Commit graph

1114 commits

Author SHA1 Message Date
Florian Klink
c9a77e5b58 feat(ops/meta01): deploy irccat
This deploys irccat, connected to the #snix channel.

We drop the custom irccat third_party, it's 2 years older than the
latest version in nixpkgs.

The irccat.nix module file contains some of the code present in the TVL
version, it however moves the secrets merging to ExecStartPre=,
given https://github.com/systemd/systemd/issues/19604#issuecomment-989279884
has been fixed for almost a year.

Contrary to the setup there, we don't let irccat connect to ZNC, but
hackint directly (so make use of the secrets logic).

We also drop the network-online.target, and make this overall more
tolerant by using Restart=on-failure.

Change-Id: Ieac3b744b7ea58b8dddf1cdc37a8bc057b205b1b
Reviewed-on: https://cl.snix.dev/c/snix/+/30504
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
2025-05-15 14:31:42 +00:00
Raito Bezarius
5d16817f80 fix(machines/build01): move back to stc-ng
In some distant past, stc-ng had some clear troubles while deploying the
machine when we were bootstrapping infra.

This was fixed by rolling back to the old stc. Having retried right now,
stc-ng seems to transition the new system correctly, so let's switch to
it for the time being.

Change-Id: I99f92618841b49357a28212955b62bf5e495e761
Signed-off-by: Raito Bezarius <raito@lix.systems>
Reviewed-on: https://cl.snix.dev/c/snix/+/30503
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-15 14:19:01 +00:00
Florian Klink
e285cbe8cf feat(fun/solves-this): add, deploy to public01
This builds the important website for both snix.systems and its
predecessor, tvix.systems.

Change-Id: I4cce5595098c804bd4df0cc2ae3c05344138e7b1
Reviewed-on: https://cl.snix.dev/c/snix/+/30502
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
2025-05-12 14:40:17 +00:00
Florian Klink
a11099fd1c feat(ops/dns): manage snix.{store,systems} in DO
Also include tvix.{store,systems}, they might still be used in some
places.

Change-Id: I90085d7488f94c8764e61e3d99d8f03459c6f9f0
Reviewed-on: https://cl.snix.dev/c/snix/+/30501
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-12 14:39:47 +00:00
Florian Klink
20589ef8cb fix(ops/dns): drop broken checkZone parts, fix validate
There are no .zone files in here (maybe once were, before switching DNS
providers, or this was copy-pasted from elsewhere).

Also, the validate.terraform target was broken, due to a typo, and not
covered in CI, due to being inside another attrset.

There's only a single check left, so just call that one `validate`,
making it consistent with other //ops terraform workspaces, and getting
CI to actually check it.

Change-Id: I022138d4d3c74181a53738cb53a48b7945392345
Reviewed-on: https://cl.snix.dev/c/snix/+/30499
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-10 16:09:02 +00:00
Florian Klink
ec9e7ee73c refactor(ops): make nixos.snix.cache grafana listen on unix socket
Change-Id: Iadd9850faadb3037825c0465b9aed45fa2826583
Reviewed-on: https://cl.snix.dev/c/snix/+/30495
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-09 23:06:14 +00:00
Florian Klink
7c3d029b8e fix(ops/modules/o11y): disable analytics.reporting_enabled
Change-Id: I1138a3cc9a8a107794bf3053fc48e51af2789d9b
Reviewed-on: https://cl.snix.dev/c/snix/+/30494
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-09 23:06:14 +00:00
Florian Klink
6b518f1aed refactor(ops): make status.snix.dev grafana listen on unix socket
Change-Id: Ib3838edf1ee98a8fe1792771f1a948f00e3f466b
Reviewed-on: https://cl.snix.dev/c/snix/+/30493
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-09 23:06:14 +00:00
Florian Klink
5dbe46eea7 refactor(ops/machines/snix-cache): use new snix.store domain
Provide redirects when the old domain is accessed, which Nix seems to
follow.

We keep the same hostname, so historical node exporter graphs are still
visible.

Change-Id: Icecd7f5324ac25bbfd4c003ca9cc65681114f0b5
Reviewed-on: https://cl.snix.dev/c/snix/+/30484
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-07 21:03:57 +00:00
Florian Klink
c706826aa9 feat(ops/keycloak): configure Buildkite SAML
This enables logging in to Buildkite with SAML.

Fixes #95.

Change-Id: Ieaa87c660692953305619c2bd8270d2329bd7545
Reviewed-on: https://cl.snix.dev/c/snix/+/30478
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 12:36:30 +00:00
Florian Klink
d9ca20a5cc feat(ops/keycloak): configure Forgejo Roles
There's two Roles for the Forgejo application, "Admin" and
"Contributors".
Everyone gets the "Contributor" role assigned automatically (it doesn't
really give you a ton of privileges).

Regarding mapping Gerrit groups, it seems there's no support for this in
the `gerrit-oauth-provider` plugin (yet) -
see https://github.com/davido/gerrit-oauth-provider/issues/170.

Fixes #73.

Change-Id: I3cbb968e664125b1f08235db3008d1dbf778922a
Reviewed-on: https://cl.snix.dev/c/snix/+/30477
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-05 12:36:30 +00:00
Florian Klink
e20ff4cb60 fix(ops/keycloak): fix assigning grafana_roles
keycloak_openid_user_client_role_protocol_mapper.grafana_role_mapper was
missing. It is configured to make the client roles for this Application
(and only those for this application) available in the grafana_roles
claim.

We can also disable full scope, as we're not interested in other role
mappings.

The Terraform files are a bit reorganized, everything configuring the
Grafana client lives in grafana.tf (and vice-versa for Forgejo,
Buildkite and Gerrit). The only thing left in permissions.tf is global
groups, their memberships and mappings.

Change-Id: I37b0755f4f8658518083353ec6cc0193e805d5c2
Reviewed-on: https://cl.snix.dev/c/snix/+/30476
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 12:36:30 +00:00
Vova Kryachko
4b46d93bd3 chore(gerrit): Disable code-owners on meta/config branch.
Change-Id: I6c56b9c87892e7ff4a1afa7e0cf8e91b2c9c0e8f
Reviewed-on: https://cl.snix.dev/c/snix/+/30451
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: Vova Kryachko <v.kryachko@gmail.com>
Tested-by: besadii
2025-05-04 17:42:24 +00:00
Florian Klink
7b329b402c feat(ops/modules/monorepo-gerrit): replicate refs/meta/config
This makes it possible to fetch refs/meta/config from the forgejo
endpoint too. It was possible to fetch it from Gerrit directly before,
so this isn't more or less private than before.

Forgejo doesn't seem to provide an endpoint to link to refs/meta/config,
but it's perfectly fine to view the tree for a given commit from there:

dd5ed6266a

Change-Id: I9bbfb8c5994118e6a205e84d5584cc82a560cc23
Reviewed-on: https://cl.snix.dev/c/snix/+/30444
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-04 15:06:38 +00:00
Florian Klink
dc6af0823c refactor(ops/modules/monorepo-gerrit): stop pushing r/ refs
We stopped using them a while ago, no need to replicate.

Change-Id: I584a584b401ed357eba6d8f2349d2be40684765e
Reviewed-on: https://cl.snix.dev/c/snix/+/30443
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-04 15:06:07 +00:00
Florian Klink
b04011dd53 feat(ops/keycloak): use preferred_username claim from Bornhack IdP
Since https://github.com/bornhack/bornhack-website/pull/1838, users can
set their preferred username there, so it can be correctly propagated
to Keycloak.

Change-Id: If492d4b92b420c07b9e1450883ccb30a18802a42
Reviewed-on: https://cl.snix.dev/c/snix/+/30424
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-04 13:32:57 +00:00
Florian Klink
48807c90ec fix(ops/gerrit-tvl): query buildkite-status endpoint and re-enable
This points our own gerrit check to the deployed buildkite-api-proxy,
updates the URL and stops sending an outdated token.

Fixes #118.

Change-Id: Ic7ace4d67a6bd05c408ac14fe988ae3fe829a49b
Reviewed-on: https://cl.snix.dev/c/snix/+/30406
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: edef <edef@edef.eu>
2025-05-03 22:49:43 +00:00
Florian Klink
c709d2a5d3 feat(ops/www/cl.snix.dev): deploy buildkite-api-proxy
This deploys buildkite-api-proxy at cl.snix.dev/buildkite-status/.

Part of #118.

Change-Id: Iae927b11acc2163e6edc4ba6e91194e8fa884b0d
Reviewed-on: https://cl.snix.dev/c/snix/+/30405
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-03 22:37:12 +00:00
Florian Klink
d85b322c55 feat(ops/gerrit01): provide buildkite-api-proxy-token.age
This is a read-only Buildkite token, it was generated and installed by
flokli@ and has read_builds, read_build_logs, and read_pipelines
permissions.

Part of #118.

Change-Id: I0bbfbab9ad1152ff8e781b7380f44d3cd7245bab
Reviewed-on: https://cl.snix.dev/c/snix/+/30404
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
2025-05-03 22:36:42 +00:00
Florian Klink
54c313c9b2 feat(ops/buildkite-api-proxy): init
This provides a very simple http server, receiving a git sha1 and
querying the buildkite api for the status - the same that's previously
done by the frontend, but now without exposing the (read-only) token
to users.

We can add caching / rate-limiting if the need arises, for now we
just propagate the `cache-control` headers (which seem to be set at
"cache-control: max-age=0, private, must-revalidate" currently anyways)

Part of #118.

Change-Id: I8989a74cb2b278139d988089ff8d6e59e00969e4
Reviewed-on: https://cl.snix.dev/c/snix/+/30403
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-03 22:36:42 +00:00
Florian Klink
ba1e30cfa3 fix(ops/modules/monorepo-gerrit): disable gerrit-tvl for now
Part of #118.

Change-Id: I4da12d18f2638554093cf3ae3bda49a6b523c4f3
Reviewed-on: https://cl.snix.dev/c/snix/+/30388
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-03 19:58:57 +00:00
Florian Klink
14ad575384 doc(ops/besadii): update docstring
besadii is called as `patchset-created` or `change-merged`, not
`ref-updated`.

Change-Id: I843f2d749ab152fb0061b6a9da44775ed58a9eae
Reviewed-on: https://cl.snix.dev/c/snix/+/30344
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-05-02 01:11:06 +00:00
Florian Klink
853754d25f feat(ops/modules/www/git.snix.dev): block AI scrapers
This blocks a bunch of AI scrapers from Forgejo, which seems to be
particularly attractive.

Especially meta-externalagent has been scraping very excessively.

The list comes from https://github.com/ai-robots-txt/ai.robots.txt,
let's see how often this needs updating.

Change-Id: I55ae7c42c6a3eeff6f0457411a8b05d55cb24f65
Reviewed-on: https://cl.snix.dev/c/snix/+/30370
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
2025-05-01 14:57:44 +00:00
Florian Klink
56c3a5d24d fix(ops/modules/o11y): remove anonymous auth org_name
This doesn't seem to do anything, and logs a warning on startup.

Change-Id: I4d883f2a95d5934bc3dc2998a497f3c2a8ff857d
Reviewed-on: https://cl.snix.dev/c/snix/+/30364
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
2025-04-30 20:22:13 +00:00
Florian Klink
5f3fd9385d fix(ops/modules/tempo): drop keepalive from extraConfig
It seems this now gets added automatically, and causes nginx to fail
with an emergency due to the directive being there two times.

Drop one of it, which gets nginx to boot up again.

Change-Id: I0df3c2f7c2cfbe23d717249570d5a4d1a7fe2f2b
Reviewed-on: https://cl.snix.dev/c/snix/+/30363
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
2025-04-30 20:21:42 +00:00
Florian Klink
ca23b17680 refactor(ops/machines): switch from grafana-agent to alloy
grafana-agent has been removed, but the failing eval was missed due
to #80.

Change-Id: I87cfc71c8c98e27e32f4e95e4d85901195cb5b75
Reviewed-on: https://cl.snix.dev/c/snix/+/30347
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
2025-04-30 20:21:42 +00:00
Florian Klink
b2fa87f344 fix(ops/machines/*): fix leftover usages of depot.automatic-gc
This was missed, due to #80.

Change-Id: I3b10fa615c09fdd9887c63c847cfd70f5a80d277
Reviewed-on: https://cl.snix.dev/c/snix/+/30346
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-04-30 20:20:12 +00:00
Florian Klink
088296c52c refactor(ops/modules/o11y/agent): drop bearerTokenFile option
This option is not used, we can reintroduce it when needed.

Change-Id: Ie0f90ea7fc84f493f0c73de29ddf200c1184cb40
Reviewed-on: https://cl.snix.dev/c/snix/+/30345
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-04-30 20:20:12 +00:00
Florian Klink
7ffd2ea502 feat(ops/machines/build01): enable automatic GC
Fixes #109.

Change-Id: I8bcf4f9900a34b6d07f1e70ada22de6e398f6203
Reviewed-on: https://cl.snix.dev/c/snix/+/30339
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-04-29 10:06:23 +00:00
Florian Klink
11b1f8b304 chore(ops/modules): drop unused NixOS modules
Change-Id: I043fea952df5498cd3e831b479220b1025a295fa
Reviewed-on: https://cl.snix.dev/c/snix/+/30338
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-04-29 10:05:23 +00:00
Florian Klink
09c1e3d25b feat(ops/keycloak): allow log in with Bornhack account
This adds bornhack.dk as an OIDC provider.

We currently do not yet map the `nickname` claim as a username field.

This means users logging in via Bornhack need to choose their username
manually, until https://github.com/bornhack/bornhack-website/issues/1837
is solved.

Change-Id: Ia91594107a0cd1d1e0a2ee7ca48d603a2ac681a5
Reviewed-on: https://cl.snix.dev/c/snix/+/30326
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-04-26 11:58:25 +00:00
edef
d814c7afa8 feat(ops/keycloak): configure user profile declaratively
This mostly matches the default configuration, but notably does not
make the lastName field mandatory, in order to accommodate mononymy.

Change-Id: I47ca86a179eb9b7dcf5f3e761681c78e22f5265c
Fixes: https://git.snix.dev/snix/snix/issues/104
Reviewed-on: https://cl.snix.dev/c/snix/+/30289
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-04-04 16:41:12 +00:00
Florian Klink
6e45456fec fix(ops/machines/snix-cache): support old /nar/tvix-castore URLs
Nix clients still might have old .narinfo files cached, containing old
NAR URLs. Send a redirect to the new URL.

Fixes: #103
Change-Id: Ie3b77e4fdc4be0f982e023f2a2acd3f9f0257f9b
Reviewed-on: https://cl.snix.dev/c/snix/+/30291
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
2025-04-02 17:20:10 +00:00
Ilan Joselevich
5551d0ea5e feat(ops): Deploy harmonia on cache.snix.dev
Deploys Harmonia on build01, proxied through public01.
We cannot serve from build01 directly because it only supports IPv6.

Closes: https://git.snix.dev/snix/snix/issues/66
Change-Id: Iff3c16366d60c0fbfd1315a18c27fcd636a0261a
Reviewed-on: https://cl.snix.dev/c/snix/+/30274
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Autosubmit: Ilan Joselevich <personal@ilanjoselevich.com>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-03-31 12:39:21 +00:00
edef
683458d604 fix(ops/modules/forgejo): disable native sign-in
We only use the OAuth flow (with Keycloak), and the native login
mechanism is an unnecessary source of user confusion.

Change-Id: I819e0b6ac507013c903c55a28f0db52e8706d8dc
Reviewed-on: https://cl.snix.dev/c/snix/+/30282
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: edef . <edef@edef.eu>
2025-03-25 14:56:20 +00:00
Florian Klink
00950aa91d fix(ops): add +x for /nix/var/nix/gcroots
Previously, the buildkite users were not able to traverse there.

Removing /nix/var/nix/gcroots/buildkite/canon might not be needed, and
is racy with other anchor step - the first one might still be building
`ci.gcroot` (and didn't create the new symlink), so the second one will
fail trying to remove the non-existing symlink.

Change-Id: I0449447f7193113d807d597750b26c7beb48a3a6
Reviewed-on: https://cl.snix.dev/c/snix/+/30257
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-03-23 15:02:22 +00:00
Florian Klink
7e22d4f55f feat(ops/keycloak): update group memberships
Change-Id: I3b881fec1ee0d67cbfac636e99460b3491e2c653
Reviewed-on: https://cl.snix.dev/c/snix/+/30252
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-03-23 00:50:26 +00:00
Florian Klink
2d98b56d5b chore(ops/keycloak): drop wiki groups/roles
Change-Id: I215778faf2045865d0416296f32a6cfa335ed241
Reviewed-on: https://cl.snix.dev/c/snix/+/30251
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Tested-by: besadii
2025-03-23 00:50:26 +00:00
Florian Klink
9130830912 chore(ops/keycloak): disable buildkite keycloak SAML settings for now
This is pointing to the wrong URLs. This isn't set up yet.

Change-Id: Ie21146311c2adcf5d9c5a80132cf1f8333a6baa2
Reviewed-on: https://cl.snix.dev/c/snix/+/30250
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-03-23 00:50:26 +00:00
Florian Klink
5f0697083f feat(ops/keycloak): configure smtp settings
This allows Keycloak to send emails.

Using naked TLS fails with:

```
Mar 23 00:10:50 public01 keycloak-start[875412]: Caused by: jakarta.mail.MessagingException: Could not connect to SMTP host: smtp.postmarkapp.com, port: 2525;
Mar 23 00:10:50 public01 keycloak-start[875412]:   nested exception is:
Mar 23 00:10:50 public01 keycloak-start[875412]: 	javax.net.ssl.SSLException: Unsupported or unrecognized SSL message
Mar 23 00:10:50 public01 keycloak-start[875412]: 	at org.eclipse.angus.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:2245)
Mar 23 00:10:50 public01 keycloak-start[875412]: 	at org.eclipse.angus.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:729)
Mar 23 00:10:50 public01 keycloak-start[875412]: 	at jakarta.mail.Service.connect(Service.java:342)
Mar 23 00:10:50 public01 keycloak-start[875412]: 	at jakarta.mail.Service.connect(Service.java:222)
Mar 23 00:10:50 public01 keycloak-start[875412]: 	at jakarta.mail.Service.connect(Service.java:243)
Mar 23 00:10:50 public01 keycloak-start[875412]: 	at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:161)
Mar 23 00:10:50 public01 keycloak-start[875412]: 	... 17 more
Mar 23 00:10:50 public01 keycloak-start[875412]: Caused by: javax.net.ssl.SSLException: Unsupported or unrecognized SSL message
```

With starttls, we can send emails, so use that.

Change-Id: I5898bec4f9413a8714c9adb1654d9e964022d183
Reviewed-on: https://cl.snix.dev/c/snix/+/30249
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-03-23 00:49:59 +00:00
Florian Klink
8c4f447ec7 fix(ops/pipelines): fix anchor steps
Every buildkite user needs to be able to update these symlinks, and the
directory doesn't exist. It was probably created imperatively on whitby.

Use a tmpfiles rule creating a /nix/var/nix/gcroots/buildkite directory,
and add a `canon` symlink in there.

Change-Id: Ic4d67fbb69f77cebe891b0fff9b824713ebec87c
Reviewed-on: https://cl.snix.dev/c/snix/+/30247
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-03-23 00:48:45 +00:00
Paul Meyer
bfd948c6e2 fix(treewide): remove trailing whitespace
Change-Id: I3116d3f397ba309be2418e188327143c7187b789
Reviewed-on: https://cl.snix.dev/c/snix/+/30235
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Paul Meyer <katexochen0@gmail.com>
Autosubmit: Paul Meyer <katexochen0@gmail.com>
2025-03-22 17:29:59 +00:00
Florian Klink
8e1fa6435c chore(ops/nixos): drop ops.rebuild-system
This doesn't really work in all cases anyways, and currently isn't used
to deploy - remove it.

Change-Id: I6684d9583cb036d851ab6cd9f4c811973a7882fc
Reviewed-on: https://cl.snix.dev/c/snix/+/30242
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-03-22 15:57:46 +00:00
Florian Klink
22c2770f42 fix(ops/machines/build01): switch to Lix in nix.package
There's been a lot of

```
nix-daemon[2039685]: unexpected Nix daemon error: error: writing to file: Broken pipe
```

log messages, and failed builds in CI.

These don't seem to occur with Lix.

Change-Id: Ida277064282905154ea9265f935a221bf8006c8d
Reviewed-on: https://cl.snix.dev/c/snix/+/30225
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
2025-03-21 13:46:35 +00:00
Paul Meyer
df802d93df fix(treewide): add missing final newlines
Change-Id: Ib20d37803d56a2d1b7b6ddfc0d5a80b65eff29ed
Reviewed-on: https://cl.snix.dev/c/snix/+/30232
Autosubmit: Paul Meyer <katexochen0@gmail.com>
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-03-21 13:33:32 +00:00
Florian Klink
d99819280a feat(ops): configure email for Forgejo
This configures Forgejo to use the "Forgejo" Message Stream on our "Snix"
server in Postmark.

Change-Id: I298966a8b43b55b0f1992a8fedf0fffcd6dde472
Reviewed-on: https://cl.snix.dev/c/snix/+/30206
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
2025-03-21 01:40:52 +00:00
Florian Klink
3191a6c8d0 feat(ops): configure sendemail for gerrit
This configures Gerrit to use the "Gerrit" Message Stream on our "Snix"
server in Postmark.

Change-Id: I4d021919c666aabc94008f9f705163cb9639f1aa
Reviewed-on: https://cl.snix.dev/c/snix/+/30205
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
2025-03-21 01:40:52 +00:00
adisbladis
7aef14c57f chore(ops/besadii): switch from buildGo to buildGoModule
Change-Id: I0457419d6b74d4f4c3c999a656a22ddd6c9d9ac3
Reviewed-on: https://cl.snix.dev/c/snix/+/30186
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-03-20 21:25:25 +00:00
adisbladis
b69cd940cf feat(ops/secrets): Use korora for type checking secrets
Type checking of secrets was removed in cff6575948 to get rid of yants.
This adds back type checking using Korora.

Fixes https://git.snix.dev/snix/snix/issues/71
Change-Id: I27cd47b7e1810be5c4cd5d86366e860ca217f9c4
Reviewed-on: https://cl.snix.dev/c/snix/+/30118
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-03-20 21:25:05 +00:00
Florian Klink
cfe842effa feat(ops/dns): setup Postmark DNS records
This configures the DNS records necessary to send emails from Postmark.

Change-Id: I2e55151f40c4f5e54f6d7f06ae24f2e863b7c656
Reviewed-on: https://cl.snix.dev/c/snix/+/30204
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-03-20 21:18:40 +00:00