49cab76737
nixos/hm/common: tweak ssh settings
2022-07-15 08:59:43 +01:00
64940e45d6
ops/nixos/graphical-client: install qFlipper
2022-07-07 22:06:35 +01:00
f9f7542da5
bvm-paperless: add more paperless env variables
2022-06-29 21:39:56 +01:00
5f19f9d783
totoro: add gateway
2022-06-25 17:43:30 +00:00
a5fb805dfa
totoro: set default gateway. oops.
2022-06-25 17:35:49 +00:00
dd10a6ba6b
totoro: switch to networkd
2022-06-19 20:34:43 +00:00
2884ced8a3
bvm-paperless: fix DBHOST to use unix sockets again
2022-06-19 21:21:15 +01:00
679c040677
Backed out changeset a532ddc33432
2022-06-19 21:02:02 +01:00
855faad5a0
bvm-prosody: eventphone stuff
2022-06-19 21:01:55 +01:00
d04959acf9
bvm-paperless: clear password for paperless to force unix auth
2022-06-19 20:59:51 +01:00
bfe2fb1707
totoro: add deluge, expose content share over Samba
2022-06-19 00:55:31 +00:00
bd2be7196a
nixos/common: add pam-ussh
2022-06-04 12:21:32 +01:00
2c6be52ce9
howl: add BGP for EMFIX
2022-06-04 12:15:43 +01:00
e68f8b615f
hm/graphical-client-wayland: use wallpaper
2022-04-18 16:45:14 +01:00
8b9c3494ff
ops/vault/reissue-secret-id: don't fail on systems with no pre-existing secrets
2022-04-18 16:44:55 +01:00
60e6ae8af5
nixos/blade-router: bump LINX LON1 netmask to /21
2022-05-29 22:03:56 +01:00
977ee51c54
ops/nixos: change default for RP check to loose to silence Tailscale warnings
2022-05-21 16:31:58 +01:00
97d71c78a1
ops/vault: add authentik-backed auth
2022-05-21 15:42:55 +01:00
f7686f6a5a
hm/common: add whitby alias for ssh
2022-05-17 01:41:48 +01:00
7f587564de
porcorosso-wsl: don't try to load ed25519, use genie
2022-05-17 01:37:01 +01:00
4f3c21a8ea
blade: tweak rbd_cache settings
2022-05-02 17:40:32 +01:00
13d51a7978
ops/nixos: move gitlab-runner registration token to vault
2022-05-13 21:45:36 +00:00
bf601faa89
nix/pkgs/authentik: init
2022-05-12 22:55:10 +00:00
cb383c46ad
ops/nixos/lib/coredns: add IPv6 address for oracle-lon01
2022-05-12 18:38:16 +00:00
8d1ae0fce1
bvm-prosody: use SQLite3
2022-05-02 17:20:03 +01:00
58793004a2
ops/nixos/hm/common: Tweak the IP for SAR1.
2022-04-30 16:48:35 +01:00
6e746fb2cf
etheroute-lon01: use gre rather than ipip
...
Cloudflare Magic Transit appears to become Very Unhappy when you blast it with IPIP.
Use GRE instead, which it is happier with.
2022-04-30 16:48:28 +01:00
d21b733794
ops/nixos: add bgp.tools route collector
2022-04-30 16:48:01 +01:00
04e013b237
ops/nixos/bgp: add support for route collectors
2022-04-30 16:47:35 +01:00
8acf275884
porcorosso: add lukegb to dialout
...
I would like to be able to use /dev/ttyUSB0 without sudo thanks.
2022-04-30 16:46:31 +01:00
35c014bdbe
etheroute-lon01: configure endpoint my end
2022-04-26 09:16:25 +01:00
e51d58fac6
ops/vault: bump ACME TTL
2022-04-20 23:47:09 +01:00
6f70c36b8f
ops/nixos/blade: further nuke forwardX11
2022-04-16 01:52:50 +01:00
514d703560
ops/nixos/blade: nuke forwardX11
2022-04-16 01:48:32 +01:00
7b4febe0ab
ops/nixos/blade: honey I shrunk the closure
2022-04-10 02:20:41 +00:00
784324fd20
ops/nixos: decommission virgin media
2022-04-15 23:42:05 +01:00
75d3386cd2
treewide: fix up for nixpkgs bump
2022-04-15 23:33:53 +01:00
29ac5c60c3
oracle-lon01: do more complicated routing, because google
2022-04-15 11:58:16 +00:00
b5fbf1f472
oracle-lon01: add my first aarch64-linux boxen
2022-04-13 12:03:56 +00:00
dca96efffe
fup: move config to secret
2022-04-10 01:37:37 +01:00
8647af22d7
ops/nixos: put more things in Vault
2022-04-09 21:51:24 +01:00
2536214734
deluge: migrate auth file to vault
2022-04-09 20:59:11 +01:00
b238831963
frantech-nyc01: no more bgp
2022-04-07 04:13:33 +01:00
55b6bd2a19
ops/nixos: add nixos-size to measure total closure pinned by booted-system/current-system mismatch
2022-04-07 03:42:17 +00:00
157629a402
paperless: allow websockets, set up postgres
2022-04-06 11:49:52 +01:00
fa8f317d6f
totoro: add firewall rule for Lifx
2022-04-06 01:00:55 +01:00
da71f20036
ops/nixos: enable paperless
2022-04-06 00:57:22 +01:00
97a2e46eeb
lukegbcom: autodeploy using Vault
2022-04-05 22:04:32 +01:00
57c5a7d1ce
coredns: add bvm-paperless.int
2022-04-05 11:28:10 +01:00
2585d70127
porcorosso: tidy up gl packages
2022-04-05 03:14:07 +00:00
8f6ae5cfd4
bvm-paperless: init
2022-04-04 19:11:22 +00:00
f8f5d48eec
porcorosso: blocklist r8152/r8153_ecm
2022-04-03 19:47:19 +01:00
b40f3435f4
swann: switch to SFP
2022-03-30 16:42:37 +00:00
addba44d44
coredns: fix ipv6 zones
2022-03-30 17:25:25 +01:00
4b6b4842d1
update dns
2022-03-29 21:30:09 +01:00
3a32590571
go/access: init
2022-03-25 01:24:21 +00:00
eb163962a4
nixos/common: add wireguard-tools
2022-03-24 22:22:18 +00:00
dbaabf1295
vault: deployer should be allowed to read nix-daemon secrets
2022-03-24 22:20:44 +00:00
b8acd6e31b
swann: re-enable vault-agent
2022-03-20 19:10:24 +00:00
7592e76a31
tokend: init
...
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.
It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
08b68745f0
ops/vault: move policies to token_policies
...
I want to be able to rescope these policies down in tokend, which means that I
can't have policies attached to the server's *identity*. Instead, we put these
on the approle instead, which allows us to down-scope all of these.
2022-03-20 11:29:10 +00:00
58a907b700
nixos/vault-agent: listen on UDS only
...
This UDS is going to be private to vault-agent and tokend (which doesn't exist
yet).
As a stopgap, for the moment, secretsmgrd will be granted direct access to
speak to the Vault Agent over the UDS.
tokend will be responsible for provisioning applications with tokens, by
issuing subtokens which have roles corresponding to the user account requesting
access.
2022-03-20 11:14:51 +00:00
d97a1b7437
bvm-radius: reenable roaming2.ja.net
2022-03-20 11:08:34 +00:00
4020f310ce
ops/vault: destroy existing secrets before provisioning a new one
2022-03-20 10:20:25 +00:00
132cb805b3
ops/vault: use wrapping token to protect secret IDs in transit
2022-03-20 10:14:02 +00:00
829d179d37
nixos/common: make the EnvironmentFile optional to avoid... problems
...
In general, it's better for us to fail to pass credentials to the Nix daemon
than it is for the Nix daemon to fail to start up entirely.
We will restart the daemon once the secrets have been delivered anyway.
2022-03-20 10:00:17 +00:00
c9ffb4ed3e
secretsmgr: actually _enable_ the timer unit
2022-03-18 01:08:35 +00:00
ce698ab382
nixos/secretsmgr: add the timer unit
2022-03-18 01:03:55 +00:00
b719181dfe
nixos: migrate to secretsmgr for sshd and ACME
2022-03-17 23:31:55 +00:00
702cd972ab
nixos/vault-agent: should care about /var/lib/vault-agent instead
2022-03-17 12:27:10 +00:00
b0d2782369
nixos/vault-agent: set a longer timeout on HTTP requests to upstream
2022-03-17 01:25:44 +00:00
148e071c21
ops/vault/cfg: add acme-ca
2022-03-16 00:18:47 +00:00
fb7e18260a
ops/vault/cfg: where we're going, we don't need secrets.nix
2022-03-16 00:06:46 +00:00
23df8e3b18
ops/vault/cfg: initial configuration
2022-03-14 23:34:33 +00:00
92998b5d36
ops/vault/cfg: init terranix stuff
2022-03-14 21:29:15 +00:00
b469b24c5a
totoro: add live2 alias
2022-03-14 21:28:58 +00:00
f55dc46170
ssh-ca-vault: disable SSH host key signing for now
2022-03-14 21:28:37 +00:00
8c6c7af3f7
ops/vault: add reissue-secret-id utility
2022-03-14 21:28:16 +00:00
262620f177
swann: also put v6 RA routes into the correct route table
...
(fixes ee)
2022-03-13 20:35:11 +00:00
615c30ed54
swann: reduce write activity on disk
2022-03-13 17:34:23 +00:00
f1fcda810a
vault-agent-acme: disable
2022-03-12 23:39:45 +00:00
5283ee4fee
swann: migrate fully to using networkd
...
networkd appears to have gotten very aggressive about clearing routing rules it didn't insert itself
2022-03-12 19:38:54 +00:00
9099ee2a45
swann: only rename physical interfaces
2022-03-12 07:25:48 +00:00
fb2dc81bc0
bvm-radius: ensure acme user
2022-03-11 23:10:01 +00:00
6353ce6603
swann: make systemd-networkd-wait-online wait for _any_ NIC
2022-03-11 22:57:08 +00:00
f15e112da7
ssh-ca-vault: by default enable user matches
2022-03-11 22:31:57 +00:00
ae97fddae2
vault-agent-acme: migrate to using a single token file that writes the other files as a side-effect
...
This avoids annoying problems like "too many" retries for certificate issuance,
since we only ask for the secret once.
2022-03-11 22:07:31 +00:00
ac0c6eccef
ssh-ca-vault: init
2022-03-11 21:48:06 +00:00
86a6191a56
vault-agent-secrets: add wantedBy for all restartable units too
2022-03-11 18:48:54 +00:00
ada466bae0
vault-agent-secrets: put Before in the correct place
2022-03-11 18:48:08 +00:00
a66bd4822a
totoro: disable RP filter
2022-03-11 18:45:41 +00:00
fde964db82
hm/client: add VAULT_ADDR env variable
2022-03-11 18:44:52 +00:00
0187120a24
ops/nixos: move nix cache tokens into vault
2022-03-11 16:46:50 +00:00
4100b021aa
etheroute-lon01: add google service account token
2022-03-11 16:20:34 +00:00
dd746bec32
etheroute-lon01: use FQDN for Pomerium DNS
2022-03-11 16:20:24 +00:00
34fa21a171
treewide: fix eval fallout from nixpkgs bump
2022-03-11 14:56:55 +00:00
c98f3312a7
etheroute-lon01: migrate to vault-agent-secrets
2022-03-11 14:40:55 +00:00
6e6e714cf1
ops/nixos: init vault-agent-secrets module
2022-03-11 14:40:08 +00:00
f9546ed62a
ts3spotifybot: remove for now
2022-03-11 10:02:22 +00:00
e50f682237
totoro: remove cloudflare credentials from raritan-sslrenew
2022-03-11 03:46:31 +00:00
