Commit graph

745 commits

Author SHA1 Message Date
b12f 87f9bc92df
modules/forgejo: allow migrations from local networks 2024-11-14 11:10:44 +00:00
teutat3s 3b29b847b0
Merge pull request 'coturn: fix secret path' (#265) from fix-coturn-secret into main
Reviewed-on: pub-solar/infra#265
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-13 20:39:47 +00:00
teutat3s 4923f033f5
coturn: fix secret path
this is fallout that was overlooked in #250
2024-11-13 21:25:12 +01:00
teutat3s 2424a3ec8b
Merge pull request 'keycloak: fix registration with pub.solar theme' (#264) from fix-keycloak-theme-for-registration into main
Reviewed-on: pub-solar/infra#264
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-13 19:48:15 +00:00
teutat3s b41edf0cfb
Merge pull request 'core: add activationScript to show closure diff' (#260) from closure-diffs into main
Reviewed-on: pub-solar/infra#260
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-13 19:47:17 +00:00
teutat3s 0d6da8d678
Merge pull request 'maintenance: updates for element-web, forgejo, matrix-synapse and others' (#259) from flake-updates into main
Reviewed-on: pub-solar/infra#259
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-13 19:47:05 +00:00
teutat3s b87670d07d
keycloak: fix registration with pub.solar theme
This pulls in changes from
* pub-solar/keycloak-theme#3
* pub-solar/keycloak-theme#4
2024-11-13 20:34:38 +01:00
teutat3s 73333537a5
Merge pull request 'alertmanager: alert on high load only after 20m' (#255) from alerts-tweak-load into main
Reviewed-on: pub-solar/infra#255
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-12 14:47:53 +00:00
teutat3s 45d3b939bf
Merge pull request 'matrix-appservice-irc: reduce logging level to warn' (#256) from irc-reduce-logging into main
Reviewed-on: pub-solar/infra#256
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-12 14:47:44 +00:00
teutat3s 904c7ed1e4
Merge pull request 'secrets: remove leftover secret files' (#257) from secrets-cleanup into main
Reviewed-on: pub-solar/infra#257
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-12 14:47:35 +00:00
teutat3s ab85ba751a
alertmanager: enable e2e_dead_man_switch 2024-11-12 13:41:42 +01:00
teutat3s a9c5edfeb3
alertmanager: don't alert on high memory page faults
This alert is non actionable, we still monitor high memory usage.
2024-11-12 13:40:46 +01:00
teutat3s 7067d93ee2
flake.lock: Update
Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/09a776702b004fdf9c41a024e1299d575ee18a7d' (2024-10-23)
  → 'github:nix-community/disko/486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc' (2024-11-10)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/3d04084d54bedc3d6b8b736c70ef449225c361b1' (2024-10-01)
  → 'github:hercules-ci/flake-parts/506278e768c2a08bec68eb62932193e341f55c90' (2024-11-01)
• Updated input 'flake-parts/nixpkgs-lib':
    'fb192fec7c.tar.gz?narHash=sha256-0xHYkMkeLVQAMa7gvkddbPqpxph%2BhDzdu1XdGPJR%2BOs%3D' (2024-10-01)
  → 'cc2f280002.tar.gz?narHash=sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s%3D' (2024-11-01)
• Updated input 'nix-darwin':
    'github:lnl7/nix-darwin/04193f188e4144d7047f83ad1de81d6034d175cd' (2024-10-24)
  → 'github:lnl7/nix-darwin/5c74ab862c8070cbf6400128a1b56abb213656da' (2024-11-09)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/89172919243df199fe237ba0f776c3e3e3d72367' (2024-10-20)
  → 'github:nixos/nixpkgs/9256f7c71a195ebe7a218043d9f93390d49e6884' (2024-11-10)
• Updated input 'unstable':
    'github:nixos/nixpkgs/2768c7d042a37de65bb1b5b3268fc987e534c49d' (2024-10-23)
  → 'github:nixos/nixpkgs/76612b17c0ce71689921ca12d9ffdc9c23ce40b2' (2024-11-09)
2024-11-11 20:05:12 +01:00
teutat3s e48fe612e2
core: add activationScript to show closure diff
This is useful when updating a host, by doing a dry-run with deploy-rs
we get a list of changed package versions.
2024-11-11 18:02:47 +01:00
teutat3s 34ce43a5e0
secrets: remove leftover secret files
After cleanup:
❯ find ./secrets -type f -name "*.age" | wc -l
64

❯ rg publicKeys secrets/secrets.nix  | wc -l
64
2024-11-07 12:22:27 +01:00
teutat3s 43b0c8d489
matrix-appservice-irc: reduce logging level to warn 2024-11-06 21:29:27 +01:00
teutat3s afe52ca6af
alertmanager: alert on high load only after 20m 2024-11-06 21:28:28 +01:00
teutat3s da529b023e
Merge pull request 'ci: use treefmt2 with flag --ci' (#248) from ci-treefmt into main
Reviewed-on: pub-solar/infra#248
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-06 14:40:03 +00:00
teutat3s cf39137340
Merge pull request 'docs: more garage CLI usage, avoid leaking secret' (#246) from docs-garage into main
Reviewed-on: pub-solar/infra#246
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-06 14:39:53 +00:00
teutat3s 18683d383f
Merge pull request 'docs: add examples for cachix usage' (#230) from docs-cachix into main
Reviewed-on: pub-solar/infra#230
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-06 14:39:44 +00:00
teutat3s d8a793190d
Merge pull request 'matrix-authentication-service: init, test, migrate synapse' (#250) from mas-init into main
Reviewed-on: pub-solar/infra#250
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-10-30 20:02:53 +00:00
teutat3s 3ec5c9f343
style: fix formatting 2024-10-30 20:32:47 +01:00
teutat3s 7ba5a7bdd6
matrix: disable sliding-sync proxy, it's built into
synapse now, update synapse config to use matrix-authentication-service
2024-10-30 20:31:29 +01:00
b12f 041d311bb2
modules/matrix: rename used config options 2024-10-30 18:37:47 +01:00
teutat3s 9d9bcf9a15
mas: move to module, add secrets for prod 2024-10-30 18:37:46 +01:00
b12f 4434a90136
modules/matrix: rename secrets to not include hostnames 2024-10-30 18:37:46 +01:00
teutat3s 472f9aa68b
dns: list.pub.solar should be A / AAAA records 2024-10-30 18:37:46 +01:00
teutat3s c9c2d06a98
dns: add CNAME record for mas.pub.solar 2024-10-30 18:37:46 +01:00
teutat3s 8244e605b6
fix: passkey support in pub.solar keycloak theme 2024-10-30 18:37:46 +01:00
teutat3s 9d7d251369
style: fix formatting 2024-10-30 18:37:46 +01:00
teutat3s 7775ad332e
matrix: do not change paths for nachtigall secrets 2024-10-30 18:37:46 +01:00
teutat3s d6cc9c8164
matrix-authentication-service: init host underground
to test mas, related to #242
2024-10-30 18:37:45 +01:00
teutat3s 4c51eda8b6
Merge pull request 'modules/tt-rss: pin on revision' (#253) from update-tt-rss into main
Reviewed-on: pub-solar/infra#253
Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>
2024-10-30 17:37:10 +00:00
b12f 471d7650ff
modules/tt-rss: pin on revision 2024-10-30 18:35:18 +01:00
teutat3s 9cc50ed678
Merge pull request 'maintenance: updates for mastodon, matrix-synapse' (#249) from flake-updates-2024-10-24 into main
Reviewed-on: pub-solar/infra#249
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-10-24 16:16:06 +00:00
teutat3s 4309cc9cdd
ci: use treefmt2 with flag --ci
Update treefmt to version 2.

This adds the following flags for CI usage:
"--no-cache, --fail-on-change and adjusting some other settings best suited to a CI".
See: https://treefmt.com/usage
2024-10-24 15:43:00 +02:00
teutat3s 08f5c5ce67
docs: more garage CLI usage, avoid leaking secret 2024-10-24 15:10:44 +02:00
teutat3s 870e81ee4c
flake.lock: Update
Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/d7d57edb72e54891fa67a6f058a46b2bb405663b' (2024-10-16)
  → 'github:nix-community/disko/09a776702b004fdf9c41a024e1299d575ee18a7d' (2024-10-23)
• Updated input 'nix-darwin':
    'github:lnl7/nix-darwin/a60ac02f9466f85f092e576fd8364dfc4406b5a6' (2024-10-14)
  → 'github:lnl7/nix-darwin/04193f188e4144d7047f83ad1de81d6034d175cd' (2024-10-24)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/dc2e0028d274394f73653c7c90cc63edbb696be1' (2024-10-16)
  → 'github:nixos/nixpkgs/89172919243df199fe237ba0f776c3e3e3d72367' (2024-10-20)
• Updated input 'unstable':
    'github:nixos/nixpkgs/a3c0b3b21515f74fd2665903d4ce6bc4dc81c77c' (2024-10-14)
  → 'github:nixos/nixpkgs/2768c7d042a37de65bb1b5b3268fc987e534c49d' (2024-10-23)
2024-10-24 14:53:39 +02:00
teutat3s cef7a561f3
Merge pull request 'garage: fix wildcard DNS cert renewal with wildcard CNAME records' (#245) from fix-dns-cert-renewal into main
Reviewed-on: pub-solar/infra#245
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-10-24 12:51:41 +00:00
teutat3s 281701b7b6
Merge pull request 'docs: fix IP for keycloak admin API' (#247) from update-docs into main
Reviewed-on: pub-solar/infra#247
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-10-24 12:51:31 +00:00
teutat3s 90bbaad7b7
Merge pull request 'trinkgenossin: fix network in initrd' (#244) from trinkgenossin-remote-luks into main
Reviewed-on: pub-solar/infra#244
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-10-24 12:51:18 +00:00
teutat3s 6a15c09509
docs: add hint how to get CACHIX_AUTH_TOKEN 2024-10-23 20:59:07 +02:00
teutat3s 94d7db1331
docs: add examples for cachix usage 2024-10-23 20:59:06 +02:00
teutat3s 633f0a4402
docs: fix IP for keycloak admin API 2024-10-23 20:28:55 +02:00
teutat3s 9758aeda5d
garage: fix wildcard DNS cert renewal with wildcard
CNAME records

By usind wildcard CNAME records, we make lego think it needs to validate
challenges using these CNAME records. We actually want regular
_acme-challenge.* records, so use a environment variable to avoid CNAME
detection. This fixes DNS cert renewal. Still curious? See:
https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme/
2024-10-23 20:18:57 +02:00
teutat3s 2c29d27ce7
style: remove redundant brackets 2024-10-23 20:18:03 +02:00
teutat3s 31a885926b
trinkgenossin: fix network in initrd, virtio_net
kernel module was missing. Also this is a QEMU host, hyperV is not
required.
2024-10-23 20:17:32 +02:00
teutat3s 0ae6bc637b
Merge pull request 'mastodon: host media files on pub.solar garage cluster' (#239) from mastodon-media-on-garage into main
Reviewed-on: pub-solar/infra#239
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-10-23 15:24:28 +00:00
teutat3s 5300f381b0
nginx: use safer request_uri variable
Fix >> Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
2024-10-17 21:15:57 +02:00
teutat3s 8a18ee452b
garage: fix s3_api root_domain 2024-10-17 21:15:57 +02:00