75d3386cd2
treewide: fix up for nixpkgs bump
2022-04-15 23:33:53 +01:00
Default email
bb584b27e9
Project import generated by Copybara.
...
GitOrigin-RevId: 5181d5945eda382ff6a9ca3e072ed6ea9b547fee
2022-04-15 03:41:22 +02:00
29ac5c60c3
oracle-lon01: do more complicated routing, because google
2022-04-15 11:58:16 +00:00
b5fbf1f472
oracle-lon01: add my first aarch64-linux boxen
2022-04-13 12:03:56 +00:00
dca96efffe
fup: move config to secret
2022-04-10 01:37:37 +01:00
8647af22d7
ops/nixos: put more things in Vault
2022-04-09 21:51:24 +01:00
2536214734
deluge: migrate auth file to vault
2022-04-09 20:59:11 +01:00
a3ef78701e
web/lukegbcom: add a diagram to illustrate the token hierarchy
2022-04-09 20:46:48 +01:00
675b65b5da
nix/docker/heptapod: add update script for image
2022-04-09 20:17:32 +01:00
e1ede118d1
web/lukegbcom: add some padding
2022-04-08 02:30:59 +01:00
482ecc6984
web/lukegbcom/2022-04-07-vault-and-me: add hero image
2022-04-08 02:22:01 +01:00
65236b2c0c
web/lukegbcom/2022-04-07: explain why tokend ACLs are more permissive...
2022-04-08 02:10:22 +01:00
78ccb6a571
web/lukegbcom: underline links in posts
2022-04-08 02:08:24 +01:00
adec31460a
web/lukegbcom: oops, YAML...
2022-04-08 02:01:51 +01:00
ff665ab50f
lukegbcom: add a long rambly post about my Vault setup
2022-04-08 01:42:43 +01:00
b238831963
frantech-nyc01: no more bgp
2022-04-07 04:13:33 +01:00
55b6bd2a19
ops/nixos: add nixos-size to measure total closure pinned by booted-system/current-system mismatch
2022-04-07 03:42:17 +00:00
deployer@bvm-nixosmgmt.blade.as205479.net
bd4e52105d
nix/pkgs/plex-pass: update version to 1.25.9.5721-965587f64
2022-04-07 02:12:24 +00:00
157629a402
paperless: allow websockets, set up postgres
2022-04-06 11:49:52 +01:00
Default email
d56f44df06
Project import generated by Copybara.
...
GitOrigin-RevId: bc4b9eef3ce3d5a90d8693e8367c9cbfc9fc1e13
2022-04-03 20:54:34 +02:00
fa8f317d6f
totoro: add firewall rule for Lifx
2022-04-06 01:00:55 +01:00
da71f20036
ops/nixos: enable paperless
2022-04-06 00:57:22 +01:00
a0802e697f
gitlab-ci: restore machine deploys
2022-04-05 22:13:21 +01:00
98cd1c7427
gitlab-ci: try setting NIX_PATH explicitly
2022-04-05 22:09:21 +01:00
97a2e46eeb
lukegbcom: autodeploy using Vault
2022-04-05 22:04:32 +01:00
57c5a7d1ce
coredns: add bvm-paperless.int
2022-04-05 11:28:10 +01:00
2585d70127
porcorosso: tidy up gl packages
2022-04-05 03:14:07 +00:00
67252bab10
lightspeed: delete
2022-04-05 02:41:16 +00:00
9119a5893f
lukegbcom: fix up images in posts
2022-04-05 02:18:57 +00:00
8f6ae5cfd4
bvm-paperless: init
2022-04-04 19:11:22 +00:00
Default email
8a45d4525b
Project import generated by Copybara.
...
GitOrigin-RevId: 710fed5a2483f945b14f4a58af2cd3676b42d8c8
2022-03-30 11:31:56 +02:00
6f81c9d464
3p/nixpkgs: remove old PR patches
2022-04-04 19:05:49 +00:00
11f8adeb43
3p/nixpkgs: add pr167721 for paperless-ngx
2022-04-04 18:56:17 +00:00
9f9991c895
heptapod: 0.30.0 -> 0.30.1
2022-04-04 14:53:06 +01:00
32f6d38549
web/lukegbcom: limit homepage posts to 3
2022-04-04 02:38:10 +01:00
43e5ecf0db
web/lukegbcom: add all the rest of the posts
2022-04-04 02:36:09 +01:00
762a5a7271
web/lukegbcom: init next.js version
2022-04-04 00:32:57 +01:00
f8f5d48eec
porcorosso: blocklist r8152/r8153_ecm
2022-04-03 19:47:19 +01:00
b40f3435f4
swann: switch to SFP
2022-03-30 16:42:37 +00:00
addba44d44
coredns: fix ipv6 zones
2022-03-30 17:25:25 +01:00
4b6b4842d1
update dns
2022-03-29 21:30:09 +01:00
deployer@bvm-nixosmgmt.blade.as205479.net
d2aaa28aa5
nix/pkgs/plex-pass: update version to 1.25.8.5663-e071c3d62
2022-03-25 02:11:03 +00:00
f5d66318a3
go/access: set principal name, set presence required by host
2022-03-25 01:47:18 +00:00
3a32590571
go/access: init
2022-03-25 01:24:21 +00:00
eb163962a4
nixos/common: add wireguard-tools
2022-03-24 22:22:18 +00:00
4d00448f55
heptapod: 0.29.1 -> 0.30.0
2022-03-24 22:20:56 +00:00
dbaabf1295
vault: deployer should be allowed to read nix-daemon secrets
2022-03-24 22:20:44 +00:00
b8acd6e31b
swann: re-enable vault-agent
2022-03-20 19:10:24 +00:00
7592e76a31
tokend: init
...
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.
It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
08b68745f0
ops/vault: move policies to token_policies
...
I want to be able to rescope these policies down in tokend, which means that I
can't have policies attached to the server's *identity*. Instead, we put these
on the approle, which allows us to down-scope all of these.
2022-03-20 11:29:10 +00:00