Tristan Daniël Maat
d63edbecc7
postgres: Set auth method to "reject"
This will reject connections from anywhere except 127.0.0.1, i.e., the
pod's network namespace.
This makes password authentication properly obsolete, instead of just
hiding the password (but still never authenticating with it), but
required a change upstream:
https://github.com/docker-library/postgres/pull/859
2021-06-11 01:48:54 +01:00
Tristan Daniël Maat
e3f0095b47
flake.lock: Update
Flake input changes:
* Updated 'flake-utils': 'github:numtide/flake-utils/b543720b25df6ffdfcf9227afafc5b8c1fabfae8' -> 'github:numtide/flake-utils/7d706970d94bc5559077eb1a6600afddcd25a7c8'
* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/c4399b921fa7ff5f93ee10b3521b56b722ed74d8' -> 'github:nixos/nixos-hardware/fccbee72df707c3fb074854668deee6e1ff02351'
2021-06-08 23:34:37 +01:00
Tristan Daniël Maat
7c0d02690f
Upgrade to NixOS 21.05
2021-06-08 23:31:47 +01:00
Tristan Daniël Maat
4c94932490
webserver: Use SIGKILL instead of SIGTERM
2021-05-17 00:18:51 +01:00
Tristan Daniël Maat
343c7fcc36
nginx: Don't override extra options in the host helper
2021-05-17 00:13:58 +01:00
Tristan Daniël Maat
5f8899d542
nginx: Make VM testing easier by binding virtualHosts to localhost
2021-05-17 00:13:38 +01:00
Tristan Daniël Maat
b8bf3bd3a2
minecraft: Clean up use of pkgs.lib
2021-05-17 00:13:28 +01:00
Tristan Daniël Maat
458f6c7f7b
nginx: Avoid connection issues caused by IPv6 resolution
If localhost is specified in the proxyPass url, nginx will happily
resolve IPv6 addresses, even if the upstream doesn't support them.
This can result in connection issues, especially with containers that
don't support IPv6.
2021-05-16 01:34:03 +01:00
Tristan Daniël Maat
517f4f0080
postgres: Get rid of password authentication
Podman pods make this obsolete; though we need to explicitly set
slirp4netns, otherwise podman will not create private network
namespaces for the pods.
2021-05-16 00:40:09 +01:00
Tristan Daniël Maat
2d61711e07
flake.lock: Update
Flake input changes:
* Updated 'flake-utils': 'github:numtide/flake-utils/2ebf2558e5bf978c7fb8ea927dfaed8fefab2e28' -> 'github:numtide/flake-utils/b543720b25df6ffdfcf9227afafc5b8c1fabfae8'
* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/f7540d6c27704ec0fe56ecc8b2a9b663181850b0' -> 'github:nixos/nixos-hardware/c4399b921fa7ff5f93ee10b3521b56b722ed74d8'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/d4e7af972158a14ebdd9c828b1c2e07e2ce7ef1c' -> 'github:nixos/nixpkgs/17d3dab8647a31a00d8a11433a56cc12d84b5ab4'
2021-05-15 20:57:59 +01:00
Tristan Daniël Maat
2ccaadd557
minecraft: Add supplementaries mod
2021-05-11 22:13:31 +01:00
Tristan Daniël Maat
9e06fcf917
gitea: Use a defined service UID
The default of 1000 mapped to my admin user, which was both a bit
concerning and a bit of an annoyance.
2021-04-28 23:18:30 +01:00
Tristan Daniël Maat
0a20fc3cd5
README: Document deployment procedure
2021-04-28 00:53:05 +01:00
Tristan Daniël Maat
939c768280
nix: Add the wheel group to trusted users to allow remote builds
2021-04-28 00:22:21 +01:00
Tristan Daniël Maat
486a68078f
flake.lock: Update
Flake input changes:
* Updated 'flake-utils': 'github:numtide/flake-utils/b2c27d1a81b0dc266270fa8aeecebbd1807fc610' -> 'github:numtide/flake-utils/2ebf2558e5bf978c7fb8ea927dfaed8fefab2e28'
* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/7c00c8b5cab5dedb6519eabba7ca6d069e2dfdae' -> 'github:nixos/nixos-hardware/f7540d6c27704ec0fe56ecc8b2a9b663181850b0'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/a7ff7a57c96588fd89370568b72751dd15d24e72' -> 'github:nixos/nixpkgs/d4e7af972158a14ebdd9c828b1c2e07e2ce7ef1c'
2021-04-28 00:05:23 +01:00
Tristan Daniël Maat
322ce9759d
flake: Fix remote install
2021-04-28 00:04:30 +01:00
Tristan Daniël Maat
d6a7df08fb
forge-server: Fix installation dir not being writeable
Not sure how I could miss this before pushing; I presume my nix store
wasn't cleaned thoroughly and this was some odd side-effect?
2021-04-25 22:38:51 +01:00
Tristan Daniël Maat
c3aea6e305
forge-server: Fix issues caused by the installer's reproducibility
This seems to mostly be due to mcpatcher patches being not quite
bit-for-bit reproducible. Oh well, at least this derivation should
work now.
2021-04-25 22:17:05 +01:00
Tristan Daniël Maat
71d783ec11
forge-server: Fix potential duplicate definition of config
2021-04-25 21:05:47 +01:00
Tristan Daniël Maat
70e5b6206e
Tweak voor-kia modpack config
In a nutshell:
- Apotheosis
- Don't clutter the world with super tall reed
- Don't ruin spawners - it's nice to build buildings in more locations
- Ice and fire
- *Really* tone down the griefing and amount of spawns
- Iron furnaces
- *Hopefully* disable the annoying update chat messages
- Quark
- Disable matrix enchanting so that apotheosis works
2021-04-25 06:23:17 +01:00
Tristan Daniël Maat
7ad729f2ca
Add voor-kia modpack with default configuration
2021-04-25 06:23:15 +01:00
Tristan Daniël Maat
ad110fbbea
Add voor-kia minecraft modpack
2021-04-25 06:23:10 +01:00
Tristan Daniël Maat
a9e3610744
Add support for building minecraft modpacks
2021-04-25 06:23:08 +01:00
Tristan Daniël Maat
b474f7e97c
Add forge minecraft service
2021-04-25 04:44:07 +01:00
Tristan Daniël Maat
1d95c40075
Boot VM in text mode
2021-04-25 02:41:38 +01:00
Tristan Daniël Maat
a3b72d11bd
Set limited permissions for the webserver container
2021-04-19 02:03:18 +01:00
Tristan Daniël Maat
04c00b9877
Fix NixOS profile imports
2021-04-18 02:58:49 +01:00
Tristan Daniël Maat
df76dcbf11
Rename the postgres named volumes
2021-04-17 22:14:21 +01:00
Tristan Daniël Maat
40002ac76e
Add webserver service
2021-04-12 01:58:11 +01:00
Tristan Daniël Maat
98cf95a922
Add nextcloud service
2021-04-12 01:58:09 +01:00
Tristan Daniël Maat
4689a153b9
Add gitea service
2021-04-12 01:58:07 +01:00
Tristan Daniël Maat
2df8a6892c
Implement podman pods option
2021-04-12 01:58:05 +01:00
Tristan Daniël Maat
5e87a5ec0c
Start reworking the server for nix flakes
This removes all existing services as well, in preparation of moving
them to `podman`. These are easier to update to
virtualisation.oci-containers while retaining the "networks" through
pods.
2021-04-12 01:58:03 +01:00
Tristan Daniël Maat
ce1a3fc3c1
Set new nextcloud/gitea database volumes
This changed because of a migration from postgresql 12 -> 13. Future
versions should probably be named with the database version appended,
rather than "new", but for now this is how the system is set up.
2021-01-19 01:00:31 +00:00
Tristan Daniël Maat
d8b479ddf7
Add access to the nextcloud network to the nextcloud cron service
This is apparently required for certain update operations, and should not
have been missing originally.
2020-09-29 15:19:43 +01:00
Tristan Daniël Maat
7d15e4c60b
Add the nextcloud cron service
This is necessary for some apps to work; in this instance it is being
enabled for the news app.
2020-09-29 12:57:04 +01:00
Tristan Daniël Maat
8e9b6169b1
minecraft: Run with a non-headless java to include awt
Quark requires awt on the server side to draw some things.
2020-08-16 21:24:27 +01:00
Tristan Daniël Maat
92131a0ec0
Correctly name the server.properties file in the minecraft container
Previously this would add a checksum to the name because it would use
the name provided by nixos, which of course would make minecraft not
read the server properties file.
2020-07-27 21:23:12 +01:00
Tristan Daniël Maat
af04f7433a
Specify ${pkgs.busybox} for cp in the minecraft entrypoint
The binary was previously not included in the image, causing the
server properties to be misdefined.
2020-07-27 21:10:46 +01:00
Tristan Daniël Maat
b5ea90a258
Add a volume to contain the minecraft world files
2020-07-27 20:56:17 +01:00
Tristan Daniël Maat
1d6ba77c7c
Fix nextcloud device authorization
This previously didn't work because nextcloud believed we were running
http, when in reality we were running https.
Overwrite the protocol, so that nextcloud can authorize devices.
2020-07-27 18:11:30 +01:00
Tristan Daniël Maat
c434f513cd
Use a full entrypoint instead of a runAsRoot script for minecraft
This needs to be done because the server does not support qemu, and
NixOS requires qemu to use the runAsRoot feature for docker images.
Instead, create the required files as part of the entrypoint.
Fixes #6
2020-07-27 18:06:32 +01:00
Tristan Daniël Maat
240bad3a6f
Fix broken tlaternet-templates location
I missed the .nix suffix, and due to lacking CI, I didn't catch the
error before merging.
Whoops!
2020-07-20 21:09:21 +01:00
Tristan Daniël Maat
dd1335cb36
Update the templates
2020-07-20 21:03:01 +01:00
Tristan Daniël Maat
a57565678a
Update the rust webserver
2020-07-20 20:57:00 +01:00
Tristan Daniël Maat
da2a3c00de
Add linode hardware configuration
2020-07-20 20:33:11 +01:00
Tristan Daniël Maat
1f0c70f1c2
Add minecraft service
This is an initial configuration to restore old services.
Obviously, vendoring everything in a tarball is pretty awful, and if I
ever wanted to open source this, that would be a problem.
I intend to create a proper derivation in time, but including mods is
difficult from some initial experimentation.
2020-07-19 21:14:21 +01:00
Tristan Daniël Maat
74a19ed164
Make tlater part of the wheel group again
Trying to go sudo-less immediately was probably a bit too
ambitious. Once we have a working continuous deployment setup this may
be applied again.
2020-07-13 21:46:02 +01:00
Tristan Daniël Maat
5a5fad7c82
Set usePredictableInterfaceNames
We do this to allow eth0 to be set up for dhcp automagically. Linode
recommends this, and it makes our configuration simpler.
2020-07-13 21:46:00 +01:00
Tristan Daniël Maat
d59a8b8fc6
Add client_max_body_size configuration to nginx-proxy
Technically I could use a per-host configuration here and forego the
whole nextcloud nginx container, but for the time being it's simpler
to set the global upload limit to 16G as well.
2020-07-13 21:45:57 +01:00