Commit graph

277 commits

Author SHA1 Message Date
teutat3s fa9ce9d435
gitea-actions-runner: don't run as systemd DynamicUser
to enable usage of cache outside of /var/lib/private
2024-04-23 15:42:33 +02:00
teutat3s 9541e5029e
flora-6: move forgejo-runner cache directory to /data 2024-04-23 15:12:11 +02:00
teutat3s c86e22b292
ci: update forgejo-runner to version 3.4.1
https://github.com/NixOS/nixpkgs/pull/301383
2024-04-23 00:38:53 +02:00
Hendrik Sokolowski a9411d05a8
set pruneOpts for restic backups to daily 7, weekly 4, monthly 3 2024-04-22 20:06:49 +02:00
teutat3s c07d24f6a7
flora-6: add wg-ssh to ignored interfaces
for systemd-wait-online to start successfully
2024-04-14 23:22:53 +02:00
teutat3s c768203bed
nginx: set worker_processes to number of CPU cores
and set worker_connections to 1024

https://nginx.org/en/docs/ngx_core_module.html#worker_processes
https://nginx.org/en/docs/ngx_core_module.html#worker_connections
2024-04-14 17:39:56 +02:00
teutat3s b6a54efd9a
fix: add comment with hostnames to wireguard peers 2024-04-12 22:36:17 +02:00
Benjamin Yule Bädorf 7e145040cc
wireguard: use IP addresses for wireguard endpoints
Otherwise the hostnames written to the /etc/hosts file are already
pointing at the wireguard IP-addresses, so they can never connect.
2024-04-12 22:31:28 +02:00
teutat3s 8743ea7b0c
networking: add wireguard hosts to /etc/hosts
Also re-enable DNSSEC, it's reported fixed in systemd-resolved
2024-04-12 19:54:09 +00:00
Benjamin Yule Bädorf 316ba9ef53
forgejo: also reroute ssh traffic for ipv6 2024-04-12 19:38:15 +00:00
teutat3s afca75441c
Merge pull request 'forgejo: enable repo search (indexer), save login cookie for 365 days' (#142) from feat/forgejo-enable-search into main
Reviewed-on: pub-solar/infra#142
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-06 16:07:42 +00:00
teutat3s 9698c47530
Merge pull request 'mastodon: clean media older than 7 days' (#143) from mastodon/auto-clean-7-days into main
Reviewed-on: pub-solar/infra#143
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-06 16:07:34 +00:00
teutat3s 41e4d3427c
mastodon: clean media older than 7 days
Currently we keep everything for 30 days, which is about 180GB
2024-04-05 23:50:04 +02:00
teutat3s c5159dd66d
forgejo: enable repo search (indexer), save login
cookie for 365 days instead of default 7 days.
Caveat for the repo indexer is that repository size on disk will grow
by factor of 6. Forgejo repositories currently use 4.7GB on disk, with
3.3GB being a nixpkgs fork.
2024-04-05 23:29:49 +02:00
Benjamin Yule Bädorf 16c6aa3b61
forgejo: make SSH keys declarative 2024-04-05 19:35:55 +00:00
teutat3s 315cbf5813
Merge pull request 'fix(nextcloud): define a maintenance window' (#135) from chore/nextcloud-config-maintenance-window into main
Reviewed-on: pub-solar/infra#135
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-05 18:41:17 +00:00
Hendrik Sokolowski b6b8d69852
nachtigall: forgejo: update firewall settings 2024-04-05 18:39:43 +02:00
Benjamin Yule Bädorf e618b9f9c2
forgejo: use iptables routing instead of ssh patch 2024-04-05 17:00:28 +02:00
Benjamin Yule Bädorf d7c9333ff4
forgejo: allow multiple host addresses for SSH 2024-04-05 14:26:56 +00:00
teutat3s 18a62b8d35
fix(nextcloud): define a maintenance window for
resource intensive background jobs. Docs:
https://docs.nextcloud.com/server/28/admin_manual/configuration_server/background_jobs_configuration.html

> A value of 1 e.g. will only run these background jobs between 01:00am
UTC and 05:00am UTC
2024-04-05 16:23:16 +02:00
Benjamin Yule Bädorf f7eaef0d18
wireguard: fix flora-6 address and private key
Reviewed-on: pub-solar/infra#129
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
Co-authored-by: Benjamin Yule Bädorf <git@benjaminbaedorf.eu>
Co-committed-by: Benjamin Yule Bädorf <git@benjaminbaedorf.eu>
2024-04-05 11:26:38 +00:00
Benjamin Yule Bädorf 621e9336ed
wireguard: add basic keys 2024-04-05 11:09:31 +00:00
Benjamin Yule Bädorf eacf60974c
wireguard: initial commit 2024-04-05 11:09:31 +00:00
Benjamin Yule Bädorf 9433a8aea7
mediawiki: update to v1.41.1 2024-03-30 00:10:09 +01:00
b12f 6aea728583
Merge branch 'main' into feat/security-txt 2024-03-25 15:38:30 +00:00
Benjamin Yule Bädorf b9cffad02a
matrix: set forgotten_room_retention_period to 7d
This commit sets the value for the synapse config option
`forgotten_room_retention_period` to 7 days. This was previously unset,
meaning rooms that had no more local users were never purged from the database.

The new value makes sure that 7 days after the last local user left a
room, it will be permanently deleted from the database.

https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html?highlight=forgotten_room_retention_period#forgotten_room_retention_period
2024-03-24 18:24:30 +01:00
Benjamin Yule Bädorf 2bb2247716
website: add security.txt
Ref: pub-solar/legal#11
2024-03-23 11:07:04 +01:00
teutat3s 45e91d7ef1
fix: drone port should bind to localhost 2024-03-21 10:44:40 +01:00
teutat3s c49ffb2d5b
fix: nginx duplicate default server
nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /etc/nginx/nginx.conf:665
2024-02-25 23:02:00 +01:00
Benjamin Yule Bädorf de04556191
nginx/miom: disable logging 2024-02-25 21:41:06 +00:00
Benjamin Yule Bädorf 0e89b7f210
nginx/miom: init miom.space website
This adds an nginx configuration for https://miom.space/. MiOM is a
creative collective in Cologne that frequently hosts our hakken.irl
hackathons. They're already using our cloud to organize.

This service is a bit more specific than most pub.solar services and falls
into a similar category as the obs-portal.

On the old miom website all logging was turned off, we might want to do
the same thing in nginx here as well then.
2024-02-25 21:41:06 +00:00
Benjamin Yule Bädorf 24b77b6de5
nginx/pub.solar: disable logging for homepage 2024-02-25 18:51:24 +01:00
teutat3s 842ec945f4
forgejo: appName option has been renamed
trace: warning: The option `services.forgejo.appName' defined in
`/nix/store/z68x68rbw9sg4d7mcjrjd6aq598rmrwf-source/hosts/nachtigall/apps/forgejo.nix'
has been renamed to `services.forgejo.settings.DEFAULT.APP_NAME'.
2024-02-07 19:02:04 +01:00
teutat3s d67190d175
feat: init tmate-ssh-server
https://tmate.io
2024-02-07 19:01:36 +01:00
teutat3s f43ba01ee6
feat: use forgejo NixOS module with gitea user
https://nixos.org/manual/nixos/stable/#module-forgejo-migration-gitea
2024-02-06 12:19:45 +01:00
teutat3s 4ce188edec
metrics(matrix-synapse): enable internal MAU metrics
https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#mau_stats_only
2024-02-01 15:51:55 +01:00
teutat3s 62c248348a
Merge pull request 'feat(grafana): add synapse dashboard' (#106) from feat/grafana-synapse-dashboard into main
Reviewed-on: pub-solar/infra#106
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-02-01 10:31:43 +00:00
teutat3s 031bab4a4e
fix(nextcloud): interned_strings_buffer should be
powers of 2
2024-02-01 11:21:10 +01:00
teutat3s 33d80dc558
feat(grafana): add synapse dashboard
Source:
https://github.com/element-hq/synapse/blob/master/contrib/grafana/synapse.json
2024-01-30 20:00:41 +01:00
teutat3s 576ceb6875
fix(matrix-synapse): mail hostname, missing tls
setting on metrics listener
2024-01-30 19:42:48 +01:00
teutat3s 69b976607f
fix(matrix-synapse): make sure to find element in
list of config.services.matrix-synapse.settings.listeners that sets
type = "metrics" instead of just using the first element in the list
2024-01-29 00:44:53 +01:00
teutat3s 62429bca08
fix(matrix-synapse): make sure to find element in
list of config.services.matrix-synapse.settings.listeners.*.resources
that sets names = "client" instead of just using the first element in the list of listeners
2024-01-29 00:44:53 +01:00
teutat3s 3cfdd9d20a
refactor(matrix-synapse): get first listener port 2024-01-29 00:44:52 +01:00
teutat3s 2f75ae7e62
feat(matrix-synapse): enable metrics
Following:
https://github.com/matrix-org/synapse/blob/develop/docs/metrics-howto.md
2024-01-29 00:44:13 +01:00
teutat3s 815033c764
treewide: apply nixpkgs-fmt
Used command:
nixpkgs-fmt .
2024-01-27 20:29:30 +01:00
teutat3s b3b3725c9f
feat: php opcache tuning for nextcloud
https://docs.nextcloud.com/server/latest/admin_manual/installation/server_tuning.html#:~:text=opcache.jit%20%3D%201255%20opcache.jit_buffer_size%20%3D%20128m
2024-01-25 20:19:32 +01:00
teutat3s be668fbb17
fix: nextcloud likes interned strings buffer > 8
7cf6f51516 made a wrong assumption
2024-01-23 22:18:58 +01:00
teutat3s ffdf55993f
fix(nginx): [warn] could not build optimal proxy_headers_hash
nginx: [warn] could not build optimal proxy_headers_hash, you should
increase either proxy_headers_hash_max_size: 2048 or
proxy_headers_hash_bucket_size: 64; ignoring
proxy_headers_hash_bucket_size
2024-01-17 15:16:06 +01:00
teutat3s 94ae6c9302
fix(mastodon): use working unix sockets for streaming api
The streaming API is currently unusable because we still pass traffic
to the old unix socket path.
Since c82195d9e8 (diff-157b1ef68573bbec951d6e551513a555e2d1ca7a161a68f1978b11d39a0bef1eR789-R803)
there are multiple unix sockets involved.
2024-01-17 10:32:03 +01:00
teutat3s 5590b5b1b3
fix: remove QuickInstantCommons extension
Docker image updated in 529554b4d1

Seems currently broken:
https://wiki.pub.solar/index.php/Special:RecentChanges with the
extension enabled throws:

Internal error LogicException: Backend with name 'wikimediacommons-backend' already registered.
2024-01-08 21:53:14 +01:00
teutat3s 8d06c61d2f
fix: remove duplicate wgLogo setting 2024-01-08 17:56:48 +01:00
teutat3s 1d018ade9b
feat: enable InstantCommons
https://www.mediawiki.org/wiki/InstantCommons
https://commons.wikimedia.org/wiki/Commons:Reusing_content_outside_Wikimedia/technical#InstantCommons
2024-01-08 17:56:33 +01:00
teutat3s 05f7dbe262
feat: enable wgUseInstantCommons
https://commons.wikimedia.org/wiki/Commons:Reusing_content_outside_Wikimedia/technical#InstantCommons
2024-01-08 17:42:57 +01:00
teutat3s a7f98c2d45
fix: ensure mediawiki logo survives updates 2024-01-08 14:35:43 +01:00
teutat3s a59e9cb6ea
feat: update mediawiki to 1.41.0, enable extension
TemplateStyles

https://gerrit.wikimedia.org/g/mediawiki/core/%2B/REL1_41/RELEASE-NOTES-1.41
2024-01-08 14:14:34 +01:00
teutat3s f2217a1409
feat: shutdown freenode IRC bridge, use shorter
IRC aliases, use nixos matrix-synapse service config for homeserver port
2024-01-07 20:15:16 +01:00
Hendrik Sokolowski 0fe02a9f73
fix uploads path eventually (#92)
yeah yeah

Reviewed-on: pub-solar/infra#92
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
Co-authored-by: Hendrik Sokolowski <hensoko@gssws.de>
Co-committed-by: Hendrik Sokolowski <hensoko@gssws.de>
2024-01-07 16:18:43 +00:00
Hendrik Sokolowski b37ad608a4
update mediawiki config (#91)
* disable logging to /dev/stderr
* fix upload path

Reviewed-on: pub-solar/infra#91
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
Co-authored-by: Hendrik Sokolowski <hensoko@gssws.de>
Co-committed-by: Hendrik Sokolowski <hensoko@gssws.de>
2024-01-07 15:44:21 +00:00
teutat3s 7e8f3c8cf5
fix: update forgejo-actions-runner token, use
docker image from https://git.pub.solar/pub-solar/actions-base-image
2023-12-29 19:26:43 +01:00
teutat3s afca5c3735
chore: bump Nextcloud to version 28 2023-12-28 17:38:41 +01:00
teutat3s a310b414f7
fix: update well-known for sliding-sync 2023-12-16 14:57:36 +01:00
teutat3s 768d4c78bc
fix: use nginx locations recommended by upstream
https://github.com/matrix-org/sliding-sync#same-hostname
2023-12-16 14:48:08 +01:00
teutat3s 14fa3fdec2
feat(matrix): enable sliding-sync
Sliding Sync is an implementation of MSC3575 and a prerequisite for
running the new (still beta) Element X clients (Element X iOS and
Element X Android).

https://github.com/matrix-org/sliding-sync
https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md
2023-12-16 13:53:34 +01:00
teutat3s d734adce58
fix: new Greenbaum mail server is mail.greenbaum.zone 2023-12-13 20:45:35 +01:00
teutat3s e3d4f61a42
feat(nachtigall): send logs to loki, https+basic auth
Use caddy as reverse proxy for loki on flora-6, add basic auth

Add promtail to nachtigall, push logs to flora-6
2023-12-13 19:18:56 +01:00
teutat3s 10bb3295de
fix: grafana editor role is unused for now 2023-12-13 17:52:01 +01:00
teutat3s e8cf4dceb0
fix(flora-6): allow traffic from br-+ interfaces 2023-12-13 17:51:34 +01:00
teutat3s 1b9a6bb0c2
fix: don't ignore interfaces that can change 2023-12-13 02:12:12 +01:00
teutat3s 219b67df20
fix: add 4 logs retention for loki 2023-12-13 02:12:12 +01:00
teutat3s 6c1fa290e8
feat(prometheus): add job to scrape nachtigall.pub.solar 2023-12-13 02:12:12 +01:00
teutat3s d5b59ea18a
feat(prometheus): add node-exporter to nachtigall,
protect endpoint https://nachtigall.pub.solar/metrics
with TLS and basic auth
2023-12-13 02:12:11 +01:00
teutat3s fdda65eea9
feat: init loki 2023-12-13 02:12:11 +01:00
teutat3s 0e290f080e
feat(grafana): provision node-exporter dashboard 2023-12-13 02:12:11 +01:00
teutat3s 6b15d72d85
fix: systemd-networkd-wait-online timing out 2023-12-13 02:12:11 +01:00
teutat3s 2f7eccc970
fix: grafana root_url needs https://, role mapping 2023-12-13 02:12:11 +01:00
teutat3s 8dc908aabd
feat(flora-6): init grafana + prometheus on
grafana.pub.solar
2023-12-13 02:12:10 +01:00
teutat3s 6bfeb835c2
fix: type INI atom (null, bool, int, float or string)
option `services.gitea.settings.webhook.ALLOWED_HOST_LIST' is not of
type `INI atom (null, bool, int, float or string)'
2023-12-08 17:37:28 +01:00
Benjamin Bädorf 97a592a53e
forgejo: allow webhooks to all pub.solar subdomains
This should fix the following error that was occuring while trying to post
notices to matrix channels:

```
Delivery: Put "https://matrix.pub.solar/_matrix/client/r0/rooms/[...]": dial tcp [::1]:443: webhook can only call allowed HTTP servers (check your webhook.ALLOWED_HOST_LIST setting), deny 'matrix.pub.solar([::1]:443)'
```
2023-12-08 17:12:02 +01:00
teutat3s a3ce107c73
Merge pull request 'feat: backup matrix-synapse, matrix-appservice-irc, mautrix-telegram to storagebox' (#76) from feat/matrix-backups into main
Reviewed-on: pub-solar/infra#76
Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>
2023-12-08 15:36:10 +00:00
teutat3s caaab0e14d
fix: new Greenbaum mail server is mail.greenbaum.zone 2023-12-05 20:57:26 +01:00
teutat3s 3ac327a750
feat: backup matrix-synapse, matrix-appservice-irc,
mautrix-telegram to storagebox
2023-12-03 13:11:25 +01:00
Akshay Mankar 75270321d5
fix: Allow matrix-appservice-irc to chown things
@chown is part of @privileged. It is used by sed which is used to manage the
registration.yaml
2023-12-02 17:22:28 +01:00
teutat3s becaa9d649
fix: revert mautrix-telegram changes 2023-12-02 16:09:15 +01:00
teutat3s 37528c0874
fix: mautrix-telegram ExecStart missing \ 2023-12-02 15:44:40 +01:00
teutat3s 1cfe140e77
fix: mkForce mautrix-telegram ExecStart 2023-12-02 15:43:52 +01:00
teutat3s f911ac7bad
fix(matrix-synapse): needs to defince oidc extras
after NixOS module updates
https://nixos.org/manual/nixos/stable/release-notes#sec-release-23.11-highlights
2023-12-02 15:35:02 +01:00
teutat3s 904a73b51d
fix(mautrix-telegram): should not try to update config
See: https://github.com/mautrix/python/pull/152
2023-12-02 15:33:58 +01:00
teutat3s 35a4ac5619
Merge pull request 'feat: NixOS 23.11 Tapir' (#74) from feat/nixos-23.11 into main
Reviewed-on: pub-solar/infra#74
Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>
2023-12-02 12:53:18 +00:00
teutat3s 7cf6f51516
fix: nextcloud interned strings buffer defaults to 23 now 2023-12-02 11:58:48 +01:00
teutat3s 2ee4bc5682
feat: NixOS 23.11 Tapir
https://nixos.org/manual/nixos/stable/release-notes#sec-release-23.11-highlights

Track nixos-23.11 branch, remove unstable overlays

This will update our services to the following versions:
nextcloud: 27.1.3 -> 27.1.4
forgejo: 1.20.5-0 -> 1.20.6-0
keycloak: 21.1.2 -> 22.0.5
matrix-synapse: 1.95.1 -> 1.97.0

Internal:
postgresql: 14.9 -> 15.5

Flake inputs diff:
• Updated input 'home-manager':
    'github:nix-community/home-manager/28535c3a34d79071f2ccb68671971ce0c0984d7e' (2023-11-19)
  → 'github:nix-community/home-manager/aeb2232d7a32530d3448318790534d196bf9427a' (2023-11-24)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/d2332963662edffacfddfad59ff4f709dde80ffe' (2023-11-30)
  → 'github:nixos/nixpkgs/5de0b32be6e85dc1a9404c75131316e4ffbc634c' (2023-12-01)
2023-12-02 11:13:56 +01:00
Benjamin Bädorf 1d3934693b
nextcloud: add skeleton directory that adds a good readme for new users
Co-authored-by: teutat3s <teutates@mailbox.org>
2023-12-02 11:11:16 +01:00
Akshay Mankar 2cbc46c154
matrix: Move the whole email section into the secret
Matrix doesn't deep merge the secrets, so this is necessary
2023-11-25 23:37:58 +01:00
teutat3s 9f633582d1
feat: add well-known for matrix support contacts 2023-11-25 14:28:23 +01:00
Akshay Mankar 8a2d946206
matrix: Use production domains 2023-11-19 18:17:58 +01:00
Akshay Mankar 35afcd9682
matrix: Make public rooms discoverable over federation 2023-11-19 18:12:08 +01:00
Akshay Mankar fe284a20d9
matrix: Fix typo 2023-11-19 18:12:08 +01:00
Akshay Mankar f0c3178b4d
matrix: Use greenbaum cloud for sending emails 2023-11-19 18:12:07 +01:00
Akshay Mankar 7fcefe4b85
matrix: Use chat.pub.solar as invite_client_location 2023-11-19 18:12:07 +01:00
Akshay Mankar 8a2f83c96a
nachtigall: Deploy coturn and configure matrix to use it 2023-11-19 18:08:15 +01:00
Akshay Mankar a2e7adbc79
element: Add themes 2023-11-19 16:03:24 +01:00