path: root/ops
Age | Commit message | Author | Files | Lines
2023-09-05 | r/6551 feat(ops/glesys): delegate signup.tvl.fyi to whitby in DNS | Vincent Ambo | 1 | -0/+1
Change-Id: I7ca1e970228239e87581fd4d65c50334932d85a5 Reviewed-on: https://cl.tvl.fyi/c/depot/+/9265 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de>
2023-08-22 | r/6517 fix(ops/nixery): switch nixery.dev to stable nixpkgs channel | Vincent Ambo | 1 | -2/+3
The current unstable has a bunch of breakage which people have been reporting, let's move the public instance to the stable channel until that is sorted out. Example breakage: https://github.com/tazjin/nixery/issues/159 Change-Id: Id5eb11ebd235928b85c01c178c32da3badea517f Reviewed-on: https://cl.tvl.fyi/c/depot/+/9126 Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2023-08-21 | r/6516 feat(tvl-users): grant wheel privileges to flokli | Vincent Ambo | 1 | -1/+1
Flokli needs deploy access to whitby to ~~break auth~~ experiment with Dex. Change-Id: If39763192961e227ee569a312f6a0e3ae2c10786 Reviewed-on: https://cl.tvl.fyi/c/depot/+/9113 Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2023-07-10 | r/6401 fix(ops/whitby): remove tazj.in module | Vincent Ambo | 1 | -1/+0
this moved out of whitby some time ago (to koptevo.tazj.in), but is now causing failures because of ACME cert renewal Change-Id: I4da5512db0d85d416511a1d10f784e978c5ccc93 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8948 Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI
2023-07-07 | r/6396 fix(users): rename zseri -> fogti | Alain Zscheile | 1 | -2/+2
in accordance with similar renaming on other sites (e.g. GitHub, Exozyme, chaos.social) My experience with exozyme tells me that fully applying this change might require manual editing of Gerrit's database anyways to fix broken references/patch ownerships. Change-Id: I024ff264c09b25d8f854c489d93458d1fce7e9f4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8919 Autosubmit: lukegb <lukegb@tvl.fyi> Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: zseri <zseri.devel@ytrizja.de>
2023-07-05 | r/6392 feat(tools/git-r): git subcommand to display r/numbers for commits | sterni | 1 | -0/+5
Sadly, this can't quite be an alias (which would be difficult to automatically set up anyways), since we want to check if an r/number is part of the (upstream) canon branch. The test script for the subcommand doubles up as a soundness check for our pipelines ref creation. Change-Id: I840af6556e50187c69490668bd8a18dd7dc25a86 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8844 Tested-by: BuildkiteCI Autosubmit: sterni <sternenseemann@systemli.org> Reviewed-by: flokli <flokli@flokli.de>
2023-07-01 | r/6383 chore(ops/secrets): drop oauth2_proxy.age | Florian Klink | 2 | -1/+0
This was already removed from whitby a while ago, no reason to keep this secret. Change-Id: I4742dd0138a3eff91325c94e44e64b72c644ee3c Reviewed-on: https://cl.tvl.fyi/c/depot/+/8915 Autosubmit: flokli <flokli@flokli.de> Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2023-07-01 | r/6382 chore(ops/keycloak): drop oauth2-proxy client | Florian Klink | 1 | -21/+0
Nothing is using this, so it can be removed. Change-Id: I1b812b6df89d4f79ed313e646e141909519c6083 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8914 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: flokli <flokli@flokli.de>
2023-07-01 | r/6381 chore(ops/modules): remove oauth2_proxy module | Florian Klink | 1 | -60/+0
This was dropped from whitby itself in cl/8905, but didn't drop the module because we were worried someone else might still be using it. However, this relies on the "oauth2-proxy" client ID, which only has the following supported redirect uris (as per ops/keycloak/clients.tf):
- https://login.tvl.fyi/oauth2/callback
- http://localhost:4774/oauth2/callback
… which means, no one can really run this properly anyways, so let's drop it. We can always restore it from git.
Change-Id: I7d700f59a62cce1254ad4ba0792a7d7b3960b769 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8913 Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI Autosubmit: flokli <flokli@flokli.de>
2023-06-30 | r/6374 chore(ops/whitby): remove broken oauth2_proxy service | Vincent Ambo | 1 | -5/+0
this never worked and was never used, but for now the module itself is still around in case somebody wants it for something Change-Id: Id8e449e08c8012786bca0ea57d9c7b97056a1f3d Reviewed-on: https://cl.tvl.fyi/c/depot/+/8905 Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-06-23 | r/6350 chore(ops/whitby): drop obsolete grub version option | sterni | 1 | -1/+0
Change-Id: I8f89f00d3eca5cef23dc7698208b08e0b6826393 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8854 Autosubmit: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2023-06-22 | r/6343 feat(ops): introduce (head|tail)scale server at net.tvl.fyi | Vincent Ambo | 3 | -0/+76
This runs a headscale server on sanduny which lets users join their machines to the TVL tailscale network. This would theoretically let people communicate with each other on the internal network, but also more notably joined servers can advertise exit node capability so that we can have our own "VPN network", for starters with endpoints in Germany, UK and Russia (whitby, sanduny and koptevo respectively).
This setup isn't fully stable yet, notably:
* The IP range used by tailscale is just the default one right now, I'm not sure if that should be changed or what.
* The system is stateful (on sanduny), but the state is not (yet) backed up anywhere. Use with caution.
* Machine joining is a manual process requiring SSH & root access to sanduny. The process is to log in to sanduny, then get a headscale shell with `sudo -u headscale bash`, and to use the `headscale` CLI within there to administrate access.
I've opted to create a user account `tvl` for TVL-owned machines, and a personal account for myself and my machines.
Change-Id: I4f1be1fe8062a6c2e77203ff72fe8709f4e4dec8 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8837 Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2023-06-20 | r/6338 feat(ops/glesys): add `net.tvl.fyi` CNAME for sanduny | Vincent Ambo | 1 | -0/+7
This will host a headscale server for TVL. Change-Id: I8769852aaaf7a02a2d63f48ecf5adfd86747ff72 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8835 Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI
2023-06-15 | r/6317 fix(ops/modules/quassel): use systemd LoadCredential to read certs | Vincent Ambo | 1 | -1/+5
This avoids permission issues with nginx vs. quassel Change-Id: I770f8284d8fd8fc6d38add93c1681f9daebe8749 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8786 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-06-15 | r/6311 chore(3p/sources): Bump channels & overlays | sterni | 2 | -2/+1
* //ops/modules/depot-inbox: Adapt to upstream option type declaration. See nixpkgs commit b6ed3b8f402893df91a8e21ce993520301c2f076.
* //ops/machines/sanduny, //users/tazjin/polyanka: Remove boot.loader.grub.version options (no longer has any effect).
* //users/sterni/emacs: reflect rename emacsPgtk -> emacs-pgtk
* //3p/overlays: update tdlib to match emacs-overlay
* //3p/overlays: give EXWM from depot a separate name
* //users/grfn/system/home: disable Slack support in ntfy
Change-Id: I03bde088bc70e05b23925f244899807210cb7b20 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8547 Autosubmit: sterni <sternenseemann@systemli.org> Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2023-06-14 | r/6292 fix(ops/yandex-cloud-rs): fix dev-dependencies for examples | Vincent Ambo | 2 | -0/+4
Change-Id: Ib99755d2b49464a6a30442b696ecfeda03038066 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8767 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-06-14 | r/6291 docs(ops/yandex-cloud-rs): link to folder with usage examples | Vincent Ambo | 1 | -0/+3
Change-Id: If2596b5a3dc542dca9a06a51a5a0f509034665c8 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8766 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-06-14 | r/6290 chore(ops/yandex-cloud-rs): bump API definitions to 2023-06-13 | Vincent Ambo | 3 | -92/+65
Change-Id: Iad2d85eaffe96de0cf9ecb490fe5ba87209e1005 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8765 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2023-06-14 | r/6289 refactor(ops/yandex-cloud-rs): allow TokenProvider impls to fail | Vincent Ambo | 1 | -6/+6
It's actually quite common that a token provider might fail, for example when fetching a token from instance metadata. Change-Id: Ie0126fb92c6c613ad36b5583fd68505fdd97f2c1 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8764 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2023-06-14 | r/6288 chore(ops/yandex-cloud-rs): re-export some tonic types | Vincent Ambo | 1 | -0/+9
These are useful for downstream users of the library, who might not need all the rest of the tonic stuff. Change-Id: Iab4d941696ae3c7a33b25815b72f92598aa82b80 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8763 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-06-14 | r/6287 fix(ops/yandex-cloud-rs): add `Bearer` prefix to auth token | Vincent Ambo | 1 | -2/+3
Change-Id: I27d23de0598e3ca926a85cba3022f2dfff25f6be Reviewed-on: https://cl.tvl.fyi/c/depot/+/8762 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2023-05-23 | r/6175 chore(ops/yandex-cloud-rs): bump API specs to 2023-05-23 | Vincent Ambo | 4 | -17/+15
Change-Id: Ibc98d3878690099d6d95dfe1a2741d551ed7a72a Reviewed-on: https://cl.tvl.fyi/c/depot/+/8608 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-05-19 | r/6170 chore(ops/yandex-cloud-rs): explicitly set `include` in manifest | Vincent Ambo | 1 | -0/+1
This makes publishing a bit easier without the build script interfering and other wonkiness. Change-Id: Iadb144aabbdeabae8899ebdc62636315239e5f08 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8601 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su>
2023-05-19 | r/6169 fix(ops/yandex-cloud-rs): set license in Cargo manifest | Vincent Ambo | 1 | -0/+1
Change-Id: Icc15953557585cbb2708a1267ab509caca8b258e Reviewed-on: https://cl.tvl.fyi/c/depot/+/8600 Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-05-19 | r/6168 chore(ops/yandex-cloud-rs): bump API definitions (2023-05-19) | Vincent Ambo | 3 | -72/+72
Change-Id: I0c4e77587b9fac14017449eb6a4630265b07950e Reviewed-on: https://cl.tvl.fyi/c/depot/+/8599 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-05-19 | r/6167 docs(ops/yandex-cloud-rs): add developer-facing README | Vincent Ambo | 2 | -0/+53
Mostly to remind myself about the wonky release process. Change-Id: I76ea8d9a2ed600ebb31f4b1a5368f3cefa0556d6 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8598 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2023-05-16 | r/6143 feat(ops/terraform/deploy-nixos): make target_user_ssh_key optional | Florian Klink | 2 | -9/+14
In case `target_user_ssh_key` points to an empty string, nixos-copy.sh just doesn't set `IdentityFile=` at all. This allows using deploy-nixos without any explicitly passed ssh keys, but picking up whatever ssh setup the user has configured locally. Change-Id: If335ce8434627e61da13bf6923b9767085af08a5 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8576 Autosubmit: flokli <flokli@flokli.de> Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-05-11 | r/6132 chore: address renames of boot & tmp related options | sterni | 1 | -1/+1
Change-Id: I78f2116a63675fff5a36826b3e5390798ab9db9f Reviewed-on: https://cl.tvl.fyi/c/depot/+/8526 Tested-by: BuildkiteCI Autosubmit: sterni <sternenseemann@systemli.org> Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: flokli
2023-04-28 | r/6117 feat(ops/modules/open_eid): add support for Web eID extension | Florian Klink | 1 | -20/+37
Most likely due to bad UX in browsers for hardware-backed TLS client cert auth, most websites have switched from client-side TLS to the "Web eID" extension. Once installed, the extension uses [Native Messaging] to talk to a `web-eid-app` application, which handles the communication with the smart card itself. This can be tested on https://web-eid.eu/ . The commit needs nixpkgs to be bumped past https://github.com/NixOS/nixpkgs/pull/227354 . [Native Messaging]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging Change-Id: Iffe6d81ecf7cee25406fa39a983ff52cf669c373 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8490 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-04-28 | r/6116 feat(ops/yandex-cloud-rs): generated gRPC clients for Yandex Cloud | Vincent Ambo | 7 | -0/+1613
This uses tonic to generate the full set of gRPC clients for Yandex Cloud. Includes some utility functions like an authentication interceptor to make these actually work. Since the upstream protos are exported regularly I've decided that the versioning will simply be date-based. The point of this is journaldriver integration, of course, hence also the log-centric example code. Change-Id: I00a615dcba80030e7f9bcfd476b2cfdb298f130d Reviewed-on: https://cl.tvl.fyi/c/depot/+/8525 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2023-04-28 | r/6115 feat(ops/users): Add hsjobeki to users | Johannes Kirschbauer | 1 | -0/+5
Change-Id: Ib5f8c314d2c7ad6af948ff23754eeb895b1f1e94 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8529 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: flokli <flokli@flokli.de> Reviewed-by: flokli <flokli@flokli.de>
2023-04-19 | r/6099 fix(ops/modules/open_eid): use libdigidocpp.bin | Florian Klink | 1 | -1/+1
nixpkgs commit 134036f642a7f3ba9efeab509727c0989458b02b moved the digidoc-tool binary to the `bin` output, so this wasn't actually providing the digidoc-tool binary anymore. Change-Id: Id5f7cc69d55b7cc058a6361512cc74de0e7bc1b2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8487 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Autosubmit: flokli <flokli@flokli.de>
2023-04-11 | r/6094 chore: adapt to ssh option renames | sterni | 1 | -2/+4
Change-Id: I6fc2aaefe40e449bd1937bb68f3a2ab4abaa5cd0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8372 Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI
2023-04-07 | r/6072 chore(3p/sources): Bump channels & overlays | sterni | 1 | -3/+3
* Satisfy new assert that the corresponding shell needs to be enabled via programs.* if it is set as the login shell of at least one user.
* //users/tazjin: “Address” removal of hardware.video.hidpi option.
* //3p/gerrit: update fetch sha256
Change-Id: Id0988a0ea7f393d6b7848a7104fc3526ee1177f4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8407 Autosubmit: sterni <sternenseemann@systemli.org> Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-03-31 | r/6064 fix(views/kit): communicate :unsign in the tvl-kit URL directly | Florian Klink | 1 | -1/+1
Instead of prepending :unsign to all URLs in josh-proxy, and for all calls to filteredGitPush, explicitly use it only in the filter we use for the `export-kit` extraStep. This means, people cloning tvl-kit via
> https://code.tvl.fyi/depot.git:workspace=views/kit.git
now need to update the URL to point to
> https://code.tvl.fyi/depot.git:unsign:workspace=views/kit.git
instead. git@github.com:tvlfyi/kit.git will keep the same hashes, as it's updated to export the unsigned workspace view of it. This is less invasive than dooming every josh workspace to have to strip signatures.
Change-Id: I6de05182fad4c3695081388c3bbf37306521d255 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8369 Autosubmit: flokli <flokli@flokli.de> Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-03-29 | r/6054 fix(ops/www): allow all indexing on cl.tvl.fyi | Vincent Ambo | 1 | -0/+4
I *want* search engines to index our CLs, they might be useful! Change-Id: I956d92c80d812e1aefefb6daeba77a1588055b94 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8361 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: flokli <flokli@flokli.de>
2023-03-14 | r/6005 feat(ops): serve Tvix website & docs on (docs.)tvix.dev | Vincent Ambo | 2 | -0/+40
Change-Id: I198ea197867f9b9a48e51665d0665f722202e02e Reviewed-on: https://cl.tvl.fyi/c/depot/+/8299 Reviewed-by: flokli <flokli@flokli.de> Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-03-14 | r/6003 feat(ops/glesys): add CNAME for docs.tvix.dev | Vincent Ambo | 1 | -0/+7
Change-Id: Ie1994ac4d14344c82ae184f4e3cd9f5292d96c84 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8297 Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2023-03-14 | r/6001 feat(ops/glesys): point tvix.dev at whitby | Vincent Ambo | 1 | -0/+40
Change-Id: Ied022e6c1a8039a9db375a8593afb76edcaa6dbd Reviewed-on: https://cl.tvl.fyi/c/depot/+/8295 Reviewed-by: flokli <flokli@flokli.de> Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-03-08 | r/5902 fix(ops/terraform): s/TARGET_ADDRESS/TARGET_HOST | Florian Klink | 1 | -1/+1
We missed renaming this as well while iterating over https://cl.tvl.fyi/c/depot/+/7950. Change-Id: I704d3b60bb3beb1a2148e27bdd4a49075a6649b3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8230 Autosubmit: flokli <flokli@flokli.de> Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-03-07 | r/5895 chore(3p/josh): update josh to recent master commit | Vincent Ambo | 1 | -1/+1
It's been a long time since we updated josh, almost 400 commits in between. I read through the entire changelog, and here are relevant josh commits from in between that might be interesting to us:
38eecee Fix optimisation bug for compose filter (#1159)
e1d10b6 Add :rev(...) filter
0f1a07b Initial implementation of refs locking (#929)
88cea2a Initial work on meta repo support
030ad93 Change magic refs to include "for"
28b1d75 Add split changes feature (#904)
1f908d7 Discover filters only on HEAD (#774)
a368d8f Make --require-auth only apply to push
8d80230 Add :linear filter (#741)
3460ec2 Implement redundant refs filtering (#700)
55b4e50 Implement stacked changes support (#699)
ea1f814 Handle @sha urls by creating magic ref (#690)
883a381 Run filter discovery only on changed refs (#685)
4bb004f Prepend refs/heads to base parameter as default (#664)
Of particular interest is a368d8f, which allows us to drop our authentication patch and use the standard --require-auth flag again. The default behaviour of dropping signatures on commits (which are invalid after filtering) has also been changed in josh, now only occurring when the `:unsign` filter is present. Since this breaks commit hashes with our existing exported histories, we are opting to set a `:unsign` filter prefix on all proxy requests to ensure that the hashes stay consistent. During this update we found a bug (josh#1155) which was fixed in the commit that this CL moves josh to.
Change-Id: I3afac1619f3aa90313a0441da91f0e4a96fe0a3b Reviewed-on: https://cl.tvl.fyi/c/depot/+/8186 Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2023-03-03 | r/5872 feat(ops/terraform): add trigger to deploy-nixos, remove target_name | Florian Klink | 2 | -10/+8
This allows passing in custom triggers to trigger a (re)deploy. For example, a caller can put an AWS instance ID into the triggers to cause a redeploy whenever the instance ID has changed. The `target_name` terraform variable was doing something similar, but `triggers` is more generic, allowing multiple triggers, without having to stringify them. We also don't need to trigger on the attrpath - it can be changed, and as long as it still evaluates to the same `data.external.nixos_system.result.drv` (which is checked on every plan), no redeploy needs to be made. Change-Id: I94ce787a50830b87b6f53c08e042e4abe4036bdd Reviewed-on: https://cl.tvl.fyi/c/depot/+/8191 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: flokli <flokli@flokli.de>
2023-03-03 | r/5871 feat(ops/terraform): allow specifying an entrypoint for the attrset | Florian Klink | 2 | -5/+15
This adds an additional parameter `entrypoint`, pointing to a .nix file (or a directory containing a `default.nix` file) that's providing the attribute path asked for. If not set / kept at the default (empty string), it falls back to the root dir of the repository as before. Change-Id: I2e63114f21660c842153ac15424b3491d66624d2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8190 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Autosubmit: flokli <flokli@flokli.de>
2023-03-03 | r/5867 feat(ops/terraform): add module for deploying NixOS system closures | Vincent Ambo | 5 | -0/+187
This module makes it fairly easy to deploy NixOS system closures using Terraform, while properly separating the evaluation of a derivation (to determine whether a deploy is needed) from the building and copying of the closure itself. This has been on my stack for a while. It was originally developed for Resoptima, who agreed to open-sourcing it in depot back when we completed our work with them. Their contribution has been acknowledged in the README. Co-Authored-By: Florian Klink <flokli@flokli.de> Change-Id: Ica4c170658cd25f1fb7072c9a45735fcc4351474 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7950 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-02-11 | r/5846 chore(whitby): enable zram swap | Alyssa Ross | 1 | -0/+2
Whitby has a lot of memory, but I've still been fighting with the OOM Killer trying to build a few big packages at the same time. Besides, it's generally a good idea to always have swap available even if there's lots of memory for caching optimisation reasons[1], and zram swap is efficient enough to basically provide bonus memory for free. [1]: https://haydenjames.io/linux-performance-almost-always-add-swap-space/ Change-Id: I1fbe60f7975ebfa38e341e0de76848ec79b6fcf0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8065 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2023-02-09 | r/5844 chore(ops/modules): add a GECOS for my user | Alyssa Ross | 1 | -0/+1
This way, I won't have to teach my name one at a time to every program that wants to know it (e.g. git). Change-Id: I45ddd9c2343a10cd4c13bacd9a97b7470db95c14 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8038 Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2023-02-01 | r/5817 fix(ops/buildkite): set default_branch explicitly | Florian Klink | 1 | -12/+15
It looks like this needs to be set for the tvix pipeline to succeed. It was set to `canon` for `tvl-kit` (not sure if manually, or some autodetection previously did it for us that's not present anymore). Anyways, this sets it to how it's set in the web interface, to hopefully fix it. Change-Id: Ic3eb60e3f421fa949a84dcdaa928823ff45f679a Reviewed-on: https://cl.tvl.fyi/c/depot/+/8008 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Autosubmit: flokli <flokli@flokli.de>
2023-02-01 | r/5815 feat(ops/pipelines): trigger tvix buildkite pipeline | Florian Klink | 1 | -0/+10
Change-Id: I4e81694b9686f977a6590c5e1703a4ef413b0cf4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8003 Autosubmit: flokli <flokli@flokli.de> Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-02-01 | r/5813 feat(ops/buildkite): add tvix pipeline | Florian Klink | 2 | -0/+11
Change-Id: Ie701e0b77c596e07600efd1a59749d05068f0dbc Reviewed-on: https://cl.tvl.fyi/c/depot/+/8006 Tested-by: BuildkiteCI Autosubmit: flokli <flokli@flokli.de> Reviewed-by: tazjin <tazjin@tvl.su>
2023-02-01 | r/5810 feat(ops/secrets): add flokli to terraform secrets access | Vincent Ambo | 25 | -138/+135
Change-Id: I9ede20028560f2da0fef89dfe431609c21bda51c Reviewed-on: https://cl.tvl.fyi/c/depot/+/8005 Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI