Refactors //ops/sync-gcsr, which was previously responsible for
synchronising the git repository between GCSR and the git.tazj.in cgit
instance, to simply be responsible for triggering builds on sourcehut.
This program is intended to run as a git post-update hook.
Note: Not yet feature complete, as interpolation of concrete git
values and also sourcehut secrets is missing.
Enables the journaldriver service to forward logs into a "home"
log-stream in the "tazjins-infrastructure" project.
The service account key for camden has been placed on the machine
manually.
This change, which I've been meaning to do for a while, renames the
attributes passed by readTree to things in the tree so that:
* the depot root is now 'depot'
* depot.third_party is additionally passed as 'pkgs' (for
  compatibility with exported subtrees)
It's broken at the moment: https://hydra.nixos.org/build/105746055
Also it pulls in GHC which is a pretty big dependency.
(cherry picked from commit b4e260d887441fde9ab568dff7c21a77d7cff904)
- At the top of the release notes, we announce sandboxing is now enabled by default,
then at the bottom it says it's now disabled when missing kernel support. These
can be merged into one point for clarity.
- The point about `max-jobs` defaulting to 1 appears unrelated to sandboxing.
(cherry picked from commit 5d24e18e29ea1fff8fa316701fd95be6941da770)
Otherwise `chmod .`'ing the build directory doesn't work anymore, which
is done in nixpkgs if sourceRoot is set to '.'.
(cherry picked from commit f8dbde0813c4e8beed6dfd09b093589e027a6675)
At the moment there is no other way for requests from nugget to camden
to resolve correctly, as the Hyperoptic router is eating this traffic
on the LAN.
Adds a user & group which are configured to own the local depot copy,
and a cgit service to serve it.
The depot checkout was configured as:

    mkdir -p /var/git && chown git: /var/git
    # now, as the git user, in /var/git
    git clone --bare ... depot
    chmod -R g+rw /var/git
    chmod g+s (find /var/git -type d)
    git init --bare --shared=all depot

My personal user is a member of the git group, which means that after
the above configuration I can push to the bare repo as my user and
things work.
Also, crucially, the `post-update` hook must be enabled as cgit uses
the dumb HTTP transport.
This nginx does not currently log access correctly because for some
impenetrable reason (as is tradition), neither /dev/stdout nor
/dev/fd/1 exist for nginx at runtime. This is probably systemd's
doing, but I'll debug it later.