Commit graph

449 commits

Author SHA1 Message Date
670ffb4186 bgp: for 92.118.31.0/24, prepend with AS197753 for now 2023-07-24 13:28:17 +01:00
4f588c0267 coredns: quadv.net 2023-07-24 13:13:52 +01:00
d1a4a792ef ops/nixos: reinit blade-paris 2023-07-02 16:05:13 +00:00
52fd493096 blade-paris: not on ZFS 2023-07-11 11:40:55 +01:00
4921cabb8a ops/nixos: drop boot.loader.grub.version = 2 - doesn't do anything anymore 2023-05-27 20:26:35 +01:00
86f193d44a secretsmgr: add bare hostnames everywhere 2023-05-26 17:39:01 +01:00
450ae89942 cofractal-ams01: update tailcsale IP 2023-05-26 00:01:17 +01:00
e0c88bac2d porcorosso: more plasma tweaks; let's try Wayland again 2023-05-16 13:48:55 +01:00
074b3d25b6 porcorosso: let's try KDE 2023-05-14 15:04:36 +01:00
dea2ddd168 hm: add blast-{csgo,worker}{1,2}-jump 2023-05-07 14:39:32 +01:00
7fe7452e2f ops/nixos: add tumblrandom 2023-04-18 20:05:51 +00:00
2d1bf2ffae bgp: fix problem where I forgot to add depot 2023-04-15 14:47:37 +00:00
28e7704f44 ops/nixos: move tailscale/systemd-networkd fixes to lib/bgp 2023-04-15 14:36:22 +00:00
24cd61c461 etheroute-lon01: IPv4 renumber 2023-03-16 10:32:09 +00:00
721a7e6828 ops/nixos: refactor ssh_config 2023-03-12 03:58:52 +00:00
9aa6298df4 ssh-ca: also sign for otter-acoustic.ts.net 2023-03-12 03:53:42 +00:00
6d24fe6e78 ops/nixos: whitby-distributed 2023-03-12 03:51:10 +00:00
c5d4542bbb ops/nixos/lib/content: fixup 2023-03-12 03:35:48 +00:00
ca7b57a78a cofractal-ams01: adopt more responsibility from clouvider-fra01 2023-03-12 03:15:34 +00:00
f0712a966a nixbuild-distributed: tweak secret format 2023-03-12 02:04:08 +00:00
9d6aa88d2d ops/nixos: add gitlab-runner-cacher, unassign clouvider-lon01, assign cofractal-ams01 2023-03-11 18:15:45 +00:00
4daa3a593a nixbuild-distributed: create 2023-03-09 21:33:42 +00:00
09610ee555 hm/client: copybara only on x86 Linux 2023-02-12 17:57:39 +00:00
28cbcf08a4 kerrigan: provision IPv6 2023-01-21 22:46:00 +00:00
d3fdb0b04d ops/nixos/common: demand system as an arg 2023-01-21 18:59:48 +00:00
c8f1d10e4e switch-prebuilt: update 2023-01-21 18:52:15 +00:00
f1118a9a04 cofractal-ams01: support v4-on-v6 + ENH 2023-01-19 09:29:37 +00:00
9213875d8b cofractal-ams01: bgp-over-ipv4 2023-01-18 23:41:42 +00:00
756c1a3dd2 cofractal-ams01: more turnup bits 2023-01-18 21:43:48 +00:00
0583eb2f07 clouvider-lon01: enable aarch64 emulation 2023-01-17 21:49:53 +00:00
f8aaa89d74 coredns: update oracle-lon01, add cofractal-ams01 2023-01-17 21:45:18 +00:00
35a9ec6bf5 nhsenglandtests: delete 2023-01-15 16:26:50 +00:00
8407c1a743 hm/common: point at actual terminfo dir 2023-01-15 16:14:14 +00:00
e2b9b63743 terminfos: init 2023-01-15 16:10:12 +00:00
757900436a hm/common: update blast IPs 2022-12-14 05:35:38 +00:00
c758bcb61a hm/client: fix path to jj 2022-12-04 22:03:47 +00:00
754afefc78 jj: init at c52a14eac6532ba814c88f2c8c740415293bfb1a 2022-12-04 21:52:55 +00:00
980a2be55c ops/nixos/hm/client: add git-absorb 2022-12-02 03:04:25 +00:00
08332c8a7b hm/graphical-client: drop yubioath-desktop, since it got deleted from nixpkgs 2022-11-30 11:06:19 +00:00
79ae0d7fef nix/pkgs/baserow/web-frontend: fix
We need to use openssl-legacy-provider to fix an issue with OpenSSL 3.x,
because Webpack (or Nuxt?) need to use deprecated hashes.
2022-11-09 00:35:09 +00:00
b03bf3ea87 baserow: drop mjml-tcpserver 2022-11-02 02:08:52 +00:00
f34d5e20db hm/common: no manuals 2022-11-02 00:49:53 +00:00
1d7a00e684 hm/graphical-client: add 'discord' 2022-10-31 20:09:53 +00:00
88334fa721 hm/porcorosso-wsl: drop genie 2022-10-08 21:27:01 +01:00
746c427690 hm/ext: init SSH config tweaks for 3p systems 2022-10-08 21:14:36 +01:00
e03ae8b853 treewide: fix things up for new nixpkgs 2022-10-02 22:23:44 +01:00
2796d03b22 nixos/client: add udisks2 2022-09-24 16:40:45 +01:00
27eb5b251e blade-router: tweak export filter to drop local communities 2022-08-17 02:30:09 +01:00
a8bb05ba1e blade-router: add ovh 2022-08-17 00:50:45 +01:00
9752742d76 bgp: force next-hop for OVH since I just can't talk to their router 2 2022-09-04 21:10:33 +01:00
2e56cddee5 hm/common: add a 'github' server alias 2022-09-04 21:10:20 +01:00
c16856f8ab treewide: add my.ip.tailscale6 2022-09-02 00:22:16 +01:00
04df4d0a98 depotwide: make closures smaller, especially on frantech machines 2022-08-27 19:38:03 +01:00
4d0091c35e as205479.net: add IPv6 tailnet, swap etheroute-lon01 2022-08-26 21:10:05 +01:00
203cba674d blade: oops, we need SPICE 2022-08-26 21:00:52 +01:00
e43e0a4e25 ops/nixos: switch from iosevka to iosevka-bin 2022-08-14 23:01:39 +01:00
e25a1ba6c4 depotwide: fix stuff 2022-08-14 21:01:26 +01:00
5c1742e13f depotwide: add google-cloudflare role 2022-08-10 01:51:46 +01:00
d1b8449d76 ops/nixos/blade-router: don't export routes to LINX collector
It confuses some other people on LINX, so for the avoidance of arguments let's Just Not.
2022-07-15 12:03:37 +01:00
49cab76737 nixos/hm/common: tweak ssh settings 2022-07-15 08:59:43 +01:00
64940e45d6 ops/nixos/graphical-client: install qFlipper 2022-07-07 22:06:35 +01:00
bd2be7196a nixos/common: add pam-ussh 2022-06-04 12:21:32 +01:00
2c6be52ce9 howl: add BGP for EMFIX 2022-06-04 12:15:43 +01:00
e68f8b615f hm/graphical-client-wayland: use wallpaper 2022-04-18 16:45:14 +01:00
60e6ae8af5 nixos/blade-router: bump LINX LON1 netmask to /21 2022-05-29 22:03:56 +01:00
977ee51c54 ops/nixos: change default for RP check to loose to silence Tailscale warnings 2022-05-21 16:31:58 +01:00
f7686f6a5a hm/common: add whitby alias for ssh 2022-05-17 01:41:48 +01:00
7f587564de porcorosso-wsl: don't try to load ed25519, use genie 2022-05-17 01:37:01 +01:00
4f3c21a8ea blade: tweak rbd_cache settings 2022-05-02 17:40:32 +01:00
cb383c46ad ops/nixos/lib/coredns: add IPv6 address for oracle-lon01 2022-05-12 18:38:16 +00:00
58793004a2 ops/nixos/hm/common: Tweak the IP for SAR1. 2022-04-30 16:48:35 +01:00
d21b733794 ops/nixos: add bgp.tools route collector 2022-04-30 16:48:01 +01:00
04e013b237 ops/nixos/bgp: add support for route collectors 2022-04-30 16:47:35 +01:00
6f70c36b8f ops/nixos/blade: further nuke forwardX11 2022-04-16 01:52:50 +01:00
514d703560 ops/nixos/blade: nuke forwardX11 2022-04-16 01:48:32 +01:00
7b4febe0ab ops/nixos/blade: honey I shrunk the closure 2022-04-10 02:20:41 +00:00
75d3386cd2 treewide: fix up for nixpkgs bump 2022-04-15 23:33:53 +01:00
b5fbf1f472 oracle-lon01: add my first aarch64-linux boxen 2022-04-13 12:03:56 +00:00
dca96efffe fup: move config to secret 2022-04-10 01:37:37 +01:00
8647af22d7 ops/nixos: put more things in Vault 2022-04-09 21:51:24 +01:00
2536214734 deluge: migrate auth file to vault 2022-04-09 20:59:11 +01:00
55b6bd2a19 ops/nixos: add nixos-size to measure total closure pinned by booted-system/current-system mismatch 2022-04-07 03:42:17 +00:00
57c5a7d1ce coredns: add bvm-paperless.int 2022-04-05 11:28:10 +01:00
8f6ae5cfd4 bvm-paperless: init 2022-04-04 19:11:22 +00:00
addba44d44 coredns: fix ipv6 zones 2022-03-30 17:25:25 +01:00
4b6b4842d1 update dns 2022-03-29 21:30:09 +01:00
3a32590571 go/access: init 2022-03-25 01:24:21 +00:00
eb163962a4 nixos/common: add wireguard-tools 2022-03-24 22:22:18 +00:00
7592e76a31 tokend: init
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.

It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
58a907b700 nixos/vault-agent: listen on UDS only
This UDS is going to be private to vault-agent and tokend (which doesn't exist
yet).

As a stopgap, for the moment, secretsmgrd will be granted direct access to
speak to the Vault Agent over the UDS.

tokend will be responsible for provisioning applications with tokens, by
issuing subtokens which have roles corresponding to the user account requesting
access.
2022-03-20 11:14:51 +00:00
132cb805b3 ops/vault: use wrapping token to protect secret IDs in transit 2022-03-20 10:14:02 +00:00
829d179d37 nixos/common: make the EnvironmentFile optional to avoid... problems
In general, it's better for us to fail to pass credentials to the Nix daemon
than it is for the Nix daemon to fail to start up entirely.

We will restart the daemon once the secrets have been delivered anyway.
2022-03-20 10:00:17 +00:00
c9ffb4ed3e secretsmgr: actually _enable_ the timer unit 2022-03-18 01:08:35 +00:00
ce698ab382 nixos/secretsmgr: add the timer unit 2022-03-18 01:03:55 +00:00
b719181dfe nixos: migrate to secretsmgr for sshd and ACME 2022-03-17 23:31:55 +00:00
702cd972ab nixos/vault-agent: should care about /var/lib/vault-agent instead 2022-03-17 12:27:10 +00:00
b0d2782369 nixos/vault-agent: set a longer timeout on HTTP requests to upstream 2022-03-17 01:25:44 +00:00
f55dc46170 ssh-ca-vault: disable SSH host key signing for now 2022-03-14 21:28:37 +00:00
f1fcda810a vault-agent-acme: disable 2022-03-12 23:39:45 +00:00
f15e112da7 ssh-ca-vault: by default enable user matches 2022-03-11 22:31:57 +00:00