* users/grfn/system/home/yeren: remove obsolete awscli2 overrides
* ops: make new isSystemUser || isNormalUser assertion happy
* users/grfn/system/system/mugwump: make buildkite agents system users
* users/tazjin/nixos/camden: set isSystemUser = true for git
* users/tazjin/emacs: Remove missing & broken packages
* third_party/openldap: remove, as the argon2 module is now enabled upstream
* third_party/gerrit_plugins: Pinned new unstable hashes
* third_party/nix, third_party/grpc: Disabled CI as these are broken
* third_party/overlays/emacs: Bumped version to stay in sync with channel
* third_party/buzz: Update LIBCLANG_PATH to reference libclang.lib,
since libclang's default output no longer contains libclang.so
* users/grfn/system/home: Install julia-stable instead of julia (which
aliases to julia-lts), as the latter depends on an insecure version of
libgit
Change-Id: Iff33b0ecb0ef07a82d1de35e23c40d2f4bf0f8ed
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3001
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
This changes the evaluation order for the `depot` argument and ensures
it is partially evaluated before the module system starts resolving
imports.
This way we can import modules from `depot.path` without `depot`
having to come from readTree.
Fixes b/129.
Change-Id: Icf4dd2be15011055dac8b27e991a4ff6a12bf827
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3156
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
* This was mostly for //third_party/nix and its dependencies which now
have been set to use llvmPackages_11 manually.
* For //users/grfn/achilles we also manually select the newer LLVM version.
* //tools/cheddar doesn't seem to need llvm anymore.
* //third_party/buzz also compiles with clang 7.1.0
* replace clang-tools everywhere with new attribute clang-tools_11
For the future we may want to have something similar again, but it may
not be necessary to invest too much time into it: nixpkgs is set to
upgrade their default llvmPackages to LLVM 11 as well at some point in
the near future.
Co-Authored-By: sterni <sternenseemann@systemli.org>
Change-Id: Id83868dbc476a6c776b59518b856c933f30ea79d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3135
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
This drops the msmtp requirement from my configuration; there's still
some cleanup to be done but I need to double-check this in a few
environments first.
Change-Id: I298f4ff77b45cb214fbccee84e9bbd861508d11a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3132
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
This is a simple Go module build for https://litestream.io/
If this ends up being useful, we should upstream this to nixpkgs.
Change-Id: I3beb64c9adb3b57fcef4e1dfb27f293a15f90a76
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3085
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
The following commit itends to bind on port 8443 on all interfaces,
so let's move this to something else.
Change-Id: Ibb94a0f4e6892b6e543b542b89bcdaaefb617f23
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3126
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
We have a bunch of crates in `third_party/rust-crates`; it would be
great if we could check them for existing CVEs.
This tool does that, it takes the rust security advisory database,
parses the applicable CVEs, and cross-checks them against the actual
crate versions we list in our package database.
The dumb parser we wrote is tested against all entries in the
database, so we will notice when upstream breaks their shit.
Checking the semver stuff is easy enough with the semver crate.
If an advisory matches, it prints the whole thing and fails the build.
Change-Id: I9e912c43d37a685d9d7a4424defc467a171ea3c4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2818
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>
This lets us drop the patch for pinning the git library, as this one
is now pinned to something upstream.
Change-Id: Ib8026f5f22e2e49371a2bad83aa726c2951570e4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3086
Tested-by: BuildkiteCI
Reviewed-by: eta <eta@theta.eu.org>
A small go TUI framework based on the Elm Architecture.
Change-Id: I0c400a7b25af682735bfc5061db179e5d1dd75ab
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2853
Reviewed-by: Profpatsch <mail@profpatsch.de>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Tested-by: BuildkiteCI
We don't need these in the depot anymore as the Emacs overlay now
provides newer versions of them, or because they are not used anymore.
Change-Id: I393e1580b66450d0bb128213bc79668172dadacc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3005
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
We've had josh in here previously, but it was kind of immature back
then. The repository looks much better now and I'd like to give it
another try.
Josh is a Rust project, the build here is done with naersk.
Change-Id: I3731340d00ce1eb4cef55de114e1915579e47ef3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3017
Reviewed-by: lukegb <lukegb@tvl.fyi>
Tested-by: BuildkiteCI
Adds all TVL Emacs packages to the emacsPackages fixpoint unter
`tvlPackages` ... one step closer to native compilation.
Change-Id: I938689ccab057164babfb88cd467a490b3efd39b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3004
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: adisbladis <adisbladis@gmail.com>
Adds a new internal builder that makes it possible to override the
`emacsPackages` passed to our Emacs packages, which in turn makes it
possible to inject them into the emacsPackages fixpoint and use them
with features like Emacs native compilation.
Change-Id: I80dad57115c83cf5693ae6ba4e4cf3105d103d5e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3003
Tested-by: BuildkiteCI
Reviewed-by: adisbladis <adisbladis@gmail.com>
Reviewed-by: grfn <grfn@gws.fyi>
This adds adisbladis' Emacs overlay, which makes bleeding-edge
functionality such as native compilation of Elisp available.
Change-Id: I29861cb4da37bf8bf7fdb6fba5f2525c7a024356
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3002
Reviewed-by: adisbladis <adisbladis@gmail.com>
Tested-by: BuildkiteCI
CAS nested attributes produce a key called "attributes", which is
disliked by Grafana, because it expects any key called attributes to be
a map<string, list<string>>, whereas CAS just produces a map<string,
string>.
As part of setting up Grafana SSO we need therefore to fix Gerrit so it
can adapt to the new syntax that we're adopting.
Change-Id: Ia79dae78c0eae6e21135a06cd5850606f82bcdb8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2981
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Instead of having two ways of accessing the path to the depot (one of
which was stuttering, depot.depotPath) we settle on only one:
depot.path.
This was mostly used for NixOS module imports.
Co-Authored-By: Florian Klink <flokli@flokli.de>
Change-Id: I2c0db23383fc34f6ca76baaad4cc4af2d9dfae15
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2962
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: sterni <sternenseemann@systemli.org>
Rename my //users directory and all places that refer to glittershark to
grfn, including nix references and documentation.
This may require some extra attention inside of gerrit's database after
it lands to allow me to actually push things.
Change-Id: I4728b7ec2c60024392c1c1fa6e0d4a59b3e266fa
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2933
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: glittershark <grfn@gws.fyi>
sbcl 2.0.9 introduced a new warning:
> minor incompatible change: the compiler signals a warning at
> compile-time when an initform of T, NIL or 0 does not match
> a STANDARD-CLASS slot's declared type.
This broke a few packages, but they all have been fixed upstream in the
meantime and we only need to bump their versions. The culprits are:
* defclass-std which possibly has become unmaintained since the fix
(december 2020).
* cl-prevalence which also needs one symbol from bt now
* lisp-binary which also includes a new file now
Change-Id: I06bb47a129d5ef912a623315c1281aedd1ceac2a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2934
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: glittershark <grfn@gws.fyi>
Fixes included:
* exposed gtest in the package set, required for protobuf
* pinned SBCL to version 2.0.8: The channel moved it to >2.1, and a
bunch of warnings seemed to be killing our builds - we should
investigate this later.
* removed kernel patches from //users/tazjin/frog: this machine is
currently out of service anyways, not worth fixing while it's offline
* removed steam & lutris from frog (they're currently broken)
* removed Haskell overrides for hedgehog-classes & hgeometry-combinatorial
* use gRPC sources from upstream and inject Abseil via Nix instead
* fix for renamed grpc import in //third_party/nix
* use libfprint-tod from upstream nixpkgs in glittershark/yeren and
delete glittershark/pkgs/fprintd entirely, since all of the patches used
there are available and working from upstream now (and stopped working
here after the bump)
Change-Id: Ia90e6f774f7b88bc9e60d28351b900ca43ee2695
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2901
Reviewed-by: glittershark <grfn@gws.fyi>
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Tested-by: BuildkiteCI
The random_1_2_0 attribute of haskellPackages currently holds random
1.2.0 which is what we want to have. We need to disable tests because
they cause an infinite recursion as basically all testing libraries
depend on random. This has the nice side effect that we no longer need
import from derivation for random 1.2.0 (but owothia and xanthous still
use it).
Re-enable CI for xanthous.
Additinonally we need to deal with the fallout of the haskellPackages
overlay now also being pulled in for some machines since cl/2910 and
let pandoc compile with random 1.2.0.
Change-Id: I78d220e5bd35f3469d80d69e77e712a529f21d33
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2924
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: glittershark <grfn@gws.fyi>
This lets the import of the depot root accept an additional argument
called `externalArgs`, which can be used to pass additional arguments
into a depot package set.
This is used in //third_party/nixpkgs for replacing the source of the
nixos-unstable channel with a path. With this we can bisect the
nixpkgs used in third_party easily.
Change-Id: I4f65eb3d6b521ed9f437649b7b068f1e6ab8210f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2925
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Please read b/108 to make sense of this.
This gets rid of the explicit list of exposed packages from nixpkgs,
and instead makes the entire package set available at
`third_party.nixpkgs`.
To accommodate this, a LOT of things have to be very slightly shuffled
around. Some of this was done in already submitted CLs, but this
change is unfortunately still quite noisy.
Pay extra attention to:
* overlay-like functionality that was partially moved to actual
overlays (partially as in, the minimum required to get a green
build)
* modified uses of the package set path, esp. in NixOS systems
Special notes:
* xanthous has been disabled in CI because of issues with the Haskell
overlay
* //third_party/nix has been disabled because of other unclear
dependency issues
Both of these will be tackled in a followup CL.
Change-Id: I2f9c60a4d275fdb5209264be0addfd7e06c53118
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2910
Reviewed-by: glittershark <grfn@gws.fyi>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
adisbladis fixed the tdlib/telega versioning issues in nixpkgs at some
point, so this isn't required anymore.
Change-Id: Ib98e73d0e4394765f08f5f3741f70adab459c22f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2909
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
nixpkgs_exposed is going away, and the haskell overlay is independent
from that.
See also b/108, cl/2910
Change-Id: I3aea6dfc427a914f3f88146fd0b45d60dfd45a1a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2918
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
This is part of paving the way for clearly distinguishing between
packages from nixpkgs and //third_party.
See also: b/108, cl/2910
Change-Id: I28b5abd1f0f9fa3c4478c9f255b2025f4a4139f1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2917
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: Profpatsch <mail@profpatsch.de>
Reviewed-by: tazjin <mail@tazj.in>
In preparation for the solution of b/108, we need to consistently use
`depot.third_party` for packages that are only packed in the TVL depot
and `pkgs` for things that come from nixpkgs.
This commit cleans up a huge chunk of these uses in //fun
Change-Id: I45a7b392a9749fa7859ff5100dcea415bda807c3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2914
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
In preparation for the solution of b/108, we need to consistently use
`depot.third_party` for packages that are only packed in the TVL depot
and `pkgs` for things that come from nixpkgs.
This commit cleans up a huge chunk of these uses in //third_party
Change-Id: Ic382c0cdea7330a84d5f0b7d109c824ddceb94e7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2912
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Writing Gerrit plugins that don't use the in-tree build system is more
convenient if the API is actually exposed in the derivation's output.
Change-Id: I3408d35498ca879576d532b005e36fde8ff2ea61
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2871
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Having a space between the number and the unit is not valid CSS.
I was aware of this problem, but apparently forgot to amend the fix.
Change-Id: I74936db515799763038669d0a11da53f28f722be
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2867
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
We override the default `buildRustCrate` with our default options.
Kinda amazing how many crates still default to the 2015 edition;
probably to be backwards compatible with older compilers?
Change-Id: Ic571f527b1575a03b8b58e6b75bcf12c4b9b7d9c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2842
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
This reverts commit f59c6214c4.
Reason for revert: new gerrit's JS appears to not have compiled correctly; rolling back until I can figure out why
Change-Id: If16fe341aad25bef30ed7be8c6ac49cadf2a732c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2821
Reviewed-by: lukegb <lukegb@tvl.fyi>
Tested-by: BuildkiteCI
A bit less noisy in the definitions and the nix parser can already
detect it being misspelled.
Change-Id: I979da11471187e36cde5c015aaf654f925757a8b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2814
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
I think it is good practice to always get dependencies from the depot
fix point if they are exposed. The reasoning for this is that if we
improve the support for overriding in depot, say by introducing a
depot.extend functions or even full blown overlay support, this will
already work as expected.
Change-Id: Ibb8dffcf32e8f46817a2db2da26139fabdce55bc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2770
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
Profpatsch and me are basically the only users of
depot.users.Profpatsch.writers.rustSimple*. To pull in the odd
dependency we usually use buildRustCrate which is rather convenient.
However we've picked up the bad habit of inlining these in a let
somewhere instead of managing them in a more central location although
there has been an (unsuccesful) attempt at this in
//users/Profpatsch/rust-crates.nix.
This CL moves all buildRustCrate based derivations into
third_party.rust-crates and deletes any duplicate derivations we have
accumulated in the tree.
Change-Id: I8f68b95ebd546708e9af07dca36d72dba9ca8c77
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2769
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: Profpatsch <mail@profpatsch.de>
Panettone currently uses the LDAP DN as the user key, so we collect it
here so that we can later make sure its exposed to Panettone.
Change-Id: Ia2048cb479a2afe6fe9f47181115ae7ec13dedf3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2811
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: glittershark <grfn@gws.fyi>
There's some non-secret config that made its way into the secrets file.
This CL moves it into git so we can track it properly.
Change-Id: I3f5bf5e1f7addabb199997fb7b1f805b9157fbbe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2810
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Add the OAuth gerrit plugin to our mini collection of Gerrit plugins.
This includes a patch to make the plugin work correctly with CAS 6.x,
which has changed the attributes into a JSON object with the attributes
nested inside, instead of a JSON list.
Change-Id: I4741f137cca9c8eb45b9ea660fb4cbf6962be9a4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2782
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
I'm dropping the leaveDotGit and deepClone bits; they were set like that
purely to try to make the build stamping work. In practice, not only
does the build stamping not work, but it also means we hit some
inconveniently-different hashes from time to time when gitiles does...
something??? on its backend.
I'm also putting some gcroots for these on whitby, which should also
help a bit, although it's a bit of a hack.
Change-Id: Ie6082248393e62795c18b1971fc2d16f4e8cc81d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2781
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Decreased text width for the /about pages should increase readability
considerably as jumping back to the beginning is hard for longer
lines. The result is still not perfect as the font size for the /about
pages is rather small and many lines thus get broken somewhat awkwardly.
We could probably migitate that using a larger font size.
The implementation choice of adding a tvl-extra.css which we inject into
cgit.css in preBuild is for simplicity: We don't need to worry about
routing an extra CSS file and loading it from the right location via
extra cgit head entries and serving it at the correct location using
either nginx or thttpd.
A drawback of this is however that iteration is slowed down by cgit's
compilation time.
Additionally, this should be the basis for implementing a bubblegum
themed cgit for Profpatsch.
Change-Id: I18060f735167acd623cef7a17c83408978461249
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2756
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
This gives a decent compilation speedup even on slow machines, so seems
worth it. Let's hope the cgit build process is not racy.
Change-Id: Ic4ae72789da2ccae16fd48e46aec624244b25035
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2755
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
So here is what has been keeping me up at night: At some point I
realized that nix actually made a somewhat passable language for CGI
programming:
* That `builtins.getEnv` exists as one of the impurities of Nix is
perfect as environment variables are the main way of communication
from the web server to the CGI application.
* We can actually read from the filesystem via builtins.readDir and
builtins.readFile with bearable overhead if we avoid importing the
used paths into the nix store.
* Templating and routing are convenient to implement via indented strings
and attribute sets respectively.
Of course there are obvious limitation:
* The overhead of derivations is probably much to great for them to be
useful via IfD.
* Even without derivations, nix evaluation is very slow to the point
were a trivial application takes between 100ms and 400ms to produce a
response.
* We can't really cause effects other than producing a response which
makes it not viable for a lot of applications. There are some ways
around this:
* With a custom interpreter we could have streaming and multiplexed
I/O (using lazy lists emulated via attrsets) to cause such effects,
but it would probably perform terribly.
* We can use builtins.fetchurl to call other HTTP-based microservices,
but only in very limited constraints, i. e. only GET, no headers,
and only if the tarball ttl is set to 0 in the global nix.conf.
* Terrible error handling capabilities because builtins.tryEval actually
doesn't catch a lot of errors.
To prove that it actually works, there are some demo applications,
which I invite you to run and potentially break horribly:
nix-build -A web.bubblegum.examples && ./result
# navigate to http://localhost:9000
The setup uses thttpd and executes the nix CGI scripts using
users.sterni.nint which automatically passed `depot`, so they can
import the cgi library.
Change-Id: I3a22a749612211627e5f8301c31ec2e7a872812c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2746
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
`hii` is a derived rewrite of suckless’s `ii`.
It is not backwards compatible.
Change-Id: Ife2a43863b5b6ba38333d7ae5f2cb9bd4787b5fc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2706
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: sterni <sternenseemann@systemli.org>
About to do some dhalllll! \o/
Change-Id: Ie58c335d80f4a5abeb8296ece5a24377f07e6369
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2585
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>