path: root/ansible
Commit message | Author | Age | Lines
* Add automatic HBA rules for all users to connect via mTLS | Joe Banks | 2024-06-04 | -3/+9
|
* Add devops user account | Joe Banks | 2024-06-04 | -42/+69
|
* Add CA file to postgresql.conf | Joe Banks | 2024-06-04 | -0/+2
|
* Add pg_ident.conf file | Joe Banks | 2024-06-04 | -1/+18
|
* Install PostgreSQL documentation package | Johannes Christ | 2024-06-04 | -0/+1
|
* add pixels user and db | shtlrs | 2024-06-02 | -39/+60
|
* Force line-endings to LF in Ansible gitattributes | Joe Banks | 2024-06-02 | -1/+1
|
* add metabase user and database | shtlrs | 2024-06-02 | -0/+8
|
* Add PostgreSQL alerts to Ansible Prometheus configuration | Joe Banks | 2024-06-02 | -0/+30
|
* Filter CNs of client certificates for Prometheus | Joe Banks | 2024-06-02 | -0/+8
|
* Allow node_exporter scraping in nftables | Joe Banks | 2024-06-02 | -0/+3
|
* Move default server config to a template | Joe Banks | 2024-06-02 | -2/+2
|
* Issue certificate for hostname and sub-services, not both in one | Joe Banks | 2024-06-02 | -1/+2
|
* Deploy host-specific configs in NGINX | Joe Banks | 2024-06-02 | -8/+20
|
* Create new reverse proxying config for Prometheus | Joe Banks | 2024-06-02 | -0/+18
|
* Move files config to new NGINX turing host variables | Joe Banks | 2024-06-02 | -10/+13
|
* Add NGINX deployment to lovelace | Joe Banks | 2024-06-02 | -0/+1
|
* Remove Prometheus rules from nftables | Joe Banks | 2024-06-02 | -9/+0
|
* Revert Prometheus listen settings to HTTP | Joe Banks | 2024-06-02 | -28/+0
|
* Bump ansible/roles/nftables from `015a7ed` to `4acd4ae` | dependabot[bot] | 2024-06-02 | -0/+0
|     Bumps [ansible/roles/nftables](https://github.com/jchristgit/ansible-role-nftables) from `015a7ed` to `4acd4ae`.
|     - [Commits](https://github.com/jchristgit/ansible-role-nftables/compare/015a7ed269e7122dbd714c23eb6cec8a52176f0b...4acd4ae18f27c50d22d1f5db470ee561aeeb6375)
|
|     ---
|     updated-dependencies:
|     - dependency-name: ansible/roles/nftables
|       dependency-type: direct:production
|     ...
|
|     Signed-off-by: dependabot[bot] <[email protected]>
* Template config instead of YAML copy for Prometheus | Joe Banks | 2024-06-01 | -1/+1
|
* Update Prometheus config to include Postgres exporter | Joe Banks | 2024-06-01 | -2/+15
|     We dynamically fetch all hosts in the databases group and add them to the scrape targets with the PostgreSQL exporter port (9187)
* add hba conf for metabase to connect to site | shtlrs | 2024-06-01 | -0/+11
|
* grant correct privileges to site and grafana | shtlrs | 2024-06-01 | -37/+75
|
* Make issuing pg grants configurable (#327) | Amrou Bellalouna | 2024-06-01 | -0/+53
|     * add a task to issue pg grants for specific roles
|     * document the postgres role
* whitelist ips of netcup and linode servers (#326) | Amrou Bellalouna | 2024-05-31 | -13/+18
|
* Add sudo.tls.pydis.wtf to allowed SANs for Prometheus | Joe Banks | 2024-05-30 | -0/+1
|
* Enable mTLS SAN validation | Joe Banks | 2024-05-30 | -0/+3
|
* Restart Prometheus instead of reload after web config update | Joe Banks | 2024-05-30 | -1/+1
|
* Update Prometheus web config with mTLS preferences | Joe Banks | 2024-05-30 | -0/+3
|
* Set secure mode | Johannes Christ | 2024-05-30 | -0/+1
|     Co-authored-by: Dennis Schuster <[email protected]>
* Pleasure the style dictator | Johannes Christ | 2024-05-30 | -1/+5
|     Co-authored-by: Amrou Bellalouna <[email protected]>
* Install custom Prometheus version | Johannes Christ | 2024-05-30 | -2/+85
|     Co-authored-by: Joe William Murray Humphreys Banks <[email protected]>
* Add new users for Grafana and Metabase | Joe Banks | 2024-05-28 | -34/+73
|     Adds the new roles necessary for grafana and metabase, grants them access to the metricity table as well as giving them the pg_read_all_data role for read-only access to the metricity database.
* Add new metricity PostgreSQL user | Joe Banks | 2024-05-28 | -24/+40
|
* Add user for Stelercus | Joe Banks | 2024-05-28 | -99/+145
|
* Add pydis-mtls role for distributing root CA | Joe Banks | 2024-05-27 | -0/+64
|     Adds a new role named pydis-mtls to distribute the mTLS certificate authority data to all nodes in the inventory. The defaults are sufficient here and are using the production CA that will be used for service authentication (tls.pydis.wtf). Other services can point to the value stored in pydis_mtls_location as the source of truth for the certificate authority to validate against.
* Change certificate directory ownership to cert-users group | Joe Banks | 2024-05-27 | -3/+26
|     This allows for non-root services that are in the cert-users group to still access and read certificate data that they need in order to operate. Doing things this way means that services still refer to a single-source-of-truth for the certificate store whilst retaining their non-root and non-privileged nature.
* Add new cert_users variable to certbot role | Joe Banks | 2024-05-27 | -0/+4
|
* Open port 9090 to allow hitting the prometheus instance (#317) | Amrou Bellalouna | 2024-05-27 | -2/+37
|     * add a monitoring group for better hosts distinction
|     * run prometheus with TLS
|     * add prometheus connections nftables config
* Group and deploy certificates per target host (#316) | Amrou Bellalouna | 2024-05-27 | -69/+12
|     * request certificates per target domain
|     * run certbot role on all hosts
* Update Chris's user settings | Joe Banks | 2024-05-27 | -99/+99
|
* Add 404 fallback for files server | Joe Banks | 2024-05-27 | -1/+1
|     Previously the files server would return a HTTP 500 if a matching file was not found, since internally NGINX would fall into a redirect loop trying to locate the relevant file. This adds a final 404 fallback handler so if there is not a direct match we return an error instead of returning a HTTP 500.
* Add new alias for file server | Joe Banks | 2024-05-27 | -1/+1
|
* Generate a certificate for `prometheus.lovelace.box.pydis.wtf` (#305) | Amrou Bellalouna | 2024-05-26 | -0/+1
|     * generate cert for prometheus.lovelace.box.pydis.wtf
|     * add dns record for prometheus.lovelace.box
* Enforce SSL for remote PostgreSQL connections | Johannes Christ | 2024-05-19 | -5/+5
|
* Configure Prometheus PostgreSQL exporter | Johannes Christ | 2024-05-18 | -0/+1
|
* create codejam pg user | shtlrs | 2024-05-18 | -21/+36
|
* add a blacknight pg user | shtlrs | 2024-05-18 | -17/+32
|
* update bitwarden user's password to exclude ugly chars | shtlrs | 2024-05-17 | -17/+17
|