about summary refs log tree commit diff
path: root/hosts/tahoe/secrets (follow)
Commit message (Collapse)AuthorAgeFilesLines
* delete configuration for old machinesFranck Cuny2023-12-0811-112/+0
| | | | These machines are gone, no need to keep the configuration around.
* remove custom toolsFranck Cuny2023-08-211-2/+0
|
* profile/acme: default DNS provider is gandiFranck Cuny2023-05-082-0/+16
| | | | | | | | | | Add the API key for gandi to the secrest, create a profile for acme with my defaults. The profile is loaded by tahoe since that's where our services are running on. Update all the servers in nginx to listen on their wireguard interface.
* modules/rclone: delete the module and cleanupFranck Cuny2023-04-303-3/+0
| | | | | I'm not using rclone anymore and I'm not storing the backups to GCS buckets either.
* hosts/tahoe: enable rsync-ing backups to rsync.netFranck Cuny2023-04-302-0/+2
|
* modules/sendsms: gate the unit with a fileFranck Cuny2023-03-271-0/+0
| | | | | | | | | | To prevent the unit to be triggered multiple times if the host has already rebooted, we create a gate file when we're done running, and before running, we check if the file exists. Enable the service on tahoe. Don't restart the unit when its definition has changed.
* hosts/tahoe: delete unused secretsFranck Cuny2023-03-103-5/+0
|
* hosts/tahoe: re-key all the secrets with age identitiesFranck Cuny2023-03-1012-32/+41
| | | | | | | This is using the public keys from: - my user on my laptop - the root user on tahoe - the backup key stored on the USB drive
* fix(modules/unifi): proper monitoring and latest versionFranck Cuny2023-01-081-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | They've recently removed from nixpkgs the version of mongodb that was used by unifi. I updated to the latest version (7) and did the migration of the DB manually (see https://github.com/NixOS/nixpkgs/pull/207382): ``` nix-shell -p mongodb-3_4 mongodb-tools mongod --dbpath /var/lib/unifi/data/db --logpath /var/log/unifi/repair.log --repair mongod --dbpath /var/lib/unifi/data/db --logpath /var/log/unifi/repair.log --journal --fork mongodump --out=/root/mongodump pkill mongod exit nix-shell -p mongodb-4_2 mongodb-tools mv /var/lib/unifi/data/db /var/lib/unifi/data/db_bak mkdir /var/lib/unifi/data/db mongod --dbpath /var/lib/unifi/data/db --logpath /var/log/unifi/repair.log --journal --fork mongorestore /root/mongodump pkill mongod ``` Once this was done, the exporter was also broken, has it has been renamed. There are two different services for it in nixpkgs: `services.unpoller` and `services.prometheus.exporters.unpoller`. Only the last one works. From what I can tell, everything is working now.
* feat(hosts/tahoe): enable `sendsms` moduleFranck Cuny2022-11-302-0/+13
|
* ref(gerrit): delete modules/docs/configs for gerrit/buildkiteFranck Cuny2022-11-075-52/+0
|
* fix(services/drone): enable droneFranck Cuny2022-11-063-5/+5
| | | | | The URL for drone changed to https://ci.fcuny.net. The secrets also changed (and we remove the unencrypted file with secrets).
* Revert "ref(drone): remove all modules and configurations"Franck Cuny2022-11-052-0/+5
| | | | This reverts commit 614fc2fcce0e9ae0bcfdc6e08d3c4bac846d02a8.
* fix(tahoe/secrets): configuration for rclone-sync to GCPFranck Cuny2022-08-081-0/+0
| | | | | | | | | | | | The configuration needs to be updated, we set the value for `bucket_policy_only` to true now that we've set the bucket to use uniform bucket level access (https://cloud.google.com/storage/docs/uniform-bucket-level-access). Change-Id: I7e9516709af4be35a3964937c1dbd728bcfe1f01 Reviewed-on: https://cl.fcuny.net/c/world/+/709 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
* feat(hosts/tahoe): add a token for graphql for buildkite agentsFranck Cuny2022-08-062-0/+16
| | | | | | | Change-Id: I17ea0baab0d74888ed1b21342c583495d3f52643 Reviewed-on: https://cl.fcuny.net/c/world/+/705 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
* feat(modules/gerrit): manage secure configuration with nixFranck Cuny2022-07-182-0/+6
| | | | | | | | | | | | Currently the secure configuration for gerrit is not managed by nix. This is likely going to break in the future and I'll hate myself for that. Let's move it into nix and encrypt it with age, like we do for other secrets. Change-Id: Ia7a006748a3ad64fa4b97ca9e8cbd98c99433982 Reviewed-on: https://cl.fcuny.net/c/world/+/622 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
* ref(drone): remove all modules and configurationsFranck Cuny2022-06-112-5/+0
| | | | | | | | | I do not use drone anymore, no need to keep this around. Change-Id: I8f9564747939a6d1a2b95bcfe8e2c70e46d8bc1e Reviewed-on: https://cl.fcuny.net/c/world/+/411 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
* fix(fmt): correct formatting for all nix filesFranck Cuny2022-06-101-1/+2
| | | | | | | | | This was done by running `nixpkgs-fmt .'. Change-Id: I4ea6c1e759bf468d08074be2111cbc7af72df295 Reviewed-on: https://cl.fcuny.net/c/world/+/404 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
* fix(secrets): buildKite agents can read gerrit secretsFranck Cuny2022-06-091-0/+4
| | | | | | | | | We need to ensure the agents can read the secrets / tokens to vote after a build. Change-Id: I066c2482a795b21badaa9cc3c525373d7945b084 Reviewed-on: https://cl.fcuny.net/c/world/+/341 Reviewed-by: Franck Cuny <franck@fcuny.net>
* fix(gerrit-hook): update the configuration with correct URLFranck Cuny2022-06-041-10/+12
| | | | | | Change-Id: Iae8860631a9d313d5b4f78d171d0dfebc6ef6ff9 Reviewed-on: https://cl.fcuny.net/c/world/+/283 Reviewed-by: Franck Cuny <franck@fcuny.net>
* fix(secrets): set the owner for buildkite agent secretsFranck Cuny2022-06-041-0/+1
| | | | | | | | | There's one user per agent. If we don't set an owner for that file, it will be owned by root. Let's set the ownership to the first builder. Change-Id: I1270e6858c0bf2797bd12c2557d84a494cef5081 Reviewed-on: https://cl.fcuny.net/c/world/+/281 Reviewed-by: Franck Cuny <franck@fcuny.net>
* ref(drone): remove secret and CLI for droneFranck Cuny2022-06-041-5/+0
| | | | | | | | | I'm not using drone anymore. I don't need the CLI and the secret to be installed. Change-Id: I9c8ecfe5f051fd70d78f0e2e9aaa705e48627714 Reviewed-on: https://cl.fcuny.net/c/world/+/261 Reviewed-by: Franck Cuny <franck@fcuny.net>
* feat(gerrit): add secret for gerrit-hookFranck Cuny2022-06-042-0/+16
| | | | | | | | | | | The secret is the configuration for the gerrit-hook tool. It contains the URL to our gerrit instance, the username/password for the gerrit user used by the tool, the API token for buildKite and the name of the organization in buildKite. Change-Id: I58233e085c92d4c5db5635eb9942a5e87ee9e55d Reviewed-on: https://cl.fcuny.net/c/world/+/204 Reviewed-by: Franck Cuny <franck@fcuny.net>
* feat(buildkite): add the auth tokenFranck Cuny2022-05-302-0/+7
| | | | | | Change-Id: I652a3326caf8f949e9734849d1492f7b9764a766 Reviewed-on: https://cl.fcuny.net/c/world/+/167 Reviewed-by: Franck Cuny <franck@fcuny.net>
* syncthing: configure the keys for tahoeFranck Cuny2022-04-213-0/+20
|
* drone: initial attempt at configuring itFranck Cuny2022-04-133-0/+10
|
* tahoe: set owner for secret related to ACMEFranck Cuny2022-04-131-1/+4
|
* secrets: re-key all secrets for tahoeFranck Cuny2022-04-138-30/+27
|
* grafana: try to configure the domain with acme+dnsFranck Cuny2022-04-133-1/+9
|
* secrets: move the actual secrets with hosts configFranck Cuny2022-04-137-0/+39
Having the secrets closer to the host is easier to manage. At the moment I don't have secrets that are shared across multiple hosts, so that's an OK approach.