Commit graph

726 commits

Author SHA1 Message Date
Vincent Ambo
5a88e47b71 refactor(ops/pipelines): Split build/post steps into separate chunks
This will create `build-chunk-$n.json` files for steps that should run
_before_ duck, and `post-chunk-$n.json` files for steps that should
run after duck.

The post steps are not yet uploaded to Buildkite, but we also don't
have any right now.

Change-Id: I7e1b59cf55a8bf1d97266f6e988aa496959077bf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5047
Tested-by: BuildkiteCI
Reviewed-by: ezemtsov <eugene.zemtsov@gmail.com>
Autosubmit: tazjin <tazjin@tvl.su>
2022-01-22 11:59:08 +00:00
Vincent Ambo
f12ceaa622 refactor(ops/pipelines): Use branches filter for canon-only steps
Using this instead of a conditional leads to nicer output in the UI,
but has no semantic difference.

Change-Id: I5b368d663f417d256e4792d2d46b84fc50d42d0e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5045
Reviewed-by: ezemtsov <eugene.zemtsov@gmail.com>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
2022-01-22 11:59:08 +00:00
Vincent Ambo
a4aabaff68 refactor(ops/pipelines): Move :git: step up in the pipeline
This step is independent of the build result and can be scheduled at
the beginning while pipeline eval is still in progress.

Change-Id: I2ee268e4c333efa654dcb12c0b1562b43231d241
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5044
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: ezemtsov <eugene.zemtsov@gmail.com>
2022-01-22 11:29:04 +00:00
Vincent Ambo
4b9bd8afd7 feat(ops/pipelines): Always upload entire pipeline output
Previously we only stored the drvmap, but we will also need the build
chunks to refactor the generation of dynamic post-steps.

Change-Id: I256fffe13af8f8c4521835257f5d87dda323b248
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5043
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: ezemtsov <eugene.zemtsov@gmail.com>
2022-01-22 11:29:04 +00:00
Vincent Ambo
3e9aa7722d refactor(depotfmt): Move formatting check into an extra step
Change-Id: I7e4cf6bb2351bd11a5396f1663c0d4cc97c0d94e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5009
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: ezemtsov <eugene.zemtsov@gmail.com>
2022-01-21 11:49:03 +00:00
Vincent Ambo
ac7e989571 feat(ops/pipelines): Trigger pipeline for tvl-kit through canon
This CI pipeline in Buildkite verifies the external (josh-provided)
view of the depot at //views/kit.

See https://buildkite.com/tvl/tvl-kit

Note that this always triggers a build of HEAD. This is because we
don't know the transformed commit ID, and we currently have no way to
pass a ref through. The pipeline is configured to skip intermediate
builds.

I asked Buildkite for some ideas on how to improve this, lets see.

Change-Id: I6c60fb1ea7606c1c90219ef04fd7bada64661529
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5010
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-20 17:35:18 +00:00
Vincent Ambo
0652ac0ace refactor(nix/buildkite): Move fetch-parent-targets script here
This is no longer TVL-specific and should live here with the other
generalised stuff.

Change-Id: I95a1b4c0321f34812162d6fd40568269abf639dd
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5006
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: ezemtsov <eugene.zemtsov@gmail.com>
2022-01-19 17:22:36 +00:00
Vincent Ambo
c2e6c0719c refactor(ops/pipelines): Generalise fetch-parent-targets script
Removes all TVL-specific values in favour of environment variables
supplied by Buildkite.

This makes it possible to reuse this script outside of TVL.

Change-Id: Ic543bc41e4c81e65ee349ad241c515231e97ab30
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5005
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: ezemtsov <eugene.zemtsov@gmail.com>
2022-01-19 17:22:36 +00:00
Åsmund Østvold
6e4b0f3cef feat(ops/besadii): make text 'cl' posted BuildKite configurable
Some companies do not know the 'cl' term. They do know of 'change' and
would maybe not like to introduce one more synonym.

This cl introduce an optional entry 'gerritChangeName' in
besadii.json. The string has to match `^[a-z0-9]+$` for readability.

Change-Id: Id70fcb1e45158869f88bf37669be49b8b8a3b295
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4825
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: asmundo <asmundo@gmail.com>
2022-01-19 10:31:52 +00:00
Vincent Ambo
1f3aa71cf2 fix(ops/oauth2_proxy): Fix cookie secret length
The cookie secret in the encrypted file was too long, because the
generation command in the oauth2_proxy docs is also wrong. Should
probably fix that upstream as well.

Also noticed that an extra '2' snuck into the service name and fixed
that.

Change-Id: I9a344a75993ab1f98299a8d45e7f5b2e146b7fc5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4957
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-17 13:51:47 +00:00
Vincent Ambo
9596c642d5 feat(ops/pipelines): Fetch parent target map for pipeline generation
Change-Id: I1c7d48fc0974549d67146a15f79ddb0b6ddfe805
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4947
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-17 11:49:01 +00:00
Vincent Ambo
0779f96687 feat(nix/buildkite): Check target map of parent to determine skips
This changes the logic for build pipeline generation to inspect
an (optional) parentTargetMap attribute which contains the derivation
map of a target commit.

Targets that existed in a parent commit with the same drv hash will be
skipped, as they are not considered to have changed.

This does not yet wire up any logic for retrieving the target map from
storage, meaning that at this commit all targets are always built.

The intention is that we will have logic to fetch the target
map (initially from Buildkite artefact storage), which we then pass to
the depot via externalArgs when actually generating the pipeline.

Change-Id: I3373c60aaf4b56b94c6ab64e2e5eef68dea9287c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4946
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-17 11:49:01 +00:00
Vincent Ambo
0a21da2bb4 feat(ops/pipelines): Create drvmap structure for each commit
Always create a structure that maps all targets to derivations, and
persist it as a JSON file.

This relates to some of the ideas expressed in:

https://docs.google.com/document/d/16A0a5oUxH1VoiSM8hyFyLW0WiUYpNo2e2D6FTW4BlH8/edit

The file is always uploaded to Buildkite as an artifact. This allows
for retrieving it based on the commit ID in a Buildkite GraphQL query.

By default, Buildkite stores artefacts for 6 months. Storage location
can be overridden (with custom retention) through some environment
variables, but for now at TVL the Buildkite-managed storage is fine.
See also: https://buildkite.com/docs/pipelines/artifacts

In the subsequent filtering implementation, when diffing commits
across a time-range that exceeds artefact retention time, we should
simply default to building everything.

Change-Id: I6d808461cd1c1fdd6983ba8c8ef075736d42caa7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3662
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-17 10:26:08 +00:00
Vincent Ambo
005cd4037a fix(gerrit-tvl): Handle "broken" (skipped) jobs correctly
by simply skipping them

Change-Id: I9cbec3b79469ae01b1873d6a42e990b98cc4110a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4921
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-01-14 20:44:56 +00:00
Vincent Ambo
a5c9b11a6b fix(gerrit-tvl): Exclude non-command jobs from check results
Change-Id: I13727d30ac7a568f02614a4bbc778afed6a286ba
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4891
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: tazjin <tazjin@tvl.su>
2022-01-14 20:30:53 +00:00
Vincent Ambo
86a205220f fix(gerrit-tvl): Explicitly specify patchset on check runs
Since we now group patchsets inside of Buildkite, the results are no
longer guaranteed to be for the right patchset.

There might be some metadata passed in from Gerrit that would let us
do this with the commit ID instead, but I haven't checked.

Change-Id: I5b74a17697511160fcc89d3dbef23517d974dc6f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4890
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: tazjin <tazjin@tvl.su>
2022-01-14 20:30:53 +00:00
Vincent Ambo
e8bf17317e fix(gerrit-tvl): Mark job as failed on all failure states
Change-Id: If0fa85d8178b9e457305d0244ddf67d12a4b3051
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4889
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: tazjin <tazjin@tvl.su>
2022-01-14 20:30:52 +00:00
Vincent Ambo
e1ffaee1dd fix(gerrit-tvl): Support all documented Buildkite job statuses
I'm not sure where the previous list originated, but it was missing
some officially documented statuses. However, the API definitely
returns statuses that are documented to only appear in other types, so
this commit simply maps ALL statuses that Buildkite has documented for
any type.

Also adds a log statement in case we encounter a brand new, unknown,
undocumented status.

Change-Id: Iff003a3bd2608702019ae0f4137958435ad0856f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4888
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-01-14 20:30:52 +00:00
Vincent Ambo
058bf61193 fix(gerrit-tvl): Fix construction of ref used in Buildkite
... and remove a spammy log statement.

This changed in besadii a while ago and lead to the behaviour of
failing silently, instead of failing with an error saying "undefined
undefined".

Note that with this change merged the plugin probably still won't work
again, but it gets us a step closer to the real error.

Change-Id: I3db25d246f4b1c634d316cd92574e27fb220d769
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4887
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-01-14 20:30:52 +00:00
Vincent Ambo
ee52fbc46c feat(besadii): Skip builds of patchsets with no code changes
Currently Gerrit is configured to copy forward the scores of the
'Verified' label if the tree of the commit does not change (e.g. only
author information or commit message is modified).

Besadii still triggers builds for these patchsets though. With this
change it will inspect the (previously ignored) "kind" of the patchset
and skip patchsets with the same tree as their predecessor.

See Gerrit docs for the semantics of "kind":

https://gerrit-review.googlesource.com/Documentation/json.html#patchSet

Note that an argument can be made that we should do the exact opposite
- stop carrying over 'Verified' at all and always build all patchsets.

I think this depends on whether we intend to use commit metadata in CI
runs at all. Adding a few people to the review for opinions.

Change-Id: I48a96a1ad1e07d92330d84e5cfdc820a39395297
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4867
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: asmundo <asmundo@gmail.com>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-14 17:35:45 +00:00
Vincent Ambo
bce5192566 feat(whitby): Install a handful of systemPackages
Adds more things I keep using via nix-shell, as well as the
deploy-whitby script (which is independent of a particular depot
checkout).

Change-Id: I36f87de7645768a05268c90ba9b3ab833bacca05
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4881
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-13 08:39:03 +00:00
Vincent Ambo
9c025d62a0 refactor(deploy-whitby): use nvd instead of nix-diff
nvd only shows us changed versions of packages, as well as
added/removed packages, which means that for the majority of depot
packages nothing will be displayed

however, the current output of nix-diff is not usable anyways, so
having something that can be looked at is better than nothing

Change-Id: Iefbd8139c7ccf5c88ed1209897abdb2ae9302e91
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4868
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2022-01-13 08:14:00 +00:00
sterni
d99132f45a fix: resolve remaining security.acme.email warnings
These were missed in cl/4784.

Change-Id: I01a5827900c1b3bdfdf9b1c36dcca8d6b59073a1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4866
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: sterni <sternenseemann@systemli.org>
2022-01-12 18:30:34 +00:00
Åsmund Østvold
d4b997d832 fix(ops/besadii) no need to ref CL number in post to Gerrit
The comment posted to the Gerrit change do not need to contain the CL
number as it is given by the context of the Gerrit UI.

Change-Id: I172645e7f4d82e2fbebe179578babd42ea29737f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4826
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: asmundo <asmundo@gmail.com>
2022-01-12 09:37:01 +00:00
William Carroll
1e730c859d fix(wpcarro/all-systems): Remove diogenes from my top-level systems
When `findSystem` attempts to evaluate `system.config.networking.hostName`,
diogenes (because I've refactored its definition) causes the following error:

> You're trying to declare a value of type `string'
> rather than an attribute-set for the option
> `system'!

Change-Id: Ib23cb9aa9cadc1f71ad3369c903e587762d12cc0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4830
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
2022-01-08 10:04:00 +00:00
Vincent Ambo
7cac51a995 feat(ops/auto-deploy): Support emergency stops via stop file
Adds a feature to emergency-stop deploys by simply running `touch
/var/lib/auto-deploy/stop`.

This can be useful in some situations, especially if there is a
process that reconciles service state (so that e.g. stopping the
unit's timer would be undone).

Change-Id: I233dfac365a578bfa4110eb605b50be079974ba4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4827
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: wpcarro <wpcarro@gmail.com>
2022-01-07 17:17:33 +00:00
Vincent Ambo
b8e011f792 chore(cache.tvl.su): Raise cache priority to 50
The priority of binary caches is decided by the remotes in Nix (???),
and by default nix-serve (which is *very* slow) has a lower priority
than cache.nixos.org (which means that it will be preferred over the
faster cache for paths that exist on both).

To avoid this, override the hardcoded (????) priority by serving the
nix-cache-info response directly from nginx instead.

Change-Id: I15a2d6618386d16edaf69f1c9257a36bd72132d2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4823
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
2022-01-07 01:30:00 +00:00
tazjin
1bd6c2a85b revert: "fix(ops/pipelines): Remove duplicated wait step"
This reverts commit 5e036ed9fc.

Reason for revert: This introduced a logic error since the remaining
step runs at the wrong point in the pipeline. Temporarily reverting to
having duplicated waits in order to clean up later.

Change-Id: Ifa6ece50dd22924f02efd7b790a5863ca1189af7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4841
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
2022-01-07 01:06:56 +00:00
Vincent Ambo
73288ba569 feat(ops): Add initial oauth2_proxy configuration
The intent is to configure oauth2_proxy pointing at Keycloak to enable
usage with nginx auth_request directives.

I want to expose this as a function from within the module in which
nginx server configuration blocks can be wrapped, but the function for
that is currently a placeholder.

Change-Id: I5ed7deb9bf1c62818f516e68c33e8c5b632fccfe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4767
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2022-01-04 18:04:27 +00:00
Vincent Ambo
3806cea40b chore(ops): Remove login.tvl.fyi module
It looks like we won't need this for oauth2_proxy when combined with
nginx auth_request setups.

Change-Id: I2294aee6226b4f64a27bf6592c2d18092d0268cc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4766
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
2022-01-04 18:04:20 +00:00
Vincent Ambo
4ab061ed98 fix(ops/pipelines): Realise anchor derivation for rooting
Turns the anchor derivation into something that can actually be
built (a call creating a propagated build inputs file), and builds it.

This should fix the anchoring logic we have on canon.

Change-Id: If6a7662b82e2e396388980f65e332cf67a45b46e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4763
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-02 22:25:42 +00:00
Vincent Ambo
5a6f984222 refactor(ops/keycloak): Split out clients & user-sources
Without some kind of physical organisation it's a little difficult to
understand whether things are going "in" (supplying users to Keycloak)
or "out" (getting auth/user info from Keycloak).

Change-Id: I516501081e3448c81c710fcbc79cc68ad2a80f3b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4762
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
2022-01-02 21:22:17 +00:00
Vincent Ambo
5e036ed9fc fix(ops/pipelines): Remove duplicated wait step
This now happens in //nix/buildkite instead

Change-Id: Ie9e239ee4f28ac34aa4d3279dac55d70a2cb9d86
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4764
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-02 19:09:19 +00:00
Vincent Ambo
2bf39d7101 refactor(modules/smtprelay): Load credentials via agenix
Change-Id: I56f6887e1fd35551cfc83ad08cafebb611f4a341
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4760
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: Profpatsch <mail@profpatsch.de>
Autosubmit: tazjin <mail@tazj.in>
2022-01-01 15:30:17 +00:00
Vincent Ambo
58c64aa81a feat(ops/secrets): Add smtprelay credentials
Change-Id: I489e611a3fb19b4a374a563aa1afd81a130b2e7f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4759
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <mail@tazj.in>
2022-01-01 15:30:17 +00:00
Vincent Ambo
b763f183f7 fix(ops/keycloak): redefine buildkite client, correctly this time
This client definition was previously nonsense. What happened is that
I accidentally imported the client as an OIDC client, which Keycloak
accepted because apparently those are the same entities on the API
level, and that ended up getting mangled into some broken hybrid shape
by Terraform.

This sets up the Buildkite provider again but with the correct
SAML configuration this time.

Change-Id: Id7ba318984d2fcc9e2ca91ed45ccbfd227278bbe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4731
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: tazjin <mail@tazj.in>
2021-12-28 17:37:22 +00:00
Vincent Ambo
7ecb2a1144 refactor(tools/depotfmt): Move depotfmt check into a real build step
Produces more useful output and also makes for a good target for the
upcoming extraSteps logic.

Change-Id: Ifd389d433d9e27f97940a48999f4fba35646e37a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4727
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-12-28 15:37:10 +00:00
Vincent Ambo
b7ef2a579b refactor: Generalise pipeline generation in //nix/buildkite
Extracts the logic for generating our Buildkite pipeline (which has
been copy&pasted and slightly modified in some places outside of
depot) into a generic //nix/buildkite library.

This should cause no change in functionality.

Change-Id: Iad3201713945de41279b39e4f1b847f697c179f7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4726
Autosubmit: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-12-28 15:34:39 +00:00
Vincent Ambo
88d7075b30 fix(ops/users): change my email to the @tvl.su one
Change-Id: Id608fe66b203c1d08958c85be44506a86eec56d5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4730
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Autosubmit: tazjin <mail@tazj.in>
2021-12-28 13:00:54 +00:00
zseri
52369a11e3 refactor(ops/secrets): optimize + typecheck mkSecrets
Change-Id: I592c8f2f82cef8fe4509e90a8c48504a0c74d133
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4688
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: zseri <zseri.devel@ytrizja.de>
Tested-by: BuildkiteCI
2021-12-27 23:16:31 +00:00
Vincent Ambo
d8cdd629f4 feat(ops/glesys): Import DNS records for tvl.su
These records were previously configured manually in the GleSYS web UI
during our DNS outage (b/155).

Note that I could not find a way to `terraform import` these records
and have instead recreated the set and then cleaned up in the UI.

Change-Id: If7de9a7e6dad20953ba8b610589a62dce400e87b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4716
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 16:45:54 +00:00
Vincent Ambo
228138395b feat(ops/glesys): Import DNS records for tvl.fyi
These records were previously configured manually in the GleSYS web UI
during our DNS outage (b/155).

Note that I could not find a way to `terraform import` these records
and have instead recreated the set and then cleaned up in the UI.

Since we often point things at whitby, I have extracted variables for
its IPs in this change.

Change-Id: I09fda94d3734e8aaa278fa858e160d046740da1e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4714
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 16:42:53 +00:00
Vincent Ambo
b2c151cebb feat(ops/glesys): Import DNS records for nixery.dev
These records were previously configured manually in the GleSYS web UI
during our DNS outage (b/155).

Note that I could not find a way to `terraform import` these records
and have instead recreated the set and then cleaned up in the UI.

Change-Id: I2b7e0ed0931f50e7fa49c1f6e3400dfe958def04
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4713
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 16:42:52 +00:00
Vincent Ambo
df8edcb5f7 feat(ops/secrets): Import secrets for tf-glesys
Adds the secrets and some instructions for deploying the GleSYS
Terraform infrastructure.

Change-Id: I1a10f9cee7648d406b3d27ef45fc74b6923cbc30
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4712
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 15:53:57 +00:00
Vincent Ambo
23693ca898 feat(ops/keycloak): Import Buildkite OIDC client
This was previously configured in the UI.

Change-Id: I68361b1489093b76736adab2e38ed7b474b10881
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4711
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 15:53:57 +00:00
Vincent Ambo
fb7d45abc4 feat(ops/keycloak): Import Gerrit OIDC client
This was previously configured in the UI.

Change-Id: Ib15b8ecca96d7814dc85d62199865b22bdb63f95
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4710
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 15:53:57 +00:00
Vincent Ambo
98be390576 fix(ops/keycloak): Move Terraform state to GleSYS bucket
This should never sit around locally the way it does now.

Change-Id: Icfbdaf1949d6d948a796a0759282ea6144af3621
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4709
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 15:53:57 +00:00
Vincent Ambo
e616f978d0 feat(ops/secrets): Add tf-keycloak secrets file
This file can be sourced (somehow, depending on the user) while
working with //ops/keycloak to get the relevant secrets.

Change-Id: Ibb3051c4b019f64824964475451c1c3996db6421
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4708
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 15:53:57 +00:00
Vincent Ambo
4f030f085d feat(ops/keycloak): Add OIDC client for Grafana
Completely forgot about Grafana, so it's currently broken. Oops!

Change-Id: Ia4e6405428ad8e514d6e61635f9692c57f61defe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4705
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: tazjin <mail@tazj.in>
2021-12-27 15:53:57 +00:00
Vincent Ambo
906d6553c6 fix(whitby): Point grafana at new auth provider
Grafana was still pointing at the (now non-existent) CAS setup. This
changes the endpoints to use Keycloak instead and updates the client
secret.

Change-Id: Ib25d38330aba2ef6d894e8c33d86852c884ab5be
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4706
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 14:44:38 +00:00
Griffin Smith
ef62e51b7b refactor(ops/secrets): generalize out a mkSecrets function
Generalize out a reusable mkSecrets function from the
secrets-tree-building that's happening in //ops/secrets, so the same
thing can happen in other places in the depot (I want to use it for my
personal infrastructure).

Change-Id: I059295c8c257d78ad7fa0802859f57c2c105f29b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4679
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
2021-12-27 03:46:26 +00:00
Griffin Smith
9b3374b091 feat(ops/machines/all-systems): Add grfn/mugwump
Change-Id: I7770b58c44a5700e86c80d1058e89e9fa65d719b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4686
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
2021-12-26 21:33:36 +00:00
Griffin Smith
7ea212ee07 fix(auto-deploy): Add missing packages to path
Building nix derivations needs tar (provided by gnutar) and gzip on the
PATH in order to extract .tar.gz archives.

Change-Id: Ia2df7a3a770cfd342dfede58ad34e04805fbd1f8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4685
Tested-by: BuildkiteCI
Autosubmit: grfn <grfn@gws.fyi>
Reviewed-by: wpcarro <wpcarro@gmail.com>
2021-12-26 21:33:36 +00:00
Vincent Ambo
fc16f1e467 fix(ops/keycloak): set up client for usage with oauth2_proxy
This will be useful for things like panettone, pending a NixOS module
for oauth2-proxy (the upstream one is too complicated and doesn't
support what we need).

Change-Id: I4ca193e10a94a29b1fb9003e945896ff8eb61116
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4662
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
Autosubmit: tazjin <mail@tazj.in>
2021-12-26 16:59:01 +00:00
Vincent Ambo
a8923242be fix(ops/keycloak): trust email addresses from LDAP
Verified emails are required for some things, like e.g. oauth2_proxy

Change-Id: Ifb124be40d6d2863cd1b7ed5fbdfcf4827e8808c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4661
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-12-26 16:59:01 +00:00
Vincent Ambo
e8fa347fd1 feat(ops/keycloak): Set up oauth2_proxy client
Change-Id: I996d9644ed7e870d6e5a42af117eafbf841da679
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4640
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-12-26 16:59:01 +00:00
Vincent Ambo
7b3c0b3e2f feat(ops/keycloak): Check in initial Keycloak configuration
This is still missing most of the client configuration etc., in part
due to bugs in the provider which are preventing resource imports.

Change-Id: Ic224ffc001f8e1fe6dcd47b7d002580fdf7b0774
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4628
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-12-26 16:45:59 +00:00
William Carroll
80ef71e995 feat(ops/auto-deploy): Support auto-deploy
Automatically rebuild the current system's NixOS config from the latest checkout
of depot.

Change-Id: I23aa7af50e16e985ac34df214e0905e770316e5e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4390
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
2021-12-26 14:55:42 +00:00
Vincent Ambo
28a80e0251 chore: friendship ended with cas, now keycloak is our best friend
Note that the login.tvl.fyi WWW configuration is still kind of hanging
around until we've settled where Keycloak lives.

Change-Id: Iaca4e394a7371cafa3716ca66ef09c4eca5b1520
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4626
Autosubmit: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-12-26 00:10:10 +00:00
Vincent Ambo
738cca62c1 feat(monorepo-gerrit): Configure for Keycloak compatibility
Change-Id: Ic3fce02b071c09cf03e652510f16bafb795a5a1d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4614
Autosubmit: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-26 00:10:09 +00:00
Vincent Ambo
e4d20cdaec refactor(ops/whitby): Move Gerrit secrets into agenix
Gerrit has OAuth2 and email related secrets which now live in agenix
instead of a random file on disk.

Change-Id: I6220fbb7a2e2ec0102a900b4bcf6150b8b4d32ef
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4612
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-12-25 21:15:41 +00:00
Vincent Ambo
d8a1802b3e feat(whitby): Configure initial Keycloak setup
Trialing this as an alternative to CAS that is a little easier to
configure and can help us delegate authentication to other OIDC
services.

Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-12-25 21:11:40 +00:00
Vincent Ambo
21b2055eb1 feat(ops/glesys): Provide tf-glesys wrapper
This provides the right Terraform provider with a wrapper in $PATH.

Change-Id: Idcb4fa89dff0161e8a73addfce81959e825c331e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4562
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-24 19:21:48 +00:00
Vincent Ambo
8ca69b1caa style(ops/glesys): apply terraform fmt
Change-Id: Ibbba78aaecc3b3cba23961a1b10ce5a8eb8ff296
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4580
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-24 18:55:44 +00:00
Vincent Ambo
677f72cb9d feat(ops/glesys): Add gitignore for Terraform files
Change-Id: I67b971f875819fd9daa3b2e952604206b89ee216
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4578
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-24 18:54:44 +00:00
Vincent Ambo
13dc0793cf feat(ops/glesys): Create objectstorage key for litestream
Change-Id: I8b3e4f767440ae7763c1e6ce9fd97c557fe516ee
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4577
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-24 18:54:43 +00:00
Vincent Ambo
e2596e930e feat(ops/glesys): Move Terraform state to GleSYS bucket
Change-Id: Ib14fba9a5f06ecdb065dd14580c8088f98e9cb3a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4576
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-24 18:38:40 +00:00
Vincent Ambo
ef92f8b231 feat(ops/glesys): Create bucket & key for storing terraform state
Change-Id: I73cfaa614d46afb65ba312e767d1e924669fbae1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4575
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-24 18:38:40 +00:00
Vincent Ambo
afe648bbb2 feat(ops/glesys): Import existing object storage instance
Change-Id: I5a5269ef0d385d864dd8f62eb2332e6ae2cb2672
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4574
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-24 18:38:39 +00:00
sterni
7de43fe4ee style(ops/besadii): run depotfmt
Unclear if this reformat is caused by the channel update or if this file
was ignored previously.

Change-Id: I3498ab181c7fff1b132419783e33a96f7bebfe42
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4520
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-12-21 14:19:28 +00:00
Vincent Ambo
4ad94b9cf8 feat(ops/pipelines): annotate patchset builds with Gerrit URLs
If available, provide a link back to Gerrit on the overview page of a
build.

Uses the default style (i.e. style unset), which makes it
non-intrusive visually.

Change-Id: I4271d589d548015b75762fd0584f3958bfcc53e5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4442
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-19 21:23:51 +00:00
Vincent Ambo
562236085b style: format all Go code
The code in //users/wpcarro/tools/monzo_ynab/ynab/client.go was not
valid Go and has been commented out.

Change-Id: Icb4003607f30294dcbf60132eb7722702c7f0d84
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4400
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-12-19 18:05:04 +00:00
Vincent Ambo
eea2dbadd0 fix(ops/besadii): fix Gerrit URL format ... again
got into some kind of race with different patchsets of this CL
somehow, idk

Change-Id: I3dcdb708f141829b866fbd786483710b43ea9824
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4481
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
2021-12-19 17:08:08 +00:00
Vincent Ambo
1d4715781c fix(ops/besadii): Only set branch to CL when building patchsets
If we set this for canon, then stuff starts to fail in non-obvious ways.

Change-Id: I3bf38e29151c6066aaf4eba68ae387272d8a82c2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4463
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-19 16:53:47 +00:00
Vincent Ambo
f8b4029b17 fix(ops/besadii): Stop path.Join from eating our URL
apparently this chomps away at things inside of fragment strings

Change-Id: Ie60d52d101dc4281b3a62c228af076791e1c7928
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4462
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-19 16:46:00 +00:00
Vincent Ambo
3a2a5ffa9d feat(ops/besadii): Pass Gerrit link to builds as an envvar
This makes it possible to annotate builds with a link back to Gerrit.

Change-Id: If351785d3b631b96753d41f417ca94bc7a95ac54
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4441
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
2021-12-19 16:27:29 +00:00
Griffin Smith
b075b1df9d feat(ops/besadii): Make branch key cl/XXXX
The branch key for buildkite builds isn't actually used to fetch if a
commit is given - instead, it's just a visual grouping of multiple
builds. This means we can just make the branch key cl/<cl number>, which
is the convention we already use to refer to CLs and gets us a nice
visual grouping of builds of successive patchsets of the same CL number,
even though the ref we're providing isn't a real ref.

Change-Id: Iaa9111297a88f965fda94cd8266240106f58a100
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4347
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Autosubmit: grfn <grfn@gws.fyi>
2021-12-19 16:16:56 +00:00
Griffin Smith
7f593781f3 feat(whitby): Add buildkite agents to docker group
I'd like to be able to run extra CI steps that include running docker
containers (to integration test things like webapps that connect to a
database). To do this the buildkite agents themselves need permission to
do docker things.

Change-Id: I3c9a488708f0e12a508754ac41f04148ca7aedac
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4408
Tested-by: BuildkiteCI
Autosubmit: grfn <grfn@gws.fyi>
Reviewed-by: tazjin <mail@tazj.in>
2021-12-19 12:58:35 +00:00
William Carroll
06a20ba3df fix(ops/diogenes): Ensure diogenes builds
diogenes "passed" CI because the file was named configuration.nix
(vestage from the NixOS default /etc/nixos/configuration). This CL fixes
some issues I encountered after running depot/bin/rebuild-system.

TL;DR:
- rename configuration.nix -> default.nix to trigger CI
- add diogenes to my systems
- add public SSH key

Change-Id: I24197b8936c201267db6f71f00099dce590eac1d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4388
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: tazjin <mail@tazj.in>
Autosubmit: wpcarro <wpcarro@gmail.com>
2021-12-17 22:12:40 +00:00
William Carroll
1ca4c6d2be feat(wpcarro/marcus): Add marcus to the depot
me: marcus, meet depot. depot, meet marcus.
Change-Id: Ic6a25ac85e4c7f6dfea2a42b46a4400f92df70a2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4351
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-16 22:07:02 +00:00
zseri
3e18b034bb feat(ops/users): Add user zseri
Submitted via IRC, instead of the usual Google Groups
due to email issues.

Change-Id: I71a2bdfd10b02370df61bbba4dabc2f45b6c1009
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4384
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <mail@tazj.in>
2021-12-16 19:13:02 +00:00
Griffin Smith
d85c6a1b56 feat(ops/modules): Provide some modules to all nixoses
For modules that are gated behind a mkEnableOption, it's reasonable to
just provide them to all Depot-built nixos systems without requiring
people to explicitly import them. This defines a special module called
`default-imports.nix` which imports these modules (currently just
tvl-cache.nix and automatic-gc.nix, as I'm being rather conservative
adding things here to avoid breaking anyone's system), then provides
that module as one of the `modules` passed at the top-level
nixos/eval-config invocation.

Change-Id: I3be299ab10ae4c451ef11c514edb3c89318a2278
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4345
Tested-by: BuildkiteCI
Autosubmit: grfn <grfn@gws.fyi>
Reviewed-by: tazjin <mail@tazj.in>
2021-12-16 14:17:35 +00:00
Griffin Smith
0f5cc25697 feat(ops/modules): Add shared module for TVL cache
Add a shared nixos module for configuring whitby as a binary nix cache,
and refactor tverskoy to use this module.

This is enabled via an option to pave the way for including it as an
import in all depot-generated nixos configs at some point in the future.

Change-Id: I6dcc0e8eb48b1ac34457666dceebeedd5da6c526
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4344
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: grfn <grfn@gws.fyi>
2021-12-15 23:36:22 +00:00
Griffin Smith
50b43cfb66 fix(ops/besadii): Don't send notifications for CI status
Don't notify reviewers ever on CI status changes, and only notify the
owner if the build fails.

Change-Id: If2cf63581b49e3de77181024ce8a4213031f4bd5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4337
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Autosubmit: grfn <grfn@gws.fyi>
2021-12-15 19:01:55 +00:00
Vincent Ambo
743bee8686 fix(ops/pipelines): Allow steps to run immediately after upload
This fix was recommended by Buildkite and is explained in the comment.

Change-Id: I3f1c1c07cba0b417857d69c021c8af4750d645c4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4334
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-12-15 16:55:03 +00:00
Vincent Ambo
38ec27e834 fix(ops/pipelines): Chunk build pipeline into multiple uploads
The number of jobs in the depot pipeline is reaching the limits of the
Buildkite backend's ability for a single pipeline upload. Based on a
conversation with their support my understanding is that this has to
do with internal locking mechanisms at Buildkite.

To work around this, we can instead chunk the pipeline into several
smaller chunks that are uploaded serially.

This commit introduces logic to chunk the pipeline accordingly. The
chunk size chosen is 256 for now (a multiple of our number of agents,
which is useful if we can get builds from the first chunk to start
before the next ones are uploaded).

Note that this chunk size is significantly below even the current
number of targets (~460 as of this commit), but choosing a lower chunk
size might alleviate problems we've been seeing with timeouts during
pipeline uploads.

Change-Id: I77030aaf8b874c330218b78c77d15216e13b9af7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4332
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: tazjin <mail@tazj.in>
2021-12-15 15:49:40 +00:00
Florian Klink
46a2c75a59 docs(ops/irccat): link to credentials RFE
https://cl.tvl.fyi/c/depot/+/4264 did move merging config with secrets
into ExecStart=, which is tracked in an RFE upstream:

https://github.com/systemd/systemd/issues/19604#issuecomment-989279884

We didn't link to this so far, neither in the commit message, nor in a
comment.

Let's add a comment, so people know when we can undo this.

Change-Id: I7bed370b671093bb876592b4dccd562f1c256cd2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4326
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-14 17:30:33 +00:00
sterni
9f22b4f1c8 docs(ops/pipelines/depot): correct comment about fallback build cmd
We can gcroot the derivation files and drop this step, but have
elected not to do so for the moment, see cl/3436.

Change-Id: I993a1f3921e9f21e18fa260e76d3dd15ffa556bd
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4327
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <mail@tazj.in>
2021-12-14 17:02:29 +00:00
Åsmund Østvold
6842e25f14 feat(besadii): Make Gerrit label configurable
By default besadii will set the `Verified` label in Gerrit. This adds
a config option to set a different label instead if desired.

Co-authored-by: Vincent Ambo <mail@tazj.in>
Change-Id: I254159e46994e01182987ed5e5e26e27c57f46ce
2021-12-14 09:28:09 +01:00
Vincent Ambo
b97d6b0f1b feat(ops/users): Add wpcarro
... this was overdue!

Change-Id: I435768007db4a0f3663e1aa9376e8cae4d1d0381
2021-12-13 23:54:12 +03:00
Vincent Ambo
79b4e0e1a4 chore(ops/users): Rotate password hash for asmundo
New hash received via an authenticated channel, of course.

Change-Id: Idca688d8a8bb2e943aef3937f54d292b48f79fad
2021-12-13 23:51:43 +03:00
sterni
fe0e19ead4 feat(ops/whitby): install alacritty terminfo
alacritty is used by grfn atm.

Change-Id: I10dacd301044f9c37790e22e955cb068fcbd2cfc
2021-12-13 19:40:28 +00:00
sterni
cdf7480662 feat(ops/whitby): add terminfos for other terminals used
* foot (me)
* kitty (lukegb)

Change-Id: I65303e39c4adb05e362792a544134fc2884175bf
2021-12-13 12:56:12 +00:00
Vincent Ambo
961443c23c feat(whitby): Add some more useful programs
I keep using these in nix-shell but really they should just be
installed.

Change-Id: Ic2c36bae8b582fef88029b288accdfd3c8bc0f1b
2021-12-13 15:48:41 +03:00
Vincent Ambo
3a410a78df feat(ops/secrets): Make (encrypted) secrets part of the tree
Currently in NixOS configuration using agenix secrets there is no
build time validation of secret paths - things fail at runtime (system
activation).

To prevent that, this CL makes the secrets part of the tree based on
the same configuration file used by agenix itself.

This guards against:

* agenix secrets.nix definition for a non-existent file
* age.secrets value in a NixOS config for a non-existent secret

Change-Id: I5b191dcbd5b2522566ff7c38f8a988bbf7679364
2021-12-12 11:19:24 +03:00
Vincent Ambo
8cbb42006a chore(ops/secrets): Reencrypt all secrets with sterni included
Change-Id: I14043c2bd9da43a6b7de65baf0ebb75eaf3c4e22
2021-12-11 18:51:36 +03:00
sterni
40096c2931 feat(ops/secrets): add keys for sterni
Change-Id: Idf13f7737dd51e74e87093e07cdf22ad24407944
2021-12-11 15:41:55 +00:00
Vincent Ambo
f9bd68e247 fix(ops/secrets): Fix missing file
... okay, this is like the 5th error related to something with this
and file paths. Need to write some validation logic.

Change-Id: I4314818aa1bc25b8cf7bd3593850d3836ccb867c
2021-12-10 23:53:50 +03:00
Vincent Ambo
aa5bf312e8 fix(tvl-buildkite): Use supported credential helper binary name
Git only allows binary names prefixed with `git-credential-` if the
path to the helper is not absolute.

Why? Who knows.

Change-Id: I216b2a621f62a73f05e21def7ec8016b29ede892
2021-12-10 23:37:57 +03:00
Vincent Ambo
2f1c654c14 refactor(ops): Move panettone secrets to agenix
Relates to b/161

Change-Id: I508e5a0eacab668f4bd39a2c888d894b96bed093
2021-12-10 23:19:56 +03:00
Vincent Ambo
2b9be81ea0 refactor(ops/pipelines): Use agenix-deployed besadii secrets
I *think* this is the final step for b/161

Change-Id: Ie7a2198a045f2f1866a245884ab0f5414e205327
2021-12-10 23:14:41 +03:00
Vincent Ambo
60f96d2b17 fix(whitby): Fix typo in buildkite-agents group name
... really would like some assertion helpers for this sort of stuff.

Change-Id: I32d1de18ebfbbdfa5128a8fbdad2efcc511f8514
2021-12-10 23:01:20 +03:00
Vincent Ambo
5baa9b6d87 refactor(tvl-buildkite): Prepare gerrit credentials helper
Currently this functionality is provided by a shell script stored in
/etc/secrets (which has the password value hardcoded).

This needs to happen in a separate commit from the one that changes
the pipeline to avoid breaking it (it needs to be deployed first).

Change-Id: I680754c828ccefbacfcf0d5c813a4bc19493ba4c
2021-12-10 19:52:39 +00:00
Vincent Ambo
2fe8d724d7 refactor(ops): Move Nix cache secret to agenix
... and also the public key, just to keep the distribution mechanism
the same.

Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
2021-12-10 19:48:26 +00:00
Vincent Ambo
82a885a750 refactor(ops): Use besadii configuration from agenix
We already checked this in, but this commit adds the configuration for
making use of it.

There are two copies of besadii's JSON configuration with different
permissions.

Note that the buildkite-graphql-token path needs to be updated in
static-pipeline.yml, but this needs to happen in a separate commit
after deploy because the pipeline will break otherwise.

Change-Id: I6fab4bf1a2e679df7cf76521e2b53bd9dadbac62
2021-12-10 19:31:36 +00:00
Vincent Ambo
b1108821a9 refactor(ops): Move grafana secret into agenix
Change-Id: Id141758135c796881e91d20b950dae74c40d9ab3
2021-12-10 19:31:36 +00:00
Vincent Ambo
b2d46aed2b fix(tvl-buildkite): Add more missing programs to agent path
... this option really is a pitfall! The list of programs is now the
same as in the upstream module, plus curl and jq.

Change-Id: I29edae4b2400a2724f62df9efa1dc184a8b0af5f
2021-12-10 17:13:22 +00:00
Vincent Ambo
b8267c261c fix(ops/irccat): Avoid permissions issue with LoadCredentials=
The DynamicUser + Group configuration does not work as planned, thus
the systemd LoadCredentials feature is used instead which makes the
file (which itself is only readable by root) available in a
memory-backed location only readable by the service.

The secret is only available to `ExecStart` commands, so units using
this feature can not be used with pre/post units and the like if those
commands need secrets.

To accommodate this, the merge of configuration files has been moved
into the service launch script, which is now the ExecStart= process.

For details take a look at https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LoadCredential=ID:PATH

Change-Id: I693fe5677cc0d63c7aa485c2c7472457c5262166
2021-12-10 15:09:09 +00:00
Vincent Ambo
67bde5ecc3 fix(tvl-buildkite): Explicitly set runtimePackages
It turns out the lib.mkAfter call doesn't behave as expected -
only *some* of the packages that are defaulted end up in the $PATH.

I suspect this is actually something else, e.g. these packages are
always added for some reason or another, and the option is completely
overridden every time.

Change-Id: I854c7198520d82b00e6338ed0fe653836226dc6d
2021-12-10 15:06:08 +00:00
Vincent Ambo
2ba481451c chore(ops/secrets): Reencrypt with grfn's key included
Change-Id: I66df150ab5070a81a92f0741334639df9df1f86f
2021-12-10 17:52:08 +03:00
Griffin Smith
a85ab68b12 chore(ops/users): Rotate password for grfn
Just a regular password rotation, plus I wasn't using argon2 unlike
everyone else.

Change-Id: Ic57fe79a2dbfdc15397d20f6b2b47c6aac911d29
2021-12-10 09:45:17 -05:00
Griffin Smith
66a1d3d5d4 feat(ops/secrets): Add key for grfn
Change-Id: I8063ae804932e3815e9a499e0206806818b9b021
2021-12-10 09:44:34 -05:00
Vincent Ambo
bc3d35f3d0 fix(tvl-buildkite): Add missing runtimePackages back
Turns out that the type of this option is not concatenative and it
replaces the packages needed to run Buildkite if set.

Change-Id: I9f52572bc165bccdd8c6518cfdf7b8967f7a50d0
2021-12-10 13:14:11 +00:00
Vincent Ambo
d4403638cf refactor(ops): Move irccat secret into agenix
The irccat module uses DynamicUser, so to grant permission to it a new
group has been added for irccat.

I have some vague memory of DynamicUser + Group not behaving as one
would expect, but we'll see what happens.

Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
2021-12-10 16:13:31 +03:00
Vincent Ambo
002d183876 refactor(ops): Move clbot SSH key into agenix
Change-Id: Iae03ead7dda0509689a76f0d76f9cfeb8434e967
2021-12-10 16:13:31 +03:00
Vincent Ambo
811e6d7d9f chore(whitby): Remove shadowsocks service
No longer required on whitby.

Change-Id: I93951c6b708eae81ddb03df920a4068c1ccde9e7
2021-12-10 13:07:09 +00:00
Vincent Ambo
fc14c21bb9 fix(ops/pipelines): Move to static pipeline
This step would get inserted at the wrong point in the build pipeline
otherwise, causing a dependency cycle and causing the pipeline to fail.

Change-Id: I534568eec77f74ae6c47276820f8a9e99493a3ea
2021-12-10 11:01:21 +03:00
Vincent Ambo
e4231c9816 refactor(ops/pipelines): Move 🦆 logic into static pipeline
This simplifies the fallback logic used in case of Nix evaluation
failure and makes it so that the evaluation step itself is the one
that is marked as failed in Buildkite.

This is possible because the pipeline upload command will insert new
steps at the point where it runs in the pipeline, and not later.

Change-Id: I870534c004ebc457a1602623c4e5f9c0c68e28fc
2021-12-10 07:55:34 +00:00
Vincent Ambo
9ea4d55d81 refactor(ops): Move buildkite-agent-token into agenix
Relates to b/161

Change-Id: I5d3a698d437928966d8b78ce9e0ba226c1437655
2021-12-10 10:32:44 +03:00
Vincent Ambo
a123b9e0a2 refactor(ops): Move owothia secret into agenix
Relates to b/161

Change-Id: I25445281b0dd3c3f3660f8bb0d8337506a1e427b
2021-12-10 10:32:14 +03:00
Vincent Ambo
78744c00f5 refactor(ops): Move clbot secret into agenix
Relates to b/161

Change-Id: I7badf22ff93bb4e8b06e4dd4a8bf880b0bd48f09
2021-12-10 10:32:14 +03:00
Vincent Ambo
496d899428 feat(ops/secrets): Configure secrets for gerrit-queue
Adds a systemd EnvironmentFile secret that contains the Gerrit
username & password for gerrit-queue.

Change-Id: I25acf87764c26774045138402b8a417b6813ee8f
2021-12-10 10:32:14 +03:00
Vincent Ambo
4870b1a2ff feat(ops/modules): Add module for running gerrit-queue
This is not yet including the secret configuration for gerrit-queue,
and just expects the secret (gerrit username & password) to be
available in /etc/secrets.

Change-Id: Ia465ef7f3f521c70d606d7fdeba9aa83c7e1b98b
2021-12-10 10:32:14 +03:00
Vincent Ambo
a9dd719e7c chore(tvl-buildkite): Add jq and curl to agent paths
This is required for a simplification of the build pipeline (following
CL) and needs to be in a separate commit as it can not be done
atomically (merging the other commit to deploy it would immediately
break pipelines otherwise).

Change-Id: I5d8ec8f3238f79b5518d799486bf98d1d9516c43
2021-12-10 10:21:34 +03:00
Vincent Ambo
f1e1f71883 feat(ops/secrets): Bootstrap agenix secrets folder
Sets up the key set and adds an initial secret (besadii config with
tokens) to be deployed to whitby.

Change-Id: Ic07fd5e66b9e7a533013e04c35e052c2aa11f77d
2021-12-08 18:22:00 +00:00
Vincent Ambo
c1479a6221 chore(besadii): Improve error messages on parse failure
Change-Id: I3cc4637aca8a940a0fdeca2d8bd6ac620ea384c0
2021-12-07 18:27:44 +00:00
Vincent Ambo
8a944484f0 fix(ops/besadii): Unquote Gerrit's extra-quotes around emails
Gerrit wraps RFC5322 emails in another layer of quotes when passing
them as flags, and this needs to be unquoted.

Otherwise hook invocations fail with cryptic errors.

Change-Id: Ieeb74c662873d99a4154f8cbc92da77b039cb88e
2021-12-07 18:27:44 +00:00
Vincent Ambo
6faf0edaff fix(ops): Correctly pass command name to besadii invocations
Ensure that besadii sees $0 as the correct command name, since that is
the sole mechanism by which its functionality is switched around.

There was a lingering commit that introduced this bug and hadn't been
deployed in a couple of days. Maybe time to tighten deploy cycles soon
...

Change-Id: Ie4284c0f6e5e06d71a71a3702ec7e092260e0ce5
2021-12-07 18:27:44 +00:00
Vincent Ambo
7f2f5d07f2 fix(ops/besadii): Pass Build.Author to Buildkite
Extracts author information from the flags passed by Gerrit and moves
them along to Buildkite. This should display the owners of builds
correctly in the UI, rather than marking everything as coming from me.

Change-Id: If9efe5553a13f0dbdb8bf3936c1d341ae5922318
2021-12-06 17:42:57 +03:00
Vincent Ambo
b679bb4034 refactor(ops/besadii): Get config from home directory by default
Slightly more ergonomic in some setups.

Change-Id: I565f2d242852ffd299ef5d5740a47520187dd4b4
2021-12-02 17:13:49 +03:00
Vincent Ambo
dcb2410982 refactor(ops/besadii): Generalise for use with non-TVL URLs
This makes it possible to use besadii for any TVL-ish setup using
Gerrit and Buildkite, with the same hook functionality as for TVL.

Change-Id: I1144b68d7ec01c4c8e34f7bee4da590f2ff8c53c
2021-12-02 13:10:21 +03:00
Vincent Ambo
e48ae26e8e feat(ops/besadii): Add other missing configuration keys
Adds configuration keys and rudimentary validation for all other
besadii settings that are currently hardcoded.

This adds the config options:

* repository: Name of the repository in Gerrit.
* branch: Name of the HEAD branch in the repository.
* gerritUrl: Base URL of the Gerrit instance
* gerritUser: Username of the Gerrit user
* gerritPassword: Password of the Gerrit user
* buildkiteOrg: Name of the Buildkite organisation
* buildkiteProject: Name of the pipeline inside the Buildkite
  organisation
* buildkiteToken: Auth token for Buildkite access

All of these configuration options are required.

Change-Id: Ie6b109de9cd8484a3773c6351d7fd140f39a49ed
2021-12-02 13:10:21 +03:00
Vincent Ambo
ee635d4645 chore(ops/modules): Configure besadii call sites to load config
On whitby, the besadii config will live in
/etc/secrets/besadii.json. This CL updates the call sites to pass this
config path to besadii so that it can load Sourcegraph configuration.

Change-Id: Ia139b9fa3b827e7a5f2386214390acc6fe19a75a
2021-12-02 13:10:20 +03:00
Vincent Ambo
168114df52 refactor(ops/besadii): Move Sourcegraph config to a file
Initial step towards moving besadii away from hardcoded values and
onto config files. This is required because I want to reuse besadii
outside of the TVL context.

Change-Id: Id4fa7a49c5d4f876a02b202f04a421ab5ba0dcc4
2021-12-02 13:10:20 +03:00
Vincent Ambo
c53d6d3453 fix(ops/nixery): Temporarily stop serving depot packages in Nixery
Change the Nixery configuration to use the plain nixpkgs package path
instead of the depot path. AFAIK, nobody uses this to fetches depot
packages at the moment - but plenty of people fetch non-depot
packages.

This means that Nixery is cache-busted less often (previously on every
commit => every deploy).

We'll figure out another way to have a depot Nixery later.

Change-Id: Iba632333346181c3d2ce992fbab396ed0d9f86aa
2021-12-02 09:16:52 +03:00
Vincent Ambo
433f0ae5cd fix(ops/www): Redirect tvl.fyi/blog -> tvl.fyi
The blog index page is at the root and people may manually edit the
URL.

Change-Id: I6cdaaaee6223524a9e950584379cfac34f8be160
2021-12-01 23:41:23 +03:00
Vincent Ambo
c1aab56a02 feat(besadii): Support invocation as different Gerrit hooks
Removes besadii support for the previously used 'ref-updated' hook and
instead introduces support for the 'change-merged' and
'patchset-created' hooks.

These hooks more accurately capture the semantics of when besadii
should trigger CI builds and using them will avoid problems such as
skipping 'canon' builds if chains of CLs are submitted together.

Change-Id: Ib90356c069780bf0c0250e56b927e46a5b31ce7f
2021-12-01 12:49:31 +03:00
Vincent Ambo
68d1f834a3 fix(ops/www): Strip .html from TVL blog post URLs
Change-Id: I4d1f9284ec004931c07c04d614b01f28eedea508
2021-11-30 13:56:29 +03:00
Vincent Ambo
6edfdd0773 refactor(ops/pipelines): Query build status from Buildkite API
Instead of manually tracking the build status through Buildkite
metadata, use the Buildkite GraphQL API in the `🦆` build
step (i.e. the one that determines the status of the entire pipeline
to be reported back to Gerrit) to fetch the number of failed jobs.

This way we have less manual state accounting in the pipeline.

The downside is that the GraphQL query embedded here is a little hard
to read.

Notes:

  * This needs an access token for Buildkite. We already have one for
    besadii which is also run by the agents, so I've given it GraphQL
    permissions and reused it.

  * I almost introduced a very rare bug here: My initial intuition was
    to simply `exit $FAILED_JOBS` - in the extremely rare case where
    `$FAILED_JOBS % 256 = 0` this would mean we would ... fail to fail
    the build :)

Change-Id: I61976b11b591d722494d3010a362b544efe2cb25
2021-11-29 23:38:24 +03:00
Vincent Ambo
4d57898af4 chore(ops/users): Update password hash for asmundo
... some issue snuck in on the first one, as is tradition.

Change-Id: I06ce4df82cde26231cd1ab3df500de02e981d9bc
2021-11-29 18:12:19 +03:00
asmundo
78f51edf8c feat(ops/users): Add user asmundo
Change-Id: Ie666b6556d91513babd884b2ed1140cd6c0ed2a9
2021-11-29 14:14:04 +00:00
Vincent Ambo
eca2bc572e refactor(besadii): Rename refUpdated -> buildTrigger
We are changing the Gerrit hooks which invoke besadii, but this
structure will be used for both kinds.

Change-Id: Idb1cb0c640d2c42db8e7af39f3ab372a97bfef91
2021-11-29 13:54:47 +00:00
Vincent Ambo
104f002a07 fix(ops/besadii): Trim whitespace of auth tokens
This is causing failures when trying to update Sourcegraph at least,
for good measure I've trimmed both.

Change-Id: I40266ee83b4e266ffe50f16bb365eb2e51952513
2021-11-28 10:34:36 +00:00
Vincent Ambo
4f1249e46f refactor(readTree): Move 'drvTargets' into readTree
This function is also generally useful for readTree consumers that
have the concept of subtargets.

Change-Id: Ic7fc03380dec6953fb288763a28e50ab3624d233
2021-11-23 14:42:08 +00:00
Vincent Ambo
15cb37f877 fix(ops/restic): Move whitby's backup to GleSYS object storage
Since GCP nuked us, the backups are now moving to GleSYS'
S3-compatible object storage.

This refactors the restic module to support S3-compatible storage
instead of GCP, and switches to the appropriate new secret paths.

The secrets were placed on whitby manually and I verified that the
backups work.

This fixes b/157

Change-Id: I6a9d2b0581967605ce736605a3befb44cdeae7e1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3883
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-11-21 12:01:26 +00:00
Vincent Ambo
099f36e5ee fix(ops/pipelines): Fix tagging of commit revisions
It seems that shell variables don't work as expected inside the
Buildkite pipeline, so usage of variables has been removed.

We also don't echo the revision anymore because of that, but it does
still appear in the log of `git push`.

Change-Id: I124e3b09af896da898f2a78715ed371651a1c5f8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3780
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-11-06 00:33:23 +00:00
Vincent Ambo
4b33401a36 refactor(ops/pipelines): Move revision tagging into static pipeline
This makes the revision number available much earlier (before the rest
of the pipeline runs, while Nix eval is happening) which should only
be a few seconds after a commit to canon.

It is also more readable in this shape.

Change-Id: Iccbb17dfef6afe68f54fda41e8d10c4dc52b08c2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3775
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-11-05 14:24:53 +00:00
Vincent Ambo
00ae396eeb feat(ops/pipelines): Create revision numbers in CI
This automatically pushes a new ref at refs/r/$revision to Gerrit
whenever a CI run completes on canon.

Revision numbers can be fetched from Gerrit with this command:

    git fetch gerrit "refs/r/*:refs/r/*"

Note that this build step requires credentials to be provisioned on
the CI runner machine.

Change-Id: I37bb14346832f891240aa47bb55affaace3d5f21
2021-11-04 15:16:08 +01:00
Smitty' via Issues & Patches
8696726244 fix(ops/users): correct password hash for smitop
The previous hash had a weird salt length and a trailing newline.
This fixes it.

Change-Id: I1f03238181d0caad38e1f1dbc477356bc20fc32d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3689
Reviewed-by: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
2021-10-05 23:52:14 +00:00
sterni
3f0de23d61 feat(ops/users): add smitop to users
Change-Id: I1fc67c0e33e1e1add8a4ea53c8c94e90e53d8bd5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3687
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: tazjin <mail@tazj.in>
2021-10-05 22:20:51 +00:00