We found this bug in Lix's config and noticed Snix had the same bug; see
4b9e84fa0a
and b47965fe8f.
Change-Id: I65b14839a62c4e779136c1c34750d15cedaaddc8
Reviewed-on: https://cl.snix.dev/c/snix/+/30605
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
Changelog: https://www.gerritcodereview.com/3.12.html
We are skipping over the 3.11.1, 3.11.2, 3.11.3 minor releases which
remains available.
This bump was already tested on another Gerrit instance.
No manual intervention is required.
Change-Id: Ia3ce1f1cda36abe6da4edd4210260f664f7b3672
Signed-off-by: Raito Bezarius <raito@lix.systems>
Reviewed-on: https://cl.snix.dev/c/snix/+/30576
Autosubmit: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
This is a listener for gerrit events, sent by their "webhooks" plugin,
as well as a NixOS module to deploy it.
Issue: https://git.snix.dev/snix/snix/issues/74
Change-Id: I65c5c5a991e6b1f4f330b3439c8a25aec3f1b484
Reviewed-on: https://cl.snix.dev/c/snix/+/30526
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
cl/30249 changed this to Postmark, and it was unconfigured before.
Change-Id: I89eb49dbb8a3cb81135ae01c98379151e32ecd7c
Reviewed-on: https://cl.snix.dev/c/snix/+/30528
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Autosubmit: Florian Klink <flokli@flokli.de>
This removes the old clbot, which kept an SSH connection to gerrit open.
Change-Id: If8faecdd018b45dd087b7332fe3d3a8280947358
Reviewed-on: https://cl.snix.dev/c/snix/+/30525
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
This deploys irccat, connected to the #snix channel.
We drop the custom irccat third_party, it's 2 years older than the
latest version in nixpkgs.
The irccat.nix module file contains some of the code present in the TVL
version, it however moves the secrets merging to ExecStartPre=,
given https://github.com/systemd/systemd/issues/19604#issuecomment-989279884
has been fixed for almost a year.
Contrary to the setup there, we don't let irccat connect to ZNC, but
hackint directly (so make use of the secrets logic).
We also drop the network-online.target, and make this overall more
tolerant by using Restart=on-failure.
Change-Id: Ieac3b744b7ea58b8dddf1cdc37a8bc057b205b1b
Reviewed-on: https://cl.snix.dev/c/snix/+/30504
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
This builds the important website for both snix.systems and its
predecessor, tvix.systems.
Change-Id: I4cce5595098c804bd4df0cc2ae3c05344138e7b1
Reviewed-on: https://cl.snix.dev/c/snix/+/30502
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
There's two Roles for the Forgejo application, "Admin" and
"Contributors".
Everyone gets the "Contributor" role assigned automatically (it doesn't
really give you a ton of privileges).
Regarding mapping Gerrit groups, it seems there's no support for this in
the `gerrit-oauth-provider` plugin (yet) -
see https://github.com/davido/gerrit-oauth-provider/issues/170.
Fixes#73.
Change-Id: I3cbb968e664125b1f08235db3008d1dbf778922a
Reviewed-on: https://cl.snix.dev/c/snix/+/30477
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
keycloak_openid_user_client_role_protocol_mapper.grafana_role_mapper was
missing. It is configured to make the client roles for this Application
(and only those for this application) available in the grafana_roles
claim.
We can also disable full scope, as we're not interested in other role
mappings.
The Terraform files are a bit reorganized, everything configuring the
Grafana client lives in grafana.tf (and vice-versa for Forgejo,
Buildkite and Gerrit). The only thing left in permissions.tf is global
groups, their memberships and mappings.
Change-Id: I37b0755f4f8658518083353ec6cc0193e805d5c2
Reviewed-on: https://cl.snix.dev/c/snix/+/30476
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
This makes it possible to fetch refs/meta/config from the forgejo
endpoint too. It was possible to fetch it from Gerrit directly before,
so this isn't more or less private than before.
Forgejo doesn't seem to provide an endpoint to link to refs/meta/config,
but it's perfectly fine to view the tree for a given commit from there:
dd5ed6266a
Change-Id: I9bbfb8c5994118e6a205e84d5584cc82a560cc23
Reviewed-on: https://cl.snix.dev/c/snix/+/30444
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
We stopped using them a while ago, no need to replicate.
Change-Id: I584a584b401ed357eba6d8f2349d2be40684765e
Reviewed-on: https://cl.snix.dev/c/snix/+/30443
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
This points our own gerrit check to the deployed buildkite-api-proxy,
updates the URL and stops sending an outdated token.
Fixes#118.
Change-Id: Ic7ace4d67a6bd05c408ac14fe988ae3fe829a49b
Reviewed-on: https://cl.snix.dev/c/snix/+/30406
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: edef <edef@edef.eu>
This blocks a bunch of AI scrapers from Forgejo, which seems to be
particularly attractive.
Especially meta-externalagent has been scraping very excessively.
The list comes from https://github.com/ai-robots-txt/ai.robots.txt,
let's see how often this needs updating.
Change-Id: I55ae7c42c6a3eeff6f0457411a8b05d55cb24f65
Reviewed-on: https://cl.snix.dev/c/snix/+/30370
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
This doesn't seem to do anything, and logs a warning on startup.
Change-Id: I4d883f2a95d5934bc3dc2998a497f3c2a8ff857d
Reviewed-on: https://cl.snix.dev/c/snix/+/30364
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
It seems this now gets added automatically, and causes nginx to fail
with an emergency due to the directive being there two times.
Drop one of it, which gets nginx to boot up again.
Change-Id: I0df3c2f7c2cfbe23d717249570d5a4d1a7fe2f2b
Reviewed-on: https://cl.snix.dev/c/snix/+/30363
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
grafana-agent has been removed, but the failing eval was missed due
to #80.
Change-Id: I87cfc71c8c98e27e32f4e95e4d85901195cb5b75
Reviewed-on: https://cl.snix.dev/c/snix/+/30347
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
This option is not used, we can reintroduce it when needed.
Change-Id: Ie0f90ea7fc84f493f0c73de29ddf200c1184cb40
Reviewed-on: https://cl.snix.dev/c/snix/+/30345
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Deploys Harmonia on build01, proxied through public01.
We cannot serve from build01 directly because it only supports IPv6.
Closes: https://git.snix.dev/snix/snix/issues/66
Change-Id: Iff3c16366d60c0fbfd1315a18c27fcd636a0261a
Reviewed-on: https://cl.snix.dev/c/snix/+/30274
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Autosubmit: Ilan Joselevich <personal@ilanjoselevich.com>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
We only use the OAuth flow (with Keycloak), and the native login
mechanism is an unnecessary source of user confusion.
Change-Id: I819e0b6ac507013c903c55a28f0db52e8706d8dc
Reviewed-on: https://cl.snix.dev/c/snix/+/30282
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: edef . <edef@edef.eu>
This configures Forgejo to use the "Forgejo" Message Stream on our "Snix"
server in Postmark.
Change-Id: I298966a8b43b55b0f1992a8fedf0fffcd6dde472
Reviewed-on: https://cl.snix.dev/c/snix/+/30206
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
This configures Gerrit to use the "Gerrit" Message Stream on our "Snix"
server in Postmark.
Change-Id: I4d021919c666aabc94008f9f705163cb9639f1aa
Reviewed-on: https://cl.snix.dev/c/snix/+/30205
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
They are linked to Snix repo because this is the only one we are using.
Fixes#81.
Change-Id: I3c47547128a7dc5e1fe67a8fbe87b17c7e94f153
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
Reviewed-on: https://cl.snix.dev/c/snix/+/30144
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
They were not going to q/ but just the root of the website, this was not
working.
Change-Id: I1acda0bb630198a8eef5b6fe991a395f1be1f796
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
Reviewed-on: https://cl.snix.dev/c/snix/+/30170
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Code Owners was disabled because it's very sensitive about the identity
of the committers and while pushing the original history, this was a
distraction.
Now that the history has been pushed and everyone is back to their
normal identity, it's fine to enable it again.
Fixes#83.
Change-Id: I4181d6af4eca489d4827b1c1ee606dfbb28a05c9
Reviewed-on: https://cl.snix.dev/c/snix/+/30173
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: Ryan Lahfa <masterancpp@gmail.com>
We are not going to use Panettone neither r/ revisions.
Change-Id: Icc037fc02861cfbe53690ca6641eb7ea777f7b74
Reviewed-on: https://cl.snix.dev/c/snix/+/30172
Autosubmit: Ryan Lahfa <masterancpp@gmail.com>
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
We don't have an email server configured (yet), we can resurrect it once
we do.
Change-Id: I568075154c6169d031462f39b43ce5897a754f19
Reviewed-on: https://cl.snix.dev/c/snix/+/30109
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Everything was large=true and then nothing was small=true and did not
have a hostname.
This is fixed.
Change-Id: Id90e6246f9ab44ce020d999e975dd8b4cd4492c9
Signed-off-by: Ryan Lahfa <raito@lix.systems>
cl.snix.fyi/q/$ID where $ID ≤ 30K will redirect (301) to
cl.tvl.fyi/q/$ID to keep the old links working.
Change-Id: I27b496a1c52a3de3d106292ba7a2931b0f15fa49
Signed-off-by: Ryan Lahfa <raito@lix.systems>
This is definitely faster than doing a roundtrip via a build.
Change-Id: I7a02b828462def735fdb241ce729143e90bc5c75
Reviewed-on: https://cl.tvl.fyi/c/depot/+/13236
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: sterni <sternenseemann@systemli.org>
Something recently caused us to replace Docker with Podman (I guess a default
changed in nixpkgs? I don't remember making the change explicitly), which broke
the reindexing unit.
Change-Id: I1d3453ed970e536abb540c6ef79765cfda271810
Reviewed-on: https://cl.tvl.fyi/c/depot/+/13173
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
