4b6b4842d1
update dns
2022-03-29 21:30:09 +01:00
3a32590571
go/access: init
2022-03-25 01:24:21 +00:00
eb163962a4
nixos/common: add wireguard-tools
2022-03-24 22:22:18 +00:00
b8acd6e31b
swann: re-enable vault-agent
2022-03-20 19:10:24 +00:00
7592e76a31
tokend: init
...
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.
It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
58a907b700
nixos/vault-agent: listen on UDS only
...
This UDS is going to be private to vault-agent and tokend (which doesn't exist
yet).
As a stopgap, for the moment, secretsmgrd will be granted direct access to
speak to the Vault Agent over the UDS.
tokend will be responsible for provisioning applications with tokens, by
issuing subtokens which have roles corresponding to the user account requesting
access.
2022-03-20 11:14:51 +00:00
d97a1b7437
bvm-radius: re-enable roaming2.ja.net
2022-03-20 11:08:34 +00:00
132cb805b3
ops/vault: use wrapping token to protect secret IDs in transit
2022-03-20 10:14:02 +00:00
829d179d37
nixos/common: make the EnvironmentFile optional to avoid... problems
...
In general, it's better for us to fail to pass credentials to the Nix daemon
than it is for the Nix daemon to fail to start up entirely.
We will restart the daemon once the secrets have been delivered anyway.
2022-03-20 10:00:17 +00:00
c9ffb4ed3e
secretsmgr: actually _enable_ the timer unit
2022-03-18 01:08:35 +00:00
ce698ab382
nixos/secretsmgr: add the timer unit
2022-03-18 01:03:55 +00:00
b719181dfe
nixos: migrate to secretsmgr for sshd and ACME
2022-03-17 23:31:55 +00:00
702cd972ab
nixos/vault-agent: should care about /var/lib/vault-agent instead
2022-03-17 12:27:10 +00:00
b0d2782369
nixos/vault-agent: set a longer timeout on HTTP requests to upstream
2022-03-17 01:25:44 +00:00
b469b24c5a
totoro: add live2 alias
2022-03-14 21:28:58 +00:00
f55dc46170
ssh-ca-vault: disable SSH host key signing for now
2022-03-14 21:28:37 +00:00
262620f177
swann: also put v6 RA routes into the correct route table
...
(fixes ee)
2022-03-13 20:35:11 +00:00
615c30ed54
swann: reduce write activity on disk
2022-03-13 17:34:23 +00:00
f1fcda810a
vault-agent-acme: disable
2022-03-12 23:39:45 +00:00
5283ee4fee
swann: migrate fully to using networkd
...
networkd appears to have gotten very aggressive about clearing routing rules it didn't insert itself
2022-03-12 19:38:54 +00:00
9099ee2a45
swann: only rename physical interfaces
2022-03-12 07:25:48 +00:00
fb2dc81bc0
bvm-radius: ensure acme user
2022-03-11 23:10:01 +00:00
6353ce6603
swann: make systemd-networkd-wait-online wait for _any_ NIC
2022-03-11 22:57:08 +00:00
f15e112da7
ssh-ca-vault: by default enable user matches
2022-03-11 22:31:57 +00:00
ae97fddae2
vault-agent-acme: migrate to using a single token file that writes the other files as a side-effect
...
This avoids annoying problems like "too many" retries for certificate issuance,
since we only ask for the secret once.
2022-03-11 22:07:31 +00:00
ac0c6eccef
ssh-ca-vault: init
2022-03-11 21:48:06 +00:00
86a6191a56
vault-agent-secrets: add wantedBy for all restartable units too
2022-03-11 18:48:54 +00:00
ada466bae0
vault-agent-secrets: put Before in the correct place
2022-03-11 18:48:08 +00:00
a66bd4822a
totoro: disable RP filter
2022-03-11 18:45:41 +00:00
fde964db82
hm/client: add VAULT_ADDR env variable
2022-03-11 18:44:52 +00:00
0187120a24
ops/nixos: move nix cache tokens into vault
2022-03-11 16:46:50 +00:00
4100b021aa
etheroute-lon01: add google service account token
2022-03-11 16:20:34 +00:00
dd746bec32
etheroute-lon01: use FQDN for Pomerium DNS
2022-03-11 16:20:24 +00:00
34fa21a171
treewide: fix eval fallout from nixpkgs bump
2022-03-11 14:56:55 +00:00
c98f3312a7
etheroute-lon01: migrate to vault-agent-secrets
2022-03-11 14:40:55 +00:00
6e6e714cf1
ops/nixos: init vault-agent-secrets module
2022-03-11 14:40:08 +00:00
f9546ed62a
ts3spotifybot: remove for now
2022-03-11 10:02:22 +00:00
e50f682237
totoro: remove cloudflare credentials from raritan-sslrenew
2022-03-11 03:46:31 +00:00
4be2eaeb6d
nixos/lib/common: remove security.acme
2022-03-11 03:28:32 +00:00
0c458988de
ops/nixos: misc cleanups
2022-03-11 03:27:58 +00:00
daccfa5717
ops/nixos: migrate everything to vault-agent-acme
2022-03-07 00:52:03 +00:00
0c7f785107
vault-agent-acme: tidy up
2022-03-06 23:01:51 +00:00
8be4fe603e
vault-agent-acme: init
2022-03-06 22:26:49 +00:00
a3eb1e4519
totoro: enable samba
2022-03-05 11:56:22 +00:00
f0e645fccb
swann: add lukegb01.ring.nlnog.net to smokeping prober
2022-03-03 18:44:56 +00:00
dfb663e659
blade-router: mark cloudflare as pending
2022-03-03 17:38:19 +00:00
c357d5ed8f
blade-router: add cloudflare2
2022-03-03 17:37:41 +00:00
610d5ccf40
hm/porcorosso-wsl: add nixpkgs to NIX_PATH
2022-03-03 16:25:34 +00:00
080577e0f3
swann: fix tailscale outbound
...
Tailscale adds a policy-based routing rule at priority 5200-ish, which is
before all the rules that we add. This avoids any Tailscale traffic going
out... over Tailscale, which would be bad.
Anyway, this breaks us because our main table is empty, so there's nowhere
for the Tailscale traffic to actually go. Oops.
Instead, use policy-based routing to send things over our WG tunnel, or over
any of our upstream connections depending on what's available.
2022-03-02 00:32:31 +00:00
d79faeb3e0
porcorosso-wsl: add keychain
2022-02-27 19:44:48 +00:00