teutat3s
998cf4c63d
website: force HTTPS
...
Co-authored-by: b12f <b12f@noreply.git.pub.solar>
Co-authored-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-08-27 10:03:43 +02:00
teutat3s
a0b52d51e5
nachtigall: make postgres wait for zfs mount
...
Co-authored-by: b12f <b12f@noreply.git.pub.solar>
Co-authored-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-08-27 10:00:42 +02:00
teutat3s
701c62dd69
tests: create keycloak test, add working test for website
...
Co-authored-by: b12f <b12f@noreply.git.pub.solar>
Co-authored-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-08-27 09:55:25 +02:00
teutat3s
f236962e17
garage: add monitoring, connect to grafana + loki
...
https://garagehq.deuxfleurs.fr/documentation/reference-manual/monitoring/
2024-08-25 00:18:09 +02:00
teutat3s
15b507904f
garage: init buckets.pub.solar, use nginx as reverse proxy
...
https://garagehq.deuxfleurs.fr/documentation/cookbook/reverse-proxy/
2024-08-24 21:48:48 +02:00
teutat3s
25827a97d3
modules: add unlock-luks-on-boot
2024-08-24 03:05:28 +02:00
teutat3s
4a3d3ce84b
garage: init module
2024-08-24 03:05:16 +02:00
teutat3s
7f2bfd923f
loki: move data dir to /data disk with more room
2024-08-07 10:19:53 +02:00
teutat3s
79679720ff
tt-rss: lint with treefmt
2024-07-18 17:49:29 +02:00
teutat3s
0fc0c6d595
tt-rss: use git.tt-rss.org instead of gitlab
...
gitlab repo was throwing HTTP 500 errors
2024-07-18 17:35:05 +02:00
Benjamin Yule Bädorf
13c381ff3d
rss: fix auth build, fix nginx group rights, log to stdout
2024-07-17 18:50:06 +02:00
Benjamin Yule Bädorf
68be6b9303
tt-rss: fix secret paths, add plugin sha
2024-07-17 15:22:59 +02:00
Benjamin Yule Bädorf
cf830a9770
tt-rss: module init
2024-07-17 15:22:57 +02:00
teutat3s
26e96dfac5
mediawiki: update to v1.42.1
2024-07-15 18:51:10 +02:00
teutat3s
7ce66f38fc
grafana: update dashboard json, select nachtigall by default
2024-07-02 19:04:52 +02:00
teutat3s
2ebe4bd109
loki: fix invalid config max_look_back_period,
...
seems no longer used in loki 3
2024-06-23 15:19:20 +02:00
teutat3s
bc9ac6011e
flake: update to NixOS 24.05
...
Fix warnings:
trace: warning: The option `services.nextcloud.extraOptions' defined in `/nix/store/a53lc1l5wy9vbv1d3n93903dq0wjgvfj-source/flake.nix#nixosModules.nextcloud' has been renamed to `services.nextcloud.settings'.
trace: warning: The option `services.nextcloud.skeletonDirectory' defined in `/nix/store/a53lc1l5wy9vbv1d3n93903dq0wjgvfj-source/flake.nix#nixosModules.nextcloud' has been renamed to `services.nextcloud.settings.skeletondirectory'.
trace: warning: The option `services.nextcloud.config.overwriteProtocol' defined in `/nix/store/a53lc1l5wy9vbv1d3n93903dq0wjgvfj-source/flake.nix#nixosModules.nextcloud' has been renamed to `services.nextcloud.settings.overwriteprotocol'.
trace: warning: The option `services.matrix-synapse.sliding-sync' defined in `/nix/store/a53lc1l5wy9vbv1d3n93903dq0wjgvfj-source/flake.nix#nixosModules.matrix' has been renamed to `services.matrix-sliding-sync'.
Fix errors:
loki: fix config for version 3+
keycloak: declarative-user-profile feature is now enabled by default
error: A definition for option `programs.gnupg.agent.pinentryPackage' is not of type `null or package'. Definition values:
- In `/nix/store/a53lc1l5wy9vbv1d3n93903dq0wjgvfj-source/flake.nix#nixosModules.forgejo': "curses"
2024-06-23 15:19:18 +02:00
teutat3s
99f84268e7
nextcloud: fine tune for performance, following
...
https://docs.nextcloud.com/server/latest/admin_manual/installation/server_tuning.html
2024-06-23 15:01:37 +02:00
teutat3s
f38aa289ea
matrix-synapse: enable more useful logging
2024-06-23 15:00:40 +02:00
teutat3s
d21ae91c3e
postgresql: tune
2024-06-22 16:42:38 +02:00
teutat3s
e2691988bf
nextcloud: use port 465 and TLS/SSL for mail transfer
2024-06-08 23:54:05 +02:00
teutat3s
d3fedd84e9
loki: tune settings, enable cache
2024-06-08 23:53:43 +02:00
teutat3s
6ea916603c
networking: set networking.domain in core module
2024-06-06 19:30:11 +02:00
teutat3s
bae41b07a8
promtail: use hostName to set label
2024-06-06 19:29:42 +02:00
teutat3s
eaed05c834
style: apply treefmt
2024-06-06 12:56:55 +02:00
teutat3s
4350cbf7c4
tankstelle: add promtail, prometheus node-exporter
...
for monitoring, configure wireguard between flora-6 and tankstelle
2024-06-06 12:53:49 +02:00
teutat3s
b93608a8fa
metronom: add promtail, prometheus node-exporter
...
configure wireguard to push logs to and scrape metrics from flora-6
open firewall for node-exporter port on wg-ssh interface
2024-06-06 12:52:55 +02:00
teutat3s
6aa18b0a2c
flake: update inputs
...
• Updated input 'element-themes':
'github:aaronraimist/element-themes/2368b58c16d2c4aabb82a245f036d228cbb6e5f5' (2024-02-12)
→ 'github:aaronraimist/element-themes/6ed3a981191cbd59f03ea530f16e096b9a4c278c' (2024-05-28)
• Updated input 'flake-parts':
'github:hercules-ci/flake-parts/8dc45382d5206bd292f9c2768b8058a8fd8311d9' (2024-05-16)
→ 'github:hercules-ci/flake-parts/2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8' (2024-06-01)
• Updated input 'flake-parts/nixpkgs-lib':
'50eb7ecf4c
.tar.gz?narHash=sha256-QBx10%2Bk6JWz6u7VsohfSw8g8hjdBZEf8CFzXH1/1Z94%3D' (2024-05-02)
→ 'eb9ceca17d
.tar.gz?narHash=sha256-lIbdfCsf8LMFloheeE6N31%2BBMIeixqyQWbSr2vk79EQ%3D' (2024-06-01)
• Updated input 'home-manager':
'github:nix-community/home-manager/2c78a57c544dd19b07442350727ced097e1aa6e6' (2024-05-26)
→ 'github:nix-community/home-manager/095ef64aa3b2ab4a4f1bf07f29997e21e3a5576a' (2024-06-04)
• Updated input 'nix-darwin':
'github:lnl7/nix-darwin/0bea8222f6e83247dd13b055d83e64bce02ee532' (2024-05-24)
→ 'github:lnl7/nix-darwin/c0d5b8c54d6828516c97f6be9f2d00c63a363df4' (2024-05-29)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/46397778ef1f73414b03ed553a3368f0e7e33c2f' (2024-05-22)
→ 'github:nixos/nixpkgs/a62e6edd6d5e1fa0329b8653c801147986f8d446' (2024-05-31)
• Updated input 'unstable':
'github:nixos/nixpkgs/bfb7a882678e518398ce9a31a881538679f6f092' (2024-05-24)
→ 'github:nixos/nixpkgs/57610d2f8f0937f39dbd72251e9614b1561942d8' (2024-05-31)
2024-06-05 02:08:13 +02:00
teutat3s
e93a56e594
nginx: use square brackets for IPv6 address
2024-06-05 01:59:54 +02:00
teutat3s
27c239b985
loki: allow port 3100 in firewall for wg-ssh interface
2024-06-05 01:59:44 +02:00
teutat3s
61ea0ad7c2
networking: add internal IPv6 wireguard IPs to /etc/hosts
2024-06-03 12:33:51 +02:00
teutat3s
56f692740e
networking: use *.wg.pub.solar in /etc/hosts
...
instead of overriding IPs for existing DNS records, to reduce suprises
when DNS records are different depending on the host.
Add metronom + tankstelle internal wireguard IPs, too.
2024-06-03 12:28:33 +02:00
teutat3s
20ebf92f1f
loki, promtail, prometheus: remove basic auth, use
...
wireguard to secure connections
2024-06-01 16:51:14 +02:00
teutat3s
9a9dccf5bb
mail: move NixOS module to modules
2024-05-31 16:52:04 +02:00
teutat3s
9d8026a31a
mail(treewide): update mail.greenbaum.zone -> mail.pub.solar
2024-05-31 16:52:04 +02:00
teutat3s
2eeef069a2
alerts: alert for uptime after 90 days instead
2024-05-27 16:45:58 +02:00
teutat3s
1235a4f878
Merge pull request 'style: avoid usage of top-level "with lib;"' ( #195 ) from style-avoid-top-level-lib into main
...
Reviewed-on: pub-solar/infra#195
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-05-27 10:03:43 +00:00
teutat3s
708cf947de
backups: remove droppie
...
There were no backups to droppie since December 2023. We can always add
it back, if desired.
2024-05-19 15:31:20 +02:00
teutat3s
c015a1ec2e
style: avoid usage of top-level "with lib";
...
See: https://github.com/NixOS/nixpkgs/issues/208242
2024-05-19 15:27:19 +02:00
teutat3s
67b9b84e01
backups: reduce chances for lock race
...
Start one backup per hour each night
2024-05-15 21:00:41 +02:00
teutat3s
e52324209f
alertmanager: fix SMTP secret
2024-05-15 17:15:46 +02:00
teutat3s
bd4241e71d
caddy: use alerts.pub.solar domain for vhost
2024-05-15 16:17:54 +02:00
teutat3s
d1a68a7c13
secrets: fix too open permissions
2024-05-15 16:01:44 +02:00
teutat3s
9245fa6797
alertmanager: finalize init
2024-05-15 16:01:44 +02:00
teutat3s
a8a8155114
style: treefmt with nixfmt-rfc-style
2024-05-15 16:01:44 +02:00
Pablo Ovelleiro Corral
11f5557a7a
Add reverseproxy for alerts.pub.solar
...
Co-authored-by: teutat3s <teutat3s@noreply.git.pub.solar>
2024-05-15 16:01:43 +02:00
Pablo Ovelleiro Corral
7e2bcfc5cf
Add alertmanager config
2024-05-15 16:01:42 +02:00
teutat3s
2ca0bd7c3e
style: run treefmt
2024-05-08 22:57:07 +02:00
Benjamin Yule Bädorf
68278ad983
refactor: use options for config parts
...
This works towards having reusable modules
* `config.pub-solar-os.networking.domain` is used for the main domain
* `config.pub-solar-os.privacyPolicUrl` links towards the privacy policy
* `config.pub-solar-os.imprintUrl` links towards the imprint
* `config.pub-solar-os.auth.enable` enables the keycloak installation.
This is needed because `config.pub-solar-os.auth` has to be available
everywhere, but we do not want to install keycloak everywhere.
* `config.pub-solar-os.auth.realm` sets the keycloak realm name
2024-05-08 19:47:47 +02:00
teutat3s
ff9703e542
matrix: init stickerpicker
2024-05-07 17:47:55 +02:00
teutat3s
c738f2d41f
modules: remove leftover apps dir
2024-04-30 00:57:46 +02:00
Pablo Ovelleiro Corral
512ab12de1
Put modules into uniform folders
2024-04-28 19:17:09 +02:00
Benjamin Yule Bädorf
ef94681e11
refactor: Move all apps into modules
2024-04-28 18:07:28 +02:00
teutat3s
8743ea7b0c
networking: add wireguard hosts to /etc/hosts
...
Also re-enable DNSSEC, it's reported fixed in systemd-resolved
2024-04-12 19:54:09 +00:00
Benjamin Yule Bädorf
b1519c8f22
ssh: only allow ssh on wireguard interface
2024-04-05 14:28:18 +02:00
Benjamin Yule Bädorf
eacf60974c
wireguard: initial commit
2024-04-05 11:09:31 +00:00
teutat3s
815033c764
treewide: apply nixpkgs-fmt
...
Used command:
nixpkgs-fmt .
2024-01-27 20:29:30 +01:00
teutat3s
38a6e5e084
fix: add nix registry setting to speed up ad-hoc flake
...
usage, e.g. via nix shell nixpkgs#<flake-name>
2023-11-16 22:05:04 +01:00
b12f
f5185e5c15
feat: add mediawiki
...
Co-authored-by: @teutat3s <teutates@mailbox.org>
2023-11-15 21:40:29 +01:00
teutat3s
d5922ff2b8
fix: disable DNSSEC for now because of an issue in
...
systemd https://github.com/systemd/systemd/issues/10579
Without this change, there are random SERVFAIL responses with Greenbaum DNS
when using allow-downgrade. Fixes DNS queries for lev-1.int.greenbaum.zone
❯ dig obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone
; <<>> DiG 9.18.19 <<>> obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1871
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone. IN A
;; ANSWER SECTION:
obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone. 22 IN A 192.168.128.82
;; Query time: 105 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Nov 09 10:38:02 UTC 2023
;; MSG SIZE rcvd: 121
2023-11-15 18:54:32 +00:00
teutat3s
9c1d19d49f
nachtigall: move SSH private key from user to host
2023-11-15 18:54:32 +00:00
teutat3s
7be3567e6d
flora-6: refactor to use flake.parts
2023-11-15 18:54:32 +00:00
Benjamin Bädorf
20fbcbb571
fix: two typos
2023-11-06 21:07:24 +00:00
Benjamin Bädorf
e8ad662631
refactor: change file structure to use modules dir
...
This commit changes the file structure around, so that we have the
following parts:
`/modules` contains reusable logic blocks for hosts.
`/hosts` contains host configurations.
`/lib` contains nix library functions.
`/overlays` contains overlay files.
`/public-keys` contains all information regarding public keys.
This change reduces the complexity of flake.nix, instead delegating this
out to the `default.nix` files in the above directories.
2023-11-06 13:11:30 +01:00