about summary refs log tree commit diff
path: root/ops/modules
AgeCommit message (Collapse)AuthorFilesLines
2022-05-28 r/4165 chore(ops/sourcegraph): Bump to 3.32.1Vincent Ambo1-1/+1
Change-Id: I8efdf3dbfc5575f24c8e6996a7716d308f1446df Reviewed-on: https://cl.tvl.fyi/c/depot/+/5752 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-27 r/4164 fix(tvl-slapd): load argon2 module with new nameVincent Ambo1-1/+1
This became an "official" module and dropped the `pw-` prefix. Relates to b/184 Change-Id: I963f83b55b83015b022ab1b8330ea710d2258631 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5751 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-27 r/4147 fix(ops/modules): Increase `RestartSec=` of oauth2_proxy serviceVincent Ambo1-0/+1
When Keycloak and oauth2_proxy are restarted simultaneously, the latter might try to come up (repeatedly!) before Keycloak can serve it properly. This leads to systemd considering the unit failed. Since this all happens in the span of a second or so, slightly increase the restart delay of the service to ensure it comes back after Keycloak is ready. A "proper" fix might be to add a script that runs before the actual service and waits for Keycloak, but I don't want to prioritise that right now. Change-Id: I4dadba686de60ffc103fe889ce19f05ca1d7d4fe Reviewed-on: https://cl.tvl.fyi/c/depot/+/5695 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-26 r/4122 fix(ops/modules): adapt for changed ssh.knownHostsVincent Ambo1-3/+3
Somehow this ended up generating an empty file, with this change it is fine again. I was looking at the recent commits of the module in nixpkgs but couldn't quite figure it out, there are also some vague references to the attribute set key being used as a hostname, but this doesn't seem to be true in practice. To be clear, the previous code was wrong, but at some point it generated a file that accidentally worked. Change-Id: I42d55730c09daafe6d6fe0eb3647135e84737bca Reviewed-on: https://cl.tvl.fyi/c/depot/+/5670 Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su>
2022-05-25 r/4118 feat(whitby): Deploy private SSH key for build agentsVincent Ambo1-0/+1
Change-Id: I5b1dfaaf28e835cac5b897e18b015d90ac3b2857 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5665 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi>
2022-05-25 r/4115 feat(ops/modules/open_eid.nix): Access all key slotsKlemens Nanni1-3/+4
`onepin-opensc-pkcs11.so` only enables PIN1, but PIN2 is also required. Change-Id: Ic1c34ca58a46c2978c7e27e7a9b7e6a4d335ac0c Reviewed-on: https://cl.tvl.fyi/c/depot/+/5648 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de> Reviewed-by: kn <klemens@posteo.de> Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-25 r/4114 feat(ops/modules/open_eid.nix): Add digidoc-tool(1) to PATHKlemens Nanni1-0/+1
libdigidocpp is a dependency of qdigidoc4(1) already. This will need https://github.com/NixOS/nixpkgs/pull/174055 "libdigidocpp: Fix PKCS11 module library path" to work, though. Change-Id: Ic8d671077977b1d1f099a8b4b23cc537b52aa954 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5647 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de> Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-25 r/4112 feat(3p/agenix): update to 2022-05-16 and add to nivsterni8-8/+8
The new version brings the new secretsDir setting which means we no longer have to hardcode /run/agenix everywhere. Change-Id: I4b579d7233d315a780d7671869d5d06722d769fa Reviewed-on: https://cl.tvl.fyi/c/depot/+/5646 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: sterni <sternenseemann@systemli.org>
2022-05-23 r/4106 refactor(nixery): Modernise structure of binariesVincent Ambo1-1/+1
Nixery is going to gain a new binary (used for building images without a registry server); to prepare for this the server binary has moved to cmd/server and the Nix build logic has been updated to wrap this binary and set the required environment variables. Change-Id: I9b4f49f47872ae76430463e2fcb8f68114070f72 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5603 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-08 r/4017 feat(ops/modules/open_eid.nix): document firefoxFlorian Klink1-0/+3
Firefox users can add p11-kit-proxy (or other SecurityDevices) system-wide, by making use of the extraPolicies functionality. Change-Id: Id58b6cab425199fb0e09e846db2a86d302c0de0d Reviewed-on: https://cl.tvl.fyi/c/depot/+/5534 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Autosubmit: flokli <flokli@flokli.de>
2022-05-07 r/4016 feat(ops/modules/open_eid.nix): use p11-kit-proxyFlorian Klink1-7/+11
… instead of onepin-opensc-pkcs11. This acts as a glue to multiple PKCS#11 modules, and reads configuration files from /etc/pkcs11/modules. p11-kit is also used to propagate the system trust store to NSS: https://p11-glue.github.io/p11-glue/sharing-trust-policy.html See-Also: https://p11-glue.github.io/p11-glue/p11-kit.html Change-Id: I135c3a80a4eea0bd06f6b00089dc197c82476746 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5533 Reviewed-by: flokli <flokli@flokli.de> Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2022-04-20 r/3982 chore(nixery): Housekeeping for depot compatibilityVincent Ambo1-1/+1
Cleans up a whole bunch of things I wanted to get out of the door right away: * depot internal references to //third_party/nixery have been replaced with //tools/nixery * cleaned up files from Github * fixed SPDX & Copyright headers * code formatting and inclusion in //tools/depotfmt checks Change-Id: Iea79f0fdf3aa04f71741d4f4032f88605ae415bb Reviewed-on: https://cl.tvl.fyi/c/depot/+/5486 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: tazjin <tazjin@tvl.su>
2022-04-14 r/3948 feat(ops/open_eid): Add script for setting up browser integrationVincent Ambo1-0/+18
Change-Id: Ib339d62d862fd99dab2fda30376b8e47b337a26b Reviewed-on: https://cl.tvl.fyi/c/depot/+/5441 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de> Autosubmit: tazjin <tazjin@tvl.su>
2022-04-09 r/3938 feat(ops/modules): Add module for using Estonian e-residency cardVincent Ambo1-0/+10
Someone already packaged the required software, so I didn't have to do that. Change-Id: Ifc6a68fd4cd89f4718368a05acb6c6f536e01aab Reviewed-on: https://cl.tvl.fyi/c/depot/+/5431 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: tazjin <tazjin@tvl.su>
2022-03-31 r/3927 fix(ops/oauth_proxy): Depend on Keycloak serviceVincent Ambo1-0/+6
If the Keycloak service is running on the same machine as the oauth2 proxy (spoiler alert: it is!), let the service depend on it. Change-Id: I30e4222b4cd5589e08849ef6f37cf1fb4369f55a Reviewed-on: https://cl.tvl.fyi/c/depot/+/5421 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org>
2022-03-19 r/3917 chore(3p/sources): Bump channels & overlayssterni1-2/+2
* Remove use of aliases that have been removed in nixpkgs commit a36f455905d55838a0d284656e096fbdb857cf3a: - ncat - x11 - nologin - dbus_libs - emacsPackagesGen - man-pages - pulseaudioLight Change-Id: Ide603bf48bc7f77e10e4aa715ba025aece3644fd Reviewed-on: https://cl.tvl.fyi/c/depot/+/5387 Tested-by: BuildkiteCI Autosubmit: sterni <sternenseemann@systemli.org> Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: wpcarro <wpcarro@gmail.com>
2022-03-11 r/3905 fix(modules/quassel): Open firewall port automaticallyVincent Ambo1-0/+2
Change-Id: Ie815495561f789590b5f49ecfd33441822f79047 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5382 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2022-02-20 r/3859 chore(ops/modules): Remove fix-nginx timer unitVincent Ambo1-22/+0
This doesn't seem to be needed anymore. Change-Id: Id8d4192840e8ab10adb652abc9bd6540009a3dcf Reviewed-on: https://cl.tvl.fyi/c/depot/+/5319 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de> Autosubmit: tazjin <tazjin@tvl.su>
2022-02-18 r/3849 fix(ops/modules/www): Make self-redirect to config a generic moduleVincent Ambo3-33/+27
As suggested by sterni, this makes the self-redirect of a machine to its configuration a generic module working by convention. In the process of moving this two small fixes have been applied: * redirect is only applied if the URI is `/`, this is required for ACME to work * addSSL = true is added, otherwise we have a certificate but no TLS listener Change-Id: Icaef041ff681253a61e36926417bdb2844e3f93d Reviewed-on: https://cl.tvl.fyi/c/depot/+/5313 Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI
2022-02-18 r/3847 refactor(ops/modules): Move journaldriver configuration into moduleVincent Ambo1-0/+26
This makes the journaldriver configuration machine-independent. The secret is loaded from agenix instead of being persisted on disk. Change-Id: I592ae7f5726fcb7f37a406f69dcf5ac498eeb1b7 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5302 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-18 r/3844 feat(ops/machines): Add a module for known SSH keysVincent Ambo1-0/+21
Change-Id: I443e479f3edf9c6540de7b5a33bc6f7e2a9c5183 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5305 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: tazjin <tazjin@tvl.su>
2022-02-18 r/3843 feat(ops/modules): Redirect machine base names to their configVincent Ambo2-0/+33
With this change, entering just "whitby.tvl.fyi" or "sanduny.tvl.su" in a browser will redirect users to their machine configurations. Change-Id: Ibf076a469bcce073e1b1970aa568d6fe16a5c75a Reviewed-on: https://cl.tvl.fyi/c/depot/+/5304 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: tazjin <tazjin@tvl.su>
2022-02-18 r/3842 refactor(ops/modules): Move ACME base configuration into base.nixVincent Ambo1-0/+5
This needs to be present on all machines that run ACME stuff. I've switched the address for a .su one because I have a catchall for these. Change-Id: I7af8e1f1cb2fcfbcba4b7d1930ed0edef0106d72 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5306 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-17 r/3838 refactor(ops/modules): Move user configuration into moduleVincent Ambo1-0/+94
Rather than defining all system users inline on whitby, move them into a module that can be imported on multiple machines. Configuration for terminfos that we've added follows along. Note that while doing this I've disabled logins for riking and isomer since they are currently inactive in TVL. Change-Id: Id18031d355afc34079c5e6e49dc6943e61809a8f Reviewed-on: https://cl.tvl.fyi/c/depot/+/5298 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: tazjin <tazjin@tvl.su>
2022-02-16 r/3837 refactor(ops/modules): Rename git-serving -> joshVincent Ambo2-6/+6
cgit has its own module now Change-Id: I9b4cc322374517b8bd3db43345831e2bf43c4bb1 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5295 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-16 r/3836 refactor(ops/modules): Move cgit configuration into a moduleVincent Ambo3-22/+106
The ancient `//web/cgit-taz` path stems from the time I had code.tazj.in serving my initial version of the depot. I've been meaning to clean this up for forever, so here we go. Note that this leaves the git-serving module in a strange state where it only deals with josh. I'll rename it accordingly. Change-Id: I47ed1e9d90958299b5440a18a1b9075274754e33 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5294 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-31 r/3723 style: format entire depot with nixpkgs-fmtVincent Ambo20-74/+101
This CL can be used to compare the style of nixpkgs-fmt against other formatters (nixpkgs, alejandra). Change-Id: I87c6abff6bcb546b02ead15ad0405f81e01b6d9e Reviewed-on: https://cl.tvl.fyi/c/depot/+/4397 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: wpcarro <wpcarro@gmail.com> Reviewed-by: Profpatsch <mail@profpatsch.de> Reviewed-by: kanepyork <rikingcoding@gmail.com> Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: cynthia <cynthia@tvl.fyi> Reviewed-by: edef <edef@edef.eu> Reviewed-by: eta <tvl@eta.st> Reviewed-by: grfn <grfn@gws.fyi>
2022-01-29 r/3713 fix(www/tvl.fyi): Anchor /blog redirects at #blogVincent Ambo1-2/+2
Since our blog index is on the index page, this makes slightly more sense. Change-Id: I7b8164490c133e23d892abef21275f8bfed50b66 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5123 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-01-29 r/3712 fix(tvl.fyi): Redirect /blog/ (with trailing /) to /Griffin Smith1-0/+4
This was already happening without the trailing slash, but needs to happen separately with it. Fixes: b/172 Change-Id: Ic3423fd7a2eaf76a073badd80965cee953df4ce9 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5121 Tested-by: BuildkiteCI Autosubmit: grfn <grfn@gws.fyi> Reviewed-by: tazjin <tazjin@tvl.su>
2022-01-29 r/3711 feat(ops/www): Write JSON access log to journaldVincent Ambo1-0/+18
This means it will end up in journaldriver. Change-Id: I66f781085b5dac9946b3b9a2bf30e447863e1213 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5122 Reviewed-by: lukegb <lukegb@tvl.fyi> Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su>
2022-01-17 r/3616 fix(ops/oauth2_proxy): Fix cookie secret lengthVincent Ambo1-1/+1
The cookie secret in the encrypted file was too long, because the generation command in the oauth2_proxy docs is also wrong. Should probably fix that upstream as well. Also noticed that an extra '2' snuck into the service name and fixed that. Change-Id: I9a344a75993ab1f98299a8d45e7f5b2e146b7fc5 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4957 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-07 r/3526 feat(ops/auto-deploy): Support emergency stops via stop fileVincent Ambo1-0/+9
Adds a feature to emergency-stop deploys by simply running `touch /var/lib/auto-deploy/stop`. This can be useful in some situations, especially if there is a process that reconciles service state (so that e.g. stopping the unit's timer would be undone). Change-Id: I233dfac365a578bfa4110eb605b50be079974ba4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4827 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: wpcarro <wpcarro@gmail.com>
2022-01-07 r/3525 chore(cache.tvl.su): Raise cache priority to 50Vincent Ambo1-0/+5
The priority of binary caches is decided by the remotes in Nix (???), and by default nix-serve (which is *very* slow) has a lower priority than cache.nixos.org (which means that it will be preferred over the faster cache for paths that exist on both). To avoid this, override the hardcoded (????) priority by serving the nix-cache-info response directly from nginx instead. Change-Id: I15a2d6618386d16edaf69f1c9257a36bd72132d2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4823 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: grfn <grfn@gws.fyi>
2022-01-04 r/3518 feat(ops): Add initial oauth2_proxy configurationVincent Ambo1-0/+52
The intent is to configure oauth2_proxy pointing at Keycloak to enable usage with nginx auth_request directives. I want to expose this as a function from within the module in which nginx server configuration blocks can be wrapped, but the function for that is currently a placeholder. Change-Id: I5ed7deb9bf1c62818f516e68c33e8c5b632fccfe Reviewed-on: https://cl.tvl.fyi/c/depot/+/4767 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2022-01-04 r/3517 chore(ops): Remove login.tvl.fyi moduleVincent Ambo1-24/+0
It looks like we won't need this for oauth2_proxy when combined with nginx auth_request setups. Change-Id: I2294aee6226b4f64a27bf6592c2d18092d0268cc Reviewed-on: https://cl.tvl.fyi/c/depot/+/4766 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: grfn <grfn@gws.fyi>
2022-01-01 r/3509 refactor(modules/smtprelay): Load credentials via agenixVincent Ambo1-7/+14
Change-Id: I56f6887e1fd35551cfc83ad08cafebb611f4a341 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4760 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: Profpatsch <mail@profpatsch.de> Autosubmit: tazjin <mail@tazj.in>
2021-12-26 r/3446 fix(auto-deploy): Add missing packages to pathGriffin Smith1-3/+5
Building nix derivations needs tar (provided by gnutar) and gzip on the PATH in order to extract .tar.gz archives. Change-Id: Ia2df7a3a770cfd342dfede58ad34e04805fbd1f8 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4685 Tested-by: BuildkiteCI Autosubmit: grfn <grfn@gws.fyi> Reviewed-by: wpcarro <wpcarro@gmail.com>
2021-12-26 r/3414 feat(ops/auto-deploy): Support auto-deployWilliam Carroll2-0/+93
Automatically rebuild the current system's NixOS config from the latest checkout of depot. Change-Id: I23aa7af50e16e985ac34df214e0905e770316e5e Reviewed-on: https://cl.tvl.fyi/c/depot/+/4390 Reviewed-by: wpcarro <wpcarro@gmail.com> Reviewed-by: zseri <zseri.devel@ytrizja.de> Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: wpcarro <wpcarro@gmail.com> Tested-by: BuildkiteCI
2021-12-26 r/3411 chore: friendship ended with cas, now keycloak is our best friendVincent Ambo1-28/+0
Note that the login.tvl.fyi WWW configuration is still kind of hanging around until we've settled where Keycloak lives. Change-Id: Iaca4e394a7371cafa3716ca66ef09c4eca5b1520 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4626 Autosubmit: tazjin <mail@tazj.in> Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-12-26 r/3410 feat(monorepo-gerrit): Configure for Keycloak compatibilityVincent Ambo1-5/+6
Change-Id: Ic3fce02b071c09cf03e652510f16bafb795a5a1d Reviewed-on: https://cl.tvl.fyi/c/depot/+/4614 Autosubmit: tazjin <mail@tazj.in> Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: grfn <grfn@gws.fyi>
2021-12-25 r/3401 feat(whitby): Configure initial Keycloak setupVincent Ambo1-0/+24
Trialing this as an alternative to CAS that is a little easier to configure and can help us delegate authentication to other OIDC services. Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-12-19 r/3302 feat(whitby): Add buildkite agents to docker groupGriffin Smith1-1/+1
I'd like to be able to run extra CI steps that include running docker containers (to integration test things like webapps that connect to a database). To do this the buildkite agents themselves need permission to do docker things. Change-Id: I3c9a488708f0e12a508754ac41f04148ca7aedac Reviewed-on: https://cl.tvl.fyi/c/depot/+/4408 Tested-by: BuildkiteCI Autosubmit: grfn <grfn@gws.fyi> Reviewed-by: tazjin <mail@tazj.in>
2021-12-16 r/3266 feat(ops/modules): Provide some modules to all nixosesGriffin Smith1-0/+13
For modules that are gated behind a mkEnableOption, it's reasonable to just provide them to all Depot-built nixos systems without requiring people to explicitly import them. This defines a special module called `default-imports.nix` which imports these modules (currently just tvl-cache.nix and automatic-gc.nix, as I'm being rather conservative adding things here to avoid breaking anyone's system), then provides that module as one of the `modules` passed at the top-level nixos/eval-config invocation. Change-Id: I3be299ab10ae4c451ef11c514edb3c89318a2278 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4345 Tested-by: BuildkiteCI Autosubmit: grfn <grfn@gws.fyi> Reviewed-by: tazjin <mail@tazj.in>
2021-12-15 r/3261 feat(ops/modules): Add shared module for TVL cacheGriffin Smith1-0/+19
Add a shared nixos module for configuring whitby as a binary nix cache, and refactor tverskoy to use this module. This is enabled via an option to pave the way for including it as an import in all depot-generated nixos configs at some point in the future. Change-Id: I6dcc0e8eb48b1ac34457666dceebeedd5da6c526 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4344 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: wpcarro <wpcarro@gmail.com> Autosubmit: grfn <grfn@gws.fyi>
2021-12-14 r/3244 docs(ops/irccat): link to credentials RFEFlorian Klink1-0/+4
https://cl.tvl.fyi/c/depot/+/4264 did move merging config with secrets into ExecStart=, which is tracked in an RFE upstream: https://github.com/systemd/systemd/issues/19604#issuecomment-989279884 We didn't link to this so far, neither in the commit message, nor in a comment. Let's add a comment, so people know when we can undo this. Change-Id: I7bed370b671093bb876592b4dccd562f1c256cd2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4326 Tested-by: BuildkiteCI Autosubmit: flokli <flokli@flokli.de> Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi>
2021-12-10 r/3204 fix(tvl-buildkite): Use supported credential helper binary nameVincent Ambo1-1/+1
Git only allows binary names prefixed with `git-credential-` if the path to the helper is not absolute. Why? Who knows. Change-Id: I216b2a621f62a73f05e21def7ec8016b29ede892
2021-12-10 r/3203 refactor(ops): Move panettone secrets to agenixVincent Ambo1-0/+1
Relates to b/161 Change-Id: I508e5a0eacab668f4bd39a2c888d894b96bed093
2021-12-10 r/3200 refactor(tvl-buildkite): Prepare gerrit credentials helperVincent Ambo1-0/+6
Currently this functionality is provided by a shell script stored in /etc/secrets (which has the password value hardcoded). This needs to happen in a separate commit from the one that changes the pipeline to avoid breaking it (it needs to be deployed first). Change-Id: I680754c828ccefbacfcf0d5c813a4bc19493ba4c
2021-12-10 r/3199 refactor(ops): Move Nix cache secret to agenixVincent Ambo1-1/+1
... and also the public key, just to keep the distribution mechanism the same. Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
2021-12-10 r/3198 refactor(ops): Use besadii configuration from agenixVincent Ambo2-2/+2
We already checked this in, but this commit adds the configuration for making use of it. There are two copies of besadii's JSON configuration with different permissions. Note that the buildkite-graphql-token path needs to be updated in static-pipeline.yml, but this needs to happen in a separate commit after deploy because the pipeline will break otherwise. Change-Id: I6fab4bf1a2e679df7cf76521e2b53bd9dadbac62