Commit graph

901 commits

Author SHA1 Message Date
Vincent Ambo
053643c66f chore(ops): remove images.tvl.fyi
I don't even know what this is/was.

Change-Id: I743efa88258bbc13b7a3d4b8de8df222325b00ed
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9553
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
2023-10-06 09:17:22 +00:00
Florian Klink
c1a77e01b8 fix(ops/modules/tvl-buildkite): add /run/wrappers/bin to $PATH
It looks like since cl/9341, the tvix buildkite pipeline fails.

We're not yet sure what's causing it, it might be the lack of the
`fusermount` binary in $PATH.

Change-Id: Ie95678fbd07201e96ca3d43b53827781b49f1f46
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9386
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: Connor Brewster <cbrewster@hey.com>
2023-09-24 19:30:15 +00:00
Vincent Ambo
8de0d6ad48 chore(ops/glesys): point nixery.dev to nixery-01.tvl.fyi
Change-Id: I0bfa713511f1565bd2fa9b3c1989fda16e8dfa4a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9428
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2023-09-22 17:52:23 +00:00
Vincent Ambo
1fe6c0c7fa feat(ops/glesys): add DNS record for nixery-01 host
Change-Id: I9fe8497688764a6a0934a2c02264f93b2078fb1c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9427
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2023-09-22 17:52:23 +00:00
Vincent Ambo
6b607976ea feat(ops): add nixery-01 instance for hosting nixery.dev
Change-Id: Ida21ac7240a532bb6063b362155f2b14b2859aae
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9426
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2023-09-22 17:52:23 +00:00
Vincent Ambo
9eede1c4df chore(ops): move yandex-cloud image module out of corp
Change-Id: Idc8cc3a640fc895cd3882e93a193212adb743abb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9425
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2023-09-22 17:52:23 +00:00
Florian Klink
2aa0c70245 chore(ops/modules/www/code.tvl.fyi): add missing go get redirect
This was missing in cl/9370.

Change-Id: I02048b0e65d1192e9e300160bb8f78fe30a70da1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9405
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: Connor Brewster <cbrewster@hey.com>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-09-22 17:36:05 +00:00
Florian Klink
32f41458c0 refactor(tvix): move castore into tvix-castore crate
This splits the pure content-addressed layers from tvix-store into a
`castore` crate, and only leaves PathInfo related things, as well as the
CLI entrypoint in the tvix-store crate.

Notable changes:
 - `fixtures` and `utils` had to be moved out of the `test` cfg, so they
   can be imported from tvix-store.
 - Some ad-hoc fixtures in the test were moved to proper fixtures in the
   same step.
 - The protos are now created by a (more static) recipe in the protos/
   directory.

The (now two) golang targets are commented out, as it's not possible to
update them properly in the same CL. This will be done by a followup CL
once this is merged (and whitby deployed)

Bug: https://b.tvl.fyi/issues/301

Change-Id: I8d675d4bf1fb697eb7d479747c1b1e3635718107
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9370
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Reviewed-by: Connor Brewster <cbrewster@hey.com>
2023-09-22 12:51:21 +00:00
Eugene Lomov
95ee688f03 feat(ops/users): add totikom to users
Change-Id: Id2577449ec0a52f8c16f13150896ec0680f02051
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9325
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: tazjin <tazjin@tvl.su>
2023-09-12 22:11:57 +00:00
Vincent Ambo
c82b926e31 chore(ops/yandex-cloud-rs): bump API definitions to 2023-09-04
Change-Id: I6ef83796a01014b01ac8aef6c7f500863f5cbf03
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9305
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
2023-09-12 12:57:15 +00:00
Florian Klink
9786255267 feat(ops/modules/code.tvl.fyi): fix go get for tvix store protos
There's a go.mod in in tvix/store/protos, which sets the module path to
code.tvl.fyi/tvix/store/protos.

While this path makes kinda sense, it's currently not possible to `go
get` it from that location, as we serve the cgit interface from there.

Fortunately, `go get` has a mechanism to determine clone URLs for a
given go module path, as documented in https://go.dev/ref/mod#vcs-find.

We simply need to serve a small HTML file at that path, describing the
proper clone URL.

This points the clone URL for code.tvl.fyi/tvix/store/protos to a josh-
provided subtree of just :/tvix/store/protos, which will contain the
root go.mod file.

We need another layer of indirection as nginx can't have an `alias`
directive inside a conditional block (but can have a redirect).

Contrary to https://b.tvl.fyi/issues/299#comment-464, it seems to work
for our usecase. It might become a problem if we actually serve `go.mod`
files in a nested fashion at some point, but let's look at that once we
get there.

Fixes b/299.

Change-Id: Idcad795105af5d57e6d06de6e232881dccf9110b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9290
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Reviewed-by: adisbladis <adisbladis@gmail.com>
Reviewed-by: tazjin <tazjin@tvl.su>
2023-09-10 11:43:29 +00:00
Vincent Ambo
e187a7bcb1 feat(ops/modules): deploy //web/pwcrypt to signup.tvl.fyi
I verified on whitby that the password hashes generated by
//web/pwcrypt are compatible with our OpenLDAP, so it's time to make
this thing public.

Change-Id: Icc2f095ca7ce4acff6de91a1642dea6461177423
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9266
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
2023-09-05 14:44:36 +00:00
Vincent Ambo
816f76494c feat(ops/glesys): delegate signup.tvl.fyi to whitby in DNS
Change-Id: I7ca1e970228239e87581fd4d65c50334932d85a5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9265
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2023-09-05 14:44:35 +00:00
Vincent Ambo
bde9bc1c1d fix(ops/nixery): switch nixery.dev to stable nixpkgs channel
The current unstable has a bunch of breakage which people have been
reporting, lets move the public instance to the stable channel until
that is sorted out.

Example breakage: https://github.com/tazjin/nixery/issues/159

Change-Id: Id5eb11ebd235928b85c01c178c32da3badea517f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9126
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-08-22 15:01:02 +00:00
Vincent Ambo
7d69e82be3 feat(tvl-users): grant wheel privileges to flokli
Flokli needs deploy access to whitby to ~~break auth~~ experiment with
Dex.

Change-Id: If39763192961e227ee569a312f6a0e3ae2c10786
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9113
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-08-21 11:06:51 +00:00
Vincent Ambo
b12cd279a4 fix(ops/whitby): remove tazj.in module
this moved out of whitby some time ago (to koptevo.tazj.in), but is
now causing failures because of ACME cert renewal

Change-Id: I4da5512db0d85d416511a1d10f784e978c5ccc93
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8948
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2023-07-10 08:22:07 +00:00
Alain Zscheile
56c776d9e9 fix(users): rename zseri -> fogti
in accordnace with similar renaming on other sites
(e.g. GitHub, Exozyme, chaos.social)

My experience with exozyme tells me that fully applying
this change might require manual editing of gerrits database
anyways to fix broken references/patch ownerships.

Change-Id: I024ff264c09b25d8f854c489d93458d1fce7e9f4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8919
Autosubmit: lukegb <lukegb@tvl.fyi>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: zseri <zseri.devel@ytrizja.de>
2023-07-07 20:06:02 +00:00
sterni
a72e67c8af feat(tools/git-r): git subcommand to display r/numbers for commits
Sadly, this can't quite be an alias (which would be difficult to
automatically set up anyways), since we want to check if an r/number is
part of the (upstream) canon branch.

The test script for the subcommand doubles up as a soundness check for
our pipelines ref creation.

Change-Id: I840af6556e50187c69490668bd8a18dd7dc25a86
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8844
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: flokli <flokli@flokli.de>
2023-07-05 12:37:09 +00:00
Florian Klink
bfeef06d5d chore(ops/secrets): drop oauth2_proxy.age
This was already removed from whitby a while ago, no reason to keep
this secret.

Change-Id: I4742dd0138a3eff91325c94e44e64b72c644ee3c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8915
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2023-07-01 23:35:14 +00:00
Florian Klink
6020b71752 chore(ops/keycloak): drop oauth2-proxy client
Nothing is using this, so it can be removed.

Change-Id: I1b812b6df89d4f79ed313e646e141909519c6083
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8914
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: flokli <flokli@flokli.de>
2023-07-01 23:35:13 +00:00
Florian Klink
5f42c8132d chore(ops/modules): remove oauth2_proxy module
This was dropped from whitby itself in cl/8905, but didn't drop the
module because we were worried someone else might still be using it.

However, this relies on the "oauth2-proxy" client ID, which only has the
following supported redirect uris (as per ops/keycloak/clients.tf):

 - https://login.tvl.fyi/oauth2/callback
 - http://localhost:4774/oauth2/callback

… which means, noone can really run this properly anyways, so let's
drop it.

We can always restore it from git.

Change-Id: I7d700f59a62cce1254ad4ba0792a7d7b3960b769
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8913
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
2023-07-01 23:35:13 +00:00
Vincent Ambo
763c57b456 chore(ops/whitby): remove broken oauth2_proxy service
this never worked and was never used, but for now the module itself is
still around in case somebody wants it for something

Change-Id: Id8e449e08c8012786bca0ea57d9c7b97056a1f3d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8905
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-06-30 20:21:24 +00:00
sterni
f46a0f7d6e chore(ops/whitby): drop obsolete grub version option
Change-Id: I8f89f00d3eca5cef23dc7698208b08e0b6826393
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8854
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2023-06-23 23:20:51 +00:00
Vincent Ambo
8cdad7d45c feat(ops): introduce (head|tail)scale server at net.tvl.fyi
This runs a headscale server on sanduny which lets users join their
machines to the TVL tailscale network.

This would theoretically let people communicate with each other on the
internal network, but also more notably joined servers can advertise
exit node capability so that we can have our own "VPN network", for
starters with endpoints in Germany, UK and Russia (whitby, sanduny and
koptevo respectively).

This setup isn't fully stable yet, notably:

* The IP range used by tailscale is just the default one right now,
  I'm not sure if that should be changed or what.

* The system is stateful (on sanduny), but the state is not (yet)
  backed up anywhere. Use with caution.

* Machine joining is a manual process requiring SSH & root access to
  sanduny.

  The process is to log in to sanduny, then get a headscale shell with
  `sudo -u headscale bash`, and to use the `headscale` CLI within
  there to administrate access.

  I've opted to create a user account `tvl` for TVL-owned machines,
  and a personal account for myself and my machines.

Change-Id: I4f1be1fe8062a6c2e77203ff72fe8709f4e4dec8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8837
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-06-22 13:23:14 +00:00
Vincent Ambo
15152e0d11 feat(ops/glesys): add net.tvl.fyi CNAME for sanduny
This will host a headscale server for TVL.

Change-Id: I8769852aaaf7a02a2d63f48ecf5adfd86747ff72
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8835
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2023-06-20 12:21:10 +00:00
Vincent Ambo
2936a95efd fix(ops/modules/quassel): use systemd LoadCredential to read certs
This avoids permission issues with nginx vs. quassel

Change-Id: I770f8284d8fd8fc6d38add93c1681f9daebe8749
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8786
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-06-15 21:34:36 +00:00
sterni
d2fa4e7c86 chore(3p/sources): Bump channels & overlays
* //ops/modules/depot-inbox: Adapt to upstream option type declaration.
  See nixpkgs commit b6ed3b8f402893df91a8e21ce993520301c2f076.

* //ops/machines/sanduny, //users/tazjin/polyanka:
  Remove boot.loader.grub.version options (no longer has any effect).

* //users/sterni/emacs: reflect rename emacsPgtk -> emacs-pgtk

* //3p/overlays: update tdlib to match emacs-overlay

* //3p/overlays: give EXWM from depot a separate name

* //users/grfn/system/home: disable Slack support in ntfy

Change-Id: I03bde088bc70e05b23925f244899807210cb7b20
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8547
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2023-06-15 17:09:02 +00:00
Vincent Ambo
d5748475d8 fix(ops/yandex-cloud-rs): fix dev-dependencies for examples
Change-Id: Ib99755d2b49464a6a30442b696ecfeda03038066
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8767
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-06-14 10:06:37 +00:00
Vincent Ambo
ded30c1ba9 docs(ops/yandex-cloud-rs): link to folder with usage examples
Change-Id: If2596b5a3dc542dca9a06a51a5a0f509034665c8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8766
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-06-14 10:06:37 +00:00
Vincent Ambo
1bdb3e5ba8 chore(ops/yandex-cloud-rs): bump API definitions to 2023-06-13
Change-Id: Iad2d85eaffe96de0cf9ecb490fe5ba87209e1005
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8765
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2023-06-14 10:06:37 +00:00
Vincent Ambo
2e893dca1d refactor(ops/yandex-cloud-rs): allow TokenProvider impls to fail
It's actually quite common that a token provider might fail, for
example when fetching a token from instance metadata.

Change-Id: Ie0126fb92c6c613ad36b5583fd68505fdd97f2c1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8764
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2023-06-14 10:06:37 +00:00
Vincent Ambo
ed388f019a chore(ops/yandex-cloud-rs): re-export some tonic types
These are useful for downstream users of the library, who might not
need all the rest of the tonic stuff.

Change-Id: Iab4d941696ae3c7a33b25815b72f92598aa82b80
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8763
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-06-14 10:06:37 +00:00
Vincent Ambo
6f912f5ecf fix(ops/yandex-cloud-rs): add Bearer prefix to auth token
Change-Id: I27d23de0598e3ca926a85cba3022f2dfff25f6be
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8762
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2023-06-14 10:06:37 +00:00
Vincent Ambo
6d9ebd7b7c chore(ops/yandex-cloud-rs): bump API specs to 2023-05-23
Change-Id: Ibc98d3878690099d6d95dfe1a2741d551ed7a72a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8608
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-05-23 10:17:24 +00:00
Vincent Ambo
03958a5446 chore(ops/yandex-cloud-rs): explicitly set include in manifest
This makes publishing a bit easier without the build script
interfering and other wonkiness.

Change-Id: Iadb144aabbdeabae8899ebdc62636315239e5f08
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8601
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
2023-05-19 09:42:47 +00:00
Vincent Ambo
fd92ea9be3 fix(ops/yandex-cloud-rs): set license in Cargo manifest
Change-Id: Icc15953557585cbb2708a1267ab509caca8b258e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8600
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-05-19 09:29:44 +00:00
Vincent Ambo
1076b509ae chore(ops/yandex-cloud-rs): bump API definitions (2023-05-19)
Change-Id: I0c4e77587b9fac14017449eb6a4630265b07950e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8599
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-05-19 09:23:08 +00:00
Vincent Ambo
e9efa579a7 docs(ops/yandex-cloud-rs): add developer-facing README
Mostly to remind myself about the wonky release process.

Change-Id: I76ea8d9a2ed600ebb31f4b1a5368f3cefa0556d6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8598
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2023-05-19 09:23:08 +00:00
Florian Klink
14a8ea9eab feat(ops/terraform/deploy-nixos): make target_user_ssh_key optional
In case `target_user_ssh_key` points to an empty string, nixos-copy.sh
just doesn't set `IdentityFile=` at all.

This allows using deploy-nixos without any explicitly passed ssh keys,
but picking up whatever ssh setup the user has configured locally.

Change-Id: If335ce8434627e61da13bf6923b9767085af08a5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8576
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-05-16 09:55:23 +00:00
sterni
b22b685f0b chore: address renames of boot & tmp related options
Change-Id: I78f2116a63675fff5a36826b3e5390798ab9db9f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8526
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: flokli
2023-05-11 10:10:58 +00:00
Florian Klink
b58f6f1d61 feat(ops/modules/open_eid): add support for Web eID extension
Most likely due to bad UX in browsers for hardware-backed TLS client
cert auth, most websites have switched from client-side TLS to the "Web
eID" extension.

Once installed, the extension uses [Native Messaging] to talk to a
`web-eid-app` application, which handles the communication with the
smart card itself.

This can be tested on https://web-eid.eu/ .

The commit needs nixpkgs to be bumped past
https://github.com/NixOS/nixpkgs/pull/227354 .

[Native Messaging]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging

Change-Id: Iffe6d81ecf7cee25406fa39a983ff52cf669c373
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8490
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-04-28 13:14:24 +00:00
Vincent Ambo
ea1383682d feat(ops/yandex-cloud-rs): generated gRPC clients for Yandex Cloud
This uses tonic to generate the full set of gRPC clients for Yandex
Cloud. Includes some utility functions like an authentication
interceptor to make these actually work.

Since the upstream protos are exported regularly I've decided that the
versioning will simply be date-based.

The point of this is journaldriver integration, of course, hence also
the log-centric example code.

Change-Id: I00a615dcba80030e7f9bcfd476b2cfdb298f130d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8525
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2023-04-28 12:50:33 +00:00
Johannes Kirschbauer
f1ca5a3096 feat(ops/users): Add hsjobeki to users
Change-Id: Ib5f8c314d2c7ad6af948ff23754eeb895b1f1e94
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8529
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: flokli <flokli@flokli.de>
2023-04-28 11:17:20 +00:00
Florian Klink
2363a194cd fix(ops/modules/open_eid): use libdigidocpp.bin
nixpkgs commit 134036f642a7f3ba9efeab509727c0989458b02b moved the
digidoc-tool binary to the `bin` output, so this wasn't actually
providing the digidoc-tool binary anymore.

Change-Id: Id5f7cc69d55b7cc058a6361512cc74de0e7bc1b2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8487
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
2023-04-19 09:11:34 +00:00
sterni
faa45f076d chore: adapt to ssh option renames
Change-Id: I6fc2aaefe40e449bd1937bb68f3a2ab4abaa5cd0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8372
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
2023-04-11 14:29:06 +00:00
sterni
96d7f4f0ac chore(3p/sources): Bump channels & overlays
* Satisfy new assert that the corresponding shell needs to be enabled
  via programs.* if it is as the login shell of at least one user.

* //users/tazjin: “Address” removal of hardware.video.hidpi option.

* //3p/gerrit: update fetch sha256

Change-Id: Id0988a0ea7f393d6b7848a7104fc3526ee1177f4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8407
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-04-07 09:20:33 +00:00
Florian Klink
e9686f84d9 fix(views/kit): communicate :unsign in the tvl-kit URL directly
Instead of prepending :unsign to all URLs in josh-proxy, and for all
calls to filteredGitPush, explicitly use it only in the filter we use
for the `export-kit` extraStep.

This means, people cloning tvl-kit via

> https://code.tvl.fyi/depot.git:workspace=views/kit.git

now need to update the URL to point to

> https://code.tvl.fyi/depot.git:unsign:workspace=views/kit.git

instead.

git@github.com:tvlfyi/kit.git will keep the same hashes, as it's updated
to export the unsigned workspace view of it.

This is less invasive than dooming every josh workspace to have to strip
signatures.

Change-Id: I6de05182fad4c3695081388c3bbf37306521d255
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8369
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-03-31 08:46:01 +00:00
Vincent Ambo
73c12f7c4f fix(ops/www): allow all indexing on cl.tvl.fyi
I *want* search engines to index our CLs, they might be useful!

Change-Id: I956d92c80d812e1aefefb6daeba77a1588055b94
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8361
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
2023-03-29 12:17:56 +00:00
Vincent Ambo
0965600fe6 feat(ops): serve Tvix website & docs on (docs.)tvix.dev
Change-Id: I198ea197867f9b9a48e51665d0665f722202e02e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8299
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-03-14 22:10:40 +00:00
Vincent Ambo
790eac5a5c feat(ops/glesys): add CNAME for docs.tvix.dev
Change-Id: Ie1994ac4d14344c82ae184f4e3cd9f5292d96c84
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8297
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-03-14 21:59:40 +00:00
Vincent Ambo
3370724062 feat(ops/glesys): point tvix.dev at whitby
Change-Id: Ied022e6c1a8039a9db375a8593afb76edcaa6dbd
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8295
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-03-14 21:59:40 +00:00
Florian Klink
f7439d2526 fix(ops/terraform): s/TARGET_ADDRESS/TARGET_HOST
We missed renaming this as well while iterating over
https://cl.tvl.fyi/c/depot/+/7950.

Change-Id: I704d3b60bb3beb1a2148e27bdd4a49075a6649b3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8230
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-03-08 16:59:19 +00:00
Vincent Ambo
89d9ce39b4 chore(3p/josh): update josh to recent master commit
It's been a long time since we updated josh, almost 400 commits in
between. I read through the entire changelog, and here are relevant
josh commits from in between that might be interesting to us:

  38eecee Fix optimisation bug for compose filter (#1159)
  e1d10b6 Add :rev(...) filter
  0f1a07b Initial implementation of refs locking (#929)
  88cea2a Initial work on meta repo support
  030ad93 Change magic refs to include "for"
  28b1d75 Add split changes feature (#904)
  1f908d7 Discover filters only on HEAD (#774)
  a368d8f Make --require-auth only apply to push
  8d80230 Add :linear filter (#741)
  3460ec2 Implement redundant refs filtering (#700)
  55b4e50 Implement stacked changes support (#699)
  ea1f814 Handle @sha urls by creating magic ref (#690)
  883a381 Run filter discovery only on changed refs (#685)
  4bb004f Prepend refs/heads to base parameter as default (#664)

Of particular interest is a368d8f, which allows us to drop our
authentication patch and use the standard --require-auth flag again.

The default behaviour of dropping signatures on commits (which are
invalid after filtering) has also been changed in josh, now only
occuring when the `:unsign` filter is present. Since this breaks
commit hashes with our existing exported histories, we are opting to
set a `:unsign` filter prefix on all proxy requests to ensure that the
hashes stay consistent.

During this update we found a bug (josh#1155) which was fixed in the
commit that this CL moves josh to.

Change-Id: I3afac1619f3aa90313a0441da91f0e4a96fe0a3b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8186
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-03-07 16:46:54 +00:00
Florian Klink
774194652b feat(ops/terraform): add trigger to deploy-nixos, remove target_name
This allows passing in custom triggers to trigger a (re)deploy.

For example, a caller can put an AWS instance ID into the triggers to
cause a redeploy whenever the instance ID has changed.

The `target_name` terraform variable was doing something similar, but
`triggers` is more generic, allowing multiple triggers, without having
to stringify them.

We also don't need to trigger on the attrpath - it can be changed, and
as long as it still evaluates to the same
`data.external.nixos_system.result.drv` (which is checked on every
plan), no redeploy needs to be made.

Change-Id: I94ce787a50830b87b6f53c08e042e4abe4036bdd
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8191
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: flokli <flokli@flokli.de>
2023-03-03 14:53:43 +00:00
Florian Klink
c3750079f7 feat(ops/terraform): allow specifying an entrypoint for the attrset
This adds an additional parameter `entrypoint`, pointing to a .nix file
(or a directory containing a `default.nix` file) that's providing the
attribute path asked for.

If not set / kept at the default (empty string), it falls back to the
root dir of the repository as before.

Change-Id: I2e63114f21660c842153ac15424b3491d66624d2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8190
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
2023-03-03 14:53:43 +00:00
Vincent Ambo
dbca46d052 feat(ops/terraform): add module for deploying NixOS system closures
This module makes it fairly easy to deploy NixOS system closures using
Terraform, while properly separating the evaluation of a
derivation (to determine whether a deploy is needed) from the building
and copying of the closure itself.

This has been on my stack for a while. It was originally developed for
Resoptima, who agreed to open-sourcing it in depot back when we
completed our work with them. Their contribution has been acknowledged
in the README.

Co-Authored-By: Florian Klink <flokli@flokli.de>
Change-Id: Ica4c170658cd25f1fb7072c9a45735fcc4351474
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7950
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-03-03 10:48:13 +00:00
Alyssa Ross
3c68159b81 chore(whitby): enable zram swap
Whitby has a lot of memory, but I've still been fighting with the OOM
Killer trying to build a few big packages at the same time.  Besides,
it's generally a good idea to always have swap available even if
there's lots of memory for caching optimisation reasons[1], and zram
swap is efficient enough to basically provide bonus memory for free.

[1]: https://haydenjames.io/linux-performance-almost-always-add-swap-space/

Change-Id: I1fbe60f7975ebfa38e341e0de76848ec79b6fcf0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8065
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2023-02-11 12:14:35 +00:00
Alyssa Ross
08b300aaa8 chore(ops/modules): add a GECOS for my user
This way, I won't have to teach my name one at a time to every program
that wants to know my it (e.g. git).

Change-Id: I45ddd9c2343a10cd4c13bacd9a97b7470db95c14
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8038
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-02-09 09:43:48 +00:00
Florian Klink
30c4454056 fix(ops/buildkite): set default_branch explicitly
It looks like this needs to be set for the tvix pipeline to succeed.

It was set to `canon` for `tvl-kit` (not sure if manually, or some
autodetection previously did it for us that's not present anymore).

Anyways, this sets it to how it's set in the web interface, to hopefully
fix it.

Change-Id: Ic3eb60e3f421fa949a84dcdaa928823ff45f679a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8008
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
2023-02-01 17:25:06 +00:00
Florian Klink
88d86741dc feat(ops/pipelines): trigger tvix buildkite pipeline
Change-Id: I4e81694b9686f977a6590c5e1703a4ef413b0cf4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8003
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-02-01 17:11:50 +00:00
Florian Klink
4a7ec1006d feat(ops/buildkite): add tvix pipeline
Change-Id: Ie701e0b77c596e07600efd1a59749d05068f0dbc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8006
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
2023-02-01 17:11:50 +00:00
Vincent Ambo
8ed81cf755 feat(ops/secrets): add flokli to terraform secrets access
Change-Id: I9ede20028560f2da0fef89dfe431609c21bda51c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8005
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-02-01 16:39:32 +00:00
Florian Klink
964367044d feat(ops/secrets): add key for flokli
Change-Id: I52299b39d1d68ee1b700b631f70ef809af682e26
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8004
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-02-01 16:25:54 +00:00
Vincent Ambo
3caa4c4aa4 fix(ops/www): increase buffer memory size for auth.tvl.fyi
Keycloak seems to have decided today that it will now send headers
that are larger than what the nginx default configuration can handle.

The numbers are a mix of made up and taken from random nginx voodoo
posts on the internet, so they're as good a guess as anyone's.

Change-Id: If037bcba48eee371cc96304b150276c669930c75
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7992
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
2023-02-01 09:30:24 +00:00
Vincent Ambo
9a500c3e9b chore(journaldriver): bump version number
Changes basically only include dependency bumps. This is r/5656.

Change-Id: If2ad8914c45b61de6525e2640a15d167fef1dfd4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7819
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2023-01-13 08:31:14 +00:00
Vincent Ambo
6e66e988df chore(journaldriver): simple dependency bumps
This bumps all dependencies to their newest version that does not
require code changes.

Change-Id: I7c7f01ce08de0cced86bab93b441327d3061f12d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7818
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2023-01-13 08:24:03 +00:00
Vincent Ambo
d62c7ddfda feat(ops/modules): enable mail address obfuscation in public web UI
Change-Id: I47b5313bee84893d405f86aefb3682cda3cfc6d7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7637
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2022-12-29 20:11:24 +00:00
Vincent Ambo
45fa75c0cd fix(ops/modules): list IMAP server on public-inbox page
This fix can only be applied after the upstream public-inbox
fix (https://github.com/NixOS/nixpkgs/pull/207693) has been merged.

Change-Id: I957473e2895b7e57baad25c9e908b36aa790f3a6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7636
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
2022-12-29 20:11:23 +00:00
Vincent Ambo
ee7a724b60 fix(ops/pipelines): explicitly set contexts for annotations
I think what might be going on with b/231 is that the annotations
somehow started conflicting because they don't have contexts set.

Lets try setting a context and see if it changs anything ...

Change-Id: I62ed57f9e24f08e4e7215f05d35cfa769e2e2c24
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7640
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-12-28 16:35:20 +00:00
Vincent Ambo
62e19a8321 feat(web/inbox): add landing page for inbox.tvl.su
This landing page explains how to use the public-inbox.

Change-Id: I37d74decad5173ab35051970593f1d28001af2b4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7645
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2022-12-28 08:17:45 +00:00
Vincent Ambo
eb62cb1421 style(ops/modules): add inbox email address to public-inbox header
Change-Id: Ib7d9089b63bba7ebc44d3438ed284e752f0595e9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7638
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2022-12-28 08:17:45 +00:00
Vincent Ambo
6552cf03b3 feat(ops/modules): enable NNTP on inbox.tvl.su
Change-Id: Iec564860a247fe51a5549129be294a3629645519
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7635
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2022-12-28 08:17:45 +00:00
Vincent Ambo
e665f53621 feat(ops/modules): enable IMAP access for public-inbox
This sets up IMAP on inbox.tvl.su:993

I added a hack to work around problems with the NixOS ACME module.
Spent way too much time of my life with problems with that module, so
I only use it with blunt force these days. Others are welcome to make
a cleaner solution.

Change-Id: Ice828766020856cf17d2f0a5b4491f4cec8ad9b4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7633
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-12-28 08:17:45 +00:00
Vincent Ambo
81fd9caf3e docs: change email address mentions to depot@tvl.su
This is the new address which leads to the public inbox at inbox.tvl.su

Change-Id: I45d98a373b8acda49b05c4f74669ffb9ad1f1a3c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7632
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2022-12-27 19:46:11 +00:00
Vincent Ambo
e68c2f3736 feat(ops/modules): index incoming mail in public-inbox
Change-Id: I8a3e2c0e789057fd1edd015ccb8fdcc0cbb52cd8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7631
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2022-12-27 19:46:11 +00:00
Vincent Ambo
aa0197ab83 feat(ops/modules): configure offlineimap for depot@tvl.su
On the machine running public-inbox, this will start automatically
fetching mails from depot@tvl.su and making them available to
public-inbox.

Change-Id: I2469207bd41d64eba747a74ae5fda9fed548cc83
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7630
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2022-12-27 19:46:11 +00:00
Vincent Ambo
477873d7ea feat(ops/secrets): add secret for IMAP to depot@tvl.su
Change-Id: If3b3981e5d68ceba2bcc85ed0ad9cc0b46148b74
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7629
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2022-12-27 19:46:11 +00:00
Vincent Ambo
d446143413 feat(ops/modules): set up public-inbox at inbox.tvl.su
Initial setup which does not yet include fetching mails at all, this
is for now only going to display a manually populated view of the
existing mailing list while the rest of this stuff is set up.

Change-Id: Ie1235bd257c9056fe37d0740dfca771ebdd880eb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7628
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2022-12-27 19:46:11 +00:00
Vincent Ambo
3b59f1edc1 feat(ops/glesys): set up DNS record for inbox.tvl.su
Change-Id: I85365e5e0bb3e464b439266cb6efad9b2e3763cb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7627
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2022-12-25 10:27:29 +00:00
Ryan Lahfa
a553e758f1 feat(ops/users): add raitobezarius to users
Change-Id: Ia6cb935f4358526891ece20538d0fa60cfc81095
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7621
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-12-24 21:52:14 +00:00
William Carroll
9166a9915a feat(wpcarro/nixos): Support kyoko
Yet Another NixOS System

Change-Id: I29590c5e7c2a651f3ef56642018649dddd9f06b6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7297
Reviewed-by: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: wpcarro <wpcarro@gmail.com>
2022-12-12 18:46:16 +00:00
aaqa ishtyaq
2afcbbc451 feat(ops/users): add aaqaishtyaq to users.
Signed-off-by: Aaqa Ishtyaq <aaqaishtyaq@gmail.com>
Change-Id: I0ee0142d6a57c05347de45305d333d1b705928e9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7552
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-12-10 15:16:32 +00:00
Vincent Ambo
ee4b95e470 fix(ops/modules): regularly restart panettone for b/225
Change-Id: I27565e0e462ecb431d0f82bb3f6026b1eb369279
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7504
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-12-05 09:40:38 +00:00
Geoffrey Huntley
eda6b93505 feat(ops/users): add ghuntley to users
Fixed syntax error in the original patch (superfluous quote).

Co-authored-by: sterni <sternenseemann@systemli.org>
Change-Id: I9b6aac345906def185e30f2a9bbecde84848863a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7527
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
2022-12-05 01:01:39 +00:00
Vincent Ambo
abaa90c3ab fix(ops/pipelines): limit concurrency of 🦙
When pushing a large chain of CLs, builds can fail with OOM issues as
many Nix evaluations of the depot are happening simultaneously.

To work around this, we limit the concurrency of simultaneous Nix
evaluations (i.e. the `:llama` step). This can slow down the start of
builds in a large chain of small changes, but that is a better
tradeoff than failing the builds entirely and making people click
buttons.

Change-Id: If351aaad22d52e2bcf871377f22ab1df594c518d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7501
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-12-03 14:11:04 +00:00
Lyle Mantooth
4cd4111d0d feat(ops/users): add IslandUsurper to users.
Change-Id: Id6bda45acd33dc4e57775321aa8f318164ca7ee0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7469
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-12-01 10:42:47 +00:00
Márton Boros
c06840ff87 feat(ops/users): Add brainrake to users
Change-Id: I6bb611fd802ed3f1e748d4c75dc2fd4bea9cc91a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7365
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-11-23 13:55:53 +00:00
Vo Minh Thu
888b7faa18 feat(ops/users): Add noteed to users
Change-Id: I40b99a46b76d0df40b811350f3560c629babdbc4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7319
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-11-21 13:40:33 +00:00
jhahn
40826e664d feat(ops/users): Add jrhahn to users
Change-Id: I00913a302ecc23fec2e60875dc164b24d73ba4ad
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7257
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2022-11-09 21:57:54 +00:00
sterni
83dabf8955 fix(ops/machines/whitby): serve grafana at status.tvl.su again
This is a follow up to cl/7191 which neglected to adjust the
status.tvl.su.nix module and re-enable it.

Change-Id: Icc1917004cd50e5eab61a29bc68b393ba9bd6325
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7226
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
2022-11-07 14:43:18 +00:00
Griffin Smith
8240b2959e chore(whitby): Update grafana config
Uncomment and update the grafana config for whitby based on the new
config format that nixos accepts. I've validated this locally by
visually inspecting the resulting `ini` file, but not actually run it
yet.

Change-Id: I12d78ae48146e1b01bd2a4152276d4c6b16c1a3d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7191
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
2022-11-05 15:06:41 +00:00
sterni
57cf952ea9 chore(3p/sources): Bump channels & overlays (OpenSSL edition)
* //ops/machines/whitby: Disable grafana, since the grafana module was
  changed upstream in a way that our configuration no longer works.
  Since the OpenSSL security update is relatively pressing, adapting the
  grafana configuration beforehand is not a hard requirement. See
  https://github.com/NixOS/nixpkgs/pull/191768.

* //tools/depotfmt: keep Go at version 1.18 to forgo a reformat of the
  tree.

* //nix/buildGo: keep Go at version 1.18, as 1.19 changed the CLI
  interface (?) in a way that breaks buildGo.

* //3p/overlays/tvl: drop upstreamed tdlib upgrade.

* //3p/overlays/tvl: patch buf to work around breakage due to git 2.38.1

TODO items for Go are tracked in b/215.

Change-Id: Ie08fef49cf3db12e6b5225a8b992a990ddc5b642
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7141
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: tazjin <tazjin@tvl.su>
2022-11-03 15:10:39 +00:00
Florian Klink
79ef6ee283 chore(ops/pipelines/depot/protoCheck): include name in label
Change-Id: I2010bd6e4600e9f1dd6e6af40e81ecbbb72c20d0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7054
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2022-10-27 20:34:58 +00:00
sterni
ca3bd5c7ca feat(ops/pipelines): allow accessing the nix store
This is already allowed de facto, since there seems to be a special
exception for reading from derivation outputs. What is forbidden, is
access to files imported to the store (even via builtins.toFile) and
derivation files. The latter is required for doing dependency analysis
on arbitrary derivations, unfortunately.

Access to the store allows kind of evil things, but it should
be (hopefully) hard to do this by accident, and accessing derivation
files is not impure, though it relies on store implementation internals
so to speak.

Change-Id: I33a7de83ef0ee20a7076690329d62f6caffffe5f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6835
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2022-10-08 10:59:45 +00:00
Vincent Ambo
b9bfcf2f33 fix(ops/www): fix port templating for keycloak
Change-Id: I714b12f996d7dbe705f1f553d449f2dbc4910b1e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6848
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-10-03 17:42:56 +00:00
Vincent Ambo
e255aff849 chore(ops/whitby): use renamed 'kbdInteractiveAuthentication' option
Relates to b/200

Change-Id: Ica7a32e3d2392aba22c2de93cc9be49c4a57eeb9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6838
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-10-02 14:19:33 +00:00
Vincent Ambo
b5cf6b148c chore(ops/whitby): use new keycloak HTTP port option
Relates to b/200

Change-Id: Id8f415d5c4a8947b56031e1671f4f84ac5f2665d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6837
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-10-02 14:19:33 +00:00
sterni
0c178a0ef6 chore(3p/sources): Bump channels & overlays
Upstream nixpkgs removed a lot of aliases this time, so we needed to do
the following transformations. It's a real shame that aliases only
really become discoverable easily when they are removed.

* runCommandNoCC -> runCommand
* gmailieer -> lieer
  We also need to work around the fact that home-manager hasn't catched
  on to this rename.
* mysql -> mariadb
* pkgconfig -> pkg-config
  This also affects our Nix fork which needs to be bumped.
* prometheus_client -> prometheus-client
* rxvt_unicode -> rxvt-unicode-unwrapped
* nix-review -> nixpkgs-review
* oauth2_proxy -> oauth2-proxy

Additionally, some Go-related builders decided to drop support for
passing the sha256 hash in directly, so we need to use the generic hash
arguments.

Change-Id: I84aaa225ef18962937f8616a9ff064822f0d5dc3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6792
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: wpcarro <wpcarro@gmail.com>
2022-09-28 08:02:31 +00:00
Vincent Ambo
6576c2f15f feat(ops/keycloak): import github identity provider configuration
For some reason Terraform decided that it would otherwise like
to *delete* this configuration, which is undesirable.

Note that there is a "magic" special behaviour when the `alias` and
`provider_id` are set to the name of a built-in supported
provider (github, gitlab etc.), which lets us skip the
authorization_url setup.

Change-Id: Ib66154c2896dda162c57bdc2d7964a9fa4e15f20
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6706
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-09-20 09:28:45 +00:00
Vincent Ambo
3a1f4831a8 feat(ops/keycloak): add SMTP settings in configuration
I think these were set up in the UI and previously not supported in
the Terraform config, now they're supported and Terraform wanted to
delete them ...

Change-Id: I83eb49ceb774ac835dc81638f962e937c7e936c6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6707
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-09-20 09:28:45 +00:00