- 18 Sep, 2020 1 commit

3 days is a bit too late. Certbot renews the certificate 30 days before, so 25 days should be safe and shouldn't cause any "false positives" due to transient errors.

- 17 Sep, 2020 4 commits

Jelle van der Waa authored

Jelle van der Waa authored
/srv/http/archweb has to be readable for nginx to serve css/js static assets.

Jelle van der Waa authored

Jelle van der Waa authored

- 16 Sep, 2020 2 commits

Sven-Hendrik Haase authored
Ensure the Keycloak custom theme background works in all login related pages
Closes #136
See merge request !83

Ira ㋡ authored

- 15 Sep, 2020 3 commits

Jelle van der Waa authored
Closes: #131

Levente Polyak authored
kernel: further default sysctl hardening
See merge request !81

Levente Polyak authored
- unprivileged bpf: we do not need this on our infra, we can assume bpf() calls will happen with CAP_SYS_ADMIN if required.
- unprivileged userns: we do not need this on our infra for any of our services or similar. Reduce attack surface by a huge margin including most recent CVE-2020-14386.
- kptr restrict: we already check for CAP_SYSLOG and real ids but we really do not require any specific kernel pointers to be logged. Setting this to 2 instead to blank out all kernel pointers to protect against info leak.
- kexec: disable kexec as we never want to kexec our running servers into something else. Setting this sysctl disables kexec even if it's compiled into the kernel.
- bpf jit harden: harden BPF JIT compiler to mitigate JIT spraying at the sacrifice of a bit of performance for all users including privileged.
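The five knobs that commit lists, written out as a checkable baseline. This is an added example, not the project's own sysctl.d file (which this page does not show); it assumes the standard sysctl key names for each setting and compares them against `sysctl -a` output.

```shell
# Added example (not from the archlinux/infrastructure repository): the sysctl knobs
# described in the commit above as a baseline, plus a checker that compares
# `sysctl -a`-style "key = value" output against it.

# Expected hardened values, one "key value" pair per line.
# kernel.unprivileged_userns_clone is the knob added by the patch in Arch's
# kernel package (assumption); a vanilla kernel would use user.max_user_namespaces=0.
HARDENED_BASELINE='kernel.unprivileged_bpf_disabled 1
kernel.unprivileged_userns_clone 0
kernel.kptr_restrict 2
kernel.kexec_load_disabled 1
net.core.bpf_jit_harden 2'

# check_sysctl_hardening FILE
# FILE holds "key = value" lines as printed by `sysctl -a`. Prints one line per
# deviation ("key expected=X actual=Y" or "key missing") and returns the number
# of deviations, so 0 means the host matches the baseline.
check_sysctl_hardening() {
    file=$1
    failures=0
    while read -r key want; do
        # Exact key match on the left of "="; keep the last value if a key repeats.
        actual=$(awk -v k="$key" -F'[[:space:]]*=[[:space:]]*' \
            '$1 == k { v = $2 } END { print v }' "$file")
        if [ -z "$actual" ]; then
            echo "$key missing"
            failures=$((failures + 1))
        elif [ "$actual" != "$want" ]; then
            echo "$key expected=$want actual=$actual"
            failures=$((failures + 1))
        fi
    done <<EOF
$HARDENED_BASELINE
EOF
    return "$failures"
}

# Demonstration on constructed sysctl output (a host before the hardening commit).
sample=$(mktemp)
cat > "$sample" <<'EOF'
kernel.unprivileged_bpf_disabled = 0
kernel.unprivileged_userns_clone = 1
kernel.kptr_restrict = 1
kernel.kexec_load_disabled = 0
net.core.bpf_jit_harden = 0
EOF
check_sysctl_hardening "$sample" || echo "$? setting(s) deviate from the baseline"
rm -f "$sample"
```

On a live host, capture `sysctl -a 2>/dev/null > /tmp/sysctl.out` and run `check_sysctl_hardening /tmp/sysctl.out`; a non-zero return is the signal to alert on.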

- 12 Sep, 2020 9 commits

Jelle van der Waa authored

Jelle van der Waa authored
The prometheus-mysqld-exporter connects over localhost to collect stats, so networking has to be enabled. mariadb's default is to serve on 0.0.0.0, so change the configuration to serve on localhost.

Jelle van der Waa authored

Jelle van der Waa authored
Improve mariadb configuration
See merge request !79

The default value is 128M and our servers have plenty of RAM for that.

The upstream default value is 2000 since 10.1.7: https://mariadb.com/kb/en/server-system-variables/#table_open_cache
See also commit f164d000

Jelle van der Waa authored

Jelle van der Waa authored

Jelle van der Waa authored
We switched to prometheus for monitoring, so zabbix-agent is unwanted and we don't want to accidentally deploy it again.

- 10 Sep, 2020 3 commits

Sven-Hendrik Haase authored
Add Support Staff subgroups in Keycloak
See merge request archlinux/infrastructure!57

Jelle van der Waa authored
Expand the Support group with subgroups for the Wiki, Forum, Security Tracker and Archweb. The subgroups are just a placeholder for groups for the roles which a user can be in for the service. Newly onboarded users should be assigned to the correct groups for their Support staff team.

Jelle van der Waa authored

- 09 Sep, 2020 7 commits

Jelle van der Waa authored
Grafana
See merge request !73

Configure Grafana to use Keycloak OpenID Connect for authentication. For now only DevOps is configured as admin and Arch Staff as general Viewer roles.

To show the session IP address in /profile in Grafana the X-Forwarded-For header has to be set.

As we are moving to prometheus it's no longer required.

Sven-Hendrik Haase authored
Use IPs from Hcloud
See merge request !82

Sven-Hendrik Haase authored
Now that we manage DNS via Terraform and Hetzner DNS API, it makes sense to use the data provider from hcloud to get the server IPs.

- 08 Sep, 2020 7 commits

Sven-Hendrik Haase authored
Redo Keycloak flows and add WebAuthn support
Closes #28 and #112
See merge request !80

Sven-Hendrik Haase authored
We had to redesign all flows when discovering that we can't design flows exactly the way we wanted in Keycloak.

Sven-Hendrik Haase authored

Broken by the last commit

Registering a new required action is currently not supported, so it needs to be done manually. See upstream bug: https://github.com/mrparkers/terraform-provider-keycloak/issues/354
Configuring the WebAuthn policy is currently not supported, so it needs to be done manually. See upstream bug: https://github.com/mrparkers/terraform-provider-keycloak/issues/355
Fix #28

Sven-Hendrik Haase authored
See https://github.com/timohirt/terraform-provider-hetznerdns/issues/20 for reference.

Sven-Hendrik Haase authored
Start managing Hetzner DNS with Terraform
Closes #87
See merge request archlinux/infrastructure!62

- 07 Sep, 2020 1 commit

Sven-Hendrik Haase authored

- 06 Sep, 2020 3 commits

Jan Alexander Steffens (heftig) authored

Jelle van der Waa authored
Prometheus exporters
See merge request archlinux/infrastructure!72

Jelle van der Waa authored
Record the rebuilderd queue length in prometheus so we can generate an alert for when the queue length keeps rising, as this could be an indication that the rebuilders have builds which are stuck.