Commit graph

15472 commits

Author SHA1 Message Date
Bartosz Stebel
f43324e141 fix(3p/apereo-cas): Mitigate CVE-2021-44228
Same approach as in cl/4270.

Change-Id: I3a5a3533ab97513a4b9d8cacc26d013b58441f93
2021-12-10 17:52:49 +01:00
Vincent Ambo
62450bb1c5 feat(depot): Add grfn and sterni to top-level owners
Change-Id: Id2012e3ec6db21ff724245095a99d36ff9d7ad71
2021-12-10 18:11:16 +03:00
Vincent Ambo
b8267c261c fix(ops/irccat): Avoid permissions issue with LoadCredentials=
The DynamicUser + Group configuration does not work as planned, thus
the systemd LoadCredentials feature is used instead which makes the
file (which itself is only readable by root) available in a
memory-backed location only readable by the service.

The secret is only available to `ExecStart` commands, so units using
this feature can not be used with pre/post units and the like if those
commands need secrets.

To accommodate this, the merge of configuration files has been moved
into the service launch script, which is now the ExecStart= process.

For details take a look at https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LoadCredential=ID:PATH

Change-Id: I693fe5677cc0d63c7aa485c2c7472457c5262166
2021-12-10 15:09:09 +00:00
Vincent Ambo
67bde5ecc3 fix(tvl-buildkite): Explicitly set runtimePackages
It turns out the lib.mkAfter call doesn't behave as expected -
only *some* of the packages that are defaulted end up in the $PATH.

I suspect this is actually something else, e.g. these packages are
always added for some reason or another, and the option is completely
overridden every time.

Change-Id: I854c7198520d82b00e6338ed0fe653836226dc6d
2021-12-10 15:06:08 +00:00
Vincent Ambo
2ba481451c chore(ops/secrets): Reencrypt with grfn's key included
Change-Id: I66df150ab5070a81a92f0741334639df9df1f86f
2021-12-10 17:52:08 +03:00
Griffin Smith
a85ab68b12 chore(ops/users): Rotate password for grfn
Just a regular password rotation, plus I wasn't using argon2 unlike
everyone else.

Change-Id: Ic57fe79a2dbfdc15397d20f6b2b47c6aac911d29
2021-12-10 09:45:17 -05:00
Griffin Smith
66a1d3d5d4 feat(ops/secrets): Add key for grfn
Change-Id: I8063ae804932e3815e9a499e0206806818b9b021
2021-12-10 09:44:34 -05:00
Vincent Ambo
2fc64dc277 fix(clbot): Use change *owner* and not *uploader*
In autosubmit cases that require rebases, the change *uploader* might
be clbot which would cause besadii to use clbot as the owner.

This is incorrect, but luckily the change-merged event has an actual
owner field instead.

Change-Id: Ia35b52085f94628e61eb358807b3b85565521b60
2021-12-10 13:50:14 +00:00
Vincent Ambo
bc3d35f3d0 fix(tvl-buildkite): Add missing runtimePackages back
Turns out that the type of this option is not concatenative and it
replaces the packages needed to run Buildkite if set.

Change-Id: I9f52572bc165bccdd8c6518cfdf7b8967f7a50d0
2021-12-10 13:14:11 +00:00
Vincent Ambo
d4403638cf refactor(ops): Move irccat secret into agenix
The irccat module uses DynamicUser, so to grant permission to it a new
group has been added for irccat.

I have some vague memory of DynamicUser + Group not behaving as one
would expect, but we'll see what happens.

Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
2021-12-10 16:13:31 +03:00
Vincent Ambo
002d183876 refactor(ops): Move clbot SSH key into agenix
Change-Id: Iae03ead7dda0509689a76f0d76f9cfeb8434e967
2021-12-10 16:13:31 +03:00
Vincent Ambo
0fa937551e refactor(gerrit-queue): Remove dependency on gin
Unnecessary dependency & complexity.

(Patch originally contributed by an anonymous contributor)

Change-Id: Id49dc362cb0c1b29937404447bb0b1f9794dc117
2021-12-10 13:09:10 +00:00
Vincent Ambo
6e4decf19b refactor(gerrit-queue): Gracefully handle missing changesets
(Patch contributed by an anonymous contributor)

Change-Id: I29fd7dd008d4e509ea074a38d3948946b26da7ab
2021-12-10 13:09:09 +00:00
Vincent Ambo
811e6d7d9f chore(whitby): Remove shadowsocks service
No longer required on whitby.

Change-Id: I93951c6b708eae81ddb03df920a4068c1ccde9e7
2021-12-10 13:07:09 +00:00
Vincent Ambo
7e3308df64 feat(fun/clbot): Add distinct messages for auto-submitted CLs
Detects autosubmitted CLs (other people's CLs submitted by clbot) and
modifies the text submitted to IRC accordingly.

If a CL is autosubmitted, we opt to highlight its author rather than
invoking noping.

Change-Id: Ibc21b7eeb2f0f2087097404baef6976384d68b09
2021-12-10 15:34:53 +03:00
Vincent Ambo
fc14c21bb9 fix(ops/pipelines): Move to static pipeline
This step would get inserted at the wrong point in the build pipeline
otherwise, causing a dependency cycle and causing the pipeline to fail.

Change-Id: I534568eec77f74ae6c47276820f8a9e99493a3ea
2021-12-10 11:01:21 +03:00
Vincent Ambo
e4231c9816 refactor(ops/pipelines): Move 🦆 logic into static pipeline
This simplifies the fallback logic used in case of Nix evaluation
failure and makes it so that the evaluation step itself is the one
that is marked as failed in Buildkite.

This is possible because the pipeline upload command will insert new
steps at the point where it runs in the pipeline, and not later.

Change-Id: I870534c004ebc457a1602623c4e5f9c0c68e28fc
2021-12-10 07:55:34 +00:00
Vincent Ambo
9ea4d55d81 refactor(ops): Move buildkite-agent-token into agenix
Relates to b/161

Change-Id: I5d3a698d437928966d8b78ce9e0ba226c1437655
2021-12-10 10:32:44 +03:00
Vincent Ambo
a123b9e0a2 refactor(ops): Move owothia secret into agenix
Relates to b/161

Change-Id: I25445281b0dd3c3f3660f8bb0d8337506a1e427b
2021-12-10 10:32:14 +03:00
Vincent Ambo
78744c00f5 refactor(ops): Move clbot secret into agenix
Relates to b/161

Change-Id: I7badf22ff93bb4e8b06e4dd4a8bf880b0bd48f09
2021-12-10 10:32:14 +03:00
Vincent Ambo
496d899428 feat(ops/secrets): Configure secrets for gerrit-queue
Adds a systemd EnvironmentFile secret that contains the Gerrit
username & password for gerrit-queue.

Change-Id: I25acf87764c26774045138402b8a417b6813ee8f
2021-12-10 10:32:14 +03:00
Vincent Ambo
4870b1a2ff feat(ops/modules): Add module for running gerrit-queue
This is not yet including the secret configuration for gerrit-queue,
and just expects the secret (gerrit username & password) to be
available in /etc/secrets.

Change-Id: Ia465ef7f3f521c70d606d7fdeba9aa83c7e1b98b
2021-12-10 10:32:14 +03:00
Vincent Ambo
a9dd719e7c chore(tvl-buildkite): Add jq and curl to agent paths
This is required for a simplification of the build pipeline (following
CL) and needs to be in a separate commit as it can not be done
atomically (merging the other commit to deploy it would immediately
break pipelines otherwise).

Change-Id: I5d8ec8f3238f79b5518d799486bf98d1d9516c43
2021-12-10 10:21:34 +03:00
Vincent Ambo
59f97332b3 subtree(3p/gerrit-queue): Vendor at commit '24f5a642'
Imported from github/tvlfyi/gerrit-queue, originally from
github/tweag/gerrit-queue but that upstream is unmaintained.

git-subtree-dir: third_party/gerrit-queue
git-subtree-mainline: ff10b7ab83
git-subtree-split: 24f5a642af
Change-Id: I307cc38185ab9e25eb102c95096298a150ae13a2
2021-12-09 16:13:56 +03:00
Vincent Ambo
ff10b7ab83 chore(3p): Remove gerrit-queue folder in preparation for vendoring
The upstream isn't really maintained anymore, so we may as well take
it over since we're patching it anyways.

Change-Id: I7dddc03ab90b00611520a77a26e73a5be1c2cfb8
2021-12-09 16:11:01 +03:00
Vincent Ambo
afa2d08fe7 feat(3p/gerrit-queue): Patch to use Gerrit 'Autosubmit' label
... instead of a hashtag in Gerrit.

Might be easier to review here:

24f5a642af

Change-Id: I1ae8d4607f7cb858135f88411c82e1a353b28105
2021-12-09 11:16:30 +00:00
Vincent Ambo
417a1ba9eb feat(3p/gerrit-queue): Add derivation for gerrit-queue
This is a Gerrit autosubmit bot (actually written by flokli) which we
intend to use.

For now we're using the plain upstream version, but we'll want to
patch some of the behaviours of it so there's a vendoring on the
horizon.

Change-Id: I021d41b55f9f678435d9aec6d359545577cb9ec0
2021-12-09 11:16:15 +00:00
Vincent Ambo
24f5a642af gerrit: Use a Gerrit label instead of hashtag for autosubmit
This moves to using a Gerrit label ('Autosubmit') with boolean values
for determining whether a developer wants to have a change
automatically submitted.

See also https://cl.tvl.fyi/c/depot/+/4172
2021-12-09 13:49:16 +03:00
Vincent Ambo
5fd3140cf3 fix(tazjin/emacs): Gerrit remote is now 'origin'
Change-Id: I44998510ff4be2fa137ea4c81f888e63ea438a56
2021-12-09 13:24:20 +03:00
Vincent Ambo
623de7920f feat(tazjin/russian): Add words 601-700
Change-Id: I17b1362502952d96b8787ad3c055d66f212fd60b
2021-12-09 08:58:32 +00:00
Griffin Smith
a0fcec54cd feat(grfn/emacs): Tweak rust async_test snippets
Add a stop at the `flavor` argument, since some async tests can use the
default config.

Change-Id: Iffd726b304d0d9dd94938bf23b2688715d1f4e20
2021-12-09 02:08:50 +00:00
Griffin Smith
d4c765743e feat(tvl.el): Add magit-gerrit-cherry-pick
Bound to `A g`, this behaves similarly to `magit-gerrit-checkout` - it
prompts for a CL number, then cherry-picks the latest patchset of that
CL number

Change-Id: Ieef970b99d96170e8c960cc7687ead9022948f8b
2021-12-09 02:08:42 +00:00
Griffin Smith
49d4d12a73 feat(grfn/emacs): Add a prolog use_module snippet
Change-Id: Ib5226a1ad0f084d3755cbfe40bf3556b3fa7fb2b
2021-12-09 02:08:42 +00:00
Griffin Smith
91f33b1a96 feat(grfn/emacs): Add some prolog-mode mappings
Change-Id: If1677024f9a211eee5d42a03413b5058dd797b9a
2021-12-09 02:08:42 +00:00
tazjin
2d4fa60ae7 Merge "subtree(3p/exwm): Update to upstream '10bd1223'" into canon 2021-12-08 19:24:37 +00:00
Vincent Ambo
57b37cdc83 subtree(3p/exwm): Update to upstream '10bd1223'
A lot has happened in the meantime (EXWM maintainer change) and this
pulls in all the relevant changes since then.

It may become unnecessary to keep EXWM subtreed, but we'll get to that
later.

Change-Id: I45cc06d747d84b3d28fd0db0e4bb3b749a956583
2021-12-08 22:17:42 +03:00
Vincent Ambo
f1e1f71883 feat(ops/secrets): Bootstrap agenix secrets folder
Sets up the key set and adds an initial secret (besadii config with
tokens) to be deployed to whitby.

Change-Id: Ic07fd5e66b9e7a533013e04c35e052c2aa11f77d
2021-12-08 18:22:00 +00:00
Vincent Ambo
2fa157ccd6 fix(readTree): Apply .skip-subtree to Nix-file children as well
This behaviour was previously confusing, since readTree's data
structure treats children from Nix files and directories as identical
but only one of them would be affected by .skip-subtree

The "subtree" to be skipped here refers to all children of the
structure.

Change-Id: Idf596c9823f09cc2acf49523916bde4b801b8519
2021-12-08 18:22:00 +00:00
Vincent Ambo
14bf3f3cd9 feat(tazjin/russian): Add words 551-600
Change-Id: Ie2a670fc2aa24457a9fc7f3f22d5336d97e7789f
2021-12-08 20:37:49 +03:00
Vincent Ambo
b5dcb4e6df feat(tazjin/russian): Add words 501-550
Change-Id: Id9e4b9eb5e330a5331ca0cc2c7af2c4ade4a6ace
2021-12-08 20:23:09 +03:00
Vincent Ambo
a39ab958da feat(tazjin/russian): Add words 451-500
Change-Id: I5e0c8d61be0c0170370298aa4c6ee0a6607f24b7
2021-12-08 20:03:59 +03:00
Vincent Ambo
3f614a4e17 feat(tazjin/russian): Add words 401-450
Change-Id: I1101ebf2252390fc4ae308de43f09f606118615b
2021-12-08 01:19:46 +03:00
sterni
5c34d6645c chore(3p): bump NixOS unstable to 2021-12-07
Contains fix for unauthentictaed arbitrary file system access in
grafana.

Change-Id: Ic15f5376be32fb03b20824d1efb2f837ca2b2411
2021-12-07 19:27:54 +00:00
Griffin Smith
9246425407 fix(tvl.el): s/fourth/cadddr
Apparently some emacsen don't have functions like `fourth` etc.

Change-Id: I3d8b698685ce3b1757b427b32d8e27938cc26661
2021-12-07 19:19:18 +00:00
Vincent Ambo
214f422572 feat(3p/agenix): Import latest version from GitHub
It's time to automate secrets deployment on hosts like whitby.

Change-Id: If7006124b4b5fec16b4c3570488c11e484f93888
2021-12-07 18:27:54 +00:00
Vincent Ambo
c1479a6221 chore(besadii): Improve error messages on parse failure
Change-Id: I3cc4637aca8a940a0fdeca2d8bd6ac620ea384c0
2021-12-07 18:27:44 +00:00
Vincent Ambo
8a944484f0 fix(ops/besadii): Unquote Gerrit's extra-quotes around emails
Gerrit wraps RFC5322 emails in another layer of quotes when passing
them as flags, and this needs to be unquoted.

Otherwise hook invocations fail with cryptic errors.

Change-Id: Ieeb74c662873d99a4154f8cbc92da77b039cb88e
2021-12-07 18:27:44 +00:00
Vincent Ambo
6faf0edaff fix(ops): Correctly pass command name to besadii invocations
Ensure that besadii sees $0 as the correct command name, since that is
the sole mechanism by which its functionality is switched around.

There was a lingering commit that introduced this bug and hadn't been
deployed in a couple of days. Maybe time to tighten deploy cycles soon
...

Change-Id: Ie4284c0f6e5e06d71a71a3702ec7e092260e0ce5
2021-12-07 18:27:44 +00:00
sterni
6ef5162a93 chore(3p): bump NixOS channels and emacs overlay to 2021-12-07
* //third_party/cgit: apply patch [1] for Git 2.34 compatibility to
  reflect dropping of the string_list_init function in 770fed [2].
  Patch hasn't been applied on cgit's master yet, over concern about a
  breaking change in git (?) [3].

[1]: https://lists.zx2c4.com/pipermail/cgit/2021-November/004666.html
[2]: 770fedaf9f
[3]: https://lists.zx2c4.com/pipermail/cgit/2021-November/004667.html

Change-Id: Ie10c99c017ae5a43f4369b42151e19ecf07f7949
2021-12-07 10:36:17 +00:00
Vincent Ambo
7f2f5d07f2 fix(ops/besadii): Pass Build.Author to Buildkite
Extracts author information from the flags passed by Gerrit and moves
them along to Buildkite. This should display the owners of builds
correctly in the UI, rather than marking everything as coming from me.

Change-Id: If9efe5553a13f0dbdb8bf3936c1d341ae5922318
2021-12-06 17:42:57 +03:00