teutat3s
27c239b985
loki: allow port 3100 in firewall for wg-ssh interface
2024-06-05 01:59:44 +02:00
teutat3s
61ea0ad7c2
networking: add internal IPv6 wireguard IPs to /etc/hosts
2024-06-03 12:33:51 +02:00
teutat3s
56f692740e
networking: use *.wg.pub.solar in /etc/hosts
...
instead of overriding IPs for existing DNS records, to reduce suprises
when DNS records are different depending on the host.
Add metronom + tankstelle internal wireguard IPs, too.
2024-06-03 12:28:33 +02:00
teutat3s
20ebf92f1f
loki, promtail, prometheus: remove basic auth, use
...
wireguard to secure connections
2024-06-01 16:51:14 +02:00
teutat3s
9a9dccf5bb
mail: move NixOS module to modules
2024-05-31 16:52:04 +02:00
teutat3s
9d8026a31a
mail(treewide): update mail.greenbaum.zone -> mail.pub.solar
2024-05-31 16:52:04 +02:00
teutat3s
2eeef069a2
alerts: alert for uptime after 90 days instead
2024-05-27 16:45:58 +02:00
teutat3s
1235a4f878
Merge pull request 'style: avoid usage of top-level "with lib;"' ( #195 ) from style-avoid-top-level-lib into main
...
Reviewed-on: pub-solar/infra#195
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-05-27 10:03:43 +00:00
teutat3s
708cf947de
backups: remove droppie
...
There were no backups to droppie since December 2023. We can always add
it back, if desired.
2024-05-19 15:31:20 +02:00
teutat3s
c015a1ec2e
style: avoid usage of top-level "with lib";
...
See: https://github.com/NixOS/nixpkgs/issues/208242
2024-05-19 15:27:19 +02:00
teutat3s
67b9b84e01
backups: reduce chances for lock race
...
Start one backup per hour each night
2024-05-15 21:00:41 +02:00
teutat3s
e52324209f
alertmanager: fix SMTP secret
2024-05-15 17:15:46 +02:00
teutat3s
bd4241e71d
caddy: use alerts.pub.solar domain for vhost
2024-05-15 16:17:54 +02:00
teutat3s
d1a68a7c13
secrets: fix too open permissions
2024-05-15 16:01:44 +02:00
teutat3s
9245fa6797
alertmanager: finalize init
2024-05-15 16:01:44 +02:00
teutat3s
a8a8155114
style: treefmt with nixfmt-rfc-style
2024-05-15 16:01:44 +02:00
Pablo Ovelleiro Corral
11f5557a7a
Add reverseproxy for alerts.pub.solar
...
Co-authored-by: teutat3s <teutat3s@noreply.git.pub.solar>
2024-05-15 16:01:43 +02:00
Pablo Ovelleiro Corral
7e2bcfc5cf
Add alertmanager config
2024-05-15 16:01:42 +02:00
teutat3s
2ca0bd7c3e
style: run treefmt
2024-05-08 22:57:07 +02:00
Benjamin Yule Bädorf
68278ad983
refactor: use options for config parts
...
This works towards having reusable modules
* `config.pub-solar-os.networking.domain` is used for the main domain
* `config.pub-solar-os.privacyPolicUrl` links towards the privacy policy
* `config.pub-solar-os.imprintUrl` links towards the imprint
* `config.pub-solar-os.auth.enable` enables the keycloak installation.
This is needed because `config.pub-solar-os.auth` has to be available
everywhere, but we do not want to install keycloak everywhere.
* `config.pub-solar-os.auth.realm` sets the keycloak realm name
2024-05-08 19:47:47 +02:00
teutat3s
ff9703e542
matrix: init stickerpicker
2024-05-07 17:47:55 +02:00
teutat3s
c738f2d41f
modules: remove leftover apps dir
2024-04-30 00:57:46 +02:00
Pablo Ovelleiro Corral
512ab12de1
Put modules into uniform folders
2024-04-28 19:17:09 +02:00
Benjamin Yule Bädorf
ef94681e11
refactor: Move all apps into modules
2024-04-28 18:07:28 +02:00
teutat3s
8743ea7b0c
networking: add wireguard hosts to /etc/hosts
...
Also re-enable DNSSEC, it's reported fixed in systemd-resolved
2024-04-12 19:54:09 +00:00
Benjamin Yule Bädorf
b1519c8f22
ssh: only allow ssh on wireguard interface
2024-04-05 14:28:18 +02:00
Benjamin Yule Bädorf
eacf60974c
wireguard: initial commit
2024-04-05 11:09:31 +00:00
teutat3s
815033c764
treewide: apply nixpkgs-fmt
...
Used command:
nixpkgs-fmt .
2024-01-27 20:29:30 +01:00
teutat3s
38a6e5e084
fix: add nix registry setting to speed up ad-hoc flake
...
usage, e.g. via nix shell nixpkgs#<flake-name>
2023-11-16 22:05:04 +01:00
b12f
f5185e5c15
feat: add mediawiki
...
Co-authored-by: @teutat3s <teutates@mailbox.org>
2023-11-15 21:40:29 +01:00
teutat3s
d5922ff2b8
fix: disable DNSSEC for now because of an issue in
...
systemd https://github.com/systemd/systemd/issues/10579
Without this change, there are random SERVFAIL responses with Greenbaum DNS
when using allow-downgrade. Fixes DNS queries for lev-1.int.greenbaum.zone
❯ dig obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone
; <<>> DiG 9.18.19 <<>> obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1871
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone. IN A
;; ANSWER SECTION:
obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone. 22 IN A 192.168.128.82
;; Query time: 105 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Nov 09 10:38:02 UTC 2023
;; MSG SIZE rcvd: 121
2023-11-15 18:54:32 +00:00
teutat3s
9c1d19d49f
nachtigall: move SSH private key from user to host
2023-11-15 18:54:32 +00:00
teutat3s
7be3567e6d
flora-6: refactor to use flake.parts
2023-11-15 18:54:32 +00:00
Benjamin Bädorf
20fbcbb571
fix: two typos
2023-11-06 21:07:24 +00:00
Benjamin Bädorf
e8ad662631
refactor: change file structure to use modules dir
...
This commit changes the file structure around, so that we have the
following parts:
`/modules` contains reusable logic blocks for hosts.
`/hosts` contains host configurations.
`/lib` contains nix library functions.
`/overlays` contains overlay files.
`/public-keys` contains all information regarding public keys.
This change reduces the complexity of flake.nix, instead delegating this
out to the `default.nix` files in the above directories.
2023-11-06 13:11:30 +01:00