This deploys irccat, connected to the #snix channel.
We drop the custom irccat third_party, it's 2 years older than the
latest version in nixpkgs.
The irccat.nix module file contains some of the code present in the TVL
version, it however moves the secrets merging to ExecStartPre=,
given https://github.com/systemd/systemd/issues/19604#issuecomment-989279884
has been fixed for almost a year.
Contrary to the setup there, we don't let irccat connect to ZNC, but
hackint directly (so make use of the secrets logic).
We also drop the network-online.target, and make this overall more
tolerant by using Restart=on-failure.
Change-Id: Ieac3b744b7ea58b8dddf1cdc37a8bc057b205b1b
Reviewed-on: https://cl.snix.dev/c/snix/+/30504
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
In some distant past, stc-ng had some clear troubles while deploying the
machine when we were bootstrapping infra.
This was fixed by rolling back to the old stc. Having retried right now,
stc-ng seems to transition the new system correctly, so let's switch to
it for the time being.
Change-Id: I99f92618841b49357a28212955b62bf5e495e761
Signed-off-by: Raito Bezarius <raito@lix.systems>
Reviewed-on: https://cl.snix.dev/c/snix/+/30503
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
This builds the important website for both snix.systems and its
predecessor, tvix.systems.
Change-Id: I4cce5595098c804bd4df0cc2ae3c05344138e7b1
Reviewed-on: https://cl.snix.dev/c/snix/+/30502
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
Also include tvix.{store,systems}, they might still be used in some
places.
Change-Id: I90085d7488f94c8764e61e3d99d8f03459c6f9f0
Reviewed-on: https://cl.snix.dev/c/snix/+/30501
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
There are no .zone files in here (maybe once were, before switching DNS
providers, or this was copy-pasted from elsewhere).
Also, the validate.terraform target was broken, due to a typo, and not
covered in CI, due to being inside another attrset.
There's only a single check left, so just call that one `validate`,
making it consistent with other //ops terraform workspaces, and getting
CI to actually check it.
Change-Id: I022138d4d3c74181a53738cb53a48b7945392345
Reviewed-on: https://cl.snix.dev/c/snix/+/30499
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Provide redirects when the old domain is accessed, which Nix seems to
follow.
We keep the same hostname, so historical node exporter graphs are still
visible.
Change-Id: Icecd7f5324ac25bbfd4c003ca9cc65681114f0b5
Reviewed-on: https://cl.snix.dev/c/snix/+/30484
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
This enables logging in to Buildkite with SAML.
Fixes#95.
Change-Id: Ieaa87c660692953305619c2bd8270d2329bd7545
Reviewed-on: https://cl.snix.dev/c/snix/+/30478
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
There's two Roles for the Forgejo application, "Admin" and
"Contributors".
Everyone gets the "Contributor" role assigned automatically (it doesn't
really give you a ton of privileges).
Regarding mapping Gerrit groups, it seems there's no support for this in
the `gerrit-oauth-provider` plugin (yet) -
see https://github.com/davido/gerrit-oauth-provider/issues/170.
Fixes#73.
Change-Id: I3cbb968e664125b1f08235db3008d1dbf778922a
Reviewed-on: https://cl.snix.dev/c/snix/+/30477
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
keycloak_openid_user_client_role_protocol_mapper.grafana_role_mapper was
missing. It is configured to make the client roles for this Application
(and only those for this application) available in the grafana_roles
claim.
We can also disable full scope, as we're not interested in other role
mappings.
The Terraform files are a bit reorganized, everything configuring the
Grafana client lives in grafana.tf (and vice-versa for Forgejo,
Buildkite and Gerrit). The only thing left in permissions.tf is global
groups, their memberships and mappings.
Change-Id: I37b0755f4f8658518083353ec6cc0193e805d5c2
Reviewed-on: https://cl.snix.dev/c/snix/+/30476
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
This makes it possible to fetch refs/meta/config from the forgejo
endpoint too. It was possible to fetch it from Gerrit directly before,
so this isn't more or less private than before.
Forgejo doesn't seem to provide an endpoint to link to refs/meta/config,
but it's perfectly fine to view the tree for a given commit from there:
dd5ed6266a
Change-Id: I9bbfb8c5994118e6a205e84d5584cc82a560cc23
Reviewed-on: https://cl.snix.dev/c/snix/+/30444
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
We stopped using them a while ago, no need to replicate.
Change-Id: I584a584b401ed357eba6d8f2349d2be40684765e
Reviewed-on: https://cl.snix.dev/c/snix/+/30443
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Since https://github.com/bornhack/bornhack-website/pull/1838, users can
set their preferred username there, so it can be correctly propagated
to Keycloak.
Change-Id: If492d4b92b420c07b9e1450883ccb30a18802a42
Reviewed-on: https://cl.snix.dev/c/snix/+/30424
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Autosubmit: Florian Klink <flokli@flokli.de>
This points our own gerrit check to the deployed buildkite-api-proxy,
updates the URL and stops sending an outdated token.
Fixes#118.
Change-Id: Ic7ace4d67a6bd05c408ac14fe988ae3fe829a49b
Reviewed-on: https://cl.snix.dev/c/snix/+/30406
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: edef <edef@edef.eu>
This is a read-only Buildkite token, it was generated and installed by
flokli@ and has read_builds, read_build_logs, and read_pipelines
permissions.
Part of #118.
Change-Id: I0bbfbab9ad1152ff8e781b7380f44d3cd7245bab
Reviewed-on: https://cl.snix.dev/c/snix/+/30404
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
This provides a very simple http server, receiving a git sha1 and
querying the buildkite api for the status - the same that's previously
done by the frontend, but now without exposing the (read-only) token
to users.
We can add caching / rate-limiting if the need arises, for now we
just propagate the `cache-control` headers (which seem to be set at
"cache-control: max-age=0, private, must-revalidate" currently anyways)
Part of #118.
Change-Id: I8989a74cb2b278139d988089ff8d6e59e00969e4
Reviewed-on: https://cl.snix.dev/c/snix/+/30403
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
besadii is called as `patchset-created` or `change-merged`, not
`ref-updated`.
Change-Id: I843f2d749ab152fb0061b6a9da44775ed58a9eae
Reviewed-on: https://cl.snix.dev/c/snix/+/30344
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
This blocks a bunch of AI scrapers from Forgejo, which seems to be
particularly attractive.
Especially meta-externalagent has been scraping very excessively.
The list comes from https://github.com/ai-robots-txt/ai.robots.txt,
let's see how often this needs updating.
Change-Id: I55ae7c42c6a3eeff6f0457411a8b05d55cb24f65
Reviewed-on: https://cl.snix.dev/c/snix/+/30370
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
This doesn't seem to do anything, and logs a warning on startup.
Change-Id: I4d883f2a95d5934bc3dc2998a497f3c2a8ff857d
Reviewed-on: https://cl.snix.dev/c/snix/+/30364
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
It seems this now gets added automatically, and causes nginx to fail
with an emergency due to the directive being there two times.
Drop one of it, which gets nginx to boot up again.
Change-Id: I0df3c2f7c2cfbe23d717249570d5a4d1a7fe2f2b
Reviewed-on: https://cl.snix.dev/c/snix/+/30363
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
grafana-agent has been removed, but the failing eval was missed due
to #80.
Change-Id: I87cfc71c8c98e27e32f4e95e4d85901195cb5b75
Reviewed-on: https://cl.snix.dev/c/snix/+/30347
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
This was missed, due to #80.
Change-Id: I3b10fa615c09fdd9887c63c847cfd70f5a80d277
Reviewed-on: https://cl.snix.dev/c/snix/+/30346
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
This option is not used, we can reintroduce it when needed.
Change-Id: Ie0f90ea7fc84f493f0c73de29ddf200c1184cb40
Reviewed-on: https://cl.snix.dev/c/snix/+/30345
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
This adds bornhack.dk as an OIDC provider.
We currently do not yet map the `nickname` claim as a username field.
This means users logging in via Bornhack need to choose their username
manually, until https://github.com/bornhack/bornhack-website/issues/1837
is solved.
Change-Id: Ia91594107a0cd1d1e0a2ee7ca48d603a2ac681a5
Reviewed-on: https://cl.snix.dev/c/snix/+/30326
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Autosubmit: Florian Klink <flokli@flokli.de>
This mostly matches the default configuration, but notably does not
make the lastName field mandatory, in order to accommodate mononymy.
Change-Id: I47ca86a179eb9b7dcf5f3e761681c78e22f5265c
Fixes: https://git.snix.dev/snix/snix/issues/104
Reviewed-on: https://cl.snix.dev/c/snix/+/30289
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Nix clients still might have old .narinfo files cached, containing old
NAR URLs. Send a redirect to the new URL.
Fixes: #103
Change-Id: Ie3b77e4fdc4be0f982e023f2a2acd3f9f0257f9b
Reviewed-on: https://cl.snix.dev/c/snix/+/30291
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
Deploys Harmonia on build01, proxied through public01.
We cannot serve from build01 directly because it only supports IPv6.
Closes: https://git.snix.dev/snix/snix/issues/66
Change-Id: Iff3c16366d60c0fbfd1315a18c27fcd636a0261a
Reviewed-on: https://cl.snix.dev/c/snix/+/30274
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Autosubmit: Ilan Joselevich <personal@ilanjoselevich.com>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
We only use the OAuth flow (with Keycloak), and the native login
mechanism is an unnecessary source of user confusion.
Change-Id: I819e0b6ac507013c903c55a28f0db52e8706d8dc
Reviewed-on: https://cl.snix.dev/c/snix/+/30282
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: edef . <edef@edef.eu>
Previously, the buildkite users were not able to traverse there.
Removing /nix/var/nix/gcroots/buildkite/canon might not be needed, and
is racy with other anchor step - the first one might still be building
`ci.gcroot` (and didn't create the new symlink), so the second one will
fail trying to remove the non-existing symlink.
Change-Id: I0449447f7193113d807d597750b26c7beb48a3a6
Reviewed-on: https://cl.snix.dev/c/snix/+/30257
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
This is pointing to the wrong URLs. This isn't set up yet.
Change-Id: Ie21146311c2adcf5d9c5a80132cf1f8333a6baa2
Reviewed-on: https://cl.snix.dev/c/snix/+/30250
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
This allows Keycloak to send emails.
Using naked TLS fails with:
```
Mar 23 00:10:50 public01 keycloak-start[875412]: Caused by: jakarta.mail.MessagingException: Could not connect to SMTP host: smtp.postmarkapp.com, port: 2525;
Mar 23 00:10:50 public01 keycloak-start[875412]: nested exception is:
Mar 23 00:10:50 public01 keycloak-start[875412]: javax.net.ssl.SSLException: Unsupported or unrecognized SSL message
Mar 23 00:10:50 public01 keycloak-start[875412]: at org.eclipse.angus.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:2245)
Mar 23 00:10:50 public01 keycloak-start[875412]: at org.eclipse.angus.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:729)
Mar 23 00:10:50 public01 keycloak-start[875412]: at jakarta.mail.Service.connect(Service.java:342)
Mar 23 00:10:50 public01 keycloak-start[875412]: at jakarta.mail.Service.connect(Service.java:222)
Mar 23 00:10:50 public01 keycloak-start[875412]: at jakarta.mail.Service.connect(Service.java:243)
Mar 23 00:10:50 public01 keycloak-start[875412]: at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:161)
Mar 23 00:10:50 public01 keycloak-start[875412]: ... 17 more
Mar 23 00:10:50 public01 keycloak-start[875412]: Caused by: javax.net.ssl.SSLException: Unsupported or unrecognized SSL message
```
With starttls, we can send emails, so use that.
Change-Id: I5898bec4f9413a8714c9adb1654d9e964022d183
Reviewed-on: https://cl.snix.dev/c/snix/+/30249
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Every buildkite user needs to be able to update these symlinks, and the
directory doesn't exist. It was probably created imperatively on whitby.
Use a tmpfiles rule creating a /nix/var/nix/gcroots/buildkite directory,
and add a `canon` symlink in there.
Change-Id: Ic4d67fbb69f77cebe891b0fff9b824713ebec87c
Reviewed-on: https://cl.snix.dev/c/snix/+/30247
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
This doesn't really work in all cases anyways, and currently isn't used
to deploy - remove it.
Change-Id: I6684d9583cb036d851ab6cd9f4c811973a7882fc
Reviewed-on: https://cl.snix.dev/c/snix/+/30242
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
There's been a lot of
```
nix-daemon[2039685]: unexpected Nix daemon error: error: writing to file: Broken pipe
```
log messages, and failed builds in CI.
These don't seem to occur with Lix.
Change-Id: Ida277064282905154ea9265f935a221bf8006c8d
Reviewed-on: https://cl.snix.dev/c/snix/+/30225
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
This configures Forgejo to use the "Forgejo" Message Stream on our "Snix"
server in Postmark.
Change-Id: I298966a8b43b55b0f1992a8fedf0fffcd6dde472
Reviewed-on: https://cl.snix.dev/c/snix/+/30206
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
This configures Gerrit to use the "Gerrit" Message Stream on our "Snix"
server in Postmark.
Change-Id: I4d021919c666aabc94008f9f705163cb9639f1aa
Reviewed-on: https://cl.snix.dev/c/snix/+/30205
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Type checking of secrets was removed in cff6575948 to get rid of yants.
This adds back type checking using Korora.
Fixes https://git.snix.dev/snix/snix/issues/71
Change-Id: I27cd47b7e1810be5c4cd5d86366e860ca217f9c4
Reviewed-on: https://cl.snix.dev/c/snix/+/30118
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Reviewed-by: Florian Klink <flokli@flokli.de>
This configures the DNS records necessary to send emails from Postmark.
Change-Id: I2e55151f40c4f5e54f6d7f06ae24f2e863b7c656
Reviewed-on: https://cl.snix.dev/c/snix/+/30204
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii