Commit graph

701 commits

Author SHA1 Message Date
Vincent Ambo
e9e8e38db7 fix(ops/gerrit-tvl): Filter builds by commit hash
The patchsetSha is one of the things passed in to the `fetch()`
interface, and Buildkite's API (now?) supports filtering by the commit
hash in addition.

With this combination, we should not accidentally display builds for
the wrong patch set.

Change-Id: I6bb26dd7387f2dd00291990cadd38629ecda999b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5702
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-27 22:13:58 +00:00
Vincent Ambo
bdccd2c111 fix(ops/modules): Increase RestartSec= of oauth2_proxy service
When Keycloak and oauth2_proxy are restarted simultaneously, the
latter might try to come up (repeatedly!) before Keycloak can serve it
properly.

This leads to systemd considering the unit failed.

Since this all happens in the span of a second or so, slightly
increase the restart delay of the service to ensure it comes back
after Keycloak is ready.

A "proper" fix might be to add a script that runs before the actual
service and waits for Keycloak, but I don't want to prioritise that
right now.

Change-Id: I4dadba686de60ffc103fe889ce19f05ca1d7d4fe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5695
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-27 21:10:35 +00:00
Vincent Ambo
772f8f1b90 feat(ops/pipelines): Evaluate depot pipeline in restricted-eval mode
Change-Id: Ic5b98a0777860b68dabb9a9b59e8c682236a71c7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4884
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2022-05-26 16:57:16 +00:00
Vincent Ambo
7a0a4224a5 refactor(ops/nixos): Prepare for restricted eval
Change-Id: I7b5304dda3040830fe90fc188b35da3fd95451a0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5682
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
2022-05-26 16:24:34 +00:00
Vincent Ambo
48dfefe40d refactor(sanduny): Prepare for restricted-eval
Change-Id: I83a404dc7dbaf5ca53659d03df4e4de461a9d046
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5688
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
2022-05-26 14:17:33 +00:00
Vincent Ambo
250300f167 refactor(whitby): Prepare for restricted-eval
Change-Id: I7604ca29310d759b0ffee2ffb0048b6365a2894c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5683
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
2022-05-26 14:17:32 +00:00
Vincent Ambo
bc42c5a61b fix(ops/modules): adapt for changed ssh.knownHosts
Somehow this ended up generating an empty file, with this change it is
fine again. I was looking at the recent commits of the module in
nixpkgs but couldn't quite figure it out, there are also some vague
references to the attribute set key being used as a hostname, but this
doesn't seem to be true in practice.

To be clear, the previous code was wrong, but at some point it
generated a file that accidentally worked.

Change-Id: I42d55730c09daafe6d6fe0eb3647135e84737bca
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5670
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
2022-05-26 10:05:54 +00:00
Vincent Ambo
e3a31b702a feat(whitby): Deploy private SSH key for build agents
Change-Id: I5b1dfaaf28e835cac5b897e18b015d90ac3b2857
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5665
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
2022-05-25 23:53:09 +00:00
Vincent Ambo
77f096771d feat(ops/secrets): Add private SSH key for Buildkite agent(s)
The public key is:

  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIME13zAw3Fk6qsbWCe6mH2zkxOJ+NmG+FwMjLw00mcWt buildkite@tvl

Change-Id: Ia8591e5df42727e4068f26865d83d0af85424fde
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5664
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-25 23:53:09 +00:00
Klemens Nanni
3a53587c2a feat(ops/modules/open_eid.nix): Access all key slots
`onepin-opensc-pkcs11.so` only enables PIN1, but PIN2 is also required.

Change-Id: Ic1c34ca58a46c2978c7e27e7a9b7e6a4d335ac0c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5648
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: kn <klemens@posteo.de>
Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-25 20:38:11 +00:00
Klemens Nanni
45c46d4a73 feat(ops/modules/open_eid.nix): Add digidoc-tool(1) to PATH
libdigidocpp is a dependency of qdigidoc4(1) already.

This will need https://github.com/NixOS/nixpkgs/pull/174055
"libdigidocpp: Fix PKCS11 module library path" to work, though.

Change-Id: Ic8d671077977b1d1f099a8b4b23cc537b52aa954
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5647
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-25 20:37:53 +00:00
sterni
03d1986316 feat(3p/agenix): update to 2022-05-16 and add to niv
The new version brings the new secretsDir setting which means we no
longer have to hardcode /run/agenix everywhere.

Change-Id: I4b579d7233d315a780d7671869d5d06722d769fa
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5646
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: sterni <sternenseemann@systemli.org>
2022-05-25 15:00:37 +00:00
James Landrein
dc346bb8cf feat(ops/users): add j4m3s
I've only been a couple months lurking in the IRC ...

Change-Id: Idebf96d3bf1124f0a97e11e0f854e8c6d4be8d8e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5662
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
2022-05-24 23:39:44 +00:00
Vincent Ambo
f31edeec1b refactor(nixery): Modernise structure of binaries
Nixery is going to gain a new binary (used for building images without
a registry server); to prepare for this the server binary has moved to
cmd/server and the Nix build logic has been updated to wrap this
binary and set the required environment variables.

Change-Id: I9b4f49f47872ae76430463e2fcb8f68114070f72
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5603
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-23 15:04:56 +00:00
Vincent Ambo
045cf244b5 chore(ops/secrets): add key for tazjin/zamalek
Change-Id: Ieb2fe49a67940d7cfbd261edbe10d0a8577a466d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5628
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-17 10:14:02 +00:00
Vincent Ambo
302b754d7a feat(tazjin/nixos): Add system configuration for zamalek
This is my new Huawei MateBook X.

Change-Id: I32a8b77dd8f53b3c89bf63f448cd2880f9a457b7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5554
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
2022-05-10 13:41:33 +00:00
Florian Klink
e8855f4bef feat(ops/modules/open_eid.nix): document firefox
Firefox users can add p11-kit-proxy (or other SecurityDevices)
system-wide, by making use of the extraPolicies functionality.

Change-Id: Id58b6cab425199fb0e09e846db2a86d302c0de0d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5534
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
2022-05-08 13:52:27 +00:00
Florian Klink
84c62eb68b feat(ops/modules/open_eid.nix): use p11-kit-proxy
… instead of onepin-opensc-pkcs11.

This acts as a glue to multiple PKCS#11 modules, and reads configuration
files from /etc/pkcs11/modules.

p11-kit is also used to propagate the system trust store to NSS:
https://p11-glue.github.io/p11-glue/sharing-trust-policy.html

See-Also: https://p11-glue.github.io/p11-glue/p11-kit.html
Change-Id: I135c3a80a4eea0bd06f6b00089dc197c82476746
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5533
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2022-05-07 21:29:56 +00:00
sterni
fbbee5584b subtree(3p/cgit): update for git 2.36.0 support
Merge commit '51596ba1c25ff0dbba894153015203b4f1d3947b' into canon

Change-Id: Iaaf7a849d111aebc6bf85cec118439ba1d49f1e3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5521
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-04 16:18:51 +00:00
sterni
5fae8b0826 chore(3p/sources): Bump channels & overlays
* //nix/buildLisp: ccl dumped images have fixed themselves… again

* //3p/git: rebase patch on 2.36.0

* //3p/overlays/haskell: remove upstreamed workarounds

* Disable everything depending on cgit temporarily, since it doesn't
  compile with git 2.36 yet.

Change-Id: I9dc11c0846641341adbdcc7162cbf149a15fe0cb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5519
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-04 16:18:50 +00:00
Vincent Ambo
96aea32084 fix(ops/besadii): Fix output formatting for non-CL builds
Change-Id: Ie9ffb2d287f6c8a1e3ae45a7ad6671b9b8fa9c8a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5505
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: asmundo <asmundo@gmail.com>
2022-04-26 09:25:03 +00:00
Vincent Ambo
c05c4995ab chore(3p/sources): Bump channels and overlays
Changes:

* updated keycloak configuration for new version
* migrate to emacs28 outside of //users, re-add emacs27 but with a
  warning attached urging people to migrate

Change-Id: I3e5765a63934541f72f6c4a8673d3b4671850c93
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5501
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: wpcarro <wpcarro@gmail.com>
2022-04-21 16:54:07 +00:00
Vincent Ambo
6716bf018c chore(nixery): Housekeeping for depot compatibility
Cleans up a whole bunch of things I wanted to get out of the door
right away:

* depot internal references to //third_party/nixery have been replaced
  with //tools/nixery
* cleaned up files from Github
* fixed SPDX & Copyright headers
* code formatting and inclusion in //tools/depotfmt checks

Change-Id: Iea79f0fdf3aa04f71741d4f4032f88605ae415bb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5486
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
2022-04-20 15:31:16 +00:00
Vincent Ambo
34e95f514c chore(journaldriver): Bump dependencies
Change-Id: I8819639bf5ddcc52510f20a92ab4b93af873682d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5475
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-04-17 13:16:34 +00:00
William Carroll
d843f0bf4c feat(wpcarro/ava): Support new machine
ava is my new (NixOS!) work machine :)

Change-Id: I1f089f00c02519d5d1d93d011f29075d53500e74
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5450
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
2022-04-15 19:07:51 +00:00
Vincent Ambo
e3cd8069ef feat(ops/open_eid): Add script for setting up browser integration
Change-Id: Ib339d62d862fd99dab2fda30376b8e47b337a26b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5441
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
2022-04-14 16:18:43 +00:00
Vincent Ambo
1a2fe4b063 feat(whitby): Increase prometheus retention time to 90d
Change-Id: I67287d7b1d8ee2c3004d381b5bc684bf4fc7d42c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5429
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-04-11 16:18:38 +00:00
Vincent Ambo
186c2822b0 feat(ops/modules): Add module for using Estonian e-residency card
Someone already packaged the required software, so I didn't have to do
that.

Change-Id: Ifc6a68fd4cd89f4718368a05acb6c6f536e01aab
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5431
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: tazjin <tazjin@tvl.su>
2022-04-09 08:49:06 +00:00
Vincent Ambo
017238a1be fix(ops/oauth_proxy): Depend on Keycloak service
If the Keycloak service is running on the same machine as the oauth2
proxy (spoiler alert: it is!), let the service depend on it.

Change-Id: I30e4222b4cd5589e08849ef6f37cf1fb4369f55a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5421
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-03-31 13:27:48 +00:00
Vincent Ambo
e70428e75b refactor(ops/pipelines): Configurable GraphQL token location
For external users of the pipeline construction, the token might be in
a different path than `/run/agenix/buildkite-graphql-token`.

It is made configurable through the BUILDKITE_TOKEN_PATH environment
variable. This should be configured on the pipeline level to apply to
all steps.

Change-Id: I23c52e2d705e4134b8b013f8603f92e5533a6e44
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5424
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: asmundo <asmundo@gmail.com>
2022-03-30 11:06:49 +00:00
sterni
508a62b603 chore(3p/sources): Bump channels & overlays
* Remove use of aliases that have been removed in nixpkgs commit
  a36f455905d55838a0d284656e096fbdb857cf3a:

  - ncat
  - x11
  - nologin
  - dbus_libs
  - emacsPackagesGen
  - man-pages
  - pulseaudioLight

Change-Id: Ide603bf48bc7f77e10e4aa715ba025aece3644fd
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5387
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: wpcarro <wpcarro@gmail.com>
2022-03-19 17:11:59 +00:00
Vincent Ambo
fb5f21067e fix(modules/quassel): Open firewall port automatically
Change-Id: Ie815495561f789590b5f49ecfd33441822f79047
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5382
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-03-11 21:38:40 +00:00
Vincent Ambo
2cff0712b3 refactor(journaldriver): Replace ureq with crimp
crimp is in TVL (//net/crimp), and it has fewer dependencies than
ureq (including - finally - no more old time or chrono).

Change-Id: I354f8f78b34a85abe3af671ffeffbe6a7fded5ee
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5318
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-20 15:46:57 +00:00
Vincent Ambo
2626d8348a chore(journaldriver): Bump medallion to 2.5
This version includes my patch for removing chrono from
medallion (https://gitea.cmdln.net/cmdln/medallion/commit/025b143d)

Change-Id: I2b745598538dd34e967e49c2b342be1b04ca9f27
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5316
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-20 15:46:57 +00:00
Vincent Ambo
e8756239a8 chore(ops/modules): Remove fix-nginx timer unit
This doesn't seem to be needed anymore.

Change-Id: Id8d4192840e8ab10adb652abc9bd6540009a3dcf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5319
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
2022-02-20 14:26:57 +00:00
Vincent Ambo
71d6a02ca1 refactor(journaldriver): Use time crate directly instead of chrono
With this change, we still depend on chrono (through medallion), but
but I'm going to try and fix that upstream as well.

Change-Id: Iefd3d8578ea8870961107f3222dea7f936c2dd9a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5311
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-18 11:52:26 +00:00
Vincent Ambo
af512558e6 test(journaldriver): Add test for serialising timestamps
Change-Id: I5b769f5974546fd4f4f853111bd17c9d22d73a5e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5310
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-18 11:52:26 +00:00
Vincent Ambo
19a13e08a8 chore(journaldriver): Migrate to Rust Edition 2021
Change-Id: I858738b6fc554060824bbb4e69d5ccd03789535d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5309
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
2022-02-18 11:52:25 +00:00
Vincent Ambo
c075a2c541 chore(journaldriver): Update crates within bounds
Basically just `cargo update`.

Change-Id: I86e58d73ff67d69201124d65136773325b240cbe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5308
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-18 11:52:24 +00:00
Vincent Ambo
ede837b687 refactor(journaldriver): Use anyhow instead of failure
Apparently failure is not hip anymore, and crate updates are forcing
the use of anyhow now. Whatever.

The functionality basically stays the same, maybe error messages will
look a little bit different now.

Change-Id: I173d644688785339c16161ddeec47a534123710f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5307
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
2022-02-18 11:52:24 +00:00
Vincent Ambo
4ce2b49cd9 feat(ops/glesys): add DNS record for AAAA sanduny.tvl.su.
Change-Id: I4a74cd173b326941c12b7611841ced2038650137
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5314
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2022-02-18 11:47:23 +00:00
Vincent Ambo
d68de096c7 feat(ops/glesys): add DNS record for A sanduny.tvl.su.
Change-Id: I12e678f161ca9bfb7e982ed067a0b8bd0325d737
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5296
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-02-18 11:41:13 +00:00
Vincent Ambo
ac6717fe3c fix(ops/modules/www): Make self-redirect to config a generic module
As suggested by sterni, this makes the self-redirect of a machine to
its configuration a generic module working by convention.

In the process of moving this two small fixes have been applied:

* redirect is only applied if the URI is `/`, this is required for
  ACME to work
* addSSL = true is added, otherwise we have a certificate but no TLS
  listener

Change-Id: Icaef041ff681253a61e36926417bdb2844e3f93d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5313
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2022-02-18 11:39:01 +00:00
Vincent Ambo
5b701ad713 feat(sanduny): Enable journaldriver module
Change-Id: I9026386664000448642ff635bd71a7af5ed546c3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5303
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-18 11:38:34 +00:00
Vincent Ambo
536e01e967 refactor(ops/modules): Move journaldriver configuration into module
This makes the journaldriver configuration machine-independent.
The secret is loaded from agenix instead of being persisted on disk.

Change-Id: I592ae7f5726fcb7f37a406f69dcf5ac498eeb1b7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5302
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-18 11:38:34 +00:00
Vincent Ambo
c72abe04f2 feat(sanduny): Configure Bitfolk nameservers
Change-Id: I81b252aedbf1ce3543a167b6c1942c404d4f1f1e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5312
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-18 11:35:21 +00:00
Vincent Ambo
95780174e1 feat(ops/machines): Add a module for known SSH keys
Change-Id: I443e479f3edf9c6540de7b5a33bc6f7e2a9c5183
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5305
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
2022-02-18 08:22:56 +00:00
Vincent Ambo
b936843bb0 feat(ops/modules): Redirect machine base names to their config
With this change, entering just "whitby.tvl.fyi" or "sanduny.tvl.su"
in a browser will redirect users to their machine configurations.

Change-Id: Ibf076a469bcce073e1b1970aa568d6fe16a5c75a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5304
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
2022-02-18 08:15:56 +00:00
Vincent Ambo
f4f1d97052 refactor(ops/modules): Move ACME base configuration into base.nix
This needs to be present on all machines that run ACME stuff.

I've switched the address for a .su one because I have a catchall for
these.

Change-Id: I7af8e1f1cb2fcfbcba4b7d1930ed0edef0106d72
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5306
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-18 08:15:56 +00:00
Vincent Ambo
6b3eed1fb5 feat(ops/secrets): Add journaldriver key
This changes the structure of secrets.nix a bit to split between
secrets for whitby, and secrets for all TVL machines.

Change-Id: I791f0ce42a16b33051e24a7a6c5b153761ed9eb3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5300
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
2022-02-17 18:11:58 +00:00