commit | 22428b0d31a9de020ff5ab50c863578fbb6c8766 | [log] [tgz] |
---|---|---|
author | Skyler Grey <minion@clicks.codes> | Sun Nov 19 13:20:56 2023 +0000 |
committer | Skyler Grey <minion@clicks.codes> | Sun Nov 19 22:58:06 2023 +0000 |
tree | eed49c13b2704c0d91dea7d70be7da878cfa59d6 | |
parent | f68685dc7059e31dcd58135137f601cbd881c30a [diff] |
Separate configs into a1d2 and fix related issues

This commit was made while a1d1's drive failed. This means there's a lot of changes that may initially seem unrelated to separating configurations and that this change has been deployed for several days before being pushed. It's also expected to bypass review.

Here's a full list of changes:
- All modules have been moved from modules to modules/common
- Hardware configuration is now on a per-server basis, by Clicks device ID
- For the uninformed, everything is given an 'area' and a 'device'. As an example, my house is 'Area 2'. My Mac is 'Device 1' in 'Area 2'. An ID is an 'a' followed by the area number then 'd' followed by the device number. For example, my Mac is 'a2d1'.
- A 'backups' user has been provisioned. This user must have full root permissions. On a1d2 this user has been given an ssh key which the a1d2 user on a1d3 ('chickadee') has been given. When a1d1 is restored, a similar key will be provisioned for it.
- The port of gerrit has been changed to conform to the normal minimum of 1024. Note that when deploying gerrit, running its init script is required. Changing the port will not fix this
- Due to redeployment, keycloak client secrets have changed
- Vaultwarden extra paths have been removed, due to needing to create them on launch and this not happening by default
- A HIBP license has been bought and related options have been enabled in vaultwarden
- Collabora has been set up in docker, as the built-in code server was not working and the standalone nix module I've been working on is not ready
- ACME now registers certificates for mailcow, and moves its certificates into mailcow directories after renewal. This avoids mailcow having to use its own ACME
- Gerrit has been allowed to send and receive email. Feel free to mail in your patches, and you'll also be able to receive mail notifications about changes you should review

Change-Id: Ie4d50fb8f16da193195beb139922a366b72b0b0a
Reviewed-on: https://git.clicks.codes/c/Clicks/NixFiles/+/1
Tested-by: Skyler Grey <minion@clicks.codes>
Reviewed-by: Samuel Shuert <coded@clicks.codes>
To deploy these files to our server we use deploy-rs. If you have a flakes-enabled nix installed on your system, you can run
nix run github:serokell/deploy-rs
You can also install deploy-rs into your profile, at which point you'll be able to run
deploy
Secrets are stored in SOPS and deployed using scalpel.
If you have a service which needs to store secrets in its config file, please set systemd reloadTriggers and restartTriggers so that the service is automatically reloaded/restarted whenever its configuration changes.
Note that changing the secrets alone will not trigger a reload/restart of the service: the triggers only see the Nix-rendered configuration, not the substituted secret values. If you want to update the secrets without updating the rest of the configuration, you currently need to restart the service manually. This could possibly be solved by using systemd path units to watch the secret files (see https://superuser.com/questions/1171751/restart-systemd-service-automatically-whenever-a-directory-changes-any-file-ins), but this is not a priority.
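As an added illustration that is not part of this repository, the following NixOS module shows both halves of the above: a service listed in restartTriggers so it restarts when its rendered config changes, plus the optional systemd path unit that also restarts it when the decrypted secret file changes. The service name, the secret name, the @API_KEY@ placeholder syntax and the use of sops-nix to expose the decrypted secret under its own path are all assumptions for this example.

```nix
{ config, lib, pkgs, ... }:
let
  # Hypothetical service name; replace with the real module's name.
  svc = "myservice";
  # Assumption: sops-nix provides the decrypted file path for each secret.
  secretPath = config.sops.secrets."${svc}-env".path;
  # Config rendered by Nix into the store. The secret is NOT inlined here;
  # only a placeholder that the substitution step (scalpel) fills in at
  # activation time. Placeholder syntax is an assumption for this example.
  configFile = pkgs.writeText "${svc}.conf" ''
    listen = 127.0.0.1:8080
    api_key = @API_KEY@
  '';
in
{
  sops.secrets."${svc}-env" = { };

  systemd.services.${svc} = {
    wantedBy = [ "multi-user.target" ];
    # Stand-in binary so the module evaluates; use the real daemon here.
    serviceConfig.ExecStart = "${pkgs.hello}/bin/hello";
    # Restart when the rendered config (a store path) changes. Because the
    # secret value is substituted outside the store, a secret-only change
    # leaves this path identical and so does not restart the service.
    restartTriggers = [ configFile ];
  };

  # Path unit: watch the decrypted secret and restart the service on change,
  # so a rotated secret does not leave the daemon running with the old value.
  systemd.paths."${svc}-secret-watch" = {
    wantedBy = [ "multi-user.target" ];
    pathConfig = {
      PathChanged = secretPath;
      Unit = "${svc}-secret-restart.service";
    };
  };
  systemd.services."${svc}-secret-restart" = {
    serviceConfig.Type = "oneshot";
    script = "${config.systemd.package}/bin/systemctl restart ${svc}.service";
  };
}
```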