Commit graph

548 commits

Author SHA1 Message Date
schweby
3ee3c37ccb
sources: updates
CVE-2022-1162
2022-04-06 09:05:25 +02:00
39bec9fbd0
services/mattermost: bump to 6.5.0 2022-03-18 19:28:43 +01:00
5c85431847
mattermost: bump to 6.4.2 (security update) 2022-03-11 14:01:53 +01:00
schweby
2cf0119ec1
sources: updates
update kernel to proteced against CVE-2022-0847
2022-03-07 20:44:33 +01:00
schweby
a92ae39d65
gitlab-ci.yml: disable nixda build
It's known broken. No need to waste time and resources.
Reenable when fixed.
2022-02-27 12:22:30 +01:00
schweby
f1c3a2d082
sources: updates 2022-02-27 12:19:36 +01:00
schweby
93c13debe6
services/mattermost: bump to 6.4.1 2022-02-27 11:57:52 +01:00
3e95d6c222
bump nix/sources.json 2022-02-17 19:49:53 +01:00
ca19774c9e
services/mattermost: bump to 6.4.0 2022-02-17 19:49:38 +01:00
032c49c375
comment out services/workadventure
(we're not using it and it's eating build times, so I've disabled it for
now)
2022-02-17 19:48:45 +01:00
4b71a216ba
services/mattermost: bump to 6.1.3
(another security update)
2022-02-05 01:08:46 +01:00
schweby
17d695c00b
common: add niv 2022-02-04 08:51:39 +01:00
schweby
7815e32f9f
services/mail: reduce logspam
reduce logspam by out mail services by seeting them to logleven 5
(notice) and 3 (error)
2022-02-01 17:07:52 +01:00
99811b6711 bump update nixos-mailserver to 21.11 2022-02-01 14:44:47 +01:00
1aebabe8a0 parsons/restics: s3CredentialsFile is deprecated
This is untested, but the documentation on the s3CredentialsFile option
seems to suggest this should be correct.
2022-02-01 14:03:40 +01:00
10942ca464 bump home manager to 21.11 2022-02-01 14:00:35 +01:00
schweby
2d429492fe
services/mail: stop postfix from dying by rspamd 2022-01-31 21:43:25 +01:00
schweby
4bf804c025
services/syncthing: add Vorstands share
currently the receiveencrypted type is not supported by the nixos module
so we have to set it via the webinterface
2022-01-27 22:53:17 +01:00
schweby
8716f2b308
services/syncthing: update config format 2022-01-27 22:52:49 +01:00
hexchen
6de0b91beb fixer tous les things 2022-01-27 20:20:25 +00:00
9937d5ff94
fixing pad.hacc.space (hopefully)
(I haven't tested this, since I don't want to try the upgrade-adventure
a second time today, but I think this should fix it)
2022-01-27 20:38:06 +01:00
4ff0bdf3ec
whoops, apparently some rebase went wrong
(fixing it back into a buildable state)
2022-01-27 20:38:04 +01:00
676ba4fc31
services/hedgedocs: use socket auth for postgres 2022-01-27 20:37:42 +01:00
schweby
569c5652f2
sources: update 2022-01-27 20:37:40 +01:00
schweby
238c1b2c92
mediawiki cleanup 2022-01-27 20:36:34 +01:00
c2c0bd366a
bump nixpkgs to 21.11
This simply updates nixpkgs to 21.11 (along with a general update of
other sources), then follows the hints given out in the build process
until everything (on parsons) ran through fine.

Some things to note:
 - syncthing's declarative config is gone. Instead, declarative and
   non-declarative configuration can now be mixed, but with
   `overrideDevices` set to true, it _should_ ignore non-declarative
   settings and basically behave the same as before (or at least that's
   how I understood the documentation on that)
 - some postfix options now require a lib.mkForce, since the mail module
   also wants to set them — we should probably look into if the mail
   module has nicer ways of handling our settings now (which I didn't
   do)
 - we no longer import the vaultwarden module from unstable, since it's
   included in nixos 21.11 as-is. We _do_ still import the vaultwarden
   package from unstable, since downgrading sounds like a bad idea.
 - nix build will print a warning that `literalExample` is now
   depricated, but we don't seem to use that — I guess at some point
   we'll have to search through our sources if it doesn't go away

This was not yet deployed, and should probably considered a
work-in-progress.

Building Nixda currently fails decklink seems to have disappeared.
2022-01-27 20:36:17 +01:00
68afbe01b3 services/mattermost: bump to 6.1.2 (security update)
cf. https://mattermost.com/blog/mattermost-security-updates-6-3-1-6-2-2-6-1-2-5-37-7-released/

this supposedly fixes a "medium-level security vulnerability", but
they're not telling us what it is (for now …) :rolls_eyes:

anyways, seems to run fine on parsons.
2022-01-25 02:08:40 +01:00
schweby
fa347008fa
common/default.nix: add vgrep 2022-01-19 22:11:10 +01:00
schweby
c21b1b8ddf
services/syncthing: cleanup clients
remove no longer needed clients due to "new" password sharing
2022-01-19 21:35:03 +01:00
schweby
02a64a6f31
services/hedgedoc: lower loglevel to warn 2022-01-19 21:22:32 +01:00
b9aa3050d7 fix mumble website
This does two things:
 - add a group "mumblecert" which is allowed to read the mumble.hacc.space
   cert, and add both nginx and murmur's users to it
 - remove the website's derivation from services/murmur.nix and instead
   add it to the websites/ dir and handle it the same as all our other sites
2022-01-18 09:08:27 +01:00
schweby
6f0d8a6af9
hotfix: disable mumble website
disable the mumble website because of cert permission issues causes by ad9c1f4481
nginx doesn't start because it can read the cert of the website
2022-01-17 22:37:43 +01:00
ad9c1f4481
security/acme: mumble cert readable by murmur group
the postRun thing doesn't seem to work at all anymore?
2022-01-12 23:51:31 +01:00
f800057478
services/hedgedocs: remove unused module imports 2022-01-12 19:31:31 +01:00
ae67b38304 add the rest of our stativ web pages
however, for some reason, ACME still fails. Hopefully it's just the
rate limit, but it does look suspicious; there' still a
"www.muc.hacc.space" in the log that oughtn't be there …
2022-01-10 23:45:21 +01:00
eb07f34672 modules/website.nix init
idea is to have a directory `websites/` which contains all our static
sites, with the name of each subdirectory also being their domain. Then
Nix can just read that directory during build-time and automatically
generate nginx virtualHosts for all of them (note that the
subdirectories have to contain a `default.nix` specifying how to build
the site for that to work).

Thus we could avoid the dependency on gitlab pages.
2022-01-10 22:57:09 +01:00
c08ca5f85f
update readme
its incompleteness annoys me
2022-01-07 18:16:31 +01:00
a7896e718f
services/workadventure: re-add the hacc assembly map as default map 2022-01-07 17:29:10 +01:00
16245e830f
remove truelove-specific workadventure
This removes the special configuration to make our workadventure useable
for the truelove event and reverts it to just run at void.hacc.space
without authentication etc.

Tbh, not sure if that's actually what we want — do we need a running
workadventure instance at all? Or should we just remove the entire container?
2022-01-01 20:03:32 +01:00
schweby
9b38e5fba1 update sources 2021-12-30 22:58:23 +01:00
schweby
8c527ea552 enable ssh for stream user 2021-12-30 22:30:25 +01:00
schweby
b96a026565 cleanup default apps 2021-12-30 22:30:17 +01:00
schweby
ba60e3cf76 pkgs/blackmagic-desktop-video: update to 12.2.2 2021-12-19 17:13:51 +01:00
schweby
2a1e692522 services/lantifa: set mediawiki-version from 21.11
due to a wikiDB issue the mediawiki version in unstable (37) is not
compatible.
switching to 21.05 would mean a downgrade, so this is the hack until we
fully upgrade to 21.11
2021-12-11 13:20:42 +01:00
schweby
af8b16117f sources: add 21.11 as nixpkgs-new 2021-12-11 13:20:15 +01:00
schweby
bde7afa9ca sources: update 2021-12-11 12:54:02 +01:00
928d44fb95 Added stuebinm@hacc.space to mitglieder@hacc.space 2021-12-01 21:25:27 +00:00
3ad6a0d2df raphael@hacc.space added to voc@hacc.space 2021-12-01 21:22:53 +00:00
schweby
277d4a1fa7 services/nextcloud: fix downloads >1GB
should also gernerally improve performance when large(r) amounts of data
are exchanged
2021-11-22 20:58:39 +01:00
schweby
668a3fa4ee replace stdenv.lib with lib because deprecated 2021-11-19 19:54:19 +01:00