about summary refs log tree commit diff
path: root/ops/modules
AgeCommit message (Collapse)AuthorFilesLines
2021-11-30 r/3118 fix(ops/www): Strip `.html` from TVL blog post URLsVincent Ambo1-0/+8
Change-Id: I4d1f9284ec004931c07c04d614b01f28eedea508
2021-11-21 r/3078 fix(ops/restic): Move whitby's backup to GleSYS object storageVincent Ambo1-12/+16
Since GCP nuked us, the backups are now moving to GleSYS' S3-compatible object storage. This refactors the restic module to support S3-compatible storage instead of GCP, and switches to the appropriate new secret paths. The secrets were placed on whitby manually and I verified that the backups work. This fixes b/157 Change-Id: I6a9d2b0581967605ce736605a3befb44cdeae7e1 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3883 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2021-10-01 r/2946 feat(whitby): serve static.tvl.{fyi|su} with max cache settingsVincent Ambo1-0/+42
The setup is explained in the comment, but TL;DR: Use the derivation hash of static files to create permanent URLs. Relates to b/151. Change-Id: Ib1ca3a1a00c90a47f4bf39c29a8b4bbf5b215e7d Reviewed-on: https://cl.tvl.fyi/c/depot/+/3664 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2021-10-01 r/2941 feat(whitby): Serve //corp/website on tvl.suVincent Ambo1-0/+20
Change-Id: I21e1ddf9a32568cac8ad2595869ac8670867efa9 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3658 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2021-09-24 r/2914 chore(ops/git-serving): Remove josh state from whitby backupsVincent Ambo1-2/+0
As cschilling explained on cl/3563, there isn't actually anything in this state that we *need* to persist. We're still keeping it in a persistent directory on disk as this serves as an optimisation after restarts of josh. Change-Id: Ia88886792a5acac34508b5b8a669bd519ca033de Reviewed-on: https://cl.tvl.fyi/c/depot/+/3631 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-09-18 r/2890 refactor(whitby): Move restic path configuration into modulesVincent Ambo3-0/+8
This lets each service declare their backup paths together with the configuration for the service, which is a lot more sensible than what we had before. Fixes b/147 Change-Id: If76fe62639f4cc0e6fbb63a2959d584479d8f0fb Reviewed-on: https://cl.tvl.fyi/c/depot/+/3583 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-09-18 r/2889 fix(ops/restic): types.string -> types.strVincent Ambo1-3/+3
I can never remember which is which. Change-Id: I69b8235862b8c5b49030a74bfca25aaa113273b7 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3582 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-09-16 r/2878 refactor(ops/restic): Move restic configuration into a new moduleVincent Ambo1-0/+57
Relates to b/147. First step towards giving depot modules the ability to declare their own backup directories by moving all restic configuration into a new module and adding a NixOS option for inclusion/exclusion paths for backups. This still keeps all backup paths within the whitby config. Change-Id: Ia96833668f1a3d02da892261153d8b02156b8ac0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3565 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de>
2021-09-16 r/2877 feat(git-serving): Configure josh to serve the depot over HTTPVincent Ambo2-2/+66
Previously we served the dumb git HTTP protocol from code.tvl.fyi via cgit. This CL disables this feature and instead runs josh in the same location (by redirecting appropriately), but while also enabling partial cloning of all subtrees of the depot. For example, after this CL the following would result in an independent clone of //nix/readTree: git clone https://code.tvl.fyi/depot.git:/nix/readTree.git Note that there are no josh workspaces configured at all for now, these references are only for static depot subpaths. Please refer to the documentation for josh for more information on available kinds of josh filters. Josh state is kept in a systemd state directory in /var/lib/josh and backed up to Restic. Backing this up is necessary, as josh uses stateful information to do things like tracking merges and rewriting history per subtree appropriately to avoid cloned repositories ending up in peculiar states. Change-Id: I156f0298c2aa42e3bdbf5a0e86109070d640c56e Reviewed-on: https://cl.tvl.fyi/c/depot/+/3563 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de>
2021-09-11 r/2847 fix(deploys.*): Folder for diffs is in /diff/Vincent Ambo1-1/+1
... this was missing before. Change-Id: I5b79cb78665f24fdb7cc6496e3782d3940dc77b6 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3527 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-09-11 r/2846 feat(sourcegraph): Upgrade 3.30.4 -> 3.31.2Vincent Ambo1-1/+1
This one seems a little more involved: https://docs.sourcegraph.com/admin/migration/3_31 I believe we skip that corruption issue in the previous CL though, by simply never deploying a version with that weird broken image. See b/144 Change-Id: I3bbf1b719d00905e08a92011ace5485467f504ef Reviewed-on: https://cl.tvl.fyi/c/depot/+/3525 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-09-11 r/2845 feat(sourcegraph): Upgrade 3.29.1 -> 3.30.4Vincent Ambo1-1/+1
See b/144 Change-Id: Ied9490f3ce6fb3fda8cbb9983416b02ea451fb44 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3524 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-09-11 r/2844 feat(sourcegraph): Upgrade 3.28.0 -> 3.29.1Vincent Ambo1-1/+1
See b/144 Change-Id: Ia62d4cbf581caaefa0dba455376eec60b8c817d6 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3523 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-09-11 r/2843 fix(sourcegraph): Temporarily comment out our syntax highlighterVincent Ambo1-1/+2
We changed away from the default sourcegraph one because it didn't support Nix, but it seems that there's been a change in the interaction protocol. Change-Id: I3a2691df6a87672cf83b819143f25d93d9cd6d13 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3531 Tested-by: BuildkiteCI Reviewed-by: eta <tvl@eta.st> Reviewed-by: sterni <sternenseemann@systemli.org>
2021-09-11 r/2842 feat(sourcegraph): Upgrade 3.27.5 -> 3.28.0Vincent Ambo1-1/+1
See b/144 Change-Id: Ia09ad2af6043dcac6681c549103d1e6f52b4e0a0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3522 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-09-11 r/2841 feat(sourcegraph): Upgrade 3.26.0 -> 3.27.5Vincent Ambo1-1/+1
See b/144 Change-Id: I50d417c51b05bafcd3fe7e285f30079db8be499a Reviewed-on: https://cl.tvl.fyi/c/depot/+/3521 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-09-10 r/2837 feat(whitby): Serve static HTML dir for deploys.tvl.fyiGriffin Smith1-0/+20
Add a new domain and nginx virtual host at deploys.tvl.fyi, serving out of a static directory on whitby which is created by systemd-tmpfiles. This will be used to serve diffs rendered by nix-diff for pending deploys for whitby Since this contains stateful data, it is added to the restic backups on whitby. Refs: b/110 Change-Id: I5869d40800bbf5fb8fb39878a857f66ff5787830 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3144 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2021-08-24 r/2758 fix(tvl-sso): set memory limit to 512MLuke Granger-Brown1-0/+1
This is because I'm bored of CAS gradually consuming all the RAM on Whitby. Change-Id: Idcc14c19d99a6d3553739c5765be3faf2bdf9d84 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3233 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: tazjin <mail@tazj.in>
2021-08-24 r/2751 feat(ops): Serve nixery.dev from whitbyVincent Ambo1-0/+21
Adds a new module for the nixery.dev domain and serves it from whitby. Note that the DNS records do *not* point to whitby yet, so deploying this will lead to a failed TLS provisioning unit - but this is intentional. Change-Id: I911f67a0aa24f8df3cb52d2cfc49a8b6132cf718 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3383 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-08-15 r/2735 fix(monorepo-gerrit): Enable adding new email addresses to accountsVincent Ambo1-0/+3
This is required when people change their email addresses (e.g. cl/3349) as nothing in Gerrit will update that information from the OAuth provider. Change-Id: I1eafdf22efd37898dcd0d06bb9a5d1471ffb5e31 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3356 Tested-by: BuildkiteCI Reviewed-by: eta <eta@theta.eu.org> Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-08-13 r/2726 feat(ops/www): Point images.tvl.* at NixeryVincent Ambo1-0/+22
Change-Id: I39f979c68e7b74f6da6a7da0f07aaa470886d451 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3346 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de> Reviewed-by: sterni <sternenseemann@systemli.org>
2021-08-12 r/2721 feat(ops/modules): Add module for running NixeryVincent Ambo1-0/+42
This sets up a very simple Nixery instance with some things lacking: * no support for garbage-collecting image fragments (yet) * no popularity setup The plan is to use this to get the ball rolling on a separate domain (e.g. images.tvl.fyi), iron things out and then look into flipping over nixery.dev Change-Id: Ic594809f9d487fec7a0f632d608752a3f9c61315 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3280 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de> Reviewed-by: sterni <sternenseemann@systemli.org>
2021-08-12 r/2719 fix(monorepo-gerrit): Pin JVM version used for GerritVincent Ambo1-0/+7
Change-Id: Ib22cdc415cbd5a8345b9589b2c34b3908996dd57 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3322 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-06-12 r/2651 refactor(ops): Break out prometheus-fail2ban-exporter moduleGriffin Smith1-0/+52
Break out the configuration for the prometheus fail2ban exporter, which is a simple python script that exports stats from fail2ban as a prometheus-scrapable textfile, from Mugwump into a reusable nixos module in //ops/nixos/modules. Change-Id: I5451c9c5de6c7bc4431150ae596a9c758bf1b693 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3136 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2021-05-25 r/2631 fix(wigglydonke.rs): Don't rebuild nginx config unnecessarilyVincent Ambo1-1/+1
This fix is essentially the same as the one in cl/1263. Change-Id: I27be280a610914fcfbb6d7fee7aebaa56b993812 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3158 Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI
2021-05-25 r/2630 chore(nixpkgs): Bump channels to 2021-05-25Vincent Ambo5-15/+8
* users/grfn/system/home/yeren: remove obsolete awscli2 overrides * ops: make new isSystemUser || isNormalUser assertion happy * users/grfn/system/system/mugwump: make buildkite agents system users * users/tazjin/nixos/camden: set isSystemUser = true for git * users/tazjin/emacs: Remove missing & broken packages * third_party/openldap: remove, as the argon2 module is now enabled upstream * third_party/gerrit_plugins: Pinned new unstable hashes * third_party/nix, third_party/grpc: Disabled CI as these are broken * third_party/overlays/emacs: Bumped version to stay in sync with channel * third_party/buzz: Update LIBCLANG_PATH to reference libclang.lib, since libclang's default output no longer contains libclang.so * users/grfn/system/home: Install julia-stable instead of julia (which aliases to julia-lts), as the latter depends on an insecure version of libgit Change-Id: Iff33b0ecb0ef07a82d1de35e23c40d2f4bf0f8ed Reviewed-on: https://cl.tvl.fyi/c/depot/+/3001 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi>
2021-05-24 r/2627 fix(tvl-slapd): Replace deprecated OpenLDAP module optionsVincent Ambo1-5/+7
Use the new module settings which apply configuration in cn=config instead of slapd.conf. The module performed this update via lib.mkChangedModuleOption, I've applied the transformations contained therein manually. Note that some of the settings were already in place, which means that the `suffix` and `database` options seemingly disappear into the void. Fixes b/105. Change-Id: I8a968c1eb8cb7827618cb732cdb46006a5d011f9 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3157 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-05-22 r/2609 chore: Replace Freenode mentions with HackIntVincent Ambo1-1/+2
This doesn't replace all of them in the repo, but at least the ones that are relevant to our move. Change-Id: I842e7594b4c16af30d880272417874f6b29afd22 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3134 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: grfn <grfn@gws.fyi>
2021-05-22 r/2606 feat(ops/owothia): Add owothia module and deploy on whitbyVincent Ambo1-0/+67
This configures owothia to use her new bouncer to HackInt. Change-Id: I80eb8191c2b0f2a6f8a31d19b60250ade27c1913 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3129 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2021-05-21 r/2599 feat(apereo-cas): move away from 127.0.0.1:8443Florian Klink1-1/+1
The following commit itends to bind on port 8443 on all interfaces, so let's move this to something else. Change-Id: Ibb94a0f4e6892b6e543b542b89bcdaaefb617f23 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3126 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2021-05-06 r/2571 chore(sourcegraph): Increase nofile ulimit for SourcegraphVincent Ambo1-0/+6
Sourcegraph logs warnings about this on startup otherwise. Unclear to what degree it really affects operation though. Change-Id: I6ee7c5358631aafd9a7f8155150361bf7499314d Reviewed-on: https://cl.tvl.fyi/c/depot/+/3098 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2021-05-05 r/2568 fix(ops/www): Fix typo in nginx configurationVincent Ambo1-1/+1
Change-Id: I5ee7307acae548cc7779fe715ea4aad620fe8f5c Reviewed-on: https://cl.tvl.fyi/c/depot/+/3096 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-05-05 r/2567 feat(ops/www): Configure atward.tvl.fyi and its aliasesVincent Ambo1-0/+33
Change-Id: I20dfb057f8184899226bcb4527010a6982d426f0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3094 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-05-05 r/2566 refactor(atward): Configure listen addressVincent Ambo1-1/+7
This appeases the flokli. Change-Id: Ib6a6c1a2cc8780e7944913d9204b42505b29fdc0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3093 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-05-03 r/2562 feat(ops): Add NixOS module for atwardVincent Ambo1-0/+31
Very standard, nothing fancy. Change-Id: Ibb286f221a4752abfb62e971b98e9496357040f5 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3090 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de>
2021-04-20 r/2529 feat(ops/modules/www): Disable FLoC tracking for all TVL pagesVincent Ambo1-0/+4
.. this is actually likely not disabling it for some pages, that will need this to be copy & pasted, but it's hard to tell just from the nginx docs. We'll make sure after deploying. Change-Id: I2fa6e31ca10835a206673b858594fa071e729d82 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3020 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-04-18 r/2524 fix(automatic-gc): Fix garbage collection scriptVincent Ambo1-1/+1
It needs to refer to this by full path of course. Change-Id: I911c876ba18877681accb722426314d92b9f2318 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3042 Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI
2021-04-14 r/2512 fix(modules/automatic-gc): Add nix-daemon to requisitesVincent Ambo1-0/+1
This will require the daemon to be running when launching GC, but won't start it if it happens to not be running for some reason. Change-Id: If48fe336030173f028428fc00a81d339ef4b8bce Reviewed-on: https://cl.tvl.fyi/c/depot/+/3015 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-04-14 r/2511 feat(ops/modules): Add module for automatically collecting garbageVincent Ambo1-0/+90
Adds a module that automatically collects garbage based on disk space thresholds, and configures it to run hourly on whitby. This is implemented as an alternative to cl/2937, which I've been told uses a Nix feature that doesn't actually work. Under-the-hood this is simply a systemd timer running a shell script which checks available disk space and runs GC when necessary. Change-Id: I3c6b5de85b74ea52e7e16c53f2f900e0911c9805 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3014 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-04-12 r/2498 feat(whitby): Enable Grafana at status.tvl.suVincent Ambo1-0/+25
Enables a Grafana service pointing to whitby's local Prometheus instance, accessible at status.tvl.su. I've no idea how to configure Grafana and if it's possible to link it to CAS, but we'll see about that later. Notes: * the explicit fixpoint for whitby config has been removed as we have the `config` parameter available now * backups are enabled for the Grafana storage location Change-Id: If5ffe0c1a3378d1c88529129487c643642705fd2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2948 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2021-04-12 r/2497 refactor: Replace 'depotPath' with 'depot.path'Vincent Ambo1-1/+1
Instead of having two ways of accessing the path to the depot (one of which was stuttering, depot.depotPath) we settle on only one: depot.path. This was mostly used for NixOS module imports. Co-Authored-By: Florian Klink <flokli@flokli.de> Change-Id: I2c0db23383fc34f6ca76baaad4cc4af2d9dfae15 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2962 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: sterni <sternenseemann@systemli.org>
2021-04-12 r/2485 refactor(users/glittershark): Rename to grfnGriffin Smith1-1/+1
Rename my //users directory and all places that refer to glittershark to grfn, including nix references and documentation. This may require some extra attention inside of gerrit's database after it lands to allow me to actually push things. Change-Id: I4728b7ec2c60024392c1c1fa6e0d4a59b3e266fa Reviewed-on: https://cl.tvl.fyi/c/depot/+/2933 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: glittershark <grfn@gws.fyi>
2021-04-11 r/2482 refactor(ops): Split //ops/nixos into different locationsVincent Ambo26-0/+1069
Splits //ops/nixos into: * //ops/nixos.nix - utility functions for building systems * //ops/machines - shared machine definitions (read by readTree) * //ops/modules - shared NixOS modules (skipped by readTree) This simplifies working with the configuration fixpoint in whitby, and is overall a bit more in line with how NixOS systems in user folders currently work. Change-Id: I1322ec5cc76c0207c099c05d44828a3df0b3ffc1 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2931 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: glittershark <grfn@gws.fyi>