Commit graph

15761 commits

Author SHA1 Message Date
Griffin Smith
479e9ea279 feat(third_party/arion): Init
Change-Id: Iadf53a3cfa8ed6e7c55b3681d813239cd95bd29e
2021-12-13 21:32:54 -05:00
Griffin Smith
a8ef116421 feat(third_party/clj2nix): Init
Change-Id: Iaf04d71352740552c1101d1e8cbb80a770b40a7b
2021-12-13 21:32:54 -05:00
sterni
b5eb90196e refactor(sterni/aoc/2021): determine width/height in the same fold
Change-Id: I39410171402cedc3ee8d9ac972557656ed12de53
2021-12-14 00:56:31 +01:00
sterni
1303f3fc71 feat(sterni/aoc/2021): day 13 solution
Change-Id: I9cfa8a28854cbee7e8e1b457faf9c572353e803f
2021-12-13 23:39:50 +00:00
sterni
7a1a8aa3aa refactor(sterni/aoc/2021): name input data more consistently
Change-Id: Ibcea43d2e51f14d8b1b021050310f88d44d970d3
2021-12-13 23:39:49 +00:00
William Carroll
8f1b1c94d2 feat(users/wpcarro): add OWNERS file
Change-Id: Id6eeee0f97b9a7195664e5c2434e9d545929a042
2021-12-13 23:23:45 +00:00
Vincent Ambo
019f8fd211 subtree(users/wpcarro): docking briefcase at '24f5a642'
git-subtree-dir: users/wpcarro
git-subtree-mainline: 464bbcb15c
git-subtree-split: 24f5a642af
Change-Id: I6105b3762b79126b3488359c95978cadb3efa789
2021-12-14 02:15:47 +03:00
sterni
464bbcb15c feat(sterni/aoc/2021): day 9 solution
Change-Id: I90e7a47d5418abeff1ae7cc5757b6a8b3b0d1086
2021-12-13 22:13:29 +01:00
sterni
343b811bbc feat(sterni/aoc/2021): day 7 solution
Change-Id: I8c8b535defb42f15eafc816ebe953e51b11ea702
2021-12-13 21:58:15 +01:00
sterni
f78a7467f1 feat(sterni/aoc/2021): day 3 solution
Change-Id: Id14281f7b18ddaf6875e5dd8398249a10a9474af
2021-12-13 21:58:15 +01:00
sterni
b3d4305700 refactor(sterni/aoc/2021): allow variable bases ≤ 10 for ReadInt
Change-Id: Ie035134a4b3d478ce836aa00016122e0f49a5a28
2021-12-13 21:58:15 +01:00
sterni
4b38ba2d0a feat(sterni/aoc/2021): day 2 "solution"
Change-Id: Ifbd50274f0b09305991a49e7453ac1f13089e57e
2021-12-13 21:58:15 +01:00
Vincent Ambo
b97d6b0f1b feat(ops/users): Add wpcarro
... this was overdue!

Change-Id: I435768007db4a0f3663e1aa9376e8cae4d1d0381
2021-12-13 23:54:12 +03:00
Vincent Ambo
79b4e0e1a4 chore(ops/users): Rotate password hash for asmundo
New hash received via an authenticated channel, of course.

Change-Id: Idca688d8a8bb2e943aef3937f54d292b48f79fad
2021-12-13 23:51:43 +03:00
sterni
fe0e19ead4 feat(ops/whitby): install alacritty terminfo
alacritty is used by grfn atm.

Change-Id: I10dacd301044f9c37790e22e955cb068fcbd2cfc
2021-12-13 19:40:28 +00:00
Vincent Ambo
5f0a64273c fix(tazjin/emacs): Fix tdlib version check if max-version is set
This version interpolated in by Nix in the lines above instead of
being loaded from Elisp, as that would require starting telega inside
of that build (which is a bit messy because of async elisp).

Change-Id: I775844acb6928db76516f06188b19c713f765ab8
2021-12-13 19:54:49 +03:00
Vincent Ambo
2d33005597 feat(tazjin/emacs): Check telega/tdlib compatibility in depot CI
This keeps biting me at runtime whenever these are out of sync.

Change-Id: If523974e6ad2754ea19123eda0e5fda0a865f408
2021-12-13 18:53:54 +03:00
Vincent Ambo
0fbd6f0aeb fix(tazjin/emacs): Use telega from MELPA
The stable versions are too old to be compatible with nixpkgs-unstable

Change-Id: I8edb125024460f605ff640cd486779877fa0d256
2021-12-13 18:53:54 +03:00
Vincent Ambo
db117176f2 fix(passively): Load known terms on startup
Change-Id: Ia32f0a1c158255a098e7d4017bb585b5c4e3c657
2021-12-13 16:36:59 +03:00
Vincent Ambo
396e3a0d68 fix(tazjin/russian): Minor Elisp fixes
Change-Id: I759182ccb49d7a72ca8a031c829608c9eee70277
2021-12-13 16:36:19 +03:00
Vincent Ambo
53f8a04b33 feat(tazjin/tverskoy): Ensure ~/screenshots exists
Change-Id: Icae43b17a95c638429351273bb16111097c3e594
2021-12-13 16:24:37 +03:00
sterni
cdf7480662 feat(ops/whitby): add terminfos for other terminals used
* foot (me)
* kitty (lukegb)

Change-Id: I65303e39c4adb05e362792a544134fc2884175bf
2021-12-13 12:56:12 +00:00
Vincent Ambo
961443c23c feat(whitby): Add some more useful programs
I keep using these in nix-shell but really they should just be
installed.

Change-Id: Ic2c36bae8b582fef88029b288accdfd3c8bc0f1b
2021-12-13 15:48:41 +03:00
Vincent Ambo
3a410a78df feat(ops/secrets): Make (encrypted) secrets part of the tree
Currently in NixOS configuration using agenix secrets there is no
build time validation of secret paths - things fail at runtime (system
activation).

To prevent that, this CL makes the secrets part of the tree based on
the same configuration file used by agenix itself.

This guards against:

* agenix secrets.nix definition for a non-existent file
* age.secrets value in a NixOS config for a non-existent secret

Change-Id: I5b191dcbd5b2522566ff7c38f8a988bbf7679364
2021-12-12 11:19:24 +03:00
Vincent Ambo
8cbb42006a chore(ops/secrets): Reencrypt all secrets with sterni included
Change-Id: I14043c2bd9da43a6b7de65baf0ebb75eaf3c4e22
2021-12-11 18:51:36 +03:00
sterni
40096c2931 feat(ops/secrets): add keys for sterni
Change-Id: Idf13f7737dd51e74e87093e07cdf22ad24407944
2021-12-11 15:41:55 +00:00
Vincent Ambo
40888c9630 fix(tvl.el): Fix use of label command in refs
The l= is part of the command, not of the shape of commands, and the
previous command concatenation logic was wrong because of that.

Fix is done in the most obvious way: Make the l= part of the command.

Change-Id: Ia3c08c3da60fe5fc38f29a2d94adcd123e4f3052
2021-12-10 21:08:48 +00:00
Vincent Ambo
f9bd68e247 fix(ops/secrets): Fix missing file
... okay, this is like the 5th error related to something with this
and file paths. Need to write some validation logic.

Change-Id: I4314818aa1bc25b8cf7bd3593850d3836ccb867c
2021-12-10 23:53:50 +03:00
Vincent Ambo
aa5bf312e8 fix(tvl-buildkite): Use supported credential helper binary name
Git only allows binary names prefixed with `git-credential-` if the
path to the helper is not absolute.

Why? Who knows.

Change-Id: I216b2a621f62a73f05e21def7ec8016b29ede892
2021-12-10 23:37:57 +03:00
Vincent Ambo
2f1c654c14 refactor(ops): Move panettone secrets to agenix
Relates to b/161

Change-Id: I508e5a0eacab668f4bd39a2c888d894b96bed093
2021-12-10 23:19:56 +03:00
Vincent Ambo
2b9be81ea0 refactor(ops/pipelines): Use agenix-deployed besadii secrets
I *think* this is the final step for b/161

Change-Id: Ie7a2198a045f2f1866a245884ab0f5414e205327
2021-12-10 23:14:41 +03:00
Vincent Ambo
60f96d2b17 fix(whitby): Fix typo in buildkite-agents group name
... really would like some assertion helpers for this sort of stuff.

Change-Id: I32d1de18ebfbbdfa5128a8fbdad2efcc511f8514
2021-12-10 23:01:20 +03:00
Vincent Ambo
5baa9b6d87 refactor(tvl-buildkite): Prepare gerrit credentials helper
Currently this functionality is provided by a shell script stored in
/etc/secrets (which has the password value hardcoded).

This needs to happen in a separate commit from the one that changes
the pipeline to avoid breaking it (it needs to be deployed first).

Change-Id: I680754c828ccefbacfcf0d5c813a4bc19493ba4c
2021-12-10 19:52:39 +00:00
Vincent Ambo
2fe8d724d7 refactor(ops): Move Nix cache secret to agenix
... and also the public key, just to keep the distribution mechanism
the same.

Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
2021-12-10 19:48:26 +00:00
Vincent Ambo
82a885a750 refactor(ops): Use besadii configuration from agenix
We already checked this in, but this commit adds the configuration for
making use of it.

There are two copies of besadii's JSON configuration with different
permissions.

Note that the buildkite-graphql-token path needs to be updated in
static-pipeline.yml, but this needs to happen in a separate commit
after deploy because the pipeline will break otherwise.

Change-Id: I6fab4bf1a2e679df7cf76521e2b53bd9dadbac62
2021-12-10 19:31:36 +00:00
Vincent Ambo
b1108821a9 refactor(ops): Move grafana secret into agenix
Change-Id: Id141758135c796881e91d20b950dae74c40d9ab3
2021-12-10 19:31:36 +00:00
Vincent Ambo
1b94d2c0ba feat(tvl.el): Add autosubmit feature to magit-gerrit-rubberstamp
This makes this function a true rubberstamp again, leading to
rubberstamped CLs automatically being merged after CI passes.

This is similar to the initial functionality we had last year, where
this directly submitted changes, but with the addition of the CI
checks.

Change-Id: I946b074b968eb18a64c4edb0043f7a4af28759b4
2021-12-10 22:00:39 +03:00
Vincent Ambo
7cb9b204e9 feat(tvl.el): Add shortcut for push with Autosubmit+1
This almost makes for a sort of fire&forget button, except we don't
have a way to automatically pick reviewers yet :)

Change-Id: I6f446270f8aaf0409ccb6321bdbb5c349079cd19
2021-12-10 18:54:32 +00:00
Vincent Ambo
b2d46aed2b fix(tvl-buildkite): Add more missing programs to agent path
... this option really is a pitfall! The list of programs is now the
same as in the upstream module, plus curl and jq.

Change-Id: I29edae4b2400a2724f62df9efa1dc184a8b0af5f
2021-12-10 17:13:22 +00:00
Bartosz Stebel
f43324e141 fix(3p/apereo-cas): Mitigate CVE-2021-44228
Same approach as in cl/4270.

Change-Id: I3a5a3533ab97513a4b9d8cacc26d013b58441f93
2021-12-10 17:52:49 +01:00
Vincent Ambo
62450bb1c5 feat(depot): Add grfn and sterni to top-level owners
Change-Id: Id2012e3ec6db21ff724245095a99d36ff9d7ad71
2021-12-10 18:11:16 +03:00
Vincent Ambo
b8267c261c fix(ops/irccat): Avoid permissions issue with LoadCredentials=
The DynamicUser + Group configuration does not work as planned, thus
the systemd LoadCredentials feature is used instead which makes the
file (which itself is only readable by root) available in a
memory-backed location only readable by the service.

The secret is only available to `ExecStart` commands, so units using
this feature can not be used with pre/post units and the like if those
commands need secrets.

To accommodate this, the merge of configuration files has been moved
into the service launch script, which is now the ExecStart= process.

For details take a look at https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LoadCredential=ID:PATH

Change-Id: I693fe5677cc0d63c7aa485c2c7472457c5262166
2021-12-10 15:09:09 +00:00
Vincent Ambo
67bde5ecc3 fix(tvl-buildkite): Explicitly set runtimePackages
It turns out the lib.mkAfter call doesn't behave as expected -
only *some* of the packages that are defaulted end up in the $PATH.

I suspect this is actually something else, e.g. these packages are
always added for some reason or another, and the option is completely
overridden every time.

Change-Id: I854c7198520d82b00e6338ed0fe653836226dc6d
2021-12-10 15:06:08 +00:00
Vincent Ambo
2ba481451c chore(ops/secrets): Reencrypt with grfn's key included
Change-Id: I66df150ab5070a81a92f0741334639df9df1f86f
2021-12-10 17:52:08 +03:00
Griffin Smith
a85ab68b12 chore(ops/users): Rotate password for grfn
Just a regular password rotation, plus I wasn't using argon2 unlike
everyone else.

Change-Id: Ic57fe79a2dbfdc15397d20f6b2b47c6aac911d29
2021-12-10 09:45:17 -05:00
Griffin Smith
66a1d3d5d4 feat(ops/secrets): Add key for grfn
Change-Id: I8063ae804932e3815e9a499e0206806818b9b021
2021-12-10 09:44:34 -05:00
Vincent Ambo
2fc64dc277 fix(clbot): Use change *owner* and not *uploader*
In autosubmit cases that require rebases, the change *uploader* might
be clbot which would cause besadii to use clbot as the owner.

This is incorrect, but luckily the change-merged event has an actual
owner field instead.

Change-Id: Ia35b52085f94628e61eb358807b3b85565521b60
2021-12-10 13:50:14 +00:00
Vincent Ambo
bc3d35f3d0 fix(tvl-buildkite): Add missing runtimePackages back
Turns out that the type of this option is not concatenative and it
replaces the packages needed to run Buildkite if set.

Change-Id: I9f52572bc165bccdd8c6518cfdf7b8967f7a50d0
2021-12-10 13:14:11 +00:00
Vincent Ambo
d4403638cf refactor(ops): Move irccat secret into agenix
The irccat module uses DynamicUser, so to grant permission to it a new
group has been added for irccat.

I have some vague memory of DynamicUser + Group not behaving as one
would expect, but we'll see what happens.

Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
2021-12-10 16:13:31 +03:00
Vincent Ambo
002d183876 refactor(ops): Move clbot SSH key into agenix
Change-Id: Iae03ead7dda0509689a76f0d76f9cfeb8434e967
2021-12-10 16:13:31 +03:00