Diffstat (limited to 'ops/machines/whitby/default.nix')
-rw-r--r--ops/machines/whitby/default.nix183
1 files changed, 85 insertions, 98 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 940cfc910a..6a8ee56abc 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -12,14 +12,13 @@ in
     (mod "atward.nix")
     (mod "cgit.nix")
     (mod "clbot.nix")
-    (mod "gerrit-queue.nix")
+    (mod "gerrit-autosubmit.nix")
     (mod "irccat.nix")
     (mod "josh.nix")
     (mod "journaldriver.nix")
     (mod "known-hosts.nix")
+    (mod "livegrep.nix")
     (mod "monorepo-gerrit.nix")
-    (mod "nixery.nix")
-    (mod "oauth2_proxy.nix")
     (mod "owothia.nix")
     (mod "panettone.nix")
     (mod "paroxysm.nix")
@@ -37,17 +36,19 @@ in
     (mod "www/code.tvl.fyi.nix")
     (mod "www/cs.tvl.fyi.nix")
     (mod "www/deploys.tvl.fyi.nix")
-    (mod "www/images.tvl.fyi.nix")
-    (mod "www/nixery.dev.nix")
     (mod "www/self-redirect.nix")
+    (mod "www/signup.tvl.fyi.nix")
     (mod "www/static.tvl.fyi.nix")
     (mod "www/status.tvl.su.nix")
-    (mod "www/tazj.in.nix")
     (mod "www/todo.tvl.fyi.nix")
+    (mod "www/tvix.dev.nix")
     (mod "www/tvl.fyi.nix")
     (mod "www/tvl.su.nix")
     (mod "www/wigglydonke.rs.nix")
 
+    # experimental!
+    (mod "www/grep.tvl.fyi.nix")
+
     (depot.third_party.agenix.src + "/modules/age.nix")
   ];
 
@@ -57,7 +58,7 @@ in
   };
 
   boot = {
-    tmpOnTmpfs = true;
+    tmp.useTmpfs = true;
     kernelModules = [ "kvm-amd" ];
     supportedFilesystems = [ "zfs" ];
 
@@ -82,7 +83,7 @@ in
           authorizedKeys =
             depot.users.tazjin.keys.all
             ++ depot.users.lukegb.keys.all
-            ++ [ depot.users.grfn.keys.whitby ];
+            ++ [ depot.users.aspen.keys.whitby ];
 
           hostKeys = [
             /etc/secrets/initrd_host_ed25519_key
@@ -103,7 +104,6 @@ in
 
     loader.grub = {
       enable = true;
-      version = 2;
       efiSupport = true;
       efiInstallAsRemovable = true;
       device = "/dev/disk/by-id/nvme-SAMSUNG_MZQLB1T9HAJR-00007_S439NA0N201620";
@@ -184,24 +184,24 @@ in
 
   nix = {
     nrBuildUsers = 256;
-    maxJobs = lib.mkDefault 64;
-    extraOptions = ''
-      secret-key-files = /run/agenix/nix-cache-priv
-    '';
-
-    trustedUsers = [
-      "grfn"
-      "lukegb"
-      "tazjin"
-      "sterni"
-    ];
+    settings = {
+      max-jobs = lib.mkDefault 64;
+      secret-key-files = "/run/agenix/nix-cache-priv";
+
+      trusted-users = [
+        "aspen"
+        "lukegb"
+        "tazjin"
+        "sterni"
+      ];
+    };
 
     sshServe = {
       enable = true;
       keys = with depot.users;
         tazjin.keys.all
         ++ lukegb.keys.all
-        ++ [ grfn.keys.whitby ]
+        ++ [ aspen.keys.whitby ]
         ++ sterni.keys.all
       ;
     };
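Review bot: The new `settings.trusted-users` list carries no comment about what membership grants, and the migration into `settings` is a good moment to state it: a Nix trusted user may override `substituters`, `trusted-public-keys` and sandbox options on its own builds, so the entries here are effectively root-equivalent on the daemon and the list should be reviewed like the sudoers list. I would add above the list `# NOTE: trusted users can override substituters/trusted-public-keys and sandbox settings -- treat membership as root-equivalent.` The `secret-key-files` path now lives in a string rather than the old unquoted `extraOptions` text; that is fine, but it is also worth noting next to it that the key is provided by the `nix-cache-priv` agenix secret declared further down the file, so the two stay in sync if the secret is renamed.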
@@ -211,8 +211,10 @@ in
   programs.mosh.enable = true;
   services.openssh = {
     enable = true;
-    passwordAuthentication = false;
-    challengeResponseAuthentication = false;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+    };
   };
 
   # Configure secrets for services that need them.
@@ -222,12 +224,11 @@ in
     in
     {
       clbot.file = secretFile "clbot";
-      gerrit-queue.file = secretFile "gerrit-queue";
+      gerrit-autosubmit.file = secretFile "gerrit-autosubmit";
       grafana.file = secretFile "grafana";
       irccat.file = secretFile "irccat";
       keycloak-db.file = secretFile "keycloak-db";
       nix-cache-priv.file = secretFile "nix-cache-priv";
-      oauth2_proxy.file = secretFile "oauth2_proxy";
       owothia.file = secretFile "owothia";
       panettone.file = secretFile "panettone";
       smtprelay.file = secretFile "smtprelay";
@@ -344,7 +345,7 @@ in
   # Start the Gerrit->IRC bot
   services.depot.clbot = {
     enable = true;
-    channels = [ "#tvl" ];
+    channels = [ "#tvix-dev" "#tvl" ];
 
     # See //fun/clbot for details.
     flags = {
@@ -369,6 +370,9 @@ in
     # Run a SourceGraph code search instance
     sourcegraph.enable = true;
 
+    # Run a livegrep code search instance
+    livegrep.enable = true;
+
     # Run the Panettone issue tracker
     panettone = {
       enable = true;
@@ -409,9 +413,6 @@ in
     # Run atward, the search engine redirection thing.
     atward.enable = true;
 
-    # Run a Nixery instance
-    nixery.enable = true;
-
     # Run cgit & josh to serve git
     cgit = {
       enable = true;
@@ -431,15 +432,13 @@ in
     };
 
     # Run autosubmit bot for Gerrit
-    gerrit-queue.enable = true;
-
-    # Run oauth2_proxy for internal service auth
-    oauth2_proxy.enable = true;
+    gerrit-autosubmit.enable = true;
   };
 
   services.postgresql = {
     enable = true;
     enableTCPIP = true;
+    package = pkgs.postgresql_16;
 
     authentication = lib.mkForce ''
       local all all trust
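Review bot: `package = pkgs.postgresql_16;` changes the server major version, and NixOS does not migrate an existing data directory across majors: if the cluster on disk was initialised by an older release, the service will refuse to start until the data is dumped/restored or upgraded. The commit gives no hint of how that was handled, so a comment next to the line would save the next person a surprise on deploy, e.g. `# Major-version bump: an existing data dir must be migrated (pg_upgrade or dump/restore) before switching.` Presumably this was done out of band on the host; worth confirming. The `services.postgresql` block continues past the end of this hunk.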
@@ -455,9 +454,7 @@ in
 
     ensureUsers = [{
       name = "panettone";
-      ensurePermissions = {
-        "DATABASE panettone" = "ALL PRIVILEGES";
-      };
+      ensureDBOwnership = true;
     }];
   };
 
@@ -547,70 +544,52 @@ in
 
   services.grafana = {
     enable = true;
-    port = 4723; # "graf" on phone keyboard
-    domain = "status.tvl.su";
-    rootUrl = "https://status.tvl.su";
-    analytics.reporting.enable = false;
-    extraOptions =
-      let
-        options = {
-          auth = {
-            generic_oauth = {
-              enabled = true;
-              client_id = "grafana";
-              scopes = "openid profile email";
-              name = "TVL";
-              email_attribute_path = "mail";
-              login_attribute_path = "sub";
-              name_attribute_path = "displayName";
-              auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth";
-              token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token";
-              api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo";
-
-              # Give lukegb, grfn, tazjin "Admin" rights.
-              role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'";
-
-              # Allow creating new Grafana accounts from OAuth accounts.
-              allow_sign_up = true;
-            };
-
-            anonymous = {
-              enabled = true;
-              org_name = "The Virus Lounge";
-              org_role = "Viewer";
-            };
-
-            basic.enabled = false;
-            oauth_auto_login = true;
-            disable_login_form = true;
-          };
-        };
-        inherit (builtins) typeOf replaceStrings listToAttrs concatLists;
-        inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep;
-
-        # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED.
-        encodeName = raw: replaceStrings [ "." ] [ "_" ] (toUpper (concatStringsSep "_" raw));
-
-        # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "".
-        optionToString = value:
-          if (typeOf value) == "bool" then
-            if value then "true" else "false"
-          else builtins.toString value;
-
-        # Turn an nested options attrset into a flat listToAttrs-compatible list.
-        encodeOptions = prefix: inp: concatLists (mapAttrsToList
-          (name: value:
-            if (typeOf value) == "set"
-            then encodeOptions (prefix ++ [ name ]) value
-            else [ (nameValuePair (encodeName (prefix ++ [ name ])) (optionToString value)) ]
-          )
-          inp);
-      in
-      listToAttrs (encodeOptions [ ] options);
+
+    settings = {
+      server = {
+        http_port = 4723; # "graf" on phone keyboard
+        domain = "status.tvl.su";
+        root_url = "https://status.tvl.su";
+      };
+
+      analytics.reporting_enabled = false;
+
+      "auth.generic_oauth" = {
+        enabled = true;
+        client_id = "grafana";
+        scopes = "openid profile email";
+        name = "TVL";
+        email_attribute_path = "mail";
+        login_attribute_path = "sub";
+        name_attribute_path = "displayName";
+        auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth";
+        token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token";
+        api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo";
+
+        # Give lukegb, aspen, tazjin "Admin" rights.
+        role_attribute_path = "((sub == 'lukegb' || sub == 'aspen' || sub == 'tazjin') && 'Admin') || 'Editor'";
+
+        # Allow creating new Grafana accounts from OAuth accounts.
+        allow_sign_up = true;
+      };
+
+      "auth.anonymous" = {
+        enabled = true;
+        org_name = "The Virus Lounge";
+        org_role = "Viewer";
+      };
+
+      "auth.basic".enabled = false;
+
+      auth = {
+        oauth_auto_login = true;
+        disable_login_form = true;
+      };
+    };
 
     provision = {
       enable = true;
-      datasources = [{
+      datasources.settings.datasources = [{
         name = "Prometheus";
         type = "prometheus";
         url = "http://localhost:9090";
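Review bot: The rewritten `"auth.generic_oauth"` block keeps `allow_sign_up = true` together with a `role_attribute_path` whose fallback branch is `'Editor'`, so every account that can authenticate at auth.tvl.fyi is auto-provisioned as an Editor, while `"auth.anonymous"` separately grants Viewer to everyone. That policy is now expressed only in the expression string, and the comment above it mentions just the Admin case; I would extend it to `# Give lukegb, aspen, tazjin "Admin" rights; every other account that can log in via Keycloak is auto-created as "Editor".` A short comment over `settings` saying that attribute names map to grafana.ini sections (`"auth.generic_oauth"` → `[auth.generic_oauth]`) would also replace the explanation the removed hand-rolled encoder used to carry. The `provision.datasources.settings.datasources` list continues past the end of this hunk.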
@@ -623,9 +602,9 @@ in
 
   services.keycloak = {
     enable = true;
-    httpPort = "5925"; # "kycl"
 
     settings = {
+      http-port = 5925; # kycl
       hostname = "auth.tvl.fyi";
       http-relative-path = "/auth";
       proxy = "edge";
@@ -638,6 +617,12 @@ in
     };
   };
 
+  # Join TVL Tailscale network at net.tvl.fyi
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "server"; # for exit-node usage
+  };
+
   # Allow Keycloak access to the LDAP module by forcing in the JVM
   # configuration
   systemd.services.keycloak.environment.PREPEND_JAVA_OPTS =
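Review bot: `useRoutingFeatures = "server"` does more than the comment suggests: the NixOS tailscale module uses this setting to enable kernel IP forwarding, which applies host-wide, not only to the tailscale interface, on a machine that also serves public HTTP. The comment should say so, e.g. `# "server" also turns on net.ipv4/ipv6 forwarding for the whole host; forwarding is needed for exit-node / subnet-router use.` Whether the host firewall constrains the resulting forwarded traffic is not visible in this file; presumably the default FORWARD handling is relied upon, so it is worth confirming against the firewall configuration.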
@@ -661,5 +646,7 @@ in
     };
   };
 
+  zramSwap.enable = true;
+
   system.stateVersion = "20.03";
 }