Commit graph

44 commits

Author SHA1 Message Date
Tristan Daniël Maat fa73574dba
nginx: Factor nginx configuration into a separate module 2024-03-12 06:07:24 +01:00
Tristan Daniël Maat 1c6e7ec106
acme: Don't attempt to get certs if the domain is wrong 2024-03-11 03:42:29 +01:00
Tristan Daniël Maat ddda6f534b
hetzner: Add new server config 2024-03-11 03:42:28 +01:00
Tristan Daniël Maat 95b5d4b3bd
nginx: Reduce number of rotated logs kept around 2023-12-15 17:04:42 +01:00
Tristan Daniël Maat 55a4aaf48b
metrics: Add metrics with victoriametrics + grafana 2023-10-12 20:41:04 +02:00
Tristan Daniël Maat 87dd9daa4f
backups: Add atomic backups with restic 2023-10-12 20:27:34 +02:00
Tristan Daniël Maat 828d3f3878
services: Update outdated options 2023-07-28 11:23:56 +02:00
Tristan Daniël Maat acd7cc802b
networking: Set up static IP address 2023-05-11 22:09:32 +01:00
Tristan Daniël Maat bb397841ee
refactoring: Use flake-inputs instead of awkwardly passing through 2023-02-26 05:59:09 +00:00
Tristan Daniël Maat b7726af1c4
config: Make changes suggested post 22.11 update 2023-01-11 02:38:56 +00:00
Tristan Daniël Maat 957ab110c5
firewall: Open Minecraft ports for port forwarding 2023-01-11 02:38:53 +00:00
Tristan Daniël Maat a28d385b17
conduit: Enable TURNS with a ZeroSSL-provided certificate 2022-11-05 22:26:52 +00:00
Tristan Daniël Maat 997707021b
config: Enable authorization through ssh agent
This enables sudo-via-yubikey and therefore makes `-t` obsolete, in
turn fixing a whole sleuth of issues with deploy-rs.

*And* seems more secure and convenient at the same time.
2022-11-05 18:01:07 +00:00
Tristan Daniël Maat 0528f73187
nginx: Remove mitigation for openssl CVE
This has been fixed, instead we just update to the latest openssl.
2022-11-05 17:33:28 +00:00
Tristan Daniël Maat 2304711359
config: Mitigate upcoming SSL CVE
See
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html

As 1.1 is unaffected, this override should be sufficient to evade this
problem.
2022-10-31 16:07:41 +00:00
Tristan Daniël Maat b3e8b0e85c
default.nix: Turn on minimal profile 2022-10-30 18:26:45 +00:00
Tristan Daniël Maat c72953e1ef
matrix: Add coturn support for calls 2022-10-29 01:39:09 +01:00
Tristan Daniël Maat c56de6cf7e
conduit: Add new conduit service 2022-10-22 21:22:55 +01:00
Tristan Daniël Maat 61d3008bc3
nextcloud: Fetch apps using nvfetcher 2022-10-17 11:00:02 +01:00
Tristan Daniël Maat c4fa991b62
treewide: Add fail2ban 2022-10-14 06:27:11 +01:00
Tristan Daniël Maat 78ecfd63a1
starbound: Fix post-update issues 2022-10-14 05:58:15 +01:00
Tristan Daniël Maat e8b16459d9
treewide: Refactor in order to clean up flake.nix 2022-10-14 05:58:13 +01:00
Tristan Daniël Maat 068e6d5d77
webserver: Use a hardened systemd unit instead of a container 2022-10-14 05:58:11 +01:00
Tristan Daniël Maat b6594cea54
gitea: Use a hardened systemd unit instead of a container 2022-10-14 05:58:08 +01:00
Tristan Daniël Maat 3cedb9f978
nextcloud: Use a hardened systemd unit instead of a container 2022-10-14 05:58:05 +01:00
Tristan Daniël Maat 6a81ce4c1d
sops: Improve secrets provisioning to split out staging 2022-10-12 23:22:50 +01:00
Tristan Daniël Maat ab3aa19481
treewide: Perform another nitpicking sweep 2022-10-12 23:22:42 +01:00
Tristan Daniël Maat 7095ab2631
treewide: Remove minecraft server
This has fallen into disuse since the big Java vulnerability, and I
have ideas for better ways of doing this. Meanwhile it's making
maintenance and refactoring more difficult.

Hence I'll remove the server completely for the time being.
2022-10-12 13:12:04 +01:00
Tristan Daniël Maat 046a88905d
treewide: Reformat project with alejandra 2022-10-10 13:03:18 +01:00
Tristan Daniël Maat 58e52dd119
ssh: Allow proxy connections with gatewayPorts 2022-10-10 13:01:26 +01:00
Tristan Daniël Maat cd92ec64c2
Add starbound server 2022-04-23 08:47:13 +01:00
Tristan Daniël Maat e7102adec1
Add sops-nix 2022-04-23 08:47:07 +01:00
Tristan Daniël Maat 3bdbe66fe4
nginx: Enable HSTS 2021-10-12 13:53:08 +01:00
Tristan Daniël Maat 4fe3b8b22b
minecraft: Fix ridiculous CPU usage
Tapes over https://bugs.mojang.com/browse/MC-183518, which schedules
things completely stupidly on Linux starting with 1.14.
2021-08-25 20:06:05 +01:00
Tristan Daniël Maat 343c7fcc36
nginx: Don't override extra options in the host helper 2021-05-17 00:13:58 +01:00
Tristan Daniël Maat 5f8899d542
nginx: Make VM testing easier by binding virtualHosts to localhost 2021-05-17 00:13:38 +01:00
Tristan Daniël Maat 458f6c7f7b
nginx: Avoid connection issues caused by IPv6 resolution
If localhost is specified in the proxyPass url, nginx will happily
resolve IPv6 addresses, even if the upstream doesn't support them.

This can result in connection issues, especially with containers that
don't support IPv6.
2021-05-16 01:34:03 +01:00
Tristan Daniël Maat 939c768280
nix: Add the wheel group to trusted users to allow remote builds 2021-04-28 00:22:21 +01:00
Tristan Daniël Maat b474f7e97c
Add forge minecraft service 2021-04-25 04:44:07 +01:00
Tristan Daniël Maat a3b72d11bd
Set limited permissions for the webserver container 2021-04-19 02:03:18 +01:00
Tristan Daniël Maat 40002ac76e
Add webserver service 2021-04-12 01:58:11 +01:00
Tristan Daniël Maat 98cf95a922
Add nextcloud service 2021-04-12 01:58:09 +01:00
Tristan Daniël Maat 4689a153b9
Add gitea service 2021-04-12 01:58:07 +01:00
Tristan Daniël Maat 5e87a5ec0c
Start reworking the server for nix flakes
This removes all existing services as well, in preparation of moving
them to `podman`. These are easier to update to
virtualisation.oci-containers while retaining the "networks" through
pods.
2021-04-12 01:58:03 +01:00