path: root/ops/nixos
Age | Commit message | Author | Files | Lines
2020-07-23 | r/1439 feat(ops/nixos): Deploy Panettone to Whitby | Griffin Smith | 3 | -2/+64
Deploy Panettone to whitby as a systemd service, proxied to from an nginx virtual host listening at b.tvl.fyi Change-Id: I69755566151a45120e6b3453751af0e9291fa241 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1339 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2020-07-23 | r/1432 fix(whitby): Use fish shell as my default shell | Vincent Ambo | 1 | -0/+1
I don't have time for bash's history. Change-Id: I741107d33f09999ef43a7609079ad926e8127e69 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1362 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2020-07-23 | r/1431 feat(whitby): Add SSH key for qyliss | Vincent Ambo | 1 | -0/+6
... also bootstraps her user directory to store the key in. Change-Id: Iecd341c655adc7d81be5ce9eb765c531b7512e80 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1361 Tested-by: BuildkiteCI Reviewed-by: Alyssa Ross <hi@alyssa.is>
2020-07-23 | r/1430 chore(whitby): Move isomer's SSH key to user directory | Vincent Ambo | 1 | -3/+1
This is in line with how other user keys are managed. Change-Id: Ica0b3b30336aee02a78e019b13e1cf576e4e1943 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1360 Tested-by: BuildkiteCI Reviewed-by: isomer <isomer@tvl.fyi>
2020-07-19 | r/1405 feat(whitby): Deploy todo.tvl.fyi page with //web/todolist | Vincent Ambo | 2 | -0/+25
Note that this is not yet updated automatically, so the page will be stale until somebody rebuilds whitby. Change-Id: I91f4b03c9309aed289df055fac292a214dca7668 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1297 Reviewed-by: Alyssa Ross <hi@alyssa.is> Tested-by: BuildkiteCI
2020-07-18 | r/1385 chore(whitby): add riking | Kane York | 1 | -0/+6
Change-Id: I33cc1324eac9a13be56d296d09cfdbe066d90e13 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1256 Tested-by: BuildkiteCI Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: tazjin <mail@tazj.in>
2020-07-18 | r/1375 chore(tvl-slapd): add display name for qyliss | Alyssa Ross | 1 | -0/+1
Not having this set led to gerrit setting the committer to "qyliss <hi@alyssa.is>", which is wrong. Change-Id: I3fe02264e22dd6d739575b34ceb1221d1d6a9d98 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1267 Tested-by: BuildkiteCI Reviewed-by: qyliss <hi@alyssa.is>
2020-07-18 | r/1374 chore(tvl-slapd): change display name to a username-like | Kane York | 1 | -1/+1
Change-Id: I289400de6638844586a32a729333cb65a0dca4a0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1254 Tested-by: BuildkiteCI Reviewed-by: isomer <isomer@tvl.fyi> Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: tazjin <mail@tazj.in>
2020-07-17 | r/1364 feat(tvl-slapd): add qyliss | Alyssa Ross | 1 | -0/+5
Change-Id: Ia95c77be8a9c123f2e52174f76c4b01d44272191 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1260 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2020-07-17 | r/1363 feat(whitby): Hardcode Google DNS servers | Vincent Ambo | 1 | -2/+18
The Hetzner DNS servers were unhappy after today's Cloudflare outage, and that broke some of our builds - this wouldn't have happened with Google DNS! Change-Id: Ib74c6de9526e739f55d4a9830d945ece35b72138 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1259 Tested-by: BuildkiteCI Reviewed-by: glittershark <grfn@gws.fyi>
2020-07-17 | r/1347 chore(whitby): += Isomer | isomer | 1 | -0/+8
Change-Id: I446ab16d009dc24340606ab2f411197af24d79c2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1142 Reviewed-by: isomer <isomer@tvl.fyi> Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: glittershark <grfn@gws.fyi> Tested-by: BuildkiteCI
2020-07-12 | r/1268 feat(whitby): Configure Gerrit backups on whitby | Vincent Ambo | 1 | -0/+22
Change-Id: I84245fb809725853a301f217cdb11eacc1984cae Reviewed-on: https://cl.tvl.fyi/c/depot/+/1103 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-07-12 | r/1267 chore(whitby): Give the git user a home directory | Vincent Ambo | 1 | -0/+2
Change-Id: I5e6e13fa8a1656434ca897c83fe7ac48eb869369 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1102 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-07-12 | r/1265 fix(www/base): Add nginx fix timer | Vincent Ambo | 1 | -1/+23
Change-Id: Iec66fea0f3991ba74aede3911ea9f6ae5adb0188 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1082 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-07-12 | r/1264 feat(whitby): Enable Gerrit & cgit deployments | Vincent Ambo | 3 | -1/+67
Change-Id: Ic701552e130252cfff005938d9c4e98423a7a96a Reviewed-on: https://cl.tvl.fyi/c/depot/+/1069 Reviewed-by: lukegb <lukegb@tvl.fyi> Tested-by: BuildkiteCI
2020-07-12 | r/1262 feat(whitby): Enable SourceGraph server | Vincent Ambo | 2 | -1/+36
Change-Id: Ia8a20d54a4ac77d64f5e3fd2255ffad78dce0fb0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1067 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-07-12 | r/1261 chore(sourcegraph): Bump version to 3.17.3 | Vincent Ambo | 1 | -1/+1
Change-Id: I6bc25d039cbe497bc9aa8784ac2f95219b5c617c Reviewed-on: https://cl.tvl.fyi/c/depot/+/1066 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-07-12 | r/1260 feat(nixos/sourcegraph): Move cheddar server to module & make ports configurable | Vincent Ambo | 1 | -6/+30
Change-Id: Iaf0c854b148062e30d426c2e92638932caf2e92e Reviewed-on: https://cl.tvl.fyi/c/depot/+/1065 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-07-12 | r/1259 feat(nixos/www): Add configuration for tvl.fyi homepage | Vincent Ambo | 2 | -0/+31
... and enable it on whitby Change-Id: Ife45f15227f9d95823ebd3b97d2a17175b84eaff Reviewed-on: https://cl.tvl.fyi/c/depot/+/1064 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-07-11 | r/1257 feat(whitby): Move over clbot deployment from camden | Vincent Ambo | 1 | -0/+22
There is only one minor configuration change: CLBot now connects to cl.tvl.fyi, instead of localhost, because Gerrit is still on camden. Change-Id: Ibd8d46ec2c18312a270471a2f0be3e58eaf0cbab Reviewed-on: https://cl.tvl.fyi/c/depot/+/1062 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-07-11 | r/1256 feat(whitby): Enable smtprelay module | Vincent Ambo | 1 | -1/+13
This is required for the Gerrit setup. Change-Id: I02e03dafe36e6c47ffabf4d590e0c6f1dea027e6 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1061 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-07-11 | r/1255 fix(monorepo-gerrit): Use Google's CDN to serve static assets | Vincent Ambo | 1 | -2/+9
Change-Id: Ib4ffc1d9b030a5982b9063c1d6322fb87ba7f910 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1022 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-07-11 | r/1254 chore(monorepo-gerrit): Increase Gerrit's heap limit to 4g | Vincent Ambo | 1 | -0/+2
(this translates to -Xmx) Change-Id: I31bbbd247952fa6a592cb66ad144025af640d2db Reviewed-on: https://cl.tvl.fyi/c/depot/+/1021 Tested-by: BuildkiteCI Reviewed-by: isomer <isomer@tvl.fyi>
2020-07-11 | r/1253 fix(monorepo-gerrit): Explicitly set gerrit.docUrl | Vincent Ambo | 1 | -0/+1
This prevents a request that takes >1s on each page load. Change-Id: Ic91bb602e3059b1f17681aa468739bb0a103f8cf Reviewed-on: https://cl.tvl.fyi/c/depot/+/1003 Tested-by: BuildkiteCI Reviewed-by: isomer <isomer@tvl.fyi>
2020-07-10 | r/1248 feat(tvl-slapd): add `andi` | Andreas Rammhold | 1 | -0/+5
Message-Id: <20200710190623.26573-1-andi@notmuch.email> Change-Id: Ibd74f93f589beecbf7fa9090550ecf95caa0a3b0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/982 Reviewed-by: tazjin <mail@tazj.in> Tested-by: BuildkiteCI
2020-07-08 | r/1241 feat(ops/nixos): Add module for running a Quassel daemon | Vincent Ambo | 1 | -0/+76
The upstream module is not flexible enough for my needs, so I made my own. Change-Id: Ie9f786da7eb8c878e0782b07a075c064ad8cd253 Reviewed-on: https://cl.tvl.fyi/c/depot/+/953 Tested-by: BuildkiteCI Reviewed-by: glittershark <grfn@gws.fyi>
2020-07-08 | r/1239 chore(apereo-cas): fix up configuration | Luke Granger-Brown | 1 | -0/+1
- X-Forwarded-Proto support so it knows it's behind TLS
- Remove extraneous logs and just log to stdout so it's caught by systemd
Change-Id: I650777bbfd24a1922f26967ffff7da06d14b6639 Reviewed-on: https://cl.tvl.fyi/c/depot/+/952 Tested-by: BuildkiteCI Reviewed-by: glittershark <grfn@gws.fyi>
2020-07-06 | r/1236 chore(ops/nixos/tvl-sso): add secrets | Luke Granger-Brown | 1 | -0/+1
Change-Id: I29f5e762852593f05b9936d5635aadcc7eba2840 Reviewed-on: https://cl.tvl.fyi/c/depot/+/951 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2020-07-06 | r/1235 fix(ops/nixos/tvl-sso): correct path to executable | Luke Granger-Brown | 1 | -1/+1
Change-Id: I29f5e762852593f05b9936d5635aadcc7eba283f Reviewed-on: https://cl.tvl.fyi/c/depot/+/950 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2020-07-06 | r/1234 feat(whitby): add apereo-cas/tvl-sso | Luke Granger-Brown | 2 | -0/+24
Change-Id: I29f5e762852593f05b9936d5635aadcc7eba283e Reviewed-on: https://cl.tvl.fyi/c/depot/+/935 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2020-07-06 | r/1230 feat(ops/nixos/www): create login.tvl.fyi host | Luke Granger-Brown | 3 | -0/+43
Change-Id: Ifad80915a61a1a5ac14e598a9d788aec3482693c Reviewed-on: https://cl.tvl.fyi/c/depot/+/936 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2020-07-06 | r/1221 feat(ops/nixos): Add generic rebuild-system script | Griffin Smith | 3 | -7/+49
This adds a first crack at one idea for a generic, non-user-specific rebuild-system script to ops.nixos.rebuild-system. The idea here is that we enumerate all the nixos systems stored in the monorepo (similarly to what we do for ci-builds right now) then search through them by hostname to find the one matching the hostname of the current system, which is an attempt at a more generic version of tazjin's rebuilder script which does the same thing but with an explicit case block. As a caveat, it feels like there's a slight possibility that this way of finding systems is going to get slow to evaluate - on my system it feels fine but if it grows out of hand it's probably feasible to just bake this into the built script as a dynamically generated case statement. Change-Id: I2e4c5401913b6f4d936ab48ba2f95f96e0e78eb4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/894 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-07-05 | r/1213 feat(whitby): enable tvl-slapd on whitby | Luke Granger-Brown | 1 | -0/+1
Change-Id: I3fac108802671abfb9a508359390b063bce16202 Reviewed-on: https://cl.tvl.fyi/c/depot/+/923 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2020-07-04 | r/1210 chore(whitby): add lukegb to trusted-users for remote builds | Luke Granger-Brown | 1 | -0/+1
Change-Id: Id1e67bb30bb7f4d329006688f1783b900d16d164 Reviewed-on: https://cl.tvl.fyi/c/depot/+/914 Tested-by: BuildkiteCI Reviewed-by: isomer <isomer@tvl.fyi>
2020-07-03 | r/1185 feat(whitby): Enable nix.sshServe | Vincent Ambo | 1 | -3/+9
This exposes a binary cache over SSH. Change-Id: Ib934a118cd7315ef76f3dfe795c76a570fbbc47a Reviewed-on: https://cl.tvl.fyi/c/depot/+/895 Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: BuildkiteCI Tested-by: BuildkiteCI
2020-07-02 | r/1174 feat(whitby): Allow wheel users to sudo without a password | Griffin Smith | 1 | -0/+7
This *should* translate to the required invocation to make sudo allow nopasswd for users in the wheel group. Change-Id: I3713862b8df9087cfbaa72d7e824bc43469f7c1c Reviewed-on: https://cl.tvl.fyi/c/depot/+/857 Reviewed-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: lukegb <lukegb@tvl.fyi> Tested-by: BuildkiteCI
2020-07-02 | r/1172 feat(whitby): Add grfn as a trusted user | Griffin Smith | 1 | -0/+4
So I can remote builder Change-Id: I8106244d3d197c010b618e4337a9ccfc13a116f8 Reviewed-on: https://cl.tvl.fyi/c/depot/+/856 Reviewed-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Tested-by: BuildkiteCI
2020-07-02 | r/1171 feat(whitby): Run a handful of Buildkite agents | Vincent Ambo | 1 | -0/+21
This is the point of the machine, after all. Change-Id: I15c11600c1c18fa8962d57f75f99a72e1553f9c2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/853 Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: BuildkiteCI Tested-by: BuildkiteCI
2020-07-02 | r/1170 feat(whitby): Enable Nix signing for the binary cache | Vincent Ambo | 1 | -0/+3
Change-Id: I9047667cc1a40668c0c7da72c070044b91b53014 Reviewed-on: https://cl.tvl.fyi/c/depot/+/852 Reviewed-by: BuildkiteCI Reviewed-by: glittershark <grfn@gws.fyi> Tested-by: BuildkiteCI
2020-07-02 | r/1169 fix(whitby): Explicitly set an interface for the v6 default gw | Vincent Ambo | 1 | -1/+5
systemd gets sad otherwise and it is very difficult to console it Change-Id: Ic6405489532c407273e5634474185f2947420b37 Reviewed-on: https://cl.tvl.fyi/c/depot/+/851 Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: BuildkiteCI Tested-by: BuildkiteCI
2020-07-02 | r/1168 feat(whitby): Add grfn | Griffin Smith | 1 | -0/+8
it's not glittershark because grfn is the username I have on my laptop and I want to be able to ssh without an `@`. Change-Id: Ie1fb6f5e12f3ac52a44680704179bd27a00a7768 Reviewed-on: https://cl.tvl.fyi/c/depot/+/850 Reviewed-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Tested-by: BuildkiteCI
2020-07-02 | r/1166 feat(whitby): add lukegb | Luke Granger-Brown | 2 | -0/+7
Change-Id: I26356632b86a64519128bc673178f1cd1b55b99b Reviewed-on: https://cl.tvl.fyi/c/depot/+/848 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: BuildkiteCI
2020-07-02 | r/1163 fix(whitby): Set correct IPv6 default gateway for Hetzner env | Vincent Ambo | 1 | -0/+1
Change-Id: Ic3d4c6ebf7c40e27a453e08295bb0f2f999c0d88 Reviewed-on: https://cl.tvl.fyi/c/depot/+/845 Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: BuildkiteCI Tested-by: BuildkiteCI
2020-07-02 | r/1160 feat(nixos/whitby): Hello, World! | Vincent Ambo | 2 | -0/+161
This adds NixOS configuration for the machine whitby.tvl.fyi. No interesting services are configured yet, so this configuration is quite plain. Change-Id: I67b7c75ebd6e298719b52e6b3bd83cc3be3c45d8 Reviewed-on: https://cl.tvl.fyi/c/depot/+/843 Tested-by: BuildkiteCI Reviewed-by: BuildkiteCI Reviewed-by: isomer <isomer@tvl.fyi> Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-07-02 | r/1158 chore(nixos/whitby): Bootstrap //ops/nixos/whitby folder | Vincent Ambo | 2 | -0/+10
Change-Id: I7d77c3ea48b181d7b9f754ac4807ed44735a8925 Reviewed-on: https://cl.tvl.fyi/c/depot/+/841 Reviewed-by: BuildkiteCI Reviewed-by: isomer <isomer@tvl.fyi> Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: glittershark <grfn@gws.fyi> Tested-by: BuildkiteCI
2020-07-02 | r/1157 chore(tvl-slapd): rotate password for riking | Kane York | 1 | -1/+1
Change-Id: I3ec53d5223a4ff0871eed7615f11f534ed74653b Reviewed-on: https://cl.tvl.fyi/c/depot/+/839 Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: BuildkiteCI Tested-by: BuildkiteCI
2020-07-01 | r/1152 chore(tvl-slapd): Remove old password generation script | Vincent Ambo | 1 | -5/+0
This does not work for ARGON2 hashes. Change-Id: I1e070fa0ff17ef21632e94e6777da637deb6f54f Reviewed-on: https://cl.tvl.fyi/c/depot/+/834 Reviewed-by: Kane York <rikingcoding@gmail.com> Reviewed-by: BuildkiteCI Tested-by: BuildkiteCI
2020-07-01 | r/1150 chore(tvl-slapd): Rotate my LDAP passwords and use ARGON2 hashes | Vincent Ambo | 1 | -2/+2
Change-Id: Id1a60121e4254e7ccff77ac17fd39d0955aedc8f Reviewed-on: https://cl.tvl.fyi/c/depot/+/832 Reviewed-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: isomer <isomer@tvl.fyi> Tested-by: BuildkiteCI
2020-07-01 | r/1149 feat(tvl-slapd): Load Argon2 password module in OpenLDAP | Vincent Ambo | 1 | -0/+15
This makes it possible to use {ARGON2} hashes instead of the current salted SHA hashes, which is a much better idea. Unfortunately the nixpkgs module does not have an option for overriding the package used, so it is overlaid into the system package set - this causes widespread rebuilds. This is fine for us for now, but I have opened a PR upstream to add a package option: https://github.com/NixOS/nixpkgs/pull/91963 Change-Id: Ib4be931d88e74b91566639f8656742cf096f6cc3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/831 Reviewed-by: BuildkiteCI Reviewed-by: isomer <isomer@tvl.fyi> Tested-by: BuildkiteCI
2020-06-30 | r/1142 feat(nixos/clbot): Add a module for running clbot | Vincent Ambo | 1 | -0/+52
Change-Id: I9c10906441c3222b74bcc820a67f11d96462fcfa Reviewed-on: https://cl.tvl.fyi/c/depot/+/821 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: BuildkiteCI