Tristan Daniël Maat
a28d385b17
conduit: Enable TURNS with a ZeroSSL-provided certificate
2022-11-05 22:26:52 +00:00

Tristan Daniël Maat
997707021b
config: Enable authorization through ssh agent
This enables sudo-via-yubikey and therefore makes `-t` obsolete, in
turn fixing a whole slew of issues with deploy-rs.
*And* seems more secure and convenient at the same time.
2022-11-05 18:01:07 +00:00

Tristan Daniël Maat
0528f73187
nginx: Remove mitigation for openssl CVE
This has been fixed, instead we just update to the latest openssl.
2022-11-05 17:33:28 +00:00

Tristan Daniël Maat
2304711359
config: Mitigate upcoming SSL CVE
See
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
As 1.1 is unaffected, this override should be sufficient to evade this
problem.
2022-10-31 16:07:41 +00:00

Tristan Daniël Maat
b3e8b0e85c
default.nix: Turn on minimal profile
2022-10-30 18:26:45 +00:00

Tristan Daniël Maat
c72953e1ef
matrix: Add coturn support for calls
2022-10-29 01:39:09 +01:00

c56de6cf7e
conduit: Add new conduit service
2022-10-22 21:22:55 +01:00

61d3008bc3
nextcloud: Fetch apps using nvfetcher
2022-10-17 11:00:02 +01:00

c4fa991b62
treewide: Add fail2ban
2022-10-14 06:27:11 +01:00

78ecfd63a1
starbound: Fix post-update issues
2022-10-14 05:58:15 +01:00

e8b16459d9
treewide: Refactor in order to clean up flake.nix
2022-10-14 05:58:13 +01:00

068e6d5d77
webserver: Use a hardened systemd unit instead of a container
2022-10-14 05:58:11 +01:00

b6594cea54
gitea: Use a hardened systemd unit instead of a container
2022-10-14 05:58:08 +01:00

3cedb9f978
nextcloud: Use a hardened systemd unit instead of a container
2022-10-14 05:58:05 +01:00

6a81ce4c1d
sops: Improve secrets provisioning to split out staging
2022-10-12 23:22:50 +01:00

ab3aa19481
treewide: Perform another nitpicking sweep
2022-10-12 23:22:42 +01:00

7095ab2631
treewide: Remove minecraft server
This has fallen into disuse since the big Java vulnerability, and I
have ideas for better ways of doing this. Meanwhile it's making
maintenance and refactoring more difficult.
Hence I'll remove the server completely for the time being.
2022-10-12 13:12:04 +01:00

046a88905d
treewide: Reformat project with alejandra
2022-10-10 13:03:18 +01:00

58e52dd119
ssh: Allow proxy connections with gatewayPorts
2022-10-10 13:01:26 +01:00

cd92ec64c2
Add starbound server
2022-04-23 08:47:13 +01:00

e7102adec1
Add sops-nix
2022-04-23 08:47:07 +01:00

3bdbe66fe4
nginx: Enable HSTS
2021-10-12 13:53:08 +01:00

4fe3b8b22b
minecraft: Fix ridiculous CPU usage
Tapes over https://bugs.mojang.com/browse/MC-183518 , which schedules
things completely stupidly on Linux starting with 1.14.
2021-08-25 20:06:05 +01:00

343c7fcc36
nginx: Don't override extra options in the host helper
2021-05-17 00:13:58 +01:00

5f8899d542
nginx: Make VM testing easier by binding virtualHosts to localhost
2021-05-17 00:13:38 +01:00

458f6c7f7b
nginx: Avoid connection issues caused by IPv6 resolution
If localhost is specified in the proxyPass url, nginx will happily
resolve IPv6 addresses, even if the upstream doesn't support them.
This can result in connection issues, especially with containers that
don't support IPv6.
2021-05-16 01:34:03 +01:00

939c768280
nix: Add the wheel group to trusted users to allow remote builds
2021-04-28 00:22:21 +01:00

b474f7e97c
Add forge minecraft service
2021-04-25 04:44:07 +01:00

a3b72d11bd
Set limited permissions for the webserver container
2021-04-19 02:03:18 +01:00

40002ac76e
Add webserver service
2021-04-12 01:58:11 +01:00

98cf95a922
Add nextcloud service
2021-04-12 01:58:09 +01:00

4689a153b9
Add gitea service
2021-04-12 01:58:07 +01:00

5e87a5ec0c
Start reworking the server for nix flakes
This removes all existing services as well, in preparation of moving
them to `podman`. These are easier to update to
virtualisation.oci-containers while retaining the "networks" through
pods.
2021-04-12 01:58:03 +01:00