Commit graph

878 commits

Author SHA1 Message Date
3c7d0fa54e clouvider-lon01: add live1 relay 2022-11-24 13:03:16 +00:00
154ea3a393 howl: disable lukegbgp/try to fix bindsTo/partOf 2022-11-13 19:37:02 +00:00
79ae0d7fef nix/pkgs/baserow/web-frontend: fix
We need to use openssl-legacy-provider to fix an issue with OpenSSL 3.x,
because Webpack (or Nuxt?) need to use deprecated hashes.
2022-11-09 00:35:09 +00:00
b03bf3ea87 baserow: drop mjml-tcpserver 2022-11-02 02:08:52 +00:00
f34d5e20db hm/common: no manuals 2022-11-02 00:49:53 +00:00
f143d0be51 3p/nixpkgs: post-bump fixups 2022-10-31 21:41:42 +00:00
1d7a00e684 hm/graphical-client: add 'discord' 2022-10-31 20:09:53 +00:00
9dee33f3dc swann: reenable unifi controller 2022-10-09 18:15:47 +01:00
e772336dc5 porcorosso: bump system.stateVersion (will change postgresql version) 2022-10-08 22:11:21 +01:00
86539ec1f2 totoro: bump system.stateVersion 2022-10-08 22:05:50 +01:00
068f1e2d9c treewide: various warning fixups 2022-10-08 21:49:16 +01:00
88334fa721 hm/porcorosso-wsl: drop genie 2022-10-08 21:27:01 +01:00
f216bbad29 ops/nixos: services.ipfs --> services.kubo 2022-10-08 21:20:04 +01:00
746c427690 hm/ext: init SSH config tweaks for 3p systems 2022-10-08 21:14:36 +01:00
e03ae8b853 treewide: fix things up for new nixpkgs 2022-10-02 22:23:44 +01:00
2796d03b22 nixos/client: add udisks2 2022-09-24 16:40:45 +01:00
18d7f36feb howl/porcorosso: switch NetworkManager/system-connections from symlink to bind mount 2022-09-18 17:53:02 +01:00
bfe31111ba bvm-paperless: oops, need to put square brackets there 2022-09-11 22:50:08 +01:00
27eb5b251e blade-router: tweak export filter to drop local communities 2022-08-17 02:30:09 +01:00
a8bb05ba1e blade-router: add ovh 2022-08-17 00:50:45 +01:00
9752742d76 bgp: force next-hop for OVH since I just can't talk to their router 2 2022-09-04 21:10:33 +01:00
2e56cddee5 hm/common: add a 'github' server alias 2022-09-04 21:10:20 +01:00
c16856f8ab treewide: add my.ip.tailscale6 2022-09-02 00:22:16 +01:00
04df4d0a98 depotwide: make closures smaller, especially on frantech machines 2022-08-27 19:38:03 +01:00
4d0091c35e as205479.net: add IPv6 tailnet, swap etheroute-lon01 2022-08-26 21:10:05 +01:00
203cba674d blade: oops, we need SPICE 2022-08-26 21:00:52 +01:00
bc6832b6ca etheroute-lon01: reinstall, reconfig bgp.tools session 2022-08-26 21:00:43 +01:00
bd37aaa161 porcorosso: enable swtpm and secure boot OVMF 2022-08-19 19:55:03 +01:00
e917fa122d bvm-netbox: oops, ninovpn 2022-08-19 19:26:44 +01:00
e43e0a4e25 ops/nixos: switch from iosevka to iosevka-bin 2022-08-14 23:01:39 +01:00
e25a1ba6c4 depotwide: fix stuff 2022-08-14 21:01:26 +01:00
65d5cf0f92 porcorosso: some various changes 2022-08-14 18:11:14 +01:00
159da44acf totoro: enable nodered 2022-08-14 18:10:49 +01:00
5c1742e13f depotwide: add google-cloudflare role 2022-08-10 01:51:46 +01:00
54ba8ff398 bvm-matrix: add a pointless hostname to the cert set 2022-07-21 09:46:56 +01:00
d1b8449d76 ops/nixos/blade-router: don't export routes to LINX collector
It confuses some other people on LINX, so for the avoidance of arguments let's Just Not.
2022-07-15 12:03:37 +01:00
49cab76737 nixos/hm/common: tweak ssh settings 2022-07-15 08:59:43 +01:00
64940e45d6 ops/nixos/graphical-client: install qFlipper 2022-07-07 22:06:35 +01:00
f9f7542da5 bvm-paperless: add more paperless env variables 2022-06-29 21:39:56 +01:00
5f19f9d783 totoro: add gateway 2022-06-25 17:43:30 +00:00
a5fb805dfa totoro: set default gateway. oops. 2022-06-25 17:35:49 +00:00
dd10a6ba6b totoro: switch to networkd 2022-06-19 20:34:43 +00:00
2884ced8a3 bvm-paperless: fix DBHOST to use unix sockets again 2022-06-19 21:21:15 +01:00
679c040677 Backed out changeset a532ddc33432 2022-06-19 21:02:02 +01:00
855faad5a0 bvm-prosody: eventphone stuff 2022-06-19 21:01:55 +01:00
d04959acf9 bvm-paperless: clear password for paperless to force unix auth 2022-06-19 20:59:51 +01:00
bfe2fb1707 totoro: add deluge, expose content share over Samba 2022-06-19 00:55:31 +00:00
bd2be7196a nixos/common: add pam-ussh 2022-06-04 12:21:32 +01:00
2c6be52ce9 howl: add BGP for EMFIX 2022-06-04 12:15:43 +01:00
e68f8b615f hm/graphical-client-wayland: use wallpaper 2022-04-18 16:45:14 +01:00
8b9c3494ff ops/vault/reissue-secret-id: don't fail on systems with no pre-existing secrets 2022-04-18 16:44:55 +01:00
60e6ae8af5 nixos/blade-router: bump LINX LON1 netmask to /21 2022-05-29 22:03:56 +01:00
977ee51c54 ops/nixos: change default for RP check to loose to silence Tailscale warnings 2022-05-21 16:31:58 +01:00
97d71c78a1 ops/vault: add authentik-backed auth 2022-05-21 15:42:55 +01:00
f7686f6a5a hm/common: add whitby alias for ssh 2022-05-17 01:41:48 +01:00
7f587564de porcorosso-wsl: don't try to load ed25519, use genie 2022-05-17 01:37:01 +01:00
4f3c21a8ea blade: tweak rbd_cache settings 2022-05-02 17:40:32 +01:00
13d51a7978 ops/nixos: move gitlab-runner registration token to vault 2022-05-13 21:45:36 +00:00
bf601faa89 nix/pkgs/authentik: init 2022-05-12 22:55:10 +00:00
cb383c46ad ops/nixos/lib/coredns: add IPv6 address for oracle-lon01 2022-05-12 18:38:16 +00:00
8d1ae0fce1 bvm-prosody: use SQLite3 2022-05-02 17:20:03 +01:00
58793004a2 ops/nixos/hm/common: Tweak the IP for SAR1. 2022-04-30 16:48:35 +01:00
6e746fb2cf etheroute-lon01: use gre rather than ipip
Cloudflare Magic Transit appears to become Very Unhappy when you blast it with IPIP.

Use GRE instead, which it is happier with.
2022-04-30 16:48:28 +01:00
d21b733794 ops/nixos: add bgp.tools route collector 2022-04-30 16:48:01 +01:00
04e013b237 ops/nixos/bgp: add support for route collectors 2022-04-30 16:47:35 +01:00
8acf275884 porcorosso: add lukegb to dialout
I would like to be able to use /dev/ttyUSB0 without sudo thanks.
2022-04-30 16:46:31 +01:00
35c014bdbe etheroute-lon01: configure endpoint my end 2022-04-26 09:16:25 +01:00
e51d58fac6 ops/vault: bump ACME TTL 2022-04-20 23:47:09 +01:00
6f70c36b8f ops/nixos/blade: further nuke forwardX11 2022-04-16 01:52:50 +01:00
514d703560 ops/nixos/blade: nuke forwardX11 2022-04-16 01:48:32 +01:00
7b4febe0ab ops/nixos/blade: honey I shrunk the closure 2022-04-10 02:20:41 +00:00
784324fd20 ops/nixos: decommission virgin media 2022-04-15 23:42:05 +01:00
75d3386cd2 treewide: fix up for nixpkgs bump 2022-04-15 23:33:53 +01:00
29ac5c60c3 oracle-lon01: do more complicated routing, because google 2022-04-15 11:58:16 +00:00
b5fbf1f472 oracle-lon01: add my first aarch64-linux boxen 2022-04-13 12:03:56 +00:00
dca96efffe fup: move config to secret 2022-04-10 01:37:37 +01:00
8647af22d7 ops/nixos: put more things in Vault 2022-04-09 21:51:24 +01:00
2536214734 deluge: migrate auth file to vault 2022-04-09 20:59:11 +01:00
b238831963 frantech-nyc01: no more bgp 2022-04-07 04:13:33 +01:00
55b6bd2a19 ops/nixos: add nixos-size to measure total closure pinned by booted-system/current-system mismatch 2022-04-07 03:42:17 +00:00
157629a402 paperless: allow websockets, set up postgres 2022-04-06 11:49:52 +01:00
fa8f317d6f totoro: add firewall rule for Lifx 2022-04-06 01:00:55 +01:00
da71f20036 ops/nixos: enable paperless 2022-04-06 00:57:22 +01:00
97a2e46eeb lukegbcom: autodeploy using Vault 2022-04-05 22:04:32 +01:00
57c5a7d1ce coredns: add bvm-paperless.int 2022-04-05 11:28:10 +01:00
2585d70127 porcorosso: tidy up gl packages 2022-04-05 03:14:07 +00:00
8f6ae5cfd4 bvm-paperless: init 2022-04-04 19:11:22 +00:00
f8f5d48eec porcorosso: blocklist r8152/r8153_ecm 2022-04-03 19:47:19 +01:00
b40f3435f4 swann: switch to SFP 2022-03-30 16:42:37 +00:00
addba44d44 coredns: fix ipv6 zones 2022-03-30 17:25:25 +01:00
4b6b4842d1 update dns 2022-03-29 21:30:09 +01:00
3a32590571 go/access: init 2022-03-25 01:24:21 +00:00
eb163962a4 nixos/common: add wireguard-tools 2022-03-24 22:22:18 +00:00
dbaabf1295 vault: deployer should be allowed to read nix-daemon secrets 2022-03-24 22:20:44 +00:00
b8acd6e31b swann: re-enable vault-agent 2022-03-20 19:10:24 +00:00
7592e76a31 tokend: init
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.

It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
08b68745f0 ops/vault: move policies to token_policies
I want to be able to rescope these policies down in tokend, which means that I
can't have policies attached to the server's *identity*. Instead, we put these
on the approle instead, which allows us to down-scope all of these.
2022-03-20 11:29:10 +00:00
58a907b700 nixos/vault-agent: listen on UDS only
This UDS is going to be private to vault-agent and tokend (which doesn't exist
yet).

As a stopgap, for the moment, secretsmgrd will be granted direct access to
speak to the Vault Agent over the UDS.

tokend will be responsible for provisioning applications with tokens, by
issuing subtokens which have roles corresponding to the user account requesting
access.
2022-03-20 11:14:51 +00:00
d97a1b7437 bvm-radius: reenable roaming2.ja.net 2022-03-20 11:08:34 +00:00
4020f310ce ops/vault: destroy existing secrets before provisioning a new one 2022-03-20 10:20:25 +00:00