Commit graph

86 commits

Author SHA1 Message Date
Tristan Daniël Maat dd41fa1ac4
hetzner: Add new server config 2024-03-11 00:32:47 +01:00
Tristan Daniël Maat 3e1c95797c
WIP: gitea: Migrate to forgejo 2023-12-30 22:09:32 +01:00
Tristan Daniël Maat ebc45a9af1
treewide: Upgrade to NixOS 23.11 2023-12-30 19:41:06 +01:00
Tristan Daniël Maat 4a966412b8
staging: Use a static ssh host key 2023-12-29 16:48:23 +01:00
Tristan Daniël Maat 95b5d4b3bd
nginx: Reduce number of rotated logs kept around 2023-12-15 17:04:42 +01:00
Tristan Daniël Maat eb3bd485c4
metrics: Add size limit to victoriametrics 2023-12-15 17:04:39 +01:00
Tristan Daniël Maat 759a9c7c0c
conduit: Fix acme issue
letsencrypt will prod on port 80 to verify the domain. `listen`
overrides `addSSL`, so none of the NixOS modules' setup will actually
work.

This means the conduit virtualhost never listened on port 80, and
couldn't verify letsencrypt requests.

How this *ever* worked is beyond me, but this commit resolves the
problems (don't worry, `forceSSL` does what it says on the tin and
overrides the `listen` again).
2023-10-13 06:08:26 +02:00
Tristan Daniël Maat 55a4aaf48b
metrics: Add metrics with victoriametrics + grafana 2023-10-12 20:41:04 +02:00
Tristan Daniël Maat 78a9eac9bb
sops: Sort secrets alphabetically 2023-10-12 20:27:43 +02:00
Tristan Daniël Maat 87dd9daa4f
backups: Add atomic backups with restic 2023-10-12 20:27:34 +02:00
Tristan Daniël Maat ab5e088016
conduit: Add Element X support 2023-09-18 04:17:16 +02:00
Tristan Daniël Maat bb3ffbbd90
nextcloud: Configure redis caching 2023-07-29 18:17:39 +02:00
Tristan Daniël Maat 0c5755d2f0
nextcloud: Upgrade to version 27 2023-07-29 18:17:24 +02:00
Tristan Daniël Maat 88d96f198b
nextcloud: Apply recommended PHP setting 2023-07-28 12:19:00 +02:00
Tristan Daniël Maat 828d3f3878
services: Update outdated options 2023-07-28 11:23:56 +02:00
Tristan Daniël Maat a3e2d2931c
services: Add FoundryVTT service 2023-05-11 22:22:30 +01:00
Tristan Daniël Maat 14d29fa49d
services: Add wireguard service 2023-05-11 22:09:39 +01:00
Tristan Daniël Maat acd7cc802b
networking: Set up static IP address 2023-05-11 22:09:32 +01:00
Tristan Daniël Maat 74f38614a0
matrix: Add heisenbridge 2023-02-28 04:26:55 +00:00
Tristan Daniël Maat 33ec32a8da
conduit: Update to 0.5.0 2023-02-26 05:59:54 +00:00
Tristan Daniël Maat bb397841ee
refactoring: Use flake-inputs instead of awkwardly passing through 2023-02-26 05:59:09 +00:00
Tristan Daniël Maat b7feffc52f
hardware-configuration: Update to new auto-generated settings 2023-01-11 02:38:58 +00:00
Tristan Daniël Maat b7726af1c4
config: Make changes suggested post 22.11 update 2023-01-11 02:38:56 +00:00
Tristan Daniël Maat 957ab110c5
firewall: Open Minecraft ports for port forwarding 2023-01-11 02:38:53 +00:00
Tristan Daniël Maat f6e39e09a5
gitea: Update configuration for 22.11 2023-01-11 02:38:50 +00:00
Tristan Daniël Maat b798efb2c0
nextcloud: Update the service and apps for 22.11 2023-01-11 02:38:42 +00:00
Tristan Daniël Maat a28d385b17
conduit: Enable TURNS with a ZeroSSL-provided certificate 2022-11-05 22:26:52 +00:00
Tristan Daniël Maat 997707021b
config: Enable authorization through ssh agent
This enables sudo-via-yubikey and therefore makes `-t` obsolete, in
turn fixing a whole sleuth of issues with deploy-rs.

*And* seems more secure and convenient at the same time.
2022-11-05 18:01:07 +00:00
Tristan Daniël Maat 0528f73187
nginx: Remove mitigation for openssl CVE
This has been fixed, instead we just update to the latest openssl.
2022-11-05 17:33:28 +00:00
Tristan Daniël Maat 598c439002
conduit: Disable turns, remove the user limits and add all relay IPs 2022-11-05 17:10:39 +00:00
Tristan Daniël Maat 2304711359
config: Mitigate upcoming SSL CVE
See
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html

As 1.1 is unaffected, this override should be sufficient to evade this
problem.
2022-10-31 16:07:41 +00:00
Tristan Daniël Maat b3e8b0e85c
default.nix: Turn on minimal profile 2022-10-30 18:26:45 +00:00
Tristan Daniël Maat c72953e1ef
matrix: Add coturn support for calls 2022-10-29 01:39:09 +01:00
Tristan Daniël Maat c56de6cf7e
conduit: Add new conduit service 2022-10-22 21:22:55 +01:00
Tristan Daniël Maat 61d3008bc3
nextcloud: Fetch apps using nvfetcher 2022-10-17 11:00:02 +01:00
Tristan Daniël Maat c4fa991b62
treewide: Add fail2ban 2022-10-14 06:27:11 +01:00
Tristan Daniël Maat 1ddf23bd01
nextcloud: Update nextcloud version 2022-10-14 05:58:18 +01:00
Tristan Daniël Maat 78ecfd63a1
starbound: Fix post-update issues 2022-10-14 05:58:15 +01:00
Tristan Daniël Maat e8b16459d9
treewide: Refactor in order to clean up flake.nix 2022-10-14 05:58:13 +01:00
Tristan Daniël Maat 068e6d5d77
webserver: Use a hardened systemd unit instead of a container 2022-10-14 05:58:11 +01:00
Tristan Daniël Maat b6594cea54
gitea: Use a hardened systemd unit instead of a container 2022-10-14 05:58:08 +01:00
Tristan Daniël Maat 3cedb9f978
nextcloud: Use a hardened systemd unit instead of a container 2022-10-14 05:58:05 +01:00
Tristan Daniël Maat 6a81ce4c1d
sops: Improve secrets provisioning to split out staging 2022-10-12 23:22:50 +01:00
Tristan Daniël Maat ab3aa19481
treewide: Perform another nitpicking sweep 2022-10-12 23:22:42 +01:00
Tristan Daniël Maat 7095ab2631
treewide: Remove minecraft server
This has fallen into disuse since the big Java vulnerability, and I
have ideas for better ways of doing this. Meanwhile it's making
maintenance and refactoring more difficult.

Hence I'll remove the server completely for the time being.
2022-10-12 13:12:04 +01:00
Tristan Daniël Maat 046a88905d
treewide: Reformat project with alejandra 2022-10-10 13:03:18 +01:00
Tristan Daniël Maat 58e52dd119
ssh: Allow proxy connections with gatewayPorts 2022-10-10 13:01:26 +01:00
Tristan Daniël Maat ed74cfa576
starbound: Fix permissions for a syscall steamcmd needs 2022-04-23 09:31:21 +01:00
Tristan Daniël Maat cd92ec64c2
Add starbound server 2022-04-23 08:47:13 +01:00
Tristan Daniël Maat e7102adec1
Add sops-nix 2022-04-23 08:47:07 +01:00