path: root/ansible
Commit message | Author | Age | Lines
...
* add hba conf for metabase to connect to site | shtlrs | 2024-06-01 | -0/+11
* grant correct privileges to site and grafana | shtlrs | 2024-06-01 | -37/+75
* Make issuing pg grants configurable (#327) | Amrou Bellalouna | 2024-06-01 | -0/+53
    * add a task to issue pg grants for specific roles
    * document the postgres role
* whitelist ips of netcup and linode servers (#326) | Amrou Bellalouna | 2024-05-31 | -13/+18
* Add sudo.tls.pydis.wtf to allowed SANs for Prometheus | Joe Banks | 2024-05-30 | -0/+1
* Enable mTLS SAN validation | Joe Banks | 2024-05-30 | -0/+3
* Restart Prometheus instead of reload after web config update | Joe Banks | 2024-05-30 | -1/+1
* Update Prometheus web config with mTLS preferences | Joe Banks | 2024-05-30 | -0/+3
* Set secure mode | Johannes Christ | 2024-05-30 | -0/+1
    Co-authored-by: Dennis Schuster <[email protected]>
* Pleasure the style dictator | Johannes Christ | 2024-05-30 | -1/+5
    Co-authored-by: Amrou Bellalouna <[email protected]>
* Install custom Prometheus version | Johannes Christ | 2024-05-30 | -2/+85
    Co-authored-by: Joe William Murray Humphreys Banks <[email protected]>
* Add new users for Grafana and Metabase | Joe Banks | 2024-05-28 | -34/+73
    Adds the new roles necessary for grafana and metabase, grants them access to the metricity table as well as giving them the pg_read_all_data role for read-only access to the metricity database.
* Add new metricity PostgreSQL user | Joe Banks | 2024-05-28 | -24/+40
* Add user for Stelercus | Joe Banks | 2024-05-28 | -99/+145
* Add pydis-mtls role for distributing root CA | Joe Banks | 2024-05-27 | -0/+64
    Adds a new role named pydis-mtls to distribute the mTLS certificate authority data to all nodes in the inventory. The defaults are sufficient here and are using the production CA that will be used for service authentication (tls.pydis.wtf). Other services can point to the value stored in pydis_mtls_location as the source of truth for the certificate authority to validate against.
* Change certificate directory ownership to cert-users group | Joe Banks | 2024-05-27 | -3/+26
    This allows for non-root services that are in the cert-users group to still access and read certificate data that they need in order to operate. Doing things this way means that services still refer to a single source of truth for the certificate store whilst retaining their non-root and non-privileged nature.
* Add new cert_users variable to certbot role | Joe Banks | 2024-05-27 | -0/+4
* Open port 9090 to allow hitting the prometheus instance (#317) | Amrou Bellalouna | 2024-05-27 | -2/+37
    * add a monitoring group for better hosts distinction
    * run prometheus with TLS
    * add prometheus connections nftables config
* Group and deploy certificates per target host (#316) | Amrou Bellalouna | 2024-05-27 | -69/+12
    * request certificates per target domain
    * run certbot role on all hosts
* Update Chris's user settings | Joe Banks | 2024-05-27 | -99/+99
* Add 404 fallback for files server | Joe Banks | 2024-05-27 | -1/+1
    Previously the files server would return an HTTP 500 if a matching file was not found, since internally NGINX would fall into a redirect loop trying to locate the relevant file. This adds a final 404 fallback handler so if there is not a direct match we return an error instead of returning an HTTP 500.
* Add new alias for file server | Joe Banks | 2024-05-27 | -1/+1
* Generate a certificate for `prometheus.lovelace.box.pydis.wtf` (#305) | Amrou Bellalouna | 2024-05-26 | -0/+1
    * generate cert for prometheus.lovelace.box.pydis.wtf
    * add dns record for prometheus.lovelace.box
* Enforce SSL for remote PostgreSQL connections | Johannes Christ | 2024-05-19 | -5/+5
* Configure Prometheus PostgreSQL exporter | Johannes Christ | 2024-05-18 | -0/+1
* create codejam pg user | shtlrs | 2024-05-18 | -21/+36
* add a blacknight pg user | shtlrs | 2024-05-18 | -17/+32
* update bitwarden user's password to exclude ugly chars | shtlrs | 2024-05-17 | -17/+17
* Disable alerts for known problematic services | Johannes Christ | 2024-05-17 | -2/+1
* add bitwarden postgres user & db config | shtlrs | 2024-05-17 | -14/+29
* Revert "Skip tasks requiring all hosts when running with limit" | Johannes Christ | 2024-05-17 | -2/+0
    This reverts commit 566c0ad557fafe148dc51463e5071ff64f980c24.
* configure hba rules separately | shtlrs | 2024-05-16 | -3/+17
* Add a postgresql.conf file template | Chris Lovering | 2024-05-16 | -0/+63
* grant pg users their predefined roles | shtlrs | 2024-05-16 | -0/+14
* define the blackbox user and its db roles | shtlrs | 2024-05-16 | -11/+20
* Re-add nftables submodule | Chris Lovering | 2024-05-15 | -0/+0
* Deploy a pinnwand instance that used lovelace's pg database (#293) | Amrou Bellalouna | 2024-05-15 | -0/+0
    * add a deployment config for pinnwand on lovelace
    * add a dns entry for the new pastebin
    * Add database URI for pinnwand to connect to psql on lovelace
    Co-authored-by: Chris Lovering <[email protected]>
* Pleasure the style dictator (#291) | jchristgit | 2024-05-14 | -16/+25
    Fix warnings with argsplat in postgres role
* add the task that configures host based authentication | shtlrs | 2024-05-14 | -0/+16
* add the db_passwords secrets file | shtlrs | 2024-05-14 | -7/+24
    This contains the encrypted passwords for all database users. This also moves variables under the /vars/main folder to allow ansible to load all variable folders automatically.
* add a handler to reload postgres | shtlrs | 2024-05-14 | -1/+10
    This also renames the handler that restarts it. You're welcome Johannes.
* ignore .ansible file upon syncing | shtlrs | 2024-05-14 | -1/+1
    This will avoid the copying of a potentially empty .ansible file on host, rendering the guest playbooks unrunnable.
* Update Ansible Prometheus to point to pydis.wtf alertmanager | Joe Banks | 2024-05-14 | -1/+1
* Remove obsolete cleanup tasks | Johannes Christ | 2024-05-12 | -18/+0
* Configure sudo in separate file | Johannes Christ | 2024-05-12 | -2/+17
* Properly load Prometheus rules | Johannes Christ | 2024-05-08 | -0/+1
* Configure Prometheus alerting for failed systemd units (#278) | jchristgit | 2024-05-08 | -1/+16
    The two services that I would normally exclude are intentionally not excluded right now to test out the alertmanager setup. If all goes well, we should receive a notification on Discord.
* Correct scheme configuration for Alertmanager | Johannes Christ | 2024-05-07 | -3/+3
* install blackbox exporter as part of our monitoring stack | shtlrs | 2024-05-06 | -47/+49
* Perform fail2ban bans directly via nftables | Johannes Christ | 2024-05-04 | -0/+2
    See upstream at https://github.com/fail2ban/fail2ban/commit/d0d07285234871bad3dc0c359d0ec03365b6dddc; this will be incorporated into Debian at the next release.