62ff09234d
Merge pull request 'openssh: Temporary patch for CVE-2024-6387 mitigation' ( #30 ) from KokaKiwi/nixcfg:openssh-mitigation into main
Reviewed-on: Deuxfleurs/nixcfg#30
2024-07-02 13:26:15 +00:00
98feb96d27
Merge pull request 'dathomir: Updates' ( #29 ) from KokaKiwi/nixcfg:dathomir-update into main
Reviewed-on: Deuxfleurs/nixcfg#29
Reviewed-by: maximilien <me@mricher.fr>
2024-07-02 09:41:08 +00:00
b89b625f46
openssh: Temporary patch for CVE-2024-6387 mitigation
2024-07-01 14:04:25 +02:00
76186c3fb3
cluster(staging): Rename jupiter site to dathomir
2024-06-27 16:27:23 +02:00
be88b5d274
cluster(prod): Add new ortie node
2024-06-27 16:27:09 +02:00
fa510688d7
update guichet
2024-06-24 13:52:18 +02:00
Baptiste Jonglez
fc83048b02
staging: move bottin and guichet to docker, sync with prod config
2024-06-23 22:29:14 +02:00
86026c5642
cluster(prod/cryptpad): Update cryptpad image on Nomad cluster
2024-06-23 11:55:16 +02:00
Baptiste Jonglez
87464506ce
staging: Switch garage to docker mode
2024-06-23 11:34:36 +02:00
2f8b2c74f4
Merge pull request 'Upgrade cryptpad from 2024.3.0 to 2024.3.1' ( #27 ) from KokaKiwi/nixcfg:update-cryptpad-2024.3.1 into main
Reviewed-on: Deuxfleurs/nixcfg#27
Reviewed-by: maximilien <me@mricher.fr>
2024-06-23 09:05:41 +00:00
Baptiste Jonglez
7e88a88e04
prod: garage: Enable on-demand-tls check for *.garage S3 endpoint
We were hitting Let's Encrypt rate limits because we were generating
thousands of nonsense certificates like "foo.bar.baz.garage.deuxfleurs.fr"
See https://crt.sh
Subdomains of garage.deuxfleurs.fr only make sense when accessing buckets
through S3 with vhost-style, so let's enable the on-demand-tls check to
make sure that the bucket exists in Garage.
In the long term, we might want to have a wildcard certificate for this
usage, or simply stop supporting vhost-style S3 access.
2024-06-08 17:14:48 +02:00
Baptiste Jonglez
9fc22d72d4
garage: harmonize staging and prod (checks, services)
2024-06-08 16:43:18 +02:00
Baptiste Jonglez
cbb0093f2c
staging: garage: Handle *.garage.staging for vhost-style S3 and add on-demand TLS checks
2024-06-08 16:35:35 +02:00
Baptiste Jonglez
d4fb14347d
staging: Upgrade tricot for on-demand TLS checks
2024-06-08 16:34:16 +02:00
Baptiste Jonglez
67794c53a3
Disable DHCPv6 and DHCPv6-PD in all cases
2024-06-02 21:35:36 +02:00
Baptiste Jonglez
ba37244447
Add common terminfo for more terminal support
2024-06-02 21:35:22 +02:00
Baptiste Jonglez
8d475b2ee6
Fix nixos deprecation warning
2024-06-02 21:35:08 +02:00
Baptiste Jonglez
7aa220a2e1
Add small script to gather system information from machines
2024-05-31 11:35:00 +02:00
Baptiste Jonglez
1924f2f4ab
sshtool: improve usage message
2024-05-31 11:34:38 +02:00
Baptiste Jonglez
bdc7376df4
staging: make tricot config closer to prod
2024-05-30 23:47:38 +02:00
Baptiste Jonglez
22dba1f35c
staging: enable IPv4 diplonat (UPnP) for corrin site
2024-05-30 23:42:48 +02:00
Baptiste Jonglez
7c174d6746
Revert "staging: disable allocation of grafana on piranha"
piranha is accessible on a more reliable network now.
2024-05-30 21:33:32 +02:00
Baptiste Jonglez
02bdc5a0c0
Move piranha to new network
2024-05-30 10:12:48 +02:00
726f4b2f32
Merge pull request 'cluster(prod): Add dathomir site' ( #25 ) from KokaKiwi/nixcfg:add-dathomir into main
Reviewed-on: Deuxfleurs/nixcfg#25
Reviewed-by: maximilien <me@mricher.fr>
2024-05-26 21:04:01 +00:00
37a2f781eb
prod(cluster/dathomir): Open more SSH ports
2024-05-26 23:00:39 +02:00
435cbeebfb
cluster(prod): Add oseille
2024-05-26 18:24:28 +02:00
3776734e50
style: Fix spacetab in cluster/prod/ssh_config
2024-05-26 17:04:33 +02:00
57628b508e
cluster(prod): Add io
2024-05-26 17:04:18 +02:00
Armaël Guéneau
ef91461210
doc/architecture.md: add the useful command line for launching the garage CLI
2024-05-26 12:43:03 +02:00
09c3d618e6
cluster/prod(app): Upgrade cryptpad from 2024.3.0 to 2024.3.1
2024-05-23 22:22:07 +02:00
ebfdc6d1a3
cluster/prod(app): Migrate from niv to npins for pinned sources for cryptpad
2024-05-23 22:21:11 +02:00
3e0df95fe9
use diplonat autodiscovery to set ip addr
2024-05-18 15:45:00 +02:00
602c003e1e
update neptune IP address
2024-05-18 15:27:48 +02:00
e746768de1
hotfix garage
2024-05-17 20:29:05 +02:00
a513690004
cluster(prod): Add dathomir site and onion node
2024-05-15 11:50:49 +02:00
f55891ba21
Cryptpad migration to Courgette (Neptune) from Abricot (Scorpio), with backup reconfiguration
2024-05-12 22:02:22 +02:00
9a6935ac90
add Boris as admin on Cryptpad
2024-05-12 20:35:04 +02:00
Armaël Guéneau
3b777ddeb6
Move emails from ananas (in scorpio) to celeri (in neptune)
2024-05-12 17:09:05 +02:00
Armaël Guéneau
ca59237057
staging: disable allocation of grafana on piranha
piranha does not seem to be available from the outside world currently
2024-05-01 00:44:09 +02:00
28b58b3776
add max and vincent as cryptpad admins
2024-04-30 10:10:40 +02:00
Baptiste Jonglez
7db40a8dcf
Fix coturn that was failing with newer Nomad/Docker
Coturn was failing to start with the following error:
failed to create task for container: failed to create shim task: OCI
runtime create failed: runc create failed: unable to start container
process: exec: "/usr/local/bin/docker-entrypoint.sh": permission denied:
unknown
It seems to be caused by the recent NixOS update,
either because Docker/runc is now more strict when checking if the
entrypoint is executable [1],
and/or because Nomad may mount the secrets directory with "noexec" [2].
In any case, the "local" directory [2] looks more appropriate, because
it's shared with the task while not being accessible to other tasks.
[1] https://github.com/opencontainers/runc/issues/3715
[2] https://developer.hashicorp.com/nomad/docs/concepts/filesystem
2024-04-28 18:01:52 +02:00
Baptiste Jonglez
c56ce9134c
Update woodpecker to latest 2.4.1
2024-04-28 13:31:15 +02:00
1d40a3c7c0
Merge pull request 'Update Woodpecker to v2.4.0' ( #24 ) from tixie/nixcfg:update-woodpecker-2.4.0 into main
Reviewed-on: Deuxfleurs/nixcfg#24
2024-04-28 11:25:06 +00:00
Baptiste Jonglez
5dc7c3132b
Fix link in CI setup doc
2024-04-28 13:23:54 +02:00
Armaël Guéneau
14c6dae001
sshtool: handle sudo passwords that contain quotes or backslashes
2024-04-27 11:56:53 +02:00
Armaël Guéneau
6307f7e62f
caribou: update ipv6 address after ISP change
2024-04-26 18:00:56 +02:00
Armaël Guéneau
37192f9dff
tlsproxy: better error message when no argument is passed
2024-04-26 13:15:52 +02:00
e6bac83e02
Tricot ulimit
2024-04-25 09:13:06 +02:00
22fbadef2e
update woodpecker-agent to 2.4.0
2024-04-24 22:20:20 +02:00
43189a5fc2
update woodpecker-server to 2.4.0
2024-04-24 22:20:06 +02:00