Age | Commit message (Collapse) | Author | Files | Lines |
|
Change-Id: Id2577449ec0a52f8c16f13150896ec0680f02051
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9325
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
Change-Id: I6ef83796a01014b01ac8aef6c7f500863f5cbf03
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9305
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
|
|
There's a go.mod in in tvix/store/protos, which sets the module path to
code.tvl.fyi/tvix/store/protos.
While this path makes kinda sense, it's currently not possible to `go
get` it from that location, as we serve the cgit interface from there.
Fortunately, `go get` has a mechanism to determine clone URLs for a
given go module path, as documented in https://go.dev/ref/mod#vcs-find.
We simply need to serve a small HTML file at that path, describing the
proper clone URL.
This points the clone URL for code.tvl.fyi/tvix/store/protos to a josh-
provided subtree of just :/tvix/store/protos, which will contain the
root go.mod file.
We need another layer of indirection as nginx can't have an `alias`
directive inside a conditional block (but can have a redirect).
Contrary to https://b.tvl.fyi/issues/299#comment-464, it seems to work
for our usecase. It might become a problem if we actually serve `go.mod`
files in a nested fashion at some point, but let's look at that once we
get there.
Fixes b/299.
Change-Id: Idcad795105af5d57e6d06de6e232881dccf9110b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9290
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Reviewed-by: adisbladis <adisbladis@gmail.com>
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
I verified on whitby that the password hashes generated by
//web/pwcrypt are compatible with our OpenLDAP, so it's time to make
this thing public.
Change-Id: Icc2f095ca7ce4acff6de91a1642dea6461177423
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9266
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
|
|
Change-Id: I7ca1e970228239e87581fd4d65c50334932d85a5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9265
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
|
|
The current unstable has a bunch of breakage which people have been
reporting, lets move the public instance to the stable channel until
that is sorted out.
Example breakage: https://github.com/tazjin/nixery/issues/159
Change-Id: Id5eb11ebd235928b85c01c178c32da3badea517f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9126
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
|
|
Flokli needs deploy access to whitby to ~~break auth~~ experiment with
Dex.
Change-Id: If39763192961e227ee569a312f6a0e3ae2c10786
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9113
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
|
|
this moved out of whitby some time ago (to koptevo.tazj.in), but is
now causing failures because of ACME cert renewal
Change-Id: I4da5512db0d85d416511a1d10f784e978c5ccc93
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8948
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
|
|
in accordnace with similar renaming on other sites
(e.g. GitHub, Exozyme, chaos.social)
My experience with exozyme tells me that fully applying
this change might require manual editing of gerrits database
anyways to fix broken references/patch ownerships.
Change-Id: I024ff264c09b25d8f854c489d93458d1fce7e9f4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8919
Autosubmit: lukegb <lukegb@tvl.fyi>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: zseri <zseri.devel@ytrizja.de>
|
|
Sadly, this can't quite be an alias (which would be difficult to
automatically set up anyways), since we want to check if an r/number is
part of the (upstream) canon branch.
The test script for the subcommand doubles up as a soundness check for
our pipelines ref creation.
Change-Id: I840af6556e50187c69490668bd8a18dd7dc25a86
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8844
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: flokli <flokli@flokli.de>
|
|
This was already removed from whitby a while ago, no reason to keep
this secret.
Change-Id: I4742dd0138a3eff91325c94e44e64b72c644ee3c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8915
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
|
|
Nothing is using this, so it can be removed.
Change-Id: I1b812b6df89d4f79ed313e646e141909519c6083
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8914
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: flokli <flokli@flokli.de>
|
|
This was dropped from whitby itself in cl/8905, but didn't drop the
module because we were worried someone else might still be using it.
However, this relies on the "oauth2-proxy" client ID, which only has the
following supported redirect uris (as per ops/keycloak/clients.tf):
- https://login.tvl.fyi/oauth2/callback
- http://localhost:4774/oauth2/callback
… which means, noone can really run this properly anyways, so let's
drop it.
We can always restore it from git.
Change-Id: I7d700f59a62cce1254ad4ba0792a7d7b3960b769
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8913
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
|
|
this never worked and was never used, but for now the module itself is
still around in case somebody wants it for something
Change-Id: Id8e449e08c8012786bca0ea57d9c7b97056a1f3d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8905
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: I8f89f00d3eca5cef23dc7698208b08e0b6826393
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8854
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
This runs a headscale server on sanduny which lets users join their
machines to the TVL tailscale network.
This would theoretically let people communicate with each other on the
internal network, but also more notably joined servers can advertise
exit node capability so that we can have our own "VPN network", for
starters with endpoints in Germany, UK and Russia (whitby, sanduny and
koptevo respectively).
This setup isn't fully stable yet, notably:
* The IP range used by tailscale is just the default one right now,
I'm not sure if that should be changed or what.
* The system is stateful (on sanduny), but the state is not (yet)
backed up anywhere. Use with caution.
* Machine joining is a manual process requiring SSH & root access to
sanduny.
The process is to log in to sanduny, then get a headscale shell with
`sudo -u headscale bash`, and to use the `headscale` CLI within
there to administrate access.
I've opted to create a user account `tvl` for TVL-owned machines,
and a personal account for myself and my machines.
Change-Id: I4f1be1fe8062a6c2e77203ff72fe8709f4e4dec8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8837
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
|
|
This will host a headscale server for TVL.
Change-Id: I8769852aaaf7a02a2d63f48ecf5adfd86747ff72
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8835
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
|
|
This avoids permission issues with nginx vs. quassel
Change-Id: I770f8284d8fd8fc6d38add93c1681f9daebe8749
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8786
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
* //ops/modules/depot-inbox: Adapt to upstream option type declaration.
See nixpkgs commit b6ed3b8f402893df91a8e21ce993520301c2f076.
* //ops/machines/sanduny, //users/tazjin/polyanka:
Remove boot.loader.grub.version options (no longer has any effect).
* //users/sterni/emacs: reflect rename emacsPgtk -> emacs-pgtk
* //3p/overlays: update tdlib to match emacs-overlay
* //3p/overlays: give EXWM from depot a separate name
* //users/grfn/system/home: disable Slack support in ntfy
Change-Id: I03bde088bc70e05b23925f244899807210cb7b20
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8547
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
Change-Id: Ib99755d2b49464a6a30442b696ecfeda03038066
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8767
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: If2596b5a3dc542dca9a06a51a5a0f509034665c8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8766
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: Iad2d85eaffe96de0cf9ecb490fe5ba87209e1005
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8765
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
It's actually quite common that a token provider might fail, for
example when fetching a token from instance metadata.
Change-Id: Ie0126fb92c6c613ad36b5583fd68505fdd97f2c1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8764
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
These are useful for downstream users of the library, who might not
need all the rest of the tonic stuff.
Change-Id: Iab4d941696ae3c7a33b25815b72f92598aa82b80
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8763
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: I27d23de0598e3ca926a85cba3022f2dfff25f6be
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8762
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
Change-Id: Ibc98d3878690099d6d95dfe1a2741d551ed7a72a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8608
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
This makes publishing a bit easier without the build script
interfering and other wonkiness.
Change-Id: Iadb144aabbdeabae8899ebdc62636315239e5f08
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8601
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
|
|
Change-Id: Icc15953557585cbb2708a1267ab509caca8b258e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8600
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: I0c4e77587b9fac14017449eb6a4630265b07950e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8599
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Mostly to remind myself about the wonky release process.
Change-Id: I76ea8d9a2ed600ebb31f4b1a5368f3cefa0556d6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8598
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
In case `target_user_ssh_key` points to an empty string, nixos-copy.sh
just doesn't set `IdentityFile=` at all.
This allows using deploy-nixos without any explicitly passed ssh keys,
but picking up whatever ssh setup the user has configured locally.
Change-Id: If335ce8434627e61da13bf6923b9767085af08a5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8576
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: I78f2116a63675fff5a36826b3e5390798ab9db9f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8526
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: flokli
|
|
Most likely due to bad UX in browsers for hardware-backed TLS client
cert auth, most websites have switched from client-side TLS to the "Web
eID" extension.
Once installed, the extension uses [Native Messaging] to talk to a
`web-eid-app` application, which handles the communication with the
smart card itself.
This can be tested on https://web-eid.eu/ .
The commit needs nixpkgs to be bumped past
https://github.com/NixOS/nixpkgs/pull/227354 .
[Native Messaging]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging
Change-Id: Iffe6d81ecf7cee25406fa39a983ff52cf669c373
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8490
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
This uses tonic to generate the full set of gRPC clients for Yandex
Cloud. Includes some utility functions like an authentication
interceptor to make these actually work.
Since the upstream protos are exported regularly I've decided that the
versioning will simply be date-based.
The point of this is journaldriver integration, of course, hence also
the log-centric example code.
Change-Id: I00a615dcba80030e7f9bcfd476b2cfdb298f130d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8525
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
Change-Id: Ib5f8c314d2c7ad6af948ff23754eeb895b1f1e94
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8529
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: flokli <flokli@flokli.de>
|
|
nixpkgs commit 134036f642a7f3ba9efeab509727c0989458b02b moved the
digidoc-tool binary to the `bin` output, so this wasn't actually
providing the digidoc-tool binary anymore.
Change-Id: Id5f7cc69d55b7cc058a6361512cc74de0e7bc1b2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8487
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
|
|
Change-Id: I6fc2aaefe40e449bd1937bb68f3a2ab4abaa5cd0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8372
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
|
|
* Satisfy new assert that the corresponding shell needs to be enabled
via programs.* if it is as the login shell of at least one user.
* //users/tazjin: “Address” removal of hardware.video.hidpi option.
* //3p/gerrit: update fetch sha256
Change-Id: Id0988a0ea7f393d6b7848a7104fc3526ee1177f4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8407
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Instead of prepending :unsign to all URLs in josh-proxy, and for all
calls to filteredGitPush, explicitly use it only in the filter we use
for the `export-kit` extraStep.
This means, people cloning tvl-kit via
> https://code.tvl.fyi/depot.git:workspace=views/kit.git
now need to update the URL to point to
> https://code.tvl.fyi/depot.git:unsign:workspace=views/kit.git
instead.
git@github.com:tvlfyi/kit.git will keep the same hashes, as it's updated
to export the unsigned workspace view of it.
This is less invasive than dooming every josh workspace to have to strip
signatures.
Change-Id: I6de05182fad4c3695081388c3bbf37306521d255
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8369
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
I *want* search engines to index our CLs, they might be useful!
Change-Id: I956d92c80d812e1aefefb6daeba77a1588055b94
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8361
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
|
|
Change-Id: I198ea197867f9b9a48e51665d0665f722202e02e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8299
Reviewed-by: flokli <flokli@flokli.de>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Change-Id: Ie1994ac4d14344c82ae184f4e3cd9f5292d96c84
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8297
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
|
|
Change-Id: Ied022e6c1a8039a9db375a8593afb76edcaa6dbd
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8295
Reviewed-by: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
We missed renaming this as well while iterating over
https://cl.tvl.fyi/c/depot/+/7950.
Change-Id: I704d3b60bb3beb1a2148e27bdd4a49075a6649b3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8230
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
It's been a long time since we updated josh, almost 400 commits in
between. I read through the entire changelog, and here are relevant
josh commits from in between that might be interesting to us:
38eecee Fix optimisation bug for compose filter (#1159)
e1d10b6 Add :rev(...) filter
0f1a07b Initial implementation of refs locking (#929)
88cea2a Initial work on meta repo support
030ad93 Change magic refs to include "for"
28b1d75 Add split changes feature (#904)
1f908d7 Discover filters only on HEAD (#774)
a368d8f Make --require-auth only apply to push
8d80230 Add :linear filter (#741)
3460ec2 Implement redundant refs filtering (#700)
55b4e50 Implement stacked changes support (#699)
ea1f814 Handle @sha urls by creating magic ref (#690)
883a381 Run filter discovery only on changed refs (#685)
4bb004f Prepend refs/heads to base parameter as default (#664)
Of particular interest is a368d8f, which allows us to drop our
authentication patch and use the standard --require-auth flag again.
The default behaviour of dropping signatures on commits (which are
invalid after filtering) has also been changed in josh, now only
occuring when the `:unsign` filter is present. Since this breaks
commit hashes with our existing exported histories, we are opting to
set a `:unsign` filter prefix on all proxy requests to ensure that the
hashes stay consistent.
During this update we found a bug (josh#1155) which was fixed in the
commit that this CL moves josh to.
Change-Id: I3afac1619f3aa90313a0441da91f0e4a96fe0a3b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8186
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
|
|
This allows passing in custom triggers to trigger a (re)deploy.
For example, a caller can put an AWS instance ID into the triggers to
cause a redeploy whenever the instance ID has changed.
The `target_name` terraform variable was doing something similar, but
`triggers` is more generic, allowing multiple triggers, without having
to stringify them.
We also don't need to trigger on the attrpath - it can be changed, and
as long as it still evaluates to the same
`data.external.nixos_system.result.drv` (which is checked on every
plan), no redeploy needs to be made.
Change-Id: I94ce787a50830b87b6f53c08e042e4abe4036bdd
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8191
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: flokli <flokli@flokli.de>
|
|
This adds an additional parameter `entrypoint`, pointing to a .nix file
(or a directory containing a `default.nix` file) that's providing the
attribute path asked for.
If not set / kept at the default (empty string), it falls back to the
root dir of the repository as before.
Change-Id: I2e63114f21660c842153ac15424b3491d66624d2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8190
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
|
|
This module makes it fairly easy to deploy NixOS system closures using
Terraform, while properly separating the evaluation of a
derivation (to determine whether a deploy is needed) from the building
and copying of the closure itself.
This has been on my stack for a while. It was originally developed for
Resoptima, who agreed to open-sourcing it in depot back when we
completed our work with them. Their contribution has been acknowledged
in the README.
Co-Authored-By: Florian Klink <flokli@flokli.de>
Change-Id: Ica4c170658cd25f1fb7072c9a45735fcc4351474
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7950
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
|
|
Whitby has a lot of memory, but I've still been fighting with the OOM
Killer trying to build a few big packages at the same time. Besides,
it's generally a good idea to always have swap available even if
there's lots of memory for caching optimisation reasons[1], and zram
swap is efficient enough to basically provide bonus memory for free.
[1]: https://haydenjames.io/linux-performance-almost-always-add-swap-space/
Change-Id: I1fbe60f7975ebfa38e341e0de76848ec79b6fcf0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8065
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
|
|
This way, I won't have to teach my name one at a time to every program
that wants to know my it (e.g. git).
Change-Id: I45ddd9c2343a10cd4c13bacd9a97b7470db95c14
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8038
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
|