When I include "80" and "443" in the allowed TCP ports, the ports don't appear
to be open, but when I add the tags "http-server" and "https-server", which I
don't control, they do. I'm not sure what's going on, but I don't want to let
perfect be the enemy of good...
Change-Id: I46097a9d80708d14261b0af34c16ab1129aa8107
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4725
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
These records were previously configured manually in the GleSYS web UI
during our DNS outage (b/155).
Note that I could not find a way to `terraform import` these records
and have instead recreated the set and then cleaned up in the UI.
Change-Id: If7de9a7e6dad20953ba8b610589a62dce400e87b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4716
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
These records were previously configured manually in the GleSYS web UI
during our DNS outage (b/155).
Note that I could not find a way to `terraform import` these records
and have instead recreated the set and then cleaned up in the UI.
Since we often point things at whitby, I have extracted variables for
its IPs in this change.
Change-Id: I09fda94d3734e8aaa278fa858e160d046740da1e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4714
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
These records were previously configured manually in the GleSYS web UI
during our DNS outage (b/155).
Note that I could not find a way to `terraform import` these records
and have instead recreated the set and then cleaned up in the UI.
Change-Id: I2b7e0ed0931f50e7fa49c1f6e3400dfe958def04
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4713
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
TL;DR:
- Create an index page to list blog posts
- Drop blog.wpcarro.dev -> wpcarro.dev/blog
- Create fragments directory to host reusable static website components
- Consume fragments in wpcarro.dev and wpcarro.dev/blog for brand consistency
Change-Id: Ib8440300c008c3c0c5e5a6f207e4ea207dd41b47
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4717
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Adds the secrets and some instructions for deploying the GleSYS
Terraform infrastructure.
Change-Id: I1a10f9cee7648d406b3d27ef45fc74b6923cbc30
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4712
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
This was previously configured in the UI.
Change-Id: I68361b1489093b76736adab2e38ed7b474b10881
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4711
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
This was previously configured in the UI.
Change-Id: Ib15b8ecca96d7814dc85d62199865b22bdb63f95
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4710
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
This should never sit around locally the way it does now.
Change-Id: Icfbdaf1949d6d948a796a0759282ea6144af3621
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4709
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
This file can be sourced (somehow, depending on the user) while
working with //ops/keycloak to get the relevant secrets.
Change-Id: Ibb3051c4b019f64824964475451c1c3996db6421
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4708
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Grafana was still pointing at the (now non-existent) CAS setup. This
changes the endpoints to use Keycloak instead and updates the client
secret.
Change-Id: Ib25d38330aba2ef6d894e8c33d86852c884ab5be
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4706
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
Figured this out by opening web inspector for the discord web app and
looking at the responses for role memeber counts.
Change-Id: I0fa6418c4d1781a65ef50c9ed14665e2b142ae32
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4707
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Hugo is a bit too heavyweight for my taste.
Change-Id: I331bc5898bd40f1a03bbde8ad69fe3cc9f72c18b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4704
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
Two minor "quality of life" improvements:
- automatically set SSL_CERT_FILE environment variable,
so that programs relying on OpenSSL for certificate
validation can actually validate certificates
(the certificates are included no matter what since
we add the "cacert" package to all iamges)
- if the requested image includes an interactive shell
(e.g. if it includes the "shell" metapackage), set
the image Cmd to "bash", which allows to execute
"docker run nixery.dev/shell" and get a shell)
I'm happy to split this PR in two if you'd like, but
since both features touch the Config structure and are
rather small, I thought it would make sense to bundle
them together.
while trying to yantsify `mkSecrets` in https://cl.tvl.fyi/c/depot/+/4688,
I(zseri) needed to debug a failing evaluation which boiled down
to a result.ok containing something which wasn't boolean,
but the error message didn't indicate where that value came from.
I debugged yants and found that the only place which didn't
simply combine boolean values or use functions which always
return booleans, I managed to isolate the error to the
`pred v` expression. To avoid the necessity to debug yants
to find this, I improve the error message for this case
to mention that
- a restriction predicate is invalid
- what's the name of the failing restriction
- the unexpected predicate return value
Change-Id: I6c570a33ccc5afc445f208e2e8855c49fb37abaf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4698
Tested-by: BuildkiteCI
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Reviewed-by: tazjin <mail@tazj.in>
Autosubmit: zseri <zseri.devel@ytrizja.de>
I have a (unconfirmed) suspicion that this is paying more in CPU time
than it's saving in disk space - regardless, I have a bounty of the
latter and a deficit of the former.
Change-Id: I3375b8d904e0878fd47c1845e3c3b9b6c6359189
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4700
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
This was originally intended to work around the issue caused by me
accidentally ending up proxy_set_header'ing the Host header twice (which
nginx *concatenates with slashes*, rather than overwriting!), but seems
sensible regardless to make that whole thing (hopefully) a bit less
brittle
Change-Id: I877fa594b46e88d1ba05e793832beab3d0aaccdd
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4697
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Also update log deps so things actually log, using a new :outdated alias
based on antq
Change-Id: I6f87f474bea101fa1b396c519b234eb3aac1c4f1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4696
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Start of a production deployment of the app with nixos+terraform, using
provisioners and null-resources to provision nixos machines a'la espes.
Change-Id: I2ddaed76d0037dadbf9fc9e2ee27e9e67a852228
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4695
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Start setting up agenix with secrets in //users/grfn/secrets for
mugwump, starting with my cloudflare API key which I use for the ddns
from my home apartment
Change-Id: Ida66cb91da3415357a512039d6c23402f0ae9388
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4683
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Generalize out a reusable mkSecrets function from the
secrets-tree-building that's happening in //ops/secrets, so the same
thing can happen in other places in the depot (I want to use it for my
personal infrastructure).
Change-Id: I059295c8c257d78ad7fa0802859f57c2c105f29b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4679
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Let's see what mosh is all about...
Change-Id: I0439130f55dc056370397c3e4ea8039f888703c3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4690
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
Building nix derivations needs tar (provided by gnutar) and gzip on the
PATH in order to extract .tar.gz archives.
Change-Id: Ia2df7a3a770cfd342dfede58ad34e04805fbd1f8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4685
Tested-by: BuildkiteCI
Autosubmit: grfn <grfn@gws.fyi>
Reviewed-by: wpcarro <wpcarro@gmail.com>
The content needs small gutters to improve readability on my iPhone 12.
Change-Id: I751ae5387ad93c95729e642c21c37e481412c00e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4678
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
