Commit graph

227 commits

Author SHA1 Message Date
teutat3s fa9ce9d435
gitea-actions-runner: don't run as systemd DynamicUser
to enable usage of cache outside of /var/lib/private
Some checks failed
Flake checks / Check (pull_request) Failing after 4m55s
2024-04-23 15:42:33 +02:00
teutat3s 9541e5029e
flora-6: move forgejo-runner cache directory to /data
All checks were successful
Flake checks / Check (pull_request) Successful in 13m34s
2024-04-23 15:12:11 +02:00
teutat3s c86e22b292
ci: update forgejo-runner to version 3.4.1
https://github.com/NixOS/nixpkgs/pull/301383
2024-04-23 00:38:53 +02:00
Hendrik Sokolowski a9411d05a8
set pruneOpts for restic backups to daily 7, weekly 4, monthly 3
All checks were successful
Flake checks / Check (pull_request) Successful in 12m5s
2024-04-22 20:06:49 +02:00
teutat3s c07d24f6a7
flora-6: add wg-ssh to ignored interfaces
for systemd-wait-online to start successfully
All checks were successful
Flake checks / Check (pull_request) Successful in 21m7s
2024-04-14 23:22:53 +02:00
teutat3s c768203bed
nginx: set worker_processes to number of CPU cores
and set worker_connections to 1024

https://nginx.org/en/docs/ngx_core_module.html#worker_processes
https://nginx.org/en/docs/ngx_core_module.html#worker_connections
All checks were successful
Flake checks / Check (pull_request) Successful in 12m4s
2024-04-14 17:39:56 +02:00
teutat3s b6a54efd9a
fix: add comment with hostnames to wireguard peers
All checks were successful
Flake checks / Check (pull_request) Successful in 12m31s
2024-04-12 22:36:17 +02:00
Benjamin Yule Bädorf 7e145040cc
wireguard: use IP addresses for wireguard endpoints
Otherwise the hostnames written to the /etc/hosts file are already
pointing at the wireguard IP-addresses, so they can never connect.
All checks were successful
Flake checks / Check (pull_request) Successful in 13m14s
2024-04-12 22:31:28 +02:00
teutat3s 8743ea7b0c
networking: add wireguard hosts to /etc/hosts
Also re-enable DNSSEC, it's reported fixed in systemd-resolved
2024-04-12 19:54:09 +00:00
Benjamin Yule Bädorf 316ba9ef53
forgejo: also reroute ssh traffic for ipv6
2024-04-12 19:38:15 +00:00
teutat3s afca75441c
Merge pull request 'forgejo: enable repo search (indexer), save login cookie for 365 days' (#142) from feat/forgejo-enable-search into main
Reviewed-on: #142
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-06 16:07:42 +00:00
teutat3s 9698c47530
Merge pull request 'mastodon: clean media older than 7 days' (#143) from mastodon/auto-clean-7-days into main
Reviewed-on: #143
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-06 16:07:34 +00:00
teutat3s 41e4d3427c
mastodon: clean media older than 7 days
Currently we keep everything for 30 days, which is about 180GB
All checks were successful
Flake checks / Check (pull_request) Successful in 8m3s
2024-04-05 23:50:04 +02:00
teutat3s c5159dd66d
forgejo: enable repo search (indexer), save login cookie for 365 days instead of default 7 days.
Caveat for the repo indexer is that repository size on disk will grow
by factor of 6. Forgejo repositories currently use 4.7GB on disk, with
3.3GB being a nixpkgs fork.
All checks were successful
Flake checks / Check (pull_request) Successful in 7m54s
2024-04-05 23:29:49 +02:00
Benjamin Yule Bädorf 16c6aa3b61
forgejo: make SSH keys declarative
2024-04-05 19:35:55 +00:00
teutat3s 315cbf5813
Merge pull request 'fix(nextcloud): define a maintenance window' (#135) from chore/nextcloud-config-maintenance-window into main
Reviewed-on: #135
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-05 18:41:17 +00:00
Hendrik Sokolowski b6b8d69852
nachtigall: forgejo: update firewall settings
All checks were successful
Flake checks / Check (pull_request) Successful in 8m11s
2024-04-05 18:39:43 +02:00
Benjamin Yule Bädorf e618b9f9c2
forgejo: use iptables routing instead of ssh patch
All checks were successful
Flake checks / Check (pull_request) Successful in 8m18s
2024-04-05 17:00:28 +02:00
Benjamin Yule Bädorf d7c9333ff4
forgejo: allow multiple host addresses for SSH
All checks were successful
Flake checks / Check (pull_request) Successful in 9m1s
2024-04-05 14:26:56 +00:00
teutat3s 18a62b8d35
fix(nextcloud): define a maintenance window for resource intensive background jobs. Docs:
https://docs.nextcloud.com/server/28/admin_manual/configuration_server/background_jobs_configuration.html

> A value of 1 e.g. will only run these background jobs between 01:00am
> UTC and 05:00am UTC
All checks were successful
Flake checks / Check (pull_request) Successful in 4m39s
2024-04-05 16:23:16 +02:00
Benjamin Yule Bädorf f7eaef0d18
wireguard: fix flora-6 address and private key
Reviewed-on: #129
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
Co-authored-by: Benjamin Yule Bädorf <git@benjaminbaedorf.eu>
Co-committed-by: Benjamin Yule Bädorf <git@benjaminbaedorf.eu>
2024-04-05 11:26:38 +00:00
Benjamin Yule Bädorf 621e9336ed
wireguard: add basic keys
2024-04-05 11:09:31 +00:00
Benjamin Yule Bädorf eacf60974c
wireguard: initial commit
2024-04-05 11:09:31 +00:00
Benjamin Yule Bädorf 9433a8aea7
mediawiki: update to v1.41.1
All checks were successful
Flake checks / Check (pull_request) Successful in 7m58s
2024-03-30 00:10:09 +01:00
b12f 6aea728583
Merge branch 'main' into feat/security-txt
All checks were successful
Flake checks / Check (pull_request) Successful in 7m4s
2024-03-25 15:38:30 +00:00
Benjamin Yule Bädorf b9cffad02a
matrix: set forgotten_room_retention_period to 7d
All checks were successful
Flake checks / Check (pull_request) Successful in 7m4s
This commit sets the value for the synapse config option
`forgotten_room_retention_period` to 7 days. This was previously unset,
meaning rooms that had no more local users were never purged from the database.

The new value makes sure that 7 days after the last local user left a
room, it will be permanently deleted from the database.

https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html?highlight=forgotten_room_retention_period#forgotten_room_retention_period
2024-03-24 18:24:30 +01:00
Benjamin Yule Bädorf 2bb2247716
website: add security.txt
All checks were successful
Flake checks / Check (pull_request) Successful in 6m58s
Ref: pub-solar/legal#11
2024-03-23 11:07:04 +01:00
teutat3s 45e91d7ef1
fix: drone port should bind to localhost
All checks were successful
Flake checks / Check (pull_request) Successful in 18m12s
2024-03-21 10:44:40 +01:00
teutat3s c49ffb2d5b
fix: nginx duplicate default server
All checks were successful
Flake checks / Check (pull_request) Successful in 4m53s
nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /etc/nginx/nginx.conf:665
2024-02-25 23:02:00 +01:00
Benjamin Yule Bädorf de04556191
nginx/miom: disable logging
All checks were successful
Flake checks / Check (pull_request) Successful in 4m42s
2024-02-25 21:41:06 +00:00
Benjamin Yule Bädorf 0e89b7f210
nginx/miom: init miom.space website
This adds an nginx configuration for https://miom.space/. MiOM is a
creative collective in Cologne that frequently hosts our hakken.irl
hackathons. They're already using our cloud to organize.

This service is a bit more specific than most pub.solar services and falls
into a similar category as the obs-portal.

On the old miom website all logging was turned off, we might want to do
the same thing in nginx here as well then.
2024-02-25 21:41:06 +00:00
Benjamin Yule Bädorf 24b77b6de5
nginx/pub.solar: disable logging for homepage
All checks were successful
Flake checks / Check (pull_request) Successful in 4m45s
2024-02-25 18:51:24 +01:00
teutat3s 842ec945f4
forgejo: appName option has been renamed
All checks were successful
Flake checks / Check (pull_request) Successful in 10m14s
trace: warning: The option `services.forgejo.appName' defined in
`/nix/store/z68x68rbw9sg4d7mcjrjd6aq598rmrwf-source/hosts/nachtigall/apps/forgejo.nix'
has been renamed to `services.forgejo.settings.DEFAULT.APP_NAME'.
2024-02-07 19:02:04 +01:00
teutat3s d67190d175
feat: init tmate-ssh-server
https://tmate.io
2024-02-07 19:01:36 +01:00
teutat3s f43ba01ee6
feat: use forgejo NixOS module with gitea user
All checks were successful
Flake checks / Check (pull_request) Successful in 7m50s
https://nixos.org/manual/nixos/stable/#module-forgejo-migration-gitea
2024-02-06 12:19:45 +01:00
teutat3s 4ce188edec
metrics(matrix-synapse): enable internal MAU metrics
All checks were successful
Flake checks / Check (pull_request) Successful in 7m55s
https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#mau_stats_only
2024-02-01 15:51:55 +01:00
teutat3s 62c248348a
Merge pull request 'feat(grafana): add synapse dashboard' (#106) from feat/grafana-synapse-dashboard into main
Reviewed-on: #106
Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>
2024-02-01 10:31:43 +00:00
teutat3s 031bab4a4e
fix(nextcloud): interned_strings_buffer should be powers of 2
All checks were successful
Flake checks / Check (pull_request) Successful in 8m39s
2024-02-01 11:21:10 +01:00
teutat3s 33d80dc558
feat(grafana): add synapse dashboard
All checks were successful
Flake checks / Check (pull_request) Successful in 8m6s
Source:
https://github.com/element-hq/synapse/blob/master/contrib/grafana/synapse.json
2024-01-30 20:00:41 +01:00
teutat3s 576ceb6875
fix(matrix-synapse): mail hostname, missing tls setting on metrics listener
All checks were successful
Flake checks / Check (pull_request) Successful in 21m21s
2024-01-30 19:42:48 +01:00
teutat3s 69b976607f
fix(matrix-synapse): make sure to find element in
list of config.services.matrix-synapse.settings.listeners that sets
type = "metrics" instead of just using the first element in the list
All checks were successful
Flake checks / Check (pull_request) Successful in 8m33s
2024-01-29 00:44:53 +01:00
teutat3s 62429bca08
fix(matrix-synapse): make sure to find element in
list of config.services.matrix-synapse.settings.listeners.*.resources
that sets names = "client" instead of just using the first element in the list of listeners
2024-01-29 00:44:53 +01:00
teutat3s 3cfdd9d20a
refactor(matrix-synapse): get first listener port
2024-01-29 00:44:52 +01:00
teutat3s 2f75ae7e62
feat(matrix-synapse): enable metrics
Following:
https://github.com/matrix-org/synapse/blob/develop/docs/metrics-howto.md
2024-01-29 00:44:13 +01:00
teutat3s 815033c764
treewide: apply nixpkgs-fmt
Used command:
nixpkgs-fmt .
2024-01-27 20:29:30 +01:00
teutat3s b3b3725c9f
feat: php opcache tuning for nextcloud
All checks were successful
Flake checks / Check (pull_request) Successful in 9m19s
https://docs.nextcloud.com/server/latest/admin_manual/installation/server_tuning.html#:~:text=opcache.jit%20%3D%201255%20opcache.jit_buffer_size%20%3D%20128m
2024-01-25 20:19:32 +01:00
teutat3s be668fbb17
fix: nextcloud likes interned strings buffer > 8
All checks were successful
Flake checks / Check (pull_request) Successful in 19m28s
7cf6f51516 made a wrong assumption
2024-01-23 22:18:58 +01:00
teutat3s ffdf55993f
fix(nginx): [warn] could not build optimal proxy_headers_hash
All checks were successful
Flake checks / Check (pull_request) Successful in 10m14s
nginx: [warn] could not build optimal proxy_headers_hash, you should
increase either proxy_headers_hash_max_size: 2048 or
proxy_headers_hash_bucket_size: 64; ignoring
proxy_headers_hash_bucket_size
2024-01-17 15:16:06 +01:00
teutat3s 94ae6c9302
fix(mastodon): use working unix sockets for streaming api
All checks were successful
Flake checks / Check (pull_request) Successful in 10m35s
The streaming API is currently unusable because we still pass traffic
to the old unix socket path.
Since c82195d9e8 (diff-157b1ef68573bbec951d6e551513a555e2d1ca7a161a68f1978b11d39a0bef1eR789-R803)
there are multiple unix sockets involved.
2024-01-17 10:32:03 +01:00
teutat3s 5590b5b1b3
fix: remove QuickInstantCommons extension
All checks were successful
Flake checks / Check (pull_request) Successful in 4m34s
Docker image updated in 529554b4d1

Seems currently broken:
https://wiki.pub.solar/index.php/Special:RecentChanges with the
extension enabled throws:

Internal error LogicException: Backend with name 'wikimediacommons-backend' already registered.
2024-01-08 21:53:14 +01:00