Commit graph

732 commits

Author SHA1 Message Date
b12f c96644b6c5
auth: use all sshPubKeys for disk unlock, fix tests, fix hm config
Some checks failed
Flake checks / Check (pull_request) Failing after 22s
2024-11-12 21:04:44 +01:00
b12f b5ed810f11
hosts: use correct wireguardDevices option
Some checks failed
Flake checks / Check (pull_request) Failing after 36s
2024-11-12 20:32:00 +01:00
b12f 656211888b
style: run nix fmt
Some checks failed
Flake checks / Check (pull_request) Failing after 38s
2024-11-12 20:30:03 +01:00
b12f daf2a34274
auth: add user for each administrator
Some checks failed
Flake checks / Check (pull_request) Failing after 25s
After this has been tested successfully, root SSH login can be disabled.

The advantages of having a user for each adminstrator:

* Better security analysis: who issued executed what command, who
  touched which file, who used sudo at which time.
* Possibility of granular access, e.g. person X is only allowed to
  manage service Y
2024-11-12 20:22:25 +01:00
teutat3s da529b023e
Merge pull request 'ci: use treefmt2 with flag --ci' (#248) from ci-treefmt into main
Reviewed-on: #248
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-06 14:40:03 +00:00
teutat3s cf39137340
Merge pull request 'docs: more garage CLI usage, avoid leaking secret' (#246) from docs-garage into main
Reviewed-on: #246
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-06 14:39:53 +00:00
teutat3s 18683d383f
Merge pull request 'docs: add examples for cachix usage' (#230) from docs-cachix into main
Reviewed-on: #230
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-11-06 14:39:44 +00:00
teutat3s d8a793190d
Merge pull request 'matrix-authentication-service: init, test, migrate synapse' (#250) from mas-init into main
Reviewed-on: #250
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-10-30 20:02:53 +00:00
teutat3s 3ec5c9f343
style: fix formatting
All checks were successful
Flake checks / Check (pull_request) Successful in 22m4s
2024-10-30 20:32:47 +01:00
teutat3s 7ba5a7bdd6
matrix: disable sliding-sync proxy, it's built into
Some checks failed
Flake checks / Check (pull_request) Failing after 22s
synapse now, update synapse config to use matrix-authentication-service
2024-10-30 20:31:29 +01:00
b12f 041d311bb2
modules/matrix: rename used config options
Some checks failed
Flake checks / Check (pull_request) Failing after 23s
2024-10-30 18:37:47 +01:00
teutat3s 9d9bcf9a15
mas: move to module, add secrets for prod 2024-10-30 18:37:46 +01:00
b12f 4434a90136
modules/matrix: rename secrets to not include hostnames 2024-10-30 18:37:46 +01:00
teutat3s 472f9aa68b
dns: list.pub.solar should be A / AAAA records 2024-10-30 18:37:46 +01:00
teutat3s c9c2d06a98
dns: add CNAME record for mas.pub.solar 2024-10-30 18:37:46 +01:00
teutat3s 8244e605b6
fix: passkey support in pub.solar keycloak theme 2024-10-30 18:37:46 +01:00
teutat3s 9d7d251369
style: fix formatting 2024-10-30 18:37:46 +01:00
teutat3s 7775ad332e
matrix: do not change paths for nachtigall secrets 2024-10-30 18:37:46 +01:00
teutat3s d6cc9c8164
matrix-authentication-service: init host underground
to test mas, related to #242
2024-10-30 18:37:45 +01:00
teutat3s 4c51eda8b6
Merge pull request 'modules/tt-rss: pin on revision' (#253) from update-tt-rss into main
Reviewed-on: #253
Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>
2024-10-30 17:37:10 +00:00
b12f 471d7650ff
modules/tt-rss: pin on revision
All checks were successful
Flake checks / Check (pull_request) Successful in 21m25s
2024-10-30 18:35:18 +01:00
teutat3s 9cc50ed678
Merge pull request 'maintenance: updates for mastodon, matrix-synapse' (#249) from flake-updates-2024-10-24 into main
Reviewed-on: #249
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-10-24 16:16:06 +00:00
teutat3s 4309cc9cdd
ci: use treefmt2 with flag --ci
All checks were successful
Flake checks / Check (pull_request) Successful in 2m7s
Update treefmt to version 2.

This adds the following flags for CI usage:
"--no-cache, --fail-on-change and adjusting some other settings best suited to a CI".
See: https://treefmt.com/usage
2024-10-24 15:43:00 +02:00
teutat3s 08f5c5ce67
docs: more garage CLI usage, avoid leaking secret
All checks were successful
Flake checks / Check (pull_request) Successful in 2m3s
2024-10-24 15:10:44 +02:00
teutat3s 870e81ee4c
flake.lock: Update
All checks were successful
Flake checks / Check (pull_request) Successful in 25m54s
Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/d7d57edb72e54891fa67a6f058a46b2bb405663b' (2024-10-16)
  → 'github:nix-community/disko/09a776702b004fdf9c41a024e1299d575ee18a7d' (2024-10-23)
• Updated input 'nix-darwin':
    'github:lnl7/nix-darwin/a60ac02f9466f85f092e576fd8364dfc4406b5a6' (2024-10-14)
  → 'github:lnl7/nix-darwin/04193f188e4144d7047f83ad1de81d6034d175cd' (2024-10-24)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/dc2e0028d274394f73653c7c90cc63edbb696be1' (2024-10-16)
  → 'github:nixos/nixpkgs/89172919243df199fe237ba0f776c3e3e3d72367' (2024-10-20)
• Updated input 'unstable':
    'github:nixos/nixpkgs/a3c0b3b21515f74fd2665903d4ce6bc4dc81c77c' (2024-10-14)
  → 'github:nixos/nixpkgs/2768c7d042a37de65bb1b5b3268fc987e534c49d' (2024-10-23)
2024-10-24 14:53:39 +02:00
teutat3s cef7a561f3
Merge pull request 'garage: fix wildcard DNS cert renewal with wildcard CNAME records' (#245) from fix-dns-cert-renewal into main
Reviewed-on: #245
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-10-24 12:51:41 +00:00
teutat3s 281701b7b6
Merge pull request 'docs: fix IP for keycloak admin API' (#247) from update-docs into main
Reviewed-on: #247
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-10-24 12:51:31 +00:00
teutat3s 90bbaad7b7
Merge pull request 'trinkgenossin: fix network in initrd' (#244) from trinkgenossin-remote-luks into main
Reviewed-on: #244
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-10-24 12:51:18 +00:00
teutat3s 6a15c09509
docs: add hint how to get CACHIX_AUTH_TOKEN
All checks were successful
Flake checks / Check (pull_request) Successful in 21m8s
2024-10-23 20:59:07 +02:00
teutat3s 94d7db1331
docs: add examples for cachix usage 2024-10-23 20:59:06 +02:00
teutat3s 633f0a4402
docs: fix IP for keycloak admin API
All checks were successful
Flake checks / Check (pull_request) Successful in 20m57s
2024-10-23 20:28:55 +02:00
teutat3s 9758aeda5d
garage: fix wildcard DNS cert renewal with wildcard
All checks were successful
Flake checks / Check (pull_request) Successful in 20m13s
CNAME records

By usind wildcard CNAME records, we make lego think it needs to validate
challenges using these CNAME records. We actually want regular
_acme-challenge.* records, so use a environment variable to avoid CNAME
detection. This fixes DNS cert renewal. Still curious? See:
https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme/
2024-10-23 20:18:57 +02:00
teutat3s 2c29d27ce7
style: remove redundant brackets
All checks were successful
Flake checks / Check (pull_request) Successful in 21m41s
2024-10-23 20:18:03 +02:00
teutat3s 31a885926b
trinkgenossin: fix network in initrd, virtio_net
kernel module was missing. Also this is a QEMU host, hyperV is not
required.
2024-10-23 20:17:32 +02:00
teutat3s 0ae6bc637b
Merge pull request 'mastodon: host media files on pub.solar garage cluster' (#239) from mastodon-media-on-garage into main
Reviewed-on: #239
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-10-23 15:24:28 +00:00
teutat3s 5300f381b0
nginx: use safer request_uri variable
All checks were successful
Flake checks / Check (pull_request) Successful in 21m30s
Fix >> Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
2024-10-17 21:15:57 +02:00
teutat3s 8a18ee452b
garage: fix s3_api root_domain 2024-10-17 21:15:57 +02:00
teutat3s 666de2c8f4
mastodon: switch files.pub.solar from storj to garage
s3 backend
2024-10-17 21:15:55 +02:00
teutat3s b1391521b9
Merge pull request 'maintenance: update element-web, keycloak, mastodon, nextcloud' (#240) from flake-updates into main
Reviewed-on: #240
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-10-17 19:12:37 +00:00
teutat3s 987c0919ca
style: fix formatting
All checks were successful
Flake checks / Check (pull_request) Successful in 27m37s
2024-10-17 20:31:47 +02:00
teutat3s c39cf9c0b9
mastodon: update to version 4.3.0 from nixos-unstable
https://github.com/mastodon/mastodon/releases/tag/v4.3.0
https://github.com/NixOS/nixpkgs/pull/337545/files
2024-10-17 20:31:47 +02:00
teutat3s 3943f34c92
flake.lock: Update
Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/48ebb577855fb2398653f033b3b2208a9249203d' (2024-10-05)
  → 'github:nix-community/disko/d7d57edb72e54891fa67a6f058a46b2bb405663b' (2024-10-16)
• Updated input 'nix-darwin':
    'github:lnl7/nix-darwin/8c8388ade72e58efdeae71b4cbb79e872c23a56b' (2024-10-03)
  → 'github:lnl7/nix-darwin/a60ac02f9466f85f092e576fd8364dfc4406b5a6' (2024-10-14)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/6e6b3dd395c3b1eb9be9f2d096383a8d05add030' (2024-10-04)
  → 'github:nixos/nixpkgs/dc2e0028d274394f73653c7c90cc63edbb696be1' (2024-10-16)
• Updated input 'unstable':
    'github:nixos/nixpkgs/bc947f541ae55e999ffdb4013441347d83b00feb' (2024-10-04)
  → 'github:nixos/nixpkgs/a3c0b3b21515f74fd2665903d4ce6bc4dc81c77c' (2024-10-14)
2024-10-17 20:31:17 +02:00
b12f e85807a29b
Merge pull request 'nextcloud: docs how to get debug logs' (#238) from nextcloud-fix-logs into main
Reviewed-on: #238
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-10-16 15:29:26 +00:00
teutat3s c53d48384a
nextcloud: document how to get debugging logs
Some checks failed
Flake checks / Check (pull_request) Has been cancelled
2024-10-16 17:19:49 +02:00
teutat3s 9579f6adde
Merge pull request 'logins: add teutat3s secondary SSH public key' (#237) from teutat3s-add-ssh into main
Reviewed-on: #237
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-10-08 22:09:53 +00:00
teutat3s 01ca3b21c2
Merge pull request 'mastodon: actually use opensearch via module option' (#236) from mastodon-full-text-search into main
Reviewed-on: #236
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-10-08 21:03:39 +00:00
teutat3s d085e49925
logins: add teutat3s secondary SSH public key
Some checks failed
Flake checks / Check (pull_request) Failing after 6m51s
2024-10-08 19:10:20 +02:00
teutat3s 092a45e3bd
mastodon: actually use opensearch via module option
All checks were successful
Flake checks / Check (pull_request) Successful in 19m43s
2024-10-08 19:09:17 +02:00
teutat3s a8d865bbca
Merge pull request 'maintenance updates for element-web, forgejo, mastodon, matrix-synapse, nextcloud and others' (#235) from flake-updates into main
Reviewed-on: #235
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>
2024-10-05 12:30:07 +00:00
teutat3s df2f0d4442
flake: refactor, bye srid
All checks were successful
Flake checks / Check (pull_request) Successful in 24m21s
Refactor flake to work without nixos-flake and use native NixOS module
system. This is because of recent changes to nixos-flake, like renaming it
to nixos-unified and changing the API without a changelog or guide how
to update.
2024-10-05 14:03:40 +02:00