path: root/ops/modules/www
Age | Commit message | Author | Files | Lines
2023-09-10 | r/6575 feat(ops/modules/code.tvl.fyi): fix go get for tvix store protos | Florian Klink | 1 | -1/+11
There's a go.mod in tvix/store/protos, which sets the module path to code.tvl.fyi/tvix/store/protos. While this path makes kinda sense, it's currently not possible to `go get` it from that location, as we serve the cgit interface from there. Fortunately, `go get` has a mechanism to determine clone URLs for a given go module path, as documented in https://go.dev/ref/mod#vcs-find. We simply need to serve a small HTML file at that path, describing the proper clone URL. This points the clone URL for code.tvl.fyi/tvix/store/protos to a josh-provided subtree of just :/tvix/store/protos, which will contain the root go.mod file. We need another layer of indirection as nginx can't have an `alias` directive inside a conditional block (but can have a redirect). Contrary to https://b.tvl.fyi/issues/299#comment-464, it seems to work for our use case. It might become a problem if we actually serve `go.mod` files in a nested fashion at some point, but let's look at that once we get there. Fixes b/299. Change-Id: Idcad795105af5d57e6d06de6e232881dccf9110b Reviewed-on: https://cl.tvl.fyi/c/depot/+/9290 Autosubmit: flokli <flokli@flokli.de> Tested-by: BuildkiteCI Reviewed-by: adisbladis <adisbladis@gmail.com> Reviewed-by: tazjin <tazjin@tvl.su>
2023-09-05 | r/6552 feat(ops/modules): deploy //web/pwcrypt to signup.tvl.fyi | Vincent Ambo | 1 | -0/+19
I verified on whitby that the password hashes generated by //web/pwcrypt are compatible with our OpenLDAP, so it's time to make this thing public. Change-Id: Icc2f095ca7ce4acff6de91a1642dea6461177423 Reviewed-on: https://cl.tvl.fyi/c/depot/+/9266 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de> Autosubmit: tazjin <tazjin@tvl.su>
2023-03-29 | r/6054 fix(ops/www): allow all indexing on cl.tvl.fyi | Vincent Ambo | 1 | -0/+4
I *want* search engines to index our CLs, they might be useful! Change-Id: I956d92c80d812e1aefefb6daeba77a1588055b94 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8361 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: flokli <flokli@flokli.de>
2023-03-14 | r/6005 feat(ops): serve Tvix website & docs on (docs.)tvix.dev | Vincent Ambo | 1 | -0/+39
Change-Id: I198ea197867f9b9a48e51665d0665f722202e02e Reviewed-on: https://cl.tvl.fyi/c/depot/+/8299 Reviewed-by: flokli <flokli@flokli.de> Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-02-01 | r/5798 fix(ops/www): increase buffer memory size for auth.tvl.fyi | Vincent Ambo | 1 | -0/+4
Keycloak seems to have decided today that it will now send headers that are larger than what the nginx default configuration can handle. The numbers are a mix of made up and taken from random nginx voodoo posts on the internet, so they're as good a guess as anyone's. Change-Id: If037bcba48eee371cc96304b150276c669930c75 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7992 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de> Autosubmit: tazjin <tazjin@tvl.su>
2022-12-28 | r/5515 feat(web/inbox): add landing page for inbox.tvl.su | Vincent Ambo | 1 | -2/+9
This landing page explains how to use the public-inbox. Change-Id: I37d74decad5173ab35051970593f1d28001af2b4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7645 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de>
2022-12-27 | r/5503 feat(ops/modules): set up public-inbox at inbox.tvl.su | Vincent Ambo | 1 | -0/+24
Initial setup which does not yet include fetching mails at all, this is for now only going to display a manually populated view of the existing mailing list while the rest of this stuff is set up. Change-Id: Ie1235bd257c9056fe37d0740dfca771ebdd880eb Reviewed-on: https://cl.tvl.fyi/c/depot/+/7628 Reviewed-by: flokli <flokli@flokli.de> Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI
2022-11-07 | r/5260 fix(ops/machines/whitby): serve grafana at status.tvl.su again | sterni | 1 | -1/+1
This is a follow up to cl/7191 which neglected to adjust the status.tvl.su.nix module and re-enable it. Change-Id: Icc1917004cd50e5eab61a29bc68b393ba9bd6325 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7226 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: grfn <grfn@gws.fyi>
2022-10-03 | r/5025 fix(ops/www): fix port templating for keycloak | Vincent Ambo | 1 | -1/+1
Change-Id: I714b12f996d7dbe705f1f553d449f2dbc4910b1e Reviewed-on: https://cl.tvl.fyi/c/depot/+/6848 Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-09-13 | r/4829 feat(ops/modules): deploy tvixbolt to tvixbolt.tvl.su | Vincent Ambo | 1 | -0/+19
Change-Id: I534cf918fc3e03ce8c14cf15f6d3280b6a657c8d Reviewed-on: https://cl.tvl.fyi/c/depot/+/6536 Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-07-28 | r/4337 feat(ops/www): add predlozhnik redirect on tazj.in | Vincent Ambo | 1 | -0/+4
otherwise posting this to reddit's /r/russian is not possible, as they ban all links to Russian-affiliated sites Change-Id: I8d23f0961ec7ef097fc2dbdd0aaa178861a19c10 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5992 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-07-19 | r/4306 fix(ops/www): redirect very old tazj.in feed URLs correctly | Vincent Ambo | 1 | -0/+4
at some point in the far past, there was an RSS feed at `/en/rss.xml`. It seems to still get a single hit or so every hour, which currently 404s. Change-Id: Ieb13c2c0232861a50a54bc2a4087d9ccb21185cf Reviewed-on: https://cl.tvl.fyi/c/depot/+/5962 Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-07-18 | r/4305 fix(ops/www): issue certificate for 'www.tazj.in' | Vincent Ambo | 1 | -0/+1
Change-Id: I6179f785bb6bd6168a2a11836b90da5ee93adc69 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5953 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: tazjin <tazjin@tvl.su>
2022-02-20 | r/3859 chore(ops/modules): Remove fix-nginx timer unit | Vincent Ambo | 1 | -22/+0
This doesn't seem to be needed anymore. Change-Id: Id8d4192840e8ab10adb652abc9bd6540009a3dcf Reviewed-on: https://cl.tvl.fyi/c/depot/+/5319 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de> Autosubmit: tazjin <tazjin@tvl.su>
2022-02-18 | r/3849 fix(ops/modules/www): Make self-redirect to config a generic module | Vincent Ambo | 3 | -33/+27
As suggested by sterni, this makes the self-redirect of a machine to its configuration a generic module working by convention. In the process of moving this two small fixes have been applied:
* redirect is only applied if the URI is `/`, this is required for ACME to work
* addSSL = true is added, otherwise we have a certificate but no TLS listener
Change-Id: Icaef041ff681253a61e36926417bdb2844e3f93d Reviewed-on: https://cl.tvl.fyi/c/depot/+/5313 Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI
2022-02-18 | r/3843 feat(ops/modules): Redirect machine base names to their config | Vincent Ambo | 2 | -0/+33
With this change, entering just "whitby.tvl.fyi" or "sanduny.tvl.su" in a browser will redirect users to their machine configurations. Change-Id: Ibf076a469bcce073e1b1970aa568d6fe16a5c75a Reviewed-on: https://cl.tvl.fyi/c/depot/+/5304 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: tazjin <tazjin@tvl.su>
2022-02-18 | r/3842 refactor(ops/modules): Move ACME base configuration into base.nix | Vincent Ambo | 1 | -0/+5
This needs to be present on all machines that run ACME stuff. I've switched the address for a .su one because I have a catchall for these. Change-Id: I7af8e1f1cb2fcfbcba4b7d1930ed0edef0106d72 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5306 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-16 | r/3837 refactor(ops/modules): Rename git-serving -> josh | Vincent Ambo | 1 | -1/+1
cgit has its own module now Change-Id: I9b4cc322374517b8bd3db43345831e2bf43c4bb1 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5295 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-29 | r/3713 fix(www/tvl.fyi): Anchor /blog redirects at #blog | Vincent Ambo | 1 | -2/+2
Since our blog index is on the index page, this makes slightly more sense. Change-Id: I7b8164490c133e23d892abef21275f8bfed50b66 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5123 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-01-29 | r/3712 fix(tvl.fyi): Redirect /blog/ (with trailing /) to / | Griffin Smith | 1 | -0/+4
This was already happening without the trailing slash, but needs to happen separately with it. Fixes: b/172 Change-Id: Ic3423fd7a2eaf76a073badd80965cee953df4ce9 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5121 Tested-by: BuildkiteCI Autosubmit: grfn <grfn@gws.fyi> Reviewed-by: tazjin <tazjin@tvl.su>
2022-01-29 | r/3711 feat(ops/www): Write JSON access log to journald | Vincent Ambo | 1 | -0/+18
This means it will end up in journaldriver. Change-Id: I66f781085b5dac9946b3b9a2bf30e447863e1213 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5122 Reviewed-by: lukegb <lukegb@tvl.fyi> Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su>
2022-01-07 | r/3525 chore(cache.tvl.su): Raise cache priority to 50 | Vincent Ambo | 1 | -0/+5
The priority of binary caches is decided by the remotes in Nix (???), and by default nix-serve (which is *very* slow) has a lower priority than cache.nixos.org (which means that it will be preferred over the faster cache for paths that exist on both). To avoid this, override the hardcoded (????) priority by serving the nix-cache-info response directly from nginx instead. Change-Id: I15a2d6618386d16edaf69f1c9257a36bd72132d2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4823 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: grfn <grfn@gws.fyi>
2022-01-04 | r/3517 chore(ops): Remove login.tvl.fyi module | Vincent Ambo | 1 | -24/+0
It looks like we won't need this for oauth2_proxy when combined with nginx auth_request setups. Change-Id: I2294aee6226b4f64a27bf6592c2d18092d0268cc Reviewed-on: https://cl.tvl.fyi/c/depot/+/4766 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: grfn <grfn@gws.fyi>
2021-12-25 | r/3401 feat(whitby): Configure initial Keycloak setup | Vincent Ambo | 1 | -0/+24
Trialing this as an alternative to CAS that is a little easier to configure and can help us delegate authentication to other OIDC services. Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-12-10 | r/3199 refactor(ops): Move Nix cache secret to agenix | Vincent Ambo | 1 | -1/+1
... and also the public key, just to keep the distribution mechanism the same. Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
2021-12-01 | r/3131 fix(ops/www): Redirect tvl.fyi/blog -> tvl.fyi | Vincent Ambo | 1 | -0/+4
The blog index page is at the root and people may manually edit the URL. Change-Id: I6cdaaaee6223524a9e950584379cfac34f8be160
2021-11-30 | r/3118 fix(ops/www): Strip `.html` from TVL blog post URLs | Vincent Ambo | 1 | -0/+8
Change-Id: I4d1f9284ec004931c07c04d614b01f28eedea508
2021-10-01 | r/2946 feat(whitby): serve static.tvl.{fyi|su} with max cache settings | Vincent Ambo | 1 | -0/+42
The setup is explained in the comment, but TL;DR: Use the derivation hash of static files to create permanent URLs. Relates to b/151. Change-Id: Ib1ca3a1a00c90a47f4bf39c29a8b4bbf5b215e7d Reviewed-on: https://cl.tvl.fyi/c/depot/+/3664 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2021-10-01 | r/2941 feat(whitby): Serve //corp/website on tvl.su | Vincent Ambo | 1 | -0/+20
Change-Id: I21e1ddf9a32568cac8ad2595869ac8670867efa9 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3658 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2021-09-18 | r/2890 refactor(whitby): Move restic path configuration into modules | Vincent Ambo | 1 | -0/+2
This lets each service declare their backup paths together with the configuration for the service, which is a lot more sensible than what we had before. Fixes b/147 Change-Id: If76fe62639f4cc0e6fbb63a2959d584479d8f0fb Reviewed-on: https://cl.tvl.fyi/c/depot/+/3583 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-09-16 | r/2877 feat(git-serving): Configure josh to serve the depot over HTTP | Vincent Ambo | 1 | -2/+12
Previously we served the dumb git HTTP protocol from code.tvl.fyi via cgit. This CL disables this feature and instead runs josh in the same location (by redirecting appropriately), but while also enabling partial cloning of all subtrees of the depot. For example, after this CL the following would result in an independent clone of //nix/readTree:
    git clone https://code.tvl.fyi/depot.git:/nix/readTree.git
Note that there are no josh workspaces configured at all for now, these references are only for static depot subpaths. Please refer to the documentation for josh for more information on available kinds of josh filters. Josh state is kept in a systemd state directory in /var/lib/josh and backed up to Restic. Backing this up is necessary, as josh uses stateful information to do things like tracking merges and rewriting history per subtree appropriately to avoid cloned repositories ending up in peculiar states. Change-Id: I156f0298c2aa42e3bdbf5a0e86109070d640c56e Reviewed-on: https://cl.tvl.fyi/c/depot/+/3563 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de>
2021-09-11 | r/2847 fix(deploys.*): Folder for diffs is in /diff/ | Vincent Ambo | 1 | -1/+1
... this was missing before. Change-Id: I5b79cb78665f24fdb7cc6496e3782d3940dc77b6 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3527 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-09-10 | r/2837 feat(whitby): Serve static HTML dir for deploys.tvl.fyi | Griffin Smith | 1 | -0/+20
Add a new domain and nginx virtual host at deploys.tvl.fyi, serving out of a static directory on whitby which is created by systemd-tmpfiles. This will be used to serve diffs rendered by nix-diff for pending deploys for whitby
Since this contains stateful data, it is added to the restic backups on whitby. Refs: b/110 Change-Id: I5869d40800bbf5fb8fb39878a857f66ff5787830 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3144 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2021-08-24 | r/2751 feat(ops): Serve nixery.dev from whitby | Vincent Ambo | 1 | -0/+21
Adds a new module for the nixery.dev domain and serves it from whitby. Note that the DNS records do *not* point to whitby yet, so deploying this will lead to a failed TLS provisioning unit - but this is intentional. Change-Id: I911f67a0aa24f8df3cb52d2cfc49a8b6132cf718 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3383 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-08-13 | r/2726 feat(ops/www): Point images.tvl.* at Nixery | Vincent Ambo | 1 | -0/+22
Change-Id: I39f979c68e7b74f6da6a7da0f07aaa470886d451 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3346 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de> Reviewed-by: sterni <sternenseemann@systemli.org>
2021-05-25 | r/2631 fix(wigglydonke.rs): Don't rebuild nginx config unnecessarily | Vincent Ambo | 1 | -1/+1
This fix is essentially the same as the one in cl/1263. Change-Id: I27be280a610914fcfbb6d7fee7aebaa56b993812 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3158 Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI
2021-05-22 | r/2609 chore: Replace Freenode mentions with HackInt | Vincent Ambo | 1 | -1/+2
This doesn't replace all of them in the repo, but at least the ones that are relevant to our move. Change-Id: I842e7594b4c16af30d880272417874f6b29afd22 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3134 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: grfn <grfn@gws.fyi>
2021-05-21 | r/2599 feat(apereo-cas): move away from 127.0.0.1:8443 | Florian Klink | 1 | -1/+1
The following commit intends to bind on port 8443 on all interfaces, so let's move this to something else. Change-Id: Ibb94a0f4e6892b6e543b542b89bcdaaefb617f23 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3126 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2021-05-05 | r/2568 fix(ops/www): Fix typo in nginx configuration | Vincent Ambo | 1 | -1/+1
Change-Id: I5ee7307acae548cc7779fe715ea4aad620fe8f5c Reviewed-on: https://cl.tvl.fyi/c/depot/+/3096 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-05-05 | r/2567 feat(ops/www): Configure atward.tvl.fyi and its aliases | Vincent Ambo | 1 | -0/+33
Change-Id: I20dfb057f8184899226bcb4527010a6982d426f0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3094 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-04-20 | r/2529 feat(ops/modules/www): Disable FLoC tracking for all TVL pages | Vincent Ambo | 1 | -0/+4
.. this is actually likely not disabling it for some pages, that will need this to be copy & pasted, but it's hard to tell just from the nginx docs. We'll make sure after deploying. Change-Id: I2fa6e31ca10835a206673b858594fa071e729d82 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3020 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-04-12 | r/2498 feat(whitby): Enable Grafana at status.tvl.su | Vincent Ambo | 1 | -0/+25
Enables a Grafana service pointing to whitby's local Prometheus instance, accessible at status.tvl.su. I've no idea how to configure Grafana and if it's possible to link it to CAS, but we'll see about that later. Notes:
* the explicit fixpoint for whitby config has been removed as we have the `config` parameter available now
* backups are enabled for the Grafana storage location
Change-Id: If5ffe0c1a3378d1c88529129487c643642705fd2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2948 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2021-04-12 | r/2497 refactor: Replace 'depotPath' with 'depot.path' | Vincent Ambo | 1 | -1/+1
Instead of having two ways of accessing the path to the depot (one of which was stuttering, depot.depotPath) we settle on only one: depot.path. This was mostly used for NixOS module imports. Co-Authored-By: Florian Klink <flokli@flokli.de> Change-Id: I2c0db23383fc34f6ca76baaad4cc4af2d9dfae15 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2962 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: sterni <sternenseemann@systemli.org>
2021-04-12 | r/2485 refactor(users/glittershark): Rename to grfn | Griffin Smith | 1 | -1/+1
Rename my //users directory and all places that refer to glittershark to grfn, including nix references and documentation. This may require some extra attention inside of gerrit's database after it lands to allow me to actually push things. Change-Id: I4728b7ec2c60024392c1c1fa6e0d4a59b3e266fa Reviewed-on: https://cl.tvl.fyi/c/depot/+/2933 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: glittershark <grfn@gws.fyi>
2021-04-11 | r/2482 refactor(ops): Split //ops/nixos into different locations | Vincent Ambo | 11 | -0/+324
Splits //ops/nixos into:
* //ops/nixos.nix - utility functions for building systems
* //ops/machines - shared machine definitions (read by readTree)
* //ops/modules - shared NixOS modules (skipped by readTree)
This simplifies working with the configuration fixpoint in whitby, and is overall a bit more in line with how NixOS systems in user folders currently work. Change-Id: I1322ec5cc76c0207c099c05d44828a3df0b3ffc1 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2931 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: glittershark <grfn@gws.fyi>