675b65b5da
nix/docker/heptapod: add update script for image
2022-04-09 20:17:32 +01:00
e1ede118d1
web/lukegbcom: add some padding
2022-04-08 02:30:59 +01:00
482ecc6984
web/lukegbcom/2022-04-07-vault-and-me: add hero image
2022-04-08 02:22:01 +01:00
65236b2c0c
web/lukegbcom/2022-04-07: explain why tokend ACLs are more permissive...
2022-04-08 02:10:22 +01:00
78ccb6a571
web/lukegbcom: underline links in posts
2022-04-08 02:08:24 +01:00
adec31460a
web/lukegbcom: oops, YAML...
2022-04-08 02:01:51 +01:00
ff665ab50f
lukegbcom: add a long rambly post about my Vault setup
2022-04-08 01:42:43 +01:00
b238831963
frantech-nyc01: no more bgp
2022-04-07 04:13:33 +01:00
55b6bd2a19
ops/nixos: add nixos-size to measure total closure pinned by booted-system/current-system mismatch
2022-04-07 03:42:17 +00:00
deployer@bvm-nixosmgmt.blade.as205479.net
bd4e52105d
nix/pkgs/plex-pass: update version to 1.25.9.5721-965587f64
2022-04-07 02:12:24 +00:00
157629a402
paperless: allow websockets, set up postgres
2022-04-06 11:49:52 +01:00
d56f44df06
Project import generated by Copybara.

GitOrigin-RevId: bc4b9eef3ce3d5a90d8693e8367c9cbfc9fc1e13
2022-04-03 20:54:34 +02:00
fa8f317d6f
totoro: add firewall rule for Lifx
2022-04-06 01:00:55 +01:00
da71f20036
ops/nixos: enable paperless
2022-04-06 00:57:22 +01:00
a0802e697f
gitlab-ci: restore machine deploys
2022-04-05 22:13:21 +01:00
98cd1c7427
gitlab-ci: try setting NIX_PATH explicitly
2022-04-05 22:09:21 +01:00
97a2e46eeb
lukegbcom: autodeploy using Vault
2022-04-05 22:04:32 +01:00
57c5a7d1ce
coredns: add bvm-paperless.int
2022-04-05 11:28:10 +01:00
2585d70127
porcorosso: tidy up gl packages
2022-04-05 03:14:07 +00:00
67252bab10
lightspeed: delete
2022-04-05 02:41:16 +00:00
9119a5893f
lukegbcom: fix up images in posts
2022-04-05 02:18:57 +00:00
8f6ae5cfd4
bvm-paperless: init
2022-04-04 19:11:22 +00:00
8a45d4525b
Project import generated by Copybara.

GitOrigin-RevId: 710fed5a2483f945b14f4a58af2cd3676b42d8c8
2022-03-30 11:31:56 +02:00
6f81c9d464
3p/nixpkgs: remove old PR patches
2022-04-04 19:05:49 +00:00
11f8adeb43
3p/nixpkgs: add pr167721 for paperless-ngx
2022-04-04 18:56:17 +00:00
9f9991c895
heptapod: 0.30.0 -> 0.30.1
2022-04-04 14:53:06 +01:00
32f6d38549
web/lukegbcom: limit homepage posts to 3
2022-04-04 02:38:10 +01:00
43e5ecf0db
web/lukegbcom: add all the rest of the posts
2022-04-04 02:36:09 +01:00
762a5a7271
web/lukegbcom: init next.js version
2022-04-04 00:32:57 +01:00
f8f5d48eec
porcorosso: blocklist r8152/r8153_ecm
2022-04-03 19:47:19 +01:00
b40f3435f4
swann: switch to SFP
2022-03-30 16:42:37 +00:00
addba44d44
coredns: fix ipv6 zones
2022-03-30 17:25:25 +01:00
4b6b4842d1
update dns
2022-03-29 21:30:09 +01:00
deployer@bvm-nixosmgmt.blade.as205479.net
d2aaa28aa5
nix/pkgs/plex-pass: update version to 1.25.8.5663-e071c3d62
2022-03-25 02:11:03 +00:00
f5d66318a3
go/access: set principal name, set presence required by host
2022-03-25 01:47:18 +00:00
3a32590571
go/access: init
2022-03-25 01:24:21 +00:00
eb163962a4
nixos/common: add wireguard-tools
2022-03-24 22:22:18 +00:00
4d00448f55
heptapod: 0.29.1 -> 0.30.0
2022-03-24 22:20:56 +00:00
dbaabf1295
vault: deployer should be allowed to read nix-daemon secrets
2022-03-24 22:20:44 +00:00
b8acd6e31b
swann: re-enable vault-agent
2022-03-20 19:10:24 +00:00
7592e76a31
tokend: init

tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.

It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
08b68745f0
ops/vault: move policies to token_policies

I want to be able to rescope these policies down in tokend, which means that I
can't have policies attached to the server's *identity*. Instead, we put these
on the approle, which allows us to down-scope all of these.
2022-03-20 11:29:10 +00:00
58a907b700
nixos/vault-agent: listen on UDS only

This UDS is going to be private to vault-agent and tokend (which doesn't exist
yet).

As a stopgap, for the moment, secretsmgrd will be granted direct access to
speak to the Vault Agent over the UDS.

tokend will be responsible for provisioning applications with tokens, by
issuing subtokens which have roles corresponding to the user account requesting
access.
2022-03-20 11:14:51 +00:00
d97a1b7437
bvm-radius: re-enable roaming2.ja.net
2022-03-20 11:08:34 +00:00
c60a68a354
nix/gitlab-ci: try to restrict deploy steps to only default
2022-03-20 10:26:56 +00:00
4020f310ce
ops/vault: destroy existing secrets before provisioning a new one
2022-03-20 10:20:25 +00:00
132cb805b3
ops/vault: use wrapping token to protect secret IDs in transit
2022-03-20 10:14:02 +00:00
829d179d37
nixos/common: make the EnvironmentFile optional to avoid... problems

In general, it's better for us to fail to pass credentials to the Nix daemon
than it is for the Nix daemon to fail to start up entirely.

We will restart the daemon once the secrets have been delivered anyway.
2022-03-20 10:00:17 +00:00
c9ffb4ed3e
secretsmgr: actually _enable_ the timer unit
2022-03-18 01:08:35 +00:00
ce698ab382
nixos/secretsmgr: add the timer unit
2022-03-18 01:03:55 +00:00