Commit graph

263 commits

Author SHA1 Message Date
teutat3s d32abd7a7f
wireguard: add trinkgenossin, delite, blue-shell 2024-08-25 00:13:53 +02:00
teutat3s 15b507904f
garage: init buckets.pub.solar, use nginx as reverse proxy
https://garagehq.deuxfleurs.fr/documentation/cookbook/reverse-proxy/
2024-08-24 21:48:48 +02:00
teutat3s b0790876ec
style: format using nixfmt-rfc-style 2024-08-24 17:39:49 +02:00
teutat3s 83b7e3e11e
hosts: init blue-shell 2024-08-24 03:02:15 +02:00
teutat3s 4ef9781d10
hosts: init delite 2024-08-24 03:01:46 +02:00
teutat3s ca8e578b11
hosts: init trinkgenossin 2024-08-24 03:00:01 +02:00
Benjamin Yule Bädorf 8ce50bb73b
tt-rss: add pub.solar specific configuration 2024-07-17 15:22:58 +02:00
teutat3s 153ef69daf
metronom: enable ZFS auto scrub once per month 2024-06-23 15:16:04 +02:00
teutat3s af5abfc712
nachtigall: enable ZFS auto scrub once per month 2024-06-23 15:14:30 +02:00
teutat3s e127c668f6
metronom, tankstelle: cleanup for SSH only via wireguard 2024-06-08 23:52:08 +02:00
teutat3s 6ea916603c
networking: set networking.domain in core module 2024-06-06 19:30:11 +02:00
teutat3s 4350cbf7c4
tankstelle: add promtail, prometheus node-exporter
for monitoring, configure wireguard between flora-6 and tankstelle
2024-06-06 12:53:49 +02:00
teutat3s b93608a8fa
metronom: add promtail, prometheus node-exporter
configure wireguard to push logs to and scrape metrics from flora-6

open firewall for node-exporter port on wg-ssh interface
2024-06-06 12:52:55 +02:00
teutat3s 008e14f2d2
mail: add missing NixOS module to metronom 2024-06-06 12:49:58 +02:00
teutat3s 0038be3d2c
metronom: use wireguard IP for SSH, lock down SSH
port access to wireguard only
2024-05-31 16:52:04 +02:00
teutat3s 9a9dccf5bb
mail: move NixOS module to modules 2024-05-31 16:52:04 +02:00
teutat3s c5dfb472f8
style: treefmt 2024-05-31 16:52:04 +02:00
teutat3s 1ca1168d7a
mail: switch to mail.pub.solar 2024-05-31 16:52:04 +02:00
teutat3s b6f64a1e04
mail: add more @pub.solar mail accounts 2024-05-31 16:52:03 +02:00
Hendrik Sokolowski af233793fb
initial work on mail 2024-05-31 16:52:01 +02:00
teutat3s 941eff6d87
tankstelle: configure wireguard 2024-05-30 19:17:21 +02:00
teutat3s 5aa1276e85
ci: add nix to PATH 2024-05-30 19:04:40 +02:00
teutat3s cc70a740a1
ci: run actions runner as normal user 2024-05-30 19:04:40 +02:00
teutat3s 866785ef47
style: format using treefmt 2024-05-30 19:04:40 +02:00
teutat3s 692c152406
gitea-actions-runner: fix PATH in systemd 2024-05-30 19:04:40 +02:00
teutat3s e71cbfc461
ci: add self-hosted forgejo-actions-runner
wip: add git.pub.solar to /etc/hosts

ci: add devshell with Node.js for forgejo actions

ci: add PATH

ci: add HOME
2024-05-30 19:04:13 +02:00
Hendrik Sokolowski 946585d1ca
initial commit of tankstelle 2024-05-29 14:08:59 +02:00
teutat3s 0cb89a9fe8
fix: nachtigall wants keycloak 2024-05-15 19:20:06 +02:00
teutat3s 2ca0bd7c3e
style: run treefmt 2024-05-08 22:57:07 +02:00
Benjamin Yule Bädorf 68278ad983
refactor: use options for config parts
This works towards having reusable modules

* `config.pub-solar-os.networking.domain` is used for the main domain
* `config.pub-solar-os.privacyPolicUrl` links towards the privacy policy
* `config.pub-solar-os.imprintUrl` links towards the imprint
* `config.pub-solar-os.auth.enable` enables the keycloak installation.
  This is needed because `config.pub-solar-os.auth` has to be available
  everywhere, but we do not want to install keycloak everywhere.
* `config.pub-solar-os.auth.realm` sets the keycloak realm name
2024-05-08 19:47:47 +02:00
Benjamin Yule Bädorf ef94681e11
refactor: Move all apps into modules 2024-04-28 18:07:28 +02:00
Hendrik Sokolowski 10c86c6b20
nachtigall: obs-portal: remove tiles mount 2024-04-28 01:07:49 +02:00
Hendrik Sokolowski 1d6c5003e8
nachtigall: obs-portal: fix dependencies of docker network unit and portal 2024-04-28 01:05:43 +02:00
Benjamin Yule Bädorf d280b29394
obs-portal: init obs-portal on nachtigall
This follows the official installation instructions at https://github.com/openbikesensor/portal/blob/main/docs/production-deployment.md

Unfortunately, the postgres database needs to have postgis enabled, so
we'll have to start a second instance. To stay close to the official
deployment instructions, this is running in docker.

The secrets were taken from the old installation instance. During
initial installation, we'll need to import data from the old instance
into this one, which might take a while.
2024-04-27 22:45:07 +02:00
teutat3s 2fa3ccf28e
Revert "matrix-appservice-irc: remove unneeded syscall override"
This reverts commit a11255b433.
2024-04-27 01:44:20 +02:00
teutat3s a11255b433
matrix-appservice-irc: remove unneeded syscall override
PR was merged and backported:
https://github.com/NixOS/nixpkgs/pull/271740
2024-04-25 12:37:58 +02:00
teutat3s fa9ce9d435
gitea-actions-runner: don't run as systemd DynamicUser
to enable usage of cache outside of /var/lib/private
2024-04-23 15:42:33 +02:00
teutat3s 9541e5029e
flora-6: move forgejo-runner cache directory to /data 2024-04-23 15:12:11 +02:00
teutat3s c86e22b292
ci: update forgejo-runner to version 3.4.1
https://github.com/NixOS/nixpkgs/pull/301383
2024-04-23 00:38:53 +02:00
Hendrik Sokolowski a9411d05a8
set pruneOpts for restic backups to daily 7, weekly 4, monthly 3 2024-04-22 20:06:49 +02:00
teutat3s c07d24f6a7
flora-6: add wg-ssh to ignored interfaces
for systemd-wait-online to start successfully
2024-04-14 23:22:53 +02:00
teutat3s c768203bed
nginx: set worker_processes to number of CPU cores
and set worker_connections to 1024

https://nginx.org/en/docs/ngx_core_module.html#worker_processes
https://nginx.org/en/docs/ngx_core_module.html#worker_connections
2024-04-14 17:39:56 +02:00
teutat3s b6a54efd9a
fix: add comment with hostnames to wireguard peers 2024-04-12 22:36:17 +02:00
Benjamin Yule Bädorf 7e145040cc
wireguard: use IP addresses for wireguard endpoints
Otherwise the hostnames written to the /etc/hosts file are already
pointing at the wireguard IP-addresses, so they can never connect.
2024-04-12 22:31:28 +02:00
teutat3s 8743ea7b0c
networking: add wireguard hosts to /etc/hosts
Also re-enable DNSSEC, it's reported fixed in systemd-resolved
2024-04-12 19:54:09 +00:00
Benjamin Yule Bädorf 316ba9ef53
forgejo: also reroute ssh traffic for ipv6 2024-04-12 19:38:15 +00:00
teutat3s afca75441c
Merge pull request 'forgejo: enable repo search (indexer), save login cookie for 365 days' (#142) from feat/forgejo-enable-search into main
Reviewed-on: pub-solar/infra#142
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-06 16:07:42 +00:00
teutat3s 9698c47530
Merge pull request 'mastodon: clean media older than 7 days' (#143) from mastodon/auto-clean-7-days into main
Reviewed-on: pub-solar/infra#143
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-06 16:07:34 +00:00
teutat3s 41e4d3427c
mastodon: clean media older than 7 days
Currently we keep everything for 30 days, which is about 180GB
2024-04-05 23:50:04 +02:00
teutat3s c5159dd66d
forgejo: enable repo search (indexer), save login
cookie for 365 days instead of default 7 days.
Caveat for the repo indexer is that repository size on disk will grow
by factor of 6. Forgejo repositories currently use 4.7GB on disk, with
3.3GB being a nixpkgs fork.
2024-04-05 23:29:49 +02:00