| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Similar to the castore-go CL before, this also updates the store-go
bindings to the new layout.
Change-Id: Id73d7ad43f7d70171ab021728e303300c5db71f0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9788
Tested-by: BuildkiteCI
Reviewed-by: Connor Brewster <cbrewster@hey.com>
|
|
Have `tvix/castore/protos` only contain the protos, no go noise.
Make the `.pb.go` file generation a pure Nix build
at `//tvix/castore/protos:go-bindings`, and have a script at
`//tvix:castore-go-generate` (TBD) that copies the results to
`tvix/castore-go`.
`//tvix:castore-go`, with sources in `tvix/castore-go` now contains the
tooling around the generated bindings, and the generated bindings
themselves (So go mod replace workflows still work).
An additional CI step is added from there to ensure idempotenty of
the .pb.go files.
The code.tvl.fyi webserver config is updated to the new source code
path. I'm still unsure if we want to also update the go.mod name. While
being a backwards-incompatible change, it'll probbaly make it easier
where to find these files, and the amount of external consumers is still
low enough.
Part of b/323.
Change-Id: I2edadd118c22ec08e57c693f6cc2ef3261c62489
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9787
Reviewed-by: Connor Brewster <cbrewster@hey.com>
Tested-by: BuildkiteCI
|
|
It looks like josh is only listening on v4 currently:
https://github.com/josh-project/josh/blob/1586eab06284ce668779c87f00a1fb5fa9763be0/josh-proxy/src/bin/josh-proxy.rs#L1429
Also, the remote URL to push to is (or became) https://cl.tvl.fyi/a, not
just https://cl.tvl.fyi/, update it
Change-Id: Ic59bc51c28be913d833186c715e9a9eb960bbd6e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9591
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
|
|
Change-Id: I9d8f444ed625502cfaeea83e0b330f52dac24118
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9589
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
|
|
This points a reverse proxy at a manually run, highly experimental
container. The actual setup is not yet nixified.
Change-Id: I8e1d5ec94a3f1e9b4b0bfc7ffd2a9badf4e79291
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9577
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
|
|
I don't even know what this is/was.
Change-Id: I743efa88258bbc13b7a3d4b8de8df222325b00ed
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9553
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
This was missing in cl/9370.
Change-Id: I02048b0e65d1192e9e300160bb8f78fe30a70da1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9405
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: Connor Brewster <cbrewster@hey.com>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
This splits the pure content-addressed layers from tvix-store into a
`castore` crate, and only leaves PathInfo related things, as well as the
CLI entrypoint in the tvix-store crate.
Notable changes:
- `fixtures` and `utils` had to be moved out of the `test` cfg, so they
can be imported from tvix-store.
- Some ad-hoc fixtures in the test were moved to proper fixtures in the
same step.
- The protos are now created by a (more static) recipe in the protos/
directory.
The (now two) golang targets are commented out, as it's not possible to
update them properly in the same CL. This will be done by a followup CL
once this is merged (and whitby deployed)
Bug: https://b.tvl.fyi/issues/301
Change-Id: I8d675d4bf1fb697eb7d479747c1b1e3635718107
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9370
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Reviewed-by: Connor Brewster <cbrewster@hey.com>
|
|
There's a go.mod in in tvix/store/protos, which sets the module path to
code.tvl.fyi/tvix/store/protos.
While this path makes kinda sense, it's currently not possible to `go
get` it from that location, as we serve the cgit interface from there.
Fortunately, `go get` has a mechanism to determine clone URLs for a
given go module path, as documented in https://go.dev/ref/mod#vcs-find.
We simply need to serve a small HTML file at that path, describing the
proper clone URL.
This points the clone URL for code.tvl.fyi/tvix/store/protos to a josh-
provided subtree of just :/tvix/store/protos, which will contain the
root go.mod file.
We need another layer of indirection as nginx can't have an `alias`
directive inside a conditional block (but can have a redirect).
Contrary to https://b.tvl.fyi/issues/299#comment-464, it seems to work
for our usecase. It might become a problem if we actually serve `go.mod`
files in a nested fashion at some point, but let's look at that once we
get there.
Fixes b/299.
Change-Id: Idcad795105af5d57e6d06de6e232881dccf9110b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9290
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Reviewed-by: adisbladis <adisbladis@gmail.com>
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
I verified on whitby that the password hashes generated by
//web/pwcrypt are compatible with our OpenLDAP, so it's time to make
this thing public.
Change-Id: Icc2f095ca7ce4acff6de91a1642dea6461177423
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9266
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
|
|
I *want* search engines to index our CLs, they might be useful!
Change-Id: I956d92c80d812e1aefefb6daeba77a1588055b94
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8361
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
|
|
Change-Id: I198ea197867f9b9a48e51665d0665f722202e02e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8299
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Keycloak seems to have decided today that it will now send headers
that are larger than what the nginx default configuration can handle.
The numbers are a mix of made up and taken from random nginx voodoo
posts on the internet, so they're as good a guess as anyone's.
Change-Id: If037bcba48eee371cc96304b150276c669930c75
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7992
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
|
|
This landing page explains how to use the public-inbox.
Change-Id: I37d74decad5173ab35051970593f1d28001af2b4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7645
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
|
|
Initial setup which does not yet include fetching mails at all, this
is for now only going to display a manually populated view of the
existing mailing list while the rest of this stuff is set up.
Change-Id: Ie1235bd257c9056fe37d0740dfca771ebdd880eb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7628
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
|
|
This is a follow up to cl/7191 which neglected to adjust the
status.tvl.su.nix module and re-enable it.
Change-Id: Icc1917004cd50e5eab61a29bc68b393ba9bd6325
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7226
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
|
|
Change-Id: I714b12f996d7dbe705f1f553d449f2dbc4910b1e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6848
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: I534cf918fc3e03ce8c14cf15f6d3280b6a657c8d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6536
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
otherwise posting this to reddit's /r/russian is not possible, as they
ban all links to Russian-affiliated sites
Change-Id: I8d23f0961ec7ef097fc2dbdd0aaa178861a19c10
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5992
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
at some point in the far past, there was an RSS feed at `/en/rss.xml`.
It seems to still get a single hit or so every hour, which currently
404s.
Change-Id: Ieb13c2c0232861a50a54bc2a4087d9ccb21185cf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5962
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: I6179f785bb6bd6168a2a11836b90da5ee93adc69
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5953
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
|
|
This doesn't seem to be needed anymore.
Change-Id: Id8d4192840e8ab10adb652abc9bd6540009a3dcf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5319
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
|
|
As suggested by sterni, this makes the self-redirect of a machine to
its configuration a generic module working by convention.
In the process of moving this two small fixes have been applied:
* redirect is only applied if the URI is `/`, this is required for
ACME to work
* addSSL = true is added, otherwise we have a certificate but no TLS
listener
Change-Id: Icaef041ff681253a61e36926417bdb2844e3f93d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5313
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
|
|
With this change, entering just "whitby.tvl.fyi" or "sanduny.tvl.su"
in a browser will redirect users to their machine configurations.
Change-Id: Ibf076a469bcce073e1b1970aa568d6fe16a5c75a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5304
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
|
|
This needs to be present on all machines that run ACME stuff.
I've switched the address for a .su one because I have a catchall for
these.
Change-Id: I7af8e1f1cb2fcfbcba4b7d1930ed0edef0106d72
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5306
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
cgit has its own module now
Change-Id: I9b4cc322374517b8bd3db43345831e2bf43c4bb1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5295
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Since our blog index is on the index page, this makes slightly more
sense.
Change-Id: I7b8164490c133e23d892abef21275f8bfed50b66
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5123
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
|
|
This was already happening without the trailing slash, but needs to
happen separately with it.
Fixes: b/172
Change-Id: Ic3423fd7a2eaf76a073badd80965cee953df4ce9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5121
Tested-by: BuildkiteCI
Autosubmit: grfn <grfn@gws.fyi>
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
This means it will end up in journaldriver.
Change-Id: I66f781085b5dac9946b3b9a2bf30e447863e1213
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5122
Reviewed-by: lukegb <lukegb@tvl.fyi>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
|
|
The priority of binary caches is decided by the remotes in Nix (???),
and by default nix-serve (which is *very* slow) has a lower priority
than cache.nixos.org (which means that it will be preferred over the
faster cache for paths that exist on both).
To avoid this, override the hardcoded (????) priority by serving the
nix-cache-info response directly from nginx instead.
Change-Id: I15a2d6618386d16edaf69f1c9257a36bd72132d2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4823
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
|
|
It looks like we won't need this for oauth2_proxy when combined with
nginx auth_request setups.
Change-Id: I2294aee6226b4f64a27bf6592c2d18092d0268cc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4766
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
|
|
Trialing this as an alternative to CAS that is a little easier to
configure and can help us delegate authentication to other OIDC
services.
Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
|
|
... and also the public key, just to keep the distribution mechanism
the same.
Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
|
|
The blog index page is at the root and people may manually edit the
URL.
Change-Id: I6cdaaaee6223524a9e950584379cfac34f8be160
|
|
Change-Id: I4d1f9284ec004931c07c04d614b01f28eedea508
|
|
The setup is explained in the comment, but TL;DR: Use the derivation
hash of static files to create permanent URLs.
Relates to b/151.
Change-Id: Ib1ca3a1a00c90a47f4bf39c29a8b4bbf5b215e7d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3664
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
Change-Id: I21e1ddf9a32568cac8ad2595869ac8670867efa9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3658
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
|
|
This lets each service declare their backup paths together with the
configuration for the service, which is a lot more sensible than what
we had before.
Fixes b/147
Change-Id: If76fe62639f4cc0e6fbb63a2959d584479d8f0fb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3583
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Previously we served the dumb git HTTP protocol from code.tvl.fyi via
cgit. This CL disables this feature and instead runs josh in the same
location (by redirecting appropriately), but while also enabling
partial cloning of all subtrees of the depot.
For example, after this CL the following would result in an
independent clone of //nix/readTree:
git clone https://code.tvl.fyi/depot.git:/nix/readTree.git
Note that there are no josh workspaces configured at all for now,
these references are only for static depot subpaths.
Please refer to the documentation for josh for more information on
available kinds of josh filters.
Josh state is kept in a systemd state directory in /var/lib/josh and
backed up to Restic. Backing this up is necessary, as josh uses
stateful information to do things like tracking merges and rewriting
history per subtree appropriately to avoid cloned repositories ending
up in peculiar states.
Change-Id: I156f0298c2aa42e3bdbf5a0e86109070d640c56e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3563
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
|
|
... this was missing before.
Change-Id: I5b79cb78665f24fdb7cc6496e3782d3940dc77b6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3527
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Add a new domain and nginx virtual host at deploys.tvl.fyi, serving out
of a static directory on whitby which is created by systemd-tmpfiles.
This will be used to serve diffs rendered by nix-diff for
pending deploys for whitby
Since this contains stateful data, it is added to the restic backups
on whitby.
Refs: b/110
Change-Id: I5869d40800bbf5fb8fb39878a857f66ff5787830
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3144
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
|
|
Adds a new module for the nixery.dev domain and serves it from whitby.
Note that the DNS records do *not* point to whitby yet, so deploying
this will lead to a failed TLS provisioning unit - but this is
intentional.
Change-Id: I911f67a0aa24f8df3cb52d2cfc49a8b6132cf718
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3383
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Change-Id: I39f979c68e7b74f6da6a7da0f07aaa470886d451
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3346
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
This fix is essentially the same as the one in cl/1263.
Change-Id: I27be280a610914fcfbb6d7fee7aebaa56b993812
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3158
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
|
|
This doesn't replace all of them in the repo, but at least the ones
that are relevant to our move.
Change-Id: I842e7594b4c16af30d880272417874f6b29afd22
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3134
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: grfn <grfn@gws.fyi>
|
|
The following commit itends to bind on port 8443 on all interfaces,
so let's move this to something else.
Change-Id: Ibb94a0f4e6892b6e543b542b89bcdaaefb617f23
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3126
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
|
|
Change-Id: I5ee7307acae548cc7779fe715ea4aad620fe8f5c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3096
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Change-Id: I20dfb057f8184899226bcb4527010a6982d426f0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3094
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
.. this is actually likely not disabling it for some pages, that will
need this to be copy & pasted, but it's hard to tell just from the
nginx docs. We'll make sure after deploying.
Change-Id: I2fa6e31ca10835a206673b858594fa071e729d82
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3020
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
|
|
Enables a Grafana service pointing to whitby's local Prometheus
instance, accessible at status.tvl.su.
I've no idea how to configure Grafana and if it's possible to link it
to CAS, but we'll see about that later.
Notes:
* the explicit fixpoint for whitby config has been removed as we
have the `config` parameter available now
* backups are enabled for the Grafana storage location
Change-Id: If5ffe0c1a3378d1c88529129487c643642705fd2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2948
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
