... this is going to break so much stuff. Lets have some fun.
Change-Id: If0185e0323391c7055d47b797083bb5afde57cb5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1829
Reviewed-by: glittershark <grfn@gws.fyi>
Tested-by: BuildkiteCI
Adds the ability to post to multiple channels by simply running
multiple instances of clbot.
We should probably implement support for this in clbot itself, but
right now I can't be bothered to write Go.
Change-Id: I5cffd0dc10a7f6cc19c37c5834c5610166b4ae23
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1771
Tested-by: BuildkiteCI
Reviewed-by: kanepyork <rikingcoding@gmail.com>
Reviewed-by: lukegb <lukegb@tvl.fyi>
It tries to write this to ~/.cache otherwise, which worked for the git
user but does not work for root (??)
Change-Id: I02d04da7d8e2b8782ce70bc72bce0b90c3961aa0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1546
Reviewed-by: glittershark <grfn@gws.fyi>
Tested-by: BuildkiteCI
Changes the restic backup service to run as root, rather than git, and
include the PostgreSQL dumps in its scope.
The on-machine credentials have already been placed in the right
location in /var/backup/restic
Fixes: 27
Change-Id: Iae76357442f07596a2297ce7b6d51aae392d2074
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1541
Reviewed-by: kanepyork <rikingcoding@gmail.com>
Reviewed-by: glittershark <grfn@gws.fyi>
Tested-by: BuildkiteCI
... daily is just the default cron pattern for this, but we might also
want this to happen more frequently. Not sure yet.
Change-Id: I4e433fefebd93488891e765b5842fdb6537e3c6d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1518
Tested-by: BuildkiteCI
Reviewed-by: kanepyork <rikingcoding@gmail.com>
Now that we've migrated over all the data to postgresql, we can get rid
of cl-prevalence as a dependency from Panettone along with all code that
mentions it.
Change-Id: I945f50a88fea5770aac5b4a058342b8269c0bea2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1495
Reviewed-by: kanepyork <rikingcoding@gmail.com>
Reviewed-by: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
It appears this didn't even *work* without a password, so we've been
forced into being more secure.
Change-Id: I4ff9d04961a703a85299dafb79e8447b0a933fc1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1491
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
This is how panettone is currently connecting, so this needs to be here
in order for it to work. Shortly I'll update all of this to use
passwords, but for now this gets things up and running again
Change-Id: If87f4dbce0800dcbc4f7bf10e88f3e591410b416
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1488
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Create a running Postgres database server along with a user and database
for Panettone, and pass configuration for it to the panettone module
Change-Id: I333994288131be328e62069382d6d40f8034c400
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1466
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Otherwise I have to set TERM to something else so that I can actually use the
machine when I'm booted into Linux and it's incredibly tedious and I hate it.
Change-Id: Icfb5aacfea8cd6227743d29d9b07dc1b745d22c5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1435
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Deploy Panettone to whitby as a systemd service, proxied to from an
nginx virtual host listening at b.tvl.fyi
Change-Id: I69755566151a45120e6b3453751af0e9291fa241
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1339
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
I don't have time for bash's history.
Change-Id: I741107d33f09999ef43a7609079ad926e8127e69
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1362
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
... also bootstraps her user directory to store the key in.
Change-Id: Iecd341c655adc7d81be5ce9eb765c531b7512e80
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1361
Tested-by: BuildkiteCI
Reviewed-by: Alyssa Ross <hi@alyssa.is>
This is inline with how other user keys are managed.
Change-Id: Ica0b3b30336aee02a78e019b13e1cf576e4e1943
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1360
Tested-by: BuildkiteCI
Reviewed-by: isomer <isomer@tvl.fyi>
Note that this is not yet updated automatically, so the page will be
stale until somebody rebuilds whitby.
Change-Id: I91f4b03c9309aed289df055fac292a214dca7668
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1297
Reviewed-by: Alyssa Ross <hi@alyssa.is>
Tested-by: BuildkiteCI
Not having this set led to gerrit setting the committer to
"qyliss <hi@alyssa.is>", which is wrong.
Change-Id: I3fe02264e22dd6d739575b34ceb1221d1d6a9d98
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1267
Tested-by: BuildkiteCI
Reviewed-by: qyliss <hi@alyssa.is>
The Hetzner DNS servers were unhappy after today's Cloudflare outage,
and that broke some of our builds - this wouldn't have happened with
Google DNS!
Change-Id: Ib74c6de9526e739f55d4a9830d945ece35b72138
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1259
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>
... and enable it on whitby
Change-Id: Ife45f15227f9d95823ebd3b97d2a17175b84eaff
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1064
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
There is only one minor configuration change: CLBot now connects to
cl.tvl.fyi, instead of localhost, because Gerrit is still on camden.
Change-Id: Ibd8d46ec2c18312a270471a2f0be3e58eaf0cbab
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1062
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
This is required for the Gerrit setup.
Change-Id: I02e03dafe36e6c47ffabf4d590e0c6f1dea027e6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1061
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
This prevents a request that takes >1s on each page load.
Change-Id: Ic91bb602e3059b1f17681aa468739bb0a103f8cf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1003
Tested-by: BuildkiteCI
Reviewed-by: isomer <isomer@tvl.fyi>
The upstream module is not flexible enough for my needs, so I made my
own.
Change-Id: Ie9f786da7eb8c878e0782b07a075c064ad8cd253
Reviewed-on: https://cl.tvl.fyi/c/depot/+/953
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>
- X-Forwarded-Proto support so it knows it's behind TLS
- Remove extraneous logs and just log to stdout so it's caught be systemd
Change-Id: I650777bbfd24a1922f26967ffff7da06d14b6639
Reviewed-on: https://cl.tvl.fyi/c/depot/+/952
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>
This adds a first crack at one idea for a generic, non-user-specific
rebuild-system script to ops.nixos.rebuild-system. The idea here is that
we enumerate all the nixos systems stored in the monorepo (similarly to
what we do for ci-builds right now) then search through them by hostname
to find the one matching the hostname of the current system, which is an
attempt at a more generic version of tazjin's rebuilder script which
does the same thing but with an explicit case block.
As a caveat, it feels like there's a slight possibility that this way of
finding systems is going to get slow to evaluate - on my system it feels
fine but if it grows out of hand it's probably feasible to just bake
this into the built script as a dynamically generated case statement.
Change-Id: I2e4c5401913b6f4d936ab48ba2f95f96e0e78eb4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/894
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
This *should* translate to the required invocation to make sudo allow
nopasswd for users in the wheel group.
Change-Id: I3713862b8df9087cfbaa72d7e824bc43469f7c1c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/857
Reviewed-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Tested-by: BuildkiteCI
This is the point of the machine, afterall.
Change-Id: I15c11600c1c18fa8962d57f75f99a72e1553f9c2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/853
Reviewed-by: glittershark <grfn@gws.fyi>
Reviewed-by: BuildkiteCI
Tested-by: BuildkiteCI
systemd gets sad otherwise and it is very difficult to console it
Change-Id: Ic6405489532c407273e5634474185f2947420b37
Reviewed-on: https://cl.tvl.fyi/c/depot/+/851
Reviewed-by: glittershark <grfn@gws.fyi>
Reviewed-by: BuildkiteCI
Tested-by: BuildkiteCI
it's not glittershark because grfn is the username I have on my laptop
and I want to be able to ssh without an `@`.
Change-Id: Ie1fb6f5e12f3ac52a44680704179bd27a00a7768
Reviewed-on: https://cl.tvl.fyi/c/depot/+/850
Reviewed-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
This adds NixOS configuration for the machine whitby.tvl.fyi.
No interesting services are configured yet, so this configuration is
quite plain.
Change-Id: I67b7c75ebd6e298719b52e6b3bd83cc3be3c45d8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/843
Tested-by: BuildkiteCI
Reviewed-by: BuildkiteCI
Reviewed-by: isomer <isomer@tvl.fyi>
Reviewed-by: lukegb <lukegb@tvl.fyi>
This does not work for ARGON2 hashes.
Change-Id: I1e070fa0ff17ef21632e94e6777da637deb6f54f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/834
Reviewed-by: Kane York <rikingcoding@gmail.com>
Reviewed-by: BuildkiteCI
Tested-by: BuildkiteCI
This makes it possible to use {ARGON2} hashes instead of the current
salted SHA hashes, which is a much better idea.
Unfortunately the nixpkgs module does not have an option for
overridding the package used, so it is overlaid into the system
package set - this causes widespread rebuilds.
This is fine for us for now, but I have opened a PR upstream to add a
package option: https://github.com/NixOS/nixpkgs/pull/91963
Change-Id: Ib4be931d88e74b91566639f8656742cf096f6cc3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/831
Reviewed-by: BuildkiteCI
Reviewed-by: isomer <isomer@tvl.fyi>
Tested-by: BuildkiteCI
This points commit/file/etc. links from Gerrit to Sourcegraph instead
of cgit.
There's a minor problem with this: Some, but not all unsubmitted CLs
are missing in Sourcegraph for unclear reasons so they lead to 404s.
That problem is unrelated to this change and something we need to
investigate separately.
Change-Id: I9b0c1eca8781dc96984ba09b4a71960eb43583bd
Reviewed-on: https://cl.tvl.fyi/c/depot/+/541
Reviewed-by: lukegb <lukegb@tvl.fyi>
This attribute makes much more sense in this position semantically.
Change-Id: I16cc6304f42c577a2368bd7c9573fcb7dd276a9d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/448
Reviewed-by: riking <rikingcoding@gmail.com>
Implements a function that generates the LDIF record for each user and
templates it into the configuration.
This is slightly more user-friendly and less error-prone (people kept
getting the DNs wrong) than editing the contents manually.
Change-Id: Ic419d2ef464f9a94be5d54b666f7d53134b53eed
Reviewed-on: https://cl.tvl.fyi/c/depot/+/447
Reviewed-by: riking <rikingcoding@gmail.com>
We can always revert this if we want it back.
Change-Id: I1332b6dd541199584b7b5b94a8651172d79e53a9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/442
Reviewed-by: glittershark <grfn@gws.fyi>
Reviewed-by: lukegb <lukegb@tvl.fyi>
This module spins up the Sourcegraph container.
Builds:
Note that this is contrary to how our other deployments work, but
packaging Sourcegraph is quite difficult (it's a Gitlab style
deployment with a lot of moving parts and third-party things that it
bundles).
If we decide to keep it around, we will want to look at packaging it
in Nix in the future.
Deployment:
The deployment is a hack. Sourcegraph does not support public
instances, but we want it to be public. To work around this we have
configured HTTP-proxy based authentication (i.e. auth via a header)
and hardcoded a static header.
This works, but lets anonymous users change the "Anonymous" user's
settings. We can expect this to get defaced (profile picture, name
etc), until we figure out how to write some nginx configuration to
drop those requests. See git-bug for details.
The Sourcegraph configuration is also not checked in to the
repository. It's unclear where in the data directory it is stored.
Change-Id: I414ff11c3b49989b6792d697bffc8a0edf96c9cb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/425
Reviewed-by: lukegb <lukegb@tvl.fyi>
This plugin just blindly assigns everyone and, as q3k has already
pointed out, just isn't particularly useful.
We might want to roll our own, for example:
19: 40:41 <+Remosi> I want the virtual owner thing, we could call it
Gerrit Workgroup Synthesizer Queuing, or gwsq for short.
Change-Id: Ib12a921ae4047ac6a734035dd0900c8964fb12d8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/350
Reviewed-by: riking <rikingcoding@gmail.com>
Without these changes, the NixOS module isn't able to use the new
Gerrit derivation.
These changes are already deployed as I needed to make them to get
Gerrit back up.
Change-Id: Iad3aa6158789a014134fddccd40b508b81486100
Reviewed-on: https://cl.tvl.fyi/c/depot/+/301
Reviewed-by: lukegb <lukegb@tvl.fyi>
NixOS modules move one level up because it's unlikely that //ops/nixos
will contain actual systems at this point (they're user-specific).
This is the first users folder, so it is also added to the root
readTree invocation for the repository.
Change-Id: I546c701145fa204b7ba7518a8a56a783588629e0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/244
Reviewed-by: tazjin <mail@tazj.in>