Commit graph

50 commits

Author SHA1 Message Date
6d3e14ec27 feat: finer-grained ACLs for server accesses
In the process of adding multi-tenant infrastructure, it seems relevant
to add finer-grained ACLs.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-05 16:20:19 +02:00
f321ab6450 users: add winterqt
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-09-28 21:09:06 +02:00
9a04ef909b feat(nixpkgs): run oxidized channel scripts
We don't need weird Perl scripts where we are going. Here's a streaming
channel-scripts deployment with plenty of bells, including OTLP.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 19:32:23 +02:00
c969625b0f fix(sniproxy): outside/inside of infra, the ingress IPs are different
In my infrastructure, the source node is 99::1; outside of my infra,
it's ::1.

All of this machinery was never really meant to be used on this scale,
so oopsie.

We should build our own sniproxy at some point.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-30 19:01:44 +02:00
0eaaf860d1 feat(common): enable system wide diff in the activation output
This helps me to review what changes could be problematic in advance.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-23 20:43:00 +02:00
ce3a40671c acme: make ToS and contact config common 2024-08-16 09:03:08 +02:00
50fadb45e2 common: define TZ in base server configs, remove heretical host-specific configuration 2024-08-13 22:38:40 +02:00
37bcb261ab ssh-keys: add build-coord, rekey secrets 2024-08-13 22:36:30 +02:00
3f2909dd8a public-keys: add public01 SSH host key
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-13 19:15:05 +02:00
b1c28cfc7c bagel-cache.s3-web.delroth.net -> cache.forkos.org 2024-08-06 13:26:15 +02:00
8390caee53 users: Add thubrecht 2024-07-23 23:14:39 +02:00
1b82c2f8fd common/{admin,ssh-keys}: add hexchen 2024-07-23 23:07:12 +02:00
26c5e56605 common/{admins,ssh-keys}: sort users 2024-07-23 23:06:17 +02:00
56a04a6faf buildbot: init
Reviewed-on: #68
2024-07-18 08:57:56 +00:00
e00d0331ec common/known-ssh-keys: init
Let's ensure that all our servers are aware of all host keys to avoid
host key verification issues when needed.

(example: buildbot → gerrit)

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-17 18:00:51 +02:00
c3394264ba hosts/buildbot: init
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-17 18:00:51 +02:00
7789e9ce75 services/buildbot: init
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-17 18:00:51 +02:00
81fc914d79 feat: change the default shell to zsh
Reviewed-on: #59
2024-07-17 12:56:45 +00:00
ab9caaf520 systems: add git.forkos.org 2024-07-16 15:44:08 +02:00
d4caf7b71a admins: add emilylange 2024-07-16 15:43:58 +02:00
af515792cc admins: add janik 2024-07-13 01:10:39 +00:00
bed5ef022f change the default user shell to zsh 2024-07-12 19:50:34 +02:00
329f267b02 enable nftables on all hosts 2024-07-11 02:05:35 +02:00
58325e30dd common/nix: use bagel-cache by default 2024-07-10 18:17:30 +02:00
70e608a8f7 common: provide a pinned nixpkgs on all infra machines 2024-07-10 17:17:18 +02:00
3cbdbc45f7 more quality of life improvements... 2024-07-10 15:54:30 +02:00
787b3af638 Add wob-vpn-gw key, rekey metrics push password for it 2024-07-10 15:13:05 +03:00
e608b92e4f Add htop and btop to default machine config 2024-07-10 15:01:09 +03:00
9e7e6d42ab Make nginx/loki/mimir go fast 2024-07-10 14:55:28 +03:00
39d2352bbc general quality of life improvements 2024-07-09 23:26:12 +00:00
a7d21e96a0 add global hardening options 2024-07-09 23:26:12 +00:00
bc8ef7b5fc ssh-keys: remove raito's key which is too NSA'd for agenix 2024-07-10 01:04:48 +02:00
61e8048445 sysadmin: remove pwru, does not build on latest nixpkgs 2024-07-10 01:01:27 +02:00
f9f955214f ssh-keys: add raito to secrets set
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-10 00:59:22 +02:00
eb21cb6916 add baremetal builders 2024-07-10 00:35:01 +02:00
c0e1d05b3c admins: add yuka 2024-07-09 10:34:30 +02:00
48579e8818 feat: add gdb to sysadmin tooling
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-08 22:10:06 +00:00
d4e9dcc2a6 admins: provision lukegb
hello I can be trusted with your infrastructure
2024-07-08 21:55:41 +00:00
e803c198c1 admins: provision jade
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-07 13:15:27 +00:00
578e24e634 systems: add fodwatch.forkos.org
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-07 13:15:27 +00:00
3ad481c125 Clean up SSH key dupes, add Maxine 2024-07-05 16:10:31 +00:00
fa1bc1ced9 Merge pull request 'gerrit01: those who finetune even further' (#20) from gerrit-finetuning into main
Reviewed-on: delroth/bagel-infra#20
2024-07-05 12:37:43 +00:00
e27f152f00 common/base-server: use ambient stable lix by default
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-05 13:29:47 +02:00
6fb584109a common/raito-vm: disable useDHCP
We are using networkd by default…

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-05 13:12:35 +02:00
0b01e9a99f gerrit01: those who finetune even further
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-05 12:23:44 +02:00
832b0784d8 common/admins: add K900
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-04 23:57:05 +02:00
bf8fe65f9f bagel-box: update ssh host key & rekey 2024-07-04 13:59:18 +02:00
98a33e4300 gerrit01: init
With:

- A package hierarchy
- A source-based Gerrit deployment

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-01 21:22:36 +02:00
e3f3c87c0d meta01: init
Includes:

- Raito VM module
- Raito proxy aware NGINX module
- Base server module
- Sysadmin module
- New SSH keys
- Netbox module

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-01 19:40:37 +02:00
04bd33e32c infra: add agenix, add s3 credentials 2024-06-24 18:03:20 +02:00