Commit graph

132 commits

Author SHA1 Message Date
95b5d4b3bd
nginx: Reduce number of rotated logs kept around 2023-12-15 17:04:42 +01:00
eb3bd485c4
metrics: Add size limit to victoriametrics 2023-12-15 17:04:39 +01:00
759a9c7c0c
conduit: Fix acme issue
letsencrypt will prod on port 80 to verify the domain. `listen`
overrides `addSSL`, so none of the NixOS modules' setup will actually
work.

This means the conduit virtualhost never listened on port 80, and
couldn't verify letsencrypt requests.

How this *ever* worked is beyond me, but this commit resolves the
problems (don't worry, `forceSSL` does what it says on the tin and
overrides the `listen` again).
2023-10-13 06:08:26 +02:00
55a4aaf48b
metrics: Add metrics with victoriametrics + grafana 2023-10-12 20:41:04 +02:00
78a9eac9bb
sops: Sort secrets alphabetically 2023-10-12 20:27:43 +02:00
87dd9daa4f
backups: Add atomic backups with restic 2023-10-12 20:27:34 +02:00
ab5e088016
conduit: Add Element X support 2023-09-18 04:17:16 +02:00
bb3ffbbd90
nextcloud: Configure redis caching 2023-07-29 18:17:39 +02:00
0c5755d2f0
nextcloud: Upgrade to version 27 2023-07-29 18:17:24 +02:00
88d96f198b
nextcloud: Apply recommended PHP setting 2023-07-28 12:19:00 +02:00
828d3f3878
services: Update outdated options 2023-07-28 11:23:56 +02:00
a3e2d2931c
services: Add FoundryVTT service 2023-05-11 22:22:30 +01:00
14d29fa49d
services: Add wireguard service 2023-05-11 22:09:39 +01:00
acd7cc802b
networking: Set up static IP address 2023-05-11 22:09:32 +01:00
74f38614a0
matrix: Add heisenbridge 2023-02-28 04:26:55 +00:00
33ec32a8da
conduit: Update to 0.5.0 2023-02-26 05:59:54 +00:00
bb397841ee
refactoring: Use flake-inputs instead of awkwardly passing through 2023-02-26 05:59:09 +00:00
b7feffc52f
hardware-configuration: Update to new auto-generated settings 2023-01-11 02:38:58 +00:00
b7726af1c4
config: Make changes suggested post 22.11 update 2023-01-11 02:38:56 +00:00
957ab110c5
firewall: Open Minecraft ports for port forwarding 2023-01-11 02:38:53 +00:00
f6e39e09a5
gitea: Update configuration for 22.11 2023-01-11 02:38:50 +00:00
b798efb2c0
nextcloud: Update the service and apps for 22.11 2023-01-11 02:38:42 +00:00
Tristan Daniël Maat
a28d385b17
conduit: Enable TURNS with a ZeroSSL-provided certificate 2022-11-05 22:26:52 +00:00
Tristan Daniël Maat
997707021b
config: Enable authorization through ssh agent
This enables sudo-via-yubikey and therefore makes `-t` obsolete, in
turn fixing a whole slew of issues with deploy-rs.

*And* seems more secure and convenient at the same time.
2022-11-05 18:01:07 +00:00
Tristan Daniël Maat
0528f73187
nginx: Remove mitigation for openssl CVE
This has been fixed; instead we just update to the latest openssl.
2022-11-05 17:33:28 +00:00
Tristan Daniël Maat
598c439002
conduit: Disable turns, remove the user limits and add all relay IPs 2022-11-05 17:10:39 +00:00
Tristan Daniël Maat
2304711359
config: Mitigate upcoming SSL CVE
See
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html

As 1.1 is unaffected, this override should be sufficient to evade this
problem.
2022-10-31 16:07:41 +00:00
Tristan Daniël Maat
b3e8b0e85c
default.nix: Turn on minimal profile 2022-10-30 18:26:45 +00:00
Tristan Daniël Maat
c72953e1ef
matrix: Add coturn support for calls 2022-10-29 01:39:09 +01:00
c56de6cf7e
conduit: Add new conduit service 2022-10-22 21:22:55 +01:00
61d3008bc3
nextcloud: Fetch apps using nvfetcher 2022-10-17 11:00:02 +01:00
c4fa991b62
treewide: Add fail2ban 2022-10-14 06:27:11 +01:00
1ddf23bd01
nextcloud: Update nextcloud version 2022-10-14 05:58:18 +01:00
78ecfd63a1
starbound: Fix post-update issues 2022-10-14 05:58:15 +01:00
e8b16459d9
treewide: Refactor in order to clean up flake.nix 2022-10-14 05:58:13 +01:00
068e6d5d77
webserver: Use a hardened systemd unit instead of a container 2022-10-14 05:58:11 +01:00
b6594cea54
gitea: Use a hardened systemd unit instead of a container 2022-10-14 05:58:08 +01:00
3cedb9f978
nextcloud: Use a hardened systemd unit instead of a container 2022-10-14 05:58:05 +01:00
6a81ce4c1d
sops: Improve secrets provisioning to split out staging 2022-10-12 23:22:50 +01:00
ab3aa19481
treewide: Perform another nitpicking sweep 2022-10-12 23:22:42 +01:00
7095ab2631
treewide: Remove minecraft server
This has fallen into disuse since the big Java vulnerability, and I
have ideas for better ways of doing this. Meanwhile it's making
maintenance and refactoring more difficult.

Hence I'll remove the server completely for the time being.
2022-10-12 13:12:04 +01:00
046a88905d
treewide: Reformat project with alejandra 2022-10-10 13:03:18 +01:00
58e52dd119
ssh: Allow proxy connections with gatewayPorts 2022-10-10 13:01:26 +01:00
ed74cfa576
starbound: Fix permissions for a syscall steamcmd needs 2022-04-23 09:31:21 +01:00
cd92ec64c2
Add starbound server 2022-04-23 08:47:13 +01:00
e7102adec1
Add sops-nix 2022-04-23 08:47:07 +01:00
c019187b37
postgres: Upgrade to version 14 2022-01-18 18:54:37 +00:00
b6f39969cc
Fix podman hostnames
It seems that with the newest version of podman container names are no
longer added as hostnames, meaning that any attempt to resolve
hostnames with the current config will fail. `localhost` is probably
more robust anyway, so we switch to that.

The bug manifests as broken services because nextcloud/gitea cannot
resolve their databases and nextcloud fails to resolve the php
server. To fix this on a running system, the gitea and nextcloud database
configurations will need to be hand-edited, since those values are
only set on initialization, and not updated when changed later.
2022-01-08 02:19:04 +00:00
bd7e4a3193
Fix service uid/gids 2022-01-08 00:33:01 +00:00
90926e2eee
nextcloud: Give nginx access to the nextcloud root 2021-10-13 15:29:12 +01:00