Commit graph

121 commits

Author SHA1 Message Date
teutat3s 386f2b2ba5
bash: ignore leading space + duplicates in history
All checks were successful
Flake checks / Check (pull_request) Successful in 28m23s
2024-12-09 18:49:58 +01:00
teutat3s eef268b21b
style: fix formatting
All checks were successful
Flake checks / Check (pull_request) Successful in 41m25s
2024-12-08 18:59:27 +01:00
teutat3s 3e32bfe106
Merge pull request 'auth: add user for each administrator' (#261) from per-admin-user into main
Reviewed-on: #261
Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>
Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>
2024-11-28 16:16:35 +00:00
teutat3s 90c8072f92
matrix: remove long-gone dimension from well-known
All checks were successful
Flake checks / Check (pull_request) Successful in 24m49s
2024-11-21 09:15:10 +01:00
Akshay Mankar 5076266842
matrix: Enable MSC4108 to allow Signing in with QR Code
Enable MSC3266 room summary API to enable room previews

Co-authored-by: teutat3s <teutates@mailbox.org>
2024-11-21 09:14:17 +01:00
b12f eb63779bb6
auth: use all sshPubKeys for disk unlock, fix tests, fix hm config
All checks were successful
Flake checks / Check (pull_request) Successful in 28m11s
2024-11-20 16:49:39 +01:00
b12f 2b72d9a5a8
style: run nix fmt 2024-11-20 16:49:39 +01:00
b12f 5366d07d44
auth: add user for each administrator
After this has been tested successfully, root SSH login can be disabled.

The advantages of having a user for each adminstrator:

* Better security analysis: who issued executed what command, who
  touched which file, who used sudo at which time.
* Possibility of granular access, e.g. person X is only allowed to
  manage service Y
2024-11-20 16:49:38 +01:00
teutat3s 280dc37aa0
Merge pull request 'matrix-authentication-service: disable changing mail address' (#271) from matrix-mas-disable-email-change into main
Reviewed-on: #271
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-19 15:29:15 +00:00
teutat3s 213c06ca87
matrix-authentication-service: disable changing mail
All checks were successful
Flake checks / Check (pull_request) Successful in 22m45s
address. This should be done via auth.pub.solar
2024-11-19 13:57:23 +01:00
teutat3s a491680165
prometheus: disable daily e2e notification again
All checks were successful
Flake checks / Check (pull_request) Successful in 27m35s
2024-11-19 13:56:42 +01:00
b12f 87f9bc92df
modules/forgejo: allow migrations from local networks 2024-11-14 11:10:44 +00:00
teutat3s 4923f033f5
coturn: fix secret path
Some checks are pending
Flake checks / Check (pull_request) Waiting to run
this is fallout that was overlooked in #250
2024-11-13 21:25:12 +01:00
teutat3s b41edf0cfb
Merge pull request 'core: add activationScript to show closure diff' (#260) from closure-diffs into main
Reviewed-on: #260
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-13 19:47:17 +00:00
teutat3s 73333537a5
Merge pull request 'alertmanager: alert on high load only after 20m' (#255) from alerts-tweak-load into main
Reviewed-on: #255
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-12 14:47:53 +00:00
teutat3s ab85ba751a
alertmanager: enable e2e_dead_man_switch
All checks were successful
Flake checks / Check (pull_request) Successful in 23m13s
2024-11-12 13:41:42 +01:00
teutat3s a9c5edfeb3
alertmanager: don't alert on high memory page faults
This alert is non actionable, we still monitor high memory usage.
2024-11-12 13:40:46 +01:00
teutat3s e48fe612e2
core: add activationScript to show closure diff
All checks were successful
Flake checks / Check (pull_request) Successful in 23m35s
This is useful when updating a host, by doing a dry-run with deploy-rs
we get a list of changed package versions.
2024-11-11 18:02:47 +01:00
teutat3s 43b0c8d489
matrix-appservice-irc: reduce logging level to warn
All checks were successful
Flake checks / Check (pull_request) Successful in 22m38s
2024-11-06 21:29:27 +01:00
teutat3s afe52ca6af
alertmanager: alert on high load only after 20m
All checks were successful
Flake checks / Check (pull_request) Successful in 2m8s
2024-11-06 21:28:28 +01:00
teutat3s 3ec5c9f343
style: fix formatting
All checks were successful
Flake checks / Check (pull_request) Successful in 22m4s
2024-10-30 20:32:47 +01:00
b12f 041d311bb2
modules/matrix: rename used config options
Some checks failed
Flake checks / Check (pull_request) Failing after 23s
2024-10-30 18:37:47 +01:00
teutat3s 9d9bcf9a15
mas: move to module, add secrets for prod 2024-10-30 18:37:46 +01:00
teutat3s 9d7d251369
style: fix formatting 2024-10-30 18:37:46 +01:00
teutat3s 7775ad332e
matrix: do not change paths for nachtigall secrets 2024-10-30 18:37:46 +01:00
teutat3s d6cc9c8164
matrix-authentication-service: init host underground
to test mas, related to #242
2024-10-30 18:37:45 +01:00
b12f 471d7650ff
modules/tt-rss: pin on revision
All checks were successful
Flake checks / Check (pull_request) Successful in 21m25s
2024-10-30 18:35:18 +01:00
teutat3s 9758aeda5d
garage: fix wildcard DNS cert renewal with wildcard
All checks were successful
Flake checks / Check (pull_request) Successful in 20m13s
CNAME records

By usind wildcard CNAME records, we make lego think it needs to validate
challenges using these CNAME records. We actually want regular
_acme-challenge.* records, so use a environment variable to avoid CNAME
detection. This fixes DNS cert renewal. Still curious? See:
https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme/
2024-10-23 20:18:57 +02:00
teutat3s 5300f381b0
nginx: use safer request_uri variable
All checks were successful
Flake checks / Check (pull_request) Successful in 21m30s
Fix >> Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
2024-10-17 21:15:57 +02:00
teutat3s 8a18ee452b
garage: fix s3_api root_domain 2024-10-17 21:15:57 +02:00
teutat3s 666de2c8f4
mastodon: switch files.pub.solar from storj to garage
s3 backend
2024-10-17 21:15:55 +02:00
teutat3s c39cf9c0b9
mastodon: update to version 4.3.0 from nixos-unstable
https://github.com/mastodon/mastodon/releases/tag/v4.3.0
https://github.com/NixOS/nixpkgs/pull/337545/files
2024-10-17 20:31:47 +02:00
teutat3s 092a45e3bd
mastodon: actually use opensearch via module option
All checks were successful
Flake checks / Check (pull_request) Successful in 19m43s
2024-10-08 19:09:17 +02:00
teutat3s 8c8a757f8f
garage: update to 1.0.1
https://git.deuxfleurs.fr/Deuxfleurs/garage/releases/tag/v1.0.1
2024-10-05 13:03:40 +02:00
teutat3s 37f210c96f
security: add libolm to permittedInsecurePackages 2024-10-05 13:03:40 +02:00
b12f 4831430455
chore: run nix fmt
Some checks failed
Flake checks / Check (pull_request) Has been cancelled
2024-09-10 16:02:26 +02:00
teutat3s 663ef8feb1
alerts: fix condition 2024-09-10 16:02:26 +02:00
teutat3s 63fa03e971
alerts.pub.solar: use DNS challenge for cert 2024-09-10 16:02:26 +02:00
teutat3s faa71b7797
alerts: add check for healthy garage cluster 2024-09-10 16:02:26 +02:00
teutat3s 19723f3812
monitoring: add prometheus-exporter, promtail to
delite, blue-shell

add instance labels to garage scrape jobs
2024-09-10 16:02:26 +02:00
teutat3s 47b076e0a6
loki: store logs in /var/lib/loki 2024-09-10 16:02:25 +02:00
b12f 1ec5bafa30
flora-6: remove
This commit removes the flora-6 host. All services are moved to
trinkgenossin, with the drone service being removed completely in favour
of forgejo actions.
2024-09-10 16:02:24 +02:00
teutat3s 44f708ec76
obs-portal: run backups 1h later to avoid lock conflict
Some checks failed
Flake checks / Check (pull_request) Has been cancelled
2024-09-09 17:28:57 +02:00
teutat3s cd82b83427
obs-portal: fix backups, docker command does not
All checks were successful
Flake checks / Check (pull_request) Successful in 20m28s
need a TTY
2024-08-31 22:05:11 +02:00
teutat3s 2d94ed5a0d
Merge pull request 'obs-portal: add backups' (#228) from obs-portal-backups into main
Reviewed-on: #228
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-08-31 19:43:10 +00:00
teutat3s 2eb54a331e
backups: add storagebox to programs.ssh.knownHosts 2024-08-29 16:36:09 +02:00
teutat3s 77b642f646
garage: increase nginx client_body_size to 64m
To make bigger garage uploads work well, avoiding error
HTTP 413 Entity Too Large
2024-08-29 16:24:32 +02:00
teutat3s 2e16c77956
secrets: rename restic-repo-storagebox{,-nachtigall}
To use a restic repository per host
2024-08-29 16:22:58 +02:00
teutat3s e2ba1aacf4
mail: add backups to garage bucket + storagebox
Restic backups to garage S3 bucket metronom-backups
2024-08-29 16:19:24 +02:00
teutat3s 27dc20dd04
obs-portal: add backups to garage bucket + storagebox
All checks were successful
Flake checks / Check (pull_request) Successful in 23m21s
Restic backups to garage S3 bucket nachtigall-backups
2024-08-29 10:09:04 +02:00