Commit graph

1487 commits

Author SHA1 Message Date
8647af22d7 ops/nixos: put more things in Vault 2022-04-09 21:51:24 +01:00
2536214734 deluge: migrate auth file to vault 2022-04-09 20:59:11 +01:00
a3ef78701e web/lukegbcom: add a diagram to illustrate the token hierarchy 2022-04-09 20:46:48 +01:00
675b65b5da nix/docker/heptapod: add update script for image 2022-04-09 20:17:32 +01:00
e1ede118d1 web/lukegbcom: add some padding 2022-04-08 02:30:59 +01:00
482ecc6984 web/lukegbcom/2022-04-07-vault-and-me: add hero image 2022-04-08 02:22:01 +01:00
65236b2c0c web/lukegbcom/2022-04-07: explain why tokend ACLs are more permissive... 2022-04-08 02:10:22 +01:00
78ccb6a571 web/lukegbcom: underline links in posts 2022-04-08 02:08:24 +01:00
adec31460a web/lukegbcom: oops, YAML... 2022-04-08 02:01:51 +01:00
ff665ab50f lukegbcom: add a long rambly post about my Vault setup 2022-04-08 01:42:43 +01:00
b238831963 frantech-nyc01: no more bgp 2022-04-07 04:13:33 +01:00
55b6bd2a19 ops/nixos: add nixos-size to measure total closure pinned by booted-system/current-system mismatch 2022-04-07 03:42:17 +00:00
deployer@bvm-nixosmgmt.blade.as205479.net bd4e52105d nix/pkgs/plex-pass: update version to 1.25.9.5721-965587f64 2022-04-07 02:12:24 +00:00
157629a402 paperless: allow websockets, set up postgres 2022-04-06 11:49:52 +01:00
Default email d56f44df06 Project import generated by Copybara.
GitOrigin-RevId: bc4b9eef3ce3d5a90d8693e8367c9cbfc9fc1e13
2022-04-03 20:54:34 +02:00
fa8f317d6f totoro: add firewall rule for Lifx 2022-04-06 01:00:55 +01:00
da71f20036 ops/nixos: enable paperless 2022-04-06 00:57:22 +01:00
a0802e697f gitlab-ci: restore machine deploys 2022-04-05 22:13:21 +01:00
98cd1c7427 gitlab-ci: try setting NIX_PATH explicitly 2022-04-05 22:09:21 +01:00
97a2e46eeb lukegbcom: autodeploy using Vault 2022-04-05 22:04:32 +01:00
57c5a7d1ce coredns: add bvm-paperless.int 2022-04-05 11:28:10 +01:00
2585d70127 porcorosso: tidy up gl packages 2022-04-05 03:14:07 +00:00
67252bab10 lightspeed: delete 2022-04-05 02:41:16 +00:00
9119a5893f lukegbcom: fix up images in posts 2022-04-05 02:18:57 +00:00
8f6ae5cfd4 bvm-paperless: init 2022-04-04 19:11:22 +00:00
Default email 8a45d4525b Project import generated by Copybara.
GitOrigin-RevId: 710fed5a2483f945b14f4a58af2cd3676b42d8c8
2022-03-30 11:31:56 +02:00
6f81c9d464 3p/nixpkgs: remove old PR patches 2022-04-04 19:05:49 +00:00
11f8adeb43 3p/nixpkgs: add pr167721 for paperless-ngx 2022-04-04 18:56:17 +00:00
9f9991c895 heptapod: 0.30.0 -> 0.30.1 2022-04-04 14:53:06 +01:00
32f6d38549 web/lukegbcom: limit homepage posts to 3 2022-04-04 02:38:10 +01:00
43e5ecf0db web/lukegbcom: add all the rest of the posts 2022-04-04 02:36:09 +01:00
762a5a7271 web/lukegbcom: init next.js version 2022-04-04 00:32:57 +01:00
f8f5d48eec porcorosso: blocklist r8152/r8153_ecm 2022-04-03 19:47:19 +01:00
b40f3435f4 swann: switch to SFP 2022-03-30 16:42:37 +00:00
addba44d44 coredns: fix ipv6 zones 2022-03-30 17:25:25 +01:00
4b6b4842d1 update dns 2022-03-29 21:30:09 +01:00
deployer@bvm-nixosmgmt.blade.as205479.net d2aaa28aa5 nix/pkgs/plex-pass: update version to 1.25.8.5663-e071c3d62 2022-03-25 02:11:03 +00:00
f5d66318a3 go/access: set principal name, set presence required by host 2022-03-25 01:47:18 +00:00
3a32590571 go/access: init 2022-03-25 01:24:21 +00:00
eb163962a4 nixos/common: add wireguard-tools 2022-03-24 22:22:18 +00:00
4d00448f55 heptapod: 0.29.1 -> 0.30.0 2022-03-24 22:20:56 +00:00
dbaabf1295 vault: deployer should be allowed to read nix-daemon secrets 2022-03-24 22:20:44 +00:00
b8acd6e31b swann: re-enable vault-agent 2022-03-20 19:10:24 +00:00
7592e76a31 tokend: init
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.

It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
08b68745f0 ops/vault: move policies to token_policies
I want to be able to rescope these policies down in tokend, which means that I
can't have policies attached to the server's *identity*. Instead, we put these
on the approle, which allows us to down-scope all of these.
2022-03-20 11:29:10 +00:00
58a907b700 nixos/vault-agent: listen on UDS only
This UDS is going to be private to vault-agent and tokend (which doesn't exist
yet).

As a stopgap, for the moment, secretsmgrd will be granted direct access to
speak to the Vault Agent over the UDS.

tokend will be responsible for provisioning applications with tokens, by
issuing subtokens which have roles corresponding to the user account requesting
access.
2022-03-20 11:14:51 +00:00
d97a1b7437 bvm-radius: reenable roaming2.ja.net 2022-03-20 11:08:34 +00:00
c60a68a354 nix/gitlab-ci: try to restrict deploy steps to only default 2022-03-20 10:26:56 +00:00
4020f310ce ops/vault: destroy existing secrets before provisioning a new one 2022-03-20 10:20:25 +00:00
132cb805b3 ops/vault: use wrapping token to protect secret IDs in transit 2022-03-20 10:14:02 +00:00