Age | Commit message (Collapse) | Author | Files | Lines |
|
Change-Id: Ib2cbb2f531488e4e86d63e94b163864924c9189f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4783
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
The intent is to configure oauth2_proxy pointing at Keycloak to enable
usage with nginx auth_request directives.
I want to expose this as a function from within the module in which
nginx server configuration blocks can be wrapped, but the function for
that is currently a placeholder.
Change-Id: I5ed7deb9bf1c62818f516e68c33e8c5b632fccfe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4767
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
It looks like we won't need this for oauth2_proxy when combined with
nginx auth_request setups.
Change-Id: I2294aee6226b4f64a27bf6592c2d18092d0268cc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4766
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
|
|
A formatting error broke this at some point (the let clauses were
outside of the definition list).
Change-Id: Iaa2dc9ad02d2f7e909ca9bf28705e782ad26060b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4765
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
|
|
This is *way* faster, as advertised
Change-Id: Iad452dc3b3b768331d7de0421f768f82e9b76a60
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4785
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
|
|
Can no longer be null and has been renamed to security.acme.defaults.email:
https://github.com/nixos/nixpkgs/commit/377c6bcefce8e8ccd471892a1b24621d5a909457
Change-Id: Icac9506185da176365369ed3c7db3c71ffc90b1b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4784
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: sterni <sternenseemann@systemli.org>
|
|
Change-Id: Ie6882b17380388e20c8d1e9406279c96283b936f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4757
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
Turns the anchor derivation into something that can actually be
built (a call creating a propagated build inputs file), and builds it.
This should fix the anchoring logic we have on canon.
Change-Id: If6a7662b82e2e396388980f65e332cf67a45b46e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4763
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Without some kind of physical organisation it's a little difficult to
understand whether things are going "in" (supplying users to Keycloak)
or "out" (getting auth/user info from Keycloak).
Change-Id: I516501081e3448c81c710fcbc79cc68ad2a80f3b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4762
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
|
|
This now happens in //nix/buildkite instead
Change-Id: Ie9e239ee4f28ac34aa4d3279dac55d70a2cb9d86
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4764
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Change-Id: I56f6887e1fd35551cfc83ad08cafebb611f4a341
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4760
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: Profpatsch <mail@profpatsch.de>
Autosubmit: tazjin <mail@tazj.in>
|
|
Change-Id: I489e611a3fb19b4a374a563aa1afd81a130b2e7f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4759
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <mail@tazj.in>
|
|
Change-Id: I4a79204e50cf519dce729e5c86bc397b82715008
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4758
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Change-Id: Ieac5bb499a9c3281ed8b9de8cf4551e5eea6f2b7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4761
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
|
|
Change-Id: I13e95b91351af33c2452f1c4de45cc47aeae1dc0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4745
Tested-by: BuildkiteCI
Reviewed-by: zseri <zseri.devel@ytrizja.de>
|
|
Change-Id: I85b0066574b45490d61ed1edf29587689ba63c6d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4744
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Autosubmit: zseri <zseri.devel@ytrizja.de>
Tested-by: BuildkiteCI
|
|
Change-Id: Icf40fb125cc3fe9e1c70de2ac253d70349a213d2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4743
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
|
|
Also sort, first by rsvp, then by signed in, then by last check, then by
name
Change-Id: I15d2e4a5693290d9c1cfd09196982e7a6957a138
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4742
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
|
|
More beginner problems/solutions for CTF-style challenges.
Change-Id: Ide229e99e3ccc1ede5a5ca1c2ad039498e49ea4c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4740
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
|
|
Just getting my feet wet...
Change-Id: Ia1db0c69fe7d5ea5cb5585853d0688ef97f2680a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4739
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
|
|
I'm mimmicking the setup of diogenes-1 until I switch everything over to the
terraform-defined diogenes.
Change-Id: Ic9b54909696616b5f206bbf982ff556f053c424e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4738
Tested-by: BuildkiteCI
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
Supporting SSH turned-out to be a bit of a saga... Thank you @espes and @grfn
for the pointers.
Problem: When I originally setup my Google VM, I followed this tutorial,
https://nixos.wiki/wiki/Install_NixOS_on_GCE, so I ended-up installing
`nixos-20-03`: an older version of NixOS, (the newest version in `gsutils ls -l
gs://nixos-images`). Critically, I missed this important footnote:
> NOTE: Newer images (from 20.09 on) won't be available at the bucket above, and
> will instead need to be found at
> <nixpkgs/nixos/modules/virtualisation/gce-images.nix>.
It turns out that *newer* images include this script...
https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/fetch-instance-ssh-keys.bash
...which reads the key, "sshKeys", from the Google metadata server and copies
the value into /root/.ssh/authorized_keys.
To make matters a bit misleading, the NixOS script expects the key to be
"sshKeys", but Google deprecated that in favor of "ssh-keys" (hence why both
versions appear in this commit).
TL;DR:
- upgrading to a newer NixOS image
- adding an empty access_config block so Google will assign my VM an external IP
- removing oslogin (not necessary to do, and I may add it back later)
- adding my public SSH key as metadata
Change-Id: If624fe77afd47b31fa7be0a1dd4a55512317eef0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4737
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
For now:
- git confg
- picom: X compositor
- dunst: system notifications (not working for quassel)
I still need to port various configs and ensure I support both gLinux and NixOS
machines.
Change-Id: I31a635eaacac25ef6219e079fc968d2ece026a5f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4736
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
|
|
Title: distributed builds without single points-of-failure
Change-Id: I54275ea75d7e29269162f6158743d64d17f79915
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4550
Tested-by: BuildkiteCI
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Autosubmit: zseri <zseri.devel@ytrizja.de>
|
|
This client definition was previously nonsense. What happened is that
I accidentally imported the client as an OIDC client, which Keycloak
accepted because apparently those are the same entities on the API
level, and that ended up getting mangled into some broken hybrid shape
by Terraform.
This sets up the Buildkite provider again but with the correct
SAML configuration this time.
Change-Id: Id7ba318984d2fcc9e2ca91ed45ccbfd227278bbe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4731
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: tazjin <mail@tazj.in>
|
|
Change-Id: I5feb7187bd9aee45478aa5759e94df49e92565bf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4734
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Change-Id: I59087cd855953d0ebdcaaea2374788e9e015e1ea
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4733
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Produces more useful output and also makes for a good target for the
upcoming extraSteps logic.
Change-Id: Ifd389d433d9e27f97940a48999f4fba35646e37a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4727
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Extracts the logic for generating our Buildkite pipeline (which has
been copy&pasted and slightly modified in some places outside of
depot) into a generic //nix/buildkite library.
This should cause no change in functionality.
Change-Id: Iad3201713945de41279b39e4f1b847f697c179f7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4726
Autosubmit: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Change-Id: Id608fe66b203c1d08958c85be44506a86eec56d5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4730
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Autosubmit: tazjin <mail@tazj.in>
|
|
This is going to be enforced in CI very shortly (it already kind of
was, but not really).
Change-Id: I8569d030e31230f077371bd1644b75f048271a0e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4728
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: wpcarro <wpcarro@gmail.com>
|
|
https: //hackage.haskell.org/package/nix-diff-1.0.17/changelog
Change-Id: Ied02395151ec62619721ad5e78d0841fa87d1b3c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4729
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
|
|
use case: system-wide 'testing' usage of content-addressed derivations
Change-Id: I1f63ddf679da7d53ff0d8a851642dd081a70fe55
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4551
Tested-by: BuildkiteCI
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Reviewed-by: tazjin <mail@tazj.in>
Autosubmit: zseri <zseri.devel@ytrizja.de>
|
|
When I include "80" and "443" in the allowed TCP ports, the ports don't appear
to be open, but when I add the tags "http-server" and "https-server", which I
don't control, they do. I'm not sure what's going on, but I don't want to let
perfect be the enemy of good...
Change-Id: I46097a9d80708d14261b0af34c16ab1129aa8107
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4725
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
|
|
Some reference commands for my future self (blog post forthcoming?):
```shell
$ nix-shell -p google-cloud-sdk terraform
$ gcloud auth application-default login # stateful
$ terraform init
$ terraform apply
```
What's left for feature parity?
- Encode 100GB external disk as resource
- Encode firewall as resource
- Ensure marcus can SSH to instance
Stretch goals:
- Spin-up fully NixOS-configured instances
Change-Id: If156a5b0a2a0f8bfdf2548a4b5f592a77409fcb5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4724
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
|
|
TL;DR:
- copy rendered posts to $out/posts
- update postUrl attr
- remove unused attrs
Change-Id: I027c20d6244e4626128788ad9aa1f1aad7855f32
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4723
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
|
|
`substituteAll` supports templating with @variables@, which I think really
cleans things up.
Change-Id: Icfad15ac9e174495ba02260d817f7330f1616c6f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4722
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
|
|
Change-Id: I592c8f2f82cef8fe4509e90a8c48504a0c74d133
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4688
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: zseri <zseri.devel@ytrizja.de>
Tested-by: BuildkiteCI
|
|
These records were previously configured manually in the GleSYS web UI
during our DNS outage (b/155).
Note that I could not find a way to `terraform import` these records
and have instead recreated the set and then cleaned up in the UI.
Change-Id: If7de9a7e6dad20953ba8b610589a62dce400e87b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4716
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
|
|
These records were previously configured manually in the GleSYS web UI
during our DNS outage (b/155).
Note that I could not find a way to `terraform import` these records
and have instead recreated the set and then cleaned up in the UI.
Since we often point things at whitby, I have extracted variables for
its IPs in this change.
Change-Id: I09fda94d3734e8aaa278fa858e160d046740da1e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4714
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
|
|
These records were previously configured manually in the GleSYS web UI
during our DNS outage (b/155).
Note that I could not find a way to `terraform import` these records
and have instead recreated the set and then cleaned up in the UI.
Change-Id: I2b7e0ed0931f50e7fa49c1f6e3400dfe958def04
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4713
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
|
|
Change-Id: I07b6e70ec4026644733e58a2c5f2aa6696a038f3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4719
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
|
|
Remove remaining references to blog.wpcarro.dev
Change-Id: I364763459b195fc17753da4a7c5918ce5136e891
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4718
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
|
|
TL;DR:
- Create an index page to list blog posts
- Drop blog.wpcarro.dev -> wpcarro.dev/blog
- Create fragments directory to host reusable static website components
- Consume fragments in wpcarro.dev and wpcarro.dev/blog for brand consistency
Change-Id: Ib8440300c008c3c0c5e5a6f207e4ea207dd41b47
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4717
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
Change-Id: I278c586db7a8641a9e254f05075ee4e8bdf78d67
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4715
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
|
|
Adds the secrets and some instructions for deploying the GleSYS
Terraform infrastructure.
Change-Id: I1a10f9cee7648d406b3d27ef45fc74b6923cbc30
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4712
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
This was previously configured in the UI.
Change-Id: I68361b1489093b76736adab2e38ed7b474b10881
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4711
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
This was previously configured in the UI.
Change-Id: Ib15b8ecca96d7814dc85d62199865b22bdb63f95
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4710
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
This should never sit around locally the way it does now.
Change-Id: Icfbdaf1949d6d948a796a0759282ea6144af3621
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4709
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
This file can be sourced (somehow, depending on the user) while
working with //ops/keycloak to get the relevant secrets.
Change-Id: Ibb3051c4b019f64824964475451c1c3996db6421
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4708
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|