Commit graph

98 commits

Author SHA1 Message Date
f8d00b7cf4 nixos/common: ManageForeignRoutingPolicyRules = false 2024-03-30 01:01:13 +00:00
41a28dc2f5 ops/nixos: tidy up various warnings 2024-03-01 17:29:10 +00:00
248d2e1026 Merge 2023-12-14 11:54:09 +00:00
f15e212875 totoro: enable freeswitch 2023-12-14 11:30:26 +00:00
b934f315dd ops/nixos: fixes for nixpkgs bump 2023-10-24 23:51:25 +01:00
60a49c7037 ops/nixos/common: give up and set wait-online.anyInterface=true by default 2023-10-10 23:31:16 +00:00
b16bfb93ce treewide: hack/nixpkgs, which uses _our_ nixpkgs, not actual nixpkgs 2023-08-11 23:05:35 +01:00
721a7e6828 ops/nixos: refactor ssh_config 2023-03-12 03:58:52 +00:00
d3fdb0b04d ops/nixos/common: demand system as an arg 2023-01-21 18:59:48 +00:00
e03ae8b853 treewide: fix things up for new nixpkgs 2022-10-02 22:23:44 +01:00
c16856f8ab treewide: add my.ip.tailscale6 2022-09-02 00:22:16 +01:00
04df4d0a98 depotwide: make closures smaller, especially on frantech machines 2022-08-27 19:38:03 +01:00
bd2be7196a nixos/common: add pam-ussh 2022-06-04 12:21:32 +01:00
977ee51c54 ops/nixos: change default for RP check to loose to silence Tailscale warnings 2022-05-21 16:31:58 +01:00
75d3386cd2 treewide: fix up for nixpkgs bump 2022-04-15 23:33:53 +01:00
b5fbf1f472 oracle-lon01: add my first aarch64-linux boxen 2022-04-13 12:03:56 +00:00
55b6bd2a19 ops/nixos: add nixos-size to measure total closure pinned by booted-system/current-system mismatch 2022-04-07 03:42:17 +00:00
eb163962a4 nixos/common: add wireguard-tools 2022-03-24 22:22:18 +00:00
7592e76a31 tokend: init
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.

It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
132cb805b3 ops/vault: use wrapping token to protect secret IDs in transit 2022-03-20 10:14:02 +00:00
829d179d37 nixos/common: make the EnvironmentFile optional to avoid... problems
In general, it's better for us to fail to pass credentials to the Nix daemon
than it is for the Nix daemon to fail to start up entirely.

We will restart the daemon once the secrets have been delivered anyway.
2022-03-20 10:00:17 +00:00
b719181dfe nixos: migrate to secretsmgr for sshd and ACME 2022-03-17 23:31:55 +00:00
ac0c6eccef ssh-ca-vault: init 2022-03-11 21:48:06 +00:00
0187120a24 ops/nixos: move nix cache tokens into vault 2022-03-11 16:46:50 +00:00
6e6e714cf1 ops/nixos: init vault-agent-secrets module 2022-03-11 14:40:08 +00:00
4be2eaeb6d nixos/lib/common: remove security.acme 2022-03-11 03:28:32 +00:00
8be4fe603e vault-agent-acme: init 2022-03-06 22:26:49 +00:00
cbabb6f211 ops/nixos: migrate nix.maxJobs/binaryCaches/trustedBinaryCaches to the nix.settings equivalents 2022-01-30 20:30:20 +00:00
7c418666fe ops/nixos: add some vault-agent setup 2022-01-23 23:38:40 +00:00
4f0a7b60bc ops/nixos: use higher-priority 'mkDefault' 2022-01-09 21:38:17 +00:00
ad95bffd3d ops/nixos: tidy up networking.useDHCP 2022-01-08 21:45:18 +00:00
05be94e4d7 ops/nixos/common: disable DNSSEC in systemd-resolved
It's super broken.

At the moment, resolving foss.heptapod.net breaks, because clever-cloud.com has
DNSKEY records but there's no matching DS record at .com for it.

There are also other reports: https://github.com/systemd/systemd/issues/12388

tl;dr: it just doesn't work, let's not use that.
2022-01-08 12:09:26 +00:00
d79265ddad ops/nixos: tidy up security.acme 2022-01-04 14:00:45 +00:00
de71fd5c9a ops/nixos/lib/common: add global DNS servers 2022-01-04 13:32:56 +00:00
67b038c2bc ops/nixos/common: turn off logRefusedConnections - it's super noisy 2022-01-01 20:56:41 +00:00
7b4e6c0e1b ops/nixos: oops, try to fix my.scrapeJournal.addr 2022-01-01 15:14:02 +00:00
c91a42948d journal2clickhouse: init 2022-01-01 15:08:52 +00:00
c5119b4882 ops/nixos: enable HTTP gateway if Tailscale is configured 2022-01-01 12:40:13 +00:00
e182171916 ops/nixos: disable LLMNR 2022-01-01 00:41:37 +00:00
f35a79444c ops/nixos: add better support for specialisations 2021-12-31 23:51:09 +00:00
6cb1af2f35 ops/nixos: start using systemd-resolved 2021-12-28 18:42:42 +00:00
ab9dd5d35a common: remove nhs.uk IPv6 mapping 2021-12-24 02:27:15 +00:00
656df5ac5b common: add kitty.terminfo 2021-12-21 08:13:20 +00:00
29f7073384 ops/nixos: compatibility with NixOS 22.05 2021-12-07 19:13:04 +00:00
19782a9e63 ops/nixos: set group for isSystemUser users 2021-09-16 19:14:30 +00:00
23eda90726 ops/nixos/lib/common: add the running system hash to the exported metrics 2021-07-27 21:06:17 +00:00
dccdaa2608 common: map www.nhs.uk to Akamai IPv6 address 2021-05-21 15:21:29 +00:00
11066035e2 ops/nixos: add alacritty everywhere 2021-04-17 20:17:43 +01:00
e0241545d2 add mercurial to rundeck path 2021-04-10 22:17:28 +00:00
bfa7051e2f ops/nixos: tidy up hostnames 2021-04-10 20:15:30 +00:00