Tristan Daniël Maat
997707021b
config: Enable authorization through ssh agent
This enables sudo-via-yubikey and therefore makes `-t` obsolete, in
turn fixing a whole slew of issues with deploy-rs.
*And* seems more secure and convenient at the same time.
2022-11-05 18:01:07 +00:00
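As an added illustration, not the repository's own configuration: the NixOS settings that give sudo an SSH-agent authentication path, which is what removes the need for a TTY and a password prompt (I read the `-t` above as ssh's pty allocation for an interactive sudo prompt; that is an assumption). The `deploy` user, the key string and the hostname are placeholders.

```nix
{ config, lib, pkgs, ... }:

{
  # Build pam_ssh_agent_auth into the PAM stack and enable it for sudo.
  # NixOS points the module at the same files sshd consults for
  # authorized keys (~/.ssh/authorized_keys and /etc/ssh/authorized_keys.d/<user>).
  # On NixOS 23.11 and later the first option is security.pam.sshAgentAuth.enable.
  security.pam.enableSSHAgentAuth = true;
  security.pam.services.sudo.sshAgentAuth = true;

  # sudo must keep the agent socket in the environment, otherwise the PAM
  # module has nothing to talk to. NixOS's sudo module adds an equivalent
  # env_keep line itself; restating it here only documents the requirement.
  security.sudo.extraConfig = ''
    Defaults env_keep += "SSH_AUTH_SOCK"
  '';

  # Placeholder deploy user with a declaratively managed key. The copy in
  # /etc/ssh/authorized_keys.d is generated from the configuration and is not
  # writable by the user. Note that ~/.ssh/authorized_keys is still honoured,
  # so a key added there by a compromised user session would also grant sudo;
  # narrow services.openssh.authorizedKeysFiles if that matters to you.
  users.users.deploy = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDONOTUSE deploy@workstation"
    ];
  };

  # Public-key only on the sshd side; a password login would otherwise
  # bypass the hardware-backed key entirely.
  # (services.openssh.settings.PasswordAuthentication on NixOS 23.05 and later.)
  services.openssh.passwordAuthentication = false;
}
```

On the client, forward the agent only to this host (`ssh -A host` or a per-host `ForwardAgent yes`), never globally: for the duration of the session anyone with root on the remote can use the forwarded socket. With a YubiKey-backed key that requires a touch, each `sudo` becomes one physical confirmation, which is the property that makes this both more convenient than a password and harder to abuse from a stolen shell.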
Tristan Daniël Maat
0528f73187
nginx: Remove mitigation for openssl CVE
This has been fixed, instead we just update to the latest openssl.
2022-11-05 17:33:28 +00:00
Tristan Daniël Maat
598c439002
conduit: Disable turns, remove the user limits and add all relay IPs
2022-11-05 17:10:39 +00:00
Tristan Daniël Maat
2304711359
config: Mitigate upcoming SSL CVE
See
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
As 1.1 is unaffected, this override should be sufficient to evade this
problem.
2022-10-31 16:07:41 +00:00
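An added example, not the commit's own diff, of the override the message describes, together with the evaluation-time check a practitioner would want so the pin is neither forgotten nor silently applied to a tree that is already fixed. The issue announced at that URL was fixed in OpenSSL 3.0.7 (CVE-2022-3602 and CVE-2022-3786 affect 3.0.0 through 3.0.6; the 1.1.1 branch is unaffected). `<host>` in the check command is a placeholder.

```nix
{ config, lib, pkgs, ... }:

{
  # Replace the default openssl with the 1.1.1 branch. Everything that links
  # against pkgs.openssl is rebuilt from source and nothing comes from the
  # binary cache, so budget for a long rebuild of most of the closure.
  nixpkgs.overlays = [
    (final: prev: {
      openssl = prev.openssl_1_1;
    })
  ];

  # Refuse to evaluate a system whose openssl falls in the affected range.
  # This keeps guarding after the overlay above is removed again.
  assertions = [{
    assertion =
      lib.versionOlder pkgs.openssl.version "3.0"
      || lib.versionAtLeast pkgs.openssl.version "3.0.7";
    message = "openssl ${pkgs.openssl.version} is in the affected 3.0.0-3.0.6 range";
  }];
}
```

To confirm what a host actually gets, evaluate the version from the flake rather than trusting the overlay by inspection: `nix eval --raw .#nixosConfigurations.<host>.pkgs.openssl.version`. The pin was only ever a stopgap, as the later commit removing it shows: 1.1.1 reached end of life in September 2023 and is marked insecure in current nixpkgs.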
Tristan Daniël Maat
b3e8b0e85c
default.nix: Turn on minimal profile
2022-10-30 18:26:45 +00:00
Tristan Daniël Maat
c72953e1ef
matrix: Add coturn support for calls
2022-10-29 01:39:09 +01:00
Tristan Daniël Maat
c56de6cf7e
conduit: Add new conduit service
2022-10-22 21:22:55 +01:00
Tristan Daniël Maat
61d3008bc3
nextcloud: Fetch apps using nvfetcher
2022-10-17 11:00:02 +01:00
Tristan Daniël Maat
c4fa991b62
treewide: Add fail2ban
2022-10-14 06:27:11 +01:00
Tristan Daniël Maat
1ddf23bd01
nextcloud: Update nextcloud version
2022-10-14 05:58:18 +01:00
Tristan Daniël Maat
78ecfd63a1
starbound: Fix post-update issues
2022-10-14 05:58:15 +01:00
Tristan Daniël Maat
e8b16459d9
treewide: Refactor in order to clean up flake.nix
2022-10-14 05:58:13 +01:00
Tristan Daniël Maat
068e6d5d77
webserver: Use a hardened systemd unit instead of a container
2022-10-14 05:58:11 +01:00
Tristan Daniël Maat
b6594cea54
gitea: Use a hardened systemd unit instead of a container
2022-10-14 05:58:08 +01:00
Tristan Daniël Maat
3cedb9f978
nextcloud: Use a hardened systemd unit instead of a container
2022-10-14 05:58:05 +01:00
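An added example, not the repository's unit, of what "hardened systemd unit instead of a container" looks like in a NixOS module: the sandboxing directives are factored into one attribute set shared by the three services named in these commits, and a small placeholder web server stands in for the real one. The `webserver` name, the port and the use of Python's http.server are assumptions for illustration.

```nix
{ config, lib, pkgs, ... }:

let
  # Sandboxing shared by the units that replaced the containers. Each line is
  # a systemd.exec(5) directive; together they give a throwaway UID, a
  # read-only view of the filesystem, no capabilities and a syscall allowlist.
  hardening = {
    DynamicUser = true;
    NoNewPrivileges = true;
    ProtectSystem = "strict";
    ProtectHome = true;
    PrivateTmp = true;
    PrivateDevices = true;
    ProtectKernelTunables = true;
    ProtectKernelModules = true;
    ProtectKernelLogs = true;
    ProtectControlGroups = true;
    ProtectClock = true;
    ProtectHostname = true;
    ProtectProc = "invisible";
    ProcSubset = "pid";
    RestrictNamespaces = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    LockPersonality = true;
    MemoryDenyWriteExecute = true;
    RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
    SystemCallArchitectures = "native";
    SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
    CapabilityBoundingSet = "";
    UMask = "0077";
  };
in
{
  systemd.services.webserver = {
    description = "Static web server (placeholder for the real one)";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = hardening // {
      # Placeholder daemon; bind to loopback and let nginx front it.
      ExecStart = "${pkgs.python3}/bin/python3 -m http.server 8080 --bind 127.0.0.1 --directory /var/lib/webserver";
      # The one writable path the service gets; systemd creates it and
      # chowns it to the dynamic user, which ProtectSystem=strict would
      # otherwise forbid.
      StateDirectory = "webserver";
      Restart = "on-failure";
    };
  };
}
```

Score the result with `systemd-analyze security webserver.service` and compare it against the container it replaced. When the allowlist is too tight for a particular program (the starbound/steamcmd commit below is exactly that case), the process dies with SIGSYS and `systemctl status` shows `code=killed, status=31/SYS`; add the missing call or group to `SystemCallFilter` rather than dropping the filter.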
Tristan Daniël Maat
6a81ce4c1d
sops: Improve secrets provisioning to split out staging
2022-10-12 23:22:50 +01:00
Tristan Daniël Maat
ab3aa19481
treewide: Perform another nitpicking sweep
2022-10-12 23:22:42 +01:00
Tristan Daniël Maat
7095ab2631
treewide: Remove minecraft server
This has fallen into disuse since the big Java vulnerability, and I
have ideas for better ways of doing this. Meanwhile it's making
maintenance and refactoring more difficult.
Hence I'll remove the server completely for the time being.
2022-10-12 13:12:04 +01:00
Tristan Daniël Maat
046a88905d
treewide: Reformat project with alejandra
2022-10-10 13:03:18 +01:00
Tristan Daniël Maat
58e52dd119
ssh: Allow proxy connections with gatewayPorts
2022-10-10 13:01:26 +01:00
Tristan Daniël Maat
ed74cfa576
starbound: Fix permissions for a syscall steamcmd needs
2022-04-23 09:31:21 +01:00
Tristan Daniël Maat
cd92ec64c2
Add starbound server
2022-04-23 08:47:13 +01:00
Tristan Daniël Maat
e7102adec1
Add sops-nix
2022-04-23 08:47:07 +01:00
Tristan Daniël Maat
c019187b37
postgres: Upgrade to version 14
2022-01-18 18:54:37 +00:00
Tristan Daniël Maat
b6f39969cc
Fix podman hostnames
It seems that with the newest version of podman container names are no
longer added as hostnames, meaning that any attempt to resolve
hostnames with the current config will fail. `localhost` is probably
more robust anyway, so we switch to that.
The bug manifests as broken services because nextcloud/gitea cannot
resolve their databases and nextcloud fails to resolve the php
server. To fix this on a running system, the gitea and nextcloud database
configurations will need to be hand-edited, since those values are
only set on initialization, and not updated when changed later.
2022-01-08 02:19:04 +00:00
Tristan Daniël Maat
bd7e4a3193
Fix service uid/gids
2022-01-08 00:33:01 +00:00
Tristan Daniël Maat
90926e2eee
nextcloud: Give nginx access to the nextcloud root
2021-10-13 15:29:12 +01:00
Tristan Daniël Maat
20cda44040
nextcloud: Update nginx config
2021-10-13 14:53:05 +01:00
Tristan Daniël Maat
b16ea49c44
nextcloud: Set TRUSTED_PROXIES
Part of #47
2021-10-13 13:27:27 +01:00
Tristan Daniël Maat
3bdbe66fe4
nginx: Enable HSTS
2021-10-12 13:53:08 +01:00
Tristan Daniël Maat
a66eac3b17
minecraft: Add automatic restart scheduling
This starts/stops the server at 2 pm and 4 am respectively. This
should hopefully fix some of the issues caused by shoddy programming.
2021-08-27 18:10:19 +01:00
Tristan Daniël Maat
6bc37ebdae
minecraft: Limit to a single core instead of limiting the quota
Minecraft is anyway supposed to be single-threaded, so if it goes
beyond one core something is very wrong.
2021-08-27 18:09:43 +01:00
Tristan Daniël Maat
4fe3b8b22b
minecraft: Fix ridiculous CPU usage
Tapes over https://bugs.mojang.com/browse/MC-183518 , which schedules
things completely stupidly on Linux starting with 1.14.
2021-08-25 20:06:05 +01:00
Tristan Daniël Maat
6b85b9523c
minecraft: Enable command blocks to fix ice and fire ores
2021-08-21 00:20:20 +01:00
Tristan Daniël Maat
b17ac84693
Add new minecraft mod configuration files
2021-08-20 23:45:51 +01:00
Tristan Daniël Maat
544036d4e4
Update miscellaneous minecraft configs
Largely sensible changes, no complete rewrites without taking user
configuration into account like ice and fire.
2021-08-20 23:45:35 +01:00
Tristan Daniël Maat
196ad863c4
Update supplementaries config
2021-08-20 23:45:15 +01:00
Tristan Daniël Maat
cd55c50224
Update ice and fire config
Yes, they completely changed the config format and didn't take into
account the user's changes.
I guess I shouldn't be expecting much from minecraft mod authors, but
damn.
2021-08-20 23:45:12 +01:00
Tristan Daniël Maat
4c94932490
webserver: Use SIGKILL instead of SIGTERM
2021-05-17 00:18:51 +01:00
Tristan Daniël Maat
343c7fcc36
nginx: Don't override extra options in the host helper
2021-05-17 00:13:58 +01:00
Tristan Daniël Maat
5f8899d542
nginx: Make VM testing easier by binding virtualHosts to localhost
2021-05-17 00:13:38 +01:00
Tristan Daniël Maat
b8bf3bd3a2
minecraft: Clean up use of pkgs.lib
2021-05-17 00:13:28 +01:00
Tristan Daniël Maat
458f6c7f7b
nginx: Avoid connection issues caused by IPv6 resolution
If localhost is specified in the proxyPass url, nginx will happily
resolve IPv6 addresses, even if the upstream doesn't support them.
This can result in connection issues, especially with containers that
don't support IPv6.
2021-05-16 01:34:03 +01:00
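An added example, not the repository's nginx module, covering this commit and the HSTS commit (3bdbe66fe4) above: one NixOS virtual host that proxies to a literal loopback address instead of `localhost`, and sends HSTS from the server block. The hostname, e-mail address and upstream port are placeholders.

```nix
{ config, lib, pkgs, ... }:

{
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts."cloud.example.invalid" = {
      forceSSL = true;
      enableACME = true;

      # HSTS lives in the server block. Mind nginx's inheritance rule: an
      # add_header inside a location block discards every add_header from
      # the enclosing server block, so any location that sets its own
      # header has to restate this one.
      extraConfig = ''
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
      '';

      locations."/" = {
        # Literal address, not "localhost". nginx resolves the name when it
        # loads the config and gets both ::1 and 127.0.0.1; an upstream
        # that only listens on IPv4 (a container, a process bound to
        # 127.0.0.1) then produces error-log lines such as
        #   connect() failed (111: Connection refused) while connecting to
        #   upstream ... upstream: "http://[::1]:8080/"
        # and failed or slow requests while nginx falls back to the other
        # address.
        proxyPass = "http://127.0.0.1:8080";
        proxyWebsockets = true;
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@example.invalid";
  };
}
```

Two quick checks after a switch: `ss -ltn` shows which address family the upstream actually listens on, and `curl -sI https://cloud.example.invalid/ | grep -i strict-transport` confirms the HSTS header survives into the location that serves the page.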
Tristan Daniël Maat
517f4f0080
postgres: Get rid of password authentication
Podman pods make this obsolete; though we need to explicitly set
slirp4netns, otherwise podman will not create private network
namespaces for the pods.
2021-05-16 00:40:09 +01:00
Tristan Daniël Maat
2ccaadd557
minecraft: Add supplementaries mod
2021-05-11 22:13:31 +01:00
Tristan Daniël Maat
9e06fcf917
gitea: Use a defined service UID
The default of 1000 mapped to my admin user, which was both a bit
concerning and a bit of an annoyance.
2021-04-28 23:18:30 +01:00
Tristan Daniël Maat
939c768280
nix: Add the wheel group to trusted users to allow remote builds
2021-04-28 00:22:21 +01:00
Tristan Daniël Maat
71d783ec11
forge-server: Fix potential duplicate definition of config
2021-04-25 21:05:47 +01:00
Tristan Daniël Maat
70e5b6206e
Tweak voor-kia modpack config
In a nutshell:
- Apotheosis
  - Don't clutter the world with super tall reed
  - Don't ruin spawners - it's nice to build buildings in more
    locations
- Ice and fire
  - *Really* tone down the griefing and amount of spawns
- Iron furnaces
  - *Hopefully* disable the annoying update chat messages
- Quark
  - Disable matrix enchanting so that apotheosis works
2021-04-25 06:23:17 +01:00
Tristan Daniël Maat
7ad729f2ca
Add voor-kia modpack with default configuration
2021-04-25 06:23:15 +01:00
Tristan Daniël Maat
ad110fbbea
Add voor-kia minecraft modpack
2021-04-25 06:23:10 +01:00
Tristan Daniël Maat
b474f7e97c
Add forge minecraft service
2021-04-25 04:44:07 +01:00
Tristan Daniël Maat
a3b72d11bd
Set limited permissions for the webserver container
2021-04-19 02:03:18 +01:00
Tristan Daniël Maat
04c00b9877
Fix NixOS profile imports
2021-04-18 02:58:49 +01:00
Tristan Daniël Maat
df76dcbf11
Rename the postgres named volumes
2021-04-17 22:14:21 +01:00
Tristan Daniël Maat
40002ac76e
Add webserver service
2021-04-12 01:58:11 +01:00
Tristan Daniël Maat
98cf95a922
Add nextcloud service
2021-04-12 01:58:09 +01:00
Tristan Daniël Maat
4689a153b9
Add gitea service
2021-04-12 01:58:07 +01:00
Tristan Daniël Maat
5e87a5ec0c
Start reworking the server for nix flakes
This removes all existing services as well, in preparation of moving
them to `podman`. These are easier to update to
virtualisation.oci-containers while retaining the "networks" through
pods.
2021-04-12 01:58:03 +01:00