Age | Commit message (Collapse) | Author | Files | Lines |
|
This support reverse-DNS lookups.
I encountered a problem where I accidentally deleted my instance's
`nat_ip` (external, ephemeral IP). I needed to run...
```shell
terraform apply -replace=google_compute_instance.diogenes
```
...which invalidates terraform's local cache of the state. I believe this used
to be called `terraform taint`. Things are mostly WAI, with one known issue:
quasselcore and billandhiscomputer.com complain about missing SSL certs, but I
believe this is a race-condition. Calling...
```shell
systemctl restart quassel.service
```
...resolves the issue for quassel. Unfortunately the same doesn't work for
nginx.service, but after a bit of time https://billandhiscomputer.com "just
works". Clearly I'm not sure what's going on here. At least not yet...
Change-Id: I9f059655cb6e83d56618b77cfe4ed38283614ef6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4753
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
Add quassel to the nginx group because only user=acme and group=nginx can read
/var/lib/acme/*
Change-Id: If456b8ebf43ee098cd8007c3c6235c78c1071250
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4752
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
TL;DR:
- Mimmick depot's bin -> __dispatch.sh for personal utils
- Define deploy-diogenes to more tighten my feedback loop
Change-Id: I2b12a1c32a955574f5be5d4f38025bd97e9c7b77
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4751
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
source_tags means:
> the firewall will apply only to traffic with source IP that belongs to a tag
> listed in source tags.
This mechanism exists (presumably) for local networking between instances that I
manage. For ingress traffic, I'd like to open these ports to the wider
internet.
Change-Id: If0963c853f10f3c205581cce100671714a5f6a3a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4750
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
More DNS debugging tools
Change-Id: I5ac192a1f8811149ae3eb0133c7d06496753248b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4749
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
These are now available at https://billandhiscomputer.com. I still need to
update the website copy and transfer wpcarro.dev over from Google Domains. I
think I prefer billandhiscomputer (username bill, bill_and_his_computer,
bill-and-his-computer, the_real_bill), so I may deprecate wpcarro. We'll see...
Change-Id: Ia7831ee4813e2cf639047d22d59d302a50e06e66
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4748
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
TL;DR:
- Define googleCloudVM function to provision NixOS VMs on Google Cloud.
- Consume googleCloudVM in diogenes/default.nix
- Define README.md for basic usage instructions (subject to change).
- Delete diogenes's HCL
- Remove `diogenesSystem` from meta.targets
I'm still having trouble with DNS:
- I need to transfer the Google Domains config to Cloud DNS
- `host billandhiscomputer.com` is NXDOMAIN, so I don't trust my tf DNS config
- This is preventing me from getting SSL certs, which blocks my website, quassel
Change-Id: If315876c96298e83a5953f13b62784d2f65a1024
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4747
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
I wasn't sure if removing the email portion would be a schema error, but NixOS's
GCE image relies on the tripartite structure, and maybe other things do too.
Change-Id: I1b045fad974a7227d1980fff19c9d4f48ba58356
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4746
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
On non-NixOS configs, `git` has been complaining about missing `--global`
variables for `user` and `email`.
TODO(wpcarro): Support this in google-briefcase instead.
Change-Id: Iae29fe9aaa6c13295063137f241eeb5861d4b244
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4792
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
I rewrote my `README.md` most recently to show some managers what type
of side-projects I was working on. After successfully transfering to SRE
internally, I don't need the `README.md` to be a marketing document but
rather a tutorial for my future self. This change is a step in that
direction.
Change-Id: Ieaf0e72c8a33a163e6b6adefd76665ca675e8462
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4791
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
After receiving another computer from Google and attempting to "easily"
install my configuration, I realized that I had some holes. In reality
these could (and perhaps should) be easily tested using CI that attempts
to cleanly install my configuration on various platfoms (e.g. Debian,
NixOS), but I'm not interested in supporting something like that (at
least not at the moment).
For now, it suffices to nixify some of the lingering shell scripts with
implicit dependencies on tools like `stow`.
> Don't let perfect be the enemy of good?
Change-Id: Ifdeac2c855e46973e3a4ea416418109a748eb41d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4790
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
Adds a feature to emergency-stop deploys by simply running `touch
/var/lib/auto-deploy/stop`.
This can be useful in some situations, especially if there is a
process that reconciles service state (so that e.g. stopping the
unit's timer would be undone).
Change-Id: I233dfac365a578bfa4110eb605b50be079974ba4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4827
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: wpcarro <wpcarro@gmail.com>
|
|
The priority of binary caches is decided by the remotes in Nix (???),
and by default nix-serve (which is *very* slow) has a lower priority
than cache.nixos.org (which means that it will be preferred over the
faster cache for paths that exist on both).
To avoid this, override the hardcoded (????) priority by serving the
nix-cache-info response directly from nginx instead.
Change-Id: I15a2d6618386d16edaf69f1c9257a36bd72132d2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4823
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
|
|
This reverts commit 5e036ed9fc579d14353eb7da4af4b426c99f96e6.
Reason for revert: This introduced a logic error since the remaining
step runs at the wrong point in the pipeline. Temporarily reverting to
having duplicated waits in order to clean up later.
Change-Id: Ifa6ece50dd22924f02efd7b790a5863ca1189af7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4841
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
|
|
telega.el currently throws errors related to some broken internal
logic about media codecs, which breaks this check in CI.
Change-Id: I8518977dba801dec90b966c84771ff0f59dcbb3d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4824
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
We are going to have a 1:1 drop-in replacement for the old-style nix
tools, and this starts implementing the cli parser part.
The first step is to have a simple integration test suite that can
verify that we match the nix CLI.
clap is a super complicated parsing library, but looking through the
rest they are either too opinioated to be of use for us, or depend on
clap as implementation.
Change-Id: I4cf6051f3a4f782c3242fd0d2b9eab3fbe33d8ad
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4756
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: Profpatsch <mail@profpatsch.de>
|
|
First steps for baba
Change-Id: Id6a68c5630cb85f280f4dcc7b2acf10c02454fd6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4732
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
Change-Id: Id259341e251170c1caeeab5c9fcb6fbd973372f8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4816
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Change-Id: Ib2cbb2f531488e4e86d63e94b163864924c9189f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4783
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
The intent is to configure oauth2_proxy pointing at Keycloak to enable
usage with nginx auth_request directives.
I want to expose this as a function from within the module in which
nginx server configuration blocks can be wrapped, but the function for
that is currently a placeholder.
Change-Id: I5ed7deb9bf1c62818f516e68c33e8c5b632fccfe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4767
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
It looks like we won't need this for oauth2_proxy when combined with
nginx auth_request setups.
Change-Id: I2294aee6226b4f64a27bf6592c2d18092d0268cc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4766
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
|
|
A formatting error broke this at some point (the let clauses were
outside of the definition list).
Change-Id: Iaa2dc9ad02d2f7e909ca9bf28705e782ad26060b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4765
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
|
|
This is *way* faster, as advertised
Change-Id: Iad452dc3b3b768331d7de0421f768f82e9b76a60
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4785
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
|
|
Can no longer be null and has been renamed to security.acme.defaults.email:
https://github.com/nixos/nixpkgs/commit/377c6bcefce8e8ccd471892a1b24621d5a909457
Change-Id: Icac9506185da176365369ed3c7db3c71ffc90b1b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4784
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: sterni <sternenseemann@systemli.org>
|
|
Change-Id: Ie6882b17380388e20c8d1e9406279c96283b936f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4757
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
Turns the anchor derivation into something that can actually be
built (a call creating a propagated build inputs file), and builds it.
This should fix the anchoring logic we have on canon.
Change-Id: If6a7662b82e2e396388980f65e332cf67a45b46e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4763
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Without some kind of physical organisation it's a little difficult to
understand whether things are going "in" (supplying users to Keycloak)
or "out" (getting auth/user info from Keycloak).
Change-Id: I516501081e3448c81c710fcbc79cc68ad2a80f3b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4762
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
|
|
This now happens in //nix/buildkite instead
Change-Id: Ie9e239ee4f28ac34aa4d3279dac55d70a2cb9d86
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4764
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Change-Id: I56f6887e1fd35551cfc83ad08cafebb611f4a341
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4760
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: Profpatsch <mail@profpatsch.de>
Autosubmit: tazjin <mail@tazj.in>
|
|
Change-Id: I489e611a3fb19b4a374a563aa1afd81a130b2e7f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4759
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <mail@tazj.in>
|
|
Change-Id: I4a79204e50cf519dce729e5c86bc397b82715008
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4758
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Change-Id: Ieac5bb499a9c3281ed8b9de8cf4551e5eea6f2b7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4761
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
|
|
Change-Id: I13e95b91351af33c2452f1c4de45cc47aeae1dc0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4745
Tested-by: BuildkiteCI
Reviewed-by: zseri <zseri.devel@ytrizja.de>
|
|
Change-Id: I85b0066574b45490d61ed1edf29587689ba63c6d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4744
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Autosubmit: zseri <zseri.devel@ytrizja.de>
Tested-by: BuildkiteCI
|
|
Change-Id: Icf40fb125cc3fe9e1c70de2ac253d70349a213d2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4743
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
|
|
Also sort, first by rsvp, then by signed in, then by last check, then by
name
Change-Id: I15d2e4a5693290d9c1cfd09196982e7a6957a138
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4742
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
|
|
More beginner problems/solutions for CTF-style challenges.
Change-Id: Ide229e99e3ccc1ede5a5ca1c2ad039498e49ea4c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4740
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
|
|
Just getting my feet wet...
Change-Id: Ia1db0c69fe7d5ea5cb5585853d0688ef97f2680a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4739
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
|
|
I'm mimmicking the setup of diogenes-1 until I switch everything over to the
terraform-defined diogenes.
Change-Id: Ic9b54909696616b5f206bbf982ff556f053c424e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4738
Tested-by: BuildkiteCI
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
Supporting SSH turned-out to be a bit of a saga... Thank you @espes and @grfn
for the pointers.
Problem: When I originally setup my Google VM, I followed this tutorial,
https://nixos.wiki/wiki/Install_NixOS_on_GCE, so I ended-up installing
`nixos-20-03`: an older version of NixOS, (the newest version in `gsutils ls -l
gs://nixos-images`). Critically, I missed this important footnote:
> NOTE: Newer images (from 20.09 on) won't be available at the bucket above, and
> will instead need to be found at
> <nixpkgs/nixos/modules/virtualisation/gce-images.nix>.
It turns out that *newer* images include this script...
https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/fetch-instance-ssh-keys.bash
...which reads the key, "sshKeys", from the Google metadata server and copies
the value into /root/.ssh/authorized_keys.
To make matters a bit misleading, the NixOS script expects the key to be
"sshKeys", but Google deprecated that in favor of "ssh-keys" (hence why both
versions appear in this commit).
TL;DR:
- upgrading to a newer NixOS image
- adding an empty access_config block so Google will assign my VM an external IP
- removing oslogin (not necessary to do, and I may add it back later)
- adding my public SSH key as metadata
Change-Id: If624fe77afd47b31fa7be0a1dd4a55512317eef0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4737
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
|
|
For now:
- git confg
- picom: X compositor
- dunst: system notifications (not working for quassel)
I still need to port various configs and ensure I support both gLinux and NixOS
machines.
Change-Id: I31a635eaacac25ef6219e079fc968d2ece026a5f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4736
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
|
|
Title: distributed builds without single points-of-failure
Change-Id: I54275ea75d7e29269162f6158743d64d17f79915
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4550
Tested-by: BuildkiteCI
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Autosubmit: zseri <zseri.devel@ytrizja.de>
|
|
This client definition was previously nonsense. What happened is that
I accidentally imported the client as an OIDC client, which Keycloak
accepted because apparently those are the same entities on the API
level, and that ended up getting mangled into some broken hybrid shape
by Terraform.
This sets up the Buildkite provider again but with the correct
SAML configuration this time.
Change-Id: Id7ba318984d2fcc9e2ca91ed45ccbfd227278bbe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4731
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: tazjin <mail@tazj.in>
|
|
Change-Id: I5feb7187bd9aee45478aa5759e94df49e92565bf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4734
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Change-Id: I59087cd855953d0ebdcaaea2374788e9e015e1ea
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4733
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Produces more useful output and also makes for a good target for the
upcoming extraSteps logic.
Change-Id: Ifd389d433d9e27f97940a48999f4fba35646e37a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4727
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Extracts the logic for generating our Buildkite pipeline (which has
been copy&pasted and slightly modified in some places outside of
depot) into a generic //nix/buildkite library.
This should cause no change in functionality.
Change-Id: Iad3201713945de41279b39e4f1b847f697c179f7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4726
Autosubmit: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Change-Id: Id608fe66b203c1d08958c85be44506a86eec56d5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4730
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Autosubmit: tazjin <mail@tazj.in>
|
|
This is going to be enforced in CI very shortly (it already kind of
was, but not really).
Change-Id: I8569d030e31230f077371bd1644b75f048271a0e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4728
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: wpcarro <wpcarro@gmail.com>
|
|
https: //hackage.haskell.org/package/nix-diff-1.0.17/changelog
Change-Id: Ied02395151ec62619721ad5e78d0841fa87d1b3c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4729
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
|