Commit graph

147 commits

Author SHA1 Message Date
Tristan Daniël Maat 997707021b
config: Enable authorization through ssh agent
This enables sudo-via-yubikey and therefore makes `-t` obsolete, in
turn fixing a whole slew of issues with deploy-rs.

*And* seems more secure and convenient at the same time.
2022-11-05 18:01:07 +00:00
Tristan Daniël Maat 0528f73187
nginx: Remove mitigation for openssl CVE
This has been fixed; instead we just update to the latest openssl.
2022-11-05 17:33:28 +00:00
Tristan Daniël Maat 4d5eaf34be
Update inputs 2022-11-05 17:31:58 +00:00
Tristan Daniël Maat 85a989d3c8
nvfetcher: Don't allow fetching rc versions of nextcloud cookbook 2022-11-05 17:31:24 +00:00
Tristan Daniël Maat 598c439002
conduit: Disable turns, remove the user limits and add all relay IPs 2022-11-05 17:10:39 +00:00
Tristan Daniël Maat ea06138a9b
flake.nix: Add packages for utility scripts to enable nix build 2022-11-05 16:00:50 +00:00
Tristan Daniël Maat 2304711359
config: Mitigate upcoming SSL CVE
See
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html

As 1.1 is unaffected, this override should be sufficient to evade this
problem.
2022-10-31 16:07:41 +00:00
Tristan Daniël Maat 73023b817d
conduit: Use dependencies from stable
Partially to circumvent the upcoming openssl CVE, partially to reduce
the number of dependencies.
2022-10-31 16:06:31 +00:00
Tristan Daniël Maat b3e8b0e85c
default.nix: Turn on minimal profile 2022-10-30 18:26:45 +00:00
Tristan Daniël Maat 5c89aa5b83
Update 2022-10-30 17:13:15 +00:00
Tristan Daniël Maat c72953e1ef
matrix: Add coturn support for calls 2022-10-29 01:39:09 +01:00
Tristan Daniël Maat 7fb5aac33e
nextcloud: Fix nextcloud app download links 2022-10-23 23:45:44 +01:00
Tristan Daniël Maat c56de6cf7e
conduit: Add new conduit service 2022-10-22 21:22:55 +01:00
Tristan Daniël Maat 3e13b575b0
flake.nix: Clean up devshell 2022-10-22 20:01:56 +01:00
Tristan Daniël Maat bec05bafb1
README.md: Update to new and improved flake mechanisms 2022-10-17 14:29:56 +01:00
Tristan Daniël Maat 59a44261b8
flake.nix: Move vm out of nixosConfigurations so that checks work 2022-10-17 14:23:52 +01:00
Tristan Daniël Maat 61d3008bc3
nextcloud: Fetch apps using nvfetcher 2022-10-17 11:00:02 +01:00
Tristan Daniël Maat c4fa991b62
treewide: Add fail2ban 2022-10-14 06:27:11 +01:00
Tristan Daniël Maat 325e8a0ea1
flake.nix: Add deploy-rs for deployment management 2022-10-14 05:59:59 +01:00
Tristan Daniël Maat 1ddf23bd01
nextcloud: Update nextcloud version 2022-10-14 05:58:18 +01:00
Tristan Daniël Maat 78ecfd63a1
starbound: Fix post-update issues 2022-10-14 05:58:15 +01:00
Tristan Daniël Maat e8b16459d9
treewide: Refactor in order to clean up flake.nix 2022-10-14 05:58:13 +01:00
Tristan Daniël Maat 068e6d5d77
webserver: Use a hardened systemd unit instead of a container 2022-10-14 05:58:11 +01:00
Tristan Daniël Maat b6594cea54
gitea: Use a hardened systemd unit instead of a container 2022-10-14 05:58:08 +01:00
Tristan Daniël Maat 3cedb9f978
nextcloud: Use a hardened systemd unit instead of a container 2022-10-14 05:58:05 +01:00
Tristan Daniël Maat 6a81ce4c1d
sops: Improve secrets provisioning to split out staging 2022-10-12 23:22:50 +01:00
Tristan Daniël Maat ab3aa19481
treewide: Perform another nitpicking sweep 2022-10-12 23:22:42 +01:00
Tristan Daniël Maat dea9032530
flake.nix: Add app to start VM through nix run 2022-10-12 13:16:46 +01:00
Tristan Daniël Maat e512e73b5e
flake.nix: Clean up and refactor 2022-10-12 13:12:28 +01:00
Tristan Daniël Maat 7095ab2631
treewide: Remove minecraft server
This has fallen into disuse since the big Java vulnerability, and I
have ideas for better ways of doing this. Meanwhile it's making
maintenance and refactoring more difficult.

Hence I'll remove the server completely for the time being.
2022-10-12 13:12:04 +01:00
Tristan Daniël Maat 046a88905d
treewide: Reformat project with alejandra 2022-10-10 13:03:18 +01:00
Tristan Daniël Maat 58e52dd119
ssh: Allow proxy connections with gatewayPorts 2022-10-10 13:01:26 +01:00
Tristan Daniël Maat ed74cfa576
starbound: Fix permissions for a syscall steamcmd needs 2022-04-23 09:31:21 +01:00
Tristan Daniël Maat cd92ec64c2
Add starbound server 2022-04-23 08:47:13 +01:00
Tristan Daniël Maat e7102adec1
Add sops-nix 2022-04-23 08:47:07 +01:00
Tristan Daniël Maat 73988df2a6
flake.lock: Update
Flake lock file changes:

• Updated input 'flake-utils':
    'github:numtide/flake-utils/3cecb5b042f7f209c56ffd8371b2711a290ec797' (2022-02-07)
  → 'github:numtide/flake-utils/a4b154ebbdc88c8498a5c7b01589addc9e9cb678' (2022-04-11)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/9886a06e4745edb31587d0e9481ad82d35f0d593' (2022-02-04)
  → 'github:nixos/nixos-hardware/6b4ebea9093c997c5f275c820e679108de4871ab' (2022-04-21)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/521e4d7d13b09bc0a21976b9d19abd197d4e3b1e' (2022-02-07)
  → 'github:nixos/nixpkgs/9887f024766aa27704d1f89f623efd1d063da92a' (2022-04-21)
2022-04-21 18:21:53 +01:00
Tristan Daniël Maat 34235a2041
flake: Fix python language server version 2022-04-21 18:20:06 +01:00
Tristan Daniël Maat 1721785d1c
Update forge server sha 2022-02-10 22:54:30 +00:00
Tristan Daniël Maat 4ef17ed1a2
flake.lock: Update
Flake lock file changes:

• Updated input 'flake-utils':
    'github:numtide/flake-utils/74f7e4319258e287b0f9cb95426c9853b282730b' (2021-11-28)
  → 'github:numtide/flake-utils/3cecb5b042f7f209c56ffd8371b2711a290ec797' (2022-02-07)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/2a7063461c3751d83869a2a0a8ebc59e34bec5b2' (2021-12-11)
  → 'github:nixos/nixos-hardware/9886a06e4745edb31587d0e9481ad82d35f0d593' (2022-02-04)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/573095944e7c1d58d30fc679c81af63668b54056' (2021-12-10)
  → 'github:nixos/nixpkgs/521e4d7d13b09bc0a21976b9d19abd197d4e3b1e' (2022-02-07)
2022-02-10 22:17:37 +00:00
Tristan Daniël Maat c019187b37
postgres: Upgrade to version 14 2022-01-18 18:54:37 +00:00
Tristan Daniël Maat b6f39969cc
Fix podman hostnames
It seems that with the newest version of podman, container names are no
longer added as hostnames, meaning that any attempt to resolve
hostnames with the current config will fail. `localhost` is probably
more robust anyway, so we switch to that.

The bug manifests as broken services because nextcloud/gitea cannot
resolve their databases and nextcloud fails to resolve the php
server. To fix this on a running system, the gitea and nextcloud database
configurations will need to be hand-edited, since those values are
only set on initialization and not updated when changed later.
2022-01-08 02:19:04 +00:00
Tristan Daniël Maat bd7e4a3193
Fix service uid/gids 2022-01-08 00:33:01 +00:00
Tristan Daniël Maat 9060cb6414
Update to NixOS 21.11
Flake lock file changes:

• Updated input 'flake-utils':
    'github:numtide/flake-utils/7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19' (2021-09-13)
  → 'github:numtide/flake-utils/74f7e4319258e287b0f9cb95426c9853b282730b' (2021-11-28)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/0a8b8054c9920368a3c15e6d766188fdf04b736f' (2021-09-30)
  → 'github:nixos/nixos-hardware/2a7063461c3751d83869a2a0a8ebc59e34bec5b2' (2021-12-11)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/7daf35532d2d8bf5e6f7f962e6cd13a66d01a71d' (2021-10-03)
  → 'github:nixos/nixpkgs/573095944e7c1d58d30fc679c81af63668b54056' (2021-12-10)
2021-12-17 18:40:59 +00:00
Tristan Daniël Maat 90926e2eee
nextcloud: Give nginx access to the nextcloud root 2021-10-13 15:29:12 +01:00
Tristan Daniël Maat 20cda44040
nextcloud: Update nginx config 2021-10-13 14:53:05 +01:00
Tristan Daniël Maat b16ea49c44
nextcloud: Set TRUSTED_PROXIES
Part of #47
2021-10-13 13:27:27 +01:00
Tristan Daniël Maat 3bdbe66fe4
nginx: Enable HSTS 2021-10-12 13:53:08 +01:00
Tristan Daniël Maat d6e1cd3ffa
update-mods.py: Fix issues revealed by 1.17 updates 2021-10-06 01:22:24 +01:00
Tristan Daniël Maat b9af400942
flake.lock: Update
Flake lock file changes:

• Updated input 'flake-utils':
    'github:numtide/flake-utils/997f7efcb746a9c140ce1f13c72263189225f482' (2021-08-20)
  → 'github:numtide/flake-utils/7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19' (2021-09-13)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/de40acde6c056a7c5f3c9ad4dca0c172fa35d207' (2021-08-23)
  → 'github:nixos/nixos-hardware/0a8b8054c9920368a3c15e6d766188fdf04b736f' (2021-09-30)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/a1007637cea374bd1bafd754cfd5388894c49129' (2021-08-19)
  → 'github:nixos/nixpkgs/7daf35532d2d8bf5e6f7f962e6cd13a66d01a71d' (2021-10-03)
• Updated input 'tlaternet-templates':
    'git+https://gitea.tlater.net/tlaternet/tlaternet-templates.git?ref=master&rev=6da1d644ac02143172d20e0d3e9fcd7a0c8720ef' (2021-04-11)
  → 'git+https://gitea.tlater.net/tlaternet/tlaternet-templates.git?ref=master&rev=555a2949bdf643c74b535bd0c623d98f99d33628' (2021-10-05)
• Removed input 'tlaternet-templates/nixpkgs-unstable'
• Updated input 'tlaternet-webserver':
    'git+https://gitea.tlater.net/tlaternet/tlaternet.git?ref=master&rev=ff25f151d3c170c7290b83be5cbdb1fd84261997' (2021-04-09)
  → 'git+https://gitea.tlater.net/tlaternet/tlaternet.git?ref=master&rev=1232950c06ae16bf17fb16ac1f5f2231e971936b' (2021-10-05)
• Updated input 'tlaternet-webserver/naersk':
    'github:nmattia/naersk/e0fe990b478a66178a58c69cf53daec0478ca6f9' (2021-03-03)
  → 'github:nmattia/naersk/ee7edec50b49ab6d69b06d62f1de554efccb1ccd' (2021-09-21)
• Updated input 'tlaternet-webserver/naersk/nixpkgs':
    follows 'nixpkgs'
  → follows 'tlaternet-webserver/nixpkgs'
• Updated input 'tlaternet-webserver/rust-overlay':
    'github:oxalica/rust-overlay/38766381042021f547a168ebb3f10305dc6fde08' (2021-03-30)
  → 'github:oxalica/rust-overlay/9c2fc6a62ccbc6f420d71ecac6bf0b84dbbee64f' (2021-10-05)
• Updated input 'tlaternet-webserver/rust-overlay/flake-utils':
    follows 'flake-utils'
  → follows 'tlaternet-webserver/flake-utils'
• Updated input 'tlaternet-webserver/rust-overlay/nixpkgs':
    follows 'nixpkgs'
  → follows 'tlaternet-webserver/nixpkgs'
2021-10-05 12:50:05 +01:00
Tristan Daniël Maat a66eac3b17
minecraft: Add automatic restart scheduling
This starts/stops the server at 2 pm and 4 am respectively. This
should hopefully fix some of the issues caused by shoddy programming.
2021-08-27 18:10:19 +01:00