This deploys irccat, connected to the #snix channel.
We drop the custom irccat third_party, it's 2 years older than the
latest version in nixpkgs.
The irccat.nix module file contains some of the code present in the TVL
version, it however moves the secrets merging to ExecStartPre=,
given https://github.com/systemd/systemd/issues/19604#issuecomment-989279884
has been fixed for almost a year.
Contrary to the setup there, we don't let irccat connect to ZNC, but
hackint directly (so make use of the secrets logic).
We also drop the network-online.target, and make this overall more
tolerant by using Restart=on-failure.
Change-Id: Ieac3b744b7ea58b8dddf1cdc37a8bc057b205b1b
Reviewed-on: https://cl.snix.dev/c/snix/+/30504
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
This is a read-only Buildkite token, it was generated and installed by
flokli@ and has read_builds, read_build_logs, and read_pipelines
permissions.
Part of #118.
Change-Id: I0bbfbab9ad1152ff8e781b7380f44d3cd7245bab
Reviewed-on: https://cl.snix.dev/c/snix/+/30404
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
Deploys Harmonia on build01, proxied through public01.
We cannot serve from build01 directly because it only supports IPv6.
Closes: https://git.snix.dev/snix/snix/issues/66
Change-Id: Iff3c16366d60c0fbfd1315a18c27fcd636a0261a
Reviewed-on: https://cl.snix.dev/c/snix/+/30274
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Autosubmit: Ilan Joselevich <personal@ilanjoselevich.com>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
This configures Forgejo to use the "Forgejo" Message Stream on our "Snix"
server in Postmark.
Change-Id: I298966a8b43b55b0f1992a8fedf0fffcd6dde472
Reviewed-on: https://cl.snix.dev/c/snix/+/30206
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
This configures Gerrit to use the "Gerrit" Message Stream on our "Snix"
server in Postmark.
Change-Id: I4d021919c666aabc94008f9f705163cb9639f1aa
Reviewed-on: https://cl.snix.dev/c/snix/+/30205
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Removes whitby DNS records and other related configuration that is no longer
required now that whitby is gone.
whitby served us well. RIP.
This resolves b/433.
Change-Id: I56fe6f88cde9112fc3bfc79758ac33e88a743422
Reviewed-on: https://cl.tvl.fyi/c/depot/+/13117
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Backups are moving from GleSYS to Yandex Cloud (is this motivated by me not
having to pay for them in that case? Maybe!); this changes the default backup
location to accommodate that.
I also noticed that we previously manually placed the backup key on whitby, so
the new key is going into agenix instead, as well as the secrets for protecting
the repositories.
Change-Id: Ibe5dbfec6784345f020a8b4d92bb01c6ad719a89
Reviewed-on: https://cl.tvl.fyi/c/depot/+/13096
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
This grants access to all relevant keys to the new machines.
Change-Id: I78a7003181ee9977e548fbfe0d78afb67357b56b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/13064
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Adman (the hoster) have not provided an ETA for native v6 on bugry yet, so we
establish a public v6 connection through nevsky for now.
In traffic flows going West->East the overhead is minimal (a few ms), though I
guess it might be worse if you're in the middle (Yekaterinburg or something).
The prefix was chosen by the bugry public v4 address encoded in hex, and
appended to the nevsky prefix.
Change-Id: I133622c17bd02eade0a6febc6bdf97f403fed14c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12974
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
For the duration of the sprint, this bot will take care of
synchronising the IRC channel with the Telegram group.
After the sprint, it will be removed again.
Change-Id: I6d5b1316fc85ddd26adf55e31f6bff742907fc24
Reviewed-on: https://cl.tvl.fyi/c/depot/+/11727
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Enables the new autosubmit bot, albeit without rebase
functionality (this will be a separate change).
Change-Id: Ia42a4f08c0edca5e6cc8bf4770ec24dbf16a5db7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/10132
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
This was already removed from whitby a while ago, no reason to keep
this secret.
Change-Id: I4742dd0138a3eff91325c94e44e64b72c644ee3c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8915
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
This changes the structure of secrets.nix a bit to split between
secrets for whitby, and secrets for all TVL machines.
Change-Id: I791f0ce42a16b33051e24a7a6c5b153761ed9eb3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5300
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
This isn't actually used by anything that would use agenix, but this
seems like a vaguely sensible way of sharing the token with other people
regardless.
Anyone who finds this commit and wants to be added to the telegram
channel where the alerts go, lmk.
Change-Id: I06d6ed2d4bec099cbf68ede8fd00a5e6f4e7bc60
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5124
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
The intent is to configure oauth2_proxy pointing at Keycloak to enable
usage with nginx auth_request directives.
I want to expose this as a function from within the module in which
nginx server configuration blocks can be wrapped, but the function for
that is currently a placeholder.
Change-Id: I5ed7deb9bf1c62818f516e68c33e8c5b632fccfe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4767
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Adds the secrets and some instructions for deploying the GleSYS
Terraform infrastructure.
Change-Id: I1a10f9cee7648d406b3d27ef45fc74b6923cbc30
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4712
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
This file can be sourced (somehow, depending on the user) while
working with //ops/keycloak to get the relevant secrets.
Change-Id: Ibb3051c4b019f64824964475451c1c3996db6421
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4708
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Gerrit has OAuth2 and email related secrets which now live in agenix
instead of a random file on disk.
Change-Id: I6220fbb7a2e2ec0102a900b4bcf6150b8b4d32ef
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4612
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Trialing this as an alternative to CAS that is a little easier to
configure and can help us delegate authentication to other OIDC
services.
Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
We already checked this in, but this commit adds the configuration for
making use of it.
There are two copies of besadii's JSON configuration with different
permissions.
Note that the buildkite-graphql-token path needs to be updated in
static-pipeline.yml, but this needs to happen in a separate commit
after deploy because the pipeline will break otherwise.
Change-Id: I6fab4bf1a2e679df7cf76521e2b53bd9dadbac62
The irccat module uses DynamicUser, so to grant permission to it a new
group has been added for irccat.
I have some vague memory of DynamicUser + Group not behaving as one
would expect, but we'll see what happens.
Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
Adds a systemd EnvironmentFile secret that contains the Gerrit
username & password for gerrit-queue.
Change-Id: I25acf87764c26774045138402b8a417b6813ee8f
Sets up the key set and adds an initial secret (besadii config with
tokens) to be deployed to whitby.
Change-Id: Ic07fd5e66b9e7a533013e04c35e052c2aa11f77d
