Commit Graph

235 Commits

Author SHA1 Message Date
Oystein Kristoffer Tveit 067a97bfbc
common/nix: add github access tokens 2024-06-25 20:21:16 +02:00
Oystein Kristoffer Tveit f74c1f7aa8
secrets: split secrets per machine to reduce conflicts 2024-06-25 19:27:23 +02:00
Oystein Kristoffer Tveit 96a2a3b3a0
kasei: add binfmt.emulatedSystems 2024-06-25 19:03:00 +02:00
Oystein Kristoffer Tveit f3bcaad18b
fcitx5: move configuration to home-manager 2024-06-25 19:01:07 +02:00
Oystein Kristoffer Tveit 73f527559e
tsuki/nginx: add vhost for experimental mutable bluemap setup 2024-06-10 00:50:11 +02:00
Oystein Kristoffer Tveit a6c24b04a1
tsuki/nhk-easy-news-scraper: temporarily disable statedir + bindmount 2024-06-10 00:48:02 +02:00
Oystein Kristoffer Tveit e3cedee060
tsuki/matrix-synapse: add dependencies to systemd slice 2024-06-10 00:46:49 +02:00
Oystein Kristoffer Tveit 53c6c32fb8
tsuki/plex: remove security hardening, included in nixos 24.05 2024-06-10 00:45:19 +02:00
Oystein Kristoffer Tveit 3a81abb683
tsuki/matrix-stickers: update hash for stickerpack 2024-06-10 00:44:39 +02:00
Oystein Kristoffer Tveit 9d090da7cd
rebase: remove mx-puppet-discord 2024-06-10 00:43:55 +02:00
Oystein Kristoffer Tveit 9187a62d6f
tsuki: use `ensureDBOwnership` for postgres for nixos 24.05 migration 2024-06-10 00:43:04 +02:00
Oystein Kristoffer Tveit 68bf2cd1b0
inputs/maunium-stickerpicker-nix: pin to release 2024-06-09 16:18:42 +02:00
Oystein Kristoffer Tveit c7123f23ac
tsuki/invidious: remove 2024-06-09 16:13:32 +02:00
Oystein Kristoffer Tveit e943f2fe5f
tsuki/headscale: disable 2024-06-09 16:13:32 +02:00
Oystein Kristoffer Tveit 830e5477f3
tsuki/navidrome: remove 2024-06-09 16:13:31 +02:00
Oystein Kristoffer Tveit 7f36a1b8c8
tsuki/mx-puppet-discord: remove 2024-06-09 16:13:31 +02:00
Oystein Kristoffer Tveit 2a388e29a5
tsuki/mautrix-facebook: remove 2024-06-09 16:13:31 +02:00
Oystein Kristoffer Tveit 2b0968283d
tsuki/gitea: remove 2024-06-09 16:13:31 +02:00
Oystein Kristoffer Tveit a20bb288aa
tsuki/jupyter: remove 2024-06-09 15:40:57 +02:00
Oystein Kristoffer Tveit 3b736e4c61
tsuki/pgadmin: remove 2024-06-09 15:34:09 +02:00
Oystein Kristoffer Tveit 358a668aa7
tsuki/hydra: remove 2024-06-09 15:30:17 +02:00
Oystein Kristoffer Tveit 37a43a2bd9
tsuki/gitea-runners: init 2024-06-09 15:25:47 +02:00
Oystein Kristoffer Tveit 43cabb09ef
kasei/avahi: setup 2024-06-08 12:47:46 +02:00
Oystein Kristoffer Tveit 5bdf629e2f
nix-ld: setup 2024-06-08 12:45:43 +02:00
Oystein Kristoffer Tveit 89a667ec7e
nix: remove repl-flake experimental feature 2024-06-08 12:45:16 +02:00
Oystein Kristoffer Tveit 8dc56e4aa7
treewide: override several programs to conform to xdg dir spec 2024-06-08 12:37:01 +02:00
Oystein Kristoffer Tveit 9caab9f6a7
start update to nixpkgs 24.05 by updating kasei and common 2024-06-02 17:17:24 +02:00
Oystein Kristoffer Tveit 8f73eaf1b4
fonts: fix deprecated option names 2024-06-02 16:36:22 +02:00
Oystein Kristoffer Tveit 299eee4238
common: add more nix builder declarations 2024-06-02 16:34:07 +02:00
Oystein Kristoffer Tveit 29579969a4
common: declare local flake registry 2024-06-02 16:32:23 +02:00
Oystein Kristoffer Tveit 5dca478291
fcitx: use declarative config 2024-06-02 16:31:08 +02:00
Oystein Kristoffer Tveit a8bfbbc532
common: add h7x4 to wireshark group 2024-06-02 16:30:31 +02:00
Oystein Kristoffer Tveit 4f561c1dae
gnupg: use curses pinentry 2024-06-02 16:30:09 +02:00
Oystein Kristoffer Tveit c902040ade
common: move sudo-lecture out of etc 2024-06-02 16:29:48 +02:00
Oystein Kristoffer Tveit 347a731839
kasei: misc general config 2024-06-02 16:26:44 +02:00
Oystein Kristoffer Tveit fce206e772
kasei: setup keybase using module 2024-06-02 16:18:56 +02:00
Oystein Kristoffer Tveit dd800a3794
tsuki/nhk-scraper: WIP changes 2024-01-23 05:51:37 +01:00
Oystein Kristoffer Tveit 9f2e7f7ac1
tsuki/nginx: remove proxmox vhost 2024-01-23 05:49:17 +01:00
Oystein Kristoffer Tveit df5f0dc9c4
tsuki/matrix: use postgres through socket 2024-01-23 05:46:24 +01:00
Oystein Kristoffer Tveit 4f020f4cdd
tsuki/matrix: downscale workers 2024-01-23 05:46:06 +01:00
Oystein Kristoffer Tveit b8daea8fc1
tsuki/headscale: conditional config 2024-01-23 05:40:52 +01:00
Oystein Kristoffer Tveit 4d2875d168
tsuki/hedgedoc: use upstream module 2024-01-23 05:40:19 +01:00
Oystein Kristoffer Tveit 22f5345026
tsuki/hydra: harden server unit 2024-01-23 05:36:39 +01:00
Oystein Kristoffer Tveit ce5c3666b9
tsuki/jupyter: set up tmpdirs for notebooks 2024-01-23 05:35:58 +01:00
Oystein Kristoffer Tveit 1ea23dc42e
tsuki: set system.stateVersion 2024-01-23 05:35:20 +01:00
Oystein Kristoffer Tveit 56df2f5e10
tsuki: lowercase hostname 2024-01-23 05:33:48 +01:00
Oystein Kristoffer Tveit 8ce9100913
kanidm: explicitly bind to localhost 2024-01-23 05:32:34 +01:00
Oystein Kristoffer Tveit d629eedaaf
tsuki/navidrome: conditional config 2024-01-23 05:31:26 +01:00
Oystein Kristoffer Tveit 72e7626e9d
tsuki/postgres: tune for bare metal setup 2024-01-23 05:31:06 +01:00
Oystein Kristoffer Tveit f49d3665fc
tsuki/vaultwarden: disable invitations 2024-01-23 05:30:14 +01:00
Oystein Kristoffer Tveit fe50d92f8c
tsuki/vaultwarden: conditional config 2024-01-23 05:29:57 +01:00
Oystein Kristoffer Tveit 3d2825d1ec
tsuki/samba: init 2024-01-23 05:29:17 +01:00
Oystein Kristoffer Tveit 1efd3d4f0a
tsuki/kanidm: set up backups 2024-01-23 05:27:43 +01:00
Oystein Kristoffer Tveit 851d0c1fd0
tsuki/prometehus: set up slice for exporters 2024-01-23 05:26:22 +01:00
Oystein Kristoffer Tveit 0d3e805611
tsuki: move to bare metal, set up zfs 2024-01-23 05:24:47 +01:00
Oystein Kristoffer Tveit 3a52ba8901
treewide: update to nixos 23.11 2023-12-18 20:59:48 +01:00
Oystein Kristoffer Tveit b1650e91a6
kasei: split services into `services` directory 2023-12-11 13:27:40 +01:00
Oystein Kristoffer Tveit 7193a12ac2
tsuki/services: remove some uses of secret ports 2023-10-06 18:27:21 +02:00
Oystein Kristoffer Tveit 3d613d1ac9
tsuki/invidious: use socket activation 2023-10-06 18:27:19 +02:00
Oystein Kristoffer Tveit 424fea0dc8
tsuki/jupyter: use socket activation 2023-10-06 18:27:18 +02:00
Oystein Kristoffer Tveit 5bb10df9e1
tsuki/borg: partial systemd hardening
There's still quite a bit to do, but the service fails on a weird option
that I've not been able to pin down. At least this is better than
nothing ¯\_(ツ)_/¯
2023-10-06 18:27:17 +02:00
Oystein Kristoffer Tveit 450d26cf4b
tsuki/atuin: use socket activation 2023-10-06 18:27:16 +02:00
Oystein Kristoffer Tveit aca2962eec
tsuki/vaultwarden: use socket activation 2023-10-06 18:27:15 +02:00
Oystein Kristoffer Tveit caedfe1810
tsuki/matrix/stickers: use new module and add lots of stickerpacks 2023-10-06 18:27:14 +02:00
Oystein Kristoffer Tveit 6663a8f280
tsuki/atuin: systemd harden 2023-07-28 22:25:50 +02:00
Oystein Kristoffer Tveit dec150ae98
gpg agent: systemwide -> homemanager 2023-07-28 22:23:43 +02:00
Oystein Kristoffer Tveit 5f7eb0c8a5
tsuki/prometheus: add exporters for hedgedoc and gitea 2023-07-28 22:09:43 +02:00
Oystein Kristoffer Tveit d74ed2d045
tsuki/grafana: enable oauth2, misc hardening 2023-07-28 22:05:23 +02:00
Oystein Kristoffer Tveit 816a46603a
tsuki/vaultwarden: systemd harden 2023-07-28 22:05:22 +02:00
Oystein Kristoffer Tveit b5874e2bcd
tsuki/navidrome: init 2023-07-28 22:05:22 +02:00
Oystein Kristoffer Tveit c2026eefeb
tsuki/nginx: small refactor 2023-07-28 22:05:22 +02:00
Oystein Kristoffer Tveit e6605b3a73
common/sshd: socket activate 2023-07-28 22:05:21 +02:00
Oystein Kristoffer Tveit c98a1a0541
tsuki/jupyter: harden security with sops and systemd 2023-07-28 22:00:07 +02:00
Oystein Kristoffer Tveit 4456244f2d
modules: add modules for socket activation 2023-07-28 21:32:13 +02:00
Oystein Kristoffer Tveit f1e8c87acd
tsuki/configuration.nix: remove a few unused imports 2023-07-12 23:43:23 +02:00
Oystein Kristoffer Tveit 1f5832074b
tsuki/taskserver: (unfinished) start setting up taskserver and taskwarrior 2023-07-12 23:42:07 +02:00
Oystein Kristoffer Tveit 6c2bd3f2d5
tsuki/invidious: remove redundant code, add comments 2023-07-12 23:38:41 +02:00
Oystein Kristoffer Tveit 394a932988
tsuki/nginx: misc:
- Move temporary website into its own file
- Collect all http uris into upstreams
- Convert some upstreams to UNIX sockets, as changed in the last few
  commits
2023-07-12 23:36:57 +02:00
Oystein Kristoffer Tveit 24a02d386c
tsuki/hedgedoc: misc:
- Experiment with reducing the number of options in the module
- Use UNIX socket behind nginx
- "Upstream" systemd hardening to module
2023-07-12 23:34:23 +02:00
Oystein Kristoffer Tveit 5ea58f1b98
tsuki/gitea: use UNIX socket behind gitea 2023-07-12 23:30:39 +02:00
Oystein Kristoffer Tveit fd052eea5a
tsuki/grafana: use UNIX socket behind nginx 2023-07-12 23:27:10 +02:00
Oystein Kristoffer Tveit 1f3b5addd3
tsuki/hedgedoc: misc:
- configure oauth2 (this requires a custom module for now,
    will be resolved in 23.11)
- harden systemd service
- add systemd requires list
- use socket postgres uri
2023-07-12 02:30:00 +02:00
Oystein Kristoffer Tveit 5250d40457
grub: remove version, attr for 23.05 2023-07-12 02:06:41 +02:00
Oystein Kristoffer Tveit cf42debf37
tsuki/invidious: misc:
- bind to 127.0.0.1
- depend on postgresql systemd unit
2023-07-12 02:06:41 +02:00
Oystein Kristoffer Tveit c8db83b925
tsuki/plex: harden systemd unit 2023-07-12 02:06:41 +02:00
Oystein Kristoffer Tveit 20de3c260f
tsuki/postgres: misc:
- add postgresql backup service
- harden systemd unit
- increase max_connections
2023-07-12 02:06:40 +02:00
Oystein Kristoffer Tveit 82ea6e9f5a
tsuki: add timed nhk easy news scraper 2023-07-12 02:06:40 +02:00
Oystein Kristoffer Tveit dddc92877c
tsuki/matrix/matrix-appservice-irc: enable lainchan irc bouncer 2023-07-12 02:06:40 +02:00
Oystein Kristoffer Tveit 68b181fc05
tsuki/matrix/mx-puppet-discord: disable temporarily
This still uses an old version of node that is disabled
in nixpkgs 23.05, disabling for now
2023-07-12 02:06:39 +02:00
Oystein Kristoffer Tveit 98745298c7
tsuki/matrix/mautrix-facebook: disable
Got banned one too many times, disabling for now.
2023-07-12 02:06:39 +02:00
Oystein Kristoffer Tveit 8a42e97014
tsuki/monitoring: misc:
- Secure grafana better, it had secrets in the nix store
- Set up prometheus exporters for nginx and php-fpm
- Add urls for dashboards
- Disable automatic updates
2023-07-12 02:06:39 +02:00
Oystein Kristoffer Tveit 25b6f0f3e9
tsuki/vaultwarden: add vaultwarden, password manager 2023-07-12 02:06:38 +02:00
Oystein Kristoffer Tveit 40e95ce030
tsuki/borg: set up borgbackup 2023-07-12 02:06:37 +02:00
Oystein Kristoffer Tveit 0e3a4c35d2
tsuki/atuin: set up atuin server 2023-07-12 02:06:16 +02:00
Oystein Kristoffer Tveit fc0e4f6c52
tsuki/nginx/www: real website dead, add temporary website 2023-07-12 02:04:57 +02:00
Oystein Kristoffer Tveit 949f228c97
tsuki/hydra: put all services below `system-hydra.slice` 2023-07-12 02:04:56 +02:00
Oystein Kristoffer Tveit 7f8d60057d
tsuki/headscale: fix oauth2, and set up tailscale 2023-07-12 02:04:53 +02:00
Oystein Kristoffer Tveit dc14eaa086
sops: add kasei to sops 2023-05-08 02:50:47 +02:00
Oystein Kristoffer Tveit 3267e5f687
tsuki/headscale: start working on oidc login 2023-05-08 02:36:17 +02:00
Oystein Kristoffer Tveit cc03b64376
common: use machinevars to determine whether to use x11 2023-05-08 02:36:15 +02:00