/nixos: set up things for generating rundeck nodes 2021-04-10 19:59:56 +00:00
5533fd502a ops/nixos: try setting searchDomains differently 2021-04-10 19:40:10 +00:00
91f6cb3317 clouvider-lon01: add mac-mini as remote builder 2021-04-09 18:14:06 +00:00
6465f98036 as205479.net: add mac-mini.int 2021-04-09 18:51:07 +01:00
02db8ea7cb ops/nixos/lib/hm: support macOS again
The ntfy package expects to have pyobjc available when running under Darwin,
which is currently broken in nixpkgs. There's a fairly involved ongoing effort
to package it again, but in the meantime we just patch out the dep. I'm using
the pushover backend anyway.

To avoid having to rebuild it rather than just fetch from the NixOS cache, I
only override it when running on Darwin.
2021-04-09 18:48:46 +01:00
13f2f79e6d graphical-client: add wallpapers
If I find more I like, I'll add them here, I guess. For the moment, there's
just the one.
2021-04-06 09:53:56 +01:00
f5622acaf7 nix/pkgs/flameshot: bump to my patched version 2021-04-05 14:57:59 +01:00
48bdb3559c lib/hm/graphical-client: add flameshot to environment 2021-04-05 13:00:02 +01:00
21fe79c904 ops/nixos: enable flameshot on graphical-client hosts 2021-04-05 12:42:35 +01:00
d582d3f352 ops/nixos/lib: inline latest_system_closure.sh
I can't be bothered to make it a proper script, and I also don't really want to
rely on invoking nix-shell at runtime (I'd rather have all the needed tools in
the system closure).
2021-04-04 19:35:38 +01:00
8dab1a04fe ops/nixos/lib: fix latest_system_closure for machines with - in hostname 2021-04-04 19:25:02 +01:00
33cfba2e2f ops/nixos/lib: enable 'switch-prebuilt latest' for getting latest closure 2021-04-04 18:25:01 +01:00
fbc3b47854 bvm-prosody: fix :/ 2021-04-01 15:55:54 +00:00
bcf1266bfe bvm-prosody: configure IP addresses 2021-04-01 15:50:27 +00:00
bea33016f6 nixos/blade: oops, forgot }; 2021-03-31 21:20:56 +00:00
5b63d1555a nixos/blade: use tmpfs for /var/log and /var/cache 2021-03-31 21:20:08 +00:00
c972f3ae12 as205479.net: add bvm-win10 2021-03-31 19:39:56 +00:00
f71179cbd6 coredns: add bvm-korobi 2021-03-30 12:51:17 +01:00
62dce112db blade-router: fix radvd prefix to actually be onlink 2021-03-30 11:59:27 +01:00
4c013cb2bc blade-router: use absolute path to birdc 2021-03-30 00:18:08 +00:00
e80a1750b8 blade-router: tweak notify script config 2021-03-30 00:09:02 +00:00
8b2238cf1e blade-router: add shebang to VRRP notify script 2021-03-30 00:01:19 +00:00
f05a063fce blade-router: add keepalived notify script for announcing/withdrawing routes 2021-03-29 23:54:26 +00:00
1071202e7f coredns: update DNS to match swapped IPs 2021-03-29 23:13:01 +00:00
bff07335b5 blade-router: switch router VIP 2021-03-29 23:09:26 +00:00
cae0c4eb94 blade-router: we need config attribute... 2021-03-29 23:29:26 +01:00
7de4d2690e blade-router: put radvd config in correct place 2021-03-29 23:27:40 +01:00
c5fc727f7a blade-router: fix 2021-03-29 23:26:50 +01:00
ac63880ed7 ops/nixos: abstract into blade-router 2021-03-29 23:24:57 +01:00
e1e3a24f36 ops/nixos/lib/coredns: add DNS records 2021-03-29 20:45:39 +00:00
b559512200 blade-paris/blade-tuvok: add BGP config 2021-03-29 11:47:44 +00:00
a3ed8a6da3 hm: add ntfy everywhere 2021-03-28 23:08:02 +00:00
2b8dce0920 depot-wide: overhaul GitLab CI configuration
We now use a stub configuration to kick off the pipeline, which is dynamically
generated using Nix config.
2021-03-28 15:27:46 +00:00
f8b4903286 bvm-prosody: add tailscale IP 2021-03-28 14:33:54 +00:00
2eeba92d9e bvm-twitterchiver: add tailscale IP 2021-03-28 14:32:16 +00:00
e6c56c9a74 bvm-ipfs: add tailscale IP 2021-03-28 14:00:25 +00:00
f27a8f8f1a ops/nixos: mkBefore needs lib. in bvm.nix/blade.nix 2021-03-28 12:32:01 +00:00
f34d539462 bvm-nixosmgmt: condense down and abstract out 2021-03-28 12:26:11 +00:00
c1f450eb33 ops/nixos: flesh out DNS for internal blade IPs 2021-03-28 12:18:06 +00:00
701ab955af coredns: update serial for as205479.net 2021-03-28 01:16:10 +00:00
b2e2f965c5 ops/nixos: rename various machines to comply with naming convention
* *-frantech should be frantech-*, it's provider first
* blade VMs now all begin bvm-
2021-03-28 00:34:36 +00:00
1883186bb8 hm/graphical-client: switch to google-chrome-beta from chromium 2021-03-25 10:54:01 +00:00
a99e0309c5 ops/nixos/fup: switch to using config file 2021-03-23 00:58:18 +00:00
11ed74003a nixos/fup: allow large file uploads 2021-03-22 13:56:16 +00:00
ca642bfa5e blade-tuvok: add fup 2021-03-22 02:43:17 +00:00
787b04737e treewide: add some SPDX headers 2021-03-20 20:46:56 +00:00
35cc195717 common: remove everything from hosts files 2021-03-20 16:42:08 +00:00
99dce2de2a as205479.net: add totoro.int 2021-03-20 16:41:26 +00:00
33fd1da091 dns: add blades to zone 2021-03-20 15:22:09 +00:00
4c78164384 ops/nixos/common: set search domains 2021-03-20 15:01:28 +00:00
5cf89fbc2f switch-prebuilt: check for existence before nix copy 2021-03-20 13:37:08 +00:00
422c47c3e0 switch-prebuilt: run stuff assuming we're a trusted-user 2021-03-20 13:22:17 +00:00
be5eee48b3 switch-prebuilt: init 2021-03-20 12:39:23 +00:00
154db9706a lib/common: add deployer to trustedUsers 2021-03-20 12:34:01 +00:00
d8086e7042 ops/nixos: add jq everywhere 2021-03-20 12:11:45 +00:00
627c8bf17c lib/coredns: fix firewall 2021-03-20 02:06:08 +00:00
b0a6ebe52d ops/nixos: add coredns 2021-03-20 02:03:23 +00:00
c51e5d478d lib/common: add --delete-older-than 2021-03-19 21:29:54 +00:00
9ddb5d75f2 blade: restrict ceph firewall rules to storage network 2021-03-19 21:27:15 +00:00
3f3c92addc blade-tuvok: serve objdump directly 2021-03-19 19:45:03 +00:00
c26a321f5f home-manager: drop enableVaapi 2021-03-18 23:56:25 +00:00
c682fc0422 blade: fix serial console 2021-03-14 17:39:07 +00:00
bb1178e82c blade: enable serial console for GRUB and boot 2021-03-14 17:34:08 +00:00
ff2be56561 blade: disable coredump writing 2021-03-14 17:25:03 +00:00
f3c5990de4 blade: nit: forgot a ) 2021-03-14 15:56:58 +00:00
22dadde50a blade-torres: remap en-storage onto a vlan 2021-03-14 15:52:53 +00:00
b3def9be96 ceph: add /var/lib/ceph mount 2021-03-14 14:35:36 +00:00
22cb1575b4 ceph: set up storage network 10.100.2.0/24 2021-03-14 14:35:32 +00:00
dc68fb7305 blade: correct IP 2021-03-14 02:01:42 +00:00
74fd32c0b8 ops/nixos/blade: switch mon IPs in config 2021-03-14 01:23:24 +00:00
a763c85e3d blade: allow tailscale 41641/udp 2021-03-13 20:58:43 +00:00
e979f4e83e blade: move journald storage to volatile 2021-03-13 20:57:04 +00:00
b2a085f84c ops/nixos/blade: enable NAT on routers 2021-03-13 16:41:05 +00:00
53b7ca1c8a ops/nixos: revamp blade network config 2021-03-12 14:47:08 +00:00
7cd70420c6 blade-janeway: fix interfaces 2021-02-25 12:29:05 +00:00
a7094217ba blade: tweak networking 2021-02-24 19:58:15 +00:00
5018ba70cd home-manager/common: add iotop/iftop 2021-02-14 21:40:41 +00:00
caea9c19c4 lib/blade: mount boot drive to /boot 2021-02-13 16:07:33 +00:00
2596579835 lib/blade: add a ceph-osd-lvm-activate to prep the OSDs 2021-02-13 16:29:18 +00:00
93b5d2c288 ops/nixos: enable ceph in libvirtd 2021-02-11 02:21:59 +00:00
a484168097 lib/blade: add ceph support to libvirtd 2021-02-11 00:34:27 +00:00
c94e94284f lib/blade: decrease miimon 2021-02-11 00:27:25 +00:00
fc14641404 lib/blade: enable libvirtd group for lukegb 2021-02-11 00:22:47 +00:00
e81c71b85f lib/blade: enable acpi_power_meter 2021-02-11 00:22:39 +00:00
82503b6192 ops/nixos/lib/blade: enable polkit for libvirtd access 2021-02-11 00:13:32 +00:00
4a53baab51 ops/nixos: fix lib/blade.nix 2021-02-10 23:39:36 +00:00
270b461b97 ops/nixos: create br-ext and put everything on it 2021-02-10 23:38:05 +00:00
372aed550f ops/nixos: enable osds on blade-janeway 2021-02-09 21:47:04 +00:00
1ed83bd25a ops/nixos/blade: add ceph 2021-02-09 01:17:54 +00:00
dad04a0062 ops/nixos: add other blade hosts
blade-paris and blade-kim are TBD
2021-02-08 22:26:22 +00:00
37be1e38f8 ops/nixos: switch blades to static IPs 2021-02-08 20:45:15 +00:00
f55f861e17 ops/nixos: split most of blade-janeway into lib/blade.nix 2021-02-07 21:23:23 +00:00
e6f4d37982 ops/nixos: add fwupd to common 2021-01-30 18:47:12 +00:00
c7df81d6a1 clouvider-fra01: add ts3spotifybot 2021-01-27 18:39:58 +00:00
1fe4e04464 ops/nixos: add dev-quotes.bfob.gg to server aliases 2021-01-20 00:22:54 +00:00
5ee6a1c3b7 ops/nixos/quotes.bfob.gg: add my.quotesdb.listen option 2021-01-20 00:21:21 +00:00
b7574660de web/quotes: prodify 2021-01-19 23:43:43 +00:00
ef81a0c080 quotes.bfob.gg: add to clouvider-lon01 2021-01-19 23:41:47 +00:00
9dd18e2cdc ops/nixos/lib/common: add nixos_running_system/nixos_booted_system node metrics 2021-01-11 17:44:23 +00:00
6b95f54ca7 ops/nixos/lib/common: add systemd collector to all systems 2021-01-07 10:01:36 +00:00
aba7285824 totoro: add twitternuke timer 2021-01-06 21:29:33 +00:00
f91109cb50 nixos/lightspeed: init lightspeed-ingest and lightspeed-webrtc NixOS modules 2021-01-04 15:50:42 +00:00
34d9b4eda5 hm/graphical-client: pull in nm-applet only for i3 2020-12-19 19:39:13 +00:00
cb4ba45b1b hm/graphical-client: enable nm-applet
I'm assuming (probably wrongly) that anything using my graphical-client preset
is _also_ using NetworkManager, which is probably true for real client machines
but may not be true on terminal services machines which also end up with this
preset.

Whatever, I'll work it out later.
2020-12-19 19:25:15 +00:00