Commit graph

1625 commits

Author SHA1 Message Date
0dacea5ff8 3p/gopkgs: add a bunch of dependencies of github.com/hashicorp/vault/api 2022-03-15 03:07:06 +00:00
23df8e3b18 ops/vault/cfg: initial configuration 2022-03-14 23:34:33 +00:00
92998b5d36 ops/vault/cfg: init terranix stuff 2022-03-14 21:29:15 +00:00
b469b24c5a totoro: add live2 alias 2022-03-14 21:28:58 +00:00
f55dc46170 ssh-ca-vault: disable SSH host key signing for now 2022-03-14 21:28:37 +00:00
8c6c7af3f7 ops/vault: add reissue-secret-id utility 2022-03-14 21:28:16 +00:00
262620f177 swann: also put v6 RA routes into the correct route table
(fixes ee)
2022-03-13 20:35:11 +00:00
615c30ed54 swann: reduce write activity on disk 2022-03-13 17:34:23 +00:00
edf6671aff 3p/nixpkgs: add pr164025 2022-03-13 17:33:59 +00:00
b29a330382 ubi_reader: init 2022-03-13 17:32:59 +00:00
c41914e274 nixos/networkd: add support for configuring networkd.conf settings
networkd.conf controls a few interesting options, such as enabling
systemd-networkd's speed meterer and, crucially, allowing you to disable the
behaviour where networkd will delete any routes or policy-based routing rules
that it doesn't recognise.

This also adds support for configuring routing table names and mirroring them
into the iproute2 config.
2022-03-13 04:00:48 +00:00
Default email
aa526eb20f Project import generated by Copybara.
GitOrigin-RevId: fcd48a5a0693f016a5c370460d0c2a8243b882dc
2022-03-10 11:12:11 -08:00
c9bd0696ed heptapod: enable SSH CA 2022-03-13 00:24:57 +00:00
f1fcda810a vault-agent-acme: disable 2022-03-12 23:39:45 +00:00
5283ee4fee swann: migrate fully to using networkd
networkd appears to have gotten very aggressive about clearing routing rules it didn't insert itself
2022-03-12 19:38:54 +00:00
9099ee2a45 swann: only rename physical interfaces 2022-03-12 07:25:48 +00:00
fb2dc81bc0 bvm-radius: ensure acme user 2022-03-11 23:10:01 +00:00
6353ce6603 swann: make systemd-networkd-wait-online wait for _any_ NIC 2022-03-11 22:57:08 +00:00
f15e112da7 ssh-ca-vault: by default enable user matches 2022-03-11 22:31:57 +00:00
ae97fddae2 vault-agent-acme: migrate to using a single token file that writes the other files as a side-effect
This avoids annoying problems like "too many" retries for certificate issuance,
since we only ask for the secret once.
2022-03-11 22:07:31 +00:00
ac0c6eccef ssh-ca-vault: init 2022-03-11 21:48:06 +00:00
86a6191a56 vault-agent-secrets: add wantedBy for all restartable units too 2022-03-11 18:48:54 +00:00
ada466bae0 vault-agent-secrets: put Before in the correct place 2022-03-11 18:48:08 +00:00
a66bd4822a totoro: disable RP filter 2022-03-11 18:45:41 +00:00
fde964db82 hm/client: add VAULT_ADDR env variable 2022-03-11 18:44:52 +00:00
0187120a24 ops/nixos: move nix cache tokens into vault 2022-03-11 16:46:50 +00:00
4100b021aa etheroute-lon01: add google service account token 2022-03-11 16:20:34 +00:00
dd746bec32 etheroute-lon01: use FQDN for Pomerium DNS 2022-03-11 16:20:24 +00:00
72a647b80f baserow: disable moto tests which are broken for some reason 2022-03-11 15:53:04 +00:00
3cb0fa9787 3p/nixpkgs: add pr163678 to fix mercurial 2022-03-11 15:46:15 +00:00
e8b2667c01 heptapod-runner: make a separate drv and stop maintaining it as a patchset on top of gitlab-runner 2022-03-11 15:15:30 +00:00
34fa21a171 treewide: fix eval fallout from nixpkgs bump 2022-03-11 14:56:55 +00:00
Default email
8e65f7f0cc Project import generated by Copybara.
GitOrigin-RevId: 062a0c5437b68f950b081bbfc8a699d57a4ee026
2022-03-05 17:20:37 +01:00
75a5b40962 3p/nixpkgs: remove handrolled pomerium fixes, migrate to upstream PR 2022-03-11 14:41:08 +00:00
c98f3312a7 etheroute-lon01: migrate to vault-agent-secrets 2022-03-11 14:40:55 +00:00
6e6e714cf1 ops/nixos: init vault-agent-secrets module 2022-03-11 14:40:08 +00:00
f9546ed62a ts3spotifybot: remove for now 2022-03-11 10:02:22 +00:00
e50f682237 totoro: remove cloudflare credentials from raritan-sslrenew 2022-03-11 03:46:31 +00:00
4be2eaeb6d nixos/lib/common: remove security.acme 2022-03-11 03:28:32 +00:00
0c458988de ops/nixos: misc cleanups 2022-03-11 03:27:58 +00:00
daccfa5717 ops/nixos: migrate everything to vault-agent-acme 2022-03-07 00:52:03 +00:00
0c7f785107 vault-agent-acme: tidy up 2022-03-06 23:01:51 +00:00
8be4fe603e vault-agent-acme: init 2022-03-06 22:26:49 +00:00
332d1ca100 nix/docker/vault: update Vault's plugin registry as part of upload
It's possible (and likely) that when we update the Vault image that the SHA256
of the plugin will also change.

Automatically update that as the last step of the deploy.
2022-03-06 17:10:58 +00:00
932b47e9e9 vault-acme: init
This is a Vault secrets plugin for provisioning SSL certificates using ACME.
2022-03-06 16:52:47 +00:00
6c3ecb4d0b nix/docker/vault: init
This is the Docker image I use for deploying Vault.
2022-03-06 16:51:34 +00:00
a3eb1e4519 totoro: enable samba 2022-03-05 11:56:22 +00:00
f0e645fccb swann: add lukegb01.ring.nlnog.net to smokeping prober 2022-03-03 18:44:56 +00:00
dfb663e659 blade-router: mark cloudflare as pending 2022-03-03 17:38:19 +00:00
c357d5ed8f blade-router: add cloudflare2 2022-03-03 17:37:41 +00:00