about summary refs log tree commit diff
path: root/hosts/tahoe (follow)
Commit message (Collapse)AuthorAgeFilesLines
* hosts/tahoe: rename account for backup and enable sftp for itFranck Cuny2023-04-292-7/+18
| | | | | | | | | | | | | The dedicated account for backup should be named 'backup', as it's more generic. While it's a system account, I still need to be able to log in the host remotely with sftp, so we give it a UID (991). The account needs to be able to sftp to tahoe in order to store the backups from remote hosts. However we don't want this user to get a shell and be able to browse the host, so we configure sshd to chroot the user to where the backups are stored.
* hosts/tahoe: create a new user specifically for backupsFranck Cuny2023-04-231-0/+11
| | | | | | This is the user I'll be using to do my backups. This is a system user, and there's only one public key added to it. This key is only used for backups and will be managed in this repository.
* hosts/tahoe: loki and prometheus listen only on the wg0 interfaceFranck Cuny2023-04-231-4/+7
| | | | | | | I don't want to have to deal with authentication and TLS certificates for these endpoints. If they are only listening on the wireguard interface I can trust that only authorized hosts are sending traffic to these endpoints. I trust what's running on these machines.
* modules/monitoring: consolidate all monitoring services togetherFranck Cuny2023-04-231-10/+12
| | | | | This will help to organize and structure monitoring modules a bit better.
* modules/services: add loki and promtailFranck Cuny2023-04-231-0/+7
|
* hosts/carmel: reconfigure the host as a routerFranck Cuny2023-04-031-0/+3
| | | | | | | | | | | | I'm not using it as a desktop, and the current router is getting old and will likely fail in the near future. It's also a debian machine configured manually, so let's reconfigure carmel as our new router. There are three NICs in the host: 2 are 10Gb and one is 1Gb. The 1Gb will be used as the upstream interface, and one of the 10Gb will be for the LAN. There are 2 VLANs to configure: one for IoT devices and one for guest.
* modules/sendsms: gate the unit with a fileFranck Cuny2023-03-272-0/+2
| | | | | | | | | | To prevent the unit to be triggered multiple times if the host has already rebooted, we create a gate file when we're done running, and before running, we check if the file exists. Enable the service on tahoe. Don't restart the unit when its definition has changed.
* modules/console: larger font for EVERYONEFranck Cuny2023-03-261-8/+0
|
* hosts/tahoe: set a larger font for the TTYsFranck Cuny2023-03-261-0/+8
|
* hosts: it's time to switch to schedutilFranck Cuny2023-03-151-0/+2
|
* hosts/tahoe: set the consoleMode to "max"Franck Cuny2023-03-141-0/+3
|
* home/shell: switch the default shell back to zshFranck Cuny2023-03-111-1/+1
| | | | | | | | I keep running into issues when using fish: I'm not familiar with the syntax and I don't use it enough that it sticks. I also need to google stuff regularly to figure out how things are supposed to work. This is annoying enough that the supposed benefits of fish are not worth it for me.
* hosts/tahoe: delete unused secretsFranck Cuny2023-03-103-5/+0
|
* hosts/tahoe: re-key all the secrets with age identitiesFranck Cuny2023-03-1012-32/+41
| | | | | | | This is using the public keys from: - my user on my laptop - the root user on tahoe - the backup key stored on the USB drive
* ref(hosts/tahoe): don't install sendsmsFranck Cuny2023-03-021-1/+0
| | | | | It's not working as I want, let's fix it first then we can enable it again later.
* feat(hosts/tahoe): install gitolite and cgitFranck Cuny2023-03-021-9/+6
| | | | | | | | Replace gitea with gitolite + cgit. I don't need a whole git forge for myself, especially since I don't use most of the features. The main thing I'm losing with this change is CI (via drone), but this is not really a big loss for now.
* ref(hosts/tahoe): exclude more paths from backupsFranck Cuny2023-01-191-0/+7
|
* ref(tahoe/backups): backup fewer thingsFranck Cuny2023-01-161-2/+10
| | | | | I don't need to backup videos, and the cache of my home directory. I also don't need to keep that many snapshots around.
* feat(hosts/tahoe): rotate the screen 90 degreeFranck Cuny2023-01-101-2/+6
| | | | The machine is connected to a rotated screen.
* fix(hosts/tahoe): workaround md raid boot uuid issue in 22.11Franck Cuny2023-01-101-2/+2
| | | | | | | Due to md device uuid availability issue in initrd. Refs: - https://github.com/NixOS/nixpkgs/issues/196800 - https://github.com/NixOS/nixpkgs/issues/199551
* fix(hosts/tahoe): mask mdmonitorFranck Cuny2023-01-091-0/+5
| | | | | This is a broken unit and I don't need it (see https://github.com/nixos/nixpkgs/issues/72394).
* fix(modules/unifi): proper monitoring and latest versionFranck Cuny2023-01-081-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | They've recently removed from nixpkgs the version of mongodb that was used by unifi. I updated to the latest version (7) and did the migration of the DB manually (see https://github.com/NixOS/nixpkgs/pull/207382): ``` nix-shell -p mongodb-3_4 mongodb-tools mongod --dbpath /var/lib/unifi/data/db --logpath /var/log/unifi/repair.log --repair mongod --dbpath /var/lib/unifi/data/db --logpath /var/log/unifi/repair.log --journal --fork mongodump --out=/root/mongodump pkill mongod exit nix-shell -p mongodb-4_2 mongodb-tools mv /var/lib/unifi/data/db /var/lib/unifi/data/db_bak mkdir /var/lib/unifi/data/db mongod --dbpath /var/lib/unifi/data/db --logpath /var/log/unifi/repair.log --journal --fork mongorestore /root/mongodump pkill mongod ``` Once this was done, the exporter was also broken, has it has been renamed. There are two different services for it in nixpkgs: `services.unpoller` and `services.prometheus.exporters.unpoller`. Only the last one works. From what I can tell, everything is working now.
* feat(hosts/tahoe): enable `sendsms` moduleFranck Cuny2022-11-303-0/+14
|
* ref(gerrit): delete modules/docs/configs for gerrit/buildkiteFranck Cuny2022-11-075-52/+0
|
* fix(services/drone): enable droneFranck Cuny2022-11-064-5/+11
| | | | | The URL for drone changed to https://ci.fcuny.net. The secrets also changed (and we remove the unencrypted file with secrets).
* Revert "ref(drone): remove all modules and configurations"Franck Cuny2022-11-052-0/+5
| | | | This reverts commit 614fc2fcce0e9ae0bcfdc6e08d3c4bac846d02a8.
* feat(hosts/tahoe): enable gitea againFranck Cuny2022-11-051-0/+4
|
* ref(hosts/tahoe): disable cgit/gerrit/buildkite/sourcegraphFranck Cuny2022-10-291-10/+0
| | | | | Since I'm moving everything back to GitHub I don't need to run these services anymore.
* ref(home-manager): don't use home-manager when building the hostFranck Cuny2022-09-221-2/+1
| | | | | | | | | | | | | | | | | | | When rebuilding the host (through `nixos-rebuild switch --flake`) I don't want to rebuild also my home-manager configuration. I want these to be two different steps. I rebuild the home-manager configuration more frequently and it's a waste of time and CPU to rebuild the world every time. This is a pretty large refactoring: - move checks back into the flake: if I modify a check, the configuration for `pre-commits` is not regenerated, as the file with the checks is not monitored with `direnv` (I could probably configure it for it, but not now) - remove `home.nix` from the host level configuration - introduce a `mkHomeManagerConfiguration` function to manage the different user@host - fix a warning with the rust overlay
* fix(tahoe/secrets): configuration for rclone-sync to GCPFranck Cuny2022-08-081-0/+0
| | | | | | | | | | | | The configuration needs to be updated, we set the value for `bucket_policy_only` to true now that we've set the bucket to use uniform bucket level access (https://cloud.google.com/storage/docs/uniform-bucket-level-access). Change-Id: I7e9516709af4be35a3964937c1dbd728bcfe1f01 Reviewed-on: https://cl.fcuny.net/c/world/+/709 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
* feat(hosts/tahoe): add a token for graphql for buildkite agentsFranck Cuny2022-08-062-0/+16
| | | | | | | Change-Id: I17ea0baab0d74888ed1b21342c583495d3f52643 Reviewed-on: https://cl.fcuny.net/c/world/+/705 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
* feat(modules/gerrit): manage secure configuration with nixFranck Cuny2022-07-182-0/+6
| | | | | | | | | | | | Currently the secure configuration for gerrit is not managed by nix. This is likely going to break in the future and I'll hate myself for that. Let's move it into nix and encrypt it with age, like we do for other secrets. Change-Id: Ia7a006748a3ad64fa4b97ca9e8cbd98c99433982 Reviewed-on: https://cl.fcuny.net/c/world/+/622 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
* fix(tahoe/backups): don't backup some directoriesFranck Cuny2022-07-081-0/+1
| | | | | | | | | I don't need to backup these directories in my home. Change-Id: Ia2302f2ebe74033090b86b52864787d2a63ecb4b Reviewed-on: https://cl.fcuny.net/c/world/+/620 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
* fix(new-lines): add or remove new lines where neededFranck Cuny2022-07-021-1/+0
| | | | | | | | | | | The pre-commit hook for new lines reported and correct a number of issues, so let's commit them now and after that we ca enable the hook for the repository. Change-Id: I5bb882d3c2cca870ef94301303f029acfb308740 Reviewed-on: https://cl.fcuny.net/c/world/+/592 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
* feat(hosts/home): use fish as my default shell everywhereFranck Cuny2022-06-231-1/+1
| | | | | | | Change-Id: I75df9d3ba133e3f7380a518e1b8c70a564f60482 Reviewed-on: https://cl.fcuny.net/c/world/+/481 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
* ref(home/shell): make it easier to share common things between shellsFranck Cuny2022-06-201-2/+2
| | | | | | | | | | | | | | | | | | | | I'm considering trying again fish, and there are a number of things that should be common between zsh and fish (aliases, environment variables, ...). Instead of duplicating these settings multiple time, I'm consolidating the shell configurations under `home/shell`, and I can set the shell I want to use with `my.home.shell.name`. The first step is to move the modules for fish and zsh under `home/shell`, add an interface to pick which one I want to use, and modify the `host/home.nix` configuration to keep using zsh with the new interface. Change-Id: Idb66b1a6fcc11a6eeaf5fd2d32dd3698d2d85bdf Reviewed-on: https://cl.fcuny.net/c/world/+/455 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
* ref(drone): remove all modules and configurationsFranck Cuny2022-06-112-5/+0
| | | | | | | | | I do not use drone anymore, no need to keep this around. Change-Id: I8f9564747939a6d1a2b95bcfe8e2c70e46d8bc1e Reviewed-on: https://cl.fcuny.net/c/world/+/411 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
* fix(fmt): correct formatting for all nix filesFranck Cuny2022-06-102-2/+4
| | | | | | | | | This was done by running `nixpkgs-fmt .'. Change-Id: I4ea6c1e759bf468d08074be2111cbc7af72df295 Reviewed-on: https://cl.fcuny.net/c/world/+/404 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
* fix(secrets): buildKite agents can read gerrit secretsFranck Cuny2022-06-091-0/+4
| | | | | | | | | We need to ensure the agents can read the secrets / tokens to vote after a build. Change-Id: I066c2482a795b21badaa9cc3c525373d7945b084 Reviewed-on: https://cl.fcuny.net/c/world/+/341 Reviewed-by: Franck Cuny <franck@fcuny.net>
* ref(home): structure and add commentsFranck Cuny2022-06-091-2/+11
| | | | | | Change-Id: I9abd49136df79a9ed040c9ec0e12eea30736c9ff Reviewed-on: https://cl.fcuny.net/c/world/+/295 Reviewed-by: Franck Cuny <franck@fcuny.net>
* fix(gerrit-hook): update the configuration with correct URLFranck Cuny2022-06-041-10/+12
| | | | | | Change-Id: Iae8860631a9d313d5b4f78d171d0dfebc6ef6ff9 Reviewed-on: https://cl.fcuny.net/c/world/+/283 Reviewed-by: Franck Cuny <franck@fcuny.net>
* fix(secrets): set the owner for buildkite agent secretsFranck Cuny2022-06-041-0/+1
| | | | | | | | | There's one user per agent. If we don't set an owner for that file, it will be owned by root. Let's set the ownership to the first builder. Change-Id: I1270e6858c0bf2797bd12c2557d84a494cef5081 Reviewed-on: https://cl.fcuny.net/c/world/+/281 Reviewed-by: Franck Cuny <franck@fcuny.net>
* ref(drone): remove secret and CLI for droneFranck Cuny2022-06-041-5/+0
| | | | | | | | | I'm not using drone anymore. I don't need the CLI and the secret to be installed. Change-Id: I9c8ecfe5f051fd70d78f0e2e9aaa705e48627714 Reviewed-on: https://cl.fcuny.net/c/world/+/261 Reviewed-by: Franck Cuny <franck@fcuny.net>
* feat(gerrit): add secret for gerrit-hookFranck Cuny2022-06-042-0/+16
| | | | | | | | | | | The secret is the configuration for the gerrit-hook tool. It contains the URL to our gerrit instance, the username/password for the gerrit user used by the tool, the API token for buildKite and the name of the organization in buildKite. Change-Id: I58233e085c92d4c5db5635eb9942a5e87ee9e55d Reviewed-on: https://cl.fcuny.net/c/world/+/204 Reviewed-by: Franck Cuny <franck@fcuny.net>
* feat(hosts/tahoe): enable buildkite agentFranck Cuny2022-05-301-0/+1
| | | | | | Change-Id: I12cc741bdfb074f7d2a006547860362176afe372 Reviewed-on: https://cl.fcuny.net/c/world/+/169 Reviewed-by: Franck Cuny <franck@fcuny.net>
* feat(buildkite): add the auth tokenFranck Cuny2022-05-302-0/+7
| | | | | | Change-Id: I652a3326caf8f949e9734849d1492f7b9764a766 Reviewed-on: https://cl.fcuny.net/c/world/+/167 Reviewed-by: Franck Cuny <franck@fcuny.net>
* ref(tahoe): remove droneFranck Cuny2022-05-291-9/+1
| | | | | | | | | I will not be using drone anymore, and will likely replace it with buildkite. Change-Id: I45d91c43090aaba119855158e071dae377c1897f Reviewed-on: https://cl.fcuny.net/c/world/+/162 Reviewed-by: Franck Cuny <franck@fcuny.net>
* feat(hosts/tahoe): replace gitea by cgitFranck Cuny2022-05-271-2/+1
| | | | | | Change-Id: I3b00408d7550d7660fb33940ae2cd0806076f4d2 Reviewed-on: https://cl.fcuny.net/c/world/+/62 Reviewed-by: Franck Cuny <franck.cuny@gmail.com>
* feat(tahoe): enable gerritFranck Cuny2022-05-261-0/+4
|
* feat(tahoe): enable sourcegraphFranck Cuny2022-05-221-0/+4
|
* zsh: switch to zsh as the default shellFranck Cuny2022-05-151-1/+1
| | | | | | | | | | `zsh' is available everywhere and is compatible with bash. When using `fish' I need to remember how to do things. While the completion style is nicer, I don't care about the rest. I prefer to have a consistent experience in the shell, no matter where am I. This is an initial configuration, I might need to make a few changes as I go.
* tahoe: enable exec runner for droneFranck Cuny2022-05-021-1/+1
|
* backups: do backups for the laptopFranck Cuny2022-04-241-1/+2
| | | | | | | | | | | | | From the laptop I only backup /home/fcuny, as the rest should be straightforward to rebuild with nix. I run that backup as my own user, since I need my ssh key to use the remote repository (which is on the NAS). I also need a new secret for it (I might have been able to use `pass' for this, but well, that's easy enough). For the NAS, I update the list of directories to backup to include home, this will be on the systems backup.
* syncthing: don't run from homeFranck Cuny2022-04-211-1/+0
|
* syncthing: configure the keys for tahoeFranck Cuny2022-04-213-0/+20
|
* syncthing: enable on tahoeFranck Cuny2022-04-211-0/+1
|
* syncthing: let's run it from home-managerFranck Cuny2022-04-211-0/+1
|
* drone: configuration fixesFranck Cuny2022-04-131-1/+1
|
* drone: initial attempt at configuring itFranck Cuny2022-04-134-0/+16
|
* modules: make the vhost be configurableFranck Cuny2022-04-131-3/+9
|
* grafana: correct domain name ...Franck Cuny2022-04-131-1/+1
|
* grafana: the vhost is configurableFranck Cuny2022-04-131-1/+4
|
* tahoe: set owner for secret related to ACMEFranck Cuny2022-04-131-1/+4
|
* secrets: re-key all secrets for tahoeFranck Cuny2022-04-138-30/+27
|
* grafana: try to configure the domain with acme+dnsFranck Cuny2022-04-133-1/+9
|
* nginx: get a simple solution to work firstFranck Cuny2022-04-131-13/+1
|
* nginx: add nginx as a reverse proxyFranck Cuny2022-04-131-1/+14
| | | | This will ultimately replace traefik.
* secrets: move the actual secrets with hosts configFranck Cuny2022-04-137-0/+39
| | | | | | Having the secrets closer to the host is easier to manage. At the moment I don't have secrets that are shared across multiple hosts, so that's an OK approach.
* tahoe: fix backup configurationFranck Cuny2022-04-111-2/+3
|
* secrets: move all the secrets under module/Franck Cuny2022-04-101-3/+3
| | | | | Refactor a bit the configuration, which should simplify the management and usage of secrets from now on.
* add a module for backup with resticFranck Cuny2022-04-101-10/+4
| | | | Do a single backup for the host, instead of running multiple ones.
* tahoe: enable network with early bootFranck Cuny2022-04-092-11/+19
| | | | So we can unlock the disks remotely.
* hosts: rename hardware-configuration to hardwareFranck Cuny2022-04-082-1/+1
|
* hosts: add services to tahoeFranck Cuny2022-04-082-1/+45
|
* initial attempt to reconfigure home-managerFranck Cuny2022-04-072-0/+18
| | | | | | | | | | All the modules that are needed for home-manager should be under `home/`, and each host will have a `host.nix` where the modules are enabled as needed. Later on we can create some profiles to make it easier to consume the configuration. I apply this only to tahoe for now, as the amount of packages needed for my user are pretty limited.
* enable AMD module correctlyFranck Cuny2022-04-061-1/+1
|
* refactor boot configuration to a moduleFranck Cuny2022-04-061-1/+4
| | | | | | | | | We don't need the previous `hosts/common/system` configs anymore, as everything has been moved out. We keep some boot configuration for carmel in the host configuration for now, but I need to check why I don't have similar settings for tahoe (since I also need to unlock the host remotely).
* refactor configuration for AMDFranck Cuny2022-04-061-38/+39
|
* refactor network configurationFranck Cuny2022-04-051-3/+19
|
* network: move tailscale in modulesFranck Cuny2022-04-052-20/+23
| | | | Move the networking configuration for the hosts to its own file.
* Revert "create a new role for navidrome"Franck Cuny2022-04-031-4/+2
| | | | This reverts commit 814a495e9c74e3211c6b6640397111115832207b.
* create a new role for navidromeFranck Cuny2022-04-031-2/+4
| | | | Apply the role to tahoe.
* hosts: add profilesFranck Cuny2022-03-121-1/+1
| | | | Profiles contain a collection of modules.
* tahoe: enable tailscaleFranck Cuny2022-03-061-0/+1
|
* tahoe: remove creation of some directoriesFranck Cuny2022-03-051-29/+9
|
* tahoe: new hardware configuratioFranck Cuny2022-03-051-21/+13
|
* tahoe: enable wireguardFranck Cuny2022-03-021-0/+1
|
* tahoe: create some directoriesFranck Cuny2022-02-271-0/+15
| | | | Ensure at least /data/media/music is created with the proper ownership.
* tahoe: include NAS profileFranck Cuny2022-02-271-0/+1
|
* hosts: add tahoe, the new NASFranck Cuny2022-02-272-0/+111
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-12-26 07:03:41 +0000