patchset and change numbers are numbers in the JSON, trying to deserialize them into a string fails:
Jul 28 20:34:03 gerrit01 gerrit-webhook-to-irccat[2430441]: time=2025-07-28T20:34:03.675Z level=WARN msg="failed to parse body" error="json: cannot unmarshal number into Go struct field PatchSet.patchSet.number of type string"
Update our library dependency to a version containing the fixed types.
Also add tests for the three messages we care about.
Change-Id: Iac44e6ad01a8590b4cafa4d301c9f45000f335d0
Reviewed-on: https://cl.snix.dev/c/snix/+/30624
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Reviewed-by: Jade Lovelace <jade@lix.systems>
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Florian Klink <flokli@flokli.de>
We found this bug in Lix's config and noticed Snix had the same bug; see
4b9e84fa0a
and b47965fe8f.
Change-Id: I65b14839a62c4e779136c1c34750d15cedaaddc8
Reviewed-on: https://cl.snix.dev/c/snix/+/30605
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
The types are different for `gerrit stream-events` and webhooks, so
switch to a fork of go-gerrit containing their definitions.
https://github.com/andygrunwald/go-gerrit/pull/189 is the upstream PR.
Change-Id: I24136af2f2cf5655f2a8278632a3b0f52aa6adcc
Reviewed-on: https://cl.snix.dev/c/snix/+/30544
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Changelog: https://www.gerritcodereview.com/3.12.html
We are skipping over the 3.11.1, 3.11.2, 3.11.3 minor releases which
remains available.
This bump was already tested on another Gerrit instance.
No manual intervention is required.
Change-Id: Ia3ce1f1cda36abe6da4edd4210260f664f7b3672
Signed-off-by: Raito Bezarius <raito@lix.systems>
Reviewed-on: https://cl.snix.dev/c/snix/+/30576
Autosubmit: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
And allow gerrit01 to send these hooks over to irccat running on meta01.
Issue: https://git.snix.dev/snix/snix/issues/74
Change-Id: Ic5835734b32e8e5a46225e68d4124d55c002d663
Reviewed-on: https://cl.snix.dev/c/snix/+/30527
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
This is a listener for gerrit events, sent by their "webhooks" plugin,
as well as a NixOS module to deploy it.
Issue: https://git.snix.dev/snix/snix/issues/74
Change-Id: I65c5c5a991e6b1f4f330b3439c8a25aec3f1b484
Reviewed-on: https://cl.snix.dev/c/snix/+/30526
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
cl/30249 changed this to Postmark, and it was unconfigured before.
Change-Id: I89eb49dbb8a3cb81135ae01c98379151e32ecd7c
Reviewed-on: https://cl.snix.dev/c/snix/+/30528
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Autosubmit: Florian Klink <flokli@flokli.de>
This removes the old clbot, which kept an SSH connection to gerrit open.
Change-Id: If8faecdd018b45dd087b7332fe3d3a8280947358
Reviewed-on: https://cl.snix.dev/c/snix/+/30525
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
The config seems a bit underdocumented, but this is what gets it to
listen on 4722 for http.
While we have firewall rules in place, we don't want this to listen on
*:$randomPort, for tcp but just have it disabled.
This doesn't seem to be possible right now, due to a bug in viper, but
we can at least restrict it to listen to localhost only for TCP.
Change-Id: I94d379b8820fd32dc1d75082d3a7fb078f93e4ec
Reviewed-on: https://cl.snix.dev/c/snix/+/30523
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
This deploys irccat, connected to the #snix channel.
We drop the custom irccat third_party, it's 2 years older than the
latest version in nixpkgs.
The irccat.nix module file contains some of the code present in the TVL
version, it however moves the secrets merging to ExecStartPre=,
given https://github.com/systemd/systemd/issues/19604#issuecomment-989279884
has been fixed for almost a year.
Contrary to the setup there, we don't let irccat connect to ZNC, but
hackint directly (so make use of the secrets logic).
We also drop the network-online.target, and make this overall more
tolerant by using Restart=on-failure.
Change-Id: Ieac3b744b7ea58b8dddf1cdc37a8bc057b205b1b
Reviewed-on: https://cl.snix.dev/c/snix/+/30504
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
In some distant past, stc-ng had some clear troubles while deploying the
machine when we were bootstrapping infra.
This was fixed by rolling back to the old stc. Having retried right now,
stc-ng seems to transition the new system correctly, so let's switch to
it for the time being.
Change-Id: I99f92618841b49357a28212955b62bf5e495e761
Signed-off-by: Raito Bezarius <raito@lix.systems>
Reviewed-on: https://cl.snix.dev/c/snix/+/30503
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
This builds the important website for both snix.systems and its
predecessor, tvix.systems.
Change-Id: I4cce5595098c804bd4df0cc2ae3c05344138e7b1
Reviewed-on: https://cl.snix.dev/c/snix/+/30502
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
Also include tvix.{store,systems}, they might still be used in some
places.
Change-Id: I90085d7488f94c8764e61e3d99d8f03459c6f9f0
Reviewed-on: https://cl.snix.dev/c/snix/+/30501
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
There are no .zone files in here (maybe once were, before switching DNS
providers, or this was copy-pasted from elsewhere).
Also, the validate.terraform target was broken, due to a typo, and not
covered in CI, due to being inside another attrset.
There's only a single check left, so just call that one `validate`,
making it consistent with other //ops terraform workspaces, and getting
CI to actually check it.
Change-Id: I022138d4d3c74181a53738cb53a48b7945392345
Reviewed-on: https://cl.snix.dev/c/snix/+/30499
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Provide redirects when the old domain is accessed, which Nix seems to
follow.
We keep the same hostname, so historical node exporter graphs are still
visible.
Change-Id: Icecd7f5324ac25bbfd4c003ca9cc65681114f0b5
Reviewed-on: https://cl.snix.dev/c/snix/+/30484
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
This enables logging in to Buildkite with SAML.
Fixes#95.
Change-Id: Ieaa87c660692953305619c2bd8270d2329bd7545
Reviewed-on: https://cl.snix.dev/c/snix/+/30478
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
There's two Roles for the Forgejo application, "Admin" and
"Contributors".
Everyone gets the "Contributor" role assigned automatically (it doesn't
really give you a ton of privileges).
Regarding mapping Gerrit groups, it seems there's no support for this in
the `gerrit-oauth-provider` plugin (yet) -
see https://github.com/davido/gerrit-oauth-provider/issues/170.
Fixes#73.
Change-Id: I3cbb968e664125b1f08235db3008d1dbf778922a
Reviewed-on: https://cl.snix.dev/c/snix/+/30477
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
keycloak_openid_user_client_role_protocol_mapper.grafana_role_mapper was
missing. It is configured to make the client roles for this Application
(and only those for this application) available in the grafana_roles
claim.
We can also disable full scope, as we're not interested in other role
mappings.
The Terraform files are a bit reorganized, everything configuring the
Grafana client lives in grafana.tf (and vice-versa for Forgejo,
Buildkite and Gerrit). The only thing left in permissions.tf is global
groups, their memberships and mappings.
Change-Id: I37b0755f4f8658518083353ec6cc0193e805d5c2
Reviewed-on: https://cl.snix.dev/c/snix/+/30476
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
This makes it possible to fetch refs/meta/config from the forgejo
endpoint too. It was possible to fetch it from Gerrit directly before,
so this isn't more or less private than before.
Forgejo doesn't seem to provide an endpoint to link to refs/meta/config,
but it's perfectly fine to view the tree for a given commit from there:
dd5ed6266a
Change-Id: I9bbfb8c5994118e6a205e84d5584cc82a560cc23
Reviewed-on: https://cl.snix.dev/c/snix/+/30444
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
We stopped using them a while ago, no need to replicate.
Change-Id: I584a584b401ed357eba6d8f2349d2be40684765e
Reviewed-on: https://cl.snix.dev/c/snix/+/30443
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Since https://github.com/bornhack/bornhack-website/pull/1838, users can
set their preferred username there, so it can be correctly propagated
to Keycloak.
Change-Id: If492d4b92b420c07b9e1450883ccb30a18802a42
Reviewed-on: https://cl.snix.dev/c/snix/+/30424
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Autosubmit: Florian Klink <flokli@flokli.de>
This points our own gerrit check to the deployed buildkite-api-proxy,
updates the URL and stops sending an outdated token.
Fixes#118.
Change-Id: Ic7ace4d67a6bd05c408ac14fe988ae3fe829a49b
Reviewed-on: https://cl.snix.dev/c/snix/+/30406
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: edef <edef@edef.eu>
This is a read-only Buildkite token, it was generated and installed by
flokli@ and has read_builds, read_build_logs, and read_pipelines
permissions.
Part of #118.
Change-Id: I0bbfbab9ad1152ff8e781b7380f44d3cd7245bab
Reviewed-on: https://cl.snix.dev/c/snix/+/30404
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
This provides a very simple http server, receiving a git sha1 and
querying the buildkite api for the status - the same that's previously
done by the frontend, but now without exposing the (read-only) token
to users.
We can add caching / rate-limiting if the need arises, for now we
just propagate the `cache-control` headers (which seem to be set at
"cache-control: max-age=0, private, must-revalidate" currently anyways)
Part of #118.
Change-Id: I8989a74cb2b278139d988089ff8d6e59e00969e4
Reviewed-on: https://cl.snix.dev/c/snix/+/30403
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
besadii is called as `patchset-created` or `change-merged`, not
`ref-updated`.
Change-Id: I843f2d749ab152fb0061b6a9da44775ed58a9eae
Reviewed-on: https://cl.snix.dev/c/snix/+/30344
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
This blocks a bunch of AI scrapers from Forgejo, which seems to be
particularly attractive.
Especially meta-externalagent has been scraping very excessively.
The list comes from https://github.com/ai-robots-txt/ai.robots.txt,
let's see how often this needs updating.
Change-Id: I55ae7c42c6a3eeff6f0457411a8b05d55cb24f65
Reviewed-on: https://cl.snix.dev/c/snix/+/30370
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
This doesn't seem to do anything, and logs a warning on startup.
Change-Id: I4d883f2a95d5934bc3dc2998a497f3c2a8ff857d
Reviewed-on: https://cl.snix.dev/c/snix/+/30364
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
It seems this now gets added automatically, and causes nginx to fail
with an emergency due to the directive being there two times.
Drop one of it, which gets nginx to boot up again.
Change-Id: I0df3c2f7c2cfbe23d717249570d5a4d1a7fe2f2b
Reviewed-on: https://cl.snix.dev/c/snix/+/30363
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
grafana-agent has been removed, but the failing eval was missed due
to #80.
Change-Id: I87cfc71c8c98e27e32f4e95e4d85901195cb5b75
Reviewed-on: https://cl.snix.dev/c/snix/+/30347
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
This was missed, due to #80.
Change-Id: I3b10fa615c09fdd9887c63c847cfd70f5a80d277
Reviewed-on: https://cl.snix.dev/c/snix/+/30346
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
This option is not used, we can reintroduce it when needed.
Change-Id: Ie0f90ea7fc84f493f0c73de29ddf200c1184cb40
Reviewed-on: https://cl.snix.dev/c/snix/+/30345
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
This adds bornhack.dk as an OIDC provider.
We currently do not yet map the `nickname` claim as a username field.
This means users logging in via Bornhack need to choose their username
manually, until https://github.com/bornhack/bornhack-website/issues/1837
is solved.
Change-Id: Ia91594107a0cd1d1e0a2ee7ca48d603a2ac681a5
Reviewed-on: https://cl.snix.dev/c/snix/+/30326
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Autosubmit: Florian Klink <flokli@flokli.de>
This mostly matches the default configuration, but notably does not
make the lastName field mandatory, in order to accommodate mononymy.
Change-Id: I47ca86a179eb9b7dcf5f3e761681c78e22f5265c
Fixes: https://git.snix.dev/snix/snix/issues/104
Reviewed-on: https://cl.snix.dev/c/snix/+/30289
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Nix clients still might have old .narinfo files cached, containing old
NAR URLs. Send a redirect to the new URL.
Fixes: #103
Change-Id: Ie3b77e4fdc4be0f982e023f2a2acd3f9f0257f9b
Reviewed-on: https://cl.snix.dev/c/snix/+/30291
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
Deploys Harmonia on build01, proxied through public01.
We cannot serve from build01 directly because it only supports IPv6.
Closes: https://git.snix.dev/snix/snix/issues/66
Change-Id: Iff3c16366d60c0fbfd1315a18c27fcd636a0261a
Reviewed-on: https://cl.snix.dev/c/snix/+/30274
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Autosubmit: Ilan Joselevich <personal@ilanjoselevich.com>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
We only use the OAuth flow (with Keycloak), and the native login
mechanism is an unnecessary source of user confusion.
Change-Id: I819e0b6ac507013c903c55a28f0db52e8706d8dc
Reviewed-on: https://cl.snix.dev/c/snix/+/30282
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: edef . <edef@edef.eu>
Previously, the buildkite users were not able to traverse there.
Removing /nix/var/nix/gcroots/buildkite/canon might not be needed, and
is racy with other anchor step - the first one might still be building
`ci.gcroot` (and didn't create the new symlink), so the second one will
fail trying to remove the non-existing symlink.
Change-Id: I0449447f7193113d807d597750b26c7beb48a3a6
Reviewed-on: https://cl.snix.dev/c/snix/+/30257
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
This is pointing to the wrong URLs. This isn't set up yet.
Change-Id: Ie21146311c2adcf5d9c5a80132cf1f8333a6baa2
Reviewed-on: https://cl.snix.dev/c/snix/+/30250
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
