systemd gets sad otherwise and it is very difficult to console it
Change-Id: Ic6405489532c407273e5634474185f2947420b37
Reviewed-on: https://cl.tvl.fyi/c/depot/+/851
Reviewed-by: glittershark <grfn@gws.fyi>
Reviewed-by: BuildkiteCI
Tested-by: BuildkiteCI
it's not glittershark because grfn is the username I have on my laptop
and I want to be able to ssh without an `@`.
Change-Id: Ie1fb6f5e12f3ac52a44680704179bd27a00a7768
Reviewed-on: https://cl.tvl.fyi/c/depot/+/850
Reviewed-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
This adds NixOS configuration for the machine whitby.tvl.fyi.
No interesting services are configured yet, so this configuration is
quite plain.
Change-Id: I67b7c75ebd6e298719b52e6b3bd83cc3be3c45d8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/843
Tested-by: BuildkiteCI
Reviewed-by: BuildkiteCI
Reviewed-by: isomer <isomer@tvl.fyi>
Reviewed-by: lukegb <lukegb@tvl.fyi>
This does not work for ARGON2 hashes.
Change-Id: I1e070fa0ff17ef21632e94e6777da637deb6f54f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/834
Reviewed-by: Kane York <rikingcoding@gmail.com>
Reviewed-by: BuildkiteCI
Tested-by: BuildkiteCI
This makes it possible to use {ARGON2} hashes instead of the current
salted SHA hashes, which is a much better idea.
Unfortunately the nixpkgs module does not have an option for
overridding the package used, so it is overlaid into the system
package set - this causes widespread rebuilds.
This is fine for us for now, but I have opened a PR upstream to add a
package option: https://github.com/NixOS/nixpkgs/pull/91963
Change-Id: Ib4be931d88e74b91566639f8656742cf096f6cc3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/831
Reviewed-by: BuildkiteCI
Reviewed-by: isomer <isomer@tvl.fyi>
Tested-by: BuildkiteCI
This points commit/file/etc. links from Gerrit to Sourcegraph instead
of cgit.
There's a minor problem with this: Some, but not all unsubmitted CLs
are missing in Sourcegraph for unclear reasons so they lead to 404s.
That problem is unrelated to this change and something we need to
investigate separately.
Change-Id: I9b0c1eca8781dc96984ba09b4a71960eb43583bd
Reviewed-on: https://cl.tvl.fyi/c/depot/+/541
Reviewed-by: lukegb <lukegb@tvl.fyi>
This attribute makes much more sense in this position semantically.
Change-Id: I16cc6304f42c577a2368bd7c9573fcb7dd276a9d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/448
Reviewed-by: riking <rikingcoding@gmail.com>
Implements a function that generates the LDIF record for each user and
templates it into the configuration.
This is slightly more user-friendly and less error-prone (people kept
getting the DNs wrong) than editing the contents manually.
Change-Id: Ic419d2ef464f9a94be5d54b666f7d53134b53eed
Reviewed-on: https://cl.tvl.fyi/c/depot/+/447
Reviewed-by: riking <rikingcoding@gmail.com>
We can always revert this if we want it back.
Change-Id: I1332b6dd541199584b7b5b94a8651172d79e53a9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/442
Reviewed-by: glittershark <grfn@gws.fyi>
Reviewed-by: lukegb <lukegb@tvl.fyi>
This module spins up the Sourcegraph container.
Builds:
Note that this is contrary to how our other deployments work, but
packaging Sourcegraph is quite difficult (it's a Gitlab style
deployment with a lot of moving parts and third-party things that it
bundles).
If we decide to keep it around, we will want to look at packaging it
in Nix in the future.
Deployment:
The deployment is a hack. Sourcegraph does not support public
instances, but we want it to be public. To work around this we have
configured HTTP-proxy based authentication (i.e. auth via a header)
and hardcoded a static header.
This works, but lets anonymous users change the "Anonymous" user's
settings. We can expect this to get defaced (profile picture, name
etc), until we figure out how to write some nginx configuration to
drop those requests. See git-bug for details.
The Sourcegraph configuration is also not checked in to the
repository. It's unclear where in the data directory it is stored.
Change-Id: I414ff11c3b49989b6792d697bffc8a0edf96c9cb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/425
Reviewed-by: lukegb <lukegb@tvl.fyi>
This plugin just blindly assigns everyone and, as q3k has already
pointed out, just isn't particularly useful.
We might want to roll our own, for example:
19: 40:41 <+Remosi> I want the virtual owner thing, we could call it
Gerrit Workgroup Synthesizer Queuing, or gwsq for short.
Change-Id: Ib12a921ae4047ac6a734035dd0900c8964fb12d8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/350
Reviewed-by: riking <rikingcoding@gmail.com>
Without these changes, the NixOS module isn't able to use the new
Gerrit derivation.
These changes are already deployed as I needed to make them to get
Gerrit back up.
Change-Id: Iad3aa6158789a014134fddccd40b508b81486100
Reviewed-on: https://cl.tvl.fyi/c/depot/+/301
Reviewed-by: lukegb <lukegb@tvl.fyi>
NixOS modules move one level up because it's unlikely that //ops/nixos
will contain actual systems at this point (they're user-specific).
This is the first users folder, so it is also added to the root
readTree invocation for the repository.
Change-Id: I546c701145fa204b7ba7518a8a56a783588629e0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/244
Reviewed-by: tazjin <mail@tazj.in>
Gerrit does not expect a bin/ there.
Change-Id: I907f96690b8c6bb614dc11889712d7b122c5d5cf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/181
Reviewed-by: tazjin <mail@tazj.in>
Loads the 'hooks' plugin into Gerrit, which - as per my interpretation
of the docs - is going to execute any hooks for which there are
matching binaries.
The intention here is that besadii should implement most of the hooks
we care about. As a start, it is symlinked here to the `ref-updated`
hook.
Change-Id: I6482a9d71cc08908c29dd10f786cbba32b33d04d
This enables the display of various download commands on change pages,
which makes things like checking out refs for review locally easier.
Change-Id: I3c29854aa0cf1aa393efb89b7516bbf84e0083d4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/162
Reviewed-by: lukegb <lukegb@tvl.fyi>
This is a prerequisite for setting up the download-commands plugin.
Change-Id: I7803ef18be759f95aec020e4a00ca8e0fb48bfe0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/161
Reviewed-by: lukegb <lukegb@tvl.fyi>
This adds a little tool that can be used to relay mail to Gmail (and
other SMTP servers). It is intended to be used by Gerrit, which is
incompatible with Gmail's SMTP servers.
Configuration has been tested by performing a few sends through the
tvlbot@tazj.in account.
Note that this is using the standard Gmail SMTP server. Using the
smtp-relay server relies on IP whitelisting, but camden.tazj.in has a
larger number of IPv6 addresses than can be whitelisted (the maximum
is 65k). This means that we are limited to 2000 mails per recipient
per day, which should be fine.
Change-Id: Ie43564d753030f5c800a9cdb4ae98292877d80dc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/101
Reviewed-by: edef <edef@edef.eu>
Configures Gerrit send emails from tvlbot@tazj.in for outgoing review
notifications. Emails are always plain-text and can contain diffs (up
to a maximum size of 256KiB).
The configuration options for this are documented at:
https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#sendemail
Note: The password for this user is stored on the host, in a file that
is not part of version-control and is only readable by the 'git' user.
We should probably figure out a way to do secrets management ...
Change-Id: I2f99b34b1a774c28d814b0aba1f1b78fd512854e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/92
Reviewed-by: riking <rikingcoding@gmail.com>
The old host at cs.tazj.in now redirects there, and I've added a
helper function for creating these redirections.
Change-Id: I66794d752df46c8e795e47aedfaffd8c27c45627
Reviewed-on: https://cl.tvl.fyi/c/depot/+/89
Reviewed-by: riking <rikingcoding@gmail.com>
Reviewed-by: tazjin <mail@tazj.in>
Moves the host at which cgit is served to 'code.tvl.fyi'.
Also updates related projects that link to this, most importantly:
* Hound's & Gerrit's cgit link bases have been updated
* besadii is updated to request CI builds for the new location
Change-Id: I44e3e584010ac29cc913ebb1a197c996eb024d80
Reviewed-on: https://cl.tvl.fyi/c/depot/+/71
Reviewed-by: lukegb <lukegb@tvl.fyi>
There are no remaining traces of Emacs breakage in unstable - as far
as I can tell.
Change-Id: I06c5d78aa3ff9c0cc00c62e6d6966c5079fb3b24
Reviewed-on: https://cl.tvl.fyi/c/depot/+/63
Reviewed-by: tazjin <mail@tazj.in>
This change makes Gerrit run as the 'git' user, which can be shared by
other services such as hound or cgit to access the git trees.
Change-Id: Ic6c91f3e852184f5ef21f4374738cbf687462194
Reviewed-on: https://cl.tvl.fyi/c/depot/+/21
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: isomer <isomer@tvl.in>
Because modules are not called via the default depot setup (for now
...), this introduces a dummy module that stores the depot tree itself
in the module configurations.
This makes it possible to write modules that use packages from the
depot.
These patches enable hardware-accelerated video decoding, which is
useful for Stadia.
The main issue with this is that Hydra doesn't currently cache
Chromium with these patches, which means that it is built from scratch
which takes in the order of 5 hours on an otherwise unused nugget.
The implementation for provisioning ACME certificates has changed in
nixos-unstable[0] and now requires a few extra options to be set.
[0]: https://github.com/NixOS/nixpkgs/pull/77578
Enables the journaldriver service to forward logs into a "home"
log-stream in the "tazjins-infrastructure" project.
The service account key for camden has been placed on the machine
manually.
At the moment there is no other way for requests from nugget to camden
to resolve correctly, as the Hyperoptic router is eating this traffic
on the LAN.
Adds a user & group which are configured to own the local depot copy,
and a cgit service to serve it.
The depot checkout was configured as:
mkdir -p /var/git && chown git: /var/git
# now, as the git user, in /var/git
git clone --bare ... depot
chmod -R g+rw /var/git
chmod g+s (find /var/git -type d)
git init --bare --shared=all depot
My personal user is a member of the git group, which means that after
the above configuration I can push to the bare repo as my user and
things work.
Also, crucially, the `post-update` hook must be enabled as cgit uses
the dumb HTTP transport.
This nginx does not currently log access correctly because for some
impenetrable reason (as is tradition), neither /dev/stdout nor
/dev/fd/1 exist for nginx at runtime. This is probably systemd's
doing, but I'll debug it later.
