Commit graph

14 commits

Author SHA1 Message Date
b12f eb63779bb6
auth: use all sshPubKeys for disk unlock, fix tests, fix hm config
All checks were successful
Flake checks / Check (pull_request) Successful in 28m11s
2024-11-20 16:49:39 +01:00
b12f 2b72d9a5a8
style: run nix fmt 2024-11-20 16:49:39 +01:00
b12f 5366d07d44
auth: add user for each administrator
After this has been tested successfully, root SSH login can be disabled.

The advantages of having a user for each adminstrator:

* Better security analysis: who issued executed what command, who
  touched which file, who used sudo at which time.
* Possibility of granular access, e.g. person X is only allowed to
  manage service Y
2024-11-20 16:49:38 +01:00
teutat3s e48fe612e2
core: add activationScript to show closure diff
All checks were successful
Flake checks / Check (pull_request) Successful in 23m35s
This is useful when updating a host, by doing a dry-run with deploy-rs
we get a list of changed package versions.
2024-11-11 18:02:47 +01:00
teutat3s 37f210c96f
security: add libolm to permittedInsecurePackages 2024-10-05 13:03:40 +02:00
b12f 1ec5bafa30
flora-6: remove
This commit removes the flora-6 host. All services are moved to
trinkgenossin, with the drone service being removed completely in favour
of forgejo actions.
2024-09-10 16:02:24 +02:00
teutat3s 701c62dd69
tests: create keycloak test, add working test for website
Co-authored-by: b12f <b12f@noreply.git.pub.solar>
Co-authored-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-08-27 09:55:25 +02:00
teutat3s 6ea916603c
networking: set networking.domain in core module
All checks were successful
Flake checks / Check (pull_request) Successful in 4m0s
2024-06-06 19:30:11 +02:00
teutat3s 61ea0ad7c2
networking: add internal IPv6 wireguard IPs to /etc/hosts
All checks were successful
Flake checks / Check (pull_request) Successful in 3m8s
2024-06-03 12:33:51 +02:00
teutat3s 56f692740e
networking: use *.wg.pub.solar in /etc/hosts
instead of overriding IPs for existing DNS records, to reduce suprises
when DNS records are different depending on the host.

Add metronom + tankstelle internal wireguard IPs, too.
2024-06-03 12:28:33 +02:00
teutat3s c015a1ec2e
style: avoid usage of top-level "with lib";
All checks were successful
Flake checks / Check (pull_request) Successful in 3m2s
See: https://github.com/NixOS/nixpkgs/issues/208242
2024-05-19 15:27:19 +02:00
teutat3s 2ca0bd7c3e
style: run treefmt
All checks were successful
Flake checks / Check (pull_request) Successful in 2m36s
2024-05-08 22:57:07 +02:00
Benjamin Yule Bädorf 68278ad983
refactor: use options for config parts
All checks were successful
Flake checks / Check (pull_request) Successful in 5m52s
This works towards having reusable modules

* `config.pub-solar-os.networking.domain` is used for the main domain
* `config.pub-solar-os.privacyPolicUrl` links towards the privacy policy
* `config.pub-solar-os.imprintUrl` links towards the imprint
* `config.pub-solar-os.auth.enable` enables the keycloak installation.
  This is needed because `config.pub-solar-os.auth` has to be available
  everywhere, but we do not want to install keycloak everywhere.
* `config.pub-solar-os.auth.realm` sets the keycloak realm name
2024-05-08 19:47:47 +02:00
Benjamin Yule Bädorf ef94681e11
refactor: Move all apps into modules
All checks were successful
Flake checks / Check (pull_request) Successful in 6m5s
2024-04-28 18:07:28 +02:00