Tristan Daniël Maat
2007c9ce76
WIP: Add atomic backups with restic
2023-09-23 21:07:17 +02:00
Tristan Daniël Maat
828d3f3878
services: Update outdated options
2023-07-28 11:23:56 +02:00
Tristan Daniël Maat
acd7cc802b
networking: Set up static IP address
2023-05-11 22:09:32 +01:00
Tristan Daniël Maat
bb397841ee
refactoring: Use flake-inputs instead of awkwardly passing through
2023-02-26 05:59:09 +00:00
Tristan Daniël Maat
b7726af1c4
config: Make changes suggested post 22.11 update
2023-01-11 02:38:56 +00:00
Tristan Daniël Maat
957ab110c5
firewall: Open Minecraft ports for port forwarding
2023-01-11 02:38:53 +00:00
Tristan Daniël Maat
a28d385b17
conduit: Enable TURNS with a ZeroSSL-provided certificate
2022-11-05 22:26:52 +00:00
Tristan Daniël Maat
997707021b
config: Enable authorization through ssh agent
...
This enables sudo-via-yubikey and therefore makes `-t` obsolete, in
turn fixing a whole sleuth of issues with deploy-rs.
*And* seems more secure and convenient at the same time.
2022-11-05 18:01:07 +00:00
Tristan Daniël Maat
0528f73187
nginx: Remove mitigation for openssl CVE
...
This has been fixed, instead we just update to the latest openssl.
2022-11-05 17:33:28 +00:00
Tristan Daniël Maat
2304711359
config: Mitigate upcoming SSL CVE
...
See
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
As 1.1 is unaffected, this override should be sufficient to evade this
problem.
2022-10-31 16:07:41 +00:00
Tristan Daniël Maat
b3e8b0e85c
default.nix: Turn on minimal profile
2022-10-30 18:26:45 +00:00
Tristan Daniël Maat
c72953e1ef
matrix: Add coturn support for calls
2022-10-29 01:39:09 +01:00
Tristan Daniël Maat
c56de6cf7e
conduit: Add new conduit service
2022-10-22 21:22:55 +01:00
Tristan Daniël Maat
61d3008bc3
nextcloud: Fetch apps using nvfetcher
2022-10-17 11:00:02 +01:00
Tristan Daniël Maat
c4fa991b62
treewide: Add fail2ban
2022-10-14 06:27:11 +01:00
Tristan Daniël Maat
78ecfd63a1
starbound: Fix post-update issues
2022-10-14 05:58:15 +01:00
Tristan Daniël Maat
e8b16459d9
treewide: Refactor in order to clean up flake.nix
2022-10-14 05:58:13 +01:00
Tristan Daniël Maat
068e6d5d77
webserver: Use a hardened systemd unit instead of a container
2022-10-14 05:58:11 +01:00
Tristan Daniël Maat
b6594cea54
gitea: Use a hardened systemd unit instead of a container
2022-10-14 05:58:08 +01:00
Tristan Daniël Maat
3cedb9f978
nextcloud: Use a hardened systemd unit instead of a container
2022-10-14 05:58:05 +01:00
Tristan Daniël Maat
6a81ce4c1d
sops: Improve secrets provisioning to split out staging
2022-10-12 23:22:50 +01:00
Tristan Daniël Maat
ab3aa19481
treewide: Perform another nitpicking sweep
2022-10-12 23:22:42 +01:00
Tristan Daniël Maat
7095ab2631
treewide: Remove minecraft server
...
This has fallen into disuse since the big Java vulnerability, and I
have ideas for better ways of doing this. Meanwhile it's making
maintenance and refactoring more difficult.
Hence I'll remove the server completely for the time being.
2022-10-12 13:12:04 +01:00
Tristan Daniël Maat
046a88905d
treewide: Reformat project with alejandra
2022-10-10 13:03:18 +01:00
Tristan Daniël Maat
58e52dd119
ssh: Allow proxy connections with gatewayPorts
2022-10-10 13:01:26 +01:00
Tristan Daniël Maat
cd92ec64c2
Add starbound server
2022-04-23 08:47:13 +01:00
Tristan Daniël Maat
e7102adec1
Add sops-nix
2022-04-23 08:47:07 +01:00
Tristan Daniël Maat
3bdbe66fe4
nginx: Enable HSTS
2021-10-12 13:53:08 +01:00
Tristan Daniël Maat
4fe3b8b22b
minecraft: Fix ridiculous CPU usage
...
Tapes over https://bugs.mojang.com/browse/MC-183518 , which schedules
things completely stupidly on Linux starting with 1.14.
2021-08-25 20:06:05 +01:00
Tristan Daniël Maat
343c7fcc36
nginx: Don't override extra options in the host helper
2021-05-17 00:13:58 +01:00
Tristan Daniël Maat
5f8899d542
nginx: Make VM testing easier by binding virtualHosts to localhost
2021-05-17 00:13:38 +01:00
Tristan Daniël Maat
458f6c7f7b
nginx: Avoid connection issues caused by IPv6 resolution
...
If localhost is specified in the proxyPass url, nginx will happily
resolve IPv6 addresses, even if the upstream doesn't support them.
This can result in connection issues, especially with containers that
don't support IPv6.
2021-05-16 01:34:03 +01:00
Tristan Daniël Maat
939c768280
nix: Add the wheel group to trusted users to allow remote builds
2021-04-28 00:22:21 +01:00
Tristan Daniël Maat
b474f7e97c
Add forge minecraft service
2021-04-25 04:44:07 +01:00
Tristan Daniël Maat
a3b72d11bd
Set limited permissions for the webserver container
2021-04-19 02:03:18 +01:00
Tristan Daniël Maat
40002ac76e
Add webserver service
2021-04-12 01:58:11 +01:00
Tristan Daniël Maat
98cf95a922
Add nextcloud service
2021-04-12 01:58:09 +01:00
Tristan Daniël Maat
4689a153b9
Add gitea service
2021-04-12 01:58:07 +01:00
Tristan Daniël Maat
5e87a5ec0c
Start reworking the server for nix flakes
...
This removes all existing services as well, in preparation of moving
them to `podman`. These are easier to update to
virtualisation.oci-containers while retaining the "networks" through
pods.
2021-04-12 01:58:03 +01:00