Commit graph

100 commits

Author SHA1 Message Date
Vincent Ambo
5faa737ead fix(ops/besadii): Remove branch tag after checking for it
... oops. The problem with working on besadii is that testing it
always lags one commit behind.
2020-02-21 23:35:42 +00:00
Vincent Ambo
a2bb8a7e1d fix(ops/besadii): Do not trigger builds for deleted branches 2020-02-21 23:30:05 +00:00
Vincent Ambo
28560fcf8a fix(ops/besadii): Include branch name in build note 2020-02-21 23:27:41 +00:00
Vincent Ambo
ca7c8fe9f0 fix(ops/besadii): Clone from git.tazj.in, not git.camden.* 2020-02-21 23:20:22 +00:00
Vincent Ambo
5ed68f0f6b fix(ops/besadii): Only trigger builds for branches 2020-02-21 23:16:28 +00:00
Vincent Ambo
8fe90430ee chore(ops/besadii): Pin git version used in besadii 2020-02-21 23:13:53 +00:00
Vincent Ambo
c689df0dc7 fix(ops/besadii): Replace slashes in branch names
Submitting a build with a branch containing a slash (which is common
for my branches) returns this error:

    Invalid tag name, tags must use lowercase alphanumeric characters,
    underscores, dashes, or dots

This commit replaces all slashes with underscores to work around that.
2020-02-21 23:06:19 +00:00
Vincent Ambo
21b76cb023 feat(ops/besadii): Run 'git update-server-info' at startup
Since besadii is effectively the entire post-receive hook, it also
needs to do the entire job of the hook.
2020-02-21 22:58:34 +00:00
Vincent Ambo
8377fd48f5 fix(ops/besadii): Send auth token in correct format 2020-02-21 22:51:40 +00:00
Vincent Ambo
59d02771b5 refactor(ops/besadii): Log to syslog instead of stdout 2020-02-21 22:46:34 +00:00
Vincent Ambo
dcbe3d1f9b feat(ops/besadii): Use post-receive hook input to trigger builds
Parses the input passed to besadii from git to extract ref updates and
trigger builds.
2020-02-21 22:32:23 +00:00
Vincent Ambo
5058f3928a feat(ops/besadii): Read sourcehut token from secrets file on disk 2020-02-21 22:31:57 +00:00
Vincent Ambo
0a34810e27 chore(ops/besadii): Fail if sourcehut token is unset 2020-02-21 22:09:23 +00:00
Vincent Ambo
80c6680eda feat(ops/besadii): Refactored tool to trigger sourcehut builds
Refactors //ops/sync-gcsr which was previously responsible for
synchronising the git repository between GCSR and the git.tazj.in cgit
instance to simply be responsible for triggering builds on sourcehut.

This program is intended to run as a git post-update hook.

Note: Not yet feature complete, as interpolation of concrete git
values and also sourcehut secrets is missing.
2020-02-21 22:05:43 +00:00
Vincent Ambo
68d1d87a9b fix(ops/nixos/camden): Add missing quote in nginx config 2020-02-21 16:12:48 +00:00
Vincent Ambo
25d8e7ce25 feat(ops/nixos/camden): Modify nginx log format
This log format contains more structured and correctly typed
information, which I can now use for dashboards and stuff in Stackdriver.
2020-02-21 16:10:08 +00:00
Vincent Ambo
1e51a2135d fix(ops/nixos/camden): Configure nginx to not log hostnames
Hostname prefixes break JSON serialisation, leading to useless
Stackdriver Logging entries.
2020-02-21 16:01:54 +00:00
Vincent Ambo
703aebe6a9 feat(ops/nixos/camden): Install jq 2020-02-21 15:43:07 +00:00
Vincent Ambo
6e4df43f62 feat(ops/nixos/camden): Forward logs to Stackdriver Logging
Enables the journaldriver service to forward logs into a "home"
log-stream in the "tazjins-infrastructure" project.

The service account key for camden has been placed on the machine
manually.
2020-02-21 15:35:51 +00:00
Vincent Ambo
7290a18cb1 chore(ops/nixos/nugget): Remove input-fonts package
My default font is now Jetbrains Mono everywhere.
2020-02-21 13:54:53 +00:00
Vincent Ambo
4bbbb58cb5 chore: Rename pkgs->depot in all Nix file headers 2020-02-21 13:54:53 +00:00
Vincent Ambo
0e54b3eb6a Merge branch 'fix/camden-trusted-users' 2020-02-17 01:02:06 +00:00
Vincent Ambo
ce4042ede7 fix(ops/nixos/camden): Add myself to trusted Nix users 2020-02-17 01:00:12 +00:00
Vincent Ambo
494e006c6b fix(ops/nixos/camden): Use pounce from //third_party 2020-02-17 00:52:07 +00:00
Vincent Ambo
1b31b47ef1 feat(ops/nixos/camden): Install pounce on camden 2020-02-17 00:22:19 +00:00
Vincent Ambo
5bfd2f70ad feat(ops/nixos/camden): Enable support for mosh 2020-02-17 00:06:55 +00:00
Vincent Ambo
4fed63d892 Merge branch 'feat/camden-migration' 2020-02-17 00:04:38 +00:00
Vincent Ambo
120ec820d1 chore(ops/nixos/nugget): Add /etc/hosts entries for camden hostnames 2020-02-17 00:03:31 +00:00
Vincent Ambo
2fd6ec650b refactor(ops/nixos/camden): Merge ACME certificate blocks 2020-02-14 12:00:12 +00:00
Vincent Ambo
bcc797fa2f feat(camden): Move to actual tazj.in hostnames 2020-02-14 11:49:04 +00:00
Vincent Ambo
c5806a44a7 feat(ops/nixos/nugget): Add camden to /etc/hosts
At the moment there is no other way for requests from nugget to camden
to resolve correctly, as the Hyperoptic router is eating this traffic
on the LAN.
2020-02-12 01:11:10 +00:00
Vincent Ambo
4feb306763 feat(ops/nixos/camden): Add nginx vhost for cgit at git.camden 2020-02-12 01:09:03 +00:00
Vincent Ambo
7373edf73a feat(ops/nixos/camden): Move ACME configuration out of nginx
This makes it possible to re-use the same provisioning mechanism for
multiple related domains.
2020-02-12 01:08:27 +00:00
Vincent Ambo
8e52e74bd3 feat(ops/nixos/camden): Set up cgit service
Adds a user & group which are configured to own the local depot copy,
and a cgit service to serve it.

The depot checkout was configured as:

  mkdir -p /var/git && chown git: /var/git

  # now, as the git user, in /var/git
  git clone --bare ... depot
  chmod -R g+rw /var/git
  chmod g+s (find /var/git -type d)
  git init --bare --shared=all depot

My personal user is a member of the git group, which means that after
the above configuration I can push to the bare repo as my user and
things work.

Also, crucially, the `post-update` hook must be enabled as cgit uses
the dumb HTTP transport.
2020-02-12 01:04:12 +00:00
Vincent Ambo
b4c0292753 fix(nix/tailscale): Fix incorrect Tailscale ACL config type 2020-02-11 21:00:50 +00:00
Vincent Ambo
675fed2dca feat(ops/nixos/camden): Serve /blobs/ from /var/www/blobs
This directory is writeable by me and is intended to make it easy to
serve random blobs.
2020-02-11 20:54:50 +00:00
Vincent Ambo
31b021e629 feat(ops/nixos/camden): Enable haveged entropy "generator" 2020-02-11 20:54:31 +00:00
Vincent Ambo
dbb24e0377 feat(ops/nixos/nugget): Set up nginx serving homepage & blog
This nginx does not currently log access correctly because for some
impenetrable reason (as is tradition), neither /dev/stdout nor
/dev/fd/1 exist for nginx at runtime. This is probably systemd's
doing, but I'll debug it later.
2020-02-11 19:32:21 +00:00
Vincent Ambo
2e95822712 fix(ops/nixos/camden): Use package set from depot pin 2020-02-11 16:46:15 +00:00
Vincent Ambo
df1a4fef2b feat(nix/tailscale): Add function for generating tailscale ACLs
... and use it on Camden!
2020-02-11 16:36:28 +00:00
Vincent Ambo
44b57d095b feat(ops/nixos/camden): Join camden.tazj.in into Tailscale mesh 2020-02-11 16:27:34 +00:00
Vincent Ambo
aaa0119a37 fix(ops/nixos): Add camden to rebuilder script
This should probably be templated instead.
2020-02-11 15:49:29 +00:00
Vincent Ambo
3b88611336 feat(ops/nixos): Add initial configuration for host camden 2020-02-11 15:41:00 +00:00
Vincent Ambo
a8792f8372 feat(ops/nixos/nugget): Enable tailscale-relay 2020-02-11 00:55:46 +00:00
Vincent Ambo
b586a04a0a feat(ops/nixos): Add NixOS module for running tailscale
This uses the "legacy" tailscale Linux client, but built from source
as per the previous commits.
2020-02-11 00:53:09 +00:00
Vincent Ambo
77085f5876 chore(ops/nixos/nugget): Install tailscale on nugget 2020-02-11 00:09:34 +00:00
Vincent Ambo
21e0279e08 chore(ops/infra/k8s): Bump website replicas to 3
There are typically 3 machines in the cluster, might as well have 3
website instances!
2020-02-09 02:21:09 +00:00
Vincent Ambo
4a18b3971a fix(ops/infra/k8s): Send www.* to nginx for redirections 2020-02-09 01:54:13 +00:00
Vincent Ambo
d0800197c4 feat(ops/infra/k8s): Add website deployment configuration 2020-02-09 01:30:56 +00:00
Vincent Ambo
87967d5be3 docs: Update README with new website setup 2020-02-09 01:30:34 +00:00