Commit graph

203 commits

Author SHA1 Message Date
Vincent Ambo
8cdad7d45c feat(ops): introduce (head|tail)scale server at net.tvl.fyi
This runs a headscale server on sanduny which lets users join their
machines to the TVL tailscale network.

This would theoretically let people communicate with each other on the
internal network, but also more notably joined servers can advertise
exit node capability so that we can have our own "VPN network", for
starters with endpoints in Germany, UK and Russia (whitby, sanduny and
koptevo respectively).

This setup isn't fully stable yet, notably:

* The IP range used by tailscale is just the default one right now,
  I'm not sure if that should be changed or what.

* The system is stateful (on sanduny), but the state is not (yet)
  backed up anywhere. Use with caution.

* Machine joining is a manual process requiring SSH & root access to
  sanduny.

  The process is to log in to sanduny, then get a headscale shell with
  `sudo -u headscale bash`, and to use the `headscale` CLI within
  there to administrate access.

  I've opted to create a user account `tvl` for TVL-owned machines,
  and a personal account for myself and my machines.

Change-Id: I4f1be1fe8062a6c2e77203ff72fe8709f4e4dec8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8837
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-06-22 13:23:14 +00:00
Vincent Ambo
2936a95efd fix(ops/modules/quassel): use systemd LoadCredential to read certs
This avoids permission issues with nginx vs. quassel

Change-Id: I770f8284d8fd8fc6d38add93c1681f9daebe8749
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8786
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-06-15 21:34:36 +00:00
sterni
d2fa4e7c86 chore(3p/sources): Bump channels & overlays
* //ops/modules/depot-inbox: Adapt to upstream option type declaration.
  See nixpkgs commit b6ed3b8f402893df91a8e21ce993520301c2f076.

* //ops/machines/sanduny, //users/tazjin/polyanka:
  Remove boot.loader.grub.version options (no longer has any effect).

* //users/sterni/emacs: reflect rename emacsPgtk -> emacs-pgtk

* //3p/overlays: update tdlib to match emacs-overlay

* //3p/overlays: give EXWM from depot a separate name

* //users/grfn/system/home: disable Slack support in ntfy

Change-Id: I03bde088bc70e05b23925f244899807210cb7b20
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8547
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2023-06-15 17:09:02 +00:00
Florian Klink
b58f6f1d61 feat(ops/modules/open_eid): add support for Web eID extension
Most likely due to bad UX in browsers for hardware-backed TLS client
cert auth, most websites have switched from client-side TLS to the "Web
eID" extension.

Once installed, the extension uses [Native Messaging] to talk to a
`web-eid-app` application, which handles the communication with the
smart card itself.

This can be tested on https://web-eid.eu/ .

The commit needs nixpkgs to be bumped past
https://github.com/NixOS/nixpkgs/pull/227354 .

[Native Messaging]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging

Change-Id: Iffe6d81ecf7cee25406fa39a983ff52cf669c373
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8490
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-04-28 13:14:24 +00:00
Florian Klink
2363a194cd fix(ops/modules/open_eid): use libdigidocpp.bin
nixpkgs commit 134036f642a7f3ba9efeab509727c0989458b02b moved the
digidoc-tool binary to the `bin` output, so this wasn't actually
providing the digidoc-tool binary anymore.

Change-Id: Id5f7cc69d55b7cc058a6361512cc74de0e7bc1b2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8487
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
2023-04-19 09:11:34 +00:00
sterni
96d7f4f0ac chore(3p/sources): Bump channels & overlays
* Satisfy new assert that the corresponding shell needs to be enabled
  via programs.* if it is as the login shell of at least one user.

* //users/tazjin: “Address” removal of hardware.video.hidpi option.

* //3p/gerrit: update fetch sha256

Change-Id: Id0988a0ea7f393d6b7848a7104fc3526ee1177f4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8407
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-04-07 09:20:33 +00:00
Florian Klink
e9686f84d9 fix(views/kit): communicate :unsign in the tvl-kit URL directly
Instead of prepending :unsign to all URLs in josh-proxy, and for all
calls to filteredGitPush, explicitly use it only in the filter we use
for the `export-kit` extraStep.

This means, people cloning tvl-kit via

> https://code.tvl.fyi/depot.git:workspace=views/kit.git

now need to update the URL to point to

> https://code.tvl.fyi/depot.git:unsign:workspace=views/kit.git

instead.

git@github.com:tvlfyi/kit.git will keep the same hashes, as it's updated
to export the unsigned workspace view of it.

This is less invasive than dooming every josh workspace to have to strip
signatures.

Change-Id: I6de05182fad4c3695081388c3bbf37306521d255
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8369
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-03-31 08:46:01 +00:00
Vincent Ambo
73c12f7c4f fix(ops/www): allow all indexing on cl.tvl.fyi
I *want* search engines to index our CLs, they might be useful!

Change-Id: I956d92c80d812e1aefefb6daeba77a1588055b94
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8361
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
2023-03-29 12:17:56 +00:00
Vincent Ambo
0965600fe6 feat(ops): serve Tvix website & docs on (docs.)tvix.dev
Change-Id: I198ea197867f9b9a48e51665d0665f722202e02e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8299
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-03-14 22:10:40 +00:00
Vincent Ambo
89d9ce39b4 chore(3p/josh): update josh to recent master commit
It's been a long time since we updated josh, almost 400 commits in
between. I read through the entire changelog, and here are relevant
josh commits from in between that might be interesting to us:

  38eecee Fix optimisation bug for compose filter (#1159)
  e1d10b6 Add :rev(...) filter
  0f1a07b Initial implementation of refs locking (#929)
  88cea2a Initial work on meta repo support
  030ad93 Change magic refs to include "for"
  28b1d75 Add split changes feature (#904)
  1f908d7 Discover filters only on HEAD (#774)
  a368d8f Make --require-auth only apply to push
  8d80230 Add :linear filter (#741)
  3460ec2 Implement redundant refs filtering (#700)
  55b4e50 Implement stacked changes support (#699)
  ea1f814 Handle @sha urls by creating magic ref (#690)
  883a381 Run filter discovery only on changed refs (#685)
  4bb004f Prepend refs/heads to base parameter as default (#664)

Of particular interest is a368d8f, which allows us to drop our
authentication patch and use the standard --require-auth flag again.

The default behaviour of dropping signatures on commits (which are
invalid after filtering) has also been changed in josh, now only
occuring when the `:unsign` filter is present. Since this breaks
commit hashes with our existing exported histories, we are opting to
set a `:unsign` filter prefix on all proxy requests to ensure that the
hashes stay consistent.

During this update we found a bug (josh#1155) which was fixed in the
commit that this CL moves josh to.

Change-Id: I3afac1619f3aa90313a0441da91f0e4a96fe0a3b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8186
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-03-07 16:46:54 +00:00
Alyssa Ross
08b300aaa8 chore(ops/modules): add a GECOS for my user
This way, I won't have to teach my name one at a time to every program
that wants to know my it (e.g. git).

Change-Id: I45ddd9c2343a10cd4c13bacd9a97b7470db95c14
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8038
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-02-09 09:43:48 +00:00
Vincent Ambo
3caa4c4aa4 fix(ops/www): increase buffer memory size for auth.tvl.fyi
Keycloak seems to have decided today that it will now send headers
that are larger than what the nginx default configuration can handle.

The numbers are a mix of made up and taken from random nginx voodoo
posts on the internet, so they're as good a guess as anyone's.

Change-Id: If037bcba48eee371cc96304b150276c669930c75
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7992
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
2023-02-01 09:30:24 +00:00
Vincent Ambo
d62c7ddfda feat(ops/modules): enable mail address obfuscation in public web UI
Change-Id: I47b5313bee84893d405f86aefb3682cda3cfc6d7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7637
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2022-12-29 20:11:24 +00:00
Vincent Ambo
45fa75c0cd fix(ops/modules): list IMAP server on public-inbox page
This fix can only be applied after the upstream public-inbox
fix (https://github.com/NixOS/nixpkgs/pull/207693) has been merged.

Change-Id: I957473e2895b7e57baad25c9e908b36aa790f3a6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7636
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
2022-12-29 20:11:23 +00:00
Vincent Ambo
62e19a8321 feat(web/inbox): add landing page for inbox.tvl.su
This landing page explains how to use the public-inbox.

Change-Id: I37d74decad5173ab35051970593f1d28001af2b4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7645
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2022-12-28 08:17:45 +00:00
Vincent Ambo
eb62cb1421 style(ops/modules): add inbox email address to public-inbox header
Change-Id: Ib7d9089b63bba7ebc44d3438ed284e752f0595e9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7638
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2022-12-28 08:17:45 +00:00
Vincent Ambo
6552cf03b3 feat(ops/modules): enable NNTP on inbox.tvl.su
Change-Id: Iec564860a247fe51a5549129be294a3629645519
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7635
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2022-12-28 08:17:45 +00:00
Vincent Ambo
e665f53621 feat(ops/modules): enable IMAP access for public-inbox
This sets up IMAP on inbox.tvl.su:993

I added a hack to work around problems with the NixOS ACME module.
Spent way too much time of my life with problems with that module, so
I only use it with blunt force these days. Others are welcome to make
a cleaner solution.

Change-Id: Ice828766020856cf17d2f0a5b4491f4cec8ad9b4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7633
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-12-28 08:17:45 +00:00
Vincent Ambo
e68c2f3736 feat(ops/modules): index incoming mail in public-inbox
Change-Id: I8a3e2c0e789057fd1edd015ccb8fdcc0cbb52cd8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7631
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2022-12-27 19:46:11 +00:00
Vincent Ambo
aa0197ab83 feat(ops/modules): configure offlineimap for depot@tvl.su
On the machine running public-inbox, this will start automatically
fetching mails from depot@tvl.su and making them available to
public-inbox.

Change-Id: I2469207bd41d64eba747a74ae5fda9fed548cc83
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7630
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2022-12-27 19:46:11 +00:00
Vincent Ambo
d446143413 feat(ops/modules): set up public-inbox at inbox.tvl.su
Initial setup which does not yet include fetching mails at all, this
is for now only going to display a manually populated view of the
existing mailing list while the rest of this stuff is set up.

Change-Id: Ie1235bd257c9056fe37d0740dfca771ebdd880eb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7628
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2022-12-27 19:46:11 +00:00
Vincent Ambo
ee4b95e470 fix(ops/modules): regularly restart panettone for b/225
Change-Id: I27565e0e462ecb431d0f82bb3f6026b1eb369279
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7504
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-12-05 09:40:38 +00:00
sterni
83dabf8955 fix(ops/machines/whitby): serve grafana at status.tvl.su again
This is a follow up to cl/7191 which neglected to adjust the
status.tvl.su.nix module and re-enable it.

Change-Id: Icc1917004cd50e5eab61a29bc68b393ba9bd6325
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7226
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
2022-11-07 14:43:18 +00:00
Vincent Ambo
b9bfcf2f33 fix(ops/www): fix port templating for keycloak
Change-Id: I714b12f996d7dbe705f1f553d449f2dbc4910b1e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6848
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-10-03 17:42:56 +00:00
sterni
0c178a0ef6 chore(3p/sources): Bump channels & overlays
Upstream nixpkgs removed a lot of aliases this time, so we needed to do
the following transformations. It's a real shame that aliases only
really become discoverable easily when they are removed.

* runCommandNoCC -> runCommand
* gmailieer -> lieer
  We also need to work around the fact that home-manager hasn't catched
  on to this rename.
* mysql -> mariadb
* pkgconfig -> pkg-config
  This also affects our Nix fork which needs to be bumped.
* prometheus_client -> prometheus-client
* rxvt_unicode -> rxvt-unicode-unwrapped
* nix-review -> nixpkgs-review
* oauth2_proxy -> oauth2-proxy

Additionally, some Go-related builders decided to drop support for
passing the sha256 hash in directly, so we need to use the generic hash
arguments.

Change-Id: I84aaa225ef18962937f8616a9ff064822f0d5dc3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6792
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: wpcarro <wpcarro@gmail.com>
2022-09-28 08:02:31 +00:00
Luke Granger-Brown
adf092a26b feat(monorepo-gerrit): swap owners plugin for code-owners
Change-Id: I9e05384b58dac258bc2da41c22e321b20451ef00
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6686
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: lukegb <lukegb@tvl.fyi>
Tested-by: BuildkiteCI
2022-09-19 11:17:07 +00:00
Vincent Ambo
beb78c7104 feat(ops/modules): deploy tvixbolt to tvixbolt.tvl.su
Change-Id: I534cf918fc3e03ce8c14cf15f6d3280b6a657c8d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6536
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-09-13 11:05:54 +00:00
sterni
aaa994137a fix: reflect renames of Nix configuration options
Change-Id: I7e28ac3d71acd7d99a1d3ef97bef9422097e4abf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6154
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-08-25 16:34:39 +00:00
Vincent Ambo
20fc7bc0b2 chore(3p/sources): Bump channels & overlays
* tvl-slapd: move database to subdirectory (somehow now required)

Change-Id: I1792b856cf68b11959c0cc9caab4135e556f8c58
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6090
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
2022-08-13 14:43:05 +00:00
Vincent Ambo
d2176bb8fb feat(ops/www): add predlozhnik redirect on tazj.in
otherwise posting this to reddit's /r/russian is not possible, as they
ban all links to Russian-affiliated sites

Change-Id: I8d23f0961ec7ef097fc2dbdd0aaa178861a19c10
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5992
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-07-28 17:50:18 +00:00
Vincent Ambo
482e1b201c fix(ops/www): redirect very old tazj.in feed URLs correctly
at some point in the far past, there was an RSS feed at `/en/rss.xml`.
It seems to still get a single hit or so every hour, which currently
404s.

Change-Id: Ieb13c2c0232861a50a54bc2a4087d9ccb21185cf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5962
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-07-19 15:14:29 +00:00
Vincent Ambo
5d65d8e03a fix(ops/www): issue certificate for 'www.tazj.in'
Change-Id: I6179f785bb6bd6168a2a11836b90da5ee93adc69
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5953
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
2022-07-18 14:02:58 +00:00
Vincent Ambo
fcfd097e65 refactor(ops/cgit): make user configurable
on whitby, cgit runs as the gerrit user to get access to serving
gerrit's repositories directly.

on other machines (e.g. sanduny) this isn't necessary, as we have a
world-readable depot replica.

Change-Id: Ibf7e7cc08e5909e0fa182e561ab0cb472188edcb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5932
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-07-12 08:49:55 +00:00
Vincent Ambo
39d589b84b fix(depot-replica): make the depot replica world readable
Change-Id: Idc0b5210793ab0d83b3ac99cf36d7f7f02a35a37
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5931
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-07-12 08:49:55 +00:00
Vincent Ambo
c08e47903e feat(ops): configure depot replication to sanduny
this configures gerrit's built-in replication plugin to push every
change in depot to sanduny.

this allows us to serve a replica of depot from sanduny.

manual config that was needed which needs to be automated:

* system-wide known_hosts does not work, needed one in /var/lib/git
* .ssh/config MUST be present and configured for sanduny.tvl.su

Change-Id: Iba399f2328abb5acb65dae19a36e265eea0952ac
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5915
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-07-03 20:54:06 +00:00
Vincent Ambo
6ab6724e4c feat(ops/modules): add module for receiving a depot replica
This module sets up a user with an SSH key and permissions to receive
a (pushed) replica of depot from Gerrit.

This still needs appropriate configuration in Gerrit's replication
plugin on the other end.

This module has been enabled for sanduny. For now it does not (yet)
configure git serving.

Change-Id: I0fb6f7e696609e71008308e855bdf305dcbcd4f7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5913
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-07-03 15:02:21 +00:00
Vincent Ambo
1094306aa9 refactor(web/cgit-tvl): Move cgit config back out of module
It occured to me yesterday that with the config inside of the module
it is kind of difficult to test cgit locally.

This moves it back to a separate location (//web/cgit-tvl) and makes
the most important things configurable via overrides.

Change-Id: I9b0f4c60b75c31441e1718e63b5b55aba3100aae
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5893
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-06-27 14:15:07 +00:00
Vincent Ambo
6c3465dc59 chore(ops/sourcegraph): Bump to 3.40.0
Change-Id: I77438201d8ed5237095b3d2e8a855dec3e58b641
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5766
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-05-28 11:58:34 +00:00
Vincent Ambo
b4c4ea074a chore(ops/sourcegraph): Bump to 3.39.1
Change-Id: I76d0a3ede7cc23a9a6e8db61ed7e9d91670f1699
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5765
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-05-28 11:57:20 +00:00
Vincent Ambo
e6ed840788 chore(ops/sourcegraph): Bump to 3.38.1
Change-Id: Ib1f4f9591acab537607c9d9c9b123e9c711e331b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5764
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-05-28 11:55:27 +00:00
Vincent Ambo
291dd44044 chore(ops/sourcegraph): Bump to 3.37.0
Change-Id: If333f28dd0bec4eb965a6e3005ef5aca810c86f3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5763
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-05-28 11:53:41 +00:00
Vincent Ambo
793081905e chore(ops/sourcegraph): Bump to 3.36.3
Change-Id: I3a6caeeb06919b25a9c1200c8f286b0bd34916b2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5762
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-05-28 11:48:27 +00:00
Vincent Ambo
d32fa2bd33 chore(ops/sourcegraph): Bump to 3.35.2
Change-Id: Ia829b4ffa2e7e37438f766d0ff98e504c0d856b4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5755
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-05-28 11:37:15 +00:00
Vincent Ambo
c06d47b787 chore(ops/sourcegraph): Bump to 3.34.2
Change-Id: I865335006a091986f8a98e4d5da7161a25e948d9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5754
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-05-28 11:29:01 +00:00
Vincent Ambo
c6024e7a41 chore(ops/sourcegraph): Bump to 3.33.2
Change-Id: I6568e3226a7ff0796cbf3748c0dab1530fb0fb6a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5753
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-05-28 11:26:03 +00:00
Vincent Ambo
a99e33a107 chore(ops/sourcegraph): Bump to 3.32.1
Change-Id: I8efdf3dbfc5575f24c8e6996a7716d308f1446df
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5752
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-28 11:21:27 +00:00
Vincent Ambo
9bff3ae373 fix(tvl-slapd): load argon2 module with new name
This became an "official" module and dropped the `pw-` prefix.

Relates to b/184

Change-Id: I963f83b55b83015b022ab1b8330ea710d2258631
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5751
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-27 23:48:37 +00:00
Vincent Ambo
bdccd2c111 fix(ops/modules): Increase RestartSec= of oauth2_proxy service
When Keycloak and oauth2_proxy are restarted simultaneously, the
latter might try to come up (repeatedly!) before Keycloak can serve it
properly.

This leads to systemd considering the unit failed.

Since this all happens in the span of a second or so, slightly
increase the restart delay of the service to ensure it comes back
after Keycloak is ready.

A "proper" fix might be to add a script that runs before the actual
service and waits for Keycloak, but I don't want to prioritise that
right now.

Change-Id: I4dadba686de60ffc103fe889ce19f05ca1d7d4fe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5695
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-27 21:10:35 +00:00
Vincent Ambo
bc42c5a61b fix(ops/modules): adapt for changed ssh.knownHosts
Somehow this ended up generating an empty file, with this change it is
fine again. I was looking at the recent commits of the module in
nixpkgs but couldn't quite figure it out, there are also some vague
references to the attribute set key being used as a hostname, but this
doesn't seem to be true in practice.

To be clear, the previous code was wrong, but at some point it
generated a file that accidentally worked.

Change-Id: I42d55730c09daafe6d6fe0eb3647135e84737bca
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5670
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
2022-05-26 10:05:54 +00:00
Vincent Ambo
e3a31b702a feat(whitby): Deploy private SSH key for build agents
Change-Id: I5b1dfaaf28e835cac5b897e18b015d90ac3b2857
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5665
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
2022-05-25 23:53:09 +00:00
Klemens Nanni
3a53587c2a feat(ops/modules/open_eid.nix): Access all key slots
`onepin-opensc-pkcs11.so` only enables PIN1, but PIN2 is also required.

Change-Id: Ic1c34ca58a46c2978c7e27e7a9b7e6a4d335ac0c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5648
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: kn <klemens@posteo.de>
Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-25 20:38:11 +00:00
Klemens Nanni
45c46d4a73 feat(ops/modules/open_eid.nix): Add digidoc-tool(1) to PATH
libdigidocpp is a dependency of qdigidoc4(1) already.

This will need https://github.com/NixOS/nixpkgs/pull/174055
"libdigidocpp: Fix PKCS11 module library path" to work, though.

Change-Id: Ic8d671077977b1d1f099a8b4b23cc537b52aa954
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5647
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-25 20:37:53 +00:00
sterni
03d1986316 feat(3p/agenix): update to 2022-05-16 and add to niv
The new version brings the new secretsDir setting which means we no
longer have to hardcode /run/agenix everywhere.

Change-Id: I4b579d7233d315a780d7671869d5d06722d769fa
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5646
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: sterni <sternenseemann@systemli.org>
2022-05-25 15:00:37 +00:00
Vincent Ambo
f31edeec1b refactor(nixery): Modernise structure of binaries
Nixery is going to gain a new binary (used for building images without
a registry server); to prepare for this the server binary has moved to
cmd/server and the Nix build logic has been updated to wrap this
binary and set the required environment variables.

Change-Id: I9b4f49f47872ae76430463e2fcb8f68114070f72
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5603
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-23 15:04:56 +00:00
Florian Klink
e8855f4bef feat(ops/modules/open_eid.nix): document firefox
Firefox users can add p11-kit-proxy (or other SecurityDevices)
system-wide, by making use of the extraPolicies functionality.

Change-Id: Id58b6cab425199fb0e09e846db2a86d302c0de0d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5534
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
2022-05-08 13:52:27 +00:00
Florian Klink
84c62eb68b feat(ops/modules/open_eid.nix): use p11-kit-proxy
… instead of onepin-opensc-pkcs11.

This acts as a glue to multiple PKCS#11 modules, and reads configuration
files from /etc/pkcs11/modules.

p11-kit is also used to propagate the system trust store to NSS:
https://p11-glue.github.io/p11-glue/sharing-trust-policy.html

See-Also: https://p11-glue.github.io/p11-glue/p11-kit.html
Change-Id: I135c3a80a4eea0bd06f6b00089dc197c82476746
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5533
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2022-05-07 21:29:56 +00:00
Vincent Ambo
6716bf018c chore(nixery): Housekeeping for depot compatibility
Cleans up a whole bunch of things I wanted to get out of the door
right away:

* depot internal references to //third_party/nixery have been replaced
  with //tools/nixery
* cleaned up files from Github
* fixed SPDX & Copyright headers
* code formatting and inclusion in //tools/depotfmt checks

Change-Id: Iea79f0fdf3aa04f71741d4f4032f88605ae415bb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5486
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
2022-04-20 15:31:16 +00:00
Vincent Ambo
e3cd8069ef feat(ops/open_eid): Add script for setting up browser integration
Change-Id: Ib339d62d862fd99dab2fda30376b8e47b337a26b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5441
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
2022-04-14 16:18:43 +00:00
Vincent Ambo
186c2822b0 feat(ops/modules): Add module for using Estonian e-residency card
Someone already packaged the required software, so I didn't have to do
that.

Change-Id: Ifc6a68fd4cd89f4718368a05acb6c6f536e01aab
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5431
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: tazjin <tazjin@tvl.su>
2022-04-09 08:49:06 +00:00
Vincent Ambo
017238a1be fix(ops/oauth_proxy): Depend on Keycloak service
If the Keycloak service is running on the same machine as the oauth2
proxy (spoiler alert: it is!), let the service depend on it.

Change-Id: I30e4222b4cd5589e08849ef6f37cf1fb4369f55a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5421
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-03-31 13:27:48 +00:00
sterni
508a62b603 chore(3p/sources): Bump channels & overlays
* Remove use of aliases that have been removed in nixpkgs commit
  a36f455905d55838a0d284656e096fbdb857cf3a:

  - ncat
  - x11
  - nologin
  - dbus_libs
  - emacsPackagesGen
  - man-pages
  - pulseaudioLight

Change-Id: Ide603bf48bc7f77e10e4aa715ba025aece3644fd
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5387
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: wpcarro <wpcarro@gmail.com>
2022-03-19 17:11:59 +00:00
Vincent Ambo
fb5f21067e fix(modules/quassel): Open firewall port automatically
Change-Id: Ie815495561f789590b5f49ecfd33441822f79047
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5382
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-03-11 21:38:40 +00:00
Vincent Ambo
e8756239a8 chore(ops/modules): Remove fix-nginx timer unit
This doesn't seem to be needed anymore.

Change-Id: Id8d4192840e8ab10adb652abc9bd6540009a3dcf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5319
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
2022-02-20 14:26:57 +00:00
Vincent Ambo
ac6717fe3c fix(ops/modules/www): Make self-redirect to config a generic module
As suggested by sterni, this makes the self-redirect of a machine to
its configuration a generic module working by convention.

In the process of moving this two small fixes have been applied:

* redirect is only applied if the URI is `/`, this is required for
  ACME to work
* addSSL = true is added, otherwise we have a certificate but no TLS
  listener

Change-Id: Icaef041ff681253a61e36926417bdb2844e3f93d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5313
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2022-02-18 11:39:01 +00:00
Vincent Ambo
536e01e967 refactor(ops/modules): Move journaldriver configuration into module
This makes the journaldriver configuration machine-independent.
The secret is loaded from agenix instead of being persisted on disk.

Change-Id: I592ae7f5726fcb7f37a406f69dcf5ac498eeb1b7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5302
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-18 11:38:34 +00:00
Vincent Ambo
95780174e1 feat(ops/machines): Add a module for known SSH keys
Change-Id: I443e479f3edf9c6540de7b5a33bc6f7e2a9c5183
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5305
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
2022-02-18 08:22:56 +00:00
Vincent Ambo
b936843bb0 feat(ops/modules): Redirect machine base names to their config
With this change, entering just "whitby.tvl.fyi" or "sanduny.tvl.su"
in a browser will redirect users to their machine configurations.

Change-Id: Ibf076a469bcce073e1b1970aa568d6fe16a5c75a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5304
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
2022-02-18 08:15:56 +00:00
Vincent Ambo
f4f1d97052 refactor(ops/modules): Move ACME base configuration into base.nix
This needs to be present on all machines that run ACME stuff.

I've switched the address for a .su one because I have a catchall for
these.

Change-Id: I7af8e1f1cb2fcfbcba4b7d1930ed0edef0106d72
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5306
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-18 08:15:56 +00:00
Vincent Ambo
dd5ce78dbd refactor(ops/modules): Move user configuration into module
Rather than defining all system users inline on whitby, move them into
a module that can be imported on multiple machines.

Configuration for terminfos that we've added follows along.

Note that while doing this I've disabled logins for riking and isomer
since they are currently inactive in TVL.

Change-Id: Id18031d355afc34079c5e6e49dc6943e61809a8f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5298
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
2022-02-17 18:08:19 +00:00
Vincent Ambo
c72c1efdeb refactor(ops/modules): Rename git-serving -> josh
cgit has its own module now

Change-Id: I9b4cc322374517b8bd3db43345831e2bf43c4bb1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5295
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-16 23:03:06 +00:00
Vincent Ambo
cb8f050b9c refactor(ops/modules): Move cgit configuration into a module
The ancient `//web/cgit-taz` path stems from the time I had
code.tazj.in serving my initial version of the depot.

I've been meaning to clean this up for forever, so here we go.

Note that this leaves the git-serving module in a strange state where
it only deals with josh. I'll rename it accordingly.

Change-Id: I47ed1e9d90958299b5440a18a1b9075274754e33
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5294
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-16 23:03:06 +00:00
Vincent Ambo
aa122cbae7 style: format entire depot with nixpkgs-fmt
This CL can be used to compare the style of nixpkgs-fmt against other
formatters (nixpkgs, alejandra).

Change-Id: I87c6abff6bcb546b02ead15ad0405f81e01b6d9e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4397
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: Profpatsch <mail@profpatsch.de>
Reviewed-by: kanepyork <rikingcoding@gmail.com>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: cynthia <cynthia@tvl.fyi>
Reviewed-by: edef <edef@edef.eu>
Reviewed-by: eta <tvl@eta.st>
Reviewed-by: grfn <grfn@gws.fyi>
2022-01-31 16:11:53 +00:00
Vincent Ambo
dddeb04679 fix(www/tvl.fyi): Anchor /blog redirects at #blog
Since our blog index is on the index page, this makes slightly more
sense.

Change-Id: I7b8164490c133e23d892abef21275f8bfed50b66
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5123
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-01-29 22:37:55 +00:00
Griffin Smith
be91bc97a9 fix(tvl.fyi): Redirect /blog/ (with trailing /) to /
This was already happening without the trailing slash, but needs to
happen separately with it.

Fixes: b/172
Change-Id: Ic3423fd7a2eaf76a073badd80965cee953df4ce9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5121
Tested-by: BuildkiteCI
Autosubmit: grfn <grfn@gws.fyi>
Reviewed-by: tazjin <tazjin@tvl.su>
2022-01-29 22:27:54 +00:00
Vincent Ambo
7b7dfa3bf2 feat(ops/www): Write JSON access log to journald
This means it will end up in journaldriver.

Change-Id: I66f781085b5dac9946b3b9a2bf30e447863e1213
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5122
Reviewed-by: lukegb <lukegb@tvl.fyi>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
2022-01-29 22:24:53 +00:00
Vincent Ambo
1f3aa71cf2 fix(ops/oauth2_proxy): Fix cookie secret length
The cookie secret in the encrypted file was too long, because the
generation command in the oauth2_proxy docs is also wrong. Should
probably fix that upstream as well.

Also noticed that an extra '2' snuck into the service name and fixed
that.

Change-Id: I9a344a75993ab1f98299a8d45e7f5b2e146b7fc5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4957
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-17 13:51:47 +00:00
Vincent Ambo
7cac51a995 feat(ops/auto-deploy): Support emergency stops via stop file
Adds a feature to emergency-stop deploys by simply running `touch
/var/lib/auto-deploy/stop`.

This can be useful in some situations, especially if there is a
process that reconciles service state (so that e.g. stopping the
unit's timer would be undone).

Change-Id: I233dfac365a578bfa4110eb605b50be079974ba4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4827
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: wpcarro <wpcarro@gmail.com>
2022-01-07 17:17:33 +00:00
Vincent Ambo
b8e011f792 chore(cache.tvl.su): Raise cache priority to 50
The priority of binary caches is decided by the remotes in Nix (???),
and by default nix-serve (which is *very* slow) has a lower priority
than cache.nixos.org (which means that it will be preferred over the
faster cache for paths that exist on both).

To avoid this, override the hardcoded (????) priority by serving the
nix-cache-info response directly from nginx instead.

Change-Id: I15a2d6618386d16edaf69f1c9257a36bd72132d2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4823
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
2022-01-07 01:30:00 +00:00
Vincent Ambo
73288ba569 feat(ops): Add initial oauth2_proxy configuration
The intent is to configure oauth2_proxy pointing at Keycloak to enable
usage with nginx auth_request directives.

I want to expose this as a function from within the module in which
nginx server configuration blocks can be wrapped, but the function for
that is currently a placeholder.

Change-Id: I5ed7deb9bf1c62818f516e68c33e8c5b632fccfe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4767
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2022-01-04 18:04:27 +00:00
Vincent Ambo
3806cea40b chore(ops): Remove login.tvl.fyi module
It looks like we won't need this for oauth2_proxy when combined with
nginx auth_request setups.

Change-Id: I2294aee6226b4f64a27bf6592c2d18092d0268cc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4766
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
2022-01-04 18:04:20 +00:00
Vincent Ambo
2bf39d7101 refactor(modules/smtprelay): Load credentials via agenix
Change-Id: I56f6887e1fd35551cfc83ad08cafebb611f4a341
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4760
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: Profpatsch <mail@profpatsch.de>
Autosubmit: tazjin <mail@tazj.in>
2022-01-01 15:30:17 +00:00
Griffin Smith
7ea212ee07 fix(auto-deploy): Add missing packages to path
Building nix derivations needs tar (provided by gnutar) and gzip on the
PATH in order to extract .tar.gz archives.

Change-Id: Ia2df7a3a770cfd342dfede58ad34e04805fbd1f8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4685
Tested-by: BuildkiteCI
Autosubmit: grfn <grfn@gws.fyi>
Reviewed-by: wpcarro <wpcarro@gmail.com>
2021-12-26 21:33:36 +00:00
William Carroll
80ef71e995 feat(ops/auto-deploy): Support auto-deploy
Automatically rebuild the current system's NixOS config from the latest checkout
of depot.

Change-Id: I23aa7af50e16e985ac34df214e0905e770316e5e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4390
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
2021-12-26 14:55:42 +00:00
Vincent Ambo
28a80e0251 chore: friendship ended with cas, now keycloak is our best friend
Note that the login.tvl.fyi WWW configuration is still kind of hanging
around until we've settled where Keycloak lives.

Change-Id: Iaca4e394a7371cafa3716ca66ef09c4eca5b1520
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4626
Autosubmit: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-12-26 00:10:10 +00:00
Vincent Ambo
738cca62c1 feat(monorepo-gerrit): Configure for Keycloak compatibility
Change-Id: Ic3fce02b071c09cf03e652510f16bafb795a5a1d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4614
Autosubmit: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-26 00:10:09 +00:00
Vincent Ambo
d8a1802b3e feat(whitby): Configure initial Keycloak setup
Trialing this as an alternative to CAS that is a little easier to
configure and can help us delegate authentication to other OIDC
services.

Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-12-25 21:11:40 +00:00
Griffin Smith
7f593781f3 feat(whitby): Add buildkite agents to docker group
I'd like to be able to run extra CI steps that include running docker
containers (to integration test things like webapps that connect to a
database). To do this the buildkite agents themselves need permission to
do docker things.

Change-Id: I3c9a488708f0e12a508754ac41f04148ca7aedac
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4408
Tested-by: BuildkiteCI
Autosubmit: grfn <grfn@gws.fyi>
Reviewed-by: tazjin <mail@tazj.in>
2021-12-19 12:58:35 +00:00
Griffin Smith
d85c6a1b56 feat(ops/modules): Provide some modules to all nixoses
For modules that are gated behind a mkEnableOption, it's reasonable to
just provide them to all Depot-built nixos systems without requiring
people to explicitly import them. This defines a special module called
`default-imports.nix` which imports these modules (currently just
tvl-cache.nix and automatic-gc.nix, as I'm being rather conservative
adding things here to avoid breaking anyone's system), then provides
that module as one of the `modules` passed at the top-level
nixos/eval-config invocation.

Change-Id: I3be299ab10ae4c451ef11c514edb3c89318a2278
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4345
Tested-by: BuildkiteCI
Autosubmit: grfn <grfn@gws.fyi>
Reviewed-by: tazjin <mail@tazj.in>
2021-12-16 14:17:35 +00:00
Griffin Smith
0f5cc25697 feat(ops/modules): Add shared module for TVL cache
Add a shared nixos module for configuring whitby as a binary nix cache,
and refactor tverskoy to use this module.

This is enabled via an option to pave the way for including it as an
import in all depot-generated nixos configs at some point in the future.

Change-Id: I6dcc0e8eb48b1ac34457666dceebeedd5da6c526
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4344
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: grfn <grfn@gws.fyi>
2021-12-15 23:36:22 +00:00
Florian Klink
46a2c75a59 docs(ops/irccat): link to credentials RFE
https://cl.tvl.fyi/c/depot/+/4264 did move merging config with secrets
into ExecStart=, which is tracked in an RFE upstream:

https://github.com/systemd/systemd/issues/19604#issuecomment-989279884

We didn't link to this so far, neither in the commit message, nor in a
comment.

Let's add a comment, so people know when we can undo this.

Change-Id: I7bed370b671093bb876592b4dccd562f1c256cd2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4326
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-14 17:30:33 +00:00
Vincent Ambo
aa5bf312e8 fix(tvl-buildkite): Use supported credential helper binary name
Git only allows binary names prefixed with `git-credential-` if the
path to the helper is not absolute.

Why? Who knows.

Change-Id: I216b2a621f62a73f05e21def7ec8016b29ede892
2021-12-10 23:37:57 +03:00
Vincent Ambo
2f1c654c14 refactor(ops): Move panettone secrets to agenix
Relates to b/161

Change-Id: I508e5a0eacab668f4bd39a2c888d894b96bed093
2021-12-10 23:19:56 +03:00
Vincent Ambo
5baa9b6d87 refactor(tvl-buildkite): Prepare gerrit credentials helper
Currently this functionality is provided by a shell script stored in
/etc/secrets (which has the password value hardcoded).

This needs to happen in a separate commit from the one that changes
the pipeline to avoid breaking it (it needs to be deployed first).

Change-Id: I680754c828ccefbacfcf0d5c813a4bc19493ba4c
2021-12-10 19:52:39 +00:00
Vincent Ambo
2fe8d724d7 refactor(ops): Move Nix cache secret to agenix
... and also the public key, just to keep the distribution mechanism
the same.

Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
2021-12-10 19:48:26 +00:00
Vincent Ambo
82a885a750 refactor(ops): Use besadii configuration from agenix
We already checked this in, but this commit adds the configuration for
making use of it.

There are two copies of besadii's JSON configuration with different
permissions.

Note that the buildkite-graphql-token path needs to be updated in
static-pipeline.yml, but this needs to happen in a separate commit
after deploy because the pipeline will break otherwise.

Change-Id: I6fab4bf1a2e679df7cf76521e2b53bd9dadbac62
2021-12-10 19:31:36 +00:00
Vincent Ambo
b2d46aed2b fix(tvl-buildkite): Add more missing programs to agent path
... this option really is a pitfall! The list of programs is now the
same as in the upstream module, plus curl and jq.

Change-Id: I29edae4b2400a2724f62df9efa1dc184a8b0af5f
2021-12-10 17:13:22 +00:00
Vincent Ambo
b8267c261c fix(ops/irccat): Avoid permissions issue with LoadCredentials=
The DynamicUser + Group configuration does not work as planned, thus
the systemd LoadCredentials feature is used instead which makes the
file (which itself is only readable by root) available in a
memory-backed location only readable by the service.

The secret is only available to `ExecStart` commands, so units using
this feature can not be used with pre/post units and the like if those
commands need secrets.

To accommodate this, the merge of configuration files has been moved
into the service launch script, which is now the ExecStart= process.

For details take a look at https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LoadCredential=ID:PATH

Change-Id: I693fe5677cc0d63c7aa485c2c7472457c5262166
2021-12-10 15:09:09 +00:00
Vincent Ambo
67bde5ecc3 fix(tvl-buildkite): Explicitly set runtimePackages
It turns out the lib.mkAfter call doesn't behave as expected -
only *some* of the packages that are defaulted end up in the $PATH.

I suspect this is actually something else, e.g. these packages are
always added for some reason or another, and the option is completely
overridden every time.

Change-Id: I854c7198520d82b00e6338ed0fe653836226dc6d
2021-12-10 15:06:08 +00:00
Vincent Ambo
bc3d35f3d0 fix(tvl-buildkite): Add missing runtimePackages back
Turns out that the type of this option is not concatenative and it
replaces the packages needed to run Buildkite if set.

Change-Id: I9f52572bc165bccdd8c6518cfdf7b8967f7a50d0
2021-12-10 13:14:11 +00:00
Vincent Ambo
d4403638cf refactor(ops): Move irccat secret into agenix
The irccat module uses DynamicUser, so to grant permission to it a new
group has been added for irccat.

I have some vague memory of DynamicUser + Group not behaving as one
would expect, but we'll see what happens.

Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
2021-12-10 16:13:31 +03:00