about summary refs log tree commit diff
path: root/ops
AgeCommit message (Collapse)AuthorFilesLines
2022-01-14 r/3598 fix(gerrit-tvl): Handle "broken" (skipped) jobs correctlyVincent Ambo1-1/+7
by simply skipping them Change-Id: I9cbec3b79469ae01b1873d6a42e990b98cc4110a Reviewed-on: https://cl.tvl.fyi/c/depot/+/4921 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-01-14 r/3597 fix(gerrit-tvl): Exclude non-command jobs from check resultsVincent Ambo1-0/+5
Change-Id: I13727d30ac7a568f02614a4bbc778afed6a286ba Reviewed-on: https://cl.tvl.fyi/c/depot/+/4891 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi> Autosubmit: tazjin <tazjin@tvl.su>
2022-01-14 r/3596 fix(gerrit-tvl): Explicitly specify patchset on check runsVincent Ambo1-0/+1
Since we now group patchsets inside of Buildkite, the results are no longer guaranteed to be for the right patchset. There might be some metadata passed in from Gerrit that would let us do this with the commit ID instead, but I haven't checked. Change-Id: I5b74a17697511160fcc89d3dbef23517d974dc6f Reviewed-on: https://cl.tvl.fyi/c/depot/+/4890 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi> Autosubmit: tazjin <tazjin@tvl.su>
2022-01-14 r/3595 fix(gerrit-tvl): Mark job as failed on all failure statesVincent Ambo1-1/+1
Change-Id: If0fa85d8178b9e457305d0244ddf67d12a4b3051 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4889 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi> Autosubmit: tazjin <tazjin@tvl.su>
2022-01-14 r/3594 fix(gerrit-tvl): Support all documented Buildkite job statusesVincent Ambo1-12/+58
I'm not sure where the previous list originated, but it was missing some officially documented statuses. However, the API definitely returns statuses that are documented to only appear in other types, so this commit simply maps ALL statuses that Buildkite has documented for any type. Also adds a log statement in case we encounter a brand new, unknown, undocumented status. Change-Id: Iff003a3bd2608702019ae0f4137958435ad0856f Reviewed-on: https://cl.tvl.fyi/c/depot/+/4888 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-01-14 r/3593 fix(gerrit-tvl): Fix construction of ref used in BuildkiteVincent Ambo1-3/+2
... and remove a spammy log statement. This changed in besadii a while ago and lead to the behaviour of failing silently, instead of failing with an error saying "undefined undefined". Note that with this change merged the plugin probably still won't work again, but it gets us a step closer to the real error. Change-Id: I3db25d246f4b1c634d316cd92574e27fb220d769 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4887 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-01-14 r/3592 feat(besadii): Skip builds of patchsets with no code changesVincent Ambo1-2/+8
Currently Gerrit is configured to copy forward the scores of the 'Verified' label if the tree of the commit does not change (e.g. only author information or commit message is modified). Besadii still triggers builds for these patchsets though. With this change it will inspect the (previously ignored) "kind" of the patchset and skip patchsets with the same tree as their predecessor. See Gerrit docs for the semantics of "kind": https://gerrit-review.googlesource.com/Documentation/json.html#patchSet Note that an argument can be made that we should do the exact opposite - stop carrying over 'Verified' at all and always build all patchsets. I think this depends on whether we intend to use commit metadata in CI runs at all. Adding a few people to the review for opinions. Change-Id: I48a96a1ad1e07d92330d84e5cfdc820a39395297 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4867 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: asmundo <asmundo@gmail.com> Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-13 r/3590 feat(whitby): Install a handful of systemPackagesVincent Ambo1-5/+13
Adds more things I keep using via nix-shell, as well as the deploy-whitby script (which is independent of a particular depot checkout). Change-Id: I36f87de7645768a05268c90ba9b3ab833bacca05 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4881 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-13 r/3589 refactor(deploy-whitby): use nvd instead of nix-diffVincent Ambo2-2/+2
nvd only shows us changed versions of packages, as well as added/removed packages, which means that for the majority of depot packages nothing will be displayed however, the current output of nix-diff is not usable anyways, so having something that can be looked at is better than nothing Change-Id: Iefbd8139c7ccf5c88ed1209897abdb2ae9302e91 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4868 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2022-01-12 r/3588 fix: resolve remaining security.acme.email warningssterni1-1/+1
These were missed in cl/4784. Change-Id: I01a5827900c1b3bdfdf9b1c36dcca8d6b59073a1 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4866 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: wpcarro <wpcarro@gmail.com> Autosubmit: sterni <sternenseemann@systemli.org>
2022-01-12 r/3585 fix(ops/besadii) no need to ref CL number in post to GerritÅsmund Østvold1-1/+1
The comment posted to the Gerrit change do not need to contain the CL number as it is given by the context of the Gerrit UI. Change-Id: I172645e7f4d82e2fbebe179578babd42ea29737f Reviewed-on: https://cl.tvl.fyi/c/depot/+/4826 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: asmundo <asmundo@gmail.com>
2022-01-08 r/3573 fix(wpcarro/all-systems): Remove diogenes from my top-level systemsWilliam Carroll1-1/+0
When `findSystem` attempts to evaluate `system.config.networking.hostName`, diogenes (because I've refactored its definition) causes the following error: > You're trying to declare a value of type `string' > rather than an attribute-set for the option > `system'! Change-Id: Ib23cb9aa9cadc1f71ad3369c903e587762d12cc0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4830 Reviewed-by: wpcarro <wpcarro@gmail.com> Reviewed-by: lukegb <lukegb@tvl.fyi> Autosubmit: wpcarro <wpcarro@gmail.com> Tested-by: BuildkiteCI
2022-01-07 r/3526 feat(ops/auto-deploy): Support emergency stops via stop fileVincent Ambo1-0/+9
Adds a feature to emergency-stop deploys by simply running `touch /var/lib/auto-deploy/stop`. This can be useful in some situations, especially if there is a process that reconciles service state (so that e.g. stopping the unit's timer would be undone). Change-Id: I233dfac365a578bfa4110eb605b50be079974ba4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4827 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: wpcarro <wpcarro@gmail.com>
2022-01-07 r/3525 chore(cache.tvl.su): Raise cache priority to 50Vincent Ambo1-0/+5
The priority of binary caches is decided by the remotes in Nix (???), and by default nix-serve (which is *very* slow) has a lower priority than cache.nixos.org (which means that it will be preferred over the faster cache for paths that exist on both). To avoid this, override the hardcoded (????) priority by serving the nix-cache-info response directly from nginx instead. Change-Id: I15a2d6618386d16edaf69f1c9257a36bd72132d2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4823 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: grfn <grfn@gws.fyi>
2022-01-07 r/3524 revert: "fix(ops/pipelines): Remove duplicated wait step"tazjin1-0/+4
This reverts commit 5e036ed9fc579d14353eb7da4af4b426c99f96e6. Reason for revert: This introduced a logic error since the remaining step runs at the wrong point in the pipeline. Temporarily reverting to having duplicated waits in order to clean up later. Change-Id: Ifa6ece50dd22924f02efd7b790a5863ca1189af7 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4841 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: tazjin <tazjin@tvl.su>
2022-01-04 r/3518 feat(ops): Add initial oauth2_proxy configurationVincent Ambo4-0/+58
The intent is to configure oauth2_proxy pointing at Keycloak to enable usage with nginx auth_request directives. I want to expose this as a function from within the module in which nginx server configuration blocks can be wrapped, but the function for that is currently a placeholder. Change-Id: I5ed7deb9bf1c62818f516e68c33e8c5b632fccfe Reviewed-on: https://cl.tvl.fyi/c/depot/+/4767 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2022-01-04 r/3517 chore(ops): Remove login.tvl.fyi moduleVincent Ambo2-25/+0
It looks like we won't need this for oauth2_proxy when combined with nginx auth_request setups. Change-Id: I2294aee6226b4f64a27bf6592c2d18092d0268cc Reviewed-on: https://cl.tvl.fyi/c/depot/+/4766 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: grfn <grfn@gws.fyi>
2022-01-02 r/3512 fix(ops/pipelines): Realise anchor derivation for rootingVincent Ambo1-1/+1
Turns the anchor derivation into something that can actually be built (a call creating a propagated build inputs file), and builds it. This should fix the anchoring logic we have on canon. Change-Id: If6a7662b82e2e396388980f65e332cf67a45b46e Reviewed-on: https://cl.tvl.fyi/c/depot/+/4763 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-02 r/3511 refactor(ops/keycloak): Split out clients & user-sourcesVincent Ambo3-106/+113
Without some kind of physical organisation it's a little difficult to understand whether things are going "in" (supplying users to Keycloak) or "out" (getting auth/user info from Keycloak). Change-Id: I516501081e3448c81c710fcbc79cc68ad2a80f3b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4762 Tested-by: BuildkiteCI Reviewed-by: Profpatsch <mail@profpatsch.de>
2022-01-02 r/3510 fix(ops/pipelines): Remove duplicated wait stepVincent Ambo1-4/+0
This now happens in //nix/buildkite instead Change-Id: Ie9e239ee4f28ac34aa4d3279dac55d70a2cb9d86 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4764 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-01 r/3509 refactor(modules/smtprelay): Load credentials via agenixVincent Ambo2-7/+15
Change-Id: I56f6887e1fd35551cfc83ad08cafebb611f4a341 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4760 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: Profpatsch <mail@profpatsch.de> Autosubmit: tazjin <mail@tazj.in>
2022-01-01 r/3508 feat(ops/secrets): Add smtprelay credentialsVincent Ambo2-0/+15
Change-Id: I489e611a3fb19b4a374a563aa1afd81a130b2e7f Reviewed-on: https://cl.tvl.fyi/c/depot/+/4759 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: tazjin <mail@tazj.in>
2021-12-28 r/3495 fix(ops/keycloak): redefine buildkite client, correctly this timeVincent Ambo1-15/+26
This client definition was previously nonsense. What happened is that I accidentally imported the client as an OIDC client, which Keycloak accepted because apparently those are the same entities on the API level, and that ended up getting mangled into some broken hybrid shape by Terraform. This sets up the Buildkite provider again but with the correct SAML configuration this time. Change-Id: Id7ba318984d2fcc9e2ca91ed45ccbfd227278bbe Reviewed-on: https://cl.tvl.fyi/c/depot/+/4731 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: tazjin <mail@tazj.in>
2021-12-28 r/3492 refactor(tools/depotfmt): Move depotfmt check into a real build stepVincent Ambo1-1/+8
Produces more useful output and also makes for a good target for the upcoming extraSteps logic. Change-Id: Ifd389d433d9e27f97940a48999f4fba35646e37a Reviewed-on: https://cl.tvl.fyi/c/depot/+/4727 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: sterni <sternenseemann@systemli.org>
2021-12-28 r/3491 refactor: Generalise pipeline generation in //nix/buildkiteVincent Ambo1-115/+7
Extracts the logic for generating our Buildkite pipeline (which has been copy&pasted and slightly modified in some places outside of depot) into a generic //nix/buildkite library. This should cause no change in functionality. Change-Id: Iad3201713945de41279b39e4f1b847f697c179f7 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4726 Autosubmit: tazjin <mail@tazj.in> Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2021-12-28 r/3490 fix(ops/users): change my email to the @tvl.su oneVincent Ambo1-1/+1
Change-Id: Id608fe66b203c1d08958c85be44506a86eec56d5 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4730 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Autosubmit: tazjin <mail@tazj.in>
2021-12-27 r/3482 refactor(ops/secrets): optimize + typecheck mkSecretszseri1-11/+19
Change-Id: I592c8f2f82cef8fe4509e90a8c48504a0c74d133 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4688 Reviewed-by: zseri <zseri.devel@ytrizja.de> Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: lukegb <lukegb@tvl.fyi> Autosubmit: zseri <zseri.devel@ytrizja.de> Tested-by: BuildkiteCI
2021-12-27 r/3481 feat(ops/glesys): Import DNS records for tvl.suVincent Ambo1-0/+120
These records were previously configured manually in the GleSYS web UI during our DNS outage (b/155). Note that I could not find a way to `terraform import` these records and have instead recreated the set and then cleaned up in the UI. Change-Id: If7de9a7e6dad20953ba8b610589a62dce400e87b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4716 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 r/3480 feat(ops/glesys): Import DNS records for tvl.fyiVincent Ambo3-2/+111
These records were previously configured manually in the GleSYS web UI during our DNS outage (b/155). Note that I could not find a way to `terraform import` these records and have instead recreated the set and then cleaned up in the UI. Since we often point things at whitby, I have extracted variables for its IPs in this change. Change-Id: I09fda94d3734e8aaa278fa858e160d046740da1e Reviewed-on: https://cl.tvl.fyi/c/depot/+/4714 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 r/3479 feat(ops/glesys): Import DNS records for nixery.devVincent Ambo1-0/+44
These records were previously configured manually in the GleSYS web UI during our DNS outage (b/155). Note that I could not find a way to `terraform import` these records and have instead recreated the set and then cleaned up in the UI. Change-Id: I2b7e0ed0931f50e7fa49c1f6e3400dfe958def04 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4713 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 r/3474 feat(ops/secrets): Import secrets for tf-glesysVincent Ambo3-0/+21
Adds the secrets and some instructions for deploying the GleSYS Terraform infrastructure. Change-Id: I1a10f9cee7648d406b3d27ef45fc74b6923cbc30 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4712 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 r/3473 feat(ops/keycloak): Import Buildkite OIDC clientVincent Ambo1-0/+21
This was previously configured in the UI. Change-Id: I68361b1489093b76736adab2e38ed7b474b10881 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4711 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 r/3472 feat(ops/keycloak): Import Gerrit OIDC clientVincent Ambo1-0/+21
This was previously configured in the UI. Change-Id: Ib15b8ecca96d7814dc85d62199865b22bdb63f95 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4710 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 r/3471 fix(ops/keycloak): Move Terraform state to GleSYS bucketVincent Ambo2-12/+24
This should never sit around locally the way it does now. Change-Id: Icfbdaf1949d6d948a796a0759282ea6144af3621 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4709 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 r/3470 feat(ops/secrets): Add tf-keycloak secrets fileVincent Ambo3-0/+32
This file can be sourced (somehow, depending on the user) while working with //ops/keycloak to get the relevant secrets. Change-Id: Ibb3051c4b019f64824964475451c1c3996db6421 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4708 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 r/3469 feat(ops/keycloak): Add OIDC client for GrafanaVincent Ambo1-0/+14
Completely forgot about Grafana, so it's currently broken. Oops! Change-Id: Ia4e6405428ad8e514d6e61635f9692c57f61defe Reviewed-on: https://cl.tvl.fyi/c/depot/+/4705 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: tazjin <mail@tazj.in>
2021-12-27 r/3468 fix(whitby): Point grafana at new auth providerVincent Ambo2-18/+18
Grafana was still pointing at the (now non-existent) CAS setup. This changes the endpoints to use Keycloak instead and updates the client secret. Change-Id: Ib25d38330aba2ef6d894e8c33d86852c884ab5be Reviewed-on: https://cl.tvl.fyi/c/depot/+/4706 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 r/3453 refactor(ops/secrets): generalize out a mkSecrets functionGriffin Smith2-21/+22
Generalize out a reusable mkSecrets function from the secrets-tree-building that's happening in //ops/secrets, so the same thing can happen in other places in the depot (I want to use it for my personal infrastructure). Change-Id: I059295c8c257d78ad7fa0802859f57c2c105f29b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4679 Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: zseri <zseri.devel@ytrizja.de> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI
2021-12-26 r/3447 feat(ops/machines/all-systems): Add grfn/mugwumpGriffin Smith1-0/+1
Change-Id: I7770b58c44a5700e86c80d1058e89e9fa65d719b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4686 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: grfn <grfn@gws.fyi>
2021-12-26 r/3446 fix(auto-deploy): Add missing packages to pathGriffin Smith1-3/+5
Building nix derivations needs tar (provided by gnutar) and gzip on the PATH in order to extract .tar.gz archives. Change-Id: Ia2df7a3a770cfd342dfede58ad34e04805fbd1f8 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4685 Tested-by: BuildkiteCI Autosubmit: grfn <grfn@gws.fyi> Reviewed-by: wpcarro <wpcarro@gmail.com>
2021-12-26 r/3428 fix(ops/keycloak): set up client for usage with oauth2_proxyVincent Ambo1-7/+7
This will be useful for things like panettone, pending a NixOS module for oauth2-proxy (the upstream one is too complicated and doesn't support what we need). Change-Id: I4ca193e10a94a29b1fb9003e945896ff8eb61116 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4662 Tested-by: BuildkiteCI Reviewed-by: Profpatsch <mail@profpatsch.de> Autosubmit: tazjin <mail@tazj.in>
2021-12-26 r/3427 fix(ops/keycloak): trust email addresses from LDAPVincent Ambo1-0/+1
Verified emails are required for some things, like e.g. oauth2_proxy Change-Id: Ifb124be40d6d2863cd1b7ed5fbdfcf4827e8808c Reviewed-on: https://cl.tvl.fyi/c/depot/+/4661 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-12-26 r/3426 feat(ops/keycloak): Set up oauth2_proxy clientVincent Ambo1-0/+21
Change-Id: I996d9644ed7e870d6e5a42af117eafbf841da679 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4640 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-12-26 r/3425 feat(ops/keycloak): Check in initial Keycloak configurationVincent Ambo3-0/+51
This is still missing most of the client configuration etc., in part due to bugs in the provider which are preventing resource imports. Change-Id: Ic224ffc001f8e1fe6dcd47b7d002580fdf7b0774 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4628 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-12-26 r/3414 feat(ops/auto-deploy): Support auto-deployWilliam Carroll3-3/+98
Automatically rebuild the current system's NixOS config from the latest checkout of depot. Change-Id: I23aa7af50e16e985ac34df214e0905e770316e5e Reviewed-on: https://cl.tvl.fyi/c/depot/+/4390 Reviewed-by: wpcarro <wpcarro@gmail.com> Reviewed-by: zseri <zseri.devel@ytrizja.de> Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: wpcarro <wpcarro@gmail.com> Tested-by: BuildkiteCI
2021-12-26 r/3411 chore: friendship ended with cas, now keycloak is our best friendVincent Ambo2-30/+1
Note that the login.tvl.fyi WWW configuration is still kind of hanging around until we've settled where Keycloak lives. Change-Id: Iaca4e394a7371cafa3716ca66ef09c4eca5b1520 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4626 Autosubmit: tazjin <mail@tazj.in> Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-12-26 r/3410 feat(monorepo-gerrit): Configure for Keycloak compatibilityVincent Ambo2-5/+6
Change-Id: Ic3fce02b071c09cf03e652510f16bafb795a5a1d Reviewed-on: https://cl.tvl.fyi/c/depot/+/4614 Autosubmit: tazjin <mail@tazj.in> Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: grfn <grfn@gws.fyi>
2021-12-25 r/3402 refactor(ops/whitby): Move Gerrit secrets into agenixVincent Ambo3-0/+23
Gerrit has OAuth2 and email related secrets which now live in agenix instead of a random file on disk. Change-Id: I6220fbb7a2e2ec0102a900b4bcf6150b8b4d32ef Reviewed-on: https://cl.tvl.fyi/c/depot/+/4612 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-12-25 r/3401 feat(whitby): Configure initial Keycloak setupVincent Ambo4-1/+59
Trialing this as an alternative to CAS that is a little easier to configure and can help us delegate authentication to other OIDC services. Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: lukegb <lukegb@tvl.fyi>
2021-12-24 r/3369 feat(ops/glesys): Provide tf-glesys wrapperVincent Ambo1-0/+8
This provides the right Terraform provider with a wrapper in $PATH. Change-Id: Idcb4fa89dff0161e8a73addfce81959e825c331e Reviewed-on: https://cl.tvl.fyi/c/depot/+/4562 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi>