path: root/ops/secrets
Age | Commit message | Author | Files | Lines
2024-09-01 | r/8634 fix(ops/keycloak): update client ID and client secret | Florian Klink | 1 | -0/+0
This points to a "GitHub App" now ("https://github.com/organizations/tvlfyi/settings/apps"), rather than an "OAuth App" ("https://github.com/organizations/tvlfyi/settings/applications"). Apparently this makes a big difference, and we should be using a "GitHub App", not an "OAuth App". The details on why are in https://github.com/keycloak/keycloak/issues/9429#issuecomment-1578953468 The App can be configured at https://github.com/organizations/tvlfyi/settings/apps/tvl-keycloak. With this, we should get rid of spurious Exceptions with some GitHub users trying to log in, hopefully fixing https://b.tvl.fyi/issues/201. Change-Id: I25d0d6cd1b05ad54ed3d760d3a48ce1f430c0e7d Reviewed-on: https://cl.tvl.fyi/c/depot/+/12413 Autosubmit: flokli <flokli@flokli.de> Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2024-06-09 | r/8234 feat(tazjin/keys): add SSH key for arbat | Vincent Ambo | 1 | -0/+3
Change-Id: Ib83f22b8ee4c79b61b9be9d8cd176d759f6081ab Reviewed-on: https://cl.tvl.fyi/c/depot/+/11772 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: tazjin <tazjin@tvl.su>
2024-05-26 | r/8171 feat(ops/modules): launch teleirc for Volga Sprint | Vincent Ambo | 2 | -0/+4
For the duration of the sprint, this bot will take care of synchronising the IRC channel with the Telegram group. After the sprint, it will be removed again. Change-Id: I6d5b1316fc85ddd26adf55e31f6bff742907fc24 Reviewed-on: https://cl.tvl.fyi/c/depot/+/11727 Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2024-02-14 | r/7511 chore(users): grfn -> aspen | Aspen Smith | 1 | -5/+5
Change-Id: I6c6847fac56f0a9a1a2209792e00a3aec5e672b9 Reviewed-on: https://cl.tvl.fyi/c/depot/+/10809 Autosubmit: aspen <root@gws.fyi> Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2023-11-27 | r/7078 chore(ops): move from gerrit-queue to gerrit-autosubmit | Vincent Ambo | 2 | -1/+1
Enables the new autosubmit bot, albeit without rebase functionality (this will be a separate change). Change-Id: Ia42a4f08c0edca5e6cc8bf4770ec24dbf16a5db7 Reviewed-on: https://cl.tvl.fyi/c/depot/+/10132 Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su>
2023-07-01 | r/6383 chore(ops/secrets): drop oauth2_proxy.age | Florian Klink | 2 | -1/+0
This was already removed from whitby a while ago, no reason to keep this secret. Change-Id: I4742dd0138a3eff91325c94e44e64b72c644ee3c Reviewed-on: https://cl.tvl.fyi/c/depot/+/8915 Autosubmit: flokli <flokli@flokli.de> Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2023-02-01 | r/5810 feat(ops/secrets): add flokli to terraform secrets access | Vincent Ambo | 25 | -138/+135
Change-Id: I9ede20028560f2da0fef89dfe431609c21bda51c Reviewed-on: https://cl.tvl.fyi/c/depot/+/8005 Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2023-02-01 | r/5808 feat(ops/secrets): add key for flokli | Florian Klink | 1 | -0/+3
Change-Id: I52299b39d1d68ee1b700b631f70ef809af682e26 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8004 Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2022-12-27 | r/5504 feat(ops/secrets): add secret for IMAP to depot@tvl.su | Vincent Ambo | 2 | -0/+18
Change-Id: If3b3981e5d68ceba2bcc85ed0ad9cc0b46148b74 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7629 Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2022-09-20 | r/4930 feat(ops/keycloak): import github identity provider configuration | Vincent Ambo | 1 | -0/+0
For some reason Terraform decided that it would otherwise like to *delete* this configuration, which is undesirable. Note that there is a "magic" special behaviour when the `alias` and `provider_id` are set to the name of a built-in supported provider (github, gitlab etc.), which lets us skip the authorization_url setup. Change-Id: Ib66154c2896dda162c57bdc2d7964a9fa4e15f20 Reviewed-on: https://cl.tvl.fyi/c/depot/+/6706 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-07-03 | r/4273 feat(ops/secrets): add private key for depot git replication | Vincent Ambo | 2 | -1/+2
Change-Id: Iaf86d1fe635be8fbd9bc8a397999a2cffcc21606 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5914 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org>
2022-06-06 | r/4211 feat(ops/secrets): Add Buildkite API token for Terraform | Vincent Ambo | 2 | -0/+17
Change-Id: I0930f4fb34015ddcaa791b07e4d5d87d069d2b0a Reviewed-on: https://cl.tvl.fyi/c/depot/+/5837 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-28 | r/4179 feat(ops/secrets): Add OAuth2 client secret for panettone | Vincent Ambo | 1 | -15/+16
Change-Id: Icc53b161b260632e50b7bdc4c908912fd377bb87 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5771 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2022-05-25 | r/4117 feat(ops/secrets): Add private SSH key for Buildkite agent(s) | Vincent Ambo | 2 | -0/+1
The public key is: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIME13zAw3Fk6qsbWCe6mH2zkxOJ+NmG+FwMjLw00mcWt buildkite@tvl Change-Id: Ia8591e5df42727e4068f26865d83d0af85424fde Reviewed-on: https://cl.tvl.fyi/c/depot/+/5664 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-17 | r/4092 chore(ops/secrets): add key for tazjin/zamalek | Vincent Ambo | 21 | -105/+123
Change-Id: Ieb2fe49a67940d7cfbd261edbe10d0a8577a466d Reviewed-on: https://cl.tvl.fyi/c/depot/+/5628 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2022-02-17 | r/3841 feat(ops/secrets): Add journaldriver key | Vincent Ambo | 2 | -20/+23
This changes the structure of secrets.nix a bit to split between secrets for whitby, and secrets for all TVL machines. Change-Id: I791f0ce42a16b33051e24a7a6c5b153761ed9eb3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5300 Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su>
2022-01-31 | r/3723 style: format entire depot with nixpkgs-fmt | Vincent Ambo | 2 | -4/+5
This CL can be used to compare the style of nixpkgs-fmt against other formatters (nixpkgs, alejandra). Change-Id: I87c6abff6bcb546b02ead15ad0405f81e01b6d9e Reviewed-on: https://cl.tvl.fyi/c/depot/+/4397 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: wpcarro <wpcarro@gmail.com> Reviewed-by: Profpatsch <mail@profpatsch.de> Reviewed-by: kanepyork <rikingcoding@gmail.com> Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: cynthia <cynthia@tvl.fyi> Reviewed-by: edef <edef@edef.eu> Reviewed-by: eta <tvl@eta.st> Reviewed-by: grfn <grfn@gws.fyi>
2022-01-29 | r/3714 feat(ops/secrets): Add secret for telegram alerts bot token | Griffin Smith | 2 | -0/+15
This isn't actually used by anything that would use agenix, but this seems like a vaguely sensible way of sharing the token with other people regardless. Anyone who finds this commit and wants to be added to the telegram channel where the alerts go, lmk. Change-Id: I06d6ed2d4bec099cbf68ede8fd00a5e6f4e7bc60 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5124 Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-01-17 | r/3616 fix(ops/oauth2_proxy): Fix cookie secret length | Vincent Ambo | 1 | -0/+0
The cookie secret in the encrypted file was too long, because the generation command in the oauth2_proxy docs is also wrong. Should probably fix that upstream as well. Also noticed that an extra '2' snuck into the service name and fixed that. Change-Id: I9a344a75993ab1f98299a8d45e7f5b2e146b7fc5 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4957 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-04 | r/3518 feat(ops): Add initial oauth2_proxy configuration | Vincent Ambo | 2 | -0/+1
The intent is to configure oauth2_proxy pointing at Keycloak to enable usage with nginx auth_request directives. I want to expose this as a function from within the module in which nginx server configuration blocks can be wrapped, but the function for that is currently a placeholder. Change-Id: I5ed7deb9bf1c62818f516e68c33e8c5b632fccfe Reviewed-on: https://cl.tvl.fyi/c/depot/+/4767 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2022-01-01 | r/3508 feat(ops/secrets): Add smtprelay credentials | Vincent Ambo | 2 | -0/+15
Change-Id: I489e611a3fb19b4a374a563aa1afd81a130b2e7f Reviewed-on: https://cl.tvl.fyi/c/depot/+/4759 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: tazjin <mail@tazj.in>
2021-12-27 | r/3482 refactor(ops/secrets): optimize + typecheck mkSecrets | zseri | 1 | -11/+19
Change-Id: I592c8f2f82cef8fe4509e90a8c48504a0c74d133 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4688 Reviewed-by: zseri <zseri.devel@ytrizja.de> Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: lukegb <lukegb@tvl.fyi> Autosubmit: zseri <zseri.devel@ytrizja.de> Tested-by: BuildkiteCI
2021-12-27 | r/3474 feat(ops/secrets): Import secrets for tf-glesys | Vincent Ambo | 2 | -0/+1
Adds the secrets and some instructions for deploying the GleSYS Terraform infrastructure. Change-Id: I1a10f9cee7648d406b3d27ef45fc74b6923cbc30 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4712 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 | r/3471 fix(ops/keycloak): Move Terraform state to GleSYS bucket | Vincent Ambo | 1 | -12/+13
This should never sit around locally the way it does now. Change-Id: Icfbdaf1949d6d948a796a0759282ea6144af3621 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4709 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 | r/3470 feat(ops/secrets): Add tf-keycloak secrets file | Vincent Ambo | 2 | -0/+14
This file can be sourced (somehow, depending on the user) while working with //ops/keycloak to get the relevant secrets. Change-Id: Ibb3051c4b019f64824964475451c1c3996db6421 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4708 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 | r/3468 fix(whitby): Point grafana at new auth provider | Vincent Ambo | 1 | -14/+12
Grafana was still pointing at the (now non-existent) CAS setup. This changes the endpoints to use Keycloak instead and updates the client secret. Change-Id: Ib25d38330aba2ef6d894e8c33d86852c884ab5be Reviewed-on: https://cl.tvl.fyi/c/depot/+/4706 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 | r/3453 refactor(ops/secrets): generalize out a mkSecrets function | Griffin Smith | 2 | -21/+22
Generalize out a reusable mkSecrets function from the secrets-tree-building that's happening in //ops/secrets, so the same thing can happen in other places in the depot (I want to use it for my personal infrastructure). Change-Id: I059295c8c257d78ad7fa0802859f57c2c105f29b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4679 Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: zseri <zseri.devel@ytrizja.de> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI
2021-12-26 | r/3410 feat(monorepo-gerrit): Configure for Keycloak compatibility | Vincent Ambo | 1 | -0/+0
Change-Id: Ic3fce02b071c09cf03e652510f16bafb795a5a1d Reviewed-on: https://cl.tvl.fyi/c/depot/+/4614 Autosubmit: tazjin <mail@tazj.in> Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: grfn <grfn@gws.fyi>
2021-12-25 | r/3402 refactor(ops/whitby): Move Gerrit secrets into agenix | Vincent Ambo | 2 | -0/+16
Gerrit has OAuth2 and email related secrets which now live in agenix instead of a random file on disk. Change-Id: I6220fbb7a2e2ec0102a900b4bcf6150b8b4d32ef Reviewed-on: https://cl.tvl.fyi/c/depot/+/4612 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-12-25 | r/3401 feat(whitby): Configure initial Keycloak setup | Vincent Ambo | 2 | -0/+1
Trialing this as an alternative to CAS that is a little easier to configure and can help us delegate authentication to other OIDC services. Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-12-12 | r/3209 feat(ops/secrets): Make (encrypted) secrets part of the tree | Vincent Ambo | 1 | -0/+21
Currently in NixOS configuration using agenix secrets there is no build time validation of secret paths - things fail at runtime (system activation). To prevent that, this CL makes the secrets part of the tree based on the same configuration file used by agenix itself. This guards against:
* agenix secrets.nix definition for a non-existent file
* age.secrets value in a NixOS config for a non-existent secret
Change-Id: I5b191dcbd5b2522566ff7c38f8a988bbf7679364
2021-12-11 | r/3208 chore(ops/secrets): Reencrypt all secrets with sterni included | Vincent Ambo | 12 | -63/+81
Change-Id: I14043c2bd9da43a6b7de65baf0ebb75eaf3c4e22
2021-12-11 | r/3207 feat(ops/secrets): add keys for sterni | sterni | 1 | -1/+5
Change-Id: Idf13f7737dd51e74e87093e07cdf22ad24407944
2021-12-10 | r/3205 fix(ops/secrets): Fix missing file | Vincent Ambo | 1 | -0/+13
... okay, this is like the 5th error related to something with this and file paths. Need to write some validation logic. Change-Id: I4314818aa1bc25b8cf7bd3593850d3836ccb867c
2021-12-10 | r/3203 refactor(ops): Move panettone secrets to agenix | Vincent Ambo | 1 | -0/+1
Relates to b/161 Change-Id: I508e5a0eacab668f4bd39a2c888d894b96bed093
2021-12-10 | r/3199 refactor(ops): Move Nix cache secret to agenix | Vincent Ambo | 3 | -0/+25
... and also the public key, just to keep the distribution mechanism the same. Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
2021-12-10 | r/3198 refactor(ops): Use besadii configuration from agenix | Vincent Ambo | 2 | -0/+10
We already checked this in, but this commit adds the configuration for making use of it. There are two copies of besadii's JSON configuration with different permissions. Note that the buildkite-graphql-token path needs to be updated in static-pipeline.yml, but this needs to happen in a separate commit after deploy because the pipeline will break otherwise. Change-Id: I6fab4bf1a2e679df7cf76521e2b53bd9dadbac62
2021-12-10 | r/3197 refactor(ops): Move grafana secret into agenix | Vincent Ambo | 2 | -0/+1
Change-Id: Id141758135c796881e91d20b950dae74c40d9ab3
2021-12-10 | r/3189 chore(ops/secrets): Reencrypt with grfn's key included | Vincent Ambo | 7 | -18/+21
Change-Id: I66df150ab5070a81a92f0741334639df9df1f86f
2021-12-10 | r/3187 feat(ops/secrets): Add key for grfn | Griffin Smith | 1 | -1/+5
Change-Id: I8063ae804932e3815e9a499e0206806818b9b021
2021-12-10 | r/3184 refactor(ops): Move irccat secret into agenix | Vincent Ambo | 2 | -1/+13
The irccat module uses DynamicUser, so to grant permission to it a new group has been added for irccat. I have some vague memory of DynamicUser + Group not behaving as one would expect, but we'll see what happens. Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
2021-12-10 | r/3183 refactor(ops): Move clbot SSH key into agenix | Vincent Ambo | 2 | -0/+1
Change-Id: Iae03ead7dda0509689a76f0d76f9cfeb8434e967
2021-12-10 | r/3176 refactor(ops): Move buildkite-agent-token into agenix | Vincent Ambo | 2 | -0/+11
Relates to b/161 Change-Id: I5d3a698d437928966d8b78ce9e0ba226c1437655
2021-12-10 | r/3175 refactor(ops): Move owothia secret into agenix | Vincent Ambo | 2 | -1/+2
Relates to b/161 Change-Id: I25445281b0dd3c3f3660f8bb0d8337506a1e427b
2021-12-10 | r/3174 refactor(ops): Move clbot secret into agenix | Vincent Ambo | 2 | -0/+11
Relates to b/161 Change-Id: I7badf22ff93bb4e8b06e4dd4a8bf880b0bd48f09
2021-12-10 | r/3173 feat(ops/secrets): Configure secrets for gerrit-queue | Vincent Ambo | 2 | -0/+10
Adds a systemd EnvironmentFile secret that contains the Gerrit username & password for gerrit-queue. Change-Id: I25acf87764c26774045138402b8a417b6813ee8f
2021-12-08 | r/3159 feat(ops/secrets): Bootstrap agenix secrets folder | Vincent Ambo | 4 | -0/+15
Sets up the key set and adds an initial secret (besadii config with tokens) to be deployed to whitby. Change-Id: Ic07fd5e66b9e7a533013e04c35e052c2aa11f77d
2020-06-29 | r/1130 chore(ops): Clean up old GCP infrastructure files | Vincent Ambo | 7 | -1/+0
This removes almost all of the GCP-infrastructure leftovers from my previous setup. The DNS configuration is retained, but moves to my user folder instead. Change-Id: I1867acd379443882f11a3c645846c9902eadd5b0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/782 Tested-by: BuildkiteCI Reviewed-by: eta <eta@theta.eu.org> Reviewed-by: isomer <isomer@tvl.fyi>
2020-01-18 | r/408 feat(ops/infra/k8s): Add sourcehut configuration to sync-gcsr | Vincent Ambo | 1 | -0/+0
2020-01-05 | r/338 chore(ops/secrets): Add Google Maps API key | Vincent Ambo | 1 | -0/+0