Commit graph

585 commits

Author SHA1 Message Date
teutat3s 679d9b236f
Merge pull request 'nginx: set worker_processes to number of CPU cores' (#146) from feat/nginx-tuning into main
Reviewed-on: #146
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-14 20:22:08 +00:00
teutat3s 78d5e5a4f0
chore: update flake inputs
All checks were successful
Flake checks / Check (pull_request) Successful in 23m27s
❯ nix store diff-closures $OLD_CLOSURE $NEW_CLOSURE
cpupower: 6.1.84 → 6.1.86
element-web: 1.11.63 → 1.11.64, +148.0 KiB
element-web-wrapped: 1.11.63 → 1.11.64
initrd-linux: 6.1.84 → 6.1.86
linux: 6.1.84, 6.1.84-modules → 6.1.86, 6.1.86-modules, +24.3 KiB
linux-firmware: 20240312 → 20240410, +493.3 KiB
nixos-system-nachtigall: 23.11.20240410.b2cf36f → 23.11.20240413.90055d5
owncast: 0.1.2 → 0.1.3, -376.1 KiB
php: 8.2.17 → 8.2.18
php-bcmath: 8.2.17 → 8.2.18
php-bz2: 8.2.17 → 8.2.18
php-calendar: 8.2.17 → 8.2.18
php-ctype: 8.2.17 → 8.2.18
php-curl: 8.2.17 → 8.2.18
php-dom: 8.2.17 → 8.2.18
php-exif: 8.2.17 → 8.2.18
php-extra-init: 8.2.17.ini → 8.2.18.ini
php-fileinfo: 8.2.17 → 8.2.18
php-filter: 8.2.17 → 8.2.18
php-ftp: 8.2.17 → 8.2.18
php-gd: 8.2.17 → 8.2.18
php-gettext: 8.2.17 → 8.2.18
php-gmp: 8.2.17 → 8.2.18
php-iconv: 8.2.17 → 8.2.18
php-imap: 8.2.17 → 8.2.18
php-intl: 8.2.17 → 8.2.18
php-ldap: 8.2.17 → 8.2.18
php-mbstring: 8.2.17 → 8.2.18
php-mysqli: 8.2.17 → 8.2.18
php-mysqlnd: 8.2.17 → 8.2.18
php-opcache: 8.2.17 → 8.2.18
php-openssl: 8.2.17 → 8.2.18
php-pcntl: 8.2.17 → 8.2.18
php-pdo: 8.2.17 → 8.2.18
php-pdo_mysql: 8.2.17 → 8.2.18
php-pdo_odbc: 8.2.17 → 8.2.18
php-pdo_pgsql: 8.2.17 → 8.2.18
php-pdo_sqlite: 8.2.17 → 8.2.18
php-pgsql: 8.2.17 → 8.2.18
php-posix: 8.2.17 → 8.2.18
php-readline: 8.2.17 → 8.2.18
php-session: 8.2.17 → 8.2.18
php-simplexml: 8.2.17 → 8.2.18
php-soap: 8.2.17 → 8.2.18
php-sockets: 8.2.17 → 8.2.18
php-sodium: 8.2.17 → 8.2.18
php-sqlite3: 8.2.17 → 8.2.18
php-sysvsem: 8.2.17 → 8.2.18
php-tokenizer: 8.2.17 → 8.2.18
php-with-extensions: 8.2.17 → 8.2.18
php-xmlreader: 8.2.17 → 8.2.18
php-xmlwriter: 8.2.17 → 8.2.18
php-zip: 8.2.17 → 8.2.18
php-zlib: 8.2.17 → 8.2.18
searxng: ∅ → 0-unstable-2024-03-08, +15337.5 KiB
searxng-unstable: 2023-10-31 → ∅, -14965.6 KiB
source: +470.3 KiB
uwsgi: 2.0.23 → 2.0.24
zfs-kernel: 2.2.3-6.1.84 → 2.2.3-6.1.86
2024-04-14 22:09:37 +02:00
teutat3s c768203bed
nginx: set worker_processes to number of CPU cores
All checks were successful
Flake checks / Check (pull_request) Successful in 12m4s
and set worker_connections to 1024

https://nginx.org/en/docs/ngx_core_module.html#worker_processes
https://nginx.org/en/docs/ngx_core_module.html#worker_connections
2024-04-14 17:39:56 +02:00
teutat3s b0c466869e
Merge pull request 'wireguard: use IP addresses for wireguard endpoints' (#145) from fix/use-ip-for-wireguard into main
Reviewed-on: #145
Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>
2024-04-12 20:40:39 +00:00
teutat3s b6a54efd9a
fix: add comment with hostnames to wireguard peers
All checks were successful
Flake checks / Check (pull_request) Successful in 12m31s
2024-04-12 22:36:17 +02:00
Benjamin Yule Bädorf 7e145040cc
wireguard: use IP addresses for wireguard endpoints
All checks were successful
Flake checks / Check (pull_request) Successful in 13m14s
Otherwise the hostnames written to the /etc/hosts file are already
pointing at the wireguard IP-addresses, so they can never connect.
2024-04-12 22:31:28 +02:00
b12f 9d94b888ae
Merge pull request 'networking: add wireguard hosts to /etc/hosts' (#144) from wireguard/add-etc-hosts into main
Reviewed-on: #144
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-12 19:54:09 +00:00
teutat3s 8a9fe3b8fe
chore: update flake inputs
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/d272ca50d1f7424fbfcd1e6f1c9e01d92f6da167' (2024-04-08)
  → 'github:nixos/nixpkgs/b2cf36f43f9ef2ded5711b30b1f393ac423d8f72' (2024-04-10)
• Updated input 'unstable':
    'github:nixos/nixpkgs/4cba8b53da471aea2ab2b0c1f30a81e7c451f4b6' (2024-04-08)
  → 'github:nixos/nixpkgs/1042fd8b148a9105f3c0aca3a6177fd1d9360ba5' (2024-04-10)
2024-04-12 19:54:09 +00:00
teutat3s 8743ea7b0c
networking: add wireguard hosts to /etc/hosts
Also re-enable DNSSEC, it's reported fixed in systemd-resolved
2024-04-12 19:54:09 +00:00
b12f 8743b50f7f
Merge pull request 'forgejo: also reroute ssh traffic for ipv6' (#139) from forgejo/reroute-ssh-ipv6 into main
Reviewed-on: #139
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-12 19:38:15 +00:00
Benjamin Yule Bädorf 316ba9ef53
forgejo: also reroute ssh traffic for ipv6 2024-04-12 19:38:15 +00:00
teutat3s afca75441c
Merge pull request 'forgejo: enable repo search (indexer), save login cookie for 365 days' (#142) from feat/forgejo-enable-search into main
Reviewed-on: #142
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-06 16:07:42 +00:00
teutat3s 9698c47530
Merge pull request 'mastodon: clean media older than 7 days' (#143) from mastodon/auto-clean-7-days into main
Reviewed-on: #143
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-06 16:07:34 +00:00
teutat3s ccb029dde3
Merge pull request 'wireguard: add ryzensun to teutat3s' hosts' (#141) from wireguard/add-ryzensun-host into main
Reviewed-on: #141
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-06 16:07:21 +00:00
teutat3s 41e4d3427c
mastodon: clean media older than 7 days
All checks were successful
Flake checks / Check (pull_request) Successful in 8m3s
Currently we keep everything for 30 days, which is about 180GB
2024-04-05 23:50:04 +02:00
teutat3s 16e9d476cb
Merge pull request 'docs: include notes regarding rollback in deploy docs, misc updates' (#140) from docs/update-deployment-docs into main
Reviewed-on: #140
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-05 21:39:46 +00:00
teutat3s 3caf085d0b
wireguard: add ryzensun to teutat3s' hosts
All checks were successful
Flake checks / Check (pull_request) Successful in 8m23s
2024-04-05 23:32:59 +02:00
teutat3s c5159dd66d
forgejo: enable repo search (indexer), save login
All checks were successful
Flake checks / Check (pull_request) Successful in 7m54s
cookie for 365 days instead of default 7 days.
Caveat for the repo indexer is that repository size on disk will grow
by factor of 6. Forgejo repositories currently use 4.7GB on disk, with
3.3GB being a nixpkgs fork.
2024-04-05 23:29:49 +02:00
teutat3s b27f8c1380
docs: include notes regarding rollback in deploy
All checks were successful
Flake checks / Check (pull_request) Successful in 7m55s
docs, misc updates
2024-04-05 23:03:43 +02:00
b12f 76ca43142a
Merge pull request 'forgejo: make SSH keys declarative' (#138) from forgejo/ssh-keys-declarative into main
Reviewed-on: #138
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-05 19:35:55 +00:00
Benjamin Yule Bädorf 16c6aa3b61
forgejo: make SSH keys declarative 2024-04-05 19:35:55 +00:00
teutat3s 315cbf5813
Merge pull request 'fix(nextcloud): define a maintenance window' (#135) from chore/nextcloud-config-maintenance-window into main
Reviewed-on: #135
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-05 18:41:17 +00:00
b12f 9191729f5c
Merge pull request 'nachtigall: forgejo: update firewall settings' (#137) from fix/git-forgejo-open-service-port-in-firewall into main
Reviewed-on: #137
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-05 16:51:36 +00:00
Hendrik Sokolowski b6b8d69852
nachtigall: forgejo: update firewall settings
All checks were successful
Flake checks / Check (pull_request) Successful in 8m11s
2024-04-05 18:39:43 +02:00
b12f 4380c3b0ab
Merge pull request 'forgejo: use iptables routing instead of ssh patch' (#136) from fix/forgejo-ssh-again into main
Reviewed-on: #136
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-05 15:26:10 +00:00
Benjamin Yule Bädorf e618b9f9c2
forgejo: use iptables routing instead of ssh patch
All checks were successful
Flake checks / Check (pull_request) Successful in 8m18s
2024-04-05 17:00:28 +02:00
b12f ae0c90e4f8
Merge pull request 'forgejo: allow multiple host addresses for SSH' (#133) from fix/forgejo-multi-host into main
Reviewed-on: #133
Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>
2024-04-05 14:27:03 +00:00
Benjamin Yule Bädorf d7c9333ff4
forgejo: allow multiple host addresses for SSH
All checks were successful
Flake checks / Check (pull_request) Successful in 9m1s
2024-04-05 14:26:56 +00:00
teutat3s 18a62b8d35
fix(nextcloud): define a maintenance window for
All checks were successful
Flake checks / Check (pull_request) Successful in 4m39s
resource intensive background jobs. Docs:
https://docs.nextcloud.com/server/28/admin_manual/configuration_server/background_jobs_configuration.html

> A value of 1 e.g. will only run these background jobs between 01:00am
UTC and 05:00am UTC
2024-04-05 16:23:16 +02:00
Hendrik Sokolowski 9ec77e2a30
Update flake.nix (#134)
Update deploy node settinsg with wireguard ips

Reviewed-on: #134
Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-05 14:11:42 +00:00
b12f 1bcb8bb7e0
Merge pull request 'admins: Add axeman's wireguard device' (#132) from axeman-wireguard into main
Reviewed-on: #132
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-05 13:41:43 +00:00
Akshay Mankar cf1e6f8134
admins: Add axeman's wireguard device
All checks were successful
Flake checks / Check (pull_request) Successful in 8m48s
2024-04-05 15:41:21 +02:00
b12f 83e293016f
Merge pull request 'docs: explain admin access and secrets' (#130) from docs/admin-access into main
Reviewed-on: #130
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-05 12:56:51 +00:00
Benjamin Yule Bädorf 91a2b66134
docs: explain admin access and secrets 2024-04-05 12:56:51 +00:00
b12f 2851273d18
Merge pull request 'security/close-ssh' (#128) from security/close-ssh into main
Reviewed-on: #128
Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-05 12:51:04 +00:00
Benjamin Yule Bädorf b1519c8f22
ssh: only allow ssh on wireguard interface
All checks were successful
Flake checks / Check (pull_request) Successful in 8m16s
2024-04-05 14:28:18 +02:00
Benjamin Yule Bädorf f7eaef0d18
wireguard: fix flora-6 address and private key
Reviewed-on: #129
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
Co-authored-by: Benjamin Yule Bädorf <git@benjaminbaedorf.eu>
Co-committed-by: Benjamin Yule Bädorf <git@benjaminbaedorf.eu>
2024-04-05 11:26:38 +00:00
b12f 51523439e7
Merge pull request 'feat/wireguard' (#126) from feat/wireguard into main
Reviewed-on: #126
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-05 11:09:31 +00:00
Benjamin Yule Bädorf 48845d6cf6
logins/wireguard: move teutat3s wireguard device 2024-04-05 11:09:31 +00:00
Hendrik Sokolowski c53adf51f7
logins: add judy for hensoko 2024-04-05 11:09:31 +00:00
Benjamin Yule Bädorf a795f0824f
logins: fix admin login merging 2024-04-05 11:09:31 +00:00
Benjamin Yule Bädorf 83125ae472
logins: check for missing wireguard device attribute 2024-04-05 11:09:31 +00:00
teutat3s 147ed44b9a
wireguard: add dumpyourvms 2024-04-05 11:09:31 +00:00
Benjamin Yule Bädorf 621e9336ed
wireguard: add basic keys 2024-04-05 11:09:31 +00:00
Benjamin Yule Bädorf eacf60974c
wireguard: initial commit 2024-04-05 11:09:31 +00:00
b12f 6748e44824
Merge pull request 'chore: update element-desktop, matrix-synapse, nextcloud and misc' (#127) from chore/flake-updates into main
Reviewed-on: #127
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-05 11:06:25 +00:00
teutat3s 815dccc0b4
chore: update flake inputs
All checks were successful
Flake checks / Check (pull_request) Successful in 1h15m46s
• Updated input 'agenix':
    'github:ryantm/agenix/8cb01a0e717311680e0cbca06a76cbceba6f3ed6' (2024-02-13)
  → 'github:ryantm/agenix/1381a759b205dff7a6818733118d02253340fd5e' (2024-04-02)
• Updated input 'deploy-rs':
    'github:serokell/deploy-rs/0a0187794ac7f7a1e62cda3dabf8dc041f868790' (2024-02-16)
  → 'github:serokell/deploy-rs/88b3059b020da69cbe16526b8d639bd5e0b51c8b' (2024-04-01)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2' (2024-03-01)
  → 'github:hercules-ci/flake-parts/9126214d0a59633752a136528f5f3b9aa8565b7d' (2024-04-01)
• Updated input 'flake-parts/nixpkgs-lib':
    'github:NixOS/nixpkgs/1536926ef5621b09bba54035ae2bb6d806d72ac8?dir=lib' (2024-02-29)
  → 'github:NixOS/nixpkgs/d8fe5e6c92d0d190646fb9f1056741a229980089?dir=lib' (2024-03-29)
• Updated input 'home-manager':
    'github:nix-community/home-manager/652fda4ca6dafeb090943422c34ae9145787af37' (2024-02-03)
  → 'github:nix-community/home-manager/f33900124c23c4eca5831b9b5eb32ea5894375ce' (2024-03-19)
• Updated input 'nix-darwin':
    'github:lnl7/nix-darwin/bcc8afd06e237df060c85bad6af7128e05fd61a3' (2024-03-17)
  → 'github:lnl7/nix-darwin/36524adc31566655f2f4d55ad6b875fb5c1a4083' (2024-03-30)
• Updated input 'nixos-flake':
    'github:srid/nixos-flake/05f9464e282dee5a706273f50344a8201d8980b5' (2024-03-19)
  → 'github:srid/nixos-flake/7b19503e7f8c7cc0884fc2fbd669c0cc2e05aef5' (2024-03-25)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/fa9f817df522ac294016af3d40ccff82f5fd3a63' (2024-03-19)
  → 'github:nixos/nixpkgs/1487bdea619e4a7a53a4590c475deabb5a9d1bfb' (2024-04-03)
• Updated input 'unstable':
    'github:nixos/nixpkgs/b06025f1533a1e07b6db3e75151caa155d1c7eb3' (2024-03-19)
  → 'github:nixos/nixpkgs/fd281bd6b7d3e32ddfa399853946f782553163b5' (2024-04-03)
2024-04-04 18:49:09 +02:00
b12f dda8ed6938
Merge pull request 'mediawiki: update to v1.41.1' (#125) from mediawiki/v1.41.1 into main
Reviewed-on: #125
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-03-29 23:41:43 +00:00
Benjamin Yule Bädorf 9433a8aea7
mediawiki: update to v1.41.1
All checks were successful
Flake checks / Check (pull_request) Successful in 7m58s
2024-03-30 00:10:09 +01:00
b12f 37ebcb3669
Merge pull request 'website: add security.txt' (#122) from feat/security-txt into main
Reviewed-on: #122
Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>
2024-03-25 16:26:17 +00:00