Commit message (Author, Age, Lines)

* Update issuers (Joe Banks, 2024-05-08, -4/+4)

* Add Cloudflare API token secret (Joe Banks, 2024-05-08, -0/+0)

* Add pydis.wtf certificate (Joe Banks, 2024-05-08, -0/+12)

* Configure Prometheus alerting for failed systemd units (#278) (jchristgit, 2024-05-08, -1/+16)
  The two services that I would normally exclude are intentionally not excluded right now to test out the alertmanager setup. If all goes well, we should receive a notification on Discord.

* Correct scheme configuration for Alertmanager (Johannes Christ, 2024-05-07, -3/+3)

* install blackbox exporter as part of our monitoring stack (shtlrs, 2024-05-06, -47/+49)

* Perform fail2ban bans directly via nftables (Johannes Christ, 2024-05-04, -0/+2)
  See upstream at https://github.com/fail2ban/fail2ban/commit/d0d07285234871bad3dc0c359d0ec03365b6dddc; this will be incorporated into Debian at the next release.

* Skip tasks requiring all hosts when running with limit (Johannes Christ, 2024-05-04, -0/+2)

* Configure default security limits (Johannes Christ, 2024-05-04, -0/+15)
  The new limits allow each user to run a maximum of 100 processes by default, allowing this number to be manually raised to 200. When a custom "pydis" group or similar is introduced, I plan to expand this to also specify other limits to prevent user error from causing problems on the system.

* set backend to systemd (shtlrs, 2024-05-04, -0/+1)

* Set up Prometheus alerting on Netcup (Johannes Christ, 2024-05-04, -2/+18)

* Set up database group for database hosts (Johannes Christ, 2024-05-03, -3/+9)

* Remove old groups from Vagrant inventory (Johannes Christ, 2024-05-03, -30/+0)
  These groups are no longer present in our proper inventory as we no longer plan on self-hosting Kubernetes on the netcup nodes.

* Harden SSH security and prevent some misconfigurations (Johannes Christ, 2024-05-01, -8/+45)
  Disable agent forwarding and X11 forwarding in the default configuration. Users can still forward this if they really want to by installing a custom forwarder and utilizing their shell access to spawn it, but with this, we're making it impossible for people to accidentally forward their agent or their X socket to the remote server. Additionally, change the SSH configuration such that only the Python Discord users are allowed to log in.

* Depend on ansible-core instead of Ansible (Johannes Christ, 2024-05-01, -22/+83)
  Allow for faster local installation by only installing what we need.

* ignore pycharm's idea files (shtlrs, 2024-05-01, -0/+1)

* update the readme file to be more user friendly (shtlrs, 2024-05-01, -14/+51)

* Install dependencies using poetry (shtlrs, 2024-05-01, -8/+14)

* bump the debian version used (shtlrs, 2024-05-01, -4/+3)
  This also explicitly specifies the sync type to rsync.

* Stop alerting for slow GitHub webhook filter endpoint calls (#235) (jchristgit, 2024-04-29, -2/+2)
  These are directly forwarded to GitHub with no time-consuming processing done on the site. We would therefore be alerting for GitHub's slowness, which is rather useless.

* Whitelist possible LKE addresses to PostgreSQL on lovelace (Johannes Christ, 2024-04-29, -8/+26)
  This allows us to connect to PostgreSQL on lovelace from any possible LKE node location, whilst not opening up our PostgreSQL instances to the world. This has already been rolled out.

* Add LKE addresses to group variables (Johannes Christ, 2024-04-29, -0/+9)

* Update nftables role (Johannes Christ, 2024-04-29, -0/+0)
  The new commit includes automatic validation of the `nft` configuration to ensure that any deployed config is valid.

* Remove UFW and make ansible-lint happy (Johannes Christ, 2024-04-29, -33/+2)

* Use nftables for firewalling (Johannes Christ, 2024-04-29, -39/+86)
  nftables is the modern replacement for iptables, which ufw uses under the hood. It allows us to specify firewall rules in a simple text file (with as much or as little abstraction as we want) and is quick to update and read. The text-file format allows more liberty with commenting compared to UFW. The existing `ufw` role has been converted to simply remove UFW. This has already been deployed on lovelace.

* Updated postgres config from PGTune (Chris Lovering, 2024-04-29, -2/+11)

* update access table to netcup servers (Amrou Bellalouna, 2024-04-29, -1/+1)

* Add ops site DNS (Joe Banks, 2024-04-28, -0/+8)

* Connect netcup Prometheus to Kubernetes Alertmanager (Johannes Christ, 2024-04-28, -1/+3)
  Closes #240.

* Add new zone entries for pydis.wtf service migration (Joe Banks, 2024-04-28, -0/+64)
  Adds the necessary DNS entries for issue #230.

* Add AAAA records for our box domains (Joe Banks, 2024-04-28, -12/+24)

* Bump actions/configure-pages from 4 to 5 (dependabot[bot], 2024-04-28, -1/+1)
  Bumps [actions/configure-pages](https://github.com/actions/configure-pages) from 4 to 5.
  - [Release notes](https://github.com/actions/configure-pages/releases)
  - [Commits](https://github.com/actions/configure-pages/compare/v4...v5)

  ---
  updated-dependencies:
  - dependency-name: actions/configure-pages
    dependency-type: direct:production
    update-type: version-update:semver-major
  ...

  Signed-off-by: dependabot[bot] <[email protected]>

* Bump HassanAbouelela/actions from setup-python_v1.4.2 to 1.5.0 (dependabot[bot], 2024-04-28, -4/+4)
  Bumps [HassanAbouelela/actions](https://github.com/hassanabouelela/actions) from setup-python_v1.4.2 to 1.5.0. This release includes the previously tagged commit.
  - [Release notes](https://github.com/hassanabouelela/actions/releases)
  - [Commits](https://github.com/hassanabouelela/actions/compare/setup-python_v1.4.2...setup-python_v1.5.0)

  ---
  updated-dependencies:
  - dependency-name: HassanAbouelela/actions
    dependency-type: direct:production
  ...

  Signed-off-by: dependabot[bot] <[email protected]>

* Document how to use Ansible on Windows (#247) (jchristgit, 2024-04-28, -4/+9)

* Update hugo theme submodule with dependabot (#246) (jchristgit, 2024-04-28, -0/+7)

* Do not use vault token for linting branches (#245) (jchristgit, 2024-04-28, -9/+4)
  Prevent security problems from exposing the vault token on non-main branches.

* Install hugo properly (Johannes Christ, 2024-04-27, -1/+2)

* Move documentation to Hugo (Johannes Christ, 2024-04-27, -372/+185)
  Shortly before merge, the repository settings need to be updated to set GitHub Actions as the deployment source, to prevent GitHub from trying to build with Jekyll.

* Use same indent for all fail2ban options (Johannes Christ, 2024-04-27, -1/+1)

* Document the DNS system in dns/README.md (Joe Banks, 2024-04-27, -1/+22)

* Add DNS folders to README.md (Joe Banks, 2024-04-27, -1/+4)

* Don't run DNS comment workflow if no planned changes (Joe Banks, 2024-04-27, -0/+1)

* Modify actions to use poetry install instead of requirements.txt (Joe Banks, 2024-04-27, -12/+8)

* Add dependencies to new dns group in pyproject.toml (Joe Banks, 2024-04-27, -5/+258)

* Add workflow to deploy DNS changes to providers (Joe Banks, 2024-04-27, -0/+27)

* Update all versions in the dry run workflow (Joe Banks, 2024-04-27, -6/+6)

* Use a read-only token to generate the DNS plan (Joe Banks, 2024-04-27, -1/+1)

* Add GitHub Actions workflow for DNS plan (Joe Banks, 2024-04-27, -1/+50)

* Add zone files for all our domains (Joe Banks, 2024-04-27, -0/+474)

* Add OctoDNS configuration and documentation (Joe Banks, 2024-04-27, -0/+29)