Commit Graph

596 Commits

Author SHA1 Message Date
oysteikt 170fb2a980 bicep/synapse: fix dbname option 2026-06-22 18:55:14 +09:00
oysteikt 3fee83ec05 ildkule/loki: restrict incoming connections to pvv + ntnu 2026-06-22 01:23:16 +09:00
oysteikt a1f02fc39d {ildkule/loki,base/fluentbit}: send data over https 2026-06-22 01:23:16 +09:00
adriangl 6e37635aac ildkule/loki: firewall all endpoints except push API
Co-authored-by: Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
2026-06-22 01:23:14 +09:00
oysteikt cdc3ad488b bicep/postgres: add script for updating all collations 2026-06-22 01:12:59 +09:00
oysteikt aa2712005a temmie/nfs-mounts: create by-uid bindmounts 2026-06-17 13:43:19 +09:00
oysteikt 89921b533b temmie/userweb: further harden log-processor 2026-06-17 12:31:02 +09:00
oysteikt 75f87ffab8 temmie/userweb: run passwd sync in different unit 2026-06-17 12:15:23 +09:00
oysteikt b910cf9563 temmie/userweb: suppress erroneous access log for documentRoot 2026-06-17 08:57:55 +09:00
oysteikt d23adbd4c2 temmie/userweb: deny access to documentRoot 2026-06-17 08:49:44 +09:00
oysteikt 48c0a4e504 temmie/userweb: fix directory denylist enforcement 2026-06-17 08:23:08 +09:00
oysteikt d84cc73819 temmie/userweb: handle more .php\d suffixes 2026-06-16 19:07:58 +09:00
oysteikt b738f08c09 temmie/userweb: render path denylist into Directory/Files directives 2026-06-16 19:07:57 +09:00
oysteikt 8252bba3ad temmie/userweb: enable httpd trace on debugMode 2026-06-16 19:07:57 +09:00
oysteikt a776a5a5fe temmie/userweb: explicitly override mod_perl and mod_userdir 2026-06-16 19:07:57 +09:00
oysteikt ed57744ec3 temmie/userweb: add more patterns to denylist 2026-06-16 16:07:32 +09:00
oysteikt 226db1f46e temmie/userweb: add more DirectoryIndex variants 2026-06-16 16:07:32 +09:00
oysteikt 51e1656177 temmie/userweb: disable ~pvv 2026-06-16 15:53:52 +09:00
oysteikt 47d2dcf9ff temmie/userweb: add bro server to userweb slice 2026-06-16 03:37:28 +09:00
oysteikt 254b1d9b14 temmie/userweb: split into more modules 2026-06-16 03:33:28 +09:00
oysteikt 2301672a21 temmie/userweb: run log processors as separate systemd units
This lets us divide up some of the logic making httpd itself less
brittle, and also reduces the amount of privileges for httpd.
2026-06-16 02:56:28 +09:00
oysteikt 526b55c49a {ildkule/prometheus,base}: send stats over HTTPS through nginx 2026-06-13 02:54:28 +09:00
oysteikt e80189c6eb temmie/userweb: stop cating passwd on startup 2026-06-13 01:41:05 +09:00
oysteikt 56a51e4c6f temmie/userweb: mount homedirs under /amd 2026-06-13 01:39:20 +09:00
oysteikt f54109f6f3 temmie/userweb: set handlers for php and perl scripts 2026-06-13 01:26:27 +09:00
oysteikt b848e0f1cc temmie/userweb: add log processor for apache 2026-06-07 06:03:18 +09:00
oysteikt c671329b93 temmie/userweb: inject users from passwd into httpd sandbox 2026-06-07 05:28:24 +09:00
oysteikt 2d6b09cb32 bikkje: label ports in firewall port list 2026-06-06 04:08:16 +09:00
oysteikt 88892115b5 base: enable autoScrub for all btrfs machines by default 2026-06-06 04:05:26 +09:00
oysteikt 8a290d30e7 modules/drumknotty: split into several parts
This also fixes a few issues, such as enabling `createLocalDatabase` for
multiple programs, and wraps all the screen logic within a screenrc
file. Some assertions were also added to avoid some easy-to-make
mistakes.
2026-06-05 14:21:35 +02:00
vegardbm 009d89f959 set default settings for worblehat and dibbler 2026-06-05 14:09:06 +02:00
vegardbm 7e754ade71 drumknotty: init 2026-06-05 14:08:58 +02:00
oysteikt 966081ebfc bicep/mysql: enable userstat 2026-06-03 15:31:27 +09:00
oysteikt 39d313579c bicep/mysql: rotate slow query logs 2026-06-03 15:21:18 +09:00
oysteikt 3386153b8b ildkule/prometheus/exim: make scheme explicit 2026-06-03 13:35:13 +09:00
oysteikt 56906241f6 bekkalokk/roundcube: temporary fix for webmail redirects 2026-06-01 03:52:09 +09:00
oysteikt 3fe71d21f6 bekkalokk/roundcube: webdir moved to public_html within package 2026-06-01 02:57:43 +09:00
oysteikt 1ce3372683 lupine/binfmt: enable 2026-06-01 01:00:50 +09:00
adriangl 5f14c15679 feat: add radicale to bekkalokk 2026-06-01 00:59:54 +09:00
oysteikt 64843087be kommode/gitea: only allow webhooks to external hosts
We don't have any servers with intranet IPs, and we want webhooks that
hook back to kommode to pass through its firewall.
2026-05-29 12:58:26 +09:00
oysteikt 0c45345050 bicep/matrix-ooye: harden 2026-05-28 16:07:36 +09:00
oysteikt 788f23bf04 bicep/matrix-hookshot: harden 2026-05-28 15:58:04 +09:00
oysteikt 8416014aeb bicep/mjolnir: harden 2026-05-28 15:58:04 +09:00
oysteikt 5bf0de1d0d bekkalokk/website/fetch-gallery: use proper shellscript builder 2026-05-28 03:58:08 +09:00
oysteikt a550bbf1e0 bekkalokk/roundcube: use specialized builder for nginx root dir 2026-05-28 03:46:59 +09:00
oysteikt 6d9bd8256f kommode/gitea/install-customization: disable networking 2026-05-28 03:15:47 +09:00
oysteikt 5c859d9809 kommode/gitea/install-customization: remove ExecStart bash wrapper 2026-05-28 03:15:06 +09:00
oysteikt dfbed75cd9 kommode/gitea/gpg: remove ExecStart bash wrapper 2026-05-28 03:06:07 +09:00
oysteikt 6237a0a0e7 bicep/minecraft-heatmap: remove ExecStartPre bash wrapper 2026-05-28 03:03:38 +09:00
oysteikt bd2263a0a9 kommode/gitea/import-users: remove ExecStartPre bash wrapper 2026-05-28 03:02:59 +09:00