Commit graph

1128 commits

Author SHA1 Message Date
Oleksandr Knyshuk
8d0ae4f7ae feat(ops/gerrit-webhook-to-irccat): notify when CLs are undrafted
- Extend the notification template to handle `wip-state-changed` events where a change is undrafted (i.e., `.Change.Wip` is false or not present).
- Add test cases for undrafting (should notify) and re-drafting (should not notify).
- Ensure correct handling of `.Changer.Username` for undraft notifications.
- Update Go module dependencies for test coverage. (`go mod tidy`)

This allows the IRC bot to notify when a change is moved out of
WIP/draft state, improving visibility for ready-for-review CLs.

Fixes #167.

Change-Id: I6a6a69642369726c3bd9f523ae025c34dba8c4aa
Reviewed-on: https://cl.snix.dev/c/snix/+/30641
Reviewed-by: Oleksandr Knyshuk <olk@disr.it>
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-08-04 12:50:22 +00:00
Starnick4444
2a1cd31d52 chore: finish migration to 2024 edition
Closes #114
Removes the per-crate rustfmt configs, sets default edition to 2024.
This should fix the formatting issues between some editors and CI.

Change-Id: I9bb3a5f49f8ba2c8a616f29e87b7f8093187a165
Reviewed-on: https://cl.snix.dev/c/snix/+/30595
Autosubmit: Bence Nemes <nemes.bence1@gmail.com>
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-08-03 20:10:05 +00:00
Florian Klink
a2ace425cb feat(ops/machines/*01): install kitty terminfo
Change-Id: If9e2ca897e52ae9aa4da033b52dee6f17e66f636
Reviewed-on: https://cl.snix.dev/c/snix/+/30623
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
2025-07-29 11:47:25 +00:00
Florian Klink
723ef9146b fix(ops/gerrit-webhook-to-irccat): fix json parsing
patchset and change numbers are numbers in the JSON, trying to deserialize them into a string fails:

Jul 28 20:34:03 gerrit01 gerrit-webhook-to-irccat[2430441]: time=2025-07-28T20:34:03.675Z level=WARN msg="failed to parse body" error="json: cannot unmarshal number into Go struct field PatchSet.patchSet.number of type string"

Update our library dependency to a version containing the fixed types.

Also add tests for the three messages we care about.

Change-Id: Iac44e6ad01a8590b4cafa4d301c9f45000f335d0
Reviewed-on: https://cl.snix.dev/c/snix/+/30624
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Reviewed-by: Jade Lovelace <jade@lix.systems>
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-07-29 11:47:24 +00:00
Jade Lovelace
be68d89901 fix(ops/gerrit): send mail with the triggering user's name on it
We found this bug in Lix's config and noticed Snix had the same bug; see
4b9e84fa0a and b47965fe8f.

Change-Id: I65b14839a62c4e779136c1c34750d15cedaaddc8
Reviewed-on: https://cl.snix.dev/c/snix/+/30605
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-07-28 20:34:03 +00:00
Starnick4444
5602582a9e chore(ops): upgrade to 2024 edition
Part of #114

Change-Id: I2aea31c745af5de71e3a6c153e55aae3457c87e5
Reviewed-on: https://cl.snix.dev/c/snix/+/30594
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Autosubmit: Bence Nemes <nemes.bence1@gmail.com>
2025-07-04 17:15:04 +00:00
Florian Klink
fcd43e8bc8 refactor(ops/gerrit-webhook-to-irccat): use streams data types
The types are different for `gerrit stream-events` and webhooks, so
switch to a fork of go-gerrit containing their definitions.

https://github.com/andygrunwald/go-gerrit/pull/189 is the upstream PR.
Change-Id: I24136af2f2cf5655f2a8278632a3b0f52aa6adcc
Reviewed-on: https://cl.snix.dev/c/snix/+/30544
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-06-29 14:05:48 +00:00
Raito Bezarius
abb2daa4ae feat(modules/monorepo-gerrit): 3.11.0 -> 3.12.0
Changelog: https://www.gerritcodereview.com/3.12.html

We are skipping over the 3.11.1, 3.11.2, 3.11.3 minor releases which
remain available.

This bump was already tested on another Gerrit instance.

No manual intervention is required.

Change-Id: Ia3ce1f1cda36abe6da4edd4210260f664f7b3672
Signed-off-by: Raito Bezarius <raito@lix.systems>
Reviewed-on: https://cl.snix.dev/c/snix/+/30576
Autosubmit: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-06-22 17:55:52 +00:00
Florian Klink
32cafdc570 feat(ops/modules/monorepo-gerrit): enable webhooks plugin
Fixes: https://git.snix.dev/snix/snix/issues/74
Change-Id: If4ca98cc1886f5e0a26dcc1ebeef4758054d3811
Reviewed-on: https://cl.snix.dev/c/snix/+/30529
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-16 09:23:58 +00:00
Florian Klink
6f3699664a feat(ops/machines/gerrit01): deploy gerrit-webhook-to-irccat
And allow gerrit01 to send these hooks over to irccat running on meta01.

Issue: https://git.snix.dev/snix/snix/issues/74
Change-Id: Ic5835734b32e8e5a46225e68d4124d55c002d663
Reviewed-on: https://cl.snix.dev/c/snix/+/30527
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-16 09:23:28 +00:00
Florian Klink
064765b19a feat(ops/gerrit-webhook-to-irccat): init
This is a listener for gerrit events, sent by their "webhooks" plugin,
as well as a NixOS module to deploy it.

Issue: https://git.snix.dev/snix/snix/issues/74
Change-Id: I65c5c5a991e6b1f4f330b3439c8a25aec3f1b484
Reviewed-on: https://cl.snix.dev/c/snix/+/30526
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-16 09:22:58 +00:00
Florian Klink
af4e1303b0 fix(ops/modules/monorepo-gerrit): fix outdated comment
cl/30249 changed this to Postmark, and it was unconfigured before.

Change-Id: I89eb49dbb8a3cb81135ae01c98379151e32ecd7c
Reviewed-on: https://cl.snix.dev/c/snix/+/30528
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-16 09:22:07 +00:00
Florian Klink
0bcae4c083 fix(ops): drop clbot
This removes the old clbot, which kept an SSH connection to gerrit open.

Change-Id: If8faecdd018b45dd087b7332fe3d3a8280947358
Reviewed-on: https://cl.snix.dev/c/snix/+/30525
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-16 09:22:00 +00:00
Florian Klink
6666d38584 fix(ops/meta01): fix http listener port, restrict tcp
The config seems a bit underdocumented, but this is what gets it to
listen on 4722 for http.

While we have firewall rules in place, we don't want this to listen on
*:$randomPort for tcp, but just have it disabled.

This doesn't seem to be possible right now, due to a bug in viper, but
we can at least restrict it to listen to localhost only for TCP.

Change-Id: I94d379b8820fd32dc1d75082d3a7fb078f93e4ec
Reviewed-on: https://cl.snix.dev/c/snix/+/30523
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-16 09:15:26 +00:00
Florian Klink
c9a77e5b58 feat(ops/meta01): deploy irccat
This deploys irccat, connected to the #snix channel.

We drop the custom irccat third_party, it's 2 years older than the
latest version in nixpkgs.

The irccat.nix module file contains some of the code present in the TVL
version, it however moves the secrets merging to ExecStartPre=,
given https://github.com/systemd/systemd/issues/19604#issuecomment-989279884
has been fixed for almost a year.

Contrary to the setup there, we don't let irccat connect to ZNC, but
hackint directly (so make use of the secrets logic).

We also drop the network-online.target, and make this overall more
tolerant by using Restart=on-failure.

Change-Id: Ieac3b744b7ea58b8dddf1cdc37a8bc057b205b1b
Reviewed-on: https://cl.snix.dev/c/snix/+/30504
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
2025-05-15 14:31:42 +00:00
Raito Bezarius
5d16817f80 fix(machines/build01): move back to stc-ng
In some distant past, stc-ng had some clear troubles while deploying the
machine when we were bootstrapping infra.

This was fixed by rolling back to the old stc. Having retried right now,
stc-ng seems to transition the new system correctly, so let's switch to
it for the time being.

Change-Id: I99f92618841b49357a28212955b62bf5e495e761
Signed-off-by: Raito Bezarius <raito@lix.systems>
Reviewed-on: https://cl.snix.dev/c/snix/+/30503
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-15 14:19:01 +00:00
Florian Klink
e285cbe8cf feat(fun/solves-this): add, deploy to public01
This builds the important website for both snix.systems and its
predecessor, tvix.systems.

Change-Id: I4cce5595098c804bd4df0cc2ae3c05344138e7b1
Reviewed-on: https://cl.snix.dev/c/snix/+/30502
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
2025-05-12 14:40:17 +00:00
Florian Klink
a11099fd1c feat(ops/dns): manage snix.{store,systems} in DO
Also include tvix.{store,systems}, they might still be used in some
places.

Change-Id: I90085d7488f94c8764e61e3d99d8f03459c6f9f0
Reviewed-on: https://cl.snix.dev/c/snix/+/30501
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-12 14:39:47 +00:00
Florian Klink
20589ef8cb fix(ops/dns): drop broken checkZone parts, fix validate
There are no .zone files in here (maybe once were, before switching DNS
providers, or this was copy-pasted from elsewhere).

Also, the validate.terraform target was broken, due to a typo, and not
covered in CI, due to being inside another attrset.

There's only a single check left, so just call that one `validate`,
making it consistent with other //ops terraform workspaces, and getting
CI to actually check it.

Change-Id: I022138d4d3c74181a53738cb53a48b7945392345
Reviewed-on: https://cl.snix.dev/c/snix/+/30499
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-10 16:09:02 +00:00
Florian Klink
ec9e7ee73c refactor(ops): make nixos.snix.cache grafana listen on unix socket
Change-Id: Iadd9850faadb3037825c0465b9aed45fa2826583
Reviewed-on: https://cl.snix.dev/c/snix/+/30495
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-09 23:06:14 +00:00
Florian Klink
7c3d029b8e fix(ops/modules/o11y): disable analytics.reporting_enabled
Change-Id: I1138a3cc9a8a107794bf3053fc48e51af2789d9b
Reviewed-on: https://cl.snix.dev/c/snix/+/30494
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-09 23:06:14 +00:00
Florian Klink
6b518f1aed refactor(ops): make status.snix.dev grafana listen on unix socket
Change-Id: Ib3838edf1ee98a8fe1792771f1a948f00e3f466b
Reviewed-on: https://cl.snix.dev/c/snix/+/30493
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-09 23:06:14 +00:00
Florian Klink
5dbe46eea7 refactor(ops/machines/snix-cache): use new snix.store domain
Provide redirects when the old domain is accessed, which Nix seems to
follow.

We keep the same hostname, so historical node exporter graphs are still
visible.

Change-Id: Icecd7f5324ac25bbfd4c003ca9cc65681114f0b5
Reviewed-on: https://cl.snix.dev/c/snix/+/30484
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-07 21:03:57 +00:00
Florian Klink
c706826aa9 feat(ops/keycloak): configure Buildkite SAML
This enables logging in to Buildkite with SAML.

Fixes #95.

Change-Id: Ieaa87c660692953305619c2bd8270d2329bd7545
Reviewed-on: https://cl.snix.dev/c/snix/+/30478
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 12:36:30 +00:00
Florian Klink
d9ca20a5cc feat(ops/keycloak): configure Forgejo Roles
There are two Roles for the Forgejo application, "Admin" and
"Contributors".
Everyone gets the "Contributor" role assigned automatically (it doesn't
really give you a ton of privileges).

Regarding mapping Gerrit groups, it seems there's no support for this in
the `gerrit-oauth-provider` plugin (yet) -
see https://github.com/davido/gerrit-oauth-provider/issues/170.

Fixes #73.

Change-Id: I3cbb968e664125b1f08235db3008d1dbf778922a
Reviewed-on: https://cl.snix.dev/c/snix/+/30477
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-05 12:36:30 +00:00
Florian Klink
e20ff4cb60 fix(ops/keycloak): fix assigning grafana_roles
keycloak_openid_user_client_role_protocol_mapper.grafana_role_mapper was
missing. It is configured to make the client roles for this Application
(and only those for this application) available in the grafana_roles
claim.

We can also disable full scope, as we're not interested in other role
mappings.

The Terraform files are a bit reorganized, everything configuring the
Grafana client lives in grafana.tf (and vice-versa for Forgejo,
Buildkite and Gerrit). The only thing left in permissions.tf is global
groups, their memberships and mappings.

Change-Id: I37b0755f4f8658518083353ec6cc0193e805d5c2
Reviewed-on: https://cl.snix.dev/c/snix/+/30476
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 12:36:30 +00:00
Vova Kryachko
4b46d93bd3 chore(gerrit): Disable code-owners on meta/config branch.
Change-Id: I6c56b9c87892e7ff4a1afa7e0cf8e91b2c9c0e8f
Reviewed-on: https://cl.snix.dev/c/snix/+/30451
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: Vova Kryachko <v.kryachko@gmail.com>
Tested-by: besadii
2025-05-04 17:42:24 +00:00
Florian Klink
7b329b402c feat(ops/modules/monorepo-gerrit): replicate refs/meta/config
This makes it possible to fetch refs/meta/config from the forgejo
endpoint too. It was possible to fetch it from Gerrit directly before,
so this isn't more or less private than before.

Forgejo doesn't seem to provide an endpoint to link to refs/meta/config,
but it's perfectly fine to view the tree for a given commit from there:

dd5ed6266a

Change-Id: I9bbfb8c5994118e6a205e84d5584cc82a560cc23
Reviewed-on: https://cl.snix.dev/c/snix/+/30444
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-04 15:06:38 +00:00
Florian Klink
dc6af0823c refactor(ops/modules/monorepo-gerrit): stop pushing r/ refs
We stopped using them a while ago, no need to replicate.

Change-Id: I584a584b401ed357eba6d8f2349d2be40684765e
Reviewed-on: https://cl.snix.dev/c/snix/+/30443
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-04 15:06:07 +00:00
Florian Klink
b04011dd53 feat(ops/keycloak): use preferred_username claim from Bornhack IdP
Since https://github.com/bornhack/bornhack-website/pull/1838, users can
set their preferred username there, so it can be correctly propagated
to Keycloak.

Change-Id: If492d4b92b420c07b9e1450883ccb30a18802a42
Reviewed-on: https://cl.snix.dev/c/snix/+/30424
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-04 13:32:57 +00:00
Florian Klink
48807c90ec fix(ops/gerrit-tvl): query buildkite-status endpoint and re-enable
This points our own gerrit check to the deployed buildkite-api-proxy,
updates the URL and stops sending an outdated token.

Fixes #118.

Change-Id: Ic7ace4d67a6bd05c408ac14fe988ae3fe829a49b
Reviewed-on: https://cl.snix.dev/c/snix/+/30406
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: edef <edef@edef.eu>
2025-05-03 22:49:43 +00:00
Florian Klink
c709d2a5d3 feat(ops/www/cl.snix.dev): deploy buildkite-api-proxy
This deploys buildkite-api-proxy at cl.snix.dev/buildkite-status/.

Part of #118.

Change-Id: Iae927b11acc2163e6edc4ba6e91194e8fa884b0d
Reviewed-on: https://cl.snix.dev/c/snix/+/30405
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-03 22:37:12 +00:00
Florian Klink
d85b322c55 feat(ops/gerrit01): provide buildkite-api-proxy-token.age
This is a read-only Buildkite token, it was generated and installed by
flokli@ and has read_builds, read_build_logs, and read_pipelines
permissions.

Part of #118.

Change-Id: I0bbfbab9ad1152ff8e781b7380f44d3cd7245bab
Reviewed-on: https://cl.snix.dev/c/snix/+/30404
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
2025-05-03 22:36:42 +00:00
Florian Klink
54c313c9b2 feat(ops/buildkite-api-proxy): init
This provides a very simple http server, receiving a git sha1 and
querying the buildkite api for the status - the same that's previously
done by the frontend, but now without exposing the (read-only) token
to users.

We can add caching / rate-limiting if the need arises, for now we
just propagate the `cache-control` headers (which seem to be set at
"cache-control: max-age=0, private, must-revalidate" currently anyways)

Part of #118.

Change-Id: I8989a74cb2b278139d988089ff8d6e59e00969e4
Reviewed-on: https://cl.snix.dev/c/snix/+/30403
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-03 22:36:42 +00:00
Florian Klink
ba1e30cfa3 fix(ops/modules/monorepo-gerrit): disable gerrit-tvl for now
Part of #118.

Change-Id: I4da12d18f2638554093cf3ae3bda49a6b523c4f3
Reviewed-on: https://cl.snix.dev/c/snix/+/30388
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-03 19:58:57 +00:00
Florian Klink
14ad575384 doc(ops/besadii): update docstring
besadii is called as `patchset-created` or `change-merged`, not
`ref-updated`.

Change-Id: I843f2d749ab152fb0061b6a9da44775ed58a9eae
Reviewed-on: https://cl.snix.dev/c/snix/+/30344
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-05-02 01:11:06 +00:00
Florian Klink
853754d25f feat(ops/modules/www/git.snix.dev): block AI scrapers
This blocks a bunch of AI scrapers from Forgejo, which seems to be
particularly attractive.

Especially meta-externalagent has been scraping very excessively.

The list comes from https://github.com/ai-robots-txt/ai.robots.txt,
let's see how often this needs updating.

Change-Id: I55ae7c42c6a3eeff6f0457411a8b05d55cb24f65
Reviewed-on: https://cl.snix.dev/c/snix/+/30370
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
2025-05-01 14:57:44 +00:00
Florian Klink
56c3a5d24d fix(ops/modules/o11y): remove anonymous auth org_name
This doesn't seem to do anything, and logs a warning on startup.

Change-Id: I4d883f2a95d5934bc3dc2998a497f3c2a8ff857d
Reviewed-on: https://cl.snix.dev/c/snix/+/30364
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
2025-04-30 20:22:13 +00:00
Florian Klink
5f3fd9385d fix(ops/modules/tempo): drop keepalive from extraConfig
It seems this now gets added automatically, and causes nginx to fail
with an emergency due to the directive being there two times.

Drop one of them, which gets nginx to boot up again.

Change-Id: I0df3c2f7c2cfbe23d717249570d5a4d1a7fe2f2b
Reviewed-on: https://cl.snix.dev/c/snix/+/30363
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
2025-04-30 20:21:42 +00:00
Florian Klink
ca23b17680 refactor(ops/machines): switch from grafana-agent to alloy
grafana-agent has been removed, but the failing eval was missed due
to #80.

Change-Id: I87cfc71c8c98e27e32f4e95e4d85901195cb5b75
Reviewed-on: https://cl.snix.dev/c/snix/+/30347
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
2025-04-30 20:21:42 +00:00
Florian Klink
b2fa87f344 fix(ops/machines/*): fix leftover usages of depot.automatic-gc
This was missed, due to #80.

Change-Id: I3b10fa615c09fdd9887c63c847cfd70f5a80d277
Reviewed-on: https://cl.snix.dev/c/snix/+/30346
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-04-30 20:20:12 +00:00
Florian Klink
088296c52c refactor(ops/modules/o11y/agent): drop bearerTokenFile option
This option is not used, we can reintroduce it when needed.

Change-Id: Ie0f90ea7fc84f493f0c73de29ddf200c1184cb40
Reviewed-on: https://cl.snix.dev/c/snix/+/30345
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-04-30 20:20:12 +00:00
Florian Klink
7ffd2ea502 feat(ops/machines/build01): enable automatic GC
Fixes #109.

Change-Id: I8bcf4f9900a34b6d07f1e70ada22de6e398f6203
Reviewed-on: https://cl.snix.dev/c/snix/+/30339
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-04-29 10:06:23 +00:00
Florian Klink
11b1f8b304 chore(ops/modules): drop unused NixOS modules
Change-Id: I043fea952df5498cd3e831b479220b1025a295fa
Reviewed-on: https://cl.snix.dev/c/snix/+/30338
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-04-29 10:05:23 +00:00
Florian Klink
09c1e3d25b feat(ops/keycloak): allow log in with Bornhack account
This adds bornhack.dk as an OIDC provider.

We currently do not yet map the `nickname` claim as a username field.

This means users logging in via Bornhack need to choose their username
manually, until https://github.com/bornhack/bornhack-website/issues/1837
is solved.

Change-Id: Ia91594107a0cd1d1e0a2ee7ca48d603a2ac681a5
Reviewed-on: https://cl.snix.dev/c/snix/+/30326
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-04-26 11:58:25 +00:00
edef
d814c7afa8 feat(ops/keycloak): configure user profile declaratively
This mostly matches the default configuration, but notably does not
make the lastName field mandatory, in order to accommodate mononymy.

Change-Id: I47ca86a179eb9b7dcf5f3e761681c78e22f5265c
Fixes: https://git.snix.dev/snix/snix/issues/104
Reviewed-on: https://cl.snix.dev/c/snix/+/30289
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-04-04 16:41:12 +00:00
Florian Klink
6e45456fec fix(ops/machines/snix-cache): support old /nar/tvix-castore URLs
Nix clients still might have old .narinfo files cached, containing old
NAR URLs. Send a redirect to the new URL.

Fixes: #103
Change-Id: Ie3b77e4fdc4be0f982e023f2a2acd3f9f0257f9b
Reviewed-on: https://cl.snix.dev/c/snix/+/30291
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
2025-04-02 17:20:10 +00:00
Ilan Joselevich
5551d0ea5e feat(ops): Deploy harmonia on cache.snix.dev
Deploys Harmonia on build01, proxied through public01.
We cannot serve from build01 directly because it only supports IPv6.

Closes: https://git.snix.dev/snix/snix/issues/66
Change-Id: Iff3c16366d60c0fbfd1315a18c27fcd636a0261a
Reviewed-on: https://cl.snix.dev/c/snix/+/30274
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Autosubmit: Ilan Joselevich <personal@ilanjoselevich.com>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-03-31 12:39:21 +00:00
edef
683458d604 fix(ops/modules/forgejo): disable native sign-in
We only use the OAuth flow (with Keycloak), and the native login
mechanism is an unnecessary source of user confusion.

Change-Id: I819e0b6ac507013c903c55a28f0db52e8706d8dc
Reviewed-on: https://cl.snix.dev/c/snix/+/30282
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: edef . <edef@edef.eu>
2025-03-25 14:56:20 +00:00
Florian Klink
00950aa91d fix(ops): add +x for /nix/var/nix/gcroots
Previously, the buildkite users were not able to traverse there.

Removing /nix/var/nix/gcroots/buildkite/canon might not be needed, and
is racy with the other anchor step - the first one might still be building
`ci.gcroot` (and didn't create the new symlink), so the second one will
fail trying to remove the non-existing symlink.

Change-Id: I0449447f7193113d807d597750b26c7beb48a3a6
Reviewed-on: https://cl.snix.dev/c/snix/+/30257
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-03-23 15:02:22 +00:00