Age | Commit message (Collapse) | Author | Files | Lines |
|
This points to a "GitHub App" now
("https://github.com/organizations/tvlfyi/settings/apps"), rather than an
"OAuth App"
("https://github.com/organizations/tvlfyi/settings/applications").
Apparently this makes a big difference, and we should be using a "GitHub
App", not an "OAuth App".
The defails on why are in
https://github.com/keycloak/keycloak/issues/9429#issuecomment-1578953468
The App can be configured at
https://github.com/organizations/tvlfyi/settings/apps/tvl-keycloak .
With this, we should get rid of spurious Exceptions with some GitHub
users trying to log in, hopefully fixing https://b.tvl.fyi/issues/201.
Change-Id: I25d0d6cd1b05ad54ed3d760d3a48ce1f430c0e7d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12413
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: Ib83f22b8ee4c79b61b9be9d8cd176d759f6081ab
Reviewed-on: https://cl.tvl.fyi/c/depot/+/11772
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
|
|
For the duration of the sprint, this bot will take care of
synchronising the IRC channel with the Telegram group.
After the sprint, it will be removed again.
Change-Id: I6d5b1316fc85ddd26adf55e31f6bff742907fc24
Reviewed-on: https://cl.tvl.fyi/c/depot/+/11727
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
|
|
Change-Id: I6c6847fac56f0a9a1a2209792e00a3aec5e672b9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/10809
Autosubmit: aspen <root@gws.fyi>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
|
|
Enables the new autosubmit bot, albeit without rebase
functionality (this will be a separate change).
Change-Id: Ia42a4f08c0edca5e6cc8bf4770ec24dbf16a5db7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/10132
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
|
|
This was already removed from whitby a while ago, no reason to keep
this secret.
Change-Id: I4742dd0138a3eff91325c94e44e64b72c644ee3c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8915
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Change-Id: I9ede20028560f2da0fef89dfe431609c21bda51c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8005
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
|
|
Change-Id: I52299b39d1d68ee1b700b631f70ef809af682e26
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8004
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
|
|
Change-Id: If3b3981e5d68ceba2bcc85ed0ad9cc0b46148b74
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7629
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
|
|
For some reason Terraform decided that it would otherwise like
to *delete* this configuration, which is undesirable.
Note that there is a "magic" special behaviour when the `alias` and
`provider_id` are set to the name of a built-in supported
provider (github, gitlab etc.), which lets us skip the
authorization_url setup.
Change-Id: Ib66154c2896dda162c57bdc2d7964a9fa4e15f20
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6706
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
|
|
Change-Id: Iaf86d1fe635be8fbd9bc8a397999a2cffcc21606
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5914
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Change-Id: I0930f4fb34015ddcaa791b07e4d5d87d069d2b0a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5837
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
Change-Id: Icc53b161b260632e50b7bdc4c908912fd377bb87
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5771
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
The public key is:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIME13zAw3Fk6qsbWCe6mH2zkxOJ+NmG+FwMjLw00mcWt buildkite@tvl
Change-Id: Ia8591e5df42727e4068f26865d83d0af85424fde
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5664
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Change-Id: Ieb2fe49a67940d7cfbd261edbe10d0a8577a466d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5628
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
This changes the structure of secrets.nix a bit to split between
secrets for whitby, and secrets for all TVL machines.
Change-Id: I791f0ce42a16b33051e24a7a6c5b153761ed9eb3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5300
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
|
|
This CL can be used to compare the style of nixpkgs-fmt against other
formatters (nixpkgs, alejandra).
Change-Id: I87c6abff6bcb546b02ead15ad0405f81e01b6d9e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4397
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: Profpatsch <mail@profpatsch.de>
Reviewed-by: kanepyork <rikingcoding@gmail.com>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: cynthia <cynthia@tvl.fyi>
Reviewed-by: edef <edef@edef.eu>
Reviewed-by: eta <tvl@eta.st>
Reviewed-by: grfn <grfn@gws.fyi>
|
|
This isn't actually used by anything that would use agenix, but this
seems like a vaguely sensible way of sharing the token with other people
regardless.
Anyone who finds this commit and wants to be added to the telegram
channel where the alerts go, lmk.
Change-Id: I06d6ed2d4bec099cbf68ede8fd00a5e6f4e7bc60
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5124
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
|
|
The cookie secret in the encrypted file was too long, because the
generation command in the oauth2_proxy docs is also wrong. Should
probably fix that upstream as well.
Also noticed that an extra '2' snuck into the service name and fixed
that.
Change-Id: I9a344a75993ab1f98299a8d45e7f5b2e146b7fc5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4957
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
The intent is to configure oauth2_proxy pointing at Keycloak to enable
usage with nginx auth_request directives.
I want to expose this as a function from within the module in which
nginx server configuration blocks can be wrapped, but the function for
that is currently a placeholder.
Change-Id: I5ed7deb9bf1c62818f516e68c33e8c5b632fccfe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4767
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
Change-Id: I489e611a3fb19b4a374a563aa1afd81a130b2e7f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4759
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <mail@tazj.in>
|
|
Change-Id: I592c8f2f82cef8fe4509e90a8c48504a0c74d133
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4688
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: zseri <zseri.devel@ytrizja.de>
Tested-by: BuildkiteCI
|
|
Adds the secrets and some instructions for deploying the GleSYS
Terraform infrastructure.
Change-Id: I1a10f9cee7648d406b3d27ef45fc74b6923cbc30
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4712
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
This should never sit around locally the way it does now.
Change-Id: Icfbdaf1949d6d948a796a0759282ea6144af3621
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4709
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
This file can be sourced (somehow, depending on the user) while
working with //ops/keycloak to get the relevant secrets.
Change-Id: Ibb3051c4b019f64824964475451c1c3996db6421
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4708
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
|
|
Grafana was still pointing at the (now non-existent) CAS setup. This
changes the endpoints to use Keycloak instead and updates the client
secret.
Change-Id: Ib25d38330aba2ef6d894e8c33d86852c884ab5be
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4706
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
|
|
Generalize out a reusable mkSecrets function from the
secrets-tree-building that's happening in //ops/secrets, so the same
thing can happen in other places in the depot (I want to use it for my
personal infrastructure).
Change-Id: I059295c8c257d78ad7fa0802859f57c2c105f29b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4679
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
|
|
Change-Id: Ic3fce02b071c09cf03e652510f16bafb795a5a1d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4614
Autosubmit: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: grfn <grfn@gws.fyi>
|
|
Gerrit has OAuth2 and email related secrets which now live in agenix
instead of a random file on disk.
Change-Id: I6220fbb7a2e2ec0102a900b4bcf6150b8b4d32ef
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4612
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
|
|
Trialing this as an alternative to CAS that is a little easier to
configure and can help us delegate authentication to other OIDC
services.
Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
|
|
Currently in NixOS configuration using agenix secrets there is no
build time validation of secret paths - things fail at runtime (system
activation).
To prevent that, this CL makes the secrets part of the tree based on
the same configuration file used by agenix itself.
This guards against:
* agenix secrets.nix definition for a non-existent file
* age.secrets value in a NixOS config for a non-existent secret
Change-Id: I5b191dcbd5b2522566ff7c38f8a988bbf7679364
|
|
Change-Id: I14043c2bd9da43a6b7de65baf0ebb75eaf3c4e22
|
|
Change-Id: Idf13f7737dd51e74e87093e07cdf22ad24407944
|
|
... okay, this is like the 5th error related to something with this
and file paths. Need to write some validation logic.
Change-Id: I4314818aa1bc25b8cf7bd3593850d3836ccb867c
|
|
Relates to b/161
Change-Id: I508e5a0eacab668f4bd39a2c888d894b96bed093
|
|
... and also the public key, just to keep the distribution mechanism
the same.
Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
|
|
We already checked this in, but this commit adds the configuration for
making use of it.
There are two copies of besadii's JSON configuration with different
permissions.
Note that the buildkite-graphql-token path needs to be updated in
static-pipeline.yml, but this needs to happen in a separate commit
after deploy because the pipeline will break otherwise.
Change-Id: I6fab4bf1a2e679df7cf76521e2b53bd9dadbac62
|
|
Change-Id: Id141758135c796881e91d20b950dae74c40d9ab3
|
|
Change-Id: I66df150ab5070a81a92f0741334639df9df1f86f
|
|
Change-Id: I8063ae804932e3815e9a499e0206806818b9b021
|
|
The irccat module uses DynamicUser, so to grant permission to it a new
group has been added for irccat.
I have some vague memory of DynamicUser + Group not behaving as one
would expect, but we'll see what happens.
Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
|
|
Change-Id: Iae03ead7dda0509689a76f0d76f9cfeb8434e967
|
|
Relates to b/161
Change-Id: I5d3a698d437928966d8b78ce9e0ba226c1437655
|
|
Relates to b/161
Change-Id: I25445281b0dd3c3f3660f8bb0d8337506a1e427b
|
|
Relates to b/161
Change-Id: I7badf22ff93bb4e8b06e4dd4a8bf880b0bd48f09
|
|
Adds a systemd EnvironmentFile secret that contains the Gerrit
username & password for gerrit-queue.
Change-Id: I25acf87764c26774045138402b8a417b6813ee8f
|
|
Sets up the key set and adds an initial secret (besadii config with
tokens) to be deployed to whitby.
Change-Id: Ic07fd5e66b9e7a533013e04c35e052c2aa11f77d
|
|
This removes almost all of the GCP-infrastructure leftovers from my
previous setup.
The DNS configuration is retained, but moves to my user folder
instead.
Change-Id: I1867acd379443882f11a3c645846c9902eadd5b0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/782
Tested-by: BuildkiteCI
Reviewed-by: eta <eta@theta.eu.org>
Reviewed-by: isomer <isomer@tvl.fyi>
|
|
|
|
|