Posts can now specify (optionally) tagfilter=true/false to toggle
escaping of HTML tags.
Change-Id: Ie4a1a45028570fc166fdffba708bf9d0e0c6ae81
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9277
Tested-by: BuildkiteCI
Reviewed-by: Mark Shevchenko <markshevchenko@gmail.com>
This allows pinning the name of the sparse tree derivation, which
stops the continous rebuilding of tvix-store-proto dependents.
I've opted to let the function take an attribute set instead and
refactored the call sites appropriately.
Change-Id: I3e57785094b1adbfffa24caf9f1c3384844fa200
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8965
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
The entry list is now much more condensed. It's maybe a little *too*
condensed, but already closer to what I'm looking for.
Note: A new "note" post type has snuck in and can now be used for
random musings or comments on previous entries. Notes do not show up
in the Atom feed.
Change-Id: I920c0c7650937474b8a5f30cba78416554d523ce
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8806
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
This generates the format expected in `//ops/users`.
Note that as of this commit I have not actually tested whether the
generated hashes work, as OpenLDAP doesn't ship with a tool to do that
and I have to actually use it, spin up an LDAP server and bind to it.
The plan is to host this at something like `tvl.fyi/signup`. There is
no plan to automatically submit the generated stuff to the repo,
people still have to email us (and display their street cred).
Note that currently the generated hashes have slightly different
parameters than what //tools/hash-password creates. This might not
matter, but it's probably still a good idea to try and explicitly set
Argon2 parameters.
Change-Id: Ic162afbf7fb0e05ca6efc131b3bb0a4187e28029
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8776
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
This landing page explains how to use the public-inbox.
Change-Id: I37d74decad5173ab35051970593f1d28001af2b4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7645
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
This might shorten the list of known CVEs ...
Change-Id: Ibe06317f0916f9d889c64e6bf694b737338cf54c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7495
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
This was broken in my blog for way too long.
Change-Id: I03c45c666d67006a4608a4b19d6167ab692e321d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5905
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
... until I get my self-hosting situation dealt with.
Signed-off-by: Adam Joseph <adam@westernsemico.com>
Change-Id: I44764862f754286249b90278f3932c1470e8214c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7146
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
* add an explicit `tvix` node to track who arrived here through
Tvix-related means
* remove nodes that aren't actually relevant or informative for how
people got to TVL (e.g. `anon1` or `lgbtslack`).
* remove some people that have been missing for a long time and are
probably not coming back
Change-Id: I110180daa3c3c8f48593000b9e8d7cd4cf32b741
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7104
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: ezemtsov <eugene.zemtsov@gmail.com>
The text was a little cramped, which made the font hard to read. If
one gives it a little more breathing space, it gets easier to digest.
I couldn’t check the change locally, since `-A web.tvl` doesn’t
reference the static assets (it hardlinks to `static.tvl.su` from what
I can see). I only tested it directly in the browser css editor and
then added the values I found here.
Change-Id: Ic3cb78b2ed0f37e1c55ba70027fec2c62b43a52f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4055
Autosubmit: Profpatsch <mail@profpatsch.de>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
This should take care of the chrono advisory which has finally become
actionable.
Change-Id: I0c290c10893d2b112bc17281a96c760b62dff02f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6831
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Upstream nixpkgs removed a lot of aliases this time, so we needed to do
the following transformations. It's a real shame that aliases only
really become discoverable easily when they are removed.
* runCommandNoCC -> runCommand
* gmailieer -> lieer
We also need to work around the fact that home-manager hasn't catched
on to this rename.
* mysql -> mariadb
* pkgconfig -> pkg-config
This also affects our Nix fork which needs to be bumped.
* prometheus_client -> prometheus-client
* rxvt_unicode -> rxvt-unicode-unwrapped
* nix-review -> nixpkgs-review
* oauth2_proxy -> oauth2-proxy
Additionally, some Go-related builders decided to drop support for
passing the sha256 hash in directly, so we need to use the generic hash
arguments.
Change-Id: I84aaa225ef18962937f8616a9ff064822f0d5dc3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6792
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: wpcarro <wpcarro@gmail.com>
These otherwise look the same as the rest of a post, which is a bit
confusing.
Change-Id: I66ac7256fa379b9f9510de1e2b236c7206219d27
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6561
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Thanks to Danny Sichel for helping us out with this!
Change-Id: I95416d824fcf0e43316e4c0c014c210aeea3c18d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6575
Tested-by: BuildkiteCI
Reviewed-by: eta <tvl@eta.st>
Anyone is free to pen a post for tvl.fyi if they want, so being able
to attribute the author might be useful.
This wasn't originally a feature because I wrote //web/blog only for
tazj.in initially.
Change-Id: Ibc50b53f92113a82a53ce40bb5defa18e926cc10
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6560
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
This adds an initial version of the post which we can play with for
further layouting. The post is marked as `draft`, so it will become
available at the direct link, but have a banner on it telling people
not to share it yet.
Change-Id: Idac69e56bee027c2b566f50ef123b54aff6ebc3e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6538
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
It occured to me yesterday that with the config inside of the module
it is kind of difficult to test cgit locally.
This moves it back to a separate location (//web/cgit-tvl) and makes
the most important things configurable via overrides.
Change-Id: I9b0f4c60b75c31441e1718e63b5b55aba3100aae
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5893
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Because of math being upsetting, we were adding 4 padding characters to
an already-properly-padded base64 string, which broke tazjin.
This also breaks this function out into panettone.util, and adds a test
for it.
Change-Id: I7bc8a440ad9d0917272dd9f2e341081ea14693da
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5782
Autosubmit: grfn <grfn@gws.fyi>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
The JWT spec apparently specifies that base64 strings in jwts aren't to
be padded - but the common lisp base64 library doesn't know how to
decode unpadded base64 (it signals a condition in that case). This adds
the extra padding characters (a number of `=` characters such that the
length of the string is a multiple of 4) using some FORMAT wizardry (?).
Change-Id: Ic6b66f05db2699bf1f93f870f5dd614c37eccc2d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5781
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: grfn <grfn@gws.fyi>
Instead of directly connecting to LDAP and attempting to bind
usernames/password, authenticate users through an OAuth2 flow to
Keycloak.
This has the advantage of reusing the same SSO we already have for
Gerrit, Buildkite, ...
However, much of panettone's functionality makes assumptions about
LDAP being used. As a result there are some warts introduced by
this (for now):
* Since LDAP DNs are used as primary keys for users, we have to
construct fake DNs based on LDAP usernames
It might be sensible to migrate this to the UUIDs used by Keycloak
eventually.
* LDAP is part of the serving path for issues (for fetching user
information), however panettone no longer has a way to fetch
arbitrary user information unless it is persisted in its database.
To work around this, we construct a "fake" user based only on its
DN (i.e. only the username is going to be "correct") and use that to
serve issues.
* Email notifications no longer work (panettone can not access email
addresses)
Some of these need to be worked around by persisting some of that
information in the panettone database instead, as we don't want to
give the service the ability to access arbitrary user information
anymore.
We can probably do this with the user settings feature that already
exists and populate it on launch, but as of this commit email and
displayName functionality is simply broken.
Change-Id: Id32bf5e09d67f0f1e883024c6e013eb342f03b05
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5772
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Upcoming changes to the authentication model may mean that user
objects do not have an email address attached.
Change-Id: I4fddb810f723c790d243f779714ca7f189a02aeb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5770
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Don't render the <ol class="issue-history"> when we have nothing to put
in it, which is the case when there's no issue history and the user is
not logged in. This avoids an awkward-looking double bottom border on
issues with no comments for unauthenticated users.
Change-Id: I1c6aac40e4ba93e9428a0da589c67582b1589c17
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5445
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
The ancient `//web/cgit-taz` path stems from the time I had
code.tazj.in serving my initial version of the depot.
I've been meaning to clean this up for forever, so here we go.
Note that this leaves the git-serving module in a strange state where
it only deals with josh. I'll rename it accordingly.
Change-Id: I47ed1e9d90958299b5440a18a1b9075274754e33
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5294
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
Instead of managing Postgres connections on our own, use the
`with-connection` postmodern function with pooling enabled as a route
decorator.
This should resolve at least some of the issues from b/113 with
leaking connections, and an unreported issue with connections being
reused while transactions are in progress.
Change-Id: I1ed68667a3240900de1ae69df37d2d3018caf204
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5198
Tested-by: BuildkiteCI
Reviewed-by: eta <tvl@eta.st>
Autosubmit: tazjin <tazjin@tvl.su>
unbind & close the stream of newly created LDAP connections after
auth, which might prevent some of the resource leaking we've got going
on
i did actually verify in sly that this still works. yay.
Change-Id: I92c8ca20de642585ae4c24aa455d051ee6e44a87
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5193
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
* //3p/nix: probably not worth investing time into this anymore
* //users/sterni/emacs: The emoji problem disappeared by itself with a
newer emacs version, however a different one remains…
* //web/panettone: If we ever want to change the behavior, we should
just decide the behavior statically instead of using conditions and
restarts, as we only call it in one place, so making different
decisions depending on call sites is not really a use case we have.
Change-Id: Iff9d439ce356db41ce34d690fb7b6a01822022fa
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5223
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: sterni <sternenseemann@systemli.org>
Any other cgit configuration in depot would need this script wrapper as
well.
Change-Id: Ifa04e1c9de9c925eb3f60c5d3854221ae02ef06c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5206
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: sterni <sternenseemann@systemli.org>
(who:html-mode) needs to be set at macro expansion time to properly take
effect which wasn't the case before, but is ensured now by
:compile-toplevel. :load-toplevel ensures that who inside the repl will
behave the same.
Since the :html5 behavior is now actually used, we need to adjust some
of the test cases to account for the different :html5 escaping mode.
Change-Id: I4dfe1d2db38da6a2486fde86596f7e5f50ed8b9f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4885
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
We have a new channel visitor who joined via Matrix and pointed this
out. Apparently hackint reestablished the Matrix bridge.
Change-Id: I25ec7fdc5c1b68a9b0bc92b6c19ffe12ecb93c5f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4864
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>