b12f
eb63779bb6
auth: use all sshPubKeys for disk unlock, fix tests, fix hm config
Flake checks / Check (pull_request) Successful in 28m11s
2024-11-20 16:49:39 +01:00
b12f
2b72d9a5a8
style: run nix fmt
2024-11-20 16:49:39 +01:00
b12f
5366d07d44
auth: add user for each administrator
...
After this has been tested successfully, root SSH login can be disabled.
The advantages of having a user for each adminstrator:
* Better security analysis: who issued executed what command, who
touched which file, who used sudo at which time.
* Possibility of granular access, e.g. person X is only allowed to
manage service Y
2024-11-20 16:49:38 +01:00
teutat3s
280dc37aa0
Merge pull request 'matrix-authentication-service: disable changing mail address' ( #271 ) from matrix-mas-disable-email-change into main
...
Reviewed-on: #271
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-19 15:29:15 +00:00
teutat3s
213c06ca87
matrix-authentication-service: disable changing mail
...
Flake checks / Check (pull_request) Successful in 22m45s
address. This should be done via auth.pub.solar
2024-11-19 13:57:23 +01:00
teutat3s
a491680165
prometheus: disable daily e2e notification again
Flake checks / Check (pull_request) Successful in 27m35s
2024-11-19 13:56:42 +01:00
b12f
87f9bc92df
modules/forgejo: allow migrations from local networks
2024-11-14 11:10:44 +00:00
teutat3s
4923f033f5
coturn: fix secret path
...
Flake checks / Check (pull_request) Waiting to run
this is fallout that was overlooked in #250
2024-11-13 21:25:12 +01:00
teutat3s
b41edf0cfb
Merge pull request 'core: add activationScript to show closure diff' ( #260 ) from closure-diffs into main
...
Reviewed-on: #260
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-13 19:47:17 +00:00
teutat3s
73333537a5
Merge pull request 'alertmanager: alert on high load only after 20m' ( #255 ) from alerts-tweak-load into main
...
Reviewed-on: #255
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-12 14:47:53 +00:00
teutat3s
ab85ba751a
alertmanager: enable e2e_dead_man_switch
Flake checks / Check (pull_request) Successful in 23m13s
2024-11-12 13:41:42 +01:00
teutat3s
a9c5edfeb3
alertmanager: don't alert on high memory page faults
...
This alert is non actionable, we still monitor high memory usage.
2024-11-12 13:40:46 +01:00
teutat3s
e48fe612e2
core: add activationScript to show closure diff
...
Flake checks / Check (pull_request) Successful in 23m35s
This is useful when updating a host, by doing a dry-run with deploy-rs
we get a list of changed package versions.
2024-11-11 18:02:47 +01:00
teutat3s
43b0c8d489
matrix-appservice-irc: reduce logging level to warn
Flake checks / Check (pull_request) Successful in 22m38s
2024-11-06 21:29:27 +01:00
teutat3s
afe52ca6af
alertmanager: alert on high load only after 20m
Flake checks / Check (pull_request) Successful in 2m8s
2024-11-06 21:28:28 +01:00
teutat3s
3ec5c9f343
style: fix formatting
Flake checks / Check (pull_request) Successful in 22m4s
2024-10-30 20:32:47 +01:00
b12f
041d311bb2
modules/matrix: rename used config options
Flake checks / Check (pull_request) Failing after 23s
2024-10-30 18:37:47 +01:00
teutat3s
9d9bcf9a15
mas: move to module, add secrets for prod
2024-10-30 18:37:46 +01:00
teutat3s
9d7d251369
style: fix formatting
2024-10-30 18:37:46 +01:00
teutat3s
7775ad332e
matrix: do not change paths for nachtigall secrets
2024-10-30 18:37:46 +01:00
teutat3s
d6cc9c8164
matrix-authentication-service: init host underground
...
to test mas, related to #242
2024-10-30 18:37:45 +01:00
b12f
471d7650ff
modules/tt-rss: pin on revision
Flake checks / Check (pull_request) Successful in 21m25s
2024-10-30 18:35:18 +01:00
teutat3s
9758aeda5d
garage: fix wildcard DNS cert renewal with wildcard
...
Flake checks / Check (pull_request) Successful in 20m13s
CNAME records
By usind wildcard CNAME records, we make lego think it needs to validate
challenges using these CNAME records. We actually want regular
_acme-challenge.* records, so use a environment variable to avoid CNAME
detection. This fixes DNS cert renewal. Still curious? See:
https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme/
2024-10-23 20:18:57 +02:00
teutat3s
5300f381b0
nginx: use safer request_uri variable
...
Flake checks / Check (pull_request) Successful in 21m30s
Fix >> Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
2024-10-17 21:15:57 +02:00
teutat3s
8a18ee452b
garage: fix s3_api root_domain
2024-10-17 21:15:57 +02:00
teutat3s
666de2c8f4
mastodon: switch files.pub.solar from storj to garage
...
s3 backend
2024-10-17 21:15:55 +02:00
teutat3s
c39cf9c0b9
mastodon: update to version 4.3.0 from nixos-unstable
...
https://github.com/mastodon/mastodon/releases/tag/v4.3.0
https://github.com/NixOS/nixpkgs/pull/337545/files
2024-10-17 20:31:47 +02:00
teutat3s
092a45e3bd
mastodon: actually use opensearch via module option
Flake checks / Check (pull_request) Successful in 19m43s
2024-10-08 19:09:17 +02:00
teutat3s
8c8a757f8f
garage: update to 1.0.1
...
https://git.deuxfleurs.fr/Deuxfleurs/garage/releases/tag/v1.0.1
2024-10-05 13:03:40 +02:00
teutat3s
37f210c96f
security: add libolm to permittedInsecurePackages
2024-10-05 13:03:40 +02:00
b12f
4831430455
chore: run nix fmt
Flake checks / Check (pull_request) Has been cancelled
2024-09-10 16:02:26 +02:00
teutat3s
663ef8feb1
alerts: fix condition
2024-09-10 16:02:26 +02:00
teutat3s
63fa03e971
alerts.pub.solar: use DNS challenge for cert
2024-09-10 16:02:26 +02:00
teutat3s
faa71b7797
alerts: add check for healthy garage cluster
2024-09-10 16:02:26 +02:00
teutat3s
19723f3812
monitoring: add prometheus-exporter, promtail to
...
delite, blue-shell
add instance labels to garage scrape jobs
2024-09-10 16:02:26 +02:00
teutat3s
47b076e0a6
loki: store logs in /var/lib/loki
2024-09-10 16:02:25 +02:00
b12f
1ec5bafa30
flora-6: remove
...
This commit removes the flora-6 host. All services are moved to
trinkgenossin, with the drone service being removed completely in favour
of forgejo actions.
2024-09-10 16:02:24 +02:00
teutat3s
44f708ec76
obs-portal: run backups 1h later to avoid lock conflict
Flake checks / Check (pull_request) Has been cancelled
2024-09-09 17:28:57 +02:00
teutat3s
cd82b83427
obs-portal: fix backups, docker command does not
...
Flake checks / Check (pull_request) Successful in 20m28s
need a TTY
2024-08-31 22:05:11 +02:00
teutat3s
2d94ed5a0d
Merge pull request 'obs-portal: add backups' ( #228 ) from obs-portal-backups into main
...
Reviewed-on: #228
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-08-31 19:43:10 +00:00
teutat3s
2eb54a331e
backups: add storagebox to programs.ssh.knownHosts
2024-08-29 16:36:09 +02:00
teutat3s
77b642f646
garage: increase nginx client_body_size to 64m
...
To make bigger garage uploads work well, avoiding error
HTTP 413 Entity Too Large
2024-08-29 16:24:32 +02:00
teutat3s
2e16c77956
secrets: rename restic-repo-storagebox{,-nachtigall}
...
To use a restic repository per host
2024-08-29 16:22:58 +02:00
teutat3s
e2ba1aacf4
mail: add backups to garage bucket + storagebox
...
Restic backups to garage S3 bucket metronom-backups
2024-08-29 16:19:24 +02:00
teutat3s
27dc20dd04
obs-portal: add backups to garage bucket + storagebox
...
Flake checks / Check (pull_request) Successful in 23m21s
Restic backups to garage S3 bucket nachtigall-backups
2024-08-29 10:09:04 +02:00
teutat3s
d2389497c2
Merge pull request 'garage: initial cluster' ( #222 ) from garage-cluster into main
...
Reviewed-on: #222
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-08-28 15:55:16 +00:00
teutat3s
4626fd85c0
mediawiki: add backups to garage bucket + storagebox
...
Flake checks / Check (pull_request) Successful in 1m56s
Restic backups to garage S3 bucket nachtigall-backups
https://garagehq.deuxfleurs.fr/documentation/connect/backup/#restic
2024-08-28 17:13:34 +02:00
teutat3s
c0a3d90d63
backups: add environmentFile option
2024-08-28 17:13:34 +02:00
teutat3s
1d92ef53ca
backups: storeName -> repoName
2024-08-28 17:13:33 +02:00
teutat3s
751d82f7e3
backups: rename pub-solar-os.backups.backups -> pub-solar-os.backups.restic
2024-08-28 17:12:22 +02:00