path: root/hosts

Commit log. Each entry gives the commit message, then (author, date, files changed, lines removed/added).

* profiles: create default and server (Franck Cuny, 2023-05-02, 2 files, -5/+16)

  The NAS and the router are "servers", and we create a base profile for them. We add a default profile that will set things that are common to all my hosts, and we start with the locales.

  Update tahoe/carmel to use the server profile.

* profiles/workstation: consolidate sound-related configurations (Franck Cuny, 2023-05-02, 2 files, -2/+0)

* profiles/workstation: moved more things around (Franck Cuny, 2023-05-01, 3 files, -16/+0)

* profiles/laptop: consolidate services related to laptop (Franck Cuny, 2023-05-01, 2 files, -6/+1)

* profiles/workstation: reduce the number of moving parts (Franck Cuny, 2023-05-01, 1 file, -13/+8)

  There are too many moving parts and layers of abstraction, for no benefit: I only have to manage 3-4 machines. Going to create profiles, move things there, and stop with the `enable` pattern.

* modules/rclone: delete the module and clean up (Franck Cuny, 2023-04-30, 3 files, -3/+0)

  I'm not using rclone anymore and I'm not storing the backups in GCS buckets either.

* hosts/tahoe: enable rsync-ing backups to rsync.net (Franck Cuny, 2023-04-30, 3 files, -0/+9)

* modules/boot: always clean up /tmp on boot (Franck Cuny, 2023-04-29, 1 file, -1/+0)

* hosts/tahoe: disable rclone (Franck Cuny, 2023-04-29, 1 file, -1/+0)

  Backups are not synchronized with rclone to gcloud, but instead with rsync to rsync.net.

* hosts/tahoe: update settings related to restic (Franck Cuny, 2023-04-29, 1 file, -14/+5)

  The path to the restic repository has changed, and we are a bit more specific about the paths we want to back up.

* hosts/aptos: configure backups properly (Franck Cuny, 2023-04-29, 1 file, -8/+16)

  Correctly configure the systemd unit to run restic on aptos. Be more specific about the paths we want to back up, instead of backing up '/home' and maintaining a large exclusion list.

* hosts/tahoe: rename account for backup and enable sftp for it (Franck Cuny, 2023-04-29, 2 files, -7/+18)

  The dedicated account for backup should be named 'backup', as it's more generic. While it's a system account, I still need to be able to log in to the host remotely with sftp, so we give it a UID (991).

  The account needs to be able to sftp to tahoe in order to store the backups from remote hosts. However, we don't want this user to get a shell and be able to browse the host, so we configure sshd to chroot the user to where the backups are stored.
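
The confinement described in the commit above depends on a couple of sshd rules that are easy to get wrong. As an added example (shell, not code from this repository), the script below renders the `Match` block that makes the account sftp-only and checks the property sshd enforces on `ChrootDirectory`: every path component must be a root-owned directory that neither group nor others can write. The chroot path `/srv/backups` is an assumption; the user name `backup` is the one the commit uses; GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not the repository's configuration: what to check when
# confining an sftp-only backup account with sshd's ChrootDirectory.
# The chroot path /srv/backups is an assumption; GNU stat is assumed.

# The Match block that makes the account sftp-only: no shell is ever
# spawned, only the in-process sftp server, and only inside the chroot.
sftp_only_match_block() {
  user=$1
  chroot=$2
  cat <<EOF
Match User $user
    ChrootDirectory $chroot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# True (exit 0) when an octal mode such as 755 or 1777 has the group-write
# or other-write bit set. Only the last two digits are inspected, so a
# setuid/setgid/sticky prefix does not confuse it.
writable_by_others() {
  m=$1
  go=${m#"${m%??}"}                 # last two digits: group, other
  case ${go%?} in 2|3|6|7) return 0 ;; esac
  case ${go#?} in 2|3|6|7) return 0 ;; esac
  return 1
}

# sshd refuses to chroot unless every component of ChrootDirectory is a
# directory owned by root and writable by nobody else. Walks the path from
# the top, reports each offending component on stderr and returns 1 if any
# fails. (A chroot under /tmp fails here for the same reason sshd rejects
# it: /tmp is world-writable.)
check_chroot_path() {
  path=$1
  current=""
  rc=0
  oldifs=$IFS
  IFS=/
  for part in $path; do
    IFS=$oldifs
    [ -n "$part" ] || continue
    current="$current/$part"
    if [ ! -d "$current" ]; then
      printf '%s: not a directory\n' "$current" >&2
      rc=1
      continue
    fi
    uid=$(stat -c '%u' "$current")
    mode=$(stat -c '%a' "$current")
    if [ "$uid" != 0 ]; then
      printf '%s: owned by uid %s, must be root\n' "$current" "$uid" >&2
      rc=1
    fi
    if writable_by_others "$mode"; then
      printf '%s: mode %s is group/other writable\n' "$current" "$mode" >&2
      rc=1
    fi
  done
  IFS=$oldifs
  return $rc
}

# Usage: sftp_only_match_block backup /srv/backups >> /etc/ssh/sshd_config.d/backup.conf
#        check_chroot_path /srv/backups && echo "chroot path is acceptable to sshd"
```

Because the chroot root itself must be root-owned and not writable by `backup`, the directory the remote hosts upload into has to be a subdirectory inside the chroot that `backup` owns. After changing the configuration, `sshd -t` validates the syntax and `sshd -T -C user=backup` prints the options sshd would apply to that user, which is where a misplaced or shadowed `Match` block shows up.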

* hosts/aptos: do backups over sftp with a dedicated ssh key (Franck Cuny, 2023-04-23, 3 files, -1/+10)

* hosts/tahoe: create a new user specifically for backups (Franck Cuny, 2023-04-23, 1 file, -0/+11)

  This is the user I'll be using to do my backups. This is a system user, and there's only one public key added to it. This key is only used for backups and will be managed in this repository.

* hosts/carmel: enable promtail (Franck Cuny, 2023-04-23, 1 file, -1/+5)

* hosts/tahoe: loki and prometheus listen only on the wg0 interface (Franck Cuny, 2023-04-23, 1 file, -4/+7)

  I don't want to have to deal with authentication and TLS certificates for these endpoints. If they are only listening on the wireguard interface, I can trust that only authorized hosts are sending traffic to these endpoints. I trust what's running on these machines.
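
A quick way to verify the property this commit relies on, as an added example rather than code from the repository: parse `ss -Htlnp` output and list every TCP listener that is not bound to the wg0 address or to loopback. The wg0 address `10.100.0.1` and the sample `ss` lines are constructed for the example; on a real host `audit_wg_only` reads the live address and sockets.

```shell
#!/bin/sh
# Added example, not code from the repository: list TCP listeners that are
# reachable from outside the wireguard interface, i.e. bound to anything
# other than the wg0 address or loopback. The address 10.100.0.1 and the
# sample `ss` lines are constructed for the example.

# Reads `ss -Htlnp` output on stdin (State Recv-Q Send-Q Local:Port
# Peer:Port Process) and prints "addr:port process" for each listener whose
# local address is neither the wg0 address nor loopback. Wildcard binds
# (0.0.0.0, *, [::]) are reported too: they answer on every interface even
# if the service was meant for wg0 only.
find_exposed_listeners() {
  awk -v wg="$1" '
    {
      laddr = $4
      n = split(laddr, parts, ":")
      port = parts[n]
      addr = substr(laddr, 1, length(laddr) - length(port) - 1)
      if (addr == wg || addr == "127.0.0.1" || addr == "[::1]") next
      proc = "-"
      # the process name sits in users:(("name",pid=...,fd=...))
      if (match($0, /users:\(\("[^"]+"/))
        proc = substr($0, RSTART + 9, RLENGTH - 10)
      print addr ":" port " " proc
    }'
}

# Constructed sample of `ss -Htlnp` output for a host like tahoe.
sample_ss_output() {
  cat <<'EOF'
LISTEN 0 4096 10.100.0.1:9090 0.0.0.0:* users:(("prometheus",pid=1234,fd=7))
LISTEN 0 4096 10.100.0.1:3100 0.0.0.0:* users:(("loki",pid=1235,fd=9))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))
LISTEN 0 4096 *:9100 *:* users:(("node_exporter",pid=1300,fd=3))
LISTEN 0 511 127.0.0.1:3000 0.0.0.0:* users:(("grafana",pid=1400,fd=8))
EOF
}

# On a real host: take wg0's IPv4 address from `ip` and the live sockets
# from `ss`. Not exercised offline.
audit_wg_only() {
  iface=${1:-wg0}
  addr=$(ip -4 -o addr show dev "$iface" | awk '{ print $4 }' | cut -d/ -f1)
  ss -Htlnp | find_exposed_listeners "$addr"
}

# Usage: sample_ss_output | find_exposed_listeners 10.100.0.1
#        audit_wg_only wg0
```

On the sample the report names only `sshd` on `0.0.0.0:22` and `node_exporter` on `*:9100`; the two daemons from the commit are bound to the wg0 address and are not listed. Binding to that address keeps a daemon off the other interfaces, but says nothing about who is on the wireguard network: that trust rests on wg0's peer list and allowed IPs. A wildcard bind is still reported when the firewall closes the port, which is what an audit wants, since the bind address and the firewall rule are two independent controls.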

* modules/monitoring: consolidate all monitoring services together (Franck Cuny, 2023-04-23, 2 files, -11/+13)

  This will help to organize and structure monitoring modules a bit better.

* modules/services: add loki and promtail (Franck Cuny, 2023-04-23, 1 file, -0/+7)

* hosts/carmel: don't log dns queries in dnsmasq (Franck Cuny, 2023-04-15, 1 file, -1/+0)

  This is way too verbose.

* hosts/carmel: start dnsmasq once network interfaces are online (Franck Cuny, 2023-04-15, 1 file, -0/+7)

* hosts/carmel: don't release DHCP lease on wan interface (Franck Cuny, 2023-04-15, 1 file, -0/+3)

  No need to release the lease if we are rebooting.

* hosts/carmel: serve the leases on port 8067 (Franck Cuny, 2023-04-06, 1 file, -4/+7)

  Bind to the wireguard interface, and use the port 8067 (67 is the port used for DHCP requests).

* hosts/carmel: run dnsmasql-to-html when leases change (Franck Cuny, 2023-04-06, 1 file, -1/+4)

  The option `dhcp-script` can be used to run a script every time a new lease is added or deleted. We configure this option to run the script that generates a static HTML file with the leases.
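
For the `dhcp-script` mechanism this commit uses, here is an added example of such a script (shell; it is not the repository's dnsmasql-to-html tool). dnsmasq invokes the script with the action (`add`, `old` or `del`), the MAC address, the IP address and, if known, the hostname. This version deliberately ignores the per-lease arguments and rebuilds the page from the lease file on every event, so a missed event is repaired by the next one, including the `old` events dnsmasq emits for existing leases at startup. The lease-file and output paths are assumptions; the lease lines in `sample_leases` are constructed; GNU `date` is optional, without it the raw expiry timestamp is shown.

```shell
#!/bin/sh
# Added example, not the repository's dnsmasql-to-html tool: a minimal
# dnsmasq dhcp-script that rebuilds a static HTML page of leases.
# Paths are assumptions and can be overridden from the environment.
set -eu

LEASE_FILE=${LEASE_FILE:-/var/lib/dnsmasq/dnsmasq.leases}
OUTPUT=${OUTPUT:-/var/www/leases/index.html}

# Everything in the lease file except the expiry is client-controlled or
# copied from the wire; escape it before it becomes HTML.
html_escape() {
  sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
      -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# Lease file format: "<expiry-epoch> <mac> <ip> <hostname> <client-id>".
# An expiry of 0 means an infinite lease. One <tr> per lease on stdout.
render_rows() {
  while read -r expiry mac ip name _clientid; do
    [ -n "${ip:-}" ] || continue
    if [ "$expiry" = 0 ]; then
      when=infinite
    else
      # GNU date; fall back to the raw epoch elsewhere
      when=$(date -u -d "@$expiry" +%Y-%m-%dT%H:%MZ 2>/dev/null || printf '%s' "$expiry")
    fi
    printf '<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>\n' \
      "$(printf '%s' "$ip" | html_escape)" \
      "$(printf '%s' "$mac" | html_escape)" \
      "$(printf '%s' "$name" | html_escape)" \
      "$when"
  done
}

# Wraps the rows in a complete page; lease lines are read from stdin.
render_page() {
  cat <<'EOF'
<!doctype html>
<meta charset="utf-8">
<title>DHCP leases</title>
<table>
<tr><th>IP</th><th>MAC</th><th>Hostname</th><th>Expires (UTC)</th></tr>
EOF
  render_rows
  printf '</table>\n'
}

# Entry point called by dnsmasq as: script add|old|del MAC IP [hostname].
# The per-lease arguments are unused on purpose: the page is rebuilt from
# the lease file and replaced atomically, so readers never see a partial file.
main() {
  case ${1:-} in
    add|old|del)
      tmp=$(mktemp "$OUTPUT.XXXXXX")
      render_page < "$LEASE_FILE" > "$tmp"
      chmod 0644 "$tmp"
      mv -f "$tmp" "$OUTPUT"
      ;;
    *) ;;  # other events (tftp, arp, init) need no action here
  esac
}

# Constructed sample lease file content, for trying the renderer offline.
sample_leases() {
  printf '%s\n' \
    '1680000000 aa:bb:cc:dd:ee:01 192.168.1.50 printer 01:aa:bb:cc:dd:ee:01' \
    '0 aa:bb:cc:dd:ee:02 192.168.1.51 <script>alert(1)</script> *'
}

# Usage: sample_leases | render_page
#        dnsmasq --dhcp-script=/path/to/this-script ...
```

dnsmasq runs the script as root unless `dhcp-scriptuser` names another user, so the script and the directory it lives in must be root-owned and not writable by others, and nothing client-supplied should reach a shell unquoted. dnsmasq itself rejects hostnames containing characters it considers illegal, but the renderer should not depend on that: every field is HTML-escaped before it is written, so a hostname like the second sample lease ends up as text on the page rather than as markup.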

* hosts/carmel: the wireguard interface is trusted (Franck Cuny, 2023-04-05, 1 file, -1/+1)

* hosts/carmel: add wireguard key (Franck Cuny, 2023-04-05, 3 files, -0/+23)

* hosts/carmel: drop checkReversePath (Franck Cuny, 2023-04-05, 1 file, -3/+0)

  This is managed in the tailscale module.

* hosts/carmel: enable tailscale (Franck Cuny, 2023-04-05, 1 file, -0/+2)

* hosts/carmel: more options for dnsmasq (Franck Cuny, 2023-04-03, 1 file, -0/+2)

* hosts/carmel: add a few more options for dnsmasq (Franck Cuny, 2023-04-03, 1 file, -0/+6)

* hosts/carmel: enable prometheus exporter for DNSmasq (Franck Cuny, 2023-04-03, 1 file, -0/+5)

* hosts/carmel: reconfigure the host as a router (Franck Cuny, 2023-04-03, 9 files, -113/+210)

  I'm not using it as a desktop, and the current router is getting old and will likely fail in the near future. It's also a Debian machine configured manually, so let's reconfigure carmel as our new router.

  There are three NICs in the host: 2 are 10Gb and one is 1Gb. The 1Gb will be used as the upstream interface, and one of the 10Gb will be for the LAN.

  There are 2 VLANs to configure: one for IoT devices and one for guests.

* modules/sendsms: gate the unit with a file (Franck Cuny, 2023-03-27, 2 files, -0/+2)

  To prevent the unit from being triggered multiple times if the host has already rebooted, we create a gate file when we're done running, and before running, we check if the file exists.

  Enable the service on tahoe.

  Don't restart the unit when its definition has changed.

* modules/console: larger font for EVERYONE (Franck Cuny, 2023-03-26, 1 file, -8/+0)

* hosts/tahoe: set a larger font for the TTYs (Franck Cuny, 2023-03-26, 1 file, -0/+8)

* hosts: it's time to switch to schedutil (Franck Cuny, 2023-03-15, 1 file, -0/+2)

* hosts/tahoe: set the consoleMode to "max" (Franck Cuny, 2023-03-14, 1 file, -0/+3)

* home/shell: switch the default shell back to zsh (Franck Cuny, 2023-03-11, 2 files, -2/+2)

  I keep running into issues when using fish: I'm not familiar with the syntax and I don't use it enough for it to stick. I also need to google stuff regularly to figure out how things are supposed to work. This is annoying enough that the supposed benefits of fish are not worth it for me.

* secrets: move aptos' gcloud secrets to homeage (Franck Cuny, 2023-03-11, 2 files, -5/+0)

  This secret is not needed system-wide; I only need it to run some tools.

* home/gnome: no more keyring (Franck Cuny, 2023-03-10, 1 file, -1/+0)

  I used the keyring only to start the GPG agent and unlock the ssh keys. But since I'm storing the ssh keys on yubikeys and I don't use GPG, I can remove it.

* hosts/tahoe: delete unused secrets (Franck Cuny, 2023-03-10, 3 files, -5/+0)

* hosts/tahoe: re-key all the secrets with age identities (Franck Cuny, 2023-03-10, 12 files, -32/+41)

  This is using the public keys from:

  - my user on my laptop
  - the root user on tahoe
  - the backup key stored on the USB drive

* hosts/aptos: re-key all the secrets with age identities (Franck Cuny, 2023-03-10, 6 files, -18/+19)

  This is now using the public keys from various age keys:

  - one for my user on the laptop
  - one for the root user on the laptop
  - one backup key stored on the USB drive

* ref(hosts/tahoe): don't install sendsms (Franck Cuny, 2023-03-02, 1 file, -1/+0)

  It's not working as I want; let's fix it first, then we can enable it again later.

* ref(home/drone): remove drone (Franck Cuny, 2023-03-02, 1 file, -1/+0)

  It's not running anymore.

* feat(hosts/tahoe): install gitolite and cgit (Franck Cuny, 2023-03-02, 1 file, -9/+6)

  Replace gitea with gitolite + cgit. I don't need a whole git forge for myself, especially since I don't use most of the features.

  The main thing I'm losing with this change is CI (via drone), but this is not really a big loss for now.

* feat(modules/pcscd): install the pcscd daemon (Franck Cuny, 2023-02-20, 1 file, -0/+3)

  This is to use the yubikeys correctly.

* feat(home/age): install tooling related to age and yubikeys (Franck Cuny, 2023-02-20, 1 file, -0/+2)

* ref(aptos/services): don't use autologin (Franck Cuny, 2023-01-22, 1 file, -1/+0)

  This is not working as I thought it would: I was expecting this to only work with the first login, but any time I log out of my account it logs in right away again.

* ref(hosts/tahoe): exclude more paths from backups (Franck Cuny, 2023-01-19, 1 file, -0/+7)

* ref(tahoe/backups): back up fewer things (Franck Cuny, 2023-01-16, 1 file, -2/+10)

  I don't need to back up videos, or the cache of my home directory. I also don't need to keep that many snapshots around.

* ref(home/matrix): replace element with fractal (Franck Cuny, 2023-01-15, 1 file, -1/+1)

  fractal(-next) is a client for matrix. It's GTK4 native and uses rust. While not much nicer looking than element, it's not an electron app, which I prefer (electron is slow, and element would freeze/crash from time to time).

  I renamed the module from element to matrix-client, in case I switch to something else in the future (or if there are additional configurations).

* ref(home/sway): auto login and enable systemd integration (Franck Cuny, 2023-01-15, 1 file, -0/+1)

  When the laptop boots, I already have to enter a passphrase to unlock the disks, so I can trust that it's me and can automatically log into the system.

  Enable systemd integration for sway so that the correct session is started and environment variables are imported properly.

* feat(hosts/tahoe): rotate the screen 90 degrees (Franck Cuny, 2023-01-10, 1 file, -2/+6)

  The machine is connected to a rotated screen.

* fix(hosts/tahoe): work around md raid boot uuid issue in 22.11 (Franck Cuny, 2023-01-10, 1 file, -2/+2)

  Due to an md device UUID availability issue in initrd.

  Refs:
  - https://github.com/NixOS/nixpkgs/issues/196800
  - https://github.com/NixOS/nixpkgs/issues/199551

* fix(hosts/tahoe): mask mdmonitor (Franck Cuny, 2023-01-09, 1 file, -0/+5)

  This is a broken unit and I don't need it (see https://github.com/nixos/nixpkgs/issues/72394).

* fix(modules/unifi): proper monitoring and latest version (Franck Cuny, 2023-01-08, 1 file, -1/+4)

  They've recently removed from nixpkgs the version of mongodb that was used by unifi. I updated to the latest version (7) and did the migration of the DB manually (see https://github.com/NixOS/nixpkgs/pull/207382):

  ```sh
  # dump the data with the old server version (3.4)
  nix-shell -p mongodb-3_4 mongodb-tools
  mongod --dbpath /var/lib/unifi/data/db --logpath /var/log/unifi/repair.log --repair
  mongod --dbpath /var/lib/unifi/data/db --logpath /var/log/unifi/repair.log --journal --fork
  mongodump --out=/root/mongodump
  pkill mongod
  exit

  # restore the dump into a fresh data directory with the new server version (4.2)
  nix-shell -p mongodb-4_2 mongodb-tools
  mv /var/lib/unifi/data/db /var/lib/unifi/data/db_bak
  mkdir /var/lib/unifi/data/db
  mongod --dbpath /var/lib/unifi/data/db --logpath /var/log/unifi/repair.log --journal --fork
  mongorestore /root/mongodump
  pkill mongod
  ```

  Once this was done, the exporter was also broken, as it has been renamed. There are two different services for it in nixpkgs: `services.unpoller` and `services.prometheus.exporters.unpoller`. Only the last one works.

  From what I can tell, everything is working now.

* feat(hosts/tahoe): enable `sendsms` module (Franck Cuny, 2022-11-30, 3 files, -0/+14)

* ref(gerrit): delete modules/docs/configs for gerrit/buildkite (Franck Cuny, 2022-11-07, 5 files, -52/+0)

* fix(services/drone): enable drone (Franck Cuny, 2022-11-06, 5 files, -5/+12)

  The URL for drone changed to https://ci.fcuny.net. The secrets also changed (and we remove the unencrypted file with secrets).

* Revert "ref(drone): remove all modules and configurations" (Franck Cuny, 2022-11-05, 2 files, -0/+5)

  This reverts commit 614fc2fcce0e9ae0bcfdc6e08d3c4bac846d02a8.

* feat(hosts/tahoe): enable gitea again (Franck Cuny, 2022-11-05, 1 file, -0/+4)

* ref(hosts/tahoe): disable cgit/gerrit/buildkite/sourcegraph (Franck Cuny, 2022-10-29, 1 file, -10/+0)

  Since I'm moving everything back to GitHub, I don't need to run these services anymore.

* fix(hosts): the WM manager needs to be in home.nix (Franck Cuny, 2022-09-23, 4 files, -6/+8)

* ref(home-manager): don't use home-manager when building the host (Franck Cuny, 2022-09-22, 3 files, -18/+4)

  When rebuilding the host (through `nixos-rebuild switch --flake`) I don't want to also rebuild my home-manager configuration. I want these to be two different steps. I rebuild the home-manager configuration more frequently and it's a waste of time and CPU to rebuild the world every time.

  This is a pretty large refactoring:

  - move checks back into the flake: if I modify a check, the configuration for `pre-commits` is not regenerated, as the file with the checks is not monitored with `direnv` (I could probably configure it for it, but not now)
  - remove `home.nix` from the host level configuration
  - introduce a `mkHomeManagerConfiguration` function to manage the different user@host
  - fix a warning with the rust overlay

* feat(rust): add an overlay to install rust (Franck Cuny, 2022-08-22, 1 file, -0/+1)

  Installing the rust overlay to get the various tools installed. This is done by a new module for home-manager, and is installed only on my laptop at the moment.

  Change-Id: I80c1633ca04da82f4321a0687a05d1df7c523702

* fix(tahoe/secrets): configuration for rclone-sync to GCP (Franck Cuny, 2022-08-08, 1 file, -0/+0)

  The configuration needs to be updated: we set the value for `bucket_policy_only` to true now that we've set the bucket to use uniform bucket-level access (https://cloud.google.com/storage/docs/uniform-bucket-level-access).

  Change-Id: I7e9516709af4be35a3964937c1dbd728bcfe1f01
  Reviewed-on: https://cl.fcuny.net/c/world/+/709
  Tested-by: CI
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* feat(home/terraform): install terraform when needed (Franck Cuny, 2022-08-08, 1 file, -0/+1)

  Change-Id: Ie87672629ff23eeb93f5308898014cc737490b7c
  Reviewed-on: https://cl.fcuny.net/c/world/+/708
  Tested-by: CI
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* feat(hosts/tahoe): add a token for graphql for buildkite agents (Franck Cuny, 2022-08-06, 2 files, -0/+16)

  Change-Id: I17ea0baab0d74888ed1b21342c583495d3f52643
  Reviewed-on: https://cl.fcuny.net/c/world/+/705
  Tested-by: CI
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* feat(modules/gerrit): manage secure configuration with nix (Franck Cuny, 2022-07-18, 2 files, -0/+6)

  Currently the secure configuration for gerrit is not managed by nix. This is likely going to break in the future and I'll hate myself for that. Let's move it into nix and encrypt it with age, like we do for other secrets.

  Change-Id: Ia7a006748a3ad64fa4b97ca9e8cbd98c99433982
  Reviewed-on: https://cl.fcuny.net/c/world/+/622
  Tested-by: CI
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* fix(tahoe/backups): don't back up some directories (Franck Cuny, 2022-07-08, 1 file, -0/+1)

  I don't need to back up these directories in my home.

  Change-Id: Ia2302f2ebe74033090b86b52864787d2a63ecb4b
  Reviewed-on: https://cl.fcuny.net/c/world/+/620
  Tested-by: CI
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* fix(new-lines): add or remove new lines where needed (Franck Cuny, 2022-07-02, 3 files, -3/+0)

  The pre-commit hook for new lines reported and corrected a number of issues, so let's commit them now, and after that we can enable the hook for the repository.

  Change-Id: I5bb882d3c2cca870ef94301303f029acfb308740
  Reviewed-on: https://cl.fcuny.net/c/world/+/592
  Tested-by: CI
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* feat(hosts/home): use fish as my default shell everywhere (Franck Cuny, 2022-06-23, 2 files, -2/+2)

  Change-Id: I75df9d3ba133e3f7380a518e1b8c70a564f60482
  Reviewed-on: https://cl.fcuny.net/c/world/+/481
  Tested-by: CI
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* ref(home/shell): switch default shell to fish (Franck Cuny, 2022-06-20, 1 file, -1/+1)

  Change-Id: I905ce6eddc35e4c51a0ab27c8984e0da0fdee7a7
  Reviewed-on: https://cl.fcuny.net/c/world/+/457
  Reviewed-by: Franck Cuny <franck@fcuny.net>
  Tested-by: CI

* ref(home/shell): make it easier to share common things between shells (Franck Cuny, 2022-06-20, 3 files, -4/+4)

  I'm considering trying fish again, and there are a number of things that should be common between zsh and fish (aliases, environment variables, ...). Instead of duplicating these settings multiple times, I'm consolidating the shell configurations under `home/shell`, and I can set the shell I want to use with `my.home.shell.name`.

  The first step is to move the modules for fish and zsh under `home/shell`, add an interface to pick which one I want to use, and modify the `host/home.nix` configuration to keep using zsh with the new interface.

  Change-Id: Idb66b1a6fcc11a6eeaf5fd2d32dd3698d2d85bdf
  Reviewed-on: https://cl.fcuny.net/c/world/+/455
  Tested-by: CI
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* ref(drone): remove all modules and configurations (Franck Cuny, 2022-06-11, 2 files, -5/+0)

  I do not use drone anymore, no need to keep this around.

  Change-Id: I8f9564747939a6d1a2b95bcfe8e2c70e46d8bc1e
  Reviewed-on: https://cl.fcuny.net/c/world/+/411
  Tested-by: CI
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* fix(fmt): correct formatting for all nix files (Franck Cuny, 2022-06-10, 5 files, -5/+10)

  This was done by running `nixpkgs-fmt .`.

  Change-Id: I4ea6c1e759bf468d08074be2111cbc7af72df295
  Reviewed-on: https://cl.fcuny.net/c/world/+/404
  Tested-by: CI
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* fix(secrets): buildKite agents can read gerrit secrets (Franck Cuny, 2022-06-09, 1 file, -0/+4)

  We need to ensure the agents can read the secrets / tokens to vote after a build.

  Change-Id: I066c2482a795b21badaa9cc3c525373d7945b084
  Reviewed-on: https://cl.fcuny.net/c/world/+/341
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* ref(profiles): get rid of all the profiles (Franck Cuny, 2022-06-09, 6 files, -11/+30)

  All the modules that are set up by the profiles are now managed at the host level. This simplifies some configuration, and will make it easier to adjust things at the host instead of trying to squeeze everything into profiles.

  This will also help the refactoring later, when I split nixos and home-manager configuration.

  Change-Id: I17ffda8b0b5d15bf1915c6fae5030380523d74b5
  Reviewed-on: https://cl.fcuny.net/c/world/+/297
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* ref(GTK): remove the profile for GTK (Franck Cuny, 2022-06-09, 4 files, -0/+8)

  All the configuration is done at the host level.

  Change-Id: Ib5ef71ea7955f6872fb08f576e48b24a70600693
  Reviewed-on: https://cl.fcuny.net/c/world/+/296
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* ref(home): structure and add comments (Franck Cuny, 2022-06-09, 3 files, -36/+75)

  Change-Id: I9abd49136df79a9ed040c9ec0e12eea30736c9ff
  Reviewed-on: https://cl.fcuny.net/c/world/+/295
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* ref(desktop): move all the modules for home-manager to host level (Franck Cuny, 2022-06-09, 2 files, -0/+18)

  Change-Id: I92abe7d6c9a1f7c5ef3f157137c59cde751d50f0
  Reviewed-on: https://cl.fcuny.net/c/world/+/294
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* ref(trusted): consume modules within host's configuration (Franck Cuny, 2022-06-09, 4 files, -4/+23)

  Remove the trusted profiles; the modules are installed directly within the host configuration.

  Change-Id: I0566fb359803da16bdd3a38e2901deac477fb078
  Reviewed-on: https://cl.fcuny.net/c/world/+/293
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* ref(multimedia): move multimedia modules to hosts (Franck Cuny, 2022-06-09, 3 files, -4/+9)

  Consume the modules related to multimedia applications at the host level, instead of having a level of indirection with a profile.

  Change-Id: I567f0e01cbfe591beaa2e9086e33434402a4a002
  Reviewed-on: https://cl.fcuny.net/c/world/+/292
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* ref(sane): move sane's configuration to correct place (Franck Cuny, 2022-06-09, 2 files, -3/+3)

  Change-Id: Ibb55ee455423c101fb6d3e62a2e9e4593682cf16
  Reviewed-on: https://cl.fcuny.net/c/world/+/291
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* ref(laptop): move services related to laptop to host's configuration (Franck Cuny, 2022-06-09, 2 files, -2/+6)

  As for the bluetooth configuration, we don't need that level of indirection. The laptop can consume these services directly, and we can drop the profile for laptop.

  Change-Id: Ia434d336ae581bd040fbc4963e5856806183d55e
  Reviewed-on: https://cl.fcuny.net/c/world/+/290
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* ref(bluetooth): remove the profile (Franck Cuny, 2022-06-09, 2 files, -1/+2)

  I don't need a profile for this; the module can be consumed directly from the host's hardware configuration. It removes one level of indirection and helps us toward the goal of completely removing all the profiles.

  Change-Id: I95a6fdc985420e7fe0ad737e7576d10d5c7eb114
  Reviewed-on: https://cl.fcuny.net/c/world/+/289
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* fix(gerrit-hook): update the configuration with correct URL (Franck Cuny, 2022-06-04, 1 file, -10/+12)

  Change-Id: Iae8860631a9d313d5b4f78d171d0dfebc6ef6ff9
  Reviewed-on: https://cl.fcuny.net/c/world/+/283
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* fix(secrets): set the owner for buildkite agent secrets (Franck Cuny, 2022-06-04, 1 file, -0/+1)

  There's one user per agent. If we don't set an owner for that file, it will be owned by root. Let's set the ownership to the first builder.

  Change-Id: I1270e6858c0bf2797bd12c2557d84a494cef5081
  Reviewed-on: https://cl.fcuny.net/c/world/+/281
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* ref(drone): remove secret and CLI for drone (Franck Cuny, 2022-06-04, 1 file, -5/+0)

  I'm not using drone anymore. I don't need the CLI and the secret to be installed.

  Change-Id: I9c8ecfe5f051fd70d78f0e2e9aaa705e48627714
  Reviewed-on: https://cl.fcuny.net/c/world/+/261
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* feat(gerrit): add secret for gerrit-hook (Franck Cuny, 2022-06-04, 2 files, -0/+16)

  The secret is the configuration for the gerrit-hook tool. It contains the URL to our gerrit instance, the username/password for the gerrit user used by the tool, the API token for buildKite and the name of the organization in buildKite.

  Change-Id: I58233e085c92d4c5db5635eb9942a5e87ee9e55d
  Reviewed-on: https://cl.fcuny.net/c/world/+/204
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* feat(hosts/tahoe): enable buildkite agent (Franck Cuny, 2022-05-30, 1 file, -0/+1)

  Change-Id: I12cc741bdfb074f7d2a006547860362176afe372
  Reviewed-on: https://cl.fcuny.net/c/world/+/169
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* feat(buildkite): add the auth token (Franck Cuny, 2022-05-30, 2 files, -0/+7)

  Change-Id: I652a3326caf8f949e9734849d1492f7b9764a766
  Reviewed-on: https://cl.fcuny.net/c/world/+/167
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* ref(tahoe): remove drone (Franck Cuny, 2022-05-29, 1 file, -9/+1)

  I will not be using drone anymore, and will likely replace it with buildkite.

  Change-Id: I45d91c43090aaba119855158e071dae377c1897f
  Reviewed-on: https://cl.fcuny.net/c/world/+/162
  Reviewed-by: Franck Cuny <franck@fcuny.net>

* feat(hosts/tahoe): replace gitea with cgit (Franck Cuny, 2022-05-27, 1 file, -2/+1)

  Change-Id: I3b00408d7550d7660fb33940ae2cd0806076f4d2
  Reviewed-on: https://cl.fcuny.net/c/world/+/62
  Reviewed-by: Franck Cuny <franck.cuny@gmail.com>

* feat(tahoe): enable gerrit (Franck Cuny, 2022-05-26, 1 file, -0/+4)

* feat(tahoe): enable sourcegraph (Franck Cuny, 2022-05-22, 1 file, -0/+4)

* bluetooth: enable on aptos (Franck Cuny, 2022-05-16, 1 file, -0/+1)

* zsh: switch to zsh as the default shell (Franck Cuny, 2022-05-15, 3 files, -3/+3)

  `zsh` is available everywhere and is compatible with bash. When using `fish` I need to remember how to do things. While the completion style is nicer, I don't care about the rest. I prefer to have a consistent experience in the shell, no matter where I am.

  This is an initial configuration; I might need to make a few changes as I go.

* aptos: enable bluetooth (Franck Cuny, 2022-05-12, 1 file, -0/+1)

* secrets: add a new secret for gcloud (aptos only) (Franck Cuny, 2022-05-07, 2 files, -0/+5)

  This is the configuration needed to interact with GCP from this repository. We only want it on aptos for now.

* tahoe: enable exec runner for drone (Franck Cuny, 2022-05-02, 1 file, -1/+1)

* backups: do backups for the laptop (Franck Cuny, 2022-04-24, 5 files, -1/+36)

  From the laptop I only back up /home/fcuny, as the rest should be straightforward to rebuild with nix. I run that backup as my own user, since I need my ssh key to use the remote repository (which is on the NAS). I also need a new secret for it (I might have been able to use `pass` for this, but well, that's easy enough).

  For the NAS, I update the list of directories to back up to include home; this will be in the system's backup.

* scanner: install tools on the laptop (Franck Cuny, 2022-04-24, 1 file, -0/+4)

* syncthing: enable on trusted machines (Franck Cuny, 2022-04-21, 4 files, -2/+16)

  Add the cert and key for aptos.

* syncthing: don't run from home (Franck Cuny, 2022-04-21, 1 file, -1/+0)

* syncthing: configure the keys for tahoe (Franck Cuny, 2022-04-21, 3 files, -0/+20)

* syncthing: enable on tahoe (Franck Cuny, 2022-04-21, 1 file, -0/+1)

* syncthing: let's run it from home-manager (Franck Cuny, 2022-04-21, 1 file, -0/+1)

* drone: configuration fixes (Franck Cuny, 2022-04-13, 1 file, -1/+1)

* drone: initial attempt at configuring it (Franck Cuny, 2022-04-13, 4 files, -0/+16)

* modules: make the vhost configurable (Franck Cuny, 2022-04-13, 1 file, -3/+9)

* grafana: correct domain name ... (Franck Cuny, 2022-04-13, 1 file, -1/+1)

* grafana: the vhost is configurable (Franck Cuny, 2022-04-13, 1 file, -1/+4)

* tahoe: set owner for secret related to ACME (Franck Cuny, 2022-04-13, 1 file, -1/+4)

* secrets: re-key all secrets for tahoe (Franck Cuny, 2022-04-13, 8 files, -30/+27)

* grafana: try to configure the domain with acme+dns (Franck Cuny, 2022-04-13, 3 files, -1/+9)

* nginx: get a simple solution to work first (Franck Cuny, 2022-04-13, 1 file, -13/+1)

* nginx: add nginx as a reverse proxy (Franck Cuny, 2022-04-13, 1 file, -1/+14)

  This will ultimately replace traefik.

* secrets: move the actual secrets with hosts config (Franck Cuny, 2022-04-13, 9 files, -0/+43)

  Having the secrets closer to the host is easier to manage. At the moment I don't have secrets that are shared across multiple hosts, so that's an OK approach.

* tahoe: fix backup configuration (Franck Cuny, 2022-04-11, 1 file, -2/+3)

* secrets: move all the secrets under module/ (Franck Cuny, 2022-04-10, 1 file, -3/+3)

  Refactor the configuration a bit, which should simplify the management and usage of secrets from now on.

* add a module for backup with restic (Franck Cuny, 2022-04-10, 1 file, -10/+4)

  Do a single backup for the host, instead of running multiple ones.

* tahoe: enable network with early boot (Franck Cuny, 2022-04-09, 2 files, -11/+19)

  So we can unlock the disks remotely.

* small fixes (Franck Cuny, 2022-04-09, 1 file, -1/+1)

* add a few more modules to home/ and delete stuff (Franck Cuny, 2022-04-09, 2 files, -0/+3)

* carmel: configure the desktop properly (Franck Cuny, 2022-04-08, 3 files, -1/+22)

* hosts: rename hardware-configuration to hardware (Franck Cuny, 2022-04-08, 6 files, -3/+3)

* hosts: add services to tahoe (Franck Cuny, 2022-04-08, 3 files, -11/+10)

* delete unneeded modules (Franck Cuny, 2022-04-08, 3 files, -96/+0)

* delete unused module (Franck Cuny, 2022-04-08, 1 file, -25/+0)

* aptos: consume the new profiles (Franck Cuny, 2022-04-08, 3 files, -3/+21)

  aptos is now using the new home-manager setup.

* initial attempt to reconfigure home-manager (Franck Cuny, 2022-04-07, 2 files, -0/+18)

  All the modules that are needed for home-manager should be under `home/`, and each host will have a `host.nix` where the modules are enabled as needed. Later on we can create some profiles to make it easier to consume the configuration.

  I apply this only to tahoe for now, as the number of packages needed for my user is pretty limited.

* refactor transmission and metrics-exporter (Franck Cuny, 2022-04-06, 4 files, -50/+2)

* refactor traefik (Franck Cuny, 2022-04-06, 2 files, -97/+1)

* refactor rclone to a module (Franck Cuny, 2022-04-06, 2 files, -33/+1)

* refactor gitea as a module (Franck Cuny, 2022-04-06, 2 files, -42/+4)

* refactor grafana as a module (Franck Cuny, 2022-04-06, 7 files, -26433/+1)

* refactor prometheus as a module (Franck Cuny, 2022-04-06, 2 files, -180/+1)

* refactor unifi to a module (Franck Cuny, 2022-04-06, 2 files, -82/+1)

* refactor navidrome to a module (Franck Cuny, 2022-04-06, 2 files, -28/+9)

* enable AMD module correctly (Franck Cuny, 2022-04-06, 2 files, -2/+2)

* refactor samba to a proper module (Franck Cuny, 2022-04-06, 2 files, -34/+5)

  The list of public shares is configurable too.

* refactor boot configuration to a module (Franck Cuny, 2022-04-06, 8 files, -62/+19)

  We don't need the previous `hosts/common/system` configs anymore, as everything has been moved out.

  We keep some boot configuration for carmel in the host configuration for now, but I need to check why I don't have similar settings for tahoe (since I also need to unlock the host remotely).

* refactor configuration for AMD (Franck Cuny, 2022-04-06, 2 files, -66/+65)

* refactor intel related configuration (Franck Cuny, 2022-04-05, 4 files, -37/+26)

* refactor modules for btrfs, ssd, and fwupd (Franck Cuny, 2022-04-05, 2 files, -9/+1)

* refactor network configuration (Franck Cuny, 2022-04-05, 6 files, -28/+58)

* refactor security to a module (Franck Cuny, 2022-04-05, 2 files, -6/+1)
* refactor users to a moduleFranck Cuny2022-04-052-33/+1
|
* refactor default packages to a moduleFranck Cuny2022-04-052-58/+2
|
* move locale configuration to a moduleFranck Cuny2022-04-052-13/+0
|
* console configuration is moved to a moduleFranck Cuny2022-04-051-5/+0
|
* create a profile for laptopFranck Cuny2022-04-051-1/+1
|
* carmel: enable the soundFranck Cuny2022-04-051-0/+1
|
* network: move tailscale in modulesFranck Cuny2022-04-057-62/+64
| | | | Move the networking configuration for the hosts to its own file.
* ssh: refactor to a moduleFranck Cuny2022-04-052-7/+0
| | | | Also install mosh and ensure the firewall opens the correct ports.
* nix: refactor to a moduleFranck Cuny2022-04-052-19/+0
|
* sound: add a new moduleFranck Cuny2022-04-056-42/+16
| | | | | | | | | | This is the start of yet another refactoring of the configuration. Sound configuration is moving to a module, and we enable it as needed at the host level. It takes care of configuring pipewire and install the packages needed too. This module is applied to the laptop and the desktop.
* dashboard: remove ping metricsFranck Cuny2022-04-041-96/+3
| | | | We're using the ones from the prober
* prometheus: fix configurationFranck Cuny2022-04-041-3/+1
|
* prometheus: we need to specify the IP protocolFranck Cuny2022-04-041-1/+5
| | | | | | | | If we don't, by default we try over ipv6, and this is not going to work well for us (yet): ``` ts=2022-04-05T01:39:13.830414184Z caller=main.go:130 module=https_2xx target=https://notes.fcuny.net level=error msg="Error for HTTP request" err="Get \"https://[2a09:8280:1::a:2aed]\": dial tcp [2a09:8280:1::a:2aed]:443: connect: network is unreachable" ```
* prometheus: I'll get this right this timeFranck Cuny2022-04-041-5/+3
|
* prometheus: set the scheme for the URLsFranck Cuny2022-04-041-5/+5
|
* prometheus: add scraper for HTTPFranck Cuny2022-04-041-0/+28
|
* prometheus: configure correctly the blackboxFranck Cuny2022-04-041-10/+23
|
* prometheus: attempt to configure blackbox exporterFranck Cuny2022-04-041-0/+34
|
* dashboard: more update for traefikFranck Cuny2022-04-041-452/+1478
|
* dashboards: more updates for traefikFranck Cuny2022-04-041-1/+2
|
* grafana: try to configure the data sourceFranck Cuny2022-04-041-9/+28
|
* grafana: add dashboard for traefikFranck Cuny2022-04-041-0/+783
|
* grafana: show last 6 hours for node exporterFranck Cuny2022-04-031-2/+2
|
* users: ensure I'm in the docker groupFranck Cuny2022-04-031-1/+1
|
* Revert "create a new role for navidrome"Franck Cuny2022-04-033-35/+26
| | | | This reverts commit 814a495e9c74e3211c6b6640397111115832207b.
* create a new role for navidromeFranck Cuny2022-04-033-26/+35
| | | | Apply the role to tahoe.
* nas: add videos to the backupsFranck Cuny2022-04-021-7/+2
| | | | | We also don't need the music-organizer anymore since we're switching to beets.
* nas: backup navidrome data and add music subdomainFranck Cuny2022-03-282-0/+14
|
* nas: bind navidrome to all interfacesFranck Cuny2022-03-281-1/+4
|
* nas: initial setup for navidromeFranck Cuny2022-03-282-0/+9
|
* nas: install music-organizer from the main branchFranck Cuny2022-03-271-0/+1
|
* nas: install correctly music-organizerFranck Cuny2022-03-271-1/+1
|
* nas: install music-organizerFranck Cuny2022-03-271-3/+5
|
* prometheus: stop scraping the NASFranck Cuny2022-03-261-4/+2
| | | | we're shutting it down!
* common: ensure zsh is installedFranck Cuny2022-03-251-0/+1
|
* gitea: remove invalid configurationFranck Cuny2022-03-251-1/+0
|
* shell: switch from zsh to fishFranck Cuny2022-03-252-3/+3
| | | | why not?
* rclone: correct path for the backupsFranck Cuny2022-03-151-2/+2
|
* rclone: fix the pathFranck Cuny2022-03-141-1/+1
|
* prometheus: scrape gitea metricsFranck Cuny2022-03-131-0/+6
|
* gitea: enable metrics endpointFranck Cuny2022-03-131-0/+1
|
* server: typoFranck Cuny2022-03-131-4/+2
|
* rclone: rewrite the service unitFranck Cuny2022-03-131-5/+6
|
* default: install ethtool everywhereFranck Cuny2022-03-121-0/+1
|
* prometheus: collect more stuffFranck Cuny2022-03-121-1/+1
|
* hosts: add profilesFranck Cuny2022-03-124-17/+18
| | | | Profiles contain a collection of modules.
* users: add another ssh keyFranck Cuny2022-03-121-2/+8
|
* containers: enable dockerd and containerd on aptosFranck Cuny2022-03-121-0/+11
|
* rclone: add users backupFranck Cuny2022-03-111-11/+12
|
* nas: enable rclone configurationFranck Cuny2022-03-111-0/+1
|
* prometheus: scrape more endpointsFranck Cuny2022-03-111-0/+30
|
* rclone: synchronize restic repo to GCSFranck Cuny2022-03-111-0/+29
| | | | | | Add a couple of secrets to store the configuration and the service account, and add a timer to synchronize the restic repository to a GCS bucket once a day.
* traefik: typoFranck Cuny2022-03-091-1/+1
|
* traefik: make the rules as specific as possibleFranck Cuny2022-03-091-2/+4
| | | | Otherwise, `git` will conflict, since it exists on both domains.
* traefik: typoFranck Cuny2022-03-091-5/+5
|
* gitea: typoFranck Cuny2022-03-091-1/+1
|
* traefik: handle fcuny.net and fcuny.xyzFranck Cuny2022-03-091-7/+15
| | | | | | | | | | | | | fcuny.net is for public facing domains, while fcuny.xyz is for domains on the tailscale network. I need to support configuration in traefik for both. The main difference, for traefik, is the domain name and which let's encrypt challenge to use (DNS for TS, HTTP for public). Refactor the function `mkServiceConfig` to accept the domain and LE challenge as argument, and add new entries for git.fcuny.net and git.fcuny.xyz.
* gitea: do a backup with resticFranck Cuny2022-03-091-0/+12
|
* gitea: we need to specify the user for the DBFranck Cuny2022-03-091-1/+4
|
* system: install sqliteFranck Cuny2022-03-091-3/+3
| | | | It's always useful to have it around.
* gitea: initial configurationFranck Cuny2022-03-082-0/+28
|
* nas: backup photos and musicFranck Cuny2022-03-081-0/+12
| | | | | | | Instead of rsync-ing these folders to a GCS bucket, I should instead do a backup. If I screw up something, the content will be sync-ed, and I won't be able to restore it. It's better (maybe more expensive, but that's OK) to keep snapshots and be able to restore.
* backups: spread them so they don't clashFranck Cuny2022-03-073-0/+3
| | | | | If they start running at the same time, they won't be able to succeed since there's a global lock on the repository.
* grafana: backup the data directoryFranck Cuny2022-03-071-0/+14
|
* prometheus: backup the data directoryFranck Cuny2022-03-071-0/+14
|
* unifi: backup the data to the local repoFranck Cuny2022-03-071-0/+14
|
* prometheus: scrape unifi poller on the correct IPFranck Cuny2022-03-061-1/+1
|
* prometheus: scrape from unifi-pollerFranck Cuny2022-03-061-31/+40
|
* unifi: set the correct name for the poller's unitFranck Cuny2022-03-061-2/+2
|
* traefik: proper configuration for unifiFranck Cuny2022-03-061-0/+14
|
* unifi: configure the pollerFranck Cuny2022-03-061-5/+18
|
* unifi: add unifi on the NASFranck Cuny2022-03-062-0/+54
|
* transmission: disable the rpc allowlistFranck Cuny2022-03-061-2/+1
| | | | This is not working as I think, will follow up later.
* traefik: add transmission (bt.fcuny.xyz)Franck Cuny2022-03-061-2/+4
|
* nas: install transmissionFranck Cuny2022-03-062-0/+36
| | | | | Create a user and group 'nas' so we can run transmission in it. This will also help us to enable some specific permissions on some directories.
* grafana: rename the instance for the routerFranck Cuny2022-03-061-16/+16
|
* grafana: add a few more dashboardsFranck Cuny2022-03-063-0/+10539
|
* tahoe: enable tailscaleFranck Cuny2022-03-061-0/+1
|
* traefik: getting a working configurationFranck Cuny2022-03-061-22/+21
|
* traefik: second attempt, simpleFranck Cuny2022-03-062-52/+35
|
* traefik: initial configurationFranck Cuny2022-03-062-0/+87
| | | | | | | | | I want to run traefik on the NAS, so I can reach grafana and other future services running on that host. To manage TLS, we use let's encrypt with a DNS challenge. For this to work we need a service account configuration, that is encrypted with age.
* backups: unit to run maintenance on my backupsFranck Cuny2022-03-052-0/+26
| | | | | This will be run via a timer once a day, to perform maintenance on my backups on the nas.
* prometheus: scrape nodeexporter for the rtrFranck Cuny2022-03-051-15/+24
|
* samba: fix path for music, add videosFranck Cuny2022-03-051-1/+7
|
* tahoe: remove creation of some directoriesFranck Cuny2022-03-051-29/+9
|
* tahoe: new hardware configurationFranck Cuny2022-03-051-21/+13
|
* aptos: remove mem_sleep_defaultFranck Cuny2022-03-051-1/+0
| | | | The laptop was rebooting when I'd open the lid.
* tailscale: add tailscale to the laptop (aptos)Franck Cuny2022-03-052-0/+7
|
* aptos: nixfmtFranck Cuny2022-03-041-17/+10
|
* tahoe: enable wireguardFranck Cuny2022-03-021-0/+1
|
* grafana: disable analytics correctlyFranck Cuny2022-03-021-1/+2
|
* wireguard: drop configuration for aptosFranck Cuny2022-03-021-7/+0
| | | | This is done in the module itself.
* prometheus: relabel some machinesFranck Cuny2022-03-021-12/+20
| | | | | Don't use the IP from wireguard as the name of the host, let's map to the actual hostname.
* users: remove rsa keyFranck Cuny2022-03-021-1/+0
|
* grafana: disable analyticsFranck Cuny2022-03-021-0/+1
|
* grafana: provision dashboardsFranck Cuny2022-02-282-0/+14120
| | | | Start with node-exporter-full dashboard.
* grafana: set up provisioning correctlyFranck Cuny2022-02-281-6/+9
|
* grafana: fixFranck Cuny2022-02-281-1/+1
|
* grafana: configure admin user and data sourcesFranck Cuny2022-02-281-1/+9
|
* grafana: initial configurationFranck Cuny2022-02-282-0/+10
|
* prometheus: initial configuration for the serverFranck Cuny2022-02-282-0/+30
| | | | | | | Run prometheus via systemd, and configure it to pull node-exporter's metrics from two hosts. The retention is set for 3 years.
* users: change my ssh key for the laptopFranck Cuny2022-02-271-1/+2
|