Commit graph

170 commits

Author SHA1 Message Date
tazjin
910adb50b8 revert(ops/code.tvl.fyi): fix josh-proxy cmdline args
This partially reverts commit eb167c71a7.

Reason for revert: Broke anonymous cloning.

Change-Id: I10d148f8deed5d9a200d1e731fe341b9ee0782c3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9625
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: tazjin <tazjin@tvl.su>
2023-10-10 06:36:50 +00:00
Florian Klink
eb167c71a7 fix(ops/code.tvl.fyi): fix josh-proxy cmdline args
It looks like josh is only listening on v4 currently:

1586eab062/josh-proxy/src/bin/josh-proxy.rs (L1429)

Also, the remote URL to push to is (or became) https://cl.tvl.fyi/a, not
just https://cl.tvl.fyi/, update it

Change-Id: Ic59bc51c28be913d833186c715e9a9eb960bbd6e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9591
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-10-09 14:42:25 +00:00
Brian McGee
4797a3fd8a chore(ops): expose nar-bridge for go get
Change-Id: I9d8f444ed625502cfaeea83e0b330f52dac24118
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9589
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-10-09 12:07:43 +00:00
Vincent Ambo
a63f991351 feat(ops/www): add experimental grep.tvl.fyi setup
This points a reverse proxy at a manually run, highly experimental
container. The actual setup is not yet nixified.

Change-Id: I8e1d5ec94a3f1e9b4b0bfc7ffd2a9badf4e79291
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9577
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
2023-10-09 07:03:05 +00:00
Vincent Ambo
f4787355a4 chore(ops/modules): enable passwordless sudo in users module
Change-Id: I8522a106bbadacf1b5720b4cd1102052aa360ff0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9575
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2023-10-08 19:45:25 +00:00
Vincent Ambo
5f32f7610a chore(users): remove inactive users
Change-Id: I3cfb425e4dac0a467e3917df996e9800a3ebe875
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9576
Reviewed-by: isomer <isomer@tvl.fyi>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
2023-10-08 18:18:08 +00:00
Vincent Ambo
713a70d154 fix(ops/modules): remove cloud-init from yandex-cloud module
cloud-init stopped working for unknown reasons, enabling it will break
DHCP and SSH, and make the image inaccessible.

This means that access needs to be provided by baking keys into the
image instead.

Change-Id: Ib8d32a02d0a8ea61d75921f147349d73a27ef751
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9572
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-10-08 18:13:49 +00:00
Vincent Ambo
053643c66f chore(ops): remove images.tvl.fyi
I don't even know what this is/was.

Change-Id: I743efa88258bbc13b7a3d4b8de8df222325b00ed
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9553
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
2023-10-06 09:17:22 +00:00
Florian Klink
c1a77e01b8 fix(ops/modules/tvl-buildkite): add /run/wrappers/bin to $PATH
It looks like since cl/9341, the tvix buildkite pipeline fails.

We're not yet sure what's causing it, it might be the lack of the
`fusermount` binary in $PATH.

Change-Id: Ie95678fbd07201e96ca3d43b53827781b49f1f46
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9386
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: Connor Brewster <cbrewster@hey.com>
2023-09-24 19:30:15 +00:00
Vincent Ambo
9eede1c4df chore(ops): move yandex-cloud image module out of corp
Change-Id: Idc8cc3a640fc895cd3882e93a193212adb743abb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9425
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2023-09-22 17:52:23 +00:00
Florian Klink
2aa0c70245 chore(ops/modules/www/code.tvl.fyi): add missing go get redirect
This was missing in cl/9370.

Change-Id: I02048b0e65d1192e9e300160bb8f78fe30a70da1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9405
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: Connor Brewster <cbrewster@hey.com>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-09-22 17:36:05 +00:00
Florian Klink
32f41458c0 refactor(tvix): move castore into tvix-castore crate
This splits the pure content-addressed layers from tvix-store into a
`castore` crate, and only leaves PathInfo related things, as well as the
CLI entrypoint in the tvix-store crate.

Notable changes:
 - `fixtures` and `utils` had to be moved out of the `test` cfg, so they
   can be imported from tvix-store.
 - Some ad-hoc fixtures in the test were moved to proper fixtures in the
   same step.
 - The protos are now created by a (more static) recipe in the protos/
   directory.

The (now two) golang targets are commented out, as it's not possible to
update them properly in the same CL. This will be done by a followup CL
once this is merged (and whitby deployed)

Bug: https://b.tvl.fyi/issues/301

Change-Id: I8d675d4bf1fb697eb7d479747c1b1e3635718107
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9370
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Reviewed-by: Connor Brewster <cbrewster@hey.com>
2023-09-22 12:51:21 +00:00
Florian Klink
9786255267 feat(ops/modules/code.tvl.fyi): fix go get for tvix store protos
There's a go.mod in in tvix/store/protos, which sets the module path to
code.tvl.fyi/tvix/store/protos.

While this path makes kinda sense, it's currently not possible to `go
get` it from that location, as we serve the cgit interface from there.

Fortunately, `go get` has a mechanism to determine clone URLs for a
given go module path, as documented in https://go.dev/ref/mod#vcs-find.

We simply need to serve a small HTML file at that path, describing the
proper clone URL.

This points the clone URL for code.tvl.fyi/tvix/store/protos to a josh-
provided subtree of just :/tvix/store/protos, which will contain the
root go.mod file.

We need another layer of indirection as nginx can't have an `alias`
directive inside a conditional block (but can have a redirect).

Contrary to https://b.tvl.fyi/issues/299#comment-464, it seems to work
for our usecase. It might become a problem if we actually serve `go.mod`
files in a nested fashion at some point, but let's look at that once we
get there.

Fixes b/299.

Change-Id: Idcad795105af5d57e6d06de6e232881dccf9110b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9290
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Reviewed-by: adisbladis <adisbladis@gmail.com>
Reviewed-by: tazjin <tazjin@tvl.su>
2023-09-10 11:43:29 +00:00
Vincent Ambo
e187a7bcb1 feat(ops/modules): deploy //web/pwcrypt to signup.tvl.fyi
I verified on whitby that the password hashes generated by
//web/pwcrypt are compatible with our OpenLDAP, so it's time to make
this thing public.

Change-Id: Icc2f095ca7ce4acff6de91a1642dea6461177423
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9266
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
2023-09-05 14:44:36 +00:00
Vincent Ambo
bde9bc1c1d fix(ops/nixery): switch nixery.dev to stable nixpkgs channel
The current unstable has a bunch of breakage which people have been
reporting, lets move the public instance to the stable channel until
that is sorted out.

Example breakage: https://github.com/tazjin/nixery/issues/159

Change-Id: Id5eb11ebd235928b85c01c178c32da3badea517f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9126
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-08-22 15:01:02 +00:00
Vincent Ambo
7d69e82be3 feat(tvl-users): grant wheel privileges to flokli
Flokli needs deploy access to whitby to ~~break auth~~ experiment with
Dex.

Change-Id: If39763192961e227ee569a312f6a0e3ae2c10786
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9113
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-08-21 11:06:51 +00:00
Florian Klink
5f42c8132d chore(ops/modules): remove oauth2_proxy module
This was dropped from whitby itself in cl/8905, but didn't drop the
module because we were worried someone else might still be using it.

However, this relies on the "oauth2-proxy" client ID, which only has the
following supported redirect uris (as per ops/keycloak/clients.tf):

 - https://login.tvl.fyi/oauth2/callback
 - http://localhost:4774/oauth2/callback

… which means, noone can really run this properly anyways, so let's
drop it.

We can always restore it from git.

Change-Id: I7d700f59a62cce1254ad4ba0792a7d7b3960b769
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8913
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
2023-07-01 23:35:13 +00:00
Vincent Ambo
8cdad7d45c feat(ops): introduce (head|tail)scale server at net.tvl.fyi
This runs a headscale server on sanduny which lets users join their
machines to the TVL tailscale network.

This would theoretically let people communicate with each other on the
internal network, but also more notably joined servers can advertise
exit node capability so that we can have our own "VPN network", for
starters with endpoints in Germany, UK and Russia (whitby, sanduny and
koptevo respectively).

This setup isn't fully stable yet, notably:

* The IP range used by tailscale is just the default one right now,
  I'm not sure if that should be changed or what.

* The system is stateful (on sanduny), but the state is not (yet)
  backed up anywhere. Use with caution.

* Machine joining is a manual process requiring SSH & root access to
  sanduny.

  The process is to log in to sanduny, then get a headscale shell with
  `sudo -u headscale bash`, and to use the `headscale` CLI within
  there to administrate access.

  I've opted to create a user account `tvl` for TVL-owned machines,
  and a personal account for myself and my machines.

Change-Id: I4f1be1fe8062a6c2e77203ff72fe8709f4e4dec8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8837
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-06-22 13:23:14 +00:00
Vincent Ambo
2936a95efd fix(ops/modules/quassel): use systemd LoadCredential to read certs
This avoids permission issues with nginx vs. quassel

Change-Id: I770f8284d8fd8fc6d38add93c1681f9daebe8749
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8786
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-06-15 21:34:36 +00:00
sterni
d2fa4e7c86 chore(3p/sources): Bump channels & overlays
* //ops/modules/depot-inbox: Adapt to upstream option type declaration.
  See nixpkgs commit b6ed3b8f402893df91a8e21ce993520301c2f076.

* //ops/machines/sanduny, //users/tazjin/polyanka:
  Remove boot.loader.grub.version options (no longer has any effect).

* //users/sterni/emacs: reflect rename emacsPgtk -> emacs-pgtk

* //3p/overlays: update tdlib to match emacs-overlay

* //3p/overlays: give EXWM from depot a separate name

* //users/grfn/system/home: disable Slack support in ntfy

Change-Id: I03bde088bc70e05b23925f244899807210cb7b20
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8547
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2023-06-15 17:09:02 +00:00
Florian Klink
b58f6f1d61 feat(ops/modules/open_eid): add support for Web eID extension
Most likely due to bad UX in browsers for hardware-backed TLS client
cert auth, most websites have switched from client-side TLS to the "Web
eID" extension.

Once installed, the extension uses [Native Messaging] to talk to a
`web-eid-app` application, which handles the communication with the
smart card itself.

This can be tested on https://web-eid.eu/ .

The commit needs nixpkgs to be bumped past
https://github.com/NixOS/nixpkgs/pull/227354 .

[Native Messaging]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging

Change-Id: Iffe6d81ecf7cee25406fa39a983ff52cf669c373
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8490
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-04-28 13:14:24 +00:00
Florian Klink
2363a194cd fix(ops/modules/open_eid): use libdigidocpp.bin
nixpkgs commit 134036f642a7f3ba9efeab509727c0989458b02b moved the
digidoc-tool binary to the `bin` output, so this wasn't actually
providing the digidoc-tool binary anymore.

Change-Id: Id5f7cc69d55b7cc058a6361512cc74de0e7bc1b2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8487
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
2023-04-19 09:11:34 +00:00
sterni
96d7f4f0ac chore(3p/sources): Bump channels & overlays
* Satisfy new assert that the corresponding shell needs to be enabled
  via programs.* if it is as the login shell of at least one user.

* //users/tazjin: “Address” removal of hardware.video.hidpi option.

* //3p/gerrit: update fetch sha256

Change-Id: Id0988a0ea7f393d6b7848a7104fc3526ee1177f4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8407
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-04-07 09:20:33 +00:00
Florian Klink
e9686f84d9 fix(views/kit): communicate :unsign in the tvl-kit URL directly
Instead of prepending :unsign to all URLs in josh-proxy, and for all
calls to filteredGitPush, explicitly use it only in the filter we use
for the `export-kit` extraStep.

This means, people cloning tvl-kit via

> https://code.tvl.fyi/depot.git:workspace=views/kit.git

now need to update the URL to point to

> https://code.tvl.fyi/depot.git:unsign:workspace=views/kit.git

instead.

git@github.com:tvlfyi/kit.git will keep the same hashes, as it's updated
to export the unsigned workspace view of it.

This is less invasive than dooming every josh workspace to have to strip
signatures.

Change-Id: I6de05182fad4c3695081388c3bbf37306521d255
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8369
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-03-31 08:46:01 +00:00
Vincent Ambo
73c12f7c4f fix(ops/www): allow all indexing on cl.tvl.fyi
I *want* search engines to index our CLs, they might be useful!

Change-Id: I956d92c80d812e1aefefb6daeba77a1588055b94
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8361
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
2023-03-29 12:17:56 +00:00
Vincent Ambo
0965600fe6 feat(ops): serve Tvix website & docs on (docs.)tvix.dev
Change-Id: I198ea197867f9b9a48e51665d0665f722202e02e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8299
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-03-14 22:10:40 +00:00
Vincent Ambo
89d9ce39b4 chore(3p/josh): update josh to recent master commit
It's been a long time since we updated josh, almost 400 commits in
between. I read through the entire changelog, and here are relevant
josh commits from in between that might be interesting to us:

  38eecee Fix optimisation bug for compose filter (#1159)
  e1d10b6 Add :rev(...) filter
  0f1a07b Initial implementation of refs locking (#929)
  88cea2a Initial work on meta repo support
  030ad93 Change magic refs to include "for"
  28b1d75 Add split changes feature (#904)
  1f908d7 Discover filters only on HEAD (#774)
  a368d8f Make --require-auth only apply to push
  8d80230 Add :linear filter (#741)
  3460ec2 Implement redundant refs filtering (#700)
  55b4e50 Implement stacked changes support (#699)
  ea1f814 Handle @sha urls by creating magic ref (#690)
  883a381 Run filter discovery only on changed refs (#685)
  4bb004f Prepend refs/heads to base parameter as default (#664)

Of particular interest is a368d8f, which allows us to drop our
authentication patch and use the standard --require-auth flag again.

The default behaviour of dropping signatures on commits (which are
invalid after filtering) has also been changed in josh, now only
occuring when the `:unsign` filter is present. Since this breaks
commit hashes with our existing exported histories, we are opting to
set a `:unsign` filter prefix on all proxy requests to ensure that the
hashes stay consistent.

During this update we found a bug (josh#1155) which was fixed in the
commit that this CL moves josh to.

Change-Id: I3afac1619f3aa90313a0441da91f0e4a96fe0a3b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8186
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-03-07 16:46:54 +00:00
Alyssa Ross
08b300aaa8 chore(ops/modules): add a GECOS for my user
This way, I won't have to teach my name one at a time to every program
that wants to know my it (e.g. git).

Change-Id: I45ddd9c2343a10cd4c13bacd9a97b7470db95c14
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8038
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-02-09 09:43:48 +00:00
Vincent Ambo
3caa4c4aa4 fix(ops/www): increase buffer memory size for auth.tvl.fyi
Keycloak seems to have decided today that it will now send headers
that are larger than what the nginx default configuration can handle.

The numbers are a mix of made up and taken from random nginx voodoo
posts on the internet, so they're as good a guess as anyone's.

Change-Id: If037bcba48eee371cc96304b150276c669930c75
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7992
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
2023-02-01 09:30:24 +00:00
Vincent Ambo
d62c7ddfda feat(ops/modules): enable mail address obfuscation in public web UI
Change-Id: I47b5313bee84893d405f86aefb3682cda3cfc6d7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7637
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2022-12-29 20:11:24 +00:00
Vincent Ambo
45fa75c0cd fix(ops/modules): list IMAP server on public-inbox page
This fix can only be applied after the upstream public-inbox
fix (https://github.com/NixOS/nixpkgs/pull/207693) has been merged.

Change-Id: I957473e2895b7e57baad25c9e908b36aa790f3a6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7636
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
2022-12-29 20:11:23 +00:00
Vincent Ambo
62e19a8321 feat(web/inbox): add landing page for inbox.tvl.su
This landing page explains how to use the public-inbox.

Change-Id: I37d74decad5173ab35051970593f1d28001af2b4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7645
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2022-12-28 08:17:45 +00:00
Vincent Ambo
eb62cb1421 style(ops/modules): add inbox email address to public-inbox header
Change-Id: Ib7d9089b63bba7ebc44d3438ed284e752f0595e9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7638
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2022-12-28 08:17:45 +00:00
Vincent Ambo
6552cf03b3 feat(ops/modules): enable NNTP on inbox.tvl.su
Change-Id: Iec564860a247fe51a5549129be294a3629645519
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7635
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2022-12-28 08:17:45 +00:00
Vincent Ambo
e665f53621 feat(ops/modules): enable IMAP access for public-inbox
This sets up IMAP on inbox.tvl.su:993

I added a hack to work around problems with the NixOS ACME module.
Spent way too much time of my life with problems with that module, so
I only use it with blunt force these days. Others are welcome to make
a cleaner solution.

Change-Id: Ice828766020856cf17d2f0a5b4491f4cec8ad9b4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7633
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-12-28 08:17:45 +00:00
Vincent Ambo
e68c2f3736 feat(ops/modules): index incoming mail in public-inbox
Change-Id: I8a3e2c0e789057fd1edd015ccb8fdcc0cbb52cd8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7631
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2022-12-27 19:46:11 +00:00
Vincent Ambo
aa0197ab83 feat(ops/modules): configure offlineimap for depot@tvl.su
On the machine running public-inbox, this will start automatically
fetching mails from depot@tvl.su and making them available to
public-inbox.

Change-Id: I2469207bd41d64eba747a74ae5fda9fed548cc83
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7630
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2022-12-27 19:46:11 +00:00
Vincent Ambo
d446143413 feat(ops/modules): set up public-inbox at inbox.tvl.su
Initial setup which does not yet include fetching mails at all, this
is for now only going to display a manually populated view of the
existing mailing list while the rest of this stuff is set up.

Change-Id: Ie1235bd257c9056fe37d0740dfca771ebdd880eb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7628
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2022-12-27 19:46:11 +00:00
Vincent Ambo
ee4b95e470 fix(ops/modules): regularly restart panettone for b/225
Change-Id: I27565e0e462ecb431d0f82bb3f6026b1eb369279
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7504
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-12-05 09:40:38 +00:00
sterni
83dabf8955 fix(ops/machines/whitby): serve grafana at status.tvl.su again
This is a follow up to cl/7191 which neglected to adjust the
status.tvl.su.nix module and re-enable it.

Change-Id: Icc1917004cd50e5eab61a29bc68b393ba9bd6325
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7226
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
2022-11-07 14:43:18 +00:00
Vincent Ambo
b9bfcf2f33 fix(ops/www): fix port templating for keycloak
Change-Id: I714b12f996d7dbe705f1f553d449f2dbc4910b1e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6848
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-10-03 17:42:56 +00:00
sterni
0c178a0ef6 chore(3p/sources): Bump channels & overlays
Upstream nixpkgs removed a lot of aliases this time, so we needed to do
the following transformations. It's a real shame that aliases only
really become discoverable easily when they are removed.

* runCommandNoCC -> runCommand
* gmailieer -> lieer
  We also need to work around the fact that home-manager hasn't catched
  on to this rename.
* mysql -> mariadb
* pkgconfig -> pkg-config
  This also affects our Nix fork which needs to be bumped.
* prometheus_client -> prometheus-client
* rxvt_unicode -> rxvt-unicode-unwrapped
* nix-review -> nixpkgs-review
* oauth2_proxy -> oauth2-proxy

Additionally, some Go-related builders decided to drop support for
passing the sha256 hash in directly, so we need to use the generic hash
arguments.

Change-Id: I84aaa225ef18962937f8616a9ff064822f0d5dc3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6792
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: wpcarro <wpcarro@gmail.com>
2022-09-28 08:02:31 +00:00
Luke Granger-Brown
adf092a26b feat(monorepo-gerrit): swap owners plugin for code-owners
Change-Id: I9e05384b58dac258bc2da41c22e321b20451ef00
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6686
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: lukegb <lukegb@tvl.fyi>
Tested-by: BuildkiteCI
2022-09-19 11:17:07 +00:00
Vincent Ambo
beb78c7104 feat(ops/modules): deploy tvixbolt to tvixbolt.tvl.su
Change-Id: I534cf918fc3e03ce8c14cf15f6d3280b6a657c8d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6536
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-09-13 11:05:54 +00:00
sterni
aaa994137a fix: reflect renames of Nix configuration options
Change-Id: I7e28ac3d71acd7d99a1d3ef97bef9422097e4abf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6154
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-08-25 16:34:39 +00:00
Vincent Ambo
20fc7bc0b2 chore(3p/sources): Bump channels & overlays
* tvl-slapd: move database to subdirectory (somehow now required)

Change-Id: I1792b856cf68b11959c0cc9caab4135e556f8c58
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6090
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
2022-08-13 14:43:05 +00:00
Vincent Ambo
d2176bb8fb feat(ops/www): add predlozhnik redirect on tazj.in
otherwise posting this to reddit's /r/russian is not possible, as they
ban all links to Russian-affiliated sites

Change-Id: I8d23f0961ec7ef097fc2dbdd0aaa178861a19c10
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5992
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-07-28 17:50:18 +00:00
Vincent Ambo
482e1b201c fix(ops/www): redirect very old tazj.in feed URLs correctly
at some point in the far past, there was an RSS feed at `/en/rss.xml`.
It seems to still get a single hit or so every hour, which currently
404s.

Change-Id: Ieb13c2c0232861a50a54bc2a4087d9ccb21185cf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5962
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-07-19 15:14:29 +00:00
Vincent Ambo
5d65d8e03a fix(ops/www): issue certificate for 'www.tazj.in'
Change-Id: I6179f785bb6bd6168a2a11836b90da5ee93adc69
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5953
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
2022-07-18 14:02:58 +00:00
Vincent Ambo
fcfd097e65 refactor(ops/cgit): make user configurable
on whitby, cgit runs as the gerrit user to get access to serving
gerrit's repositories directly.

on other machines (e.g. sanduny) this isn't necessary, as we have a
world-readable depot replica.

Change-Id: Ibf7e7cc08e5909e0fa182e561ab0cb472188edcb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5932
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-07-12 08:49:55 +00:00