path: root/ops
Age | Revision | Commit message | (Author; files changed, -lines/+lines)

2022-01-21 r/3653 refactor(depotfmt): Move formatting check into an extra step (Vincent Ambo; 1 file, -8/+1)
Change-Id: I7e4cf6bb2351bd11a5396f1663c0d4cc97c0d94e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5009
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: ezemtsov <eugene.zemtsov@gmail.com>

2022-01-20 r/3650 feat(ops/pipelines): Trigger pipeline for tvl-kit through canon (Vincent Ambo; 1 file, -0/+10)
This CI pipeline in Buildkite verifies the external (josh-provided) view of the depot at //views/kit. See https://buildkite.com/tvl/tvl-kit

Note that this always triggers a build of HEAD. This is because we don't know the transformed commit ID, and we currently have no way to pass a ref through. The pipeline is configured to skip intermediate builds. I asked Buildkite for some ideas on how to improve this, let's see.
Change-Id: I6c60fb1ea7606c1c90219ef04fd7bada64661529
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5010
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>

2022-01-19 r/3637 refactor(nix/buildkite): Move fetch-parent-targets script here (Vincent Ambo; 2 files, -42/+1)
This is no longer TVL-specific and should live here with the other generalised stuff.
Change-Id: I95a1b4c0321f34812162d6fd40568269abf639dd
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5006
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: ezemtsov <eugene.zemtsov@gmail.com>

2022-01-19 r/3636 refactor(ops/pipelines): Generalise fetch-parent-targets script (Vincent Ambo; 2 files, -14/+15)
Removes all TVL-specific values in favour of environment variables supplied by Buildkite. This makes it possible to reuse this script outside of TVL.
Change-Id: Ic543bc41e4c81e65ee349ad241c515231e97ab30
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5005
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: ezemtsov <eugene.zemtsov@gmail.com>

2022-01-19 r/3633 feat(ops/besadii): make text 'cl' posted BuildKite configurable (Åsmund Østvold; 1 file, -4/+20)
Some companies do not know the 'cl' term. They do know of 'change' and would maybe not like to introduce one more synonym. This CL introduces an optional entry 'gerritChangeName' in besadii.json. The string has to match `^[a-z0-9]+$` for readability.
Change-Id: Id70fcb1e45158869f88bf37669be49b8b8a3b295
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4825
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: asmundo <asmundo@gmail.com>

2022-01-17 r/3616 fix(ops/oauth2_proxy): Fix cookie secret length (Vincent Ambo; 2 files, -1/+1)
The cookie secret in the encrypted file was too long, because the generation command in the oauth2_proxy docs is also wrong. Should probably fix that upstream as well.

Also noticed that an extra '2' snuck into the service name and fixed that.
Change-Id: I9a344a75993ab1f98299a8d45e7f5b2e146b7fc5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4957
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>

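The length problem above comes from oauth2_proxy deriving an AES cipher from `cookie_secret`, which only works for 16, 24 or 32 key bytes. The following is an added example (not depot code and not oauth2_proxy's own validation) that generates a secret of a valid size and checks an existing one the way a secrets-file review would; the decode-then-fall-back-to-raw-bytes rule is an assumption about how oauth2_proxy interprets the value, and `DOUBLE_ENCODED` is a constructed specimen of a secret that was base64-encoded twice.

```python
import base64
import secrets

# oauth2_proxy builds an AES cipher from cookie_secret, so the effective key
# must be exactly 16, 24 or 32 bytes long.
VALID_KEY_LENGTHS = (16, 24, 32)


def key_bytes(secret: str) -> bytes:
    """Return the key bytes a cookie_secret value would yield.

    Assumption about oauth2_proxy's handling (not its code): the value is first
    tried as URL-safe base64 (missing padding tolerated); if that decodes to a
    valid AES key length the decoded bytes are the key, otherwise the raw
    string bytes are used as-is.
    """
    padded = secret + "=" * (-len(secret) % 4)
    try:
        decoded = base64.urlsafe_b64decode(padded)
    except ValueError:
        decoded = b""
    if len(decoded) in VALID_KEY_LENGTHS:
        return decoded
    return secret.encode()


def check_cookie_secret(secret: str) -> tuple:
    """(ok, effective key length) for a secret as stored in a secrets file."""
    key = key_bytes(secret.strip())  # tolerate a trailing newline from an editor
    return len(key) in VALID_KEY_LENGTHS, len(key)


def generate_cookie_secret(nbytes: int = 32) -> str:
    """A fresh secret: nbytes of CSPRNG output, URL-safe base64 encoded."""
    if nbytes not in VALID_KEY_LENGTHS:
        raise ValueError(f"nbytes must be one of {VALID_KEY_LENGTHS}")
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode()


# Constructed failure case: a valid 44-character secret that was base64-encoded
# a second time (easy to do by piping one generator command into another).
# It neither decodes to a valid key length nor is a valid length raw (60 bytes).
INNER = base64.urlsafe_b64encode(b"\x01" * 32).decode()
DOUBLE_ENCODED = base64.urlsafe_b64encode(INNER.encode()).decode()

if __name__ == "__main__":
    fresh = generate_cookie_secret(32)
    print(fresh, check_cookie_secret(fresh))      # (True, 32)
    print(check_cookie_secret(DOUBLE_ENCODED))   # (False, 60)
```

Run the check against the decrypted secret before committing it; a secret that fails here makes oauth2_proxy refuse to start, which is the symptom the fix above addresses.
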
2022-01-17 r/3603 feat(ops/pipelines): Fetch parent target map for pipeline generation (Vincent Ambo; 2 files, -1/+51)
Change-Id: I1c7d48fc0974549d67146a15f79ddb0b6ddfe805
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4947
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>

2022-01-17 r/3602 feat(nix/buildkite): Check target map of parent to determine skips (Vincent Ambo; 1 file, -2/+6)
This changes the logic for build pipeline generation to inspect an (optional) parentTargetMap attribute which contains the derivation map of a target commit. Targets that existed in a parent commit with the same drv hash will be skipped, as they are not considered to have changed.

This does not yet wire up any logic for retrieving the target map from storage, meaning that at this commit all targets are always built. The intention is that we will have logic to fetch the target map (initially from Buildkite artefact storage), which we then pass to the depot via externalArgs when actually generating the pipeline.
Change-Id: I3373c60aaf4b56b94c6ab64e2e5eef68dea9287c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4946
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>

2022-01-17 r/3601 feat(ops/pipelines): Create drvmap structure for each commit (Vincent Ambo; 2 files, -7/+17)
Always create a structure that maps all targets to derivations, and persist it as a JSON file. This relates to some of the ideas expressed in: https://docs.google.com/document/d/16A0a5oUxH1VoiSM8hyFyLW0WiUYpNo2e2D6FTW4BlH8/edit

The file is always uploaded to Buildkite as an artifact. This allows for retrieving it based on the commit ID in a Buildkite GraphQL query. By default, Buildkite stores artefacts for 6 months. Storage location can be overridden (with custom retention) through some environment variables, but for now at TVL the Buildkite-managed storage is fine. See also: https://buildkite.com/docs/pipelines/artifacts

In the subsequent filtering implementation, when diffing commits across a time-range that exceeds artefact retention time, we should simply default to building everything.
Change-Id: I6d808461cd1c1fdd6983ba8c8ef075736d42caa7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3662
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>

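The two commits above (r/3601, which persists a per-commit drvmap, and r/3602, which skips targets whose derivation is unchanged relative to the parent) describe one mechanism. Below is an added example of that mechanism, written for this page rather than taken from //nix/buildkite: it serialises a drvmap as the JSON artifact, compares the current map against the parent's, and falls back to building everything when the parent artifact is missing, expired or unreadable. The target names and store paths are constructed.

```python
import json

# Constructed drvmaps: target attribute path -> .drv path, as a pipeline
# generator would persist them per commit. The store paths are made up.
PARENT_DRVMAP = {
    "ops.besadii": "/nix/store/aaaa-besadii.drv",
    "tools.depotfmt": "/nix/store/bbbb-depotfmt.drv",
    "web.tvl": "/nix/store/cccc-tvl-website.drv",
    "users.old-tool": "/nix/store/ffff-old-tool.drv",  # removed since
}
CURRENT_DRVMAP = {
    "ops.besadii": "/nix/store/aaaa-besadii.drv",      # same drv: skippable
    "tools.depotfmt": "/nix/store/dddd-depotfmt.drv",  # inputs changed
    "web.tvl": "/nix/store/cccc-tvl-website.drv",      # same drv: skippable
    "nix.buildkite": "/nix/store/eeee-buildkite.drv",  # new target
}


def dump_drvmap(drvmap: dict) -> str:
    """Serialise a drvmap as the JSON artifact uploaded for a commit."""
    return json.dumps(drvmap, indent=2, sort_keys=True) + "\n"


def load_drvmap(text):
    """Parse a drvmap artifact; None means 'no usable parent map'."""
    if text is None:
        return None
    data = json.loads(text)
    if not isinstance(data, dict) or not all(
        isinstance(k, str) and isinstance(v, str) and v.endswith(".drv")
        for k, v in data.items()
    ):
        raise ValueError("drvmap must map target names to .drv paths")
    return data


def should_skip(target: str, drv: str, parent_map) -> bool:
    """A target is skipped only if the parent built the identical derivation.

    Comparing the full .drv path means any change in inputs, builder or
    dependencies shows up as a difference, so nothing is skipped by accident.
    """
    return parent_map is not None and parent_map.get(target) == drv


def targets_to_build(current: dict, parent_map) -> list:
    """Targets whose drv differs from the parent's; everything if no parent map."""
    return sorted(t for t, drv in current.items() if not should_skip(t, drv, parent_map))


def targets_to_build_from_artifact(current: dict, artifact_text) -> list:
    """Same decision, but an expired, missing or corrupt artifact builds all."""
    try:
        parent_map = load_drvmap(artifact_text)
    except ValueError:
        parent_map = None
    return targets_to_build(current, parent_map)


if __name__ == "__main__":
    print(targets_to_build_from_artifact(CURRENT_DRVMAP, dump_drvmap(PARENT_DRVMAP)))
    print(targets_to_build_from_artifact(CURRENT_DRVMAP, None))
```

The skip decision trusts the parent map completely, so the artifact should only ever be fetched from a build of a commit on the same trusted branch; a map from an untrusted source could suppress builds of changed targets.
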
2022-01-14 r/3598 fix(gerrit-tvl): Handle "broken" (skipped) jobs correctly (Vincent Ambo; 1 file, -1/+7)
by simply skipping them
Change-Id: I9cbec3b79469ae01b1873d6a42e990b98cc4110a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4921
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>

2022-01-14 r/3597 fix(gerrit-tvl): Exclude non-command jobs from check results (Vincent Ambo; 1 file, -0/+5)
Change-Id: I13727d30ac7a568f02614a4bbc778afed6a286ba
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4891
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: tazjin <tazjin@tvl.su>

2022-01-14 r/3596 fix(gerrit-tvl): Explicitly specify patchset on check runs (Vincent Ambo; 1 file, -0/+1)
Since we now group patchsets inside of Buildkite, the results are no longer guaranteed to be for the right patchset. There might be some metadata passed in from Gerrit that would let us do this with the commit ID instead, but I haven't checked.
Change-Id: I5b74a17697511160fcc89d3dbef23517d974dc6f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4890
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: tazjin <tazjin@tvl.su>

2022-01-14 r/3595 fix(gerrit-tvl): Mark job as failed on all failure states (Vincent Ambo; 1 file, -1/+1)
Change-Id: If0fa85d8178b9e457305d0244ddf67d12a4b3051
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4889
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: tazjin <tazjin@tvl.su>

2022-01-14 r/3594 fix(gerrit-tvl): Support all documented Buildkite job statuses (Vincent Ambo; 1 file, -12/+58)
I'm not sure where the previous list originated, but it was missing some officially documented statuses. However, the API definitely returns statuses that are documented to only appear in other types, so this commit simply maps ALL statuses that Buildkite has documented for any type.

Also adds a log statement in case we encounter a brand new, unknown, undocumented status.
Change-Id: Iff003a3bd2608702019ae0f4137958435ad0856f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4888
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>

2022-01-14 r/3593 fix(gerrit-tvl): Fix construction of ref used in Buildkite (Vincent Ambo; 1 file, -3/+2)
... and remove a spammy log statement. This changed in besadii a while ago and led to the behaviour of failing silently, instead of failing with an error saying "undefined undefined".

Note that with this change merged the plugin probably still won't work again, but it gets us a step closer to the real error.
Change-Id: I3db25d246f4b1c634d316cd92574e27fb220d769
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4887
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>

2022-01-14 r/3592 feat(besadii): Skip builds of patchsets with no code changes (Vincent Ambo; 1 file, -2/+8)
Currently Gerrit is configured to copy forward the scores of the 'Verified' label if the tree of the commit does not change (e.g. only author information or commit message is modified). Besadii still triggers builds for these patchsets though.

With this change it will inspect the (previously ignored) "kind" of the patchset and skip patchsets with the same tree as their predecessor. See Gerrit docs for the semantics of "kind": https://gerrit-review.googlesource.com/Documentation/json.html#patchSet

Note that an argument can be made that we should do the exact opposite - stop carrying over 'Verified' at all and always build all patchsets. I think this depends on whether we intend to use commit metadata in CI runs at all. Adding a few people to the review for opinions.
Change-Id: I48a96a1ad1e07d92330d84e5cfdc820a39395297
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4867
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: asmundo <asmundo@gmail.com>
Reviewed-by: sterni <sternenseemann@systemli.org>

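As an added example of the decision described in r/3592 (and of the `gerritChangeName` option from r/3633 further up), the following is not besadii's code but a stand-alone model of it. Gerrit documents `NO_CODE_CHANGE` and `NO_CHANGE` as "same tree and same parent tree", so those are the kinds treated here as skippable; `TRIVIAL_REBASE` changes the parent and is built. Treating exactly those two kinds as skippable, and building an unknown or missing kind, is this example's reading of the commit, not necessarily besadii's. The events and the besadii.json contents are constructed.

```python
import re

# Patchset kinds as documented by Gerrit (json.html#patchSet). NO_CODE_CHANGE
# and NO_CHANGE keep the tree and the parent tree identical, so a build would
# reproduce the predecessor's result. Choosing exactly these two is this
# example's assumption about the commit, not besadii's code.
SAME_TREE_KINDS = frozenset({"NO_CODE_CHANGE", "NO_CHANGE"})
KNOWN_KINDS = SAME_TREE_KINDS | {"REWORK", "TRIVIAL_REBASE", "MERGE_FIRST_PARENT_UPDATE"}

CHANGE_NAME_RE = re.compile(r"^[a-z0-9]+$")  # constraint from r/3633


def should_build_patchset(kind) -> bool:
    """Skip only kinds known to leave the tree untouched.

    Anything else, including an unknown or missing kind, is built: the safe
    failure mode is a redundant build, never a silently unverified patchset.
    """
    return kind not in SAME_TREE_KINDS


def unknown_kinds(events) -> set:
    """Kinds Gerrit sent that this code does not know; worth logging."""
    return {ev.get("kind") for ev in events} - KNOWN_KINDS - {None}


def is_valid_change_name(name: str) -> bool:
    return CHANGE_NAME_RE.match(name) is not None


def gerrit_change_name(config: dict) -> str:
    """Word used instead of 'cl' in posted comments (optional besadii.json key)."""
    name = config.get("gerritChangeName", "cl")
    if not is_valid_change_name(name):
        raise ValueError(f"gerritChangeName {name!r} must match ^[a-z0-9]+$")
    return name


def builds_to_trigger(events, config=None) -> list:
    """(change, patchset, comment) for each patchset that should be built."""
    name = gerrit_change_name(config or {})
    out = []
    for ev in events:
        if should_build_patchset(ev.get("kind")):
            comment = f"Build triggered for patchset {ev['number']} of this {name}"
            out.append((ev["change"], ev["number"], comment))
    return out


# Constructed patchset-created events; only 'kind' and 'number' matter here.
EVENTS = [
    {"change": 4867, "number": 1, "kind": "REWORK"},
    {"change": 4867, "number": 2, "kind": "NO_CODE_CHANGE"},  # message edit only
    {"change": 4867, "number": 3, "kind": "TRIVIAL_REBASE"},  # new parent: rebuild
    {"change": 4867, "number": 4, "kind": "NO_CHANGE"},
    {"change": 4867, "number": 5, "kind": None},              # kind absent
]

if __name__ == "__main__":
    for change, number, comment in builds_to_trigger(EVENTS, {"gerritChangeName": "change"}):
        print(change, number, comment)
    print("unknown kinds:", unknown_kinds(EVENTS))
```
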
2022-01-13 r/3590 feat(whitby): Install a handful of systemPackages (Vincent Ambo; 1 file, -5/+13)
Adds more things I keep using via nix-shell, as well as the deploy-whitby script (which is independent of a particular depot checkout).
Change-Id: I36f87de7645768a05268c90ba9b3ab833bacca05
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4881
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>

2022-01-13 r/3589 refactor(deploy-whitby): use nvd instead of nix-diff (Vincent Ambo; 2 files, -2/+2)
nvd only shows us changed versions of packages, as well as added/removed packages, which means that for the majority of depot packages nothing will be displayed. However, the current output of nix-diff is not usable anyway, so having something that can be looked at is better than nothing.
Change-Id: Iefbd8139c7ccf5c88ed1209897abdb2ae9302e91
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4868
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>

2022-01-12 r/3588 fix: resolve remaining security.acme.email warnings (sterni; 1 file, -1/+1)
These were missed in cl/4784.
Change-Id: I01a5827900c1b3bdfdf9b1c36dcca8d6b59073a1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4866
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: sterni <sternenseemann@systemli.org>

2022-01-12 r/3585 fix(ops/besadii) no need to ref CL number in post to Gerrit (Åsmund Østvold; 1 file, -1/+1)
The comment posted to the Gerrit change does not need to contain the CL number, as it is given by the context of the Gerrit UI.
Change-Id: I172645e7f4d82e2fbebe179578babd42ea29737f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4826
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: asmundo <asmundo@gmail.com>

2022-01-08 r/3573 fix(wpcarro/all-systems): Remove diogenes from my top-level systems (William Carroll; 1 file, -1/+0)
When `findSystem` attempts to evaluate `system.config.networking.hostName`, diogenes (because I've refactored its definition) causes the following error:

> You're trying to declare a value of type `string'
> rather than an attribute-set for the option
> `system'!

Change-Id: Ib23cb9aa9cadc1f71ad3369c903e587762d12cc0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4830
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI

2022-01-07 r/3526 feat(ops/auto-deploy): Support emergency stops via stop file (Vincent Ambo; 1 file, -0/+9)
Adds a feature to emergency-stop deploys by simply running `touch /var/lib/auto-deploy/stop`. This can be useful in some situations, especially if there is a process that reconciles service state (so that e.g. stopping the unit's timer would be undone).
Change-Id: I233dfac365a578bfa4110eb605b50be079974ba4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4827
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: wpcarro <wpcarro@gmail.com>

2022-01-07 r/3525 chore(cache.tvl.su): Raise cache priority to 50 (Vincent Ambo; 1 file, -0/+5)
The priority of binary caches is decided by the remotes in Nix (???), and by default nix-serve (which is *very* slow) has a lower priority than cache.nixos.org (which means that it will be preferred over the faster cache for paths that exist on both).

To avoid this, override the hardcoded (????) priority by serving the nix-cache-info response directly from nginx instead.
Change-Id: I15a2d6618386d16edaf69f1c9257a36bd72132d2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4823
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>

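For the priority mechanism behind r/3525: a binary cache advertises itself at `/nix-cache-info` with `StoreDir`, `WantMassQuery` and `Priority` lines, and Nix queries substituters in ascending `Priority` order (lower value wins; cache.nixos.org advertises 40). The example below is added here and is neither Nix's nor the depot's code: it parses and renders that response and shows the query order before and after the override. The `Priority: 30` assumed for nix-serve's default, the treatment of a missing `Priority` as 0, and the stable ordering of equal priorities are assumptions; the response bodies are constructed.

```python
# nix-cache-info bodies as a binary cache serves them at /nix-cache-info.
# cache.nixos.org really advertises Priority 40; the 30 for nix-serve's default
# is an assumption, and all three bodies are constructed for this example.
CACHE_NIXOS_ORG = "StoreDir: /nix/store\nWantMassQuery: 1\nPriority: 40\n"
TVL_NIX_SERVE_DEFAULT = "StoreDir: /nix/store\nWantMassQuery: 1\nPriority: 30\n"
TVL_NGINX_OVERRIDE = "StoreDir: /nix/store\nWantMassQuery: 1\nPriority: 50\n"


def parse_nix_cache_info(text: str) -> dict:
    """Parse 'Key: value' lines; Priority and WantMassQuery become ints."""
    info = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed nix-cache-info line: {line!r}")
        info[key.strip()] = value.strip()
    for k in ("Priority", "WantMassQuery"):
        if k in info:
            info[k] = int(info[k])
    return info


def render_nix_cache_info(priority: int, store_dir: str = "/nix/store",
                          want_mass_query: bool = True) -> str:
    """The body a reverse proxy would return to override the cache's own value."""
    return f"StoreDir: {store_dir}\nWantMassQuery: {int(want_mass_query)}\nPriority: {priority}\n"


def substituter_order(caches: list) -> list:
    """Order (url, nix-cache-info body) pairs as Nix queries them: lowest Priority first.

    Assumptions: a missing Priority counts as 0, and equal priorities keep the
    configured order (sorted() is stable).
    """
    def prio(item):
        return parse_nix_cache_info(item[1]).get("Priority", 0)
    return [url for url, _ in sorted(caches, key=prio)]


if __name__ == "__main__":
    configured = [("https://cache.nixos.org", CACHE_NIXOS_ORG),
                  ("https://cache.tvl.su", TVL_NIX_SERVE_DEFAULT)]
    print("before:", substituter_order(configured))  # cache.tvl.su first
    configured[1] = ("https://cache.tvl.su", TVL_NGINX_OVERRIDE)
    print("after: ", substituter_order(configured))  # cache.nixos.org first
```

To confirm the override took effect on a live cache, fetch its `/nix-cache-info` and run the body through `parse_nix_cache_info`; the `Priority` seen by clients is whatever the proxy returns, regardless of what nix-serve would have said.
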
2022-01-07 r/3524 revert: "fix(ops/pipelines): Remove duplicated wait step" (tazjin; 1 file, -0/+4)
This reverts commit 5e036ed9fc579d14353eb7da4af4b426c99f96e6.

Reason for revert: This introduced a logic error since the remaining step runs at the wrong point in the pipeline. Temporarily reverting to having duplicated waits in order to clean up later.
Change-Id: Ifa6ece50dd22924f02efd7b790a5863ca1189af7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4841
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>

2022-01-04 r/3518 feat(ops): Add initial oauth2_proxy configuration (Vincent Ambo; 4 files, -0/+58)
The intent is to configure oauth2_proxy pointing at Keycloak to enable usage with nginx auth_request directives. I want to expose this as a function from within the module in which nginx server configuration blocks can be wrapped, but the function for that is currently a placeholder.
Change-Id: I5ed7deb9bf1c62818f516e68c33e8c5b632fccfe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4767
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>

2022-01-04 r/3517 chore(ops): Remove login.tvl.fyi module (Vincent Ambo; 2 files, -25/+0)
It looks like we won't need this for oauth2_proxy when combined with nginx auth_request setups.
Change-Id: I2294aee6226b4f64a27bf6592c2d18092d0268cc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4766
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>

2022-01-02 r/3512 fix(ops/pipelines): Realise anchor derivation for rooting (Vincent Ambo; 1 file, -1/+1)
Turns the anchor derivation into something that can actually be built (a call creating a propagated build inputs file), and builds it. This should fix the anchoring logic we have on canon.
Change-Id: If6a7662b82e2e396388980f65e332cf67a45b46e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4763
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>

2022-01-02 r/3511 refactor(ops/keycloak): Split out clients & user-sources (Vincent Ambo; 3 files, -106/+113)
Without some kind of physical organisation it's a little difficult to understand whether things are going "in" (supplying users to Keycloak) or "out" (getting auth/user info from Keycloak).
Change-Id: I516501081e3448c81c710fcbc79cc68ad2a80f3b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4762
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>

2022-01-02 r/3510 fix(ops/pipelines): Remove duplicated wait step (Vincent Ambo; 1 file, -4/+0)
This now happens in //nix/buildkite instead
Change-Id: Ie9e239ee4f28ac34aa4d3279dac55d70a2cb9d86
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4764
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>

2022-01-01 r/3509 refactor(modules/smtprelay): Load credentials via agenix (Vincent Ambo; 2 files, -7/+15)
Change-Id: I56f6887e1fd35551cfc83ad08cafebb611f4a341
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4760
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: Profpatsch <mail@profpatsch.de>
Autosubmit: tazjin <mail@tazj.in>

2022-01-01 r/3508 feat(ops/secrets): Add smtprelay credentials (Vincent Ambo; 2 files, -0/+15)
Change-Id: I489e611a3fb19b4a374a563aa1afd81a130b2e7f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4759
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <mail@tazj.in>

2021-12-28 r/3495 fix(ops/keycloak): redefine buildkite client, correctly this time (Vincent Ambo; 1 file, -15/+26)
This client definition was previously nonsense. What happened is that I accidentally imported the client as an OIDC client, which Keycloak accepted because apparently those are the same entities on the API level, and that ended up getting mangled into some broken hybrid shape by Terraform.

This sets up the Buildkite provider again but with the correct SAML configuration this time.
Change-Id: Id7ba318984d2fcc9e2ca91ed45ccbfd227278bbe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4731
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: tazjin <mail@tazj.in>

2021-12-28 r/3492 refactor(tools/depotfmt): Move depotfmt check into a real build step (Vincent Ambo; 1 file, -1/+8)
Produces more useful output and also makes for a good target for the upcoming extraSteps logic.
Change-Id: Ifd389d433d9e27f97940a48999f4fba35646e37a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4727
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>

2021-12-28 r/3491 refactor: Generalise pipeline generation in //nix/buildkite (Vincent Ambo; 1 file, -115/+7)
Extracts the logic for generating our Buildkite pipeline (which has been copy&pasted and slightly modified in some places outside of depot) into a generic //nix/buildkite library. This should cause no change in functionality.
Change-Id: Iad3201713945de41279b39e4f1b847f697c179f7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4726
Autosubmit: tazjin <mail@tazj.in>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>

2021-12-28 r/3490 fix(ops/users): change my email to the @tvl.su one (Vincent Ambo; 1 file, -1/+1)
Change-Id: Id608fe66b203c1d08958c85be44506a86eec56d5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4730
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Autosubmit: tazjin <mail@tazj.in>

2021-12-27 r/3482 refactor(ops/secrets): optimize + typecheck mkSecrets (zseri; 1 file, -11/+19)
Change-Id: I592c8f2f82cef8fe4509e90a8c48504a0c74d133
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4688
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: zseri <zseri.devel@ytrizja.de>
Tested-by: BuildkiteCI

2021-12-27 r/3481 feat(ops/glesys): Import DNS records for tvl.su (Vincent Ambo; 1 file, -0/+120)
These records were previously configured manually in the GleSYS web UI during our DNS outage (b/155). Note that I could not find a way to `terraform import` these records and have instead recreated the set and then cleaned up in the UI.
Change-Id: If7de9a7e6dad20953ba8b610589a62dce400e87b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4716
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>

2021-12-27 r/3480 feat(ops/glesys): Import DNS records for tvl.fyi (Vincent Ambo; 3 files, -2/+111)
These records were previously configured manually in the GleSYS web UI during our DNS outage (b/155). Note that I could not find a way to `terraform import` these records and have instead recreated the set and then cleaned up in the UI.

Since we often point things at whitby, I have extracted variables for its IPs in this change.
Change-Id: I09fda94d3734e8aaa278fa858e160d046740da1e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4714
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>

2021-12-27 r/3479 feat(ops/glesys): Import DNS records for nixery.dev (Vincent Ambo; 1 file, -0/+44)
These records were previously configured manually in the GleSYS web UI during our DNS outage (b/155). Note that I could not find a way to `terraform import` these records and have instead recreated the set and then cleaned up in the UI.
Change-Id: I2b7e0ed0931f50e7fa49c1f6e3400dfe958def04
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4713
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>

2021-12-27 r/3474 feat(ops/secrets): Import secrets for tf-glesys (Vincent Ambo; 3 files, -0/+21)
Adds the secrets and some instructions for deploying the GleSYS Terraform infrastructure.
Change-Id: I1a10f9cee7648d406b3d27ef45fc74b6923cbc30
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4712
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>

2021-12-27 r/3473 feat(ops/keycloak): Import Buildkite OIDC client (Vincent Ambo; 1 file, -0/+21)
This was previously configured in the UI.
Change-Id: I68361b1489093b76736adab2e38ed7b474b10881
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4711
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>

2021-12-27 r/3472 feat(ops/keycloak): Import Gerrit OIDC client (Vincent Ambo; 1 file, -0/+21)
This was previously configured in the UI.
Change-Id: Ib15b8ecca96d7814dc85d62199865b22bdb63f95
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4710
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>

2021-12-27 r/3471 fix(ops/keycloak): Move Terraform state to GleSYS bucket (Vincent Ambo; 2 files, -12/+24)
This should never sit around locally the way it does now.
Change-Id: Icfbdaf1949d6d948a796a0759282ea6144af3621
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4709
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>

2021-12-27 r/3470 feat(ops/secrets): Add tf-keycloak secrets file (Vincent Ambo; 3 files, -0/+32)
This file can be sourced (somehow, depending on the user) while working with //ops/keycloak to get the relevant secrets.
Change-Id: Ibb3051c4b019f64824964475451c1c3996db6421
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4708
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>

2021-12-27 r/3469 feat(ops/keycloak): Add OIDC client for Grafana (Vincent Ambo; 1 file, -0/+14)
Completely forgot about Grafana, so it's currently broken. Oops!
Change-Id: Ia4e6405428ad8e514d6e61635f9692c57f61defe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4705
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: tazjin <mail@tazj.in>

2021-12-27 r/3468 fix(whitby): Point grafana at new auth provider (Vincent Ambo; 2 files, -18/+18)
Grafana was still pointing at the (now non-existent) CAS setup. This changes the endpoints to use Keycloak instead and updates the client secret.
Change-Id: Ib25d38330aba2ef6d894e8c33d86852c884ab5be
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4706
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>

2021-12-27 r/3453 refactor(ops/secrets): generalize out a mkSecrets function (Griffin Smith; 2 files, -21/+22)
Generalize out a reusable mkSecrets function from the secrets-tree-building that's happening in //ops/secrets, so the same thing can happen in other places in the depot (I want to use it for my personal infrastructure).
Change-Id: I059295c8c257d78ad7fa0802859f57c2c105f29b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4679
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI

2021-12-26 r/3447 feat(ops/machines/all-systems): Add grfn/mugwump (Griffin Smith; 1 file, -0/+1)
Change-Id: I7770b58c44a5700e86c80d1058e89e9fa65d719b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4686
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>

2021-12-26 r/3446 fix(auto-deploy): Add missing packages to path (Griffin Smith; 1 file, -3/+5)
Building nix derivations needs tar (provided by gnutar) and gzip on the PATH in order to extract .tar.gz archives.
Change-Id: Ia2df7a3a770cfd342dfede58ad34e04805fbd1f8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4685
Tested-by: BuildkiteCI
Autosubmit: grfn <grfn@gws.fyi>
Reviewed-by: wpcarro <wpcarro@gmail.com>

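Two of the auto-deploy commits on this page describe preconditions the deploy run should check before it does anything: the emergency stop file from r/3526 (`touch /var/lib/auto-deploy/stop`) and the tools that must be on PATH from r/3446 (tar and gzip). The following is an added example that is not the depot's auto-deploy unit: a small runner that evaluates both checks up front and only then hands off to the build command. `REQUIRED_TOOLS`, the exit-code convention and the build command in `__main__` are this example's choices, not the real unit's.

```python
import os
import shutil
import subprocess
import sys

# Stop file path from r/3526. REQUIRED_TOOLS is this example's list (tar and
# gzip come from r/3446; nix-build is assumed), not the real unit's PATH.
STOP_FILE = "/var/lib/auto-deploy/stop"
REQUIRED_TOOLS = ("nix-build", "tar", "gzip")


def stop_requested(stop_file=STOP_FILE) -> bool:
    """True when an operator has created the stop file; checked on every run,
    so a reconciler that restarts the timer still cannot restart deploys."""
    return os.path.exists(stop_file)


def missing_tools(tools=REQUIRED_TOOLS, path=None) -> list:
    """Tools not resolvable on PATH (or on an explicit search path)."""
    return [t for t in tools if shutil.which(t, path=path) is None]


def plan_deploy(stop_file=STOP_FILE, tools=REQUIRED_TOOLS, path=None) -> tuple:
    """Decide before touching anything: ('stop' | 'abort' | 'deploy', reason)."""
    if stop_requested(stop_file):
        return "stop", f"stop file {stop_file} present; remove it to resume deploys"
    missing = missing_tools(tools, path)
    if missing:
        return "abort", "required tools not on PATH: " + ", ".join(missing)
    return "deploy", "preconditions satisfied"


def run_deploy(build_cmd, stop_file=STOP_FILE, tools=REQUIRED_TOOLS) -> int:
    """Exit 0 on stop (deliberately nothing to do), 1 on abort, else the
    build's own exit code. Exit codes are this example's convention."""
    action, reason = plan_deploy(stop_file, tools)
    print(f"auto-deploy: {action}: {reason}", file=sys.stderr)
    if action == "stop":
        return 0
    if action == "abort":
        return 1
    return subprocess.run(build_cmd).returncode


if __name__ == "__main__":
    # Placeholder build command; the real unit's invocation is not on this page.
    sys.exit(run_deploy(["nix-build", "-A", "some.target"]))
```

Returning 0 on a stop keeps the systemd unit from flapping into a failed state while the stop file is in place; an abort because of a missing tool is a real misconfiguration and is reported as a failure.
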
2021-12-26 r/3428 fix(ops/keycloak): set up client for usage with oauth2_proxy (Vincent Ambo; 1 file, -7/+7)
This will be useful for things like panettone, pending a NixOS module for oauth2-proxy (the upstream one is too complicated and doesn't support what we need).
Change-Id: I4ca193e10a94a29b1fb9003e945896ff8eb61116
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4662
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
Autosubmit: tazjin <mail@tazj.in>