about summary refs log tree commit diff
path: root/ops/modules (follow)
AgeCommit message (Collapse)AuthorFilesLines
2023-06-22 r/6343 feat(ops): introduce (head|tail)scale server at net.tvl.fyiVincent Ambo1-0/+62
This runs a headscale server on sanduny which lets users join their machines to the TVL tailscale network. This would theoretically let people communicate with each other on the internal network, but also more notably joined servers can advertise exit node capability so that we can have our own "VPN network", for starters with endpoints in Germany, UK and Russia (whitby, sanduny and koptevo respectively). This setup isn't fully stable yet, notably: * The IP range used by tailscale is just the default one right now, I'm not sure if that should be changed or what. * The system is stateful (on sanduny), but the state is not (yet) backed up anywhere. Use with caution. * Machine joining is a manual process requiring SSH & root access to sanduny. The process is to log in to sanduny, then get a headscale shell with `sudo -u headscale bash`, and to use the `headscale` CLI within there to administrate access. I've opted to create a user account `tvl` for TVL-owned machines, and a personal account for myself and my machines. Change-Id: I4f1be1fe8062a6c2e77203ff72fe8709f4e4dec8 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8837 Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2023-06-15 r/6317 fix(ops/modules/quassel): use systemd LoadCredential to read certsVincent Ambo1-1/+5
This avoids permission issues with nginx vs. quassel Change-Id: I770f8284d8fd8fc6d38add93c1681f9daebe8749 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8786 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-06-15 r/6311 chore(3p/sources): Bump channels & overlayssterni1-1/+1
* //ops/modules/depot-inbox: Adapt to upstream option type declaration. See nixpkgs commit b6ed3b8f402893df91a8e21ce993520301c2f076. * //ops/machines/sanduny, //users/tazjin/polyanka: Remove boot.loader.grub.version options (no longer has any effect). * //users/sterni/emacs: reflect rename emacsPgtk -> emacs-pgtk * //3p/overlays: update tdlib to match emacs-overlay * //3p/overlays: give EXWM from depot a separate name * //users/grfn/system/home: disable Slack support in ntfy Change-Id: I03bde088bc70e05b23925f244899807210cb7b20 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8547 Autosubmit: sterni <sternenseemann@systemli.org> Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2023-04-28 r/6117 feat(ops/modules/open_eid): add support for Web eID extensionFlorian Klink1-20/+37
Most likely due to bad UX in browsers for hardware-backed TLS client cert auth, most websites have switched from client-side TLS to the "Web eID" extension. Once installed, the extension uses [Native Messaging] to talk to a `web-eid-app` application, which handles the communication with the smart card itself. This can be tested on https://web-eid.eu/ . The commit needs nixpkgs to be bumped past https://github.com/NixOS/nixpkgs/pull/227354 . [Native Messaging]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging Change-Id: Iffe6d81ecf7cee25406fa39a983ff52cf669c373 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8490 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-04-19 r/6099 fix(ops/modules/open_eid): use libdigidocpp.binFlorian Klink1-1/+1
nixpkgs commit 134036f642a7f3ba9efeab509727c0989458b02b moved the digidoc-tool binary to the `bin` output, so this wasn't actually providing the digidoc-tool binary anymore. Change-Id: Id5f7cc69d55b7cc058a6361512cc74de0e7bc1b2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8487 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Autosubmit: flokli <flokli@flokli.de>
2023-04-07 r/6072 chore(3p/sources): Bump channels & overlayssterni1-3/+3
* Satisfy new assert that the corresponding shell needs to be enabled via programs.* if it is as the login shell of at least one user. * //users/tazjin: “Address” removal of hardware.video.hidpi option. * //3p/gerrit: update fetch sha256 Change-Id: Id0988a0ea7f393d6b7848a7104fc3526ee1177f4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8407 Autosubmit: sterni <sternenseemann@systemli.org> Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-03-31 r/6064 fix(views/kit): communicate :unsign in the tvl-kit URL directlyFlorian Klink1-1/+1
Instead of prepending :unsign to all URLs in josh-proxy, and for all calls to filteredGitPush, explicitly use it only in the filter we use for the `export-kit` extraStep. This means, people cloning tvl-kit via > https://code.tvl.fyi/depot.git:workspace=views/kit.git now need to update the URL to point to > https://code.tvl.fyi/depot.git:unsign:workspace=views/kit.git instead. git@github.com:tvlfyi/kit.git will keep the same hashes, as it's updated to export the unsigned workspace view of it. This is less invasive than dooming every josh workspace to have to strip signatures. Change-Id: I6de05182fad4c3695081388c3bbf37306521d255 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8369 Autosubmit: flokli <flokli@flokli.de> Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-03-29 r/6054 fix(ops/www): allow all indexing on cl.tvl.fyiVincent Ambo1-0/+4
I *want* search engines to index our CLs, they might be useful! Change-Id: I956d92c80d812e1aefefb6daeba77a1588055b94 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8361 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: flokli <flokli@flokli.de>
2023-03-14 r/6005 feat(ops): serve Tvix website & docs on (docs.)tvix.devVincent Ambo1-0/+39
Change-Id: I198ea197867f9b9a48e51665d0665f722202e02e Reviewed-on: https://cl.tvl.fyi/c/depot/+/8299 Reviewed-by: flokli <flokli@flokli.de> Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-03-07 r/5895 chore(3p/josh): update josh to recent master commitVincent Ambo1-1/+1
It's been a long time since we updated josh, almost 400 commits in between. I read through the entire changelog, and here are relevant josh commits from in between that might be interesting to us: 38eecee Fix optimisation bug for compose filter (#1159) e1d10b6 Add :rev(...) filter 0f1a07b Initial implementation of refs locking (#929) 88cea2a Initial work on meta repo support 030ad93 Change magic refs to include "for" 28b1d75 Add split changes feature (#904) 1f908d7 Discover filters only on HEAD (#774) a368d8f Make --require-auth only apply to push 8d80230 Add :linear filter (#741) 3460ec2 Implement redundant refs filtering (#700) 55b4e50 Implement stacked changes support (#699) ea1f814 Handle @sha urls by creating magic ref (#690) 883a381 Run filter discovery only on changed refs (#685) 4bb004f Prepend refs/heads to base parameter as default (#664) Of particular interest is a368d8f, which allows us to drop our authentication patch and use the standard --require-auth flag again. The default behaviour of dropping signatures on commits (which are invalid after filtering) has also been changed in josh, now only occuring when the `:unsign` filter is present. Since this breaks commit hashes with our existing exported histories, we are opting to set a `:unsign` filter prefix on all proxy requests to ensure that the hashes stay consistent. During this update we found a bug (josh#1155) which was fixed in the commit that this CL moves josh to. Change-Id: I3afac1619f3aa90313a0441da91f0e4a96fe0a3b Reviewed-on: https://cl.tvl.fyi/c/depot/+/8186 Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2023-02-09 r/5844 chore(ops/modules): add a GECOS for my userAlyssa Ross1-0/+1
This way, I won't have to teach my name one at a time to every program that wants to know my it (e.g. git). Change-Id: I45ddd9c2343a10cd4c13bacd9a97b7470db95c14 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8038 Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2023-02-01 r/5798 fix(ops/www): increase buffer memory size for auth.tvl.fyiVincent Ambo1-0/+4
Keycloak seems to have decided today that it will now send headers that are larger than what the nginx default configuration can handle. The numbers are a mix of made up and taken from random nginx voodoo posts on the internet, so they're as good a guess as anyone's. Change-Id: If037bcba48eee371cc96304b150276c669930c75 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7992 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de> Autosubmit: tazjin <tazjin@tvl.su>
2022-12-29 r/5547 feat(ops/modules): enable mail address obfuscation in public web UIVincent Ambo1-3/+11
Change-Id: I47b5313bee84893d405f86aefb3682cda3cfc6d7 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7637 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de>
2022-12-29 r/5546 fix(ops/modules): list IMAP server on public-inbox pageVincent Ambo1-0/+1
This fix can only be applied after the upstream public-inbox fix (https://github.com/NixOS/nixpkgs/pull/207693) has been merged. Change-Id: I957473e2895b7e57baad25c9e908b36aa790f3a6 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7636 Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su>
2022-12-28 r/5515 feat(web/inbox): add landing page for inbox.tvl.suVincent Ambo1-2/+9
This landing page explains how to use the public-inbox. Change-Id: I37d74decad5173ab35051970593f1d28001af2b4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7645 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de>
2022-12-28 r/5513 style(ops/modules): add inbox email address to public-inbox headerVincent Ambo1-1/+1
Change-Id: Ib7d9089b63bba7ebc44d3438ed284e752f0595e9 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7638 Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2022-12-28 r/5512 feat(ops/modules): enable NNTP on inbox.tvl.suVincent Ambo1-2/+14
Change-Id: Iec564860a247fe51a5549129be294a3629645519 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7635 Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2022-12-28 r/5511 feat(ops/modules): enable IMAP access for public-inboxVincent Ambo1-1/+27
This sets up IMAP on inbox.tvl.su:993 I added a hack to work around problems with the NixOS ACME module. Spent way too much time of my life with problems with that module, so I only use it with blunt force these days. Others are welcome to make a cleaner solution. Change-Id: Ice828766020856cf17d2f0a5b4491f4cec8ad9b4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7633 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2022-12-27 r/5506 feat(ops/modules): index incoming mail in public-inboxVincent Ambo1-0/+4
Change-Id: I8a3e2c0e789057fd1edd015ccb8fdcc0cbb52cd8 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7631 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de>
2022-12-27 r/5505 feat(ops/modules): configure offlineimap for depot@tvl.suVincent Ambo1-1/+48
On the machine running public-inbox, this will start automatically fetching mails from depot@tvl.su and making them available to public-inbox. Change-Id: I2469207bd41d64eba747a74ae5fda9fed548cc83 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7630 Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2022-12-27 r/5503 feat(ops/modules): set up public-inbox at inbox.tvl.suVincent Ambo2-0/+74
Initial setup which does not yet include fetching mails at all, this is for now only going to display a manually populated view of the existing mailing list while the rest of this stuff is set up. Change-Id: Ie1235bd257c9056fe37d0740dfca771ebdd880eb Reviewed-on: https://cl.tvl.fyi/c/depot/+/7628 Reviewed-by: flokli <flokli@flokli.de> Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI
2022-12-05 r/5390 fix(ops/modules): regularly restart panettone for b/225Vincent Ambo1-0/+11
Change-Id: I27565e0e462ecb431d0f82bb3f6026b1eb369279 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7504 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-11-07 r/5260 fix(ops/machines/whitby): serve grafana at status.tvl.su againsterni1-1/+1
This is a follow up to cl/7191 which neglected to adjust the status.tvl.su.nix module and re-enable it. Change-Id: Icc1917004cd50e5eab61a29bc68b393ba9bd6325 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7226 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: grfn <grfn@gws.fyi>
2022-10-03 r/5025 fix(ops/www): fix port templating for keycloakVincent Ambo1-1/+1
Change-Id: I714b12f996d7dbe705f1f553d449f2dbc4910b1e Reviewed-on: https://cl.tvl.fyi/c/depot/+/6848 Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-09-28 r/4980 chore(3p/sources): Bump channels & overlayssterni5-6/+6
Upstream nixpkgs removed a lot of aliases this time, so we needed to do the following transformations. It's a real shame that aliases only really become discoverable easily when they are removed. * runCommandNoCC -> runCommand * gmailieer -> lieer We also need to work around the fact that home-manager hasn't catched on to this rename. * mysql -> mariadb * pkgconfig -> pkg-config This also affects our Nix fork which needs to be bumped. * prometheus_client -> prometheus-client * rxvt_unicode -> rxvt-unicode-unwrapped * nix-review -> nixpkgs-review * oauth2_proxy -> oauth2-proxy Additionally, some Go-related builders decided to drop support for passing the sha256 hash in directly, so we need to use the generic hash arguments. Change-Id: I84aaa225ef18962937f8616a9ff064822f0d5dc3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/6792 Autosubmit: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: flokli <flokli@flokli.de> Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: wpcarro <wpcarro@gmail.com>
2022-09-19 r/4923 feat(monorepo-gerrit): swap owners plugin for code-ownersLuke Granger-Brown1-1/+10
Change-Id: I9e05384b58dac258bc2da41c22e321b20451ef00 Reviewed-on: https://cl.tvl.fyi/c/depot/+/6686 Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: lukegb <lukegb@tvl.fyi> Tested-by: BuildkiteCI
2022-09-13 r/4829 feat(ops/modules): deploy tvixbolt to tvixbolt.tvl.suVincent Ambo1-0/+19
Change-Id: I534cf918fc3e03ce8c14cf15f6d3280b6a657c8d Reviewed-on: https://cl.tvl.fyi/c/depot/+/6536 Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-08-25 r/4490 fix: reflect renames of Nix configuration optionssterni1-3/+3
Change-Id: I7e28ac3d71acd7d99a1d3ef97bef9422097e4abf Reviewed-on: https://cl.tvl.fyi/c/depot/+/6154 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2022-08-13 r/4426 chore(3p/sources): Bump channels & overlaysVincent Ambo1-1/+1
* tvl-slapd: move database to subdirectory (somehow now required) Change-Id: I1792b856cf68b11959c0cc9caab4135e556f8c58 Reviewed-on: https://cl.tvl.fyi/c/depot/+/6090 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi>
2022-07-28 r/4337 feat(ops/www): add predlozhnik redirect on tazj.inVincent Ambo1-0/+4
otherwise posting this to reddit's /r/russian is not possible, as they ban all links to Russian-affiliated sites Change-Id: I8d23f0961ec7ef097fc2dbdd0aaa178861a19c10 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5992 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-07-19 r/4306 fix(ops/www): redirect very old tazj.in feed URLs correctlyVincent Ambo1-0/+4
at some point in the far past, there was an RSS feed at `/en/rss.xml`. It seems to still get a single hit or so every hour, which currently 404s. Change-Id: Ieb13c2c0232861a50a54bc2a4087d9ccb21185cf Reviewed-on: https://cl.tvl.fyi/c/depot/+/5962 Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-07-18 r/4305 fix(ops/www): issue certificate for 'www.tazj.in'Vincent Ambo1-0/+1
Change-Id: I6179f785bb6bd6168a2a11836b90da5ee93adc69 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5953 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: tazjin <tazjin@tvl.su>
2022-07-12 r/4295 refactor(ops/cgit): make user configurableVincent Ambo1-3/+19
on whitby, cgit runs as the gerrit user to get access to serving gerrit's repositories directly. on other machines (e.g. sanduny) this isn't necessary, as we have a world-readable depot replica. Change-Id: Ibf7e7cc08e5909e0fa182e561ab0cb472188edcb Reviewed-on: https://cl.tvl.fyi/c/depot/+/5932 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-07-12 r/4294 fix(depot-replica): make the depot replica world readableVincent Ambo1-1/+1
Change-Id: Idc0b5210793ab0d83b3ac99cf36d7f7f02a35a37 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5931 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-07-03 r/4274 feat(ops): configure depot replication to sandunyVincent Ambo1-0/+13
this configures gerrit's built-in replication plugin to push every change in depot to sanduny. this allows us to serve a replica of depot from sanduny. manual config that was needed which needs to be automated: * system-wide known_hosts does not work, needed one in /var/lib/git * .ssh/config MUST be present and configured for sanduny.tvl.su Change-Id: Iba399f2328abb5acb65dae19a36e265eea0952ac Reviewed-on: https://cl.tvl.fyi/c/depot/+/5915 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org>
2022-07-03 r/4272 feat(ops/modules): add module for receiving a depot replicaVincent Ambo1-0/+45
This module sets up a user with an SSH key and permissions to receive a (pushed) replica of depot from Gerrit. This still needs appropriate configuration in Gerrit's replication plugin on the other end. This module has been enabled for sanduny. For now it does not (yet) configure git serving. Change-Id: I0fb6f7e696609e71008308e855bdf305dcbcd4f7 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5913 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org>
2022-06-27 r/4254 refactor(web/cgit-tvl): Move cgit config back out of moduleVincent Ambo3-105/+39
It occured to me yesterday that with the config inside of the module it is kind of difficult to test cgit locally. This moves it back to a separate location (//web/cgit-tvl) and makes the most important things configurable via overrides. Change-Id: I9b0f4c60b75c31441e1718e63b5b55aba3100aae Reviewed-on: https://cl.tvl.fyi/c/depot/+/5893 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-28 r/4174 chore(ops/sourcegraph): Bump to 3.40.0Vincent Ambo1-1/+1
Change-Id: I77438201d8ed5237095b3d2e8a855dec3e58b641 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5766 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 r/4173 chore(ops/sourcegraph): Bump to 3.39.1Vincent Ambo1-1/+1
Change-Id: I76d0a3ede7cc23a9a6e8db61ed7e9d91670f1699 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5765 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 r/4172 chore(ops/sourcegraph): Bump to 3.38.1Vincent Ambo1-1/+1
Change-Id: Ib1f4f9591acab537607c9d9c9b123e9c711e331b Reviewed-on: https://cl.tvl.fyi/c/depot/+/5764 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 r/4171 chore(ops/sourcegraph): Bump to 3.37.0Vincent Ambo1-1/+1
Change-Id: If333f28dd0bec4eb965a6e3005ef5aca810c86f3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5763 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 r/4170 chore(ops/sourcegraph): Bump to 3.36.3Vincent Ambo1-1/+1
Change-Id: I3a6caeeb06919b25a9c1200c8f286b0bd34916b2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5762 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 r/4169 chore(ops/sourcegraph): Bump to 3.35.2Vincent Ambo1-1/+1
Change-Id: Ia829b4ffa2e7e37438f766d0ff98e504c0d856b4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5755 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 r/4167 chore(ops/sourcegraph): Bump to 3.34.2Vincent Ambo1-1/+1
Change-Id: I865335006a091986f8a98e4d5da7161a25e948d9 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5754 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 r/4166 chore(ops/sourcegraph): Bump to 3.33.2Vincent Ambo1-1/+1
Change-Id: I6568e3226a7ff0796cbf3748c0dab1530fb0fb6a Reviewed-on: https://cl.tvl.fyi/c/depot/+/5753 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 r/4165 chore(ops/sourcegraph): Bump to 3.32.1Vincent Ambo1-1/+1
Change-Id: I8efdf3dbfc5575f24c8e6996a7716d308f1446df Reviewed-on: https://cl.tvl.fyi/c/depot/+/5752 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-27 r/4164 fix(tvl-slapd): load argon2 module with new nameVincent Ambo1-1/+1
This became an "official" module and dropped the `pw-` prefix. Relates to b/184 Change-Id: I963f83b55b83015b022ab1b8330ea710d2258631 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5751 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-27 r/4147 fix(ops/modules): Increase `RestartSec=` of oauth2_proxy serviceVincent Ambo1-0/+1
When Keycloak and oauth2_proxy are restarted simultaneously, the latter might try to come up (repeatedly!) before Keycloak can serve it properly. This leads to systemd considering the unit failed. Since this all happens in the span of a second or so, slightly increase the restart delay of the service to ensure it comes back after Keycloak is ready. A "proper" fix might be to add a script that runs before the actual service and waits for Keycloak, but I don't want to prioritise that right now. Change-Id: I4dadba686de60ffc103fe889ce19f05ca1d7d4fe Reviewed-on: https://cl.tvl.fyi/c/depot/+/5695 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-26 r/4122 fix(ops/modules): adapt for changed ssh.knownHostsVincent Ambo1-3/+3
Somehow this ended up generating an empty file, with this change it is fine again. I was looking at the recent commits of the module in nixpkgs but couldn't quite figure it out, there are also some vague references to the attribute set key being used as a hostname, but this doesn't seem to be true in practice. To be clear, the previous code was wrong, but at some point it generated a file that accidentally worked. Change-Id: I42d55730c09daafe6d6fe0eb3647135e84737bca Reviewed-on: https://cl.tvl.fyi/c/depot/+/5670 Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su>
2022-05-25 r/4118 feat(whitby): Deploy private SSH key for build agentsVincent Ambo1-0/+1
Change-Id: I5b1dfaaf28e835cac5b897e18b015d90ac3b2857 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5665 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi>