Commit graph

455 commits

Author SHA1 Message Date
Benjamin Yule Bädorf 4f86c92941
obs-portal: init obs-portal on nachtigall
All checks were successful
Flake checks / Check (pull_request) Successful in 5m58s
This follows the official installation instructions at https://github.com/openbikesensor/portal/blob/main/docs/production-deployment.md

Unfortunately, the postgres database needs to have postgis enabled, so
we'll have to start a second instance. To stay close to the official
deployment instructions, this is running in docker.

The secrets were taken from the old installation instance. During
initial installation, we'll need to import data from the old instance
into this one, which might take a while.
2024-04-23 23:47:30 +02:00
teutat3s d62b6cda92
Merge pull request 'ci: update forgejo runner to fix cache' (#152) from ci/update-forgejo-runner into main
Reviewed-on: #152
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-23 18:18:39 +00:00
teutat3s c580fe0fbb
ci: prevent flake inputs from GC as well
All checks were successful
Flake checks / Check (pull_request) Successful in 5m29s
2024-04-23 19:10:20 +02:00
teutat3s 60aef1d038
ci: prevent nix garbage collection
All checks were successful
Flake checks / Check (pull_request) Successful in 5m36s
2024-04-23 16:00:16 +02:00
teutat3s fa9ce9d435
gitea-actions-runner: don't run as systemd DynamicUser
Some checks failed
Flake checks / Check (pull_request) Failing after 4m55s
to enable usage of cache outside of /var/lib/private
2024-04-23 15:42:33 +02:00
teutat3s 9541e5029e
flora-6: move forgejo-runner cache directory to /data
All checks were successful
Flake checks / Check (pull_request) Successful in 13m34s
2024-04-23 15:12:11 +02:00
teutat3s c4d0d34807
ci: revert cache-nix-action to version 4.0.3 2024-04-23 15:12:06 +02:00
teutat3s d5fe65b60d
ci: disable cachix daemon, spams logs with
[2024-04-22 23:46:26][Info] Skipping /nix/store/w2zp8k8yy2avv5r92w0cpq9aixkir2sp-LocalSettings.php
...
2024-04-23 15:11:59 +02:00
teutat3s 0e7dc95250
ci: remove broken purge config from check workflow
All checks were successful
Flake checks / Check (pull_request) Successful in 16m12s
2024-04-23 01:42:04 +02:00
teutat3s c86e22b292
ci: update forgejo-runner to version 3.4.1
https://github.com/NixOS/nixpkgs/pull/301383
2024-04-23 00:38:53 +02:00
Hendrik Sokolowski 4992819742
Merge pull request 'set pruneOpts for restic backups to daily 7, weekly 4, monthly 3' (#151) from feature/restic-backup-retention into main
Reviewed-on: #151
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>
2024-04-22 19:38:21 +00:00
Hendrik Sokolowski a9411d05a8
set pruneOpts for restic backups to daily 7, weekly 4, monthly 3
All checks were successful
Flake checks / Check (pull_request) Successful in 12m5s
2024-04-22 20:06:49 +02:00
teutat3s e8530caf1d
Merge pull request 'ci: update nix-quick-install-action, cache-nix-action, cachix-action' (#150) from chore-update-ci into main
Reviewed-on: #150
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-22 15:19:36 +00:00
teutat3s 7c492e7391
Merge pull request 'chore: forgejo security update, update matrix-synapse et al.' (#149) from chore-update-flake into main
Reviewed-on: #149
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-22 15:18:33 +00:00
teutat3s a0c6f0dc08
ci: fix cache-nix-action, use new config syntax
All checks were successful
Flake checks / Check (pull_request) Successful in 2m46s
2024-04-21 20:17:03 +02:00
teutat3s 46c7c9ecb1
ci: update nix-quick-install-action, cache-nix-action,
Some checks failed
Flake checks / Check (pull_request) Failing after 44s
cachix-action
2024-04-21 19:58:58 +02:00
teutat3s fb4004e9f0
chore: update flake inputs
All checks were successful
Flake checks / Check (pull_request) Successful in 22m26s
• Updated input 'nix-darwin':
    'github:lnl7/nix-darwin/36524adc31566655f2f4d55ad6b875fb5c1a4083?narHash=sha256-sXcesZWKXFlEQ8oyGHnfk4xc9f2Ip0X/%2BYZOq3sKviI%3D' (2024-03-30)
  → 'github:lnl7/nix-darwin/9e7c20ffd056e406ddd0276ee9d89f09c5e5f4ed?narHash=sha256-olEWxacm1xZhAtpq%2BZkEyQgR4zgfE7ddpNtZNvubi3g%3D' (2024-04-19)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/90055d5e616bd943795d38808c94dbf0dd35abe8?narHash=sha256-ZEfGB3YCBVggvk0BQIqVY7J8XF/9jxQ68fCca6nib%2B8%3D' (2024-04-13)
  → 'github:nixos/nixpkgs/bc194f70731cc5d2b046a6c1b3b15f170f05999c?narHash=sha256-YguPZpiejgzLEcO36/SZULjJQ55iWcjAmf3lYiyV1Fo%3D' (2024-04-19)
• Updated input 'unstable':
    'github:nixos/nixpkgs/cfd6b5fc90b15709b780a5a1619695a88505a176?narHash=sha256-WKm9CvgCldeIVvRz87iOMi8CFVB1apJlkUT4GGvA0iM%3D' (2024-04-12)
  → 'github:nixos/nixpkgs/5c24cf2f0a12ad855f444c30b2421d044120c66f?narHash=sha256-XtTSSIB2DA6tOv%2Bl0FhvfDMiyCmhoRbNB%2B0SeInZkbk%3D' (2024-04-19)
2024-04-21 19:28:02 +02:00
teutat3s 3030b0f84d
Merge pull request 'flora-6: add wg-ssh to ignored systemd-wait-online interfaces' (#148) from flora-6/fix-network-wait-online into main
Reviewed-on: #148
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-14 21:53:33 +00:00
teutat3s c07d24f6a7
flora-6: add wg-ssh to ignored interfaces
All checks were successful
Flake checks / Check (pull_request) Successful in 21m7s
for systemd-wait-online to start successfully
2024-04-14 23:22:53 +02:00
teutat3s 0f297c4711
Merge pull request 'chore: security update PHP, update element-web, misc updates' (#147) from chore-update-flake into main
Reviewed-on: #147
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-14 20:29:39 +00:00
teutat3s 679d9b236f
Merge pull request 'nginx: set worker_processes to number of CPU cores' (#146) from feat/nginx-tuning into main
Reviewed-on: #146
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-14 20:22:08 +00:00
teutat3s 78d5e5a4f0
chore: update flake inputs
All checks were successful
Flake checks / Check (pull_request) Successful in 23m27s
❯ nix store diff-closures $OLD_CLOSURE $NEW_CLOSURE
cpupower: 6.1.84 → 6.1.86
element-web: 1.11.63 → 1.11.64, +148.0 KiB
element-web-wrapped: 1.11.63 → 1.11.64
initrd-linux: 6.1.84 → 6.1.86
linux: 6.1.84, 6.1.84-modules → 6.1.86, 6.1.86-modules, +24.3 KiB
linux-firmware: 20240312 → 20240410, +493.3 KiB
nixos-system-nachtigall: 23.11.20240410.b2cf36f → 23.11.20240413.90055d5
owncast: 0.1.2 → 0.1.3, -376.1 KiB
php: 8.2.17 → 8.2.18
php-bcmath: 8.2.17 → 8.2.18
php-bz2: 8.2.17 → 8.2.18
php-calendar: 8.2.17 → 8.2.18
php-ctype: 8.2.17 → 8.2.18
php-curl: 8.2.17 → 8.2.18
php-dom: 8.2.17 → 8.2.18
php-exif: 8.2.17 → 8.2.18
php-extra-init: 8.2.17.ini → 8.2.18.ini
php-fileinfo: 8.2.17 → 8.2.18
php-filter: 8.2.17 → 8.2.18
php-ftp: 8.2.17 → 8.2.18
php-gd: 8.2.17 → 8.2.18
php-gettext: 8.2.17 → 8.2.18
php-gmp: 8.2.17 → 8.2.18
php-iconv: 8.2.17 → 8.2.18
php-imap: 8.2.17 → 8.2.18
php-intl: 8.2.17 → 8.2.18
php-ldap: 8.2.17 → 8.2.18
php-mbstring: 8.2.17 → 8.2.18
php-mysqli: 8.2.17 → 8.2.18
php-mysqlnd: 8.2.17 → 8.2.18
php-opcache: 8.2.17 → 8.2.18
php-openssl: 8.2.17 → 8.2.18
php-pcntl: 8.2.17 → 8.2.18
php-pdo: 8.2.17 → 8.2.18
php-pdo_mysql: 8.2.17 → 8.2.18
php-pdo_odbc: 8.2.17 → 8.2.18
php-pdo_pgsql: 8.2.17 → 8.2.18
php-pdo_sqlite: 8.2.17 → 8.2.18
php-pgsql: 8.2.17 → 8.2.18
php-posix: 8.2.17 → 8.2.18
php-readline: 8.2.17 → 8.2.18
php-session: 8.2.17 → 8.2.18
php-simplexml: 8.2.17 → 8.2.18
php-soap: 8.2.17 → 8.2.18
php-sockets: 8.2.17 → 8.2.18
php-sodium: 8.2.17 → 8.2.18
php-sqlite3: 8.2.17 → 8.2.18
php-sysvsem: 8.2.17 → 8.2.18
php-tokenizer: 8.2.17 → 8.2.18
php-with-extensions: 8.2.17 → 8.2.18
php-xmlreader: 8.2.17 → 8.2.18
php-xmlwriter: 8.2.17 → 8.2.18
php-zip: 8.2.17 → 8.2.18
php-zlib: 8.2.17 → 8.2.18
searxng: ∅ → 0-unstable-2024-03-08, +15337.5 KiB
searxng-unstable: 2023-10-31 → ∅, -14965.6 KiB
source: +470.3 KiB
uwsgi: 2.0.23 → 2.0.24
zfs-kernel: 2.2.3-6.1.84 → 2.2.3-6.1.86
2024-04-14 22:09:37 +02:00
teutat3s c768203bed
nginx: set worker_processes to number of CPU cores
All checks were successful
Flake checks / Check (pull_request) Successful in 12m4s
and set worker_connections to 1024

https://nginx.org/en/docs/ngx_core_module.html#worker_processes
https://nginx.org/en/docs/ngx_core_module.html#worker_connections
2024-04-14 17:39:56 +02:00
teutat3s b0c466869e
Merge pull request 'wireguard: use IP addresses for wireguard endpoints' (#145) from fix/use-ip-for-wireguard into main
Reviewed-on: #145
Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>
2024-04-12 20:40:39 +00:00
teutat3s b6a54efd9a
fix: add comment with hostnames to wireguard peers
All checks were successful
Flake checks / Check (pull_request) Successful in 12m31s
2024-04-12 22:36:17 +02:00
Benjamin Yule Bädorf 7e145040cc
wireguard: use IP addresses for wireguard endpoints
All checks were successful
Flake checks / Check (pull_request) Successful in 13m14s
Otherwise the hostnames written to the /etc/hosts file are already
pointing at the wireguard IP-addresses, so they can never connect.
2024-04-12 22:31:28 +02:00
b12f 9d94b888ae
Merge pull request 'networking: add wireguard hosts to /etc/hosts' (#144) from wireguard/add-etc-hosts into main
Reviewed-on: #144
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-12 19:54:09 +00:00
teutat3s 8a9fe3b8fe
chore: update flake inputs
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/d272ca50d1f7424fbfcd1e6f1c9e01d92f6da167' (2024-04-08)
  → 'github:nixos/nixpkgs/b2cf36f43f9ef2ded5711b30b1f393ac423d8f72' (2024-04-10)
• Updated input 'unstable':
    'github:nixos/nixpkgs/4cba8b53da471aea2ab2b0c1f30a81e7c451f4b6' (2024-04-08)
  → 'github:nixos/nixpkgs/1042fd8b148a9105f3c0aca3a6177fd1d9360ba5' (2024-04-10)
2024-04-12 19:54:09 +00:00
teutat3s 8743ea7b0c
networking: add wireguard hosts to /etc/hosts
Also re-enable DNSSEC, it's reported fixed in systemd-resolved
2024-04-12 19:54:09 +00:00
b12f 8743b50f7f
Merge pull request 'forgejo: also reroute ssh traffic for ipv6' (#139) from forgejo/reroute-ssh-ipv6 into main
Reviewed-on: #139
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-12 19:38:15 +00:00
Benjamin Yule Bädorf 316ba9ef53
forgejo: also reroute ssh traffic for ipv6 2024-04-12 19:38:15 +00:00
teutat3s afca75441c
Merge pull request 'forgejo: enable repo search (indexer), save login cookie for 365 days' (#142) from feat/forgejo-enable-search into main
Reviewed-on: #142
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-06 16:07:42 +00:00
teutat3s 9698c47530
Merge pull request 'mastodon: clean media older than 7 days' (#143) from mastodon/auto-clean-7-days into main
Reviewed-on: #143
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-06 16:07:34 +00:00
teutat3s ccb029dde3
Merge pull request 'wireguard: add ryzensun to teutat3s' hosts' (#141) from wireguard/add-ryzensun-host into main
Reviewed-on: #141
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-06 16:07:21 +00:00
teutat3s 41e4d3427c
mastodon: clean media older than 7 days
All checks were successful
Flake checks / Check (pull_request) Successful in 8m3s
Currently we keep everything for 30 days, which is about 180GB
2024-04-05 23:50:04 +02:00
teutat3s 16e9d476cb
Merge pull request 'docs: include notes regarding rollback in deploy docs, misc updates' (#140) from docs/update-deployment-docs into main
Reviewed-on: #140
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-05 21:39:46 +00:00
teutat3s 3caf085d0b
wireguard: add ryzensun to teutat3s' hosts
All checks were successful
Flake checks / Check (pull_request) Successful in 8m23s
2024-04-05 23:32:59 +02:00
teutat3s c5159dd66d
forgejo: enable repo search (indexer), save login
All checks were successful
Flake checks / Check (pull_request) Successful in 7m54s
cookie for 365 days instead of default 7 days.
Caveat for the repo indexer is that repository size on disk will grow
by factor of 6. Forgejo repositories currently use 4.7GB on disk, with
3.3GB being a nixpkgs fork.
2024-04-05 23:29:49 +02:00
teutat3s b27f8c1380
docs: include notes regarding rollback in deploy
All checks were successful
Flake checks / Check (pull_request) Successful in 7m55s
docs, misc updates
2024-04-05 23:03:43 +02:00
b12f 76ca43142a
Merge pull request 'forgejo: make SSH keys declarative' (#138) from forgejo/ssh-keys-declarative into main
Reviewed-on: #138
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-05 19:35:55 +00:00
Benjamin Yule Bädorf 16c6aa3b61
forgejo: make SSH keys declarative 2024-04-05 19:35:55 +00:00
teutat3s 315cbf5813
Merge pull request 'fix(nextcloud): define a maintenance window' (#135) from chore/nextcloud-config-maintenance-window into main
Reviewed-on: #135
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-05 18:41:17 +00:00
b12f 9191729f5c
Merge pull request 'nachtigall: forgejo: update firewall settings' (#137) from fix/git-forgejo-open-service-port-in-firewall into main
Reviewed-on: #137
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-05 16:51:36 +00:00
Hendrik Sokolowski b6b8d69852
nachtigall: forgejo: update firewall settings
All checks were successful
Flake checks / Check (pull_request) Successful in 8m11s
2024-04-05 18:39:43 +02:00
b12f 4380c3b0ab
Merge pull request 'forgejo: use iptables routing instead of ssh patch' (#136) from fix/forgejo-ssh-again into main
Reviewed-on: #136
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-05 15:26:10 +00:00
Benjamin Yule Bädorf e618b9f9c2
forgejo: use iptables routing instead of ssh patch
All checks were successful
Flake checks / Check (pull_request) Successful in 8m18s
2024-04-05 17:00:28 +02:00
b12f ae0c90e4f8
Merge pull request 'forgejo: allow multiple host addresses for SSH' (#133) from fix/forgejo-multi-host into main
Reviewed-on: #133
Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>
2024-04-05 14:27:03 +00:00
Benjamin Yule Bädorf d7c9333ff4
forgejo: allow multiple host addresses for SSH
All checks were successful
Flake checks / Check (pull_request) Successful in 9m1s
2024-04-05 14:26:56 +00:00
teutat3s 18a62b8d35
fix(nextcloud): define a maintenance window for
All checks were successful
Flake checks / Check (pull_request) Successful in 4m39s
resource intensive background jobs. Docs:
https://docs.nextcloud.com/server/28/admin_manual/configuration_server/background_jobs_configuration.html

> A value of 1 e.g. will only run these background jobs between 01:00am
UTC and 05:00am UTC
2024-04-05 16:23:16 +02:00
Hendrik Sokolowski 9ec77e2a30
Update flake.nix (#134)
Update deploy node settinsg with wireguard ips

Reviewed-on: #134
Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-05 14:11:42 +00:00