teutat3s
fa9ce9d435
gitea-actions-runner: don't run as systemd DynamicUser
...
to enable usage of cache outside of /var/lib/private
2024-04-23 15:42:33 +02:00
teutat3s
9541e5029e
flora-6: move forgejo-runner cache directory to /data
2024-04-23 15:12:11 +02:00
teutat3s
c86e22b292
ci: update forgejo-runner to version 3.4.1
...
https://github.com/NixOS/nixpkgs/pull/301383
2024-04-23 00:38:53 +02:00
Hendrik Sokolowski
a9411d05a8
set pruneOpts for restic backups to daily 7, weekly 4, monthly 3
2024-04-22 20:06:49 +02:00
teutat3s
c07d24f6a7
flora-6: add wg-ssh to ignored interfaces
...
for systemd-wait-online to start successfully
2024-04-14 23:22:53 +02:00
teutat3s
c768203bed
nginx: set worker_processes to number of CPU cores
...
and set worker_connections to 1024
https://nginx.org/en/docs/ngx_core_module.html#worker_processes
https://nginx.org/en/docs/ngx_core_module.html#worker_connections
2024-04-14 17:39:56 +02:00
teutat3s
b6a54efd9a
fix: add comment with hostnames to wireguard peers
2024-04-12 22:36:17 +02:00
Benjamin Yule Bädorf
7e145040cc
wireguard: use IP addresses for wireguard endpoints
...
Otherwise the hostnames written to the /etc/hosts file are already
pointing at the wireguard IP-addresses, so they can never connect.
2024-04-12 22:31:28 +02:00
teutat3s
8743ea7b0c
networking: add wireguard hosts to /etc/hosts
...
Also re-enable DNSSEC, it's reported fixed in systemd-resolved
2024-04-12 19:54:09 +00:00
Benjamin Yule Bädorf
316ba9ef53
forgejo: also reroute ssh traffic for ipv6
2024-04-12 19:38:15 +00:00
teutat3s
afca75441c
Merge pull request 'forgejo: enable repo search (indexer), save login cookie for 365 days' ( #142 ) from feat/forgejo-enable-search into main
...
Reviewed-on: pub-solar/infra#142
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-06 16:07:42 +00:00
teutat3s
9698c47530
Merge pull request 'mastodon: clean media older than 7 days' ( #143 ) from mastodon/auto-clean-7-days into main
...
Reviewed-on: pub-solar/infra#143
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-06 16:07:34 +00:00
teutat3s
41e4d3427c
mastodon: clean media older than 7 days
...
Currently we keep everything for 30 days, which is about 180GB
2024-04-05 23:50:04 +02:00
teutat3s
c5159dd66d
forgejo: enable repo search (indexer), save login
...
cookie for 365 days instead of default 7 days.
Caveat for the repo indexer is that repository size on disk will grow
by factor of 6. Forgejo repositories currently use 4.7GB on disk, with
3.3GB being a nixpkgs fork.
2024-04-05 23:29:49 +02:00
Benjamin Yule Bädorf
16c6aa3b61
forgejo: make SSH keys declarative
2024-04-05 19:35:55 +00:00
teutat3s
315cbf5813
Merge pull request 'fix(nextcloud): define a maintenance window' ( #135 ) from chore/nextcloud-config-maintenance-window into main
...
Reviewed-on: pub-solar/infra#135
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-05 18:41:17 +00:00
Hendrik Sokolowski
b6b8d69852
nachtigall: forgejo: update firewall settings
2024-04-05 18:39:43 +02:00
Benjamin Yule Bädorf
e618b9f9c2
forgejo: use iptables routing instead of ssh patch
2024-04-05 17:00:28 +02:00
Benjamin Yule Bädorf
d7c9333ff4
forgejo: allow multiple host addresses for SSH
2024-04-05 14:26:56 +00:00
teutat3s
18a62b8d35
fix(nextcloud): define a maintenance window for
...
resource intensive background jobs. Docs:
https://docs.nextcloud.com/server/28/admin_manual/configuration_server/background_jobs_configuration.html
> A value of 1 e.g. will only run these background jobs between 01:00am
UTC and 05:00am UTC
2024-04-05 16:23:16 +02:00
Benjamin Yule Bädorf
f7eaef0d18
wireguard: fix flora-6 address and private key
...
Reviewed-on: pub-solar/infra#129
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
Co-authored-by: Benjamin Yule Bädorf <git@benjaminbaedorf.eu>
Co-committed-by: Benjamin Yule Bädorf <git@benjaminbaedorf.eu>
2024-04-05 11:26:38 +00:00
Benjamin Yule Bädorf
621e9336ed
wireguard: add basic keys
2024-04-05 11:09:31 +00:00
Benjamin Yule Bädorf
eacf60974c
wireguard: initial commit
2024-04-05 11:09:31 +00:00
Benjamin Yule Bädorf
9433a8aea7
mediawiki: update to v1.41.1
2024-03-30 00:10:09 +01:00
b12f
6aea728583
Merge branch 'main' into feat/security-txt
2024-03-25 15:38:30 +00:00
Benjamin Yule Bädorf
b9cffad02a
matrix: set forgotten_room_retention_period to 7d
...
This commit sets the value for the synapse config option
`forgotten_room_retention_period` to 7 days. This was previously unset,
meaning rooms that had no more local users were never purged from the database.
The new value makes sure that 7 days after the last local user left a
room, it will be permanently deleted from the database.
https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html?highlight=forgotten_room_retention_period#forgotten_room_retention_period
2024-03-24 18:24:30 +01:00
Benjamin Yule Bädorf
2bb2247716
website: add security.txt
...
Ref: pub-solar/legal#11
2024-03-23 11:07:04 +01:00
teutat3s
45e91d7ef1
fix: drone port should bind to localhost
2024-03-21 10:44:40 +01:00
teutat3s
c49ffb2d5b
fix: nginx duplicate default server
...
nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /etc/nginx/nginx.conf:665
2024-02-25 23:02:00 +01:00
Benjamin Yule Bädorf
de04556191
nginx/miom: disable logging
2024-02-25 21:41:06 +00:00
Benjamin Yule Bädorf
0e89b7f210
nginx/miom: init miom.space website
...
This adds an nginx configuration for https://miom.space/ . MiOM is a
creative collective in Cologne that frequently hosts our hakken.irl
hackathons. They're already using our cloud to organize.
This service is a bit more specific than most pub.solar services and falls
into a similar category as the obs-portal.
On the old miom website all logging was turned off, we might want to do
the same thing in nginx here as well then.
2024-02-25 21:41:06 +00:00
Benjamin Yule Bädorf
24b77b6de5
nginx/pub.solar: disable logging for homepage
2024-02-25 18:51:24 +01:00
teutat3s
842ec945f4
forgejo: appName option has been renamed
...
trace: warning: The option `services.forgejo.appName' defined in
`/nix/store/z68x68rbw9sg4d7mcjrjd6aq598rmrwf-source/hosts/nachtigall/apps/forgejo.nix'
has been renamed to `services.forgejo.settings.DEFAULT.APP_NAME'.
2024-02-07 19:02:04 +01:00
teutat3s
d67190d175
feat: init tmate-ssh-server
...
https://tmate.io
2024-02-07 19:01:36 +01:00
teutat3s
f43ba01ee6
feat: use forgejo NixOS module with gitea user
...
https://nixos.org/manual/nixos/stable/#module-forgejo-migration-gitea
2024-02-06 12:19:45 +01:00
teutat3s
4ce188edec
metrics(matrix-synapse): enable internal MAU metrics
...
https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#mau_stats_only
2024-02-01 15:51:55 +01:00
teutat3s
62c248348a
Merge pull request 'feat(grafana): add synapse dashboard' ( #106 ) from feat/grafana-synapse-dashboard into main
...
Reviewed-on: pub-solar/infra#106
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-02-01 10:31:43 +00:00
teutat3s
031bab4a4e
fix(nextcloud): interned_strings_buffer should be
...
powers of 2
2024-02-01 11:21:10 +01:00
teutat3s
33d80dc558
feat(grafana): add synapse dashboard
...
Source:
https://github.com/element-hq/synapse/blob/master/contrib/grafana/synapse.json
2024-01-30 20:00:41 +01:00
teutat3s
576ceb6875
fix(matrix-synapse): mail hostname, missing tls
...
setting on metrics listener
2024-01-30 19:42:48 +01:00
teutat3s
69b976607f
fix(matrix-synapse): make sure to find element in
...
list of config.services.matrix-synapse.settings.listeners that sets
type = "metrics" instead of just using the first element in the list
2024-01-29 00:44:53 +01:00
teutat3s
62429bca08
fix(matrix-synapse): make sure to find element in
...
list of config.services.matrix-synapse.settings.listeners.*.resources
that sets names = "client" instead of just using the first element in the list of listeners
2024-01-29 00:44:53 +01:00
teutat3s
3cfdd9d20a
refactor(matrix-synapse): get first listener port
2024-01-29 00:44:52 +01:00
teutat3s
2f75ae7e62
feat(matrix-synapse): enable metrics
...
Following:
https://github.com/matrix-org/synapse/blob/develop/docs/metrics-howto.md
2024-01-29 00:44:13 +01:00
teutat3s
815033c764
treewide: apply nixpkgs-fmt
...
Used command:
nixpkgs-fmt .
2024-01-27 20:29:30 +01:00
teutat3s
b3b3725c9f
feat: php opcache tuning for nextcloud
...
https://docs.nextcloud.com/server/latest/admin_manual/installation/server_tuning.html#:~:text=opcache.jit%20%3D%201255%20opcache.jit_buffer_size%20%3D%20128m
2024-01-25 20:19:32 +01:00
teutat3s
be668fbb17
fix: nextcloud likes interned strings buffer > 8
...
7cf6f51516
made a wrong assumption
2024-01-23 22:18:58 +01:00
teutat3s
ffdf55993f
fix(nginx): [warn] could not build optimal proxy_headers_hash
...
nginx: [warn] could not build optimal proxy_headers_hash, you should
increase either proxy_headers_hash_max_size: 2048 or
proxy_headers_hash_bucket_size: 64; ignoring
proxy_headers_hash_bucket_size
2024-01-17 15:16:06 +01:00
teutat3s
94ae6c9302
fix(mastodon): use working unix sockets for streaming api
...
The streaming API is currently unusable because we still pass traffic
to the old unix socket path.
Since c82195d9e8 (diff-157b1ef68573bbec951d6e551513a555e2d1ca7a161a68f1978b11d39a0bef1eR789-R803)
there are multiple unix sockets involved.
2024-01-17 10:32:03 +01:00
teutat3s
5590b5b1b3
fix: remove QuickInstantCommons extension
...
Docker image updated in 529554b4d1
Seems currently broken:
https://wiki.pub.solar/index.php/Special:RecentChanges with the
extension enabled throws:
Internal error LogicException: Backend with name 'wikimediacommons-backend' already registered.
2024-01-08 21:53:14 +01:00
teutat3s
8d06c61d2f
fix: remove duplicate wgLogo setting
2024-01-08 17:56:48 +01:00
teutat3s
1d018ade9b
feat: enable InstantCommons
...
https://www.mediawiki.org/wiki/InstantCommons
https://commons.wikimedia.org/wiki/Commons:Reusing_content_outside_Wikimedia/technical#InstantCommons
2024-01-08 17:56:33 +01:00
teutat3s
05f7dbe262
feat: enable wgUseInstantCommons
...
https://commons.wikimedia.org/wiki/Commons:Reusing_content_outside_Wikimedia/technical#InstantCommons
2024-01-08 17:42:57 +01:00
teutat3s
a7f98c2d45
fix: ensure mediawiki logo survives updates
2024-01-08 14:35:43 +01:00
teutat3s
a59e9cb6ea
feat: update mediawiki to 1.41.0, enable extension
...
TemplateStyles
https://gerrit.wikimedia.org/g/mediawiki/core/%2B/REL1_41/RELEASE-NOTES-1.41
2024-01-08 14:14:34 +01:00
teutat3s
f2217a1409
feat: shutdown freenode IRC bridge, use shorter
...
IRC aliases, use nixos matrix-synapse service config for homeserver port
2024-01-07 20:15:16 +01:00
Hendrik Sokolowski
0fe02a9f73
fix uploads path eventually ( #92 )
...
yeah yeah
Reviewed-on: pub-solar/infra#92
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
Co-authored-by: Hendrik Sokolowski <hensoko@gssws.de>
Co-committed-by: Hendrik Sokolowski <hensoko@gssws.de>
2024-01-07 16:18:43 +00:00
Hendrik Sokolowski
b37ad608a4
update mediawiki config ( #91 )
...
* disable logging to /dev/stderr
* fix upload path
Reviewed-on: pub-solar/infra#91
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
Co-authored-by: Hendrik Sokolowski <hensoko@gssws.de>
Co-committed-by: Hendrik Sokolowski <hensoko@gssws.de>
2024-01-07 15:44:21 +00:00
teutat3s
7e8f3c8cf5
fix: update forgejo-actions-runner token, use
...
docker image from https://git.pub.solar/pub-solar/actions-base-image
2023-12-29 19:26:43 +01:00
teutat3s
afca5c3735
chore: bump Nextcloud to version 28
2023-12-28 17:38:41 +01:00
teutat3s
a310b414f7
fix: update well-known for sliding-sync
2023-12-16 14:57:36 +01:00
teutat3s
768d4c78bc
fix: use nginx locations recommended by upstream
...
https://github.com/matrix-org/sliding-sync#same-hostname
2023-12-16 14:48:08 +01:00
teutat3s
14fa3fdec2
feat(matrix): enable sliding-sync
...
Sliding Sync is an implementation of MSC3575 and a prerequisite for
running the new (still beta) Element X clients (Element X iOS and
Element X Android).
https://github.com/matrix-org/sliding-sync
https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md
2023-12-16 13:53:34 +01:00
teutat3s
d734adce58
fix: new Greenbaum mail server is mail.greenbaum.zone
2023-12-13 20:45:35 +01:00
teutat3s
e3d4f61a42
feat(nachtigall): send logs to loki, https+basic auth
...
Use caddy as reverse proxy for loki on flora-6, add basic auth
Add promtail to nachtigall, push logs to flora-6
2023-12-13 19:18:56 +01:00
teutat3s
10bb3295de
fix: grafana editor role is unused for now
2023-12-13 17:52:01 +01:00
teutat3s
e8cf4dceb0
fix(flora-6): allow traffic from br-+ interfaces
2023-12-13 17:51:34 +01:00
teutat3s
1b9a6bb0c2
fix: don't ignore interfaces that can change
2023-12-13 02:12:12 +01:00
teutat3s
219b67df20
fix: add 4 logs retention for loki
2023-12-13 02:12:12 +01:00
teutat3s
6c1fa290e8
feat(prometheus): add job to scrape nachtigall.pub.solar
2023-12-13 02:12:12 +01:00
teutat3s
d5b59ea18a
feat(prometheus): add node-exporter to nachtigall,
...
protect endpoint https://nachtigall.pub.solar/metrics
with TLS and basic auth
2023-12-13 02:12:11 +01:00
teutat3s
fdda65eea9
feat: init loki
2023-12-13 02:12:11 +01:00
teutat3s
0e290f080e
feat(grafana): provision node-exporter dashboard
2023-12-13 02:12:11 +01:00
teutat3s
6b15d72d85
fix: systemd-networkd-wait-online timing out
2023-12-13 02:12:11 +01:00
teutat3s
2f7eccc970
fix: grafana root_url needs https://, role mapping
2023-12-13 02:12:11 +01:00
teutat3s
8dc908aabd
feat(flora-6): init grafana + prometheus on
...
grafana.pub.solar
2023-12-13 02:12:10 +01:00
teutat3s
6bfeb835c2
fix: type INI atom (null, bool, int, float or string)
...
option `services.gitea.settings.webhook.ALLOWED_HOST_LIST' is not of
type `INI atom (null, bool, int, float or string)'
2023-12-08 17:37:28 +01:00
Benjamin Bädorf
97a592a53e
forgejo: allow webhooks to all pub.solar subdomains
...
This should fix the following error that was occuring while trying to post
notices to matrix channels:
```
Delivery: Put "https://matrix.pub.solar/_matrix/client/r0/rooms/[...] ": dial tcp [::1]:443: webhook can only call allowed HTTP servers (check your webhook.ALLOWED_HOST_LIST setting), deny 'matrix.pub.solar([::1]:443)'
```
2023-12-08 17:12:02 +01:00
teutat3s
a3ce107c73
Merge pull request 'feat: backup matrix-synapse, matrix-appservice-irc, mautrix-telegram to storagebox' ( #76 ) from feat/matrix-backups into main
...
Reviewed-on: pub-solar/infra#76
Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>
2023-12-08 15:36:10 +00:00
teutat3s
caaab0e14d
fix: new Greenbaum mail server is mail.greenbaum.zone
2023-12-05 20:57:26 +01:00
teutat3s
3ac327a750
feat: backup matrix-synapse, matrix-appservice-irc,
...
mautrix-telegram to storagebox
2023-12-03 13:11:25 +01:00
Akshay Mankar
75270321d5
fix: Allow matrix-appservice-irc to chown things
...
@chown is part of @privileged. It is used by sed which is used to manage the
registration.yaml
2023-12-02 17:22:28 +01:00
teutat3s
becaa9d649
fix: revert mautrix-telegram changes
2023-12-02 16:09:15 +01:00
teutat3s
37528c0874
fix: mautrix-telegram ExecStart missing \
2023-12-02 15:44:40 +01:00
teutat3s
1cfe140e77
fix: mkForce mautrix-telegram ExecStart
2023-12-02 15:43:52 +01:00
teutat3s
f911ac7bad
fix(matrix-synapse): needs to defince oidc extras
...
after NixOS module updates
https://nixos.org/manual/nixos/stable/release-notes#sec-release-23.11-highlights
2023-12-02 15:35:02 +01:00
teutat3s
904a73b51d
fix(mautrix-telegram): should not try to update config
...
See: https://github.com/mautrix/python/pull/152
2023-12-02 15:33:58 +01:00
teutat3s
35a4ac5619
Merge pull request 'feat: NixOS 23.11 Tapir' ( #74 ) from feat/nixos-23.11 into main
...
Reviewed-on: pub-solar/infra#74
Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>
2023-12-02 12:53:18 +00:00
teutat3s
7cf6f51516
fix: nextcloud interned strings buffer defaults to 23 now
2023-12-02 11:58:48 +01:00
teutat3s
2ee4bc5682
feat: NixOS 23.11 Tapir
...
https://nixos.org/manual/nixos/stable/release-notes#sec-release-23.11-highlights
Track nixos-23.11 branch, remove unstable overlays
This will update our services to the following versions:
nextcloud: 27.1.3 -> 27.1.4
forgejo: 1.20.5-0 -> 1.20.6-0
keycloak: 21.1.2 -> 22.0.5
matrix-synapse: 1.95.1 -> 1.97.0
Internal:
postgresql: 14.9 -> 15.5
Flake inputs diff:
• Updated input 'home-manager':
'github:nix-community/home-manager/28535c3a34d79071f2ccb68671971ce0c0984d7e' (2023-11-19)
→ 'github:nix-community/home-manager/aeb2232d7a32530d3448318790534d196bf9427a' (2023-11-24)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/d2332963662edffacfddfad59ff4f709dde80ffe' (2023-11-30)
→ 'github:nixos/nixpkgs/5de0b32be6e85dc1a9404c75131316e4ffbc634c' (2023-12-01)
2023-12-02 11:13:56 +01:00
Benjamin Bädorf
1d3934693b
nextcloud: add skeleton directory that adds a good readme for new users
...
Co-authored-by: teutat3s <teutates@mailbox.org>
2023-12-02 11:11:16 +01:00
Akshay Mankar
2cbc46c154
matrix: Move the whole email section into the secret
...
Matrix doesn't deep merge the secrets, so this is necessary
2023-11-25 23:37:58 +01:00
teutat3s
9f633582d1
feat: add well-known for matrix support contacts
2023-11-25 14:28:23 +01:00
Akshay Mankar
8a2d946206
matrix: Use production domains
2023-11-19 18:17:58 +01:00
Akshay Mankar
35afcd9682
matrix: Make public rooms discoverable over federation
2023-11-19 18:12:08 +01:00
Akshay Mankar
fe284a20d9
matrix: Fix typo
2023-11-19 18:12:08 +01:00
Akshay Mankar
f0c3178b4d
matrix: Use greenbaum cloud for sending emails
2023-11-19 18:12:07 +01:00
Akshay Mankar
7fcefe4b85
matrix: Use chat.pub.solar as invite_client_location
2023-11-19 18:12:07 +01:00
Akshay Mankar
8a2f83c96a
nachtigall: Deploy coturn and configure matrix to use it
2023-11-19 18:08:15 +01:00
Akshay Mankar
a2e7adbc79
element: Add themes
2023-11-19 16:03:24 +01:00