Commit graph

669 commits

Author SHA1 Message Date
Vincent Ambo
b8267c261c fix(ops/irccat): Avoid permissions issue with LoadCredentials=
The DynamicUser + Group configuration does not work as planned, thus
the systemd LoadCredentials feature is used instead which makes the
file (which itself is only readable by root) available in a
memory-backed location only readable by the service.

The secret is only available to `ExecStart` commands, so units using
this feature can not be used with pre/post units and the like if those
commands need secrets.

To accommodate this, the merge of configuration files has been moved
into the service launch script, which is now the ExecStart= process.

For details take a look at https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LoadCredential=ID:PATH

Change-Id: I693fe5677cc0d63c7aa485c2c7472457c5262166
2021-12-10 15:09:09 +00:00
Vincent Ambo
67bde5ecc3 fix(tvl-buildkite): Explicitly set runtimePackages
It turns out the lib.mkAfter call doesn't behave as expected -
only *some* of the packages that are defaulted end up in the $PATH.

I suspect this is actually something else, e.g. these packages are
always added for some reason or another, and the option is completely
overridden every time.

Change-Id: I854c7198520d82b00e6338ed0fe653836226dc6d
2021-12-10 15:06:08 +00:00
Vincent Ambo
2ba481451c chore(ops/secrets): Reencrypt with grfn's key included
Change-Id: I66df150ab5070a81a92f0741334639df9df1f86f
2021-12-10 17:52:08 +03:00
Griffin Smith
a85ab68b12 chore(ops/users): Rotate password for grfn
Just a regular password rotation, plus I wasn't using argon2 unlike
everyone else.

Change-Id: Ic57fe79a2dbfdc15397d20f6b2b47c6aac911d29
2021-12-10 09:45:17 -05:00
Griffin Smith
66a1d3d5d4 feat(ops/secrets): Add key for grfn
Change-Id: I8063ae804932e3815e9a499e0206806818b9b021
2021-12-10 09:44:34 -05:00
Vincent Ambo
bc3d35f3d0 fix(tvl-buildkite): Add missing runtimePackages back
Turns out that the type of this option is not concatenative and it
replaces the packages needed to run Buildkite if set.

Change-Id: I9f52572bc165bccdd8c6518cfdf7b8967f7a50d0
2021-12-10 13:14:11 +00:00
Vincent Ambo
d4403638cf refactor(ops): Move irccat secret into agenix
The irccat module uses DynamicUser, so to grant permission to it a new
group has been added for irccat.

I have some vague memory of DynamicUser + Group not behaving as one
would expect, but we'll see what happens.

Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
2021-12-10 16:13:31 +03:00
Vincent Ambo
002d183876 refactor(ops): Move clbot SSH key into agenix
Change-Id: Iae03ead7dda0509689a76f0d76f9cfeb8434e967
2021-12-10 16:13:31 +03:00
Vincent Ambo
811e6d7d9f chore(whitby): Remove shadowsocks service
No longer required on whitby.

Change-Id: I93951c6b708eae81ddb03df920a4068c1ccde9e7
2021-12-10 13:07:09 +00:00
Vincent Ambo
fc14c21bb9 fix(ops/pipelines): Move to static pipeline
This step would get inserted at the wrong point in the build pipeline
otherwise, causing a dependency cycle and causing the pipeline to fail.

Change-Id: I534568eec77f74ae6c47276820f8a9e99493a3ea
2021-12-10 11:01:21 +03:00
Vincent Ambo
e4231c9816 refactor(ops/pipelines): Move 🦆 logic into static pipeline
This simplifies the fallback logic used in case of Nix evaluation
failure and makes it so that the evaluation step itself is the one
that is marked as failed in Buildkite.

This is possible because the pipeline upload command will insert new
steps at the point where it runs in the pipeline, and not later.

Change-Id: I870534c004ebc457a1602623c4e5f9c0c68e28fc
2021-12-10 07:55:34 +00:00
Vincent Ambo
9ea4d55d81 refactor(ops): Move buildkite-agent-token into agenix
Relates to b/161

Change-Id: I5d3a698d437928966d8b78ce9e0ba226c1437655
2021-12-10 10:32:44 +03:00
Vincent Ambo
a123b9e0a2 refactor(ops): Move owothia secret into agenix
Relates to b/161

Change-Id: I25445281b0dd3c3f3660f8bb0d8337506a1e427b
2021-12-10 10:32:14 +03:00
Vincent Ambo
78744c00f5 refactor(ops): Move clbot secret into agenix
Relates to b/161

Change-Id: I7badf22ff93bb4e8b06e4dd4a8bf880b0bd48f09
2021-12-10 10:32:14 +03:00
Vincent Ambo
496d899428 feat(ops/secrets): Configure secrets for gerrit-queue
Adds a systemd EnvironmentFile secret that contains the Gerrit
username & password for gerrit-queue.

Change-Id: I25acf87764c26774045138402b8a417b6813ee8f
2021-12-10 10:32:14 +03:00
Vincent Ambo
4870b1a2ff feat(ops/modules): Add module for running gerrit-queue
This is not yet including the secret configuration for gerrit-queue,
and just expects the secret (gerrit username & password) to be
available in /etc/secrets.

Change-Id: Ia465ef7f3f521c70d606d7fdeba9aa83c7e1b98b
2021-12-10 10:32:14 +03:00
Vincent Ambo
a9dd719e7c chore(tvl-buildkite): Add jq and curl to agent paths
This is required for a simplification of the build pipeline (following
CL) and needs to be in a separate commit as it can not be done
atomically (merging the other commit to deploy it would immediately
break pipelines otherwise).

Change-Id: I5d8ec8f3238f79b5518d799486bf98d1d9516c43
2021-12-10 10:21:34 +03:00
Vincent Ambo
f1e1f71883 feat(ops/secrets): Bootstrap agenix secrets folder
Sets up the key set and adds an initial secret (besadii config with
tokens) to be deployed to whitby.

Change-Id: Ic07fd5e66b9e7a533013e04c35e052c2aa11f77d
2021-12-08 18:22:00 +00:00
Vincent Ambo
c1479a6221 chore(besadii): Improve error messages on parse failure
Change-Id: I3cc4637aca8a940a0fdeca2d8bd6ac620ea384c0
2021-12-07 18:27:44 +00:00
Vincent Ambo
8a944484f0 fix(ops/besadii): Unquote Gerrit's extra-quotes around emails
Gerrit wraps RFC5322 emails in another layer of quotes when passing
them as flags, and this needs to be unquoted.

Otherwise hook invocations fail with cryptic errors.

Change-Id: Ieeb74c662873d99a4154f8cbc92da77b039cb88e
2021-12-07 18:27:44 +00:00
Vincent Ambo
6faf0edaff fix(ops): Correctly pass command name to besadii invocations
Ensure that besadii sees $0 as the correct command name, since that is
the sole mechanism by which its functionality is switched around.

There was a lingering commit that introduced this bug and hadn't been
deployed in a couple of days. Maybe time to tighten deploy cycles soon
...

Change-Id: Ie4284c0f6e5e06d71a71a3702ec7e092260e0ce5
2021-12-07 18:27:44 +00:00
Vincent Ambo
7f2f5d07f2 fix(ops/besadii): Pass Build.Author to Buildkite
Extracts author information from the flags passed by Gerrit and moves
them along to Buildkite. This should display the owners of builds
correctly in the UI, rather than marking everything as coming from me.

Change-Id: If9efe5553a13f0dbdb8bf3936c1d341ae5922318
2021-12-06 17:42:57 +03:00
Vincent Ambo
b679bb4034 refactor(ops/besadii): Get config from home directory by default
Slightly more ergonomic in some setups.

Change-Id: I565f2d242852ffd299ef5d5740a47520187dd4b4
2021-12-02 17:13:49 +03:00
Vincent Ambo
dcb2410982 refactor(ops/besadii): Generalise for use with non-TVL URLs
This makes it possible to use besadii for any TVL-ish setup using
Gerrit and Buildkite, with the same hook functionality as for TVL.

Change-Id: I1144b68d7ec01c4c8e34f7bee4da590f2ff8c53c
2021-12-02 13:10:21 +03:00
Vincent Ambo
e48ae26e8e feat(ops/besadii): Add other missing configuration keys
Adds configuration keys and rudimentary validation for all other
besadii settings that are currently hardcoded.

This adds the config options:

* repository: Name of the repository in Gerrit.
* branch: Name of the HEAD branch in the repository.
* gerritUrl: Base URL of the Gerrit instance
* gerritUser: Username of the Gerrit user
* gerritPassword: Password of the Gerrit user
* buildkiteOrg: Name of the Buildkite organisation
* buildkiteProject: Name of the pipeline inside the Buildkite
  organisation
* buildkiteToken: Auth token for Buildkite access

All of these configuration options are required.

Change-Id: Ie6b109de9cd8484a3773c6351d7fd140f39a49ed
2021-12-02 13:10:21 +03:00
Vincent Ambo
ee635d4645 chore(ops/modules): Configure besadii call sites to load config
On whitby, the besadii config will live in
/etc/secrets/besadii.json. This CL updates the call sites to pass this
config path to besadii so that it can load Sourcegraph configuration.

Change-Id: Ia139b9fa3b827e7a5f2386214390acc6fe19a75a
2021-12-02 13:10:20 +03:00
Vincent Ambo
168114df52 refactor(ops/besadii): Move Sourcegraph config to a file
Initial step towards moving besadii away from hardcoded values and
onto config files. This is required because I want to reuse besadii
outside of the TVL context.

Change-Id: Id4fa7a49c5d4f876a02b202f04a421ab5ba0dcc4
2021-12-02 13:10:20 +03:00
Vincent Ambo
c53d6d3453 fix(ops/nixery): Temporarily stop serving depot packages in Nixery
Change the Nixery configuration to use the plain nixpkgs package path
instead of the depot path. AFAIK, nobody uses this to fetches depot
packages at the moment - but plenty of people fetch non-depot
packages.

This means that Nixery is cache-busted less often (previously on every
commit => every deploy).

We'll figure out another way to have a depot Nixery later.

Change-Id: Iba632333346181c3d2ce992fbab396ed0d9f86aa
2021-12-02 09:16:52 +03:00
Vincent Ambo
433f0ae5cd fix(ops/www): Redirect tvl.fyi/blog -> tvl.fyi
The blog index page is at the root and people may manually edit the
URL.

Change-Id: I6cdaaaee6223524a9e950584379cfac34f8be160
2021-12-01 23:41:23 +03:00
Vincent Ambo
c1aab56a02 feat(besadii): Support invocation as different Gerrit hooks
Removes besadii support for the previously used 'ref-updated' hook and
instead introduces support for the 'change-merged' and
'patchset-created' hooks.

These hooks more accurately capture the semantics of when besadii
should trigger CI builds and using them will avoid problems such as
skipping 'canon' builds if chains of CLs are submitted together.

Change-Id: Ib90356c069780bf0c0250e56b927e46a5b31ce7f
2021-12-01 12:49:31 +03:00
Vincent Ambo
68d1f834a3 fix(ops/www): Strip .html from TVL blog post URLs
Change-Id: I4d1f9284ec004931c07c04d614b01f28eedea508
2021-11-30 13:56:29 +03:00
Vincent Ambo
6edfdd0773 refactor(ops/pipelines): Query build status from Buildkite API
Instead of manually tracking the build status through Buildkite
metadata, use the Buildkite GraphQL API in the `🦆` build
step (i.e. the one that determines the status of the entire pipeline
to be reported back to Gerrit) to fetch the number of failed jobs.

This way we have less manual state accounting in the pipeline.

The downside is that the GraphQL query embedded here is a little hard
to read.

Notes:

  * This needs an access token for Buildkite. We already have one for
    besadii which is also run by the agents, so I've given it GraphQL
    permissions and reused it.

  * I almost introduced a very rare bug here: My initial intuition was
    to simply `exit $FAILED_JOBS` - in the extremely rare case where
    `$FAILED_JOBS % 256 = 0` this would mean we would ... fail to fail
    the build :)

Change-Id: I61976b11b591d722494d3010a362b544efe2cb25
2021-11-29 23:38:24 +03:00
Vincent Ambo
4d57898af4 chore(ops/users): Update password hash for asmundo
... some issue snuck in on the first one, as is tradition.

Change-Id: I06ce4df82cde26231cd1ab3df500de02e981d9bc
2021-11-29 18:12:19 +03:00
asmundo
78f51edf8c feat(ops/users): Add user asmundo
Change-Id: Ie666b6556d91513babd884b2ed1140cd6c0ed2a9
2021-11-29 14:14:04 +00:00
Vincent Ambo
eca2bc572e refactor(besadii): Rename refUpdated -> buildTrigger
We are changing the Gerrit hooks which invoke besadii, but this
structure will be used for both kinds.

Change-Id: Idb1cb0c640d2c42db8e7af39f3ab372a97bfef91
2021-11-29 13:54:47 +00:00
Vincent Ambo
104f002a07 fix(ops/besadii): Trim whitespace of auth tokens
This is causing failures when trying to update Sourcegraph at least,
for good measure I've trimmed both.

Change-Id: I40266ee83b4e266ffe50f16bb365eb2e51952513
2021-11-28 10:34:36 +00:00
Vincent Ambo
4f1249e46f refactor(readTree): Move 'drvTargets' into readTree
This function is also generally useful for readTree consumers that
have the concept of subtargets.

Change-Id: Ic7fc03380dec6953fb288763a28e50ab3624d233
2021-11-23 14:42:08 +00:00
Vincent Ambo
15cb37f877 fix(ops/restic): Move whitby's backup to GleSYS object storage
Since GCP nuked us, the backups are now moving to GleSYS'
S3-compatible object storage.

This refactors the restic module to support S3-compatible storage
instead of GCP, and switches to the appropriate new secret paths.

The secrets were placed on whitby manually and I verified that the
backups work.

This fixes b/157

Change-Id: I6a9d2b0581967605ce736605a3befb44cdeae7e1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3883
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-11-21 12:01:26 +00:00
Vincent Ambo
099f36e5ee fix(ops/pipelines): Fix tagging of commit revisions
It seems that shell variables don't work as expected inside the
Buildkite pipeline, so usage of variables has been removed.

We also don't echo the revision anymore because of that, but it does
still appear in the log of `git push`.

Change-Id: I124e3b09af896da898f2a78715ed371651a1c5f8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3780
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-11-06 00:33:23 +00:00
Vincent Ambo
4b33401a36 refactor(ops/pipelines): Move revision tagging into static pipeline
This makes the revision number available much earlier (before the rest
of the pipeline runs, while Nix eval is happening) which should only
be a few seconds after a commit to canon.

It is also more readable in this shape.

Change-Id: Iccbb17dfef6afe68f54fda41e8d10c4dc52b08c2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3775
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-11-05 14:24:53 +00:00
Vincent Ambo
00ae396eeb feat(ops/pipelines): Create revision numbers in CI
This automatically pushes a new ref at refs/r/$revision to Gerrit
whenever a CI run completes on canon.

Revision numbers can be fetched from Gerrit with this command:

    git fetch gerrit "refs/r/*:refs/r/*"

Note that this build step requires credentials to be provisioned on
the CI runner machine.

Change-Id: I37bb14346832f891240aa47bb55affaace3d5f21
2021-11-04 15:16:08 +01:00
Smitty' via Issues & Patches
8696726244 fix(ops/users): correct password hash for smitop
The previous hash had a weird salt length and a trailing newline.
This fixes it.

Change-Id: I1f03238181d0caad38e1f1dbc477356bc20fc32d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3689
Reviewed-by: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
2021-10-05 23:52:14 +00:00
sterni
3f0de23d61 feat(ops/users): add smitop to users
Change-Id: I1fc67c0e33e1e1add8a4ea53c8c94e90e53d8bd5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3687
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: tazjin <mail@tazj.in>
2021-10-05 22:20:51 +00:00
Vincent Ambo
0eef0e343f feat(whitby): serve static.tvl.{fyi|su} with max cache settings
The setup is explained in the comment, but TL;DR: Use the derivation
hash of static files to create permanent URLs.

Relates to b/151.

Change-Id: Ib1ca3a1a00c90a47f4bf39c29a8b4bbf5b215e7d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3664
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-10-01 20:45:50 +00:00
Vincent Ambo
9f177062c7 feat(ops/dns): add static.tvl.{fyi|su}
This hostname can be used for hosting static assets with aggressive
caching for everything, or potentially CDNing stuff if we ever have
large things here.

Change-Id: I10afdad5eb08125d8d09108e9e099f5573362fe5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3663
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2021-10-01 15:59:53 +00:00
Vincent Ambo
ce575bf65b feat(whitby): Serve //corp/website on tvl.su
Change-Id: I21e1ddf9a32568cac8ad2595869ac8670867efa9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3658
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-10-01 15:24:35 +00:00
Vincent Ambo
94cebe41f3 chore(ops/git-serving): Remove josh state from whitby backups
As cschilling explained on cl/3563, there isn't actually anything in
this state that we *need* to persist. We're still keeping it in a
persistent directory on disk as this serves as an optimisation after
restarts of josh.

Change-Id: Ia88886792a5acac34508b5b8a669bd519ca033de
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3631
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-09-24 16:14:30 +00:00
Vincent Ambo
0e3858b5e5 refactor(whitby): Move restic path configuration into modules
This lets each service declare their backup paths together with the
configuration for the service, which is a lot more sensible than what
we had before.

Fixes b/147

Change-Id: If76fe62639f4cc0e6fbb63a2959d584479d8f0fb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3583
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-09-18 15:10:34 +00:00
Vincent Ambo
86a114ac45 fix(ops/restic): types.string -> types.str
I can never remember which is which.

Change-Id: I69b8235862b8c5b49030a74bfca25aaa113273b7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3582
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-09-18 14:38:19 +00:00
Vincent Ambo
98e4d4b18f feat(besadii): Link to started builds in CL comments
This makes it easier to click through to a build from Gerrit after
submitting a CL.

Change-Id: Ic5c6eeb81c87bc4ea23c5c5ca25704434b081fd0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3572
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-09-18 14:28:26 +00:00
Vincent Ambo
ae93094ebf refactor(besadii): Extract logic for posting review comments
Currently besadii only posts comments when builds succeed, but it
might be very useful to also have a link to a build when the build is
started.

This just shuffles code around. The only functional change is that the
`labels` field in the review input is marked as `omitempty`, as this
will not be needed when posting the build start comment.

Change-Id: Id4a43fad8817c9a15da02f01ab2b781d48b46978
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3571
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-09-18 14:28:26 +00:00
Vincent Ambo
b6957923ff docs(kontemplate): Remove mention of kontemplate website
This doesn't exist anymore.

Change-Id: I4535e056acba3bbc7bbd1e764a0b3043639b0877
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3570
Reviewed-by: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
2021-09-18 12:35:47 +00:00
Vincent Ambo
80fb67a75d docs(kontemplate): Update cloning docs in README
Change-Id: I42bf2524650bf09104e48c1c1a54c97f3470b628
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3566
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2021-09-16 20:34:05 +00:00
Vincent Ambo
387c55582b refactor(ops/restic): Move restic configuration into a new module
Relates to b/147.

First step towards giving depot modules the ability to declare their
own backup directories by moving all restic configuration into a new
module and adding a NixOS option for inclusion/exclusion paths for
backups.

This still keeps all backup paths within the whitby config.

Change-Id: Ia96833668f1a3d02da892261153d8b02156b8ac0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3565
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2021-09-16 20:34:05 +00:00
Vincent Ambo
ec38839c33 feat(git-serving): Configure josh to serve the depot over HTTP
Previously we served the dumb git HTTP protocol from code.tvl.fyi via
cgit. This CL disables this feature and instead runs josh in the same
location (by redirecting appropriately), but while also enabling
partial cloning of all subtrees of the depot.

For example, after this CL the following would result in an
independent clone of //nix/readTree:

    git clone https://code.tvl.fyi/depot.git:/nix/readTree.git

Note that there are no josh workspaces configured at all for now,
these references are only for static depot subpaths.

Please refer to the documentation for josh for more information on
available kinds of josh filters.

Josh state is kept in a systemd state directory in /var/lib/josh and
backed up to Restic. Backing this up is necessary, as josh uses
stateful information to do things like tracking merges and rewriting
history per subtree appropriately to avoid cloned repositories ending
up in peculiar states.

Change-Id: I156f0298c2aa42e3bdbf5a0e86109070d640c56e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3563
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2021-09-16 20:34:05 +00:00
Vincent Ambo
48091a3416 fix(deploy-whitby): Add jq to script $PATH
Change-Id: Ide669bce545394335b8643fa2896a242cac3df65
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3528
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-09-11 14:33:42 +00:00
Vincent Ambo
933edf7764 fix(deploys.*): Folder for diffs is in /diff/
... this was missing before.

Change-Id: I5b79cb78665f24fdb7cc6496e3782d3940dc77b6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3527
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-09-11 14:33:42 +00:00
Vincent Ambo
f5f0b80843 feat(sourcegraph): Upgrade 3.30.4 -> 3.31.2
This one seems a little more involved:
https://docs.sourcegraph.com/admin/migration/3_31

I believe we skip that corruption issue in the previous CL though, by
simply never deploying a version with that weird broken image.

See b/144

Change-Id: I3bbf1b719d00905e08a92011ace5485467f504ef
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3525
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-09-11 14:11:52 +00:00
Vincent Ambo
4d0eb5037a feat(sourcegraph): Upgrade 3.29.1 -> 3.30.4
See b/144

Change-Id: Ied9490f3ce6fb3fda8cbb9983416b02ea451fb44
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3524
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-09-11 14:08:36 +00:00
Vincent Ambo
90971e07a1 feat(sourcegraph): Upgrade 3.28.0 -> 3.29.1
See b/144

Change-Id: Ia62d4cbf581caaefa0dba455376eec60b8c817d6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3523
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-09-11 14:04:50 +00:00
Vincent Ambo
c148f89251 fix(sourcegraph): Temporarily comment out our syntax highlighter
We changed away from the default sourcegraph one because it didn't
support Nix, but it seems that there's been a change in the
interaction protocol.

Change-Id: I3a2691df6a87672cf83b819143f25d93d9cd6d13
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3531
Tested-by: BuildkiteCI
Reviewed-by: eta <tvl@eta.st>
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-09-11 14:00:38 +00:00
Vincent Ambo
5e61c5d246 feat(sourcegraph): Upgrade 3.27.5 -> 3.28.0
See b/144

Change-Id: Ia09ad2af6043dcac6681c549103d1e6f52b4e0a0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3522
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-09-11 13:47:10 +00:00
Vincent Ambo
52c040eed5 feat(sourcegraph): Upgrade 3.26.0 -> 3.27.5
See b/144

Change-Id: I50d417c51b05bafcd3fe7e285f30079db8be499a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3521
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-09-11 11:30:37 +00:00
Vincent Ambo
164fc97b4f fix(deploy-whitby): Make diffs world-readable
Change-Id: I1610a8d189f95908bab4cd00057cc080ae47a21a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3530
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-09-11 01:41:36 +00:00
Vincent Ambo
3a80ab2ba5 fix(deploy-whitby): Add .html suffix to diff filenames
This makes nginx' content-type recognition work correctly.

Change-Id: I990b00f1e0f4ef311f53a8885718fa33d249c886
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3529
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-09-11 01:41:36 +00:00
Griffin Smith
9c038cbff0 feat(ops/deploy-whitby): Add the start of a script to deploy whitby
Add the beginnings of an auto-deploy script for whitby, intended to
be (eventually) suitable for running automatically in a systemd timer.
The current iteration of the script doesn't actually do any deploying,
but instead takes as an argument a revision, creates a new git worktree
in /tmp with that revision checked out, runs a nix-diff of whitby's
system derivation in the running system and at that closure, puts an
html-rendered version of that diff in the public directory used by
deploy.tvl.fyi, and finally sends a message to IRC via irccat with a
link to that HTML page.

Refs: b/110
Change-Id: Id40525567f8845590c909568befd8d00c07a481c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3145
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: kn <klemens@posteo.de>
2021-09-10 16:13:20 +00:00
Griffin Smith
79b39bb66e feat(whitby): Serve static HTML dir for deploys.tvl.fyi
Add a new domain and nginx virtual host at deploys.tvl.fyi, serving out
of a static directory on whitby which is created by systemd-tmpfiles.

This will be used to serve diffs rendered by nix-diff for
pending deploys for whitby

Since this contains stateful data, it is added to the restic backups
on whitby.

Refs: b/110
Change-Id: I5869d40800bbf5fb8fb39878a857f66ff5787830
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3144
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-09-10 14:37:36 +00:00
Mike Johnson
9fc206f072 fix(ops/users): Another try at a working password hash for mdjnsn
Change-Id: I8b4aea53abb2004585241ad17c5fdfd9186c58f4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3481
Reviewed-by: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
2021-08-31 20:23:00 +00:00
Mike Johnson
fa8dd0f3ab feat(ops/users): Add mdjnsn to users
Change-Id: I94975d848287c32e11b1d3986986f2dbc6c220b9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3466
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2021-08-31 18:43:49 +00:00
Vincent Ambo
43269730e6 refactor(ops/pipelines): Move failure status zeroing to setup
We changed the configured pipeline in Buildkite to upload
`static-pipeline.yaml` instead of containing the steps of that
pipeline itself.

This makes it easier to test changes to builds and such, but adds
another build step with scheduling overhead etc.

However - we can work around this by killing one of the existing build
steps. There's no reason the failure status zeroing (required for
status reporting) shouldn't be part of the pipeline setup, so I've
moved it there instead and nuked that step.

This should mean that the pipeline is configurable from within the
repo, but without slowing anything down.

Change-Id: I206ecc02647de42a461e33c02879ab84daf5ed2b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3461
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-08-29 12:37:04 +00:00
Griffin Smith
d857d5ad68 refactor(gs/system): Remove chupacabra
This machine no longer exists

Change-Id: I8e549b8397777a01404bd84c10c195e80f281744
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3431
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: tazjin <mail@tazj.in>
2021-08-26 19:41:42 +00:00
Vincent Ambo
60b25b49de fix(ops/pipelines/depot): Buildkite branches use full ref names
... otherwise the filtering also applies to canon.

Change-Id: Ia1c67b99282fb8fd0e4d22e997535170f0326e33
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3432
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
2021-08-26 16:35:44 +00:00
Vincent Ambo
d5ddfb7b96 feat(pipelines/depot): Skip build steps if their out paths exist
Skip build steps if they have already been built, reducing pipelines
to the things that actually changed between builds. On canon all
targets are always built (we require this for anchoring).

Note that this is not perfect, garbage collection and competing
pipelines may affect each other.

Also note that we have some impure targets that change on every
commit.

Change-Id: Ic6bae3b6c8e1e7fd2116ec252f5089f471854ab6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3427
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
2021-08-26 16:29:32 +00:00
sterni
17d78867bb feat(ops/pipelines/depot): only evaluate once if possible
We currently evaluate every target twice -- once when the depot pipeline
is built and once when actually running the build step in question. Nix
evaluation is quite slow especially given heavy use of import from
derivation in depot, so avoiding the second evaluation is desireable.

Evaluating a derivation yields a `drv` file in the nix store which can
be passed to `nix-store --realise` in order to build it eliminating the
need to wait for evaluation. We can obtain the path to the `drv` file
while building the pipeline via `target.drvPath` and remember it for the
build later.

However we need to work around a flaw (or oversight) in Nix's dependency
tracking via string context: This is based on derivations, not output
path (because this is what evaluation deals with, likely). This is no
problem per se, but an issue is that Nix can't express a dependency on
a `drv` file without any of its output paths. This means for us that we
either have to build all output paths at evaluation time (which we don't
want, obviously) or to deal with the fact that the `drv` file we need
may be garbage collected at any moment after discarding the string
context -- then nix is unable to track the reference from the pipeline
to the `drv` file in the store.

So to prevent a race condition between the pipeline and the garbage
collector we fall back to the normal nix-build invocation as we did
before.

Change-Id: I9ef8bd233085dc6e30eba54f403ea03ac2d35748
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3426
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-08-26 15:24:33 +00:00
Luke Granger-Brown
febf340303 fix(tvl-sso): set memory limit to 512M
This is because I'm bored of CAS gradually consuming all the RAM on Whitby.

Change-Id: Idcc14c19d99a6d3553739c5765be3faf2bdf9d84
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3233
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: tazjin <mail@tazj.in>
2021-08-24 16:28:14 +00:00
Griffin Smith
330b7067a0 feat(besadii): Tag gerrit comments as autogenerated
This is a bit of an under-documented feature, but if the "tag" field for
a gerrit review starts with the string
"autogenerated:<something>~<something-else>", only the last comment per
instance of <something> will be shown by default on the CL page (with
the rest viewable by toggling the "Show all entries" switch). The idea
behind the "<something-else>" tag is to be used for the "type" of
comment within a particular system - gerrit's documentation gives the
example of one tag for "the build is running" and another for "the build
has finished, here's the result".

Change-Id: I9199a6ed97beca1b3a51ec5d6230c6c8358ba2b3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3374
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-08-24 13:00:59 +00:00
Vincent Ambo
eb6c7fd3bf feat(ops/dns): Point nixery.dev to whitby
The dropping of `www.` is intentional, that was unused.

Change-Id: I300f82bb6e5626e2658be8fc5b5e3cf872ab7099
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3384
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-08-24 11:53:10 +00:00
Vincent Ambo
f218f2fd56 feat(ops): Serve nixery.dev from whitby
Adds a new module for the nixery.dev domain and serves it from whitby.
Note that the DNS records do *not* point to whitby yet, so deploying
this will lead to a failed TLS provisioning unit - but this is
intentional.

Change-Id: I911f67a0aa24f8df3cb52d2cfc49a8b6132cf718
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3383
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-08-24 11:30:16 +00:00
Vincent Ambo
b033871638 chore(ops/dns): Reduce Nixery TTLs to 1 minute temporarily
We'll need to do a DNS switchover, likely with a short amount of
downtime due to TLS provisioning.

It would be possible to avoid this by provisioning a cert manually
pre-hoc through the DNS challenge and then configuring whitby to use
that, however I simply don't have time for that right now and the
Google Cloud Project for Nixery is going away in O(days) for $reasons.

Change-Id: I88dface5aaacec5acfa525ae117462f8ad296d92
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3382
Tested-by: BuildkiteCI
Reviewed-by: kn <klemens@posteo.de>
2021-08-24 11:30:16 +00:00
Vincent Ambo
03c3d49b87 fix(monorepo-gerrit): Enable adding new email addresses to accounts
This is required when people change their email addresses (e.g.
cl/3349) as nothing in Gerrit will update that information from the
OAuth provider.

Change-Id: I1eafdf22efd37898dcd0d06bb9a5d1471ffb5e31
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3356
Tested-by: BuildkiteCI
Reviewed-by: eta <eta@theta.eu.org>
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-08-15 13:59:18 +00:00
eta
80ecce37b4 chore(ops/users): change my email address to tvl@eta.st
I got a new domain, etc.

Change-Id: Ic8ffc01f4e5e89dc2458d80a9c38757438cfa764
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3349
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
2021-08-13 11:21:19 +00:00
Vincent Ambo
7c16a71156 feat(ops/www): Point images.tvl.* at Nixery
Change-Id: I39f979c68e7b74f6da6a7da0f07aaa470886d451
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3346
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-08-13 10:57:53 +00:00
Vincent Ambo
6cc065ea09 chore(ops/dns): Move nixery.dev to tvl-fyi GCP project
Change-Id: Ifbe7939a98a12d52ffbed3fb198558e6a7743e93
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3344
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-08-12 18:04:30 +00:00
Vincent Ambo
aad636c8ae feat(ops/dns): Add images.tvl.* record
This record is intended to serve Nixery.

Change-Id: I575dedac18c98f9f4bd5e459babe79e850361651
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3343
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-08-12 15:20:27 +00:00
Vincent Ambo
47409b9610 feat(ops/modules): Add module for running Nixery
This sets up a very simple Nixery instance with some things lacking:

* no support for garbage-collecting image fragments (yet)
* no popularity setup

The plan is to use this to get the ball rolling on a separate
domain (e.g. images.tvl.fyi), iron things out and then look into
flipping over nixery.dev

Change-Id: Ic594809f9d487fec7a0f632d608752a3f9c61315
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3280
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-08-12 14:55:59 +00:00
Vincent Ambo
79c9506eea fix(monorepo-gerrit): Pin JVM version used for Gerrit
Change-Id: Ib22cdc415cbd5a8345b9589b2c34b3908996dd57
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3322
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-08-12 13:07:55 +00:00
Vincent Ambo
c72f3a73ee feat(ops/dns): Import current nixery.dev zone
Change-Id: I3c5684fedb516740c7048c117cdfda01a2a23260
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3278
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-08-06 13:24:48 +00:00
Griffin Smith
702594ca64 refactor(ops): Break out prometheus-fail2ban-exporter module
Break out the configuration for the prometheus fail2ban exporter, which
is a simple python script that exports stats from fail2ban as a
prometheus-scrapable textfile, from Mugwump into a reusable nixos module
in //ops/nixos/modules.

Change-Id: I5451c9c5de6c7bc4431150ae596a9c758bf1b693
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3136
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-06-12 15:51:49 +00:00
Vincent Ambo
b36a75a223 fix(wigglydonke.rs): Don't rebuild nginx config unnecessarily
This fix is essentially the same as the one in cl/1263.

Change-Id: I27be280a610914fcfbb6d7fee7aebaa56b993812
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3158
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
2021-05-25 17:10:50 +00:00
Vincent Ambo
65be8f20e0 chore(nixpkgs): Bump channels to 2021-05-25
* users/grfn/system/home/yeren: remove obsolete awscli2 overrides

* ops: make new isSystemUser || isNormalUser assertion happy

* users/grfn/system/system/mugwump: make buildkite agents system users

* users/tazjin/nixos/camden: set isSystemUser = true for git

* users/tazjin/emacs: Remove missing & broken packages

* third_party/openldap: remove, as the argon2 module is now enabled upstream

* third_party/gerrit_plugins: Pinned new unstable hashes

* third_party/nix, third_party/grpc: Disabled CI as these are broken

* third_party/overlays/emacs: Bumped version to stay in sync with channel

* third_party/buzz: Update LIBCLANG_PATH to reference libclang.lib,
  since libclang's default output no longer contains libclang.so

* users/grfn/system/home: Install julia-stable instead of julia (which
  aliases to julia-lts), as the latter depends on an insecure version of
  libgit

Change-Id: Iff33b0ecb0ef07a82d1de35e23c40d2f4bf0f8ed
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3001
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
2021-05-25 17:09:28 +00:00
Vincent Ambo
878957d2f6 chore(whitby): Add ZNC state to Restic backups
Until we have declarative ZNC config (which requires a solution for
secrets handling in it), make sure we back this up as well.

Change-Id: Idb186327da171eb6d3dbbd83801639f1f9321a40
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3159
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-05-25 08:15:19 +00:00
Vincent Ambo
46b136c22e fix(tvl-slapd): Replace deprecated OpenLDAP module options
Use the new module settings which apply configuration in cn=config
instead of slapd.conf.

The module performed this update via lib.mkChangedModuleOption, I've
applied the transformations contained therein manually. Note that some
of the settings were already in place, which means that the `suffix`
and `database` options seemingly disappear into the void.

Fixes b/105.

Change-Id: I8a968c1eb8cb7827618cb732cdb46006a5d011f9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3157
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-05-24 22:52:59 +00:00
Vincent Ambo
4a89bcd6a5 refactor(ops/nixos): Pass depot as a special argument
This changes the evaluation order for the `depot` argument and ensures
it is partially evaluated before the module system starts resolving
imports.

This way we can import modules from `depot.path` without `depot`
having to come from readTree.

Fixes b/129.

Change-Id: Icf4dd2be15011055dac8b27e991a4ff6a12bf827
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3156
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-05-24 21:48:37 +00:00
Cynthia Revström
ab7c409530 chore(ops/users): Update email address for cynthia
Change-Id: Ieb59d9215c5c1159113375dea0dd96d3d29e1303
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3154
Reviewed-by: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
2021-05-24 20:22:53 +00:00
Klemens Nanni
a26c4a1c77 fix(ops/users): Rehash password for kn
This time using `tools.hash-password` because login did not work with the
initially created hash.

Change-Id: I1eb62a496d2d8497d27573af47bf8bf70dac9bbb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3153
Reviewed-by: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
2021-05-24 18:31:10 +00:00
Klemens Nanni
c420f122f3 feat(ops/users): Add kn
Change-Id: Ib615743fc57357b0de17600c9a3f400c48fd0f70
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3151
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
2021-05-24 17:30:36 +00:00
Griffin Smith
4aa8f7d7e3 feat(dns): Add record for deploys.tvl.fyi
This will be used to serve (nix-) diffs for pending deploys of whitby

Change-Id: Ia864993b1fcb3b7ce5fcc21f32a27528a4c31f08
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3149
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-05-23 21:22:17 +00:00
Vincent Ambo
4b584e5259 fix(whitby): Fix irccat configuration for incorrectly named option
irccat is passing the realname option as the ident of the user, which
doesn't match what is in ZNC.

It hasn't seen any upstream commits in a long time, so I'm just
leaving this as is and fixing it locally in our config.

Change-Id: I3bf865f37b8df9c1cd891a94245ca3fad376bbe1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3150
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
2021-05-23 20:34:10 +00:00
Vincent Ambo
9bb8736a45 feat(whitby): Let sterni bear the wheel
Change-Id: Ib4f7dcbdc754d2fc271f501a9ea270e983a3645f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3147
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-05-23 19:06:15 +00:00
Vincent Ambo
6c243d40a3 fix(ops/users): Fix hash format for cschilling
Change-Id: Ib0c53e8f6bc030cbdfe31020ed9d6764bd732a62
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3146
Reviewed-by: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
2021-05-23 17:53:47 +00:00
sterni
c8dff5fc5f feat(ops/users): Add cschilling to users
Change-Id: I8afc23c749a5318d7c2ce893903980112ff13c12
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3137
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: tazjin <mail@tazj.in>
2021-05-23 12:41:09 +00:00
Griffin Smith
75f19a05a1 feat(whitby): Enable fail2ban
I like running fail2ban on any machine that has stuff like ssh
world-open, to limit the potential for password brute-force attacks etc.

Change-Id: I0c60811ae5a2fddb44f04679fb455e646b8e39c5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3138
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-05-23 12:40:00 +00:00
Vincent Ambo
780bb86eff chore: Replace Freenode mentions with HackInt
This doesn't replace all of them in the repo, but at least the ones
that are relevant to our move.

Change-Id: I842e7594b4c16af30d880272417874f6b29afd22
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3134
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: grfn <grfn@gws.fyi>
2021-05-22 21:37:13 +00:00
Vincent Ambo
687f978b1c feat(ops/owothia): Add owothia module and deploy on whitby
This configures owothia to use her new bouncer to HackInt.

Change-Id: I80eb8191c2b0f2a6f8a31d19b60250ade27c1913
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3129
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-05-22 19:40:45 +00:00
Vincent Ambo
814feed0ce chore(whitby): Move clbot to HackInt
Points clbot at the new local ZNC instead. This will make it part of
the things happening through the `tvlbot` account.

Relates to b/101

Change-Id: I1c15ffa5720d3af34475c15bee3fdaa537ac659b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3127
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
2021-05-22 17:57:32 +00:00
Vincent Ambo
1aad1d9beb chore(whitby): Move irccat & panettone notifications to HackInt
Change-Id: I6bd5c183d2c1c28b8c6b0201bdf22a66333d4aea
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3131
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-05-22 17:52:01 +00:00
Florian Klink
48b052c1e4 feat(whitby): Add shadowsocks server
This adds a shadowsocks service, running on port 8443, tcp and udp.

The password is read from /etc/secrets/shadowsocks-secret.sec, and needs
to be populated externally.

Change-Id: I6797150db108ba14459502dee43d8e4ed6cfa910
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3125
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-05-22 13:28:36 +00:00
Florian Klink
cd2e889f41 feat(apereo-cas): move away from 127.0.0.1:8443
The following commit itends to bind on port 8443 on all interfaces,
so let's move this to something else.

Change-Id: Ibb94a0f4e6892b6e543b542b89bcdaaefb617f23
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3126
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-05-21 11:33:13 +00:00
Vincent Ambo
5036ae4376 feat(whitby): Initial ZNC configuration
Bouncer to be used for TVL's IRC bots, see b/101

Change-Id: Ic9f71ecd94365d3baa31e0552b1ce16362f94557
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3124
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2021-05-21 11:30:42 +00:00
Vincent Ambo
dbb011850a fix(ops/nixos): Fix typo in NIX_PATH name
Change-Id: Ic29b219ca1c536f8a99860ecdf2957a62ba95889
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3123
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2021-05-20 23:11:02 +00:00
Vincent Ambo
c7af7ca91d chore(sourcegraph): Increase nofile ulimit for Sourcegraph
Sourcegraph logs warnings about this on startup otherwise. Unclear
to what degree it really affects operation though.

Change-Id: I6ee7c5358631aafd9a7f8155150361bf7499314d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3098
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-05-06 19:28:14 +00:00
Vincent Ambo
55c4b8d4c0 fix(ops/www): Fix typo in nginx configuration
Change-Id: I5ee7307acae548cc7779fe715ea4aad620fe8f5c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3096
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-05-05 09:48:49 +00:00
Vincent Ambo
7926482f1c feat(ops/www): Configure atward.tvl.fyi and its aliases
Change-Id: I20dfb057f8184899226bcb4527010a6982d426f0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3094
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-05-05 09:02:58 +00:00
Vincent Ambo
47d07e7b5f refactor(atward): Configure listen address
This appeases the flokli.

Change-Id: Ib6a6c1a2cc8780e7944913d9204b42505b29fdc0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3093
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-05-05 09:02:58 +00:00
Vincent Ambo
790c0d938e feat(ops): Add NixOS module for atward
Very standard, nothing fancy.

Change-Id: Ibb286f221a4752abfb62e971b98e9496357040f5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3090
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2021-05-03 23:47:30 +00:00
Vincent Ambo
5b45eae276 feat(ops/dns): Add hostnames for atward (at.*, atward.*)
The shorter one is going to be more convenient when we get
go-link (or, well, at-link) support.

Change-Id: Ic24adcdad679b893c40c87731add818660259dac
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3091
Tested-by: BuildkiteCI
Reviewed-by: isomer <isomer@tvl.fyi>
2021-05-03 22:55:36 +00:00
Evgeny Zemtsov
e98afefc00 feat(ops/users): Add ezemtsov to users
Change-Id: I78a06540e97c0f294d81abe65c15122ed422dd8a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3059
Reviewed-by: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
2021-04-28 21:38:54 +00:00
Vincent Ambo
54f59a5cc5 feat(ops/modules/www): Disable FLoC tracking for all TVL pages
.. this is actually likely not disabling it for some pages, that will
need this to be copy & pasted, but it's hard to tell just from the
nginx docs. We'll make sure after deploying.

Change-Id: I2fa6e31ca10835a206673b858594fa071e729d82
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3020
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-04-20 10:44:43 +00:00
Vincent Ambo
5f19e8e6a7 refactor(ops/nixos): Ensure that pkgs == depot.third_party.nixpkgs
This is currently done ad-hoc in a bunch of our systems, but we should
just do it centrally.

The commit message is a bit of a lie, as this doesn't yet update
grfn's systems.

Change-Id: Ic771c1a1da78ec5de9cffbf94c296dce5e11fd84
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3047
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-04-20 10:43:19 +00:00
Vincent Ambo
7e74e17931 fix(automatic-gc): Fix garbage collection script
It needs to refer to this by full path of course.

Change-Id: I911c876ba18877681accb722426314d92b9f2318
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3042
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2021-04-18 09:44:04 +00:00
Vincent Ambo
75d507223b fix(modules/automatic-gc): Add nix-daemon to requisites
This will require the daemon to be running when launching GC, but
won't start it if it happens to not be running for some reason.

Change-Id: If48fe336030173f028428fc00a81d339ef4b8bce
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3015
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-04-14 19:53:14 +00:00
Vincent Ambo
cc903bc3b0 feat(ops/modules): Add module for automatically collecting garbage
Adds a module that automatically collects garbage based on disk space
thresholds, and configures it to run hourly on whitby.

This is implemented as an alternative to cl/2937, which I've been told
uses a Nix feature that doesn't actually work.

Under-the-hood this is simply a systemd timer running a shell script
which checks available disk space and runs GC when necessary.

Change-Id: I3c6b5de85b74ea52e7e16c53f2f900e0911c9805
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3014
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-04-14 19:37:21 +00:00
Luke Granger-Brown
a0cfa097e0 feat(whitby/grafana): use CAS SSO
There's a hard-coded list of Admin usernames for the moment. We should
revisit this and get an actual groups setup in LDAP that's propagated
through...

Change-Id: Ic3601f1a9753573076769f4912038e9f1b60e139
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2982
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
2021-04-13 00:08:36 +00:00
Vincent Ambo
da5512f2e9 feat(whitby): Enable Grafana at status.tvl.su
Enables a Grafana service pointing to whitby's local Prometheus
instance, accessible at status.tvl.su.

I've no idea how to configure Grafana and if it's possible to link it
to CAS, but we'll see about that later.

Notes:
* the explicit fixpoint for whitby config has been removed as we
  have the `config` parameter available now
* backups are enabled for the Grafana storage location

Change-Id: If5ffe0c1a3378d1c88529129487c643642705fd2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2948
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-04-12 22:01:05 +00:00
Vincent Ambo
f520bd40ca refactor: Replace 'depotPath' with 'depot.path'
Instead of having two ways of accessing the path to the depot (one of
which was stuttering, depot.depotPath) we settle on only one:
depot.path.

This was mostly used for NixOS module imports.

Co-Authored-By: Florian Klink <flokli@flokli.de>
Change-Id: I2c0db23383fc34f6ca76baaad4cc4af2d9dfae15
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2962
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-04-12 21:55:07 +00:00
Vincent Ambo
e09b44bdec chore(besadii): Stop passing explicit messages to Buildkite
Dropping the message field will make Buildkite use the commit messages
instead, which makes for much more readable build logs.

Change-Id: I1849f811632526893b700f117c9f6cf64888c329
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2949
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-04-12 17:42:36 +00:00
Vincent Ambo
adc9d026e0 feat(whitby): Enable Prometheus instance on whitby
Enables Prometheus with a local node exporter, and nothing else for
now.

Some additional collectors have been enabled for things that might be
relevant on whitby:

* systemd: all our services run in systemd
* processes: might be interesting for build-related stats
* logind: might be interesting for interactive usage stats

Change-Id: I48dacdd9c68b4be9edff7b3cb6256dad562498c4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2930
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-04-12 17:32:48 +00:00
sterni
0e6ac814c6 feat(ops/pipelines): pass --show-trace to nix-build
--show-trace should make it easier to debug tricky evaluation errors
without running nix-build -A ops.pipelines.depot locally again.

Change-Id: Ice540562c3b389fc2a49ec1fc0adacb17db2a528
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2947
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-04-12 15:50:43 +00:00
Griffin Smith
6266c5d32f refactor(users/glittershark): Rename to grfn
Rename my //users directory and all places that refer to glittershark to
grfn, including nix references and documentation.

This may require some extra attention inside of gerrit's database after
it lands to allow me to actually push things.

Change-Id: I4728b7ec2c60024392c1c1fa6e0d4a59b3e266fa
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2933
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: glittershark <grfn@gws.fyi>
2021-04-12 14:45:51 +00:00
Vincent Ambo
90281c4eac refactor(ops): Split //ops/nixos into different locations
Splits //ops/nixos into:

* //ops/nixos.nix - utility functions for building systems
* //ops/machines - shared machine definitions (read by readTree)
* //ops/modules - shared NixOS modules (skipped by readTree)

This simplifies working with the configuration fixpoint in whitby, and
is overall a bit more in line with how NixOS systems in user folders
currently work.

Change-Id: I1322ec5cc76c0207c099c05d44828a3df0b3ffc1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2931
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: glittershark <grfn@gws.fyi>
2021-04-11 22:18:22 +00:00
Vincent Ambo
9073ac18c4 fix(pipelines/depot): Buildkite refers to branches by full ref
This change is required to run the  step on canon builds.

Change-Id: Ib3cebac67c9f5337b27a948f120b0a9ba834ef2a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2932
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: glittershark <grfn@gws.fyi>
2021-04-11 21:18:59 +00:00
Vincent Ambo
d7b89df748 feat(ops/pipelines): Add gcroots for depot builds on canon
Adds a conditional build step that only runs on the canon branch, and
only if 🦆 (the status reporting step) succeeds, which creates a
new Nix GC root for all depot targets named `depot-canon`.

In practice this might be a bit racey, as canon builds are not
guaranteed to succeed in order (though it is likely). This shouldn't
matter much in practice: We only want to prevent rebuilds of the whole
world.

This fixes b/102

Change-Id: Id3d0bf4158bffcb1ed6929888a29d31609b6ece1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2904
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>
2021-04-11 20:09:53 +00:00
Vincent Ambo
6c3585f764 fix(tvl-buildkite): Set agents' primary group to buildkite-agents
This ensures files created by the Buildkite agents are always owned by
the same group, without having to manually chgrp afterwards.

Change-Id: Idbaedec43c16b2ee137d1a95719a05d46db8f900
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2929
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2021-04-11 16:03:17 +00:00
Vincent Ambo
473604f567 refactor: Move nixpkgs attribute to third_party.nixpkgs
Please read b/108 to make sense of this.

This gets rid of the explicit list of exposed packages from nixpkgs,
and instead makes the entire package set available at
`third_party.nixpkgs`.

To accommodate this, a LOT of things have to be very slightly shuffled
around. Some of this was done in already submitted CLs, but this
change is unfortunately still quite noisy.

Pay extra attention to:

* overlay-like functionality that was partially moved to actual
  overlays (partially as in, the minimum required to get a green
  build)

* modified uses of the package set path, esp. in NixOS systems

Special notes:

* xanthous has been disabled in CI because of issues with the Haskell
  overlay
* //third_party/nix has been disabled because of other unclear
  dependency issues

Both of these will be tackled in a followup CL.

Change-Id: I2f9c60a4d275fdb5209264be0addfd7e06c53118
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2910
Reviewed-by: glittershark <grfn@gws.fyi>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2021-04-10 21:18:55 +00:00
Vincent Ambo
d8ec573bc7 feat(ops/nixos/www): Enable short links for b/ and cl/
This configures accepting requests for b/ and cl/ on plain HTTP ports,
and redirecting to b.tvl.fyi & cl.tvl.fyi appropriately.

Additionally, Panettone request URIs that only contain decimals are
redirected to `/issues/$request_uri` to enable issue short-links.

This fixes b/32.

Change-Id: I56954d8d69a3624267778b467520c509f4daa6c5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2908
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-04-10 15:33:55 +00:00
Vincent Ambo
f205d8ee73 feat(gerrit): Auto link 'cl/123'-style shortlinks
Same as linking to bugs (e.g. b/108).

Change-Id: I447020bc07059c98c53322d745f961d8d471d9a4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2919
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2021-04-10 15:28:59 +00:00
Vincent Ambo
9c5b5600ea refactor(ops): Consistent use of depot.third_party vs. pkgs
In preparation for the solution of b/108, we need to consistently use
`depot.third_party` for packages that are only packed in the TVL depot
and `pkgs` for things that come from nixpkgs.

This commit cleans up a huge chunk of these uses in //ops

Change-Id: I00faeb969eaa70760a26256274925b07998c2351
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2915
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-04-10 12:09:20 +00:00
Vincent Ambo
4b78875726 feat(tvl-buildkite): Add all buildkite agent users to a local group
This lets us grant permissions to them, e.g. on local folders.

Change-Id: I823ac414be1cb7d6baa4f17d95003709e5911b04
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2905
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-04-09 19:58:28 +00:00
Vincent Ambo
c021370213 refactor(whitby): Extract Buildkite agents into a module
There will be more Buildkite-agent specific configuration, and it's
already more than just the module setup, so extracting this makes
sense.

Change-Id: I56ce205c0cb4365317ed7ed5f2d525a0b425b861
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2906
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-04-09 19:08:24 +00:00
Luke Granger-Brown
6d008f6412 feat(gerrit-tvl): add Buildkite-backed Checks plugin implementation
This small(*) pile of JavaScript queries the Buildkite API for the
latest builds for the depot and displays the results in the rebooted
Check UI.

Change-Id: I7025a1c6d0d0afa000a9df4682133e03824ea10d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2881
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-04-07 11:19:04 +00:00
Luke Granger-Brown
21765a1407 feat(ops/gerrit-tvl): init TVL Gerrit plugin
This is just going to be a grab bag of things which do TVL-specific
things to Gerrit, whether that be exposing new Prolog predicates or, as
I intend to do as the first thing, expose Buildkite builds as checks.

Change-Id: Iaeab987a1fdbd078b85e274691c986489903bf3a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2872
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-04-06 18:43:04 +00:00
Vincent Ambo
0f1d3de26f feat(whitby): Configure nix-serve on cache.tvl.su
Having a slow cache is better than having no cache.

Change-Id: Ie3cfcd4a2937d90b0e2ad899816bc31ae806631f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2847
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-04-04 18:54:19 +00:00
Luke Granger-Brown
8ae128af77 feat(monorepo-gerrit): use CAS for authentication
This drops the old LDAP configuration and uses CAS instead. All hail the
hypnotoad.

Change-Id: I515a213f09073bb52bfb75afe2988b935a076087
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2783
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-04-03 19:11:18 +00:00
Vincent Ambo
5111d9d493 feat(www/tazj.in): Add a temporary route for serving static blobs
Until I come up with a better idea.

Change-Id: Ie44cae4c2df264cbe1a70f5ebcca814262dd2800
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2771
Reviewed-by: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
2021-04-03 11:44:51 +00:00
Luke Granger-Brown
0456de3733 chore(ops/nixos): finish removal of depot.nix
All user configs and modules have been migrated to using the depot
module parameter. All hail the hypnotoad.

Change-Id: Ic05c61fccba3ac505a339283b6ef3105a2d0711c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2765
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-04-02 18:00:14 +00:00
Luke Granger-Brown
b35e358eb5 refactor(ops/nixos): migrate to depot module arg
Previously the depot argument was provided as config.depot, but the "new
way" of doing things (which is more like the args list provided in the
rest of the depot) is to provide this as the "depot" NixOS module
argument instead.

Change-Id: Ib48b1c7c1bdff9c1eb0618c6cbacc22b651f5f98
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2763
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: glittershark <grfn@gws.fyi>
2021-04-02 18:00:14 +00:00
Luke Granger-Brown
4bfcd09682 refactor(ops/nixos): add "depot" argument to NixOS modules
For the moment I've opted to not import all of the other things we'd
usually provide to things imports via readTree, because I think it's a
bit dangerous to accidentally overwrite things like NixOS' notion of
"lib" with our own version.

So for the moment, baseModule provides only "depot".

Change-Id: I3db9132a3d9227055d4c1b00f02effcb84edcc53
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2760
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-04-02 18:00:14 +00:00
Vincent Ambo
817cd6f166 feat(ops/nixos/www): Enable tvl.su aliases for dev tools
This is not for the domain root though, as that's going to be
something else eventually.

The canonical URLs are the .fyi ones (at least for now), and some of
these tools will eventually generate links that make user sessions
started from *.tvl.su converge on *.tvl.fyi.

Relates to b/98

Change-Id: I1c3bcf72a3063059002e4b0bdd57c269a410a8bc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2758
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2021-04-02 11:10:51 +00:00
sterni
8cc1dcf588 feat(ops/users): add milan to users
Change-Id: I77e5e9a0ae1bf2ee59ac4967c5481b9044f97934
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2757
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-04-02 10:21:37 +00:00
sterni
27b300fe34 feat(ops/whitby): add sterni to trusted users
I am somewhat trustworthy… maybe? Also I tend to gc depot stuff so ssh
serve would be neat.

Change-Id: I4672f20a32a756692dd156b5e40e5a7f37ba5ad0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2660
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: glittershark <grfn@gws.fyi>
2021-04-02 10:21:32 +00:00
Vincent Ambo
53d8dd6a1e feat(ops/nixos/www): Serve rendered Tvix component SVG (hack!)
This is a quick hack to make it possible to view the rendered SVG on
https://code.tvl.fyi/about/tvix/docs/components.md

We want to be able to do this sort of thing dynamically in the future,
but we can't yet, so ... well. Deal with it.

Change-Id: Id2b819679d748b6f517018a9c6e72d5c1d806c4c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2743
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2021-03-31 23:10:54 +00:00
tazjin
99148c9b8f revert(monorepo-gerrit): Revert to using cgit for Gerrit
This reverts commit 3b05be2fd0.

Reason for revert: Sourcegraph still does not support fetching arbitrary refs, so we'll have to wait until its Gerrit integration lands before this will work correctly.

Change-Id: Icee82c50f92c34ba1741b608449aed16538ccbaa
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2721
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-03-31 21:48:06 +00:00
Vincent Ambo
03a2616ccb feat(ops/dns): Add GSuite site aliases for tvl.su
Change-Id: Ib18b5bef23a198e7ca031f48290cf0ff0655d8dd
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2687
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2021-03-27 11:06:56 +00:00
Florian Klink
372b35dffa feat(ops/nixos/whitby): add flokli user
Change-Id: Ibdb5b498f8bbc837fffdb38cdf95499b279773aa
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2683
Reviewed-by: lukegb <lukegb@tvl.fyi>
Tested-by: BuildkiteCI
2021-03-26 20:31:48 +00:00
Vincent Ambo
93af4644ab chore(ops/users): Purge some inactive users from LDAP
Change-Id: Iab2d2d6b7096ef302ea2fd8b051041426c6c8ca6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2670
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>
2021-03-26 20:00:22 +00:00
Florian Klink
3026891302 feat(ops/users): Add flokli to users
Change-Id: I87ca0f20663ff858237f641ef2245778601e0416
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2671
Reviewed-by: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
2021-03-26 19:31:37 +00:00
Vincent Ambo
743993d7b1 feat(ops/dns): Configure email settings for tvl.su.
Change-Id: Ida5beca7b4efd39fad15ba220dc1fc887ed79b4c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2669
Tested-by: BuildkiteCI
Reviewed-by: adisbladis <adisbladis@gmail.com>
2021-03-26 19:31:10 +00:00
Vincent Ambo
5a90c8276b feat(ops/dns): Add Google Workspace verification for tvl.su.
Change-Id: I44db2bca7aa5814bbefd8943d727cc66ab800fd5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2668
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-03-26 18:26:34 +00:00
Griffin Smith
f2963cffcd fix(ops/whitby): Set tcp congestion control to bbr
Some quick testing shows that this improves my data transfer speed to
whitby by roughly 200%.

Change-Id: Id94de975b1ae0930f8d0fe038582dbac0037676c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2659
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: ben <tvl@benjojo.co.uk>
2021-03-26 02:42:37 +00:00
Vincent Ambo
d34c527372 refactor: Replace some uses of builtins.toFile with pkgs.writeText
I'm looking at removing some of these because they can cause
unnecessary build steps during CI pipeline generation.

Change-Id: I84742968918090c050d2eedab8a1b42692632a42
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2655
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2021-03-25 19:14:36 +00:00
Vincent Ambo
a747b46f19 chore(ops/nixos): Update Sourcegraph to 3.26.0
Reading through the changelogs, this includes the following two
changes that may require us to do something:

* For users of single-image Sourcegraph instance, please delete the
  secret key file /var/lib/sourcegraph/token inside the container before
  attempting to upgrade to 3.21.x.

* A campaigns.restrictToAdmins site configuration option has been
  added to prevent non site-admin users from using campaigns.

Change-Id: Ieacf85a9059ad5222800f8d7d4a43435f489a39f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2638
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-03-22 20:46:31 +00:00
Vincent Ambo
1c719cdc14 feat(ops/dns): Add status subdomain
I want to host something like Vigil[0] on this to show the status of
Gerrit, SourceGraph and maybe other components.

(Yes, the status page will be on the same infrastructure ... but this
is mostly for service failure cases).

[0]: https://github.com/valeriansaliou/vigil

Change-Id: If71496300b94035976a685d9bf166d525d89fc5e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2637
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-03-22 16:15:07 +00:00
Vincent Ambo
2f7cb2b6c4 chore(whitby): Remove SSH key from root
This was a leftover from the time we were installing.

Change-Id: Id875b907d7f76081a45e7f8f2666b7fba6aefc86
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2632
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>
2021-03-21 18:04:22 +00:00
Vincent Ambo
6e94b3ca2f feat(tazjin/nixos): Initial check in of new host (tverskoy)
This is my new X13 AMD Thinkpad, on which many fun things will be done.

Change-Id: I4de114a8c5ebb37d2f4844f407d2dc0e7cc9557e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2620
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-03-21 00:55:58 +00:00
sterni
c32e8424be refactor(ops/dns): use drvTargets for meta.targets population
Since we have a dedicated util for this, we may as well use it
to reduce code duplication.

Change-Id: Ie52647be8c786d0b6a4dceb2fa6778b94625fafc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2604
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-03-15 22:16:19 +00:00
Vincent Ambo
5b9229186f feat(ops/dns): Configure tvl.su zone
Change-Id: I6016d92e9c231a257e06644dfcf44a4aaa12ac4d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2601
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-03-15 21:23:35 +00:00
Vincent Ambo
b4e87f8254 feat(ops/dns): Import tvl.fyi DNS zone into depot
Imports the current state of the tvl.fyi zone and configures simple CI
checks on the file format.

No deployment automation exists for this (yet?).

Change-Id: Ia7d72e02b9f6d3adef994c5dc1898cc0df9dfcfb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2600
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-03-15 21:23:35 +00:00
Adam H
4d193f2395 feat(users/adisbladis): Add to users
Change-Id: I2a3532605c602dd6ba44a6c723333db219a55907
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2599
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-03-13 19:55:24 +00:00
Vincent Ambo
c9726d8a00 chore(ops/journaldriver): Expand wildcard imports
... to appease Profpatsch.

Change-Id: Id8576645a6920312c2304ea7880524d9cda8e21b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2544
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-02-24 14:07:22 +00:00
Vincent Ambo
3a45e029af fix(ops/www/tazj.in): Force SSL for git.tazj.in redirect
Change-Id: If5b8096cb693d96936f9b954e2ebe3dc9b63af66
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2521
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-02-10 17:56:29 +00:00
Vincent Ambo
8d7c24d3db fix(ops/www/tazj.in): Redirect git.tazj.in to our cgit
Change-Id: Ia0be95e2618aeb4f8d394a8e3602c73faec0d72f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2508
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-02-10 17:38:05 +00:00
sterni
e91d5e4e61 fix(config): remove ciBuilds inherit
The ciBuilds attribute seems to no longer exist and it breaks the
evaluation of the config attribute. It's only appearance was in
besadii which doesn't actually use the attribute.

Removing the ciBuilds inherit fixes these issues.

Change-Id: Ibbf3413ba6efe10ad868cf57cf0711d574860f97
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2487
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-02-06 17:54:18 +00:00
Profpatsch
e7ad8143e4 fix(ops/piplines/static-pipeline): add --show-trace to nix-build
Change-Id: Ib0473f916b1436934844e620ce981f52d11e8512
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2467
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-01-30 09:02:09 +00:00
Vincent Ambo
8f57ca92bd chore(3p|nix): Remove typed Go
Nobody has actually done any experimentation with typed Go, so we're
getting rid of it for now - it's causing annoying IFD during build
graph generation.

Change-Id: Ibac3dea98ebed1b3ee08acda184d24c500cf695d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2458
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-01-30 08:20:45 +00:00
multi
4ac51ea504 chore(users/multi): remove user from the depot.
This commit removes my user directory in the depot, my user account on whitby,
my entry in the LDAP database, and my entry in the website graph. I've had my
fun with TVL, but I want to move on to spending time on some other things.

This additionally removes aranea from the website graph, which they have
requested in private.

Change-Id: I2d098c8fe239f20d9f6c6cbf66a3dfb4a955a4cf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2436
Tested-by: BuildkiteCI
Reviewed-by: multi <depot@in-addr.xyz>
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-01-23 21:13:39 +00:00
V
29db630a39 chore: Remove banned user
Change-Id: Icd61f7c567a327c74a4f381168e94737b2b30702
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2422
Tested-by: BuildkiteCI
Reviewed-by: edef <edef@edef.eu>
Reviewed-by: tazjin <mail@tazj.in>
2021-01-19 10:30:19 +00:00
sterni
2d136e0327 feat(todolist): use static slapd user data for knownUsers
Since the slapd data is static and generated using nix, we can simply
move the user list into ops/users, so it's recognized by readTree and we
can use it as ops.users both in ops/nixos/tvl-slapd and web/todolist as
a general purpose user registry for depot.

Update docs/REVIEWS.md as well.

Change-Id: I35caaaab70a5578c47cedc7f33077dd513766290
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2419
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-01-18 23:18:55 +00:00
Vincent Ambo
c033229a61 chore(ops/whitby): Move ACME registrations to an @tvl.fyi address
Change-Id: I371550aa456c0fb64da4789feed494cc50497522
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2410
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: glittershark <grfn@gws.fyi>
2021-01-18 00:54:33 +00:00
Vincent Ambo
e4976c49dc feat(ops/nixos): Serve tazj.in from whitby temporarily
camden.tazj.in (the host in my flat) is going down as my belongings
are being moved into storage.

Change-Id: Id66512fd2ec6dbdcb6dfc3862af49cfadb15cfa1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2405
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: glittershark <grfn@gws.fyi>
2021-01-17 05:42:55 +00:00
multi
2fe90c34c0 feat(ops/nixos/whitby): Enable remote use of whitby for my Thinkpad.
My main workstation is a Thinkpad without a great deal of compute
power available, so enabling the use of whitby as both a substituter
(services.sshServe) and a remote builder (openssh.authorizedKeys) will save me
some time when working on nix things and depot things.

Change-Id: I17bfcbb9860f42fb667603ad819e38e82e6052da
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2399
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Tested-by: BuildkiteCI
2021-01-15 13:06:33 +00:00
sterni
e93a2fc48f feat(ops/nixos/whitby): add sterni user
Change-Id: Ia6790913ea2777a9d4ca89830436623766991c13
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2368
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-01-13 22:05:33 +00:00
sternenseemann
dd323b5c0d feat(tvl-slapd): add sterni to slapd
Change-Id: I4b832f60c69e1bdd1a6bf0595d523c052aa8f794
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2348
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-01-11 10:58:52 +00:00
Vincent Ambo
88bf43878f chore(3p): Bump NixOS channels to 2020-12-28
Changes:

* ops/nixos/tvl-slapd: The NixOS module for OpenLDAP has removed the
  ability to configure OpenLDAP directly and now forces users to use
  some kind of weird Nix->OLC mapping that is mostly undocumented.

  This moves the config we need to the new format in a way that may or
  may not work and does the other arbitrary dance steps that someone
  decided to impose on us. Note that this now throws lots of warnings,
  but I can't be bothered to fix them.

* 3p: Random package removals accomodated

* users/glittershark: Pin grfn's kernel to 5.9, because the CK patch
  is not yet updated for 5.10

* users/glittershark: Update vendor hash for pg-dump-upsert, I suspect
  this changed because of something in the Go build machinery in
  nixpkgs. The deleteVendor flag also has no effect anymore and has been
  removed.

* users/glittershark: agda build is broken, commenting out development
  home-manager environment until it can be fixed

* third_party/haskell_overlay: updating random needs upper boundarles
  of a few dependencies relaxed (curse them)

* third_party/gerrit_plugins: for some cursed reason the fixed-output
  hash of the gerrit owners plugin fetchgit changed, updated.
  Same for the checks plugin.

Change-Id: Ica37995fe8039d3ba80eab643867f98795c56734
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2295
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
Reviewed-by: glittershark <grfn@gws.fyi>
Reviewed-by: tazjin <mail@tazj.in>
2021-01-09 13:21:00 +00:00
Vincent Ambo
4a86a06466 chore(whitby): Double number of build users
more = betterer

Change-Id: I6d5414d6ebb087e7f9fb912d5a514c31ebcd8b7e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2296
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-12-26 14:56:20 +00:00
Vincent Ambo
c3bbb861b8 fix(whitby): Include lukegb's & grfn's SSH keys in initrd
Change-Id: I8921d645b1a81510e04314e519195c1c01d3fd14
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2286
Reviewed-by: lukegb <lukegb@tvl.fyi>
Tested-by: BuildkiteCI
2020-12-20 22:03:39 +00:00
Vincent Ambo
86ec8c1b94 fix(whitby): Disable git's gc.autoDetach feature
This feature can cause object removal to happen while the git folder
is in use in Buildkite, causing CI to fail semi-reegularly.

Change-Id: Ide1a9b2f1761be029e97a058c1983b4cff5e27bf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2285
Tested-by: BuildkiteCI
Reviewed-by: multi <depot@in-addr.xyz>
2020-12-20 17:54:19 +00:00
Griffin Smith
d4fb573cf7 feat(gs/system): Init yeren
My new work laptop, a dell XPS 13.

Change-Id: Ieab06622c9b280182025edfa63adf649e5fc70d8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2205
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>
Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-11-30 00:03:50 +00:00
Luke Granger-Brown
b344ae8783 fix(cl.tvl.fyi): Correct Gerrit shortlink redirects.
Before: http://cl.tvl.fyi/123 -> https://cl.tvl.fyi:80/c/depot/+/123/
After: http://cl.tvl.fyi/123 -> https://cl.tvl.fyi/c/depot/+/123/

I think Jetty changed it's behaviour, and Gerrit is now configuring it
incorrectly.

Fixes #88.

Change-Id: I9238c0922b9f627e06eb81fa99dc748dada8909a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2202
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>
2020-11-29 11:50:53 +00:00
Jamie McClymont
3cbef06629 feat(tvl-slapd): add jamie to slapd
o/

- Jamie

Change-Id: I9c21e9a58c4514160f08133465a9cca720055cbf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2148
Reviewed-by: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
2020-11-26 00:36:06 +00:00
Griffin Smith
64ef09c475 feat(whitby): Move wigglydonke.rs to whitby
Mugwump is too unstable for such an important internet service

Change-Id: Ic714200ce5ce51f366777f538b4a6f443f010960
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2124
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2020-11-22 22:55:49 +00:00
Griffin Smith
9f4d37e5df feat(ops/nixos): Give all nixoses a config.depot
Add the depot.nix module and a depot config option to all nixos system
derivations that're build through the `bin/rebuild-system` machinery.
I can't imagine a scenario where we wouldn't want this level of
integration.

Change-Id: Ieeb98db2eee23919256adb4654bc45d540e055ec
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2128
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-11-22 21:59:58 +00:00
Vincent Ambo
73c862279a feat(ops/pipelines): Check in the static pipeline
This file represents the static pipeline which is configured in the
Buildkite web UI. Updates to this file should be applied in the admin
interface.

These steps are responsible for launching the dynamic pipeline
evaluation, or falling back to the fallback pipeline if evaluation fails.

Change-Id: I6d7dd623cde65e8c69faea729f737c9bba00c2fb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2103
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>
2020-11-17 22:33:11 +00:00
Vincent Ambo
1857334d37 feat(ops/pipelines): Add a fallback Buildkite configuration
This adds a simple fallback Buildkite pipeline configuration which
always fails the pipeline, but correctly reports back the failure
status.

Note that this also requires changes in the Buildkite configuration
that is not in version-control.

Relates to b/66.

Change-Id: I6802a6f76448c3893798a06d514e6ccba0f50dd2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2102
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>
2020-11-17 22:33:11 +00:00
Vincent Ambo
77097f8056 feat(ops/panettone): Add configuration for irccat
Adds configuration options for the (inconsistently named) environment
variables that configure irccat integration with Panettone.

The defaults match the irccat setup on whitby.

Change-Id: I6857512a2e3f29f16777493eb981cc69ce3c045f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2080
Tested-by: BuildkiteCI
Reviewed-by: kanepyork <rikingcoding@gmail.com>
2020-11-17 22:00:52 +00:00
Vincent Ambo
1442c5c8ac feat(whitby): Enable irccat module
Enables irccat, running as 'tvlbot' on ##tvl and ##tvl-dev and listening on TCP 4722.

Change-Id: Ia1eb533d0aacb0c15d6b3fa1cfd854ffbce27d23
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2075
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>
Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-11-08 18:38:08 +00:00
Vincent Ambo
cbfcf14301 feat(ops/irccat): Add a NixOS module for launching irccat
This module configures irccat by creating a JSON configuration file
from a user-supplied Nix struct (this is not checked for correctness),
and merging it recursively with secrets from
`/etc/secrets/irccat.json` at service launch time.

This way we get the ability to configure (most) options declaratively
via Nix, while providing the secrets outside of Nix.

Side note: We need to figure out a secrets distribution mechanism.

Tested: Wrote a dummy config in whitby/default.nix locally and checked
that this builds, but I have not actually run the service yet. I
expect that some minor tweaks will end up being necessary.

Change-Id: I02a2e8dc40a7f8417fd77afcf8a12ac3df117988
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2074
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: glittershark <grfn@gws.fyi>
2020-11-08 18:38:08 +00:00
Vincent Ambo
e84f9ef0ad fix(whitby): Use new IRC bouncer location for clbot
... I found this location in the logs, because the certs are now valid
for this, but I'm not actually sure if it's right.

Change-Id: I5ac88073e3bf6a95fead4c1d34515622c4416c6a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2070
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-11-05 14:22:01 +00:00
Griffin Smith
e39b7e002c feat(ops/nixos/paroxysm): Set Restart = "always"
Sometimes (like today) paroxysm crashes. We'd like it to restart if that
happens.

Change-Id: I98841096bcd6605c4279744ae5c65a9c92092a21
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2069
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2020-11-05 13:30:42 +00:00
Elis Hirwing
2a6be2b484 feat(tvl-slapd): add etu to slapd
Change-Id: I39ecf2167fd65f305853bf0e48c6208d94a5bf1f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2055
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2020-10-22 13:26:25 +00:00
htbf
41f1b01ba4 feat(tvl-slapd): add htbf
Change-Id: I6da03700708bcafc4f476b01c0a27d27fb85cc4a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2050
Reviewed-by: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
2020-10-18 02:20:19 +00:00