Commit graph

231 commits

Author SHA1 Message Date
b12f 041d311bb2
modules/matrix: rename used config options 2024-10-30 18:37:47 +01:00
teutat3s 9d9bcf9a15
mas: move to module, add secrets for prod 2024-10-30 18:37:46 +01:00
b12f 4434a90136
modules/matrix: rename secrets to not include hostnames 2024-10-30 18:37:46 +01:00
teutat3s 9d7d251369
style: fix formatting 2024-10-30 18:37:46 +01:00
teutat3s 7775ad332e
matrix: do not change paths for nachtigall secrets 2024-10-30 18:37:46 +01:00
teutat3s d6cc9c8164
matrix-authentication-service: init host underground
to test mas, related to #242
2024-10-30 18:37:45 +01:00
teutat3s 987c0919ca
style: fix formatting 2024-10-17 20:31:47 +02:00
teutat3s c39cf9c0b9
mastodon: update to version 4.3.0 from nixos-unstable
https://github.com/mastodon/mastodon/releases/tag/v4.3.0
https://github.com/NixOS/nixpkgs/pull/337545/files
2024-10-17 20:31:47 +02:00
teutat3s 8600fc64c5
wireguard: fix trinkgenossin IPv4 address 2024-10-05 13:03:40 +02:00
b12f 1ec5bafa30
flora-6: remove
This commit removes the flora-6 host. All services are moved to
trinkgenossin, with the drone service being removed completely in favour
of forgejo actions.
2024-09-10 16:02:24 +02:00
teutat3s 2e16c77956
secrets: rename restic-repo-storagebox{,-nachtigall}
To use a restic repository per host
2024-08-29 16:22:58 +02:00
teutat3s 4626fd85c0
mediawiki: add backups to garage bucket + storagebox
Restic backups to garage S3 bucket nachtigall-backups
https://garagehq.deuxfleurs.fr/documentation/connect/backup/#restic
2024-08-28 17:13:34 +02:00
teutat3s 88b76beb5c
keycloak: use backups module
Co-authored-by: b12f <b12f@noreply.git.pub.solar>
Co-authored-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-08-27 10:09:07 +02:00
teutat3s a0b52d51e5
nachtigall: make postgres wait for zfs mount
Co-authored-by: b12f <b12f@noreply.git.pub.solar>
Co-authored-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-08-27 10:00:42 +02:00
teutat3s af5abfc712
nachtigall: enable ZFS auto scrub once per month 2024-06-23 15:14:30 +02:00
teutat3s 6ea916603c
networking: set networking.domain in core module 2024-06-06 19:30:11 +02:00
teutat3s 941eff6d87
tankstelle: configure wireguard 2024-05-30 19:17:21 +02:00
teutat3s 0cb89a9fe8
fix: nachtigall wants keycloak 2024-05-15 19:20:06 +02:00
teutat3s 2ca0bd7c3e
style: run treefmt 2024-05-08 22:57:07 +02:00
Benjamin Yule Bädorf ef94681e11
refactor: Move all apps into modules 2024-04-28 18:07:28 +02:00
Hendrik Sokolowski 10c86c6b20
nachtigall: obs-portal: remove tiles mount 2024-04-28 01:07:49 +02:00
Hendrik Sokolowski 1d6c5003e8
nachtigall: obs-portal: fix dependencies of docker network unit and portal 2024-04-28 01:05:43 +02:00
Benjamin Yule Bädorf d280b29394
obs-portal: init obs-portal on nachtigall
This follows the official installation instructions at https://github.com/openbikesensor/portal/blob/main/docs/production-deployment.md

Unfortunately, the postgres database needs to have postgis enabled, so
we'll have to start a second instance. To stay close to the official
deployment instructions, this is running in docker.

The secrets were taken from the old installation instance. During
initial installation, we'll need to import data from the old instance
into this one, which might take a while.
2024-04-27 22:45:07 +02:00
teutat3s 2fa3ccf28e
Revert "matrix-appservice-irc: remove unneeded syscall override"
This reverts commit a11255b433.
2024-04-27 01:44:20 +02:00
teutat3s a11255b433
matrix-appservice-irc: remove unneeded syscall override
PR was merged and backported:
https://github.com/NixOS/nixpkgs/pull/271740
2024-04-25 12:37:58 +02:00
Hendrik Sokolowski a9411d05a8
set pruneOpts for restic backups to daily 7, weekly 4, monthly 3 2024-04-22 20:06:49 +02:00
teutat3s c768203bed
nginx: set worker_processes to number of CPU cores
and set worker_connections to 1024

https://nginx.org/en/docs/ngx_core_module.html#worker_processes
https://nginx.org/en/docs/ngx_core_module.html#worker_connections
2024-04-14 17:39:56 +02:00
teutat3s b6a54efd9a
fix: add comment with hostnames to wireguard peers 2024-04-12 22:36:17 +02:00
Benjamin Yule Bädorf 7e145040cc
wireguard: use IP addresses for wireguard endpoints
Otherwise the hostnames written to the /etc/hosts file are already
pointing at the wireguard IP-addresses, so they can never connect.
2024-04-12 22:31:28 +02:00
Benjamin Yule Bädorf 316ba9ef53
forgejo: also reroute ssh traffic for ipv6 2024-04-12 19:38:15 +00:00
teutat3s afca75441c
Merge pull request 'forgejo: enable repo search (indexer), save login cookie for 365 days' (#142) from feat/forgejo-enable-search into main
Reviewed-on: pub-solar/infra#142
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-06 16:07:42 +00:00
teutat3s 9698c47530
Merge pull request 'mastodon: clean media older than 7 days' (#143) from mastodon/auto-clean-7-days into main
Reviewed-on: pub-solar/infra#143
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-06 16:07:34 +00:00
teutat3s 41e4d3427c
mastodon: clean media older than 7 days
Currently we keep everything for 30 days, which is about 180GB
2024-04-05 23:50:04 +02:00
teutat3s c5159dd66d
forgejo: enable repo search (indexer), save login
cookie for 365 days instead of default 7 days.
Caveat for the repo indexer is that repository size on disk will grow
by factor of 6. Forgejo repositories currently use 4.7GB on disk, with
3.3GB being a nixpkgs fork.
2024-04-05 23:29:49 +02:00
Benjamin Yule Bädorf 16c6aa3b61
forgejo: make SSH keys declarative 2024-04-05 19:35:55 +00:00
teutat3s 315cbf5813
Merge pull request 'fix(nextcloud): define a maintenance window' (#135) from chore/nextcloud-config-maintenance-window into main
Reviewed-on: pub-solar/infra#135
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-05 18:41:17 +00:00
Hendrik Sokolowski b6b8d69852
nachtigall: forgejo: update firewall settings 2024-04-05 18:39:43 +02:00
Benjamin Yule Bädorf e618b9f9c2
forgejo: use iptables routing instead of ssh patch 2024-04-05 17:00:28 +02:00
Benjamin Yule Bädorf d7c9333ff4
forgejo: allow multiple host addresses for SSH 2024-04-05 14:26:56 +00:00
teutat3s 18a62b8d35
fix(nextcloud): define a maintenance window for
resource intensive background jobs. Docs:
https://docs.nextcloud.com/server/28/admin_manual/configuration_server/background_jobs_configuration.html

> A value of 1 e.g. will only run these background jobs between 01:00am
UTC and 05:00am UTC
2024-04-05 16:23:16 +02:00
Benjamin Yule Bädorf f7eaef0d18
wireguard: fix flora-6 address and private key
Reviewed-on: pub-solar/infra#129
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
Co-authored-by: Benjamin Yule Bädorf <git@benjaminbaedorf.eu>
Co-committed-by: Benjamin Yule Bädorf <git@benjaminbaedorf.eu>
2024-04-05 11:26:38 +00:00
Benjamin Yule Bädorf 621e9336ed
wireguard: add basic keys 2024-04-05 11:09:31 +00:00
Benjamin Yule Bädorf eacf60974c
wireguard: initial commit 2024-04-05 11:09:31 +00:00
Benjamin Yule Bädorf 9433a8aea7
mediawiki: update to v1.41.1 2024-03-30 00:10:09 +01:00
b12f 6aea728583
Merge branch 'main' into feat/security-txt 2024-03-25 15:38:30 +00:00
Benjamin Yule Bädorf b9cffad02a
matrix: set forgotten_room_retention_period to 7d
This commit sets the value for the synapse config option
`forgotten_room_retention_period` to 7 days. This was previously unset,
meaning rooms that had no more local users were never purged from the database.

The new value makes sure that 7 days after the last local user left a
room, it will be permanently deleted from the database.

https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html?highlight=forgotten_room_retention_period#forgotten_room_retention_period
2024-03-24 18:24:30 +01:00
Benjamin Yule Bädorf 2bb2247716
website: add security.txt
Ref: pub-solar/legal#11
2024-03-23 11:07:04 +01:00
teutat3s c49ffb2d5b
fix: nginx duplicate default server
nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /etc/nginx/nginx.conf:665
2024-02-25 23:02:00 +01:00
Benjamin Yule Bädorf de04556191
nginx/miom: disable logging 2024-02-25 21:41:06 +00:00
Benjamin Yule Bädorf 0e89b7f210
nginx/miom: init miom.space website
This adds an nginx configuration for https://miom.space/. MiOM is a
creative collective in Cologne that frequently hosts our hakken.irl
hackathons. They're already using our cloud to organize.

This service is a bit more specific than most pub.solar services and falls
into a similar category as the obs-portal.

On the old miom website all logging was turned off, we might want to do
the same thing in nginx here as well then.
2024-02-25 21:41:06 +00:00