Age | Commit message (Collapse) | Author | Files | Lines |
|
Instead of directly connecting to LDAP and attempting to bind
usernames/password, authenticate users through an OAuth2 flow to
Keycloak.
This has the advantage of reusing the same SSO we already have for
Gerrit, Buildkite, ...
However, much of panettone's functionality makes assumptions about
LDAP being used. As a result there are some warts introduced by
this (for now):
* Since LDAP DNs are used as primary keys for users, we have to
construct fake DNs based on LDAP usernames
It might be sensible to migrate this to the UUIDs used by Keycloak
eventually.
* LDAP is part of the serving path for issues (for fetching user
information), however panettone no longer has a way to fetch
arbitrary user information unless it is persisted in its database.
To work around this, we construct a "fake" user based only on its
DN (i.e. only the username is going to be "correct") and use that to
serve issues.
* Email notifications no longer work (panettone can not access email
addresses)
Some of these need to be worked around by persisting some of that
information in the panettone database instead, as we don't want to
give the service the ability to access arbitrary user information
anymore.
We can probably do this with the user settings feature that already
exists and populate it on launch, but as of this commit email and
displayName functionality is simply broken.
Change-Id: Id32bf5e09d67f0f1e883024c6e013eb342f03b05
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5772
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
|
|
Change-Id: Icc53b161b260632e50b7bdc4c908912fd377bb87
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5771
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
Upcoming changes to the authentication model may mean that user
objects do not have an email address attached.
Change-Id: I4fddb810f723c790d243f779714ca7f189a02aeb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5770
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
Change-Id: Idb4352e3bbf412df5569aa988a78c6438063f93a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5769
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
Buildkite can't handle more than one filter for the query; as of the
last commit it just returned an empty list.
I've verified with curl based on the request the previous attempt
constructed that this works as intended with only setting the commit.
Behaviour is probably undefined if there are two builds for the same
commit (i.e. a retry). Which one will you see? Who knows!
However, since the commit hash contains the Change-Id, we can't get a
situation where the build was for two different CLs at the same
commit. Gerrit wouldn't allow that.
Change-Id: I0dcd0ff44c28d3d15cba23461970bfc8483f4e48
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5768
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
I want to use this utility in a deploy script where the .drv is
nix-copy-closure-d to a remote host and realized there. Consequently it
doesn't make sense that the local deploy script depends on the
derivation's outputs which drvPath does by default.
This also came up when working on //nix/buildkite, although we didn't
end up using it there.
Change-Id: I952bbfd4d7e9de212569d5ee12182eb50d360f53
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5767
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
Change-Id: I77438201d8ed5237095b3d2e8a855dec3e58b641
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5766
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: I76d0a3ede7cc23a9a6e8db61ed7e9d91670f1699
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5765
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: Ib1f4f9591acab537607c9d9c9b123e9c711e331b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5764
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: If333f28dd0bec4eb965a6e3005ef5aca810c86f3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5763
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: I3a6caeeb06919b25a9c1200c8f286b0bd34916b2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5762
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: Ia829b4ffa2e7e37438f766d0ff98e504c0d856b4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5755
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Due to [nix#6579] the heuristic which allowed us to determine if a
symlink points to a directory is not reliable – if restrict-eval is
enabled it _will_ return wrong results. Until upstream resolves
this (and we backport the patch) it is probably best to not expose this
functionality at all.
[nix#6579]: https://github.com/NixOS/nix/issues/6579
Change-Id: Id847c794bb279be909c5426953c4fe13c2493343
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5761
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
Change-Id: I865335006a091986f8a98e4d5da7161a25e948d9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5754
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: I6568e3226a7ff0796cbf3748c0dab1530fb0fb6a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5753
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: I8efdf3dbfc5575f24c8e6996a7716d308f1446df
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5752
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
This became an "official" module and dropped the `pw-` prefix.
Relates to b/184
Change-Id: I963f83b55b83015b022ab1b8330ea710d2258631
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5751
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
This tests loading of the argon2 OpenLDAP module. Relates to b/184
Change-Id: I661af4ddc238ad02d082b3a0cede55af5ef13f1b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5750
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Tailscale is warning about this in `nix-build` via `trace`.
Change-Id: Ia44100f5a3cd12fbf9fd10dbf40bef10805aff12
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5749
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
See the comment or other CLs I've made in the past about earlyoom.
Change-Id: Ia4c0c61784aa3e76644de91a95e8b9fbdd743b54
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5748
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
This naughty RealTek wireless module crashes my machine. I'm also moving other
`boot`-prefixed options out of `hardware.nix` and into `default.nix`. In
general, I'm not *really* a fan of the distinction between the two files in the
first place.
Change-Id: Iabdc776afc78f00971f426c5931b7235c8c0ee20
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5747
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
For `M-x ssh-cd-home`
Change-Id: I8c16d9d0c420cb9feafcb466c4a416a04a4b1a26
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5746
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
For `M-x ssh-cd-home`
Change-Id: Iacb236793414b905071284e72d64e9dab3116319
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5745
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
Change-Id: Iae09dd79494d65e4025e1e34ab1d848ef2b9cd47
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5722
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
* //third_party/nix is no more
* //users/tazjin/blog was promoted to //web
* We merged in cgit-pink and might as well do a bit of advertising.
Change-Id: I70c26a687517c196970fd2e7cd1397e430f3201f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5721
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
These docs get stale pretty often. Maybe my installation should be similar
like...
```shell
$ # pseudocode
$ nix-build https://code.tvl.fyi/depot.tar -A users.wpcarro.baseSystem
```
...where that automates more toil 🤷
Change-Id: I548142d9dff284afeb233ecf23036655b7f7c2df
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5744
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
|
|
Named after the Mexican restaurant, El Tarasco, in El Porto, which I live 3m
walking distance from.
Change-Id: I2cd4b68eaa974ad6c8fec73e0566bc0b831c57a8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5743
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
|
|
I broke LVM (Logical Volume Manager - maybe?) when I did the following:
```shell
$ HOSTNAME=ava sudo rebuild-system
$ sudo reboot now
```
I had to rollback to the initial NixOS version and try again.
Change-Id: If90e5e23767392202425181be986f81deb5ddff7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5742
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
|
|
Thank you for your service
Change-Id: I2e13aa7c28f461e80bd7ffcbc13cbe79594e0aee
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5741
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
|
|
Change-Id: I3cf2d66fdc6c258ca9d3a502ce9eacc5926a8546
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5703
Autosubmit: grfn <grfn@gws.fyi>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
The patchsetSha is one of the things passed in to the `fetch()`
interface, and Buildkite's API (now?) supports filtering by the commit
hash in addition.
With this combination, we should not accidentally display builds for
the wrong patch set.
Change-Id: I6bb26dd7387f2dd00291990cadd38629ecda999b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5702
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
* //nix/buildLisp: disable CCL once again due to
The Mysterious Runtime Bug™.
* //users/tazjin/nixos: uninstall dmd which is broken in nixpkgs atm.
Change-Id: I8dd2220af48a7e087584b6f50529fb8477e6a2fb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5699
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
Not used by anything.
Change-Id: I31822e02ee34964c25952f7c0ee928a0de62aff7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5700
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
|
|
When Keycloak and oauth2_proxy are restarted simultaneously, the
latter might try to come up (repeatedly!) before Keycloak can serve it
properly.
This leads to systemd considering the unit failed.
Since this all happens in the span of a second or so, slightly
increase the restart delay of the service to ensure it comes back
after Keycloak is ready.
A "proper" fix might be to add a script that runs before the actual
service and waits for Keycloak, but I don't want to prioritise that
right now.
Change-Id: I4dadba686de60ffc103fe889ce19f05ca1d7d4fe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5695
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
This fixes an issue with object storage instances that don't have the
default credential, which is actually the case for one of ours.
Change-Id: I805b4957d85a0a5e91e7027cce30e5fd69d8fb69
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5694
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: tazjin <tazjin@tvl.su>
|
|
Change-Id: I57f174c66b06212cf6fbce26ec9097a83b24abd0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5693
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: Ic5b98a0777860b68dabb9a9b59e8c682236a71c7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4884
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
Change-Id: Ieb3b28d56ecd2819c3a7c08c22e33493d9e0be7f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5687
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Strange start to my Monday where I spent ~2h debugging my hanging
NixOS. Strangely I'm not sure I made any changes to my configuration to trigger
this, and I was finding this hard to reproduce:
- graphical X sessions hung (once when opening Chrome)
- TTYs hung (during `nix-build` and `rebuild-system`)
Per kn's recommendations whenever a system is hanging, see if it's reachable
over the network (e.g. SSH). Since I didn't have my laptop, I downloaded Termius
on my iPhone, which I used to mosh into ava, which is a surprisingly nice UX.
I suspect my machine (with only 8GB of RAM) was OOMing, but I'm not
certain. Thanks to grfn I installed `earlyoom`. For more commentary, check-out
Profpatsch's blog post about this: https://profpatsch.de/notes/preventing-oom
What went well:
- Thankfully I installed a Matrix client on my iPhone last week, which allowed
me to troubleshoot with the #tvl folks
AIs:
- I'd like some instrumentation like Prometheus, Loki (`journald`, `dmesg`), so
that I can accumulate troubleshooting information that isn't destroyed when I
reboot my machine (which I did 1/2-dozen times today).
- Consider adding `git` metadata to `system.nixos.label` to get more useful
information in a GRUB/EFI context.
More unknowns:
- Why can't I switch back to EFI (from GRUB) for my bootloader?
Change-Id: Ie2a5a15f5c0ead346d50e331fa2937f8f3453960
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5625
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
This is broken for (as of yet unclear reasons) with restricted
evaluation mode.
Change-Id: Idbc16e7e21dfb113995c045659fefe2c1a535741
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5691
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
|
|
Change-Id: I672ad0898b2ef6a11f8bc9233da0ded4a296fe0e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5686
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
Change-Id: I7b5304dda3040830fe90fc188b35da3fd95451a0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5682
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
|
|
Change-Id: Ia73db534634b11c6361e4e88a4d73a1512d969ca
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5685
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
|
|
Change-Id: I4baa94f65a16248023b5fb0e2dd305d6984566c8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5690
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: I83a404dc7dbaf5ca53659d03df4e4de461a9d046
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5688
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
|
|
Change-Id: I1e577400717833c3de75bfef38950565716580bb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5684
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
|
|
Change-Id: I7604ca29310d759b0ffee2ffb0048b6365a2894c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5683
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
|
|
Change-Id: I6adbe1d53581dddc4c7c3a44516fbed3a661daff
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5689
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: Idd0d09c47466f77cc04a628c95152d306af563d5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5680
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Change-Id: I1a81feca1bde663d1fbea1e2520f25f0bb57453c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5679
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|