about summary refs log tree commit diff
path: root/ops/nixos
AgeCommit message (Collapse)AuthorFilesLines
2020-07-02 r/1174 feat(whitby): Allow wheel users to sudo without a passwordGriffin Smith1-0/+7
This *should* translate to the required invocation to make sudo allow nopasswd for users in the wheel group. Change-Id: I3713862b8df9087cfbaa72d7e824bc43469f7c1c Reviewed-on: https://cl.tvl.fyi/c/depot/+/857 Reviewed-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: lukegb <lukegb@tvl.fyi> Tested-by: BuildkiteCI
2020-07-02 r/1172 feat(whitby): Add grfn as a trusted userGriffin Smith1-0/+4
So I can remote builder Change-Id: I8106244d3d197c010b618e4337a9ccfc13a116f8 Reviewed-on: https://cl.tvl.fyi/c/depot/+/856 Reviewed-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Tested-by: BuildkiteCI
2020-07-02 r/1171 feat(whitby): Run a handful of Buildkite agentsVincent Ambo1-0/+21
This is the point of the machine, afterall. Change-Id: I15c11600c1c18fa8962d57f75f99a72e1553f9c2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/853 Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: BuildkiteCI Tested-by: BuildkiteCI
2020-07-02 r/1170 feat(whitby): Enable Nix signing for the binary cacheVincent Ambo1-0/+3
Change-Id: I9047667cc1a40668c0c7da72c070044b91b53014 Reviewed-on: https://cl.tvl.fyi/c/depot/+/852 Reviewed-by: BuildkiteCI Reviewed-by: glittershark <grfn@gws.fyi> Tested-by: BuildkiteCI
2020-07-02 r/1169 fix(whitby): Explicitly set an interface for the v6 default gwVincent Ambo1-1/+5
systemd gets sad otherwise and it is very difficult to console it Change-Id: Ic6405489532c407273e5634474185f2947420b37 Reviewed-on: https://cl.tvl.fyi/c/depot/+/851 Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: BuildkiteCI Tested-by: BuildkiteCI
2020-07-02 r/1168 feat(whitby): Add grfnGriffin Smith1-0/+8
it's not glittershark because grfn is the username I have on my laptop and I want to be able to ssh without an `@`. Change-Id: Ie1fb6f5e12f3ac52a44680704179bd27a00a7768 Reviewed-on: https://cl.tvl.fyi/c/depot/+/850 Reviewed-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Tested-by: BuildkiteCI
2020-07-02 r/1166 feat(whitby): add lukegbLuke Granger-Brown2-0/+7
Change-Id: I26356632b86a64519128bc673178f1cd1b55b99b Reviewed-on: https://cl.tvl.fyi/c/depot/+/848 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: BuildkiteCI
2020-07-02 r/1163 fix(whitby): Set correct IPv6 default gateway for Hetzner envVincent Ambo1-0/+1
Change-Id: Ic3d4c6ebf7c40e27a453e08295bb0f2f999c0d88 Reviewed-on: https://cl.tvl.fyi/c/depot/+/845 Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: BuildkiteCI Tested-by: BuildkiteCI
2020-07-02 r/1160 feat(nixos/whitby): Hello, World!Vincent Ambo2-0/+161
This adds NixOS configuration for the machine whitby.tvl.fyi. No interesting services are configured yet, so this configuration is quite plain. Change-Id: I67b7c75ebd6e298719b52e6b3bd83cc3be3c45d8 Reviewed-on: https://cl.tvl.fyi/c/depot/+/843 Tested-by: BuildkiteCI Reviewed-by: BuildkiteCI Reviewed-by: isomer <isomer@tvl.fyi> Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-07-02 r/1158 chore(nixos/whitby): Bootstrap //ops/nixos/whitby folderVincent Ambo2-0/+10
Change-Id: I7d77c3ea48b181d7b9f754ac4807ed44735a8925 Reviewed-on: https://cl.tvl.fyi/c/depot/+/841 Reviewed-by: BuildkiteCI Reviewed-by: isomer <isomer@tvl.fyi> Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: glittershark <grfn@gws.fyi> Tested-by: BuildkiteCI
2020-07-02 r/1157 chore(tvl-slapd): rotate password for rikingKane York1-1/+1
Change-Id: I3ec53d5223a4ff0871eed7615f11f534ed74653b Reviewed-on: https://cl.tvl.fyi/c/depot/+/839 Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: BuildkiteCI Tested-by: BuildkiteCI
2020-07-01 r/1152 chore(tvl-slapd): Remove old password generation scriptVincent Ambo1-5/+0
This does not work for ARGON2 hashes. Change-Id: I1e070fa0ff17ef21632e94e6777da637deb6f54f Reviewed-on: https://cl.tvl.fyi/c/depot/+/834 Reviewed-by: Kane York <rikingcoding@gmail.com> Reviewed-by: BuildkiteCI Tested-by: BuildkiteCI
2020-07-01 r/1150 chore(tvl-slapd): Rotate my LDAP passwords and use ARGON2 hashesVincent Ambo1-2/+2
Change-Id: Id1a60121e4254e7ccff77ac17fd39d0955aedc8f Reviewed-on: https://cl.tvl.fyi/c/depot/+/832 Reviewed-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: isomer <isomer@tvl.fyi> Tested-by: BuildkiteCI
2020-07-01 r/1149 feat(tvl-slapd): Load Argon2 password module in OpenLDAPVincent Ambo1-0/+15
This makes it possible to use {ARGON2} hashes instead of the current salted SHA hashes, which is a much better idea. Unfortunately the nixpkgs module does not have an option for overridding the package used, so it is overlaid into the system package set - this causes widespread rebuilds. This is fine for us for now, but I have opened a PR upstream to add a package option: https://github.com/NixOS/nixpkgs/pull/91963 Change-Id: Ib4be931d88e74b91566639f8656742cf096f6cc3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/831 Reviewed-by: BuildkiteCI Reviewed-by: isomer <isomer@tvl.fyi> Tested-by: BuildkiteCI
2020-06-30 r/1142 feat(nixos/clbot): Add a module for running clbotVincent Ambo1-0/+52
Change-Id: I9c10906441c3222b74bcc820a67f11d96462fcfa Reviewed-on: https://cl.tvl.fyi/c/depot/+/821 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: BuildkiteCI
2020-06-30 r/1141 feat(tvl-slapd): update camsbury in slapdCameron Kingsbury1-1/+1
Change-Id: Idce92352ad01f85bd7fbb102decdd1df26dda5f4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/823 Reviewed-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Tested-by: BuildkiteCI
2020-06-30 r/1140 fix(nixos/smtprelay): Only enable if the user asks for itVincent Ambo1-1/+2
Change-Id: Ifbdf9bf9e89a1da68e8c823f61a33275183afcb1 Reviewed-on: https://cl.tvl.fyi/c/depot/+/822 Reviewed-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi> Tested-by: BuildkiteCI
2020-06-27 r/1095 chore(tvl-slapd): sort alphabeticallyProfpatsch1-5/+5
bad ericvolp12 Change-Id: I508c7de48d4c2a7c734c38f79d0efeafec5d1e34 Reviewed-on: https://cl.tvl.fyi/c/depot/+/622 Reviewed-by: Profpatsch <mail@profpatsch.de>
2020-06-27 r/1094 feat(tvl-slapd): add ProfpatschProfpatsch1-0/+5
Change-Id: I2d865a5271e7a3a2fe17009b306fe3f561a1290f Reviewed-on: https://cl.tvl.fyi/c/depot/+/621 Reviewed-by: tazjin <mail@tazj.in>
2020-06-26 r/1093 feat(tvl-slapd): add artemist to slapdArtemis Tosini1-0/+5
Signed-off-by: Artemis Tosini <me@artem.ist> Change-Id: I11fc0cb58660d3cc55c6cf5489cc872a51454cb5 Reviewed-on: https://cl.tvl.fyi/c/depot/+/609 Reviewed-by: tazjin <mail@tazj.in>
2020-06-23 r/1071 feat(tvl-slapd): add camsbury to slapdCameron Kingsbury1-0/+5
add camsbury From ccd385879ed384389983f4ddc55ef675f40e6119 Mon Sep 17 00:00:00 2001 From: Cameron Kingsbury <camsbury7@gmail.com> Date: Tue, 23 Jun 2020 14:13:51 -0400 Subject: [PATCH] feat(tvl-slapd): add camsbury to slapd Change-Id: I0fbf05ca80a006c9b2055509661fc1e93211e30f Reviewed-on: https://cl.tvl.fyi/c/depot/+/565 Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: tazjin <mail@tazj.in>
2020-06-20 r/1047 feat(monorepo-gerrit): Use Sourcegraph as the gitweb for GerritVincent Ambo1-10/+10
This points commit/file/etc. links from Gerrit to Sourcegraph instead of cgit. There's a minor problem with this: Some, but not all unsubmitted CLs are missing in Sourcegraph for unclear reasons so they lead to 404s. That problem is unrelated to this change and something we need to investigate separately. Change-Id: I9b0c1eca8781dc96984ba09b4a71960eb43583bd Reviewed-on: https://cl.tvl.fyi/c/depot/+/541 Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-06-20 r/1046 chore(nixos/sourcegraph): Configure Sourcegraph to use CheddarVincent Ambo1-0/+2
Change-Id: I2b91bef97c16254ffefcbc4da48ef161a859e7a0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/521 Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-06-17 r/1008 fix(monorepo-gerrit): Use displayName attribute as accountFullNameVincent Ambo1-1/+1
This attribute makes much more sense in this position semantically. Change-Id: I16cc6304f42c577a2368bd7c9573fcb7dd276a9d Reviewed-on: https://cl.tvl.fyi/c/depot/+/448 Reviewed-by: riking <rikingcoding@gmail.com>
2020-06-17 r/1007 refactor(tvl-slapd): Move user definitions into Nix codeVincent Ambo2-125/+107
Implements a function that generates the LDIF record for each user and templates it into the configuration. This is slightly more user-friendly and less error-prone (people kept getting the DNs wrong) than editing the contents manually. Change-Id: Ic419d2ef464f9a94be5d54b666f7d53134b53eed Reviewed-on: https://cl.tvl.fyi/c/depot/+/447 Reviewed-by: riking <rikingcoding@gmail.com>
2020-06-16 r/1002 chore: Remove traces of HoundVincent Ambo1-62/+0
We can always revert this if we want it back. Change-Id: I1332b6dd541199584b7b5b94a8651172d79e53a9 Reviewed-on: https://cl.tvl.fyi/c/depot/+/442 Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-06-16 r/1000 fix(monorepo-gerrit): Don't expire sessions unreasonably quicklyVincent Ambo1-0/+1
Changes the default session timeout to 3 months, which is a lot more reasonable than the default of 12 hours. See https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#cache.name.maxAge Change-Id: I33bce8b072d64ab07f1b954c11068595dca5def7 Reviewed-on: https://cl.tvl.fyi/c/depot/+/431 Reviewed-by: riking <rikingcoding@gmail.com>
2020-06-16 r/995 feat(nixos/sourcegraph): Add a module for running SourceGraphVincent Ambo1-0/+26
This module spins up the Sourcegraph container. Builds: Note that this is contrary to how our other deployments work, but packaging Sourcegraph is quite difficult (it's a Gitlab style deployment with a lot of moving parts and third-party things that it bundles). If we decide to keep it around, we will want to look at packaging it in Nix in the future. Deployment: The deployment is a hack. Sourcegraph does not support public instances, but we want it to be public. To work around this we have configured HTTP-proxy based authentication (i.e. auth via a header) and hardcoded a static header. This works, but lets anonymous users change the "Anonymous" user's settings. We can expect this to get defaced (profile picture, name etc), until we figure out how to write some nginx configuration to drop those requests. See git-bug for details. The Sourcegraph configuration is also not checked in to the repository. It's unclear where in the data directory it is stored. Change-Id: I414ff11c3b49989b6792d697bffc8a0edf96c9cb Reviewed-on: https://cl.tvl.fyi/c/depot/+/425 Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-06-16 r/984 feat(tvl-slapd): Enable ericvolp12 user in LDAPEric Volpert1-0/+9
Thanks. Change-Id: I5df1e5075b2e056ebde3e66e1cf17b220d650977 Reviewed-on: https://cl.tvl.fyi/c/depot/+/398 Reviewed-by: tazjin <mail@tazj.in>
2020-06-15 r/972 fix(ops/nixos/tvl-slapd): Sort users & fix glittershark's DNVincent Ambo1-9/+9
Change-Id: I33feedacfadaae53da000aff7d42fa06d2189f52 Reviewed-on: https://cl.tvl.fyi/c/depot/+/391 Reviewed-by: tazjin <mail@tazj.in>
2020-06-15 r/971 chore(ops/nixos/tvl-slapd): add glittersharkGriffin Smith1-0/+9
Change-Id: I2e537079b88a3857964c6b7c66cd9221ca580958 Reviewed-on: https://cl.tvl.fyi/c/depot/+/390 Reviewed-by: tazjin <mail@tazj.in>
2020-06-15 r/961 chore(monorepo-gerrit): Remove 'owners-autoassign' pluginVincent Ambo1-1/+0
This plugin just blindly assigns everyone and, as q3k has already pointed out, just isn't particularly useful. We might want to roll our own, for example: 19: 40:41 <+Remosi> I want the virtual owner thing, we could call it Gerrit Workgroup Synthesizer Queuing, or gwsq for short. Change-Id: Ib12a921ae4047ac6a734035dd0900c8964fb12d8 Reviewed-on: https://cl.tvl.fyi/c/depot/+/350 Reviewed-by: riking <rikingcoding@gmail.com>
2020-06-14 r/955 fix(3p/gerrit): Fix Gerrit derivation name and module configurationVincent Ambo1-0/+2
Without these changes, the NixOS module isn't able to use the new Gerrit derivation. These changes are already deployed as I needed to make them to get Gerrit back up. Change-Id: Iad3aa6158789a014134fddccd40b508b81486100 Reviewed-on: https://cl.tvl.fyi/c/depot/+/301 Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-06-14 r/944 feat(tvl-slapd): add cynthia to slapdCynthia Revström1-0/+9
Change-Id: Ifb55ebd234d15fbaa6ef2e71f97ba7b8203ffcd9 Reviewed-on: https://cl.tvl.fyi/c/depot/+/255 Reviewed-by: tazjin <mail@tazj.in>
2020-06-13 r/941 refactor(ops/nixos): Move my NixOS configurations to //users/tazjinVincent Ambo20-1258/+7
NixOS modules move one level up because it's unlikely that //ops/nixos will contain actual systems at this point (they're user-specific). This is the first users folder, so it is also added to the root readTree invocation for the repository. Change-Id: I546c701145fa204b7ba7518a8a56a783588629e0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/244 Reviewed-by: tazjin <mail@tazj.in>
2020-06-13 r/937 feat(tvl-slapd): add eta to slapdeta1-0/+9
Change-Id: Ib34d59006645b992bd7b6cbd04fc7121ad3f0219 Reviewed-on: https://cl.tvl.fyi/c/depot/+/223 Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-06-13 r/936 feat(monorepo-gerrit): Include owners & owners-autoassign pluginsVincent Ambo1-0/+5
Change-Id: I62b90fb94293fc5148fe0fd7a06ea3d0e4d44199 Reviewed-on: https://cl.tvl.fyi/c/depot/+/222 Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-06-13 r/934 fix(monorepo-gerrit): Do not place hooks in $out/binVincent Ambo1-2/+2
Gerrit does not expect a bin/ there. Change-Id: I907f96690b8c6bb614dc11889712d7b122c5d5cf Reviewed-on: https://cl.tvl.fyi/c/depot/+/181 Reviewed-by: tazjin <mail@tazj.in>
2020-06-13 r/933 feat(camden): add builds shortlinkKane York1-1/+2
Change-Id: Iedd524d775349f24c13fe7c118830b7d4dfdec49 Reviewed-on: https://cl.tvl.fyi/c/depot/+/81 Reviewed-by: tazjin <mail@tazj.in>
2020-06-13 r/932 feat(monorepo-gerrit): Enable Gerrit hooks & configure besadiiVincent Ambo1-2/+11
Loads the 'hooks' plugin into Gerrit, which - as per my interpretation of the docs - is going to execute any hooks for which there are matching binaries. The intention here is that besadii should implement most of the hooks we care about. As a start, it is symlinked here to the `ref-updated` hook. Change-Id: I6482a9d71cc08908c29dd10f786cbba32b33d04d
2020-06-13 r/930 feat(monorepo-gerrit): Enable download-commands pluginVincent Ambo1-0/+9
This enables the display of various download commands on change pages, which makes things like checking out refs for review locally easier. Change-Id: I3c29854aa0cf1aa393efb89b7516bbf84e0083d4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/162 Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-06-13 r/929 fix(monorepo-gerrit): Configure advertised address for SSH correctlyVincent Ambo1-0/+1
This is a prerequisite for setting up the download-commands plugin. Change-Id: I7803ef18be759f95aec020e4a00ca8e0fb48bfe0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/161 Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-06-13 r/927 chore(monorepo-gerrit): Point SMTP configuration at smtprelayVincent Ambo1-5/+4
Change-Id: I33085974fb3764f8a6df7f16245b2f5602f94118 Reviewed-on: https://cl.tvl.fyi/c/depot/+/102 Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-06-13 r/926 feat(tvl-slapd): Add nyanotech to slapd, sort the listnyanotech1-19/+28
Change-Id: I9ffd2fb3b9ae3f6c8c381f496769eb8977caadeb Reviewed-on: https://cl.tvl.fyi/c/depot/+/124 Reviewed-by: riking <rikingcoding@gmail.com>
2020-06-13 r/924 feat(nixos/smtprelay): Add derivation & module for SMTP relayVincent Ambo2-0/+64
This adds a little tool that can be used to relay mail to Gmail (and other SMTP servers). It is intended to be used by Gerrit, which is incompatible with Gmail's SMTP servers. Configuration has been tested by performing a few sends through the tvlbot@tazj.in account. Note that this is using the standard Gmail SMTP server. Using the smtp-relay server relies on IP whitelisting, but camden.tazj.in has a larger number of IPv6 addresses than can be whitelisted (the maximum is 65k). This means that we are limited to 2000 mails per recipient per day, which should be fine. Change-Id: Ie43564d753030f5c800a9cdb4ae98292877d80dc Reviewed-on: https://cl.tvl.fyi/c/depot/+/101 Reviewed-by: edef <edef@edef.eu>
2020-06-12 r/923 feat(monorepo-gerrit): Configure outbound emails for reviewsVincent Ambo1-0/+19
Configures Gerrit send emails from tvlbot@tazj.in for outgoing review notifications. Emails are always plain-text and can contain diffs (up to a maximum size of 256KiB). The configuration options for this are documented at: https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#sendemail Note: The password for this user is stored on the host, in a file that is not part of version-control and is only readable by the 'git' user. We should probably figure out a way to do secrets management ... Change-Id: I2f99b34b1a774c28d814b0aba1f1b78fd512854e Reviewed-on: https://cl.tvl.fyi/c/depot/+/92 Reviewed-by: riking <rikingcoding@gmail.com>
2020-06-12 r/920 feat(camden): Move hound to cs.tvl.fyiVincent Ambo1-13/+22
The old host at cs.tazj.in now redirects there, and I've added a helper function for creating these redirections. Change-Id: I66794d752df46c8e795e47aedfaffd8c27c45627 Reviewed-on: https://cl.tvl.fyi/c/depot/+/89 Reviewed-by: riking <rikingcoding@gmail.com> Reviewed-by: tazjin <mail@tazj.in>
2020-06-12 r/919 fix(camden): addSSL -> forceSSL for all pagesVincent Ambo1-4/+4
Change-Id: I451d1bc1a21d4ff25c0c70c963cf17bb924961db Reviewed-on: https://cl.tvl.fyi/c/depot/+/84 Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-06-12 r/918 chore(ops/nixos/modules): Add edef to slapdedef1-0/+9
Change-Id: I063a09cdc3bb81397a44f7356f1c11ebd715f74f Reviewed-on: https://cl.tvl.fyi/c/depot/+/88 Reviewed-by: tazjin <mail@tazj.in>
2020-06-12 r/917 feat(camden): add /irc/ shortlinkKane York1-0/+2
Change-Id: If17c758c323aaf00fdf26ddfafaea10acbf1453e Reviewed-on: https://cl.tvl.fyi/c/depot/+/70 Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: riking <rikingcoding@gmail.com>