path: root/ops
Age | Commit message | Author | Files | Lines
2022-07-18 | r/4305 fix(ops/www): issue certificate for 'www.tazj.in' | Vincent Ambo | 1 | -0/+1
Change-Id: I6179f785bb6bd6168a2a11836b90da5ee93adc69 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5953 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: tazjin <tazjin@tvl.su>
2022-07-12 | r/4295 refactor(ops/cgit): make user configurable | Vincent Ambo | 2 | -4/+24
on whitby, cgit runs as the gerrit user to get access to serving gerrit's repositories directly. on other machines (e.g. sanduny) this isn't necessary, as we have a world-readable depot replica. Change-Id: Ibf7e7cc08e5909e0fa182e561ab0cb472188edcb Reviewed-on: https://cl.tvl.fyi/c/depot/+/5932 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-07-12 | r/4294 fix(depot-replica): make the depot replica world readable | Vincent Ambo | 1 | -1/+1
Change-Id: Idc0b5210793ab0d83b3ac99cf36d7f7f02a35a37 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5931 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-07-12 | r/4293 feat(ops/sanduny): run cgit instance | Vincent Ambo | 1 | -0/+7
Change-Id: Id869fa46d74f215a9034e86f795a4cd9e93acb16 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5930 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-07-03 | r/4274 feat(ops): configure depot replication to sanduny | Vincent Ambo | 2 | -0/+21
this configures gerrit's built-in replication plugin to push every change in depot to sanduny. this allows us to serve a replica of depot from sanduny.

manual config that was needed which needs to be automated:

* system-wide known_hosts does not work, needed one in /var/lib/git
* .ssh/config MUST be present and configured for sanduny.tvl.su

Change-Id: Iba399f2328abb5acb65dae19a36e265eea0952ac Reviewed-on: https://cl.tvl.fyi/c/depot/+/5915 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org>
2022-07-03 | r/4273 feat(ops/secrets): add private key for depot git replication | Vincent Ambo | 2 | -1/+2
Change-Id: Iaf86d1fe635be8fbd9bc8a397999a2cffcc21606 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5914 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org>
2022-07-03 | r/4272 feat(ops/modules): add module for receiving a depot replica | Vincent Ambo | 2 | -0/+49
This module sets up a user with an SSH key and permissions to receive a (pushed) replica of depot from Gerrit. This still needs appropriate configuration in Gerrit's replication plugin on the other end. This module has been enabled for sanduny. For now it does not (yet) configure git serving. Change-Id: I0fb6f7e696609e71008308e855bdf305dcbcd4f7 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5913 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org>
2022-06-27 | r/4261 fix(ops/sanduny): Enable our binary cache | Vincent Ambo | 1 | -0/+3
Change-Id: I53f4c5b667018c0d3b01b307411200b66f6a7de3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5901 Tested-by: BuildkiteCI Reviewed-by: wpcarro <wpcarro@gmail.com> Autosubmit: tazjin <tazjin@tvl.su>
2022-06-27 | r/4254 refactor(web/cgit-tvl): Move cgit config back out of module | Vincent Ambo | 4 | -106/+40
It occurred to me yesterday that with the config inside of the module it is kind of difficult to test cgit locally. This moves it back to a separate location (//web/cgit-tvl) and makes the most important things configurable via overrides. Change-Id: I9b0f4c60b75c31441e1718e63b5b55aba3100aae Reviewed-on: https://cl.tvl.fyi/c/depot/+/5893 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-06-09 | r/4232 fix(ops/besadii) test trigger.ref against configured branch | Åsmund Østvold | 1 | -1/+1
Before this commit besadii only worked for repos having 'refs/heads/canon' as main branch. Change-Id: Ia2ceb8a720c675be84bc3d81b89338522cea6ebd Reviewed-on: https://cl.tvl.fyi/c/depot/+/5862 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: asmundo <asmundo@gmail.com>
2022-06-07 | r/4227 refactor(ops/keycloak): Use tools.checks.validateTerraform | Vincent Ambo | 1 | -5/+5
Remove some ~commit message~ ... uh, code duplication. Change-Id: Id6e8f2132999e153d3984848f95ccabd52e4f45f Reviewed-on: https://cl.tvl.fyi/c/depot/+/5853 Tested-by: BuildkiteCI Reviewed-by: asmundo <asmundo@gmail.com>
2022-06-07 | r/4226 refactor(ops/glesys): Use tools.checks.validateTerraform | Vincent Ambo | 1 | -8/+6
Remove some code duplication. Change-Id: Ia9e0b3b22926eb9e72f302e2c1ebcee68eaa1db9 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5852 Tested-by: BuildkiteCI Reviewed-by: asmundo <asmundo@gmail.com>
2022-06-07 | r/4225 refactor(ops/buildkite): Use tools.checks.validateTerraform | Vincent Ambo | 1 | -8/+6
Remove some code duplication. Change-Id: I7ff49e728e1bd584bca3b84cdc033d93e60aefc2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5851 Tested-by: BuildkiteCI Reviewed-by: asmundo <asmundo@gmail.com>
2022-06-06 | r/4219 fix(ops/glesys): Remove now unnecessary workaround | Vincent Ambo | 1 | -4/+0
Remove a workaround for a GleSYS provider bug that was fixed in the last release. Change-Id: Ibd25de0b4dcccd781518d5d0ae1c75d296f6b05f Reviewed-on: https://cl.tvl.fyi/c/depot/+/5845 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2022-06-06 | r/4218 test(ops/keycloak): Validate Terraform configuration in CI | Vincent Ambo | 1 | -2/+8
Change-Id: I5602cf722b9fe9502c9d7610eefc7ba0ab647362 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5844 Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI
2022-06-06 | r/4217 test(ops/glesys): Validate Terraform configuration in CI | Vincent Ambo | 1 | -2/+11
Change-Id: I8d251d3ee1de77feca865d0a677041c9c485d211 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5843 Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI
2022-06-06 | r/4216 test(ops/buildkite): Validate Terraform configuration in CI | Vincent Ambo | 1 | -2/+11
Change-Id: Ieef4d7d0a717107ee67432474683f3344b6561f8 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5842 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-06-06 | r/4215 feat(ops/buildkite): Import tvl-kit pipeline | Vincent Ambo | 2 | -0/+11
Change-Id: I21f6e0adba3dca3be741761a226ab6810d8bcf8d Reviewed-on: https://cl.tvl.fyi/c/depot/+/5841 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-06-06 | r/4214 feat(ops/buildkite): Import main depot pipeline | Vincent Ambo | 2 | -0/+13
Change-Id: Id470750aa90505002c6a7e4f840e56c4939ed391 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5840 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-06-06 | r/4213 docs(ops/buildkite): Add documentation about this config | Vincent Ambo | 2 | -1/+25
Change-Id: Ia61b15127c67cdd9dddcab9f3540f1aee949cd6b Reviewed-on: https://cl.tvl.fyi/c/depot/+/5839 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-06-06 | r/4212 feat(ops/buildkite): Bootstrap Buildkite Terraform configuration | Vincent Ambo | 3 | -0/+33
In order to run this the secrets need to be sourced, e.g.:

    eval $(age --decrypt -i ~/.ssh/id_ed25519 $(git rev-parse --show-toplevel)/ops/secrets/tf-buildkite.age)

Change-Id: I9f6a02c0dac22f584181635861ddbb06cf849f14 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5838 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: tazjin <tazjin@tvl.su>
2022-06-06 | r/4211 feat(ops/secrets): Add Buildkite API token for Terraform | Vincent Ambo | 2 | -0/+17
Change-Id: I0930f4fb34015ddcaa791b07e4d5d87d069d2b0a Reviewed-on: https://cl.tvl.fyi/c/depot/+/5837 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2022-06-03 | r/4202 refactor(nix/buildkite): Rename "post" steps to "release" steps | Vincent Ambo | 1 | -3/+3
This is in preparation for a subsequent CL that will do much more significant changes in //nix/buildkite. Change-Id: I80a8d67d3a7d593854c8d711572483c2581e7881 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5824 Reviewed-by: ezemtsov <eugene.zemtsov@gmail.com> Tested-by: BuildkiteCI
2022-05-29 | r/4185 fix(ops/nixos): use builtins.storePath to avoid dumping pkgs.path | sterni | 1 | -4/+12
This is a less invasive way to achieve the same goal as cl/5681, by preventing the already existing nixpkgs store path from being dumped again at the call site. To support nixpkgsBisectPath, we simply check if pkgs.path is below builtins.storeDir and use builtins.storePath based on that. This is actually similar to the approach taken in the nixpkgs documentation system which tries to limit the amount of nixpkgs that needs to be dumped by using filterSource on specific subtrees of nixpkgs. For this to work it has to insist on pkgs.path being an ordinary Nix path, though. Change-Id: Idf892f90a5d811184568e4702a901c334d56210e Reviewed-on: https://cl.tvl.fyi/c/depot/+/5787 Autosubmit: sterni <sternenseemann@systemli.org> Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 | r/4179 feat(ops/secrets): Add OAuth2 client secret for panettone | Vincent Ambo | 1 | -15/+16
Change-Id: Icc53b161b260632e50b7bdc4c908912fd377bb87 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5771 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2022-05-28 | r/4177 feat(ops/keycloak): Add OIDC client for panettone | Vincent Ambo | 1 | -0/+14
Change-Id: Idb4352e3bbf412df5569aa988a78c6438063f93a Reviewed-on: https://cl.tvl.fyi/c/depot/+/5769 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2022-05-28 | r/4176 fix(gerrit-tvl): Use only one build filter | Vincent Ambo | 1 | -4/+1
Buildkite can't handle more than one filter for the query; as of the last commit it just returned an empty list. I've verified with curl based on the request the previous attempt constructed that this works as intended with only setting the commit. Behaviour is probably undefined if there are two builds for the same commit (i.e. a retry). Which one will you see? Who knows! However, since the commit hash contains the Change-Id, we can't get a situation where the build was for two different CLs at the same commit. Gerrit wouldn't allow that. Change-Id: I0dcd0ff44c28d3d15cba23461970bfc8483f4e48 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5768 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-28 | r/4174 chore(ops/sourcegraph): Bump to 3.40.0 | Vincent Ambo | 1 | -1/+1
Change-Id: I77438201d8ed5237095b3d2e8a855dec3e58b641 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5766 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 | r/4173 chore(ops/sourcegraph): Bump to 3.39.1 | Vincent Ambo | 1 | -1/+1
Change-Id: I76d0a3ede7cc23a9a6e8db61ed7e9d91670f1699 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5765 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 | r/4172 chore(ops/sourcegraph): Bump to 3.38.1 | Vincent Ambo | 1 | -1/+1
Change-Id: Ib1f4f9591acab537607c9d9c9b123e9c711e331b Reviewed-on: https://cl.tvl.fyi/c/depot/+/5764 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 | r/4171 chore(ops/sourcegraph): Bump to 3.37.0 | Vincent Ambo | 1 | -1/+1
Change-Id: If333f28dd0bec4eb965a6e3005ef5aca810c86f3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5763 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 | r/4170 chore(ops/sourcegraph): Bump to 3.36.3 | Vincent Ambo | 1 | -1/+1
Change-Id: I3a6caeeb06919b25a9c1200c8f286b0bd34916b2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5762 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 | r/4169 chore(ops/sourcegraph): Bump to 3.35.2 | Vincent Ambo | 1 | -1/+1
Change-Id: Ia829b4ffa2e7e37438f766d0ff98e504c0d856b4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5755 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 | r/4167 chore(ops/sourcegraph): Bump to 3.34.2 | Vincent Ambo | 1 | -1/+1
Change-Id: I865335006a091986f8a98e4d5da7161a25e948d9 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5754 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 | r/4166 chore(ops/sourcegraph): Bump to 3.33.2 | Vincent Ambo | 1 | -1/+1
Change-Id: I6568e3226a7ff0796cbf3748c0dab1530fb0fb6a Reviewed-on: https://cl.tvl.fyi/c/depot/+/5753 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2022-05-28 | r/4165 chore(ops/sourcegraph): Bump to 3.32.1 | Vincent Ambo | 1 | -1/+1
Change-Id: I8efdf3dbfc5575f24c8e6996a7716d308f1446df Reviewed-on: https://cl.tvl.fyi/c/depot/+/5752 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-27 | r/4164 fix(tvl-slapd): load argon2 module with new name | Vincent Ambo | 1 | -1/+1
This became an "official" module and dropped the `pw-` prefix. Relates to b/184 Change-Id: I963f83b55b83015b022ab1b8330ea710d2258631 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5751 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-27 | r/4154 feat(wpcarro/tarasco): Support tarasco 🇲🇽 | William Carroll | 1 | -0/+1
Named after the Mexican restaurant, El Tarasco, in El Porto, which I live 3m walking distance from. Change-Id: I2cd4b68eaa974ad6c8fec73e0566bc0b831c57a8 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5743 Reviewed-by: wpcarro <wpcarro@gmail.com> Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: wpcarro <wpcarro@gmail.com> Tested-by: BuildkiteCI
2022-05-27 | r/4150 fix(ops/gerrit-tvl): Filter builds by commit hash | Vincent Ambo | 1 | -2/+3
The patchsetSha is one of the things passed in to the `fetch()` interface, and Buildkite's API (now?) supports filtering by the commit hash in addition. With this combination, we should not accidentally display builds for the wrong patch set. Change-Id: I6bb26dd7387f2dd00291990cadd38629ecda999b Reviewed-on: https://cl.tvl.fyi/c/depot/+/5702 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-27 | r/4147 fix(ops/modules): Increase `RestartSec=` of oauth2_proxy service | Vincent Ambo | 1 | -0/+1
When Keycloak and oauth2_proxy are restarted simultaneously, the latter might try to come up (repeatedly!) before Keycloak can serve it properly. This leads to systemd considering the unit failed. Since this all happens in the span of a second or so, slightly increase the restart delay of the service to ensure it comes back after Keycloak is ready. A "proper" fix might be to add a script that runs before the actual service and waits for Keycloak, but I don't want to prioritise that right now. Change-Id: I4dadba686de60ffc103fe889ce19f05ca1d7d4fe Reviewed-on: https://cl.tvl.fyi/c/depot/+/5695 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-26 | r/4144 feat(ops/pipelines): Evaluate depot pipeline in restricted-eval mode | Vincent Ambo | 1 | -1/+4
Change-Id: Ic5b98a0777860b68dabb9a9b59e8c682236a71c7 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4884 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2022-05-26 | r/4139 refactor(ops/nixos): Prepare for restricted eval | Vincent Ambo | 1 | -2/+2
Change-Id: I7b5304dda3040830fe90fc188b35da3fd95451a0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5682 Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su>
2022-05-26 | r/4136 refactor(sanduny): Prepare for restricted-eval | Vincent Ambo | 1 | -1/+1
Change-Id: I83a404dc7dbaf5ca53659d03df4e4de461a9d046 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5688 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: tazjin <tazjin@tvl.su>
2022-05-26 | r/4134 refactor(whitby): Prepare for restricted-eval | Vincent Ambo | 1 | -40/+42
Change-Id: I7604ca29310d759b0ffee2ffb0048b6365a2894c Reviewed-on: https://cl.tvl.fyi/c/depot/+/5683 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: tazjin <tazjin@tvl.su>
2022-05-26 | r/4122 fix(ops/modules): adapt for changed ssh.knownHosts | Vincent Ambo | 1 | -3/+3
Somehow this ended up generating an empty file, with this change it is fine again. I was looking at the recent commits of the module in nixpkgs but couldn't quite figure it out, there are also some vague references to the attribute set key being used as a hostname, but this doesn't seem to be true in practice. To be clear, the previous code was wrong, but at some point it generated a file that accidentally worked. Change-Id: I42d55730c09daafe6d6fe0eb3647135e84737bca Reviewed-on: https://cl.tvl.fyi/c/depot/+/5670 Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su>
2022-05-25 | r/4118 feat(whitby): Deploy private SSH key for build agents | Vincent Ambo | 2 | -0/+7
Change-Id: I5b1dfaaf28e835cac5b897e18b015d90ac3b2857 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5665 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi>
2022-05-25 | r/4117 feat(ops/secrets): Add private SSH key for Buildkite agent(s) | Vincent Ambo | 2 | -0/+1
The public key is: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIME13zAw3Fk6qsbWCe6mH2zkxOJ+NmG+FwMjLw00mcWt buildkite@tvl Change-Id: Ia8591e5df42727e4068f26865d83d0af85424fde Reviewed-on: https://cl.tvl.fyi/c/depot/+/5664 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-25 | r/4115 feat(ops/modules/open_eid.nix): Access all key slots | Klemens Nanni | 1 | -3/+4
`onepin-opensc-pkcs11.so` only enables PIN1, but PIN2 is also required. Change-Id: Ic1c34ca58a46c2978c7e27e7a9b7e6a4d335ac0c Reviewed-on: https://cl.tvl.fyi/c/depot/+/5648 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de> Reviewed-by: kn <klemens@posteo.de> Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-25 | r/4114 feat(ops/modules/open_eid.nix): Add digidoc-tool(1) to PATH | Klemens Nanni | 1 | -0/+1
libdigidocpp is a dependency of qdigidoc4(1) already. This will need https://github.com/NixOS/nixpkgs/pull/174055 "libdigidocpp: Fix PKCS11 module library path" to work, though. Change-Id: Ic8d671077977b1d1f099a8b4b23cc537b52aa954 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5647 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de> Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-25 | r/4112 feat(3p/agenix): update to 2022-05-16 and add to niv | sterni | 9 | -12/+12
The new version brings the new secretsDir setting which means we no longer have to hardcode /run/agenix everywhere. Change-Id: I4b579d7233d315a780d7671869d5d06722d769fa Reviewed-on: https://cl.tvl.fyi/c/depot/+/5646 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: sterni <sternenseemann@systemli.org>