Commit message | Author | Age | Lines

* Move default server config to a template | Joe Banks | 2024-06-02 | -2/+2
* Issue certificate for hostname and sub-services, not both in one | Joe Banks | 2024-06-02 | -1/+2
* Deploy host-specific configs in NGINX | Joe Banks | 2024-06-02 | -8/+20
* Create new reverse proxying config for Prometheus | Joe Banks | 2024-06-02 | -0/+18
* Move files config to new NGINX turing host variables | Joe Banks | 2024-06-02 | -10/+13
* Add NGINX deployment to lovelace | Joe Banks | 2024-06-02 | -0/+1
* Remove Prometheus rules from nftables | Joe Banks | 2024-06-02 | -9/+0
* Revert Prometheus listen settings to HTTP | Joe Banks | 2024-06-02 | -28/+0
* Bump ansible/roles/nftables from `015a7ed` to `4acd4ae` | dependabot[bot] | 2024-06-02 | -0/+0

    Bumps [ansible/roles/nftables](https://github.com/jchristgit/ansible-role-nftables) from `015a7ed` to `4acd4ae`.
    - [Commits](https://github.com/jchristgit/ansible-role-nftables/compare/015a7ed269e7122dbd714c23eb6cec8a52176f0b...4acd4ae18f27c50d22d1f5db470ee561aeeb6375)

    ---
    updated-dependencies:
    - dependency-name: ansible/roles/nftables
      dependency-type: direct:production
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

* Update Hugo versions in CI | Joe Banks | 2024-06-01 | -8/+10
* Update hugo-book theme to v10 | Joe Banks | 2024-06-01 | -0/+0
* Template config instead of YAML copy for Prometheus | Joe Banks | 2024-06-01 | -1/+1
* Update Prometheus config to include Postgres exporter | Joe Banks | 2024-06-01 | -2/+15

    We dynamically fetch all hosts in the databases group and add them to the scrape targets with the PostgreSQL exporter port (9187).

* Update site secret with new database address | Joe Banks | 2024-06-01 | -0/+0
* add hba conf for metabase to connect to site | shtlrs | 2024-06-01 | -0/+11
* grant correct privileges to site and grafana | shtlrs | 2024-06-01 | -37/+75
* Make issuing pg grants configurable (#327) | Amrou Bellalouna | 2024-06-01 | -0/+53

    * add a task to issue pg grants for specific roles
    * document the postgres role

* whitelist ips of netcup and linode servers (#326) | Amrou Bellalouna | 2024-05-31 | -13/+18
* Add sudo.tls.pydis.wtf to allowed SANs for Prometheus | Joe Banks | 2024-05-30 | -0/+1
* Enable mTLS SAN validation | Joe Banks | 2024-05-30 | -0/+3
* Restart Prometheus instead of reload after web config update | Joe Banks | 2024-05-30 | -1/+1
* Update Prometheus web config with mTLS preferences | Joe Banks | 2024-05-30 | -0/+3
* Set secure mode | Johannes Christ | 2024-05-30 | -0/+1

    Co-authored-by: Dennis Schuster <[email protected]>

* Pleasure the style dictator | Johannes Christ | 2024-05-30 | -1/+5

    Co-authored-by: Amrou Bellalouna <[email protected]>

* Install custom Prometheus version | Johannes Christ | 2024-05-30 | -2/+85

    Co-authored-by: Joe William Murray Humphreys Banks <[email protected]>

* Add new users for Grafana and Metabase | Joe Banks | 2024-05-28 | -34/+73

    Adds the new roles necessary for grafana and metabase, grants them access to the metricity table as well as giving them the pg_read_all_data role for read-only access to the metricity database.

* Update site and metricity with new metricity db user credentials | Joe Banks | 2024-05-28 | -0/+0
* Add new metricity PostgreSQL user | Joe Banks | 2024-05-28 | -24/+40
* Update kube-system namespace docs with new metrics-server details | Joe Banks | 2024-05-28 | -4/+5
* Add Helm deployment info for metrics-server | Joe Banks | 2024-05-28 | -0/+24

    Due to the way Linode seems to issue certificates for our nodes, we need to disable TLS verification for communications to fetch metric information. It's unfortunate but non-critical and it does restore metrics-server functionality.

* Add documentation on services deployed to the kube-system namespace | Joe Banks | 2024-05-28 | -0/+33
* Add user for Stelercus | Joe Banks | 2024-05-28 | -99/+145
* Add pydis-mtls role for distributing root CA | Joe Banks | 2024-05-27 | -0/+64

    Adds a new role named pydis-mtls to distribute the mTLS certificate authority data to all nodes in the inventory. The defaults are sufficient here and are using the production CA that will be used for service authentication (tls.pydis.wtf). Other services can point to the value stored in pydis_mtls_location as the source of truth for the certificate authority to validate against.

* Change certificate directory ownership to cert-users group | Joe Banks | 2024-05-27 | -3/+26

    This allows for non-root services that are in the cert-users group to still access and read certificate data that they need in order to operate. Doing things this way means that services still refer to a single-source-of-truth for the certificate store whilst retaining their non-root and non-privileged nature.

* Add new cert_users variable to certbot role | Joe Banks | 2024-05-27 | -0/+4
* Open port 9090 to allow hitting the prometheus instance (#317) | Amrou Bellalouna | 2024-05-27 | -2/+37

    * add a monitoring group for better hosts distinction
    * run prometheus with TLS
    * add prometheus connections nftables config

* Group and deploy certificates per target host (#316) | Amrou Bellalouna | 2024-05-27 | -69/+12

    * request certificates per target domain
    * run certbot role on all hosts

* Add new ServiceAccount for cert issuance | Joe Banks | 2024-05-27 | -0/+5
* Update mTLS bundle for ingress-nginx | Joe Banks | 2024-05-27 | -36/+46
* Add Helm instructions for Vault | Joe Banks | 2024-05-27 | -0/+54
* Add pydis.wtf cert to vault namespace | Joe Banks | 2024-05-27 | -2/+2
* Add DNS record for Vault | Joe Banks | 2024-05-27 | -0/+8
* Set Poetry package-mode preference to false | Joe Banks | 2024-05-27 | -0/+1
* Dependency Bumps 27/05/2024 | Joe Banks | 2024-05-27 | -201/+198

    - Explicitly bump octodns-cloudflare to 0.0.6
    - Explicitly bump ansible-core to 2.17.0
    - Explicitly bump ruff to 0.4.5
    - Implicitly bump requests to 2.32.2

* Update Chris's user settings | Joe Banks | 2024-05-27 | -99/+99
* Fix AlertManager Discord instance formatting | Joe Banks | 2024-05-27 | -1/+1

    We made a change to include the instance in alerts sent to Discord, but not all of our configured alerts send this field. As a result, we would have incorrectly formatted alerts being sent through to Discord which were tricky to read. The format template has now been changed to only conditionally render the instance label if it is present on a triggered alert.

* Add 404 fallback for files server | Joe Banks | 2024-05-27 | -1/+1

    Previously the files server would return an HTTP 500 if a matching file was not found, since internally NGINX would fall into a redirect loop trying to locate the relevant file. This adds a final 404 fallback handler so if there is not a direct match we return an error instead of returning an HTTP 500.

* Add new alias for file server | Joe Banks | 2024-05-27 | -1/+1
* Bump HassanAbouelela/actions from setup-python_v1.5.0 to 1.6.0 | dependabot[bot] | 2024-05-27 | -4/+4

    Bumps [HassanAbouelela/actions](https://github.com/hassanabouelela/actions) from setup-python_v1.5.0 to 1.6.0. This release includes the previously tagged commit.
    - [Release notes](https://github.com/hassanabouelela/actions/releases)
    - [Commits](https://github.com/hassanabouelela/actions/compare/setup-python_v1.5.0...setup-python_v1.6.0)

    ---
    updated-dependencies:
    - dependency-name: HassanAbouelela/actions
      dependency-type: direct:production
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

* Generate a certificate for `prometheus.lovelace.box.pydis.wtf` (#305) | Amrou Bellalouna | 2024-05-26 | -0/+15

    * generate cert for prometheus.lovelace.box.pydis.wtf
    * add dns record for prometheus.lovelace.box