Commit graph

109 commits

Author SHA1 Message Date
Tristan Daniël Maat 997707021b
config: Enable authorization through ssh agent
This enables sudo-via-yubikey and therefore makes `-t` obsolete, in
turn fixing a whole slew of issues with deploy-rs.

*And* seems more secure and convenient at the same time.
2022-11-05 18:01:07 +00:00
Tristan Daniël Maat 0528f73187
nginx: Remove mitigation for openssl CVE
This has been fixed; instead we just update to the latest openssl.
2022-11-05 17:33:28 +00:00
Tristan Daniël Maat 598c439002
conduit: Disable turns, remove the user limits and add all relay IPs 2022-11-05 17:10:39 +00:00
Tristan Daniël Maat 2304711359
config: Mitigate upcoming SSL CVE
See
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html

As 1.1 is unaffected, this override should be sufficient to evade this
problem.
2022-10-31 16:07:41 +00:00
Tristan Daniël Maat b3e8b0e85c
default.nix: Turn on minimal profile 2022-10-30 18:26:45 +00:00
Tristan Daniël Maat c72953e1ef
matrix: Add coturn support for calls 2022-10-29 01:39:09 +01:00
Tristan Daniël Maat c56de6cf7e
conduit: Add new conduit service 2022-10-22 21:22:55 +01:00
Tristan Daniël Maat 61d3008bc3
nextcloud: Fetch apps using nvfetcher 2022-10-17 11:00:02 +01:00
Tristan Daniël Maat c4fa991b62
treewide: Add fail2ban 2022-10-14 06:27:11 +01:00
Tristan Daniël Maat 1ddf23bd01
nextcloud: Update nextcloud version 2022-10-14 05:58:18 +01:00
Tristan Daniël Maat 78ecfd63a1
starbound: Fix post-update issues 2022-10-14 05:58:15 +01:00
Tristan Daniël Maat e8b16459d9
treewide: Refactor in order to clean up flake.nix 2022-10-14 05:58:13 +01:00
Tristan Daniël Maat 068e6d5d77
webserver: Use a hardened systemd unit instead of a container 2022-10-14 05:58:11 +01:00
Tristan Daniël Maat b6594cea54
gitea: Use a hardened systemd unit instead of a container 2022-10-14 05:58:08 +01:00
Tristan Daniël Maat 3cedb9f978
nextcloud: Use a hardened systemd unit instead of a container 2022-10-14 05:58:05 +01:00
Tristan Daniël Maat 6a81ce4c1d
sops: Improve secrets provisioning to split out staging 2022-10-12 23:22:50 +01:00
Tristan Daniël Maat ab3aa19481
treewide: Perform another nitpicking sweep 2022-10-12 23:22:42 +01:00
Tristan Daniël Maat 7095ab2631
treewide: Remove minecraft server
This has fallen into disuse since the big Java vulnerability, and I
have ideas for better ways of doing this. Meanwhile it's making
maintenance and refactoring more difficult.

Hence I'll remove the server completely for the time being.
2022-10-12 13:12:04 +01:00
Tristan Daniël Maat 046a88905d
treewide: Reformat project with alejandra 2022-10-10 13:03:18 +01:00
Tristan Daniël Maat 58e52dd119
ssh: Allow proxy connections with gatewayPorts 2022-10-10 13:01:26 +01:00
Tristan Daniël Maat ed74cfa576
starbound: Fix permissions for a syscall steamcmd needs 2022-04-23 09:31:21 +01:00
Tristan Daniël Maat cd92ec64c2
Add starbound server 2022-04-23 08:47:13 +01:00
Tristan Daniël Maat e7102adec1
Add sops-nix 2022-04-23 08:47:07 +01:00
Tristan Daniël Maat c019187b37
postgres: Upgrade to version 14 2022-01-18 18:54:37 +00:00
Tristan Daniël Maat b6f39969cc
Fix podman hostnames
It seems that with the newest version of podman container names are no
longer added as hostnames, meaning that any attempt to resolve
hostnames with the current config will fail. `localhost` is probably
more robust anyway, so we switch to that.

The bug manifests as broken services because nextcloud/gitea cannot
resolve their databases and nextcloud fails to resolve the php
server. To fix this on a running system, the gitea and nextcloud database
configurations will need to be hand-edited, since those values are
only set on initialization, and not updated when changed later.
2022-01-08 02:19:04 +00:00
Tristan Daniël Maat bd7e4a3193
Fix service uid/gids 2022-01-08 00:33:01 +00:00
Tristan Daniël Maat 90926e2eee
nextcloud: Give nginx access to the nextcloud root 2021-10-13 15:29:12 +01:00
Tristan Daniël Maat 20cda44040
nextcloud: Update nginx config 2021-10-13 14:53:05 +01:00
Tristan Daniël Maat b16ea49c44
nextcloud: Set TRUSTED_PROXIES
Part of #47
2021-10-13 13:27:27 +01:00
Tristan Daniël Maat 3bdbe66fe4
nginx: Enable HSTS 2021-10-12 13:53:08 +01:00
Tristan Daniël Maat a66eac3b17
minecraft: Add automatic restart scheduling
This starts/stops the server at 2 pm and 4 am respectively. This
should hopefully fix some of the issues caused by shoddy programming.
2021-08-27 18:10:19 +01:00
Tristan Daniël Maat 6bc37ebdae
minecraft: Limit to a single core instead of limiting the quota
Minecraft is anyway supposed to be single-threaded, so if it goes
beyond one core something is very wrong.
2021-08-27 18:09:43 +01:00
Tristan Daniël Maat 4fe3b8b22b
minecraft: Fix ridiculous CPU usage
Tapes over https://bugs.mojang.com/browse/MC-183518, which schedules
things completely stupidly on Linux starting with 1.14.
2021-08-25 20:06:05 +01:00
Tristan Daniël Maat 6b85b9523c
minecraft: Enable command blocks to fix ice and fire ores 2021-08-21 00:20:20 +01:00
Tristan Daniël Maat b17ac84693
Add new minecraft mod configuration files 2021-08-20 23:45:51 +01:00
Tristan Daniël Maat 544036d4e4
Update miscellaneous minecraft configs
Largely sensible changes, no complete rewrites without taking user
configuration into account like ice and fire.
2021-08-20 23:45:35 +01:00
Tristan Daniël Maat 196ad863c4
Update supplementaries config 2021-08-20 23:45:15 +01:00
Tristan Daniël Maat cd55c50224
Update ice and fire config
Yes, they completely changed the config format and didn't take into
account the user's changes.

I guess I shouldn't be expecting much from minecraft mod authors, but
damn.
2021-08-20 23:45:12 +01:00
Tristan Daniël Maat 4c94932490
webserver: Use SIGKILL instead of SIGTERM 2021-05-17 00:18:51 +01:00
Tristan Daniël Maat 343c7fcc36
nginx: Don't override extra options in the host helper 2021-05-17 00:13:58 +01:00
Tristan Daniël Maat 5f8899d542
nginx: Make VM testing easier by binding virtualHosts to localhost 2021-05-17 00:13:38 +01:00
Tristan Daniël Maat b8bf3bd3a2
minecraft: Clean up use of pkgs.lib 2021-05-17 00:13:28 +01:00
Tristan Daniël Maat 458f6c7f7b
nginx: Avoid connection issues caused by IPv6 resolution
If localhost is specified in the proxyPass URL, nginx will happily
resolve IPv6 addresses, even if the upstream doesn't support them.

This can result in connection issues, especially with containers that
don't support IPv6.
2021-05-16 01:34:03 +01:00
Tristan Daniël Maat 517f4f0080
postgres: Get rid of password authentication
Podman pods make this obsolete; though we need to explicitly set
slirp4netns, otherwise podman will not create private network
namespaces for the pods.
2021-05-16 00:40:09 +01:00
Tristan Daniël Maat 2ccaadd557
minecraft: Add supplementaries mod 2021-05-11 22:13:31 +01:00
Tristan Daniël Maat 9e06fcf917
gitea: Use a defined service UID
The default of 1000 mapped to my admin user, which was both a bit
concerning and a bit of an annoyance.
2021-04-28 23:18:30 +01:00
Tristan Daniël Maat 939c768280
nix: Add the wheel group to trusted users to allow remote builds 2021-04-28 00:22:21 +01:00
Tristan Daniël Maat 71d783ec11
forge-server: Fix potential duplicate definition of config 2021-04-25 21:05:47 +01:00
Tristan Daniël Maat 70e5b6206e
Tweak voor-kia modpack config
In a nutshell:

- Apotheosis
  - Don't clutter the world with super tall reed
  - Don't ruin spawners - it's nice to build buildings in more
    locations
- Ice and fire
  - *Really* tone down the griefing and amount of spawns
- Iron furnaces
  - *Hopefully* disable the annoying update chat messages
- Quark
  - Disable matrix enchanting so that apotheosis works
2021-04-25 06:23:17 +01:00
Tristan Daniël Maat 7ad729f2ca
Add voor-kia modpack with default configuration 2021-04-25 06:23:15 +01:00
Tristan Daniël Maat ad110fbbea
Add voor-kia minecraft modpack 2021-04-25 06:23:10 +01:00
Tristan Daniël Maat b474f7e97c
Add forge minecraft service 2021-04-25 04:44:07 +01:00
Tristan Daniël Maat a3b72d11bd
Set limited permissions for the webserver container 2021-04-19 02:03:18 +01:00
Tristan Daniël Maat 04c00b9877
Fix NixOS profile imports 2021-04-18 02:58:49 +01:00
Tristan Daniël Maat df76dcbf11
Rename the postgres named volumes 2021-04-17 22:14:21 +01:00
Tristan Daniël Maat 40002ac76e
Add webserver service 2021-04-12 01:58:11 +01:00
Tristan Daniël Maat 98cf95a922
Add nextcloud service 2021-04-12 01:58:09 +01:00
Tristan Daniël Maat 4689a153b9
Add gitea service 2021-04-12 01:58:07 +01:00
Tristan Daniël Maat 5e87a5ec0c
Start reworking the server for nix flakes
This removes all existing services as well, in preparation for moving
them to `podman`. These are easier to update to
virtualisation.oci-containers while retaining the "networks" through
pods.
2021-04-12 01:58:03 +01:00