about summary refs log tree commit diff
path: root/ops
AgeCommit message (Collapse)AuthorFilesLines
2021-12-19 r/3302 feat(whitby): Add buildkite agents to docker groupGriffin Smith1-1/+1
I'd like to be able to run extra CI steps that include running docker containers (to integration test things like webapps that connect to a database). To do this the buildkite agents themselves need permission to do docker things. Change-Id: I3c9a488708f0e12a508754ac41f04148ca7aedac Reviewed-on: https://cl.tvl.fyi/c/depot/+/4408 Tested-by: BuildkiteCI Autosubmit: grfn <grfn@gws.fyi> Reviewed-by: tazjin <mail@tazj.in>
2021-12-17 r/3288 fix(ops/diogenes): Ensure diogenes buildsWilliam Carroll1-0/+1
diogenes "passed" CI because the file was named configuration.nix (vestage from the NixOS default /etc/nixos/configuration). This CL fixes some issues I encountered after running depot/bin/rebuild-system. TL;DR: - rename configuration.nix -> default.nix to trigger CI - add diogenes to my systems - add public SSH key Change-Id: I24197b8936c201267db6f71f00099dce590eac1d Reviewed-on: https://cl.tvl.fyi/c/depot/+/4388 Tested-by: BuildkiteCI Reviewed-by: wpcarro <wpcarro@gmail.com> Reviewed-by: tazjin <mail@tazj.in> Autosubmit: wpcarro <wpcarro@gmail.com>
2021-12-16 r/3272 feat(wpcarro/marcus): Add marcus to the depotWilliam Carroll1-0/+4
me: marcus, meet depot. depot, meet marcus. Change-Id: Ic6a25ac85e4c7f6dfea2a42b46a4400f92df70a2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4351 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2021-12-16 r/3270 feat(ops/users): Add user zserizseri1-0/+5
Submitted via IRC, instead of the usual Google Groups due to email issues. Change-Id: I71a2bdfd10b02370df61bbba4dabc2f45b6c1009 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4384 Tested-by: BuildkiteCI Autosubmit: sterni <sternenseemann@systemli.org> Reviewed-by: tazjin <mail@tazj.in>
2021-12-16 r/3266 feat(ops/modules): Provide some modules to all nixosesGriffin Smith2-1/+13
For modules that are gated behind a mkEnableOption, it's reasonable to just provide them to all Depot-built nixos systems without requiring people to explicitly import them. This defines a special module called `default-imports.nix` which imports these modules (currently just tvl-cache.nix and automatic-gc.nix, as I'm being rather conservative adding things here to avoid breaking anyone's system), then provides that module as one of the `modules` passed at the top-level nixos/eval-config invocation. Change-Id: I3be299ab10ae4c451ef11c514edb3c89318a2278 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4345 Tested-by: BuildkiteCI Autosubmit: grfn <grfn@gws.fyi> Reviewed-by: tazjin <mail@tazj.in>
2021-12-15 r/3261 feat(ops/modules): Add shared module for TVL cacheGriffin Smith1-0/+19
Add a shared nixos module for configuring whitby as a binary nix cache, and refactor tverskoy to use this module. This is enabled via an option to pave the way for including it as an import in all depot-generated nixos configs at some point in the future. Change-Id: I6dcc0e8eb48b1ac34457666dceebeedd5da6c526 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4344 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: wpcarro <wpcarro@gmail.com> Autosubmit: grfn <grfn@gws.fyi>
2021-12-15 r/3253 fix(ops/besadii): Don't send notifications for CI statusGriffin Smith1-0/+8
Don't notify reviewers ever on CI status changes, and only notify the owner if the build fails. Change-Id: If2cf63581b49e3de77181024ce8a4213031f4bd5 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4337 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Autosubmit: grfn <grfn@gws.fyi>
2021-12-15 r/3250 fix(ops/pipelines): Allow steps to run immediately after uploadVincent Ambo1-0/+11
This fix was recommended by Buildkite and is explained in the comment. Change-Id: I3f1c1c07cba0b417857d69c021c8af4750d645c4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4334 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-12-15 r/3248 fix(ops/pipelines): Chunk build pipeline into multiple uploadsVincent Ambo2-10/+51
The number of jobs in the depot pipeline is reaching the limits of the Buildkite backend's ability for a single pipeline upload. Based on a conversation with their support my understanding is that this has to do with internal locking mechanisms at Buildkite. To work around this, we can instead chunk the pipeline into several smaller chunks that are uploaded serially. This commit introduces logic to chunk the pipeline accordingly. The chunk size chosen is 256 for now (a multiple of our number of agents, which is useful if we can get builds from the first chunk to start before the next ones are uploaded). Note that this chunk size is significantly below even the current number of targets (~460 as of this commit), but choosing a lower chunk size might alleviate problems we've been seeing with timeouts during pipeline uploads. Change-Id: I77030aaf8b874c330218b78c77d15216e13b9af7 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4332 Tested-by: BuildkiteCI Reviewed-by: wpcarro <wpcarro@gmail.com> Autosubmit: tazjin <mail@tazj.in>
2021-12-14 r/3244 docs(ops/irccat): link to credentials RFEFlorian Klink1-0/+4
https://cl.tvl.fyi/c/depot/+/4264 did move merging config with secrets into ExecStart=, which is tracked in an RFE upstream: https://github.com/systemd/systemd/issues/19604#issuecomment-989279884 We didn't link to this so far, neither in the commit message, nor in a comment. Let's add a comment, so people know when we can undo this. Change-Id: I7bed370b671093bb876592b4dccd562f1c256cd2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4326 Tested-by: BuildkiteCI Autosubmit: flokli <flokli@flokli.de> Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi>
2021-12-14 r/3240 docs(ops/pipelines/depot): correct comment about fallback build cmdsterni1-4/+3
We can gcroot the derivation files and drop this step, but have elected not to do so for the moment, see cl/3436. Change-Id: I993a1f3921e9f21e18fa260e76d3dd15ffa556bd Reviewed-on: https://cl.tvl.fyi/c/depot/+/4327 Tested-by: BuildkiteCI Autosubmit: sterni <sternenseemann@systemli.org> Reviewed-by: tazjin <mail@tazj.in>
2021-12-14 r/3237 feat(besadii): Make Gerrit label configurableÅsmund Østvold1-5/+11
By default besadii will set the `Verified` label in Gerrit. This adds a config option to set a different label instead if desired. Co-authored-by: Vincent Ambo <mail@tazj.in> Change-Id: I254159e46994e01182987ed5e5e26e27c57f46ce
2021-12-13 r/3220 feat(ops/users): Add wpcarroVincent Ambo1-0/+5
... this was overdue! Change-Id: I435768007db4a0f3663e1aa9376e8cae4d1d0381
2021-12-13 r/3219 chore(ops/users): Rotate password hash for asmundoVincent Ambo1-1/+1
New hash received via an authenticated channel, of course. Change-Id: Idca688d8a8bb2e943aef3937f54d292b48f79fad
2021-12-13 r/3218 feat(ops/whitby): install alacritty terminfosterni1-0/+1
alacritty is used by grfn atm. Change-Id: I10dacd301044f9c37790e22e955cb068fcbd2cfc
2021-12-13 r/3211 feat(ops/whitby): add terminfos for other terminals usedsterni1-0/+2
* foot (me) * kitty (lukegb) Change-Id: I65303e39c4adb05e362792a544134fc2884175bf
2021-12-13 r/3210 feat(whitby): Add some more useful programsVincent Ambo1-0/+3
I keep using these in nix-shell but really they should just be installed. Change-Id: Ic2c36bae8b582fef88029b288accdfd3c8bc0f1b
2021-12-12 r/3209 feat(ops/secrets): Make (encrypted) secrets part of the treeVincent Ambo2-1/+22
Currently in NixOS configuration using agenix secrets there is no build time validation of secret paths - things fail at runtime (system activation). To prevent that, this CL makes the secrets part of the tree based on the same configuration file used by agenix itself. This guards against: * agenix secrets.nix definition for a non-existent file * age.secrets value in a NixOS config for a non-existent secret Change-Id: I5b191dcbd5b2522566ff7c38f8a988bbf7679364
2021-12-11 r/3208 chore(ops/secrets): Reencrypt all secrets with sterni includedVincent Ambo12-63/+81
Change-Id: I14043c2bd9da43a6b7de65baf0ebb75eaf3c4e22
2021-12-11 r/3207 feat(ops/secrets): add keys for sternisterni1-1/+5
Change-Id: Idf13f7737dd51e74e87093e07cdf22ad24407944
2021-12-10 r/3205 fix(ops/secrets): Fix missing fileVincent Ambo1-0/+13
... okay, this is like the 5th error related to something with this and file paths. Need to write some validation logic. Change-Id: I4314818aa1bc25b8cf7bd3593850d3836ccb867c
2021-12-10 r/3204 fix(tvl-buildkite): Use supported credential helper binary nameVincent Ambo1-1/+1
Git only allows binary names prefixed with `git-credential-` if the path to the helper is not absolute. Why? Who knows. Change-Id: I216b2a621f62a73f05e21def7ec8016b29ede892
2021-12-10 r/3203 refactor(ops): Move panettone secrets to agenixVincent Ambo3-2/+4
Relates to b/161 Change-Id: I508e5a0eacab668f4bd39a2c888d894b96bed093
2021-12-10 r/3202 refactor(ops/pipelines): Use agenix-deployed besadii secretsVincent Ambo1-2/+2
I *think* this is the final step for b/161 Change-Id: Ie7a2198a045f2f1866a245884ab0f5414e205327
2021-12-10 r/3201 fix(whitby): Fix typo in buildkite-agents group nameVincent Ambo1-2/+2
... really would like some assertion helpers for this sort of stuff. Change-Id: I32d1de18ebfbbdfa5128a8fbdad2efcc511f8514
2021-12-10 r/3200 refactor(tvl-buildkite): Prepare gerrit credentials helperVincent Ambo1-0/+6
Currently this functionality is provided by a shell script stored in /etc/secrets (which has the password value hardcoded). This needs to happen in a separate commit from the one that changes the pipeline to avoid breaking it (it needs to be deployed first). Change-Id: I680754c828ccefbacfcf0d5c813a4bc19493ba4c
2021-12-10 r/3199 refactor(ops): Move Nix cache secret to agenixVincent Ambo5-3/+35
... and also the public key, just to keep the distribution mechanism the same. Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
2021-12-10 r/3198 refactor(ops): Use besadii configuration from agenixVincent Ambo5-2/+29
We already checked this in, but this commit adds the configuration for making use of it. There are two copies of besadii's JSON configuration with different permissions. Note that the buildkite-graphql-token path needs to be updated in static-pipeline.yml, but this needs to happen in a separate commit after deploy because the pipeline will break otherwise. Change-Id: I6fab4bf1a2e679df7cf76521e2b53bd9dadbac62
2021-12-10 r/3197 refactor(ops): Move grafana secret into agenixVincent Ambo3-1/+3
Change-Id: Id141758135c796881e91d20b950dae74c40d9ab3
2021-12-10 r/3194 fix(tvl-buildkite): Add more missing programs to agent pathVincent Ambo1-0/+2
... this option really is a pitfall! The list of programs is now the same as in the upstream module, plus curl and jq. Change-Id: I29edae4b2400a2724f62df9efa1dc184a8b0af5f
2021-12-10 r/3191 fix(ops/irccat): Avoid permissions issue with LoadCredentials=Vincent Ambo2-15/+8
The DynamicUser + Group configuration does not work as planned, thus the systemd LoadCredentials feature is used instead which makes the file (which itself is only readable by root) available in a memory-backed location only readable by the service. The secret is only available to `ExecStart` commands, so units using this feature can not be used with pre/post units and the like if those commands need secrets. To accommodate this, the merge of configuration files has been moved into the service launch script, which is now the ExecStart= process. For details take a look at https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LoadCredential=ID:PATH Change-Id: I693fe5677cc0d63c7aa485c2c7472457c5262166
2021-12-10 r/3190 fix(tvl-buildkite): Explicitly set runtimePackagesVincent Ambo1-1/+5
It turns out the lib.mkAfter call doesn't behave as expected - only *some* of the packages that are defaulted end up in the $PATH. I suspect this is actually something else, e.g. these packages are always added for some reason or another, and the option is completely overridden every time. Change-Id: I854c7198520d82b00e6338ed0fe653836226dc6d
2021-12-10 r/3189 chore(ops/secrets): Reencrypt with grfn's key includedVincent Ambo7-18/+21
Change-Id: I66df150ab5070a81a92f0741334639df9df1f86f
2021-12-10 r/3188 chore(ops/users): Rotate password for grfnGriffin Smith1-1/+1
Just a regular password rotation, plus I wasn't using argon2 unlike everyone else. Change-Id: Ic57fe79a2dbfdc15397d20f6b2b47c6aac911d29
2021-12-10 r/3187 feat(ops/secrets): Add key for grfnGriffin Smith1-1/+5
Change-Id: I8063ae804932e3815e9a499e0206806818b9b021
2021-12-10 r/3185 fix(tvl-buildkite): Add missing runtimePackages backVincent Ambo1-1/+5
Turns out that the type of this option is not concatenative and it replaces the packages needed to run Buildkite if set. Change-Id: I9f52572bc165bccdd8c6518cfdf7b8967f7a50d0
2021-12-10 r/3184 refactor(ops): Move irccat secret into agenixVincent Ambo4-3/+31
The irccat module uses DynamicUser, so to grant permission to it a new group has been added for irccat. I have some vague memory of DynamicUser + Group not behaving as one would expect, but we'll see what happens. Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
2021-12-10 r/3183 refactor(ops): Move clbot SSH key into agenixVincent Ambo3-2/+8
Change-Id: Iae03ead7dda0509689a76f0d76f9cfeb8434e967
2021-12-10 r/3180 chore(whitby): Remove shadowsocks serviceVincent Ambo1-6/+0
No longer required on whitby. Change-Id: I93951c6b708eae81ddb03df920a4068c1ccde9e7
2021-12-10 r/3178 fix(ops/pipelines): Move :anchor: to static pipelineVincent Ambo2-20/+18
This step would get inserted at the wrong point in the build pipeline otherwise, causing a dependency cycle and causing the pipeline to fail. Change-Id: I534568eec77f74ae6c47276820f8a9e99493a3ea
2021-12-10 r/3177 refactor(ops/pipelines): Move :duck: logic into static pipelineVincent Ambo3-49/+37
This simplifies the fallback logic used in case of Nix evaluation failure and makes it so that the evaluation step itself is the one that is marked as failed in Buildkite. This is possible because the pipeline upload command will insert new steps at the point where it runs in the pipeline, and not later. Change-Id: I870534c004ebc457a1602623c4e5f9c0c68e28fc
2021-12-10 r/3176 refactor(ops): Move buildkite-agent-token into agenixVincent Ambo4-1/+18
Relates to b/161 Change-Id: I5d3a698d437928966d8b78ce9e0ba226c1437655
2021-12-10 r/3175 refactor(ops): Move owothia secret into agenixVincent Ambo4-2/+4
Relates to b/161 Change-Id: I25445281b0dd3c3f3660f8bb0d8337506a1e427b
2021-12-10 r/3174 refactor(ops): Move clbot secret into agenixVincent Ambo4-4/+25
Relates to b/161 Change-Id: I7badf22ff93bb4e8b06e4dd4a8bf880b0bd48f09
2021-12-10 r/3173 feat(ops/secrets): Configure secrets for gerrit-queueVincent Ambo3-0/+16
Adds a systemd EnvironmentFile secret that contains the Gerrit username & password for gerrit-queue. Change-Id: I25acf87764c26774045138402b8a417b6813ee8f
2021-12-10 r/3172 feat(ops/modules): Add module for running gerrit-queueVincent Ambo2-0/+55
This is not yet including the secret configuration for gerrit-queue, and just expects the secret (gerrit username & password) to be available in /etc/secrets. Change-Id: Ia465ef7f3f521c70d606d7fdeba9aa83c7e1b98b
2021-12-10 r/3171 chore(tvl-buildkite): Add jq and curl to agent pathsVincent Ambo1-0/+1
This is required for a simplification of the build pipeline (following CL) and needs to be in a separate commit as it can not be done atomically (merging the other commit to deploy it would immediately break pipelines otherwise). Change-Id: I5d8ec8f3238f79b5518d799486bf98d1d9516c43
2021-12-08 r/3159 feat(ops/secrets): Bootstrap agenix secrets folderVincent Ambo4-0/+15
Sets up the key set and adds an initial secret (besadii config with tokens) to be deployed to whitby. Change-Id: Ic07fd5e66b9e7a533013e04c35e052c2aa11f77d
2021-12-07 r/3150 chore(besadii): Improve error messages on parse failureVincent Ambo1-2/+2
Change-Id: I3cc4637aca8a940a0fdeca2d8bd6ac620ea384c0
2021-12-07 r/3149 fix(ops/besadii): Unquote Gerrit's extra-quotes around emailsVincent Ambo1-0/+6
Gerrit wraps RFC5322 emails in another layer of quotes when passing them as flags, and this needs to be unquoted. Otherwise hook invocations fail with cryptic errors. Change-Id: Ieeb74c662873d99a4154f8cbc92da77b039cb88e