There's two Roles for the Forgejo application, "Admin" and
"Contributors".
Everyone gets the "Contributor" role assigned automatically (it doesn't
really give you a ton of privileges).
Regarding mapping Gerrit groups, it seems there's no support for this in
the `gerrit-oauth-provider` plugin (yet) -
see https://github.com/davido/gerrit-oauth-provider/issues/170.
Fixes#73.
Change-Id: I3cbb968e664125b1f08235db3008d1dbf778922a
Reviewed-on: https://cl.snix.dev/c/snix/+/30477
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
keycloak_openid_user_client_role_protocol_mapper.grafana_role_mapper was
missing. It is configured to make the client roles for this Application
(and only those for this application) available in the grafana_roles
claim.
We can also disable full scope, as we're not interested in other role
mappings.
The Terraform files are a bit reorganized, everything configuring the
Grafana client lives in grafana.tf (and vice-versa for Forgejo,
Buildkite and Gerrit). The only thing left in permissions.tf is global
groups, their memberships and mappings.
Change-Id: I37b0755f4f8658518083353ec6cc0193e805d5c2
Reviewed-on: https://cl.snix.dev/c/snix/+/30476
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
This makes it possible to fetch refs/meta/config from the forgejo
endpoint too. It was possible to fetch it from Gerrit directly before,
so this isn't more or less private than before.
Forgejo doesn't seem to provide an endpoint to link to refs/meta/config,
but it's perfectly fine to view the tree for a given commit from there:
dd5ed6266a
Change-Id: I9bbfb8c5994118e6a205e84d5584cc82a560cc23
Reviewed-on: https://cl.snix.dev/c/snix/+/30444
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
We stopped using them a while ago, no need to replicate.
Change-Id: I584a584b401ed357eba6d8f2349d2be40684765e
Reviewed-on: https://cl.snix.dev/c/snix/+/30443
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
This points our own gerrit check to the deployed buildkite-api-proxy,
updates the URL and stops sending an outdated token.
Fixes#118.
Change-Id: Ic7ace4d67a6bd05c408ac14fe988ae3fe829a49b
Reviewed-on: https://cl.snix.dev/c/snix/+/30406
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: edef <edef@edef.eu>
This blocks a bunch of AI scrapers from Forgejo, which seems to be
particularly attractive.
Especially meta-externalagent has been scraping very excessively.
The list comes from https://github.com/ai-robots-txt/ai.robots.txt,
let's see how often this needs updating.
Change-Id: I55ae7c42c6a3eeff6f0457411a8b05d55cb24f65
Reviewed-on: https://cl.snix.dev/c/snix/+/30370
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
This doesn't seem to do anything, and logs a warning on startup.
Change-Id: I4d883f2a95d5934bc3dc2998a497f3c2a8ff857d
Reviewed-on: https://cl.snix.dev/c/snix/+/30364
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
It seems this now gets added automatically, and causes nginx to fail
with an emergency due to the directive being there two times.
Drop one of it, which gets nginx to boot up again.
Change-Id: I0df3c2f7c2cfbe23d717249570d5a4d1a7fe2f2b
Reviewed-on: https://cl.snix.dev/c/snix/+/30363
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
grafana-agent has been removed, but the failing eval was missed due
to #80.
Change-Id: I87cfc71c8c98e27e32f4e95e4d85901195cb5b75
Reviewed-on: https://cl.snix.dev/c/snix/+/30347
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
This option is not used, we can reintroduce it when needed.
Change-Id: Ie0f90ea7fc84f493f0c73de29ddf200c1184cb40
Reviewed-on: https://cl.snix.dev/c/snix/+/30345
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Deploys Harmonia on build01, proxied through public01.
We cannot serve from build01 directly because it only supports IPv6.
Closes: https://git.snix.dev/snix/snix/issues/66
Change-Id: Iff3c16366d60c0fbfd1315a18c27fcd636a0261a
Reviewed-on: https://cl.snix.dev/c/snix/+/30274
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Autosubmit: Ilan Joselevich <personal@ilanjoselevich.com>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
We only use the OAuth flow (with Keycloak), and the native login
mechanism is an unnecessary source of user confusion.
Change-Id: I819e0b6ac507013c903c55a28f0db52e8706d8dc
Reviewed-on: https://cl.snix.dev/c/snix/+/30282
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: edef . <edef@edef.eu>
This configures Forgejo to use the "Forgejo" Message Stream on our "Snix"
server in Postmark.
Change-Id: I298966a8b43b55b0f1992a8fedf0fffcd6dde472
Reviewed-on: https://cl.snix.dev/c/snix/+/30206
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
This configures Gerrit to use the "Gerrit" Message Stream on our "Snix"
server in Postmark.
Change-Id: I4d021919c666aabc94008f9f705163cb9639f1aa
Reviewed-on: https://cl.snix.dev/c/snix/+/30205
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
They are linked to Snix repo because this is the only one we are using.
Fixes#81.
Change-Id: I3c47547128a7dc5e1fe67a8fbe87b17c7e94f153
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
Reviewed-on: https://cl.snix.dev/c/snix/+/30144
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
They were not going to q/ but just the root of the website, this was not
working.
Change-Id: I1acda0bb630198a8eef5b6fe991a395f1be1f796
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
Reviewed-on: https://cl.snix.dev/c/snix/+/30170
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Code Owners was disabled because it's very sensitive about the identity
of the committers and while pushing the original history, this was a
distraction.
Now that the history has been pushed and everyone is back to their
normal identity, it's fine to enable it again.
Fixes#83.
Change-Id: I4181d6af4eca489d4827b1c1ee606dfbb28a05c9
Reviewed-on: https://cl.snix.dev/c/snix/+/30173
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: Ryan Lahfa <masterancpp@gmail.com>
We are not going to use Panettone neither r/ revisions.
Change-Id: Icc037fc02861cfbe53690ca6641eb7ea777f7b74
Reviewed-on: https://cl.snix.dev/c/snix/+/30172
Autosubmit: Ryan Lahfa <masterancpp@gmail.com>
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
We don't have an email server configured (yet), we can resurrect it once
we do.
Change-Id: I568075154c6169d031462f39b43ce5897a754f19
Reviewed-on: https://cl.snix.dev/c/snix/+/30109
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Everything was large=true and then nothing was small=true and did not
have a hostname.
This is fixed.
Change-Id: Id90e6246f9ab44ce020d999e975dd8b4cd4492c9
Signed-off-by: Ryan Lahfa <raito@lix.systems>
cl.snix.fyi/q/$ID where $ID ≤ 30K will redirect (301) to
cl.tvl.fyi/q/$ID to keep the old links working.
Change-Id: I27b496a1c52a3de3d106292ba7a2931b0f15fa49
Signed-off-by: Ryan Lahfa <raito@lix.systems>
This is definitely faster than doing a roundtrip via a build.
Change-Id: I7a02b828462def735fdb241ce729143e90bc5c75
Reviewed-on: https://cl.tvl.fyi/c/depot/+/13236
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: sterni <sternenseemann@systemli.org>
Something recently caused us to replace Docker with Podman (I guess a default
changed in nixpkgs? I don't remember making the change explicitly), which broke
the reindexing unit.
Change-Id: I1d3453ed970e536abb540c6ef79765cfda271810
Reviewed-on: https://cl.tvl.fyi/c/depot/+/13173
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
These bots are doing unthrottled requests to cgit 24/7, and it's starting to
annoy me.
Change-Id: I6b7d7a68e9becb8ed4b5c52b376c2a60febc6ec6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/13145
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Adds a new tagging system to Buildkite agents, where agents are tagged with
large/small slots. All agents have small slots, only some agents have large
slots. The small slots are purely informative - nothing targets them, whereas
large slots will be used for filtering agents.
This allows us to target large slots in some builds and minimise the concurrent
execution of extremely large builds, while keeping a large number of small slots
around for all the light targets.
This will need some tuning over time (also because tagging is a manual process).
Change-Id: I15aa657773ed874d84d98e55238fb31c75d4efa7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/13120
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Removes whitby DNS records and other related configuration that is no longer
required now that whitby is gone.
whitby served us well. RIP.
This resolves b/433.
Change-Id: I56fe6f88cde9112fc3bfc79758ac33e88a743422
Reviewed-on: https://cl.tvl.fyi/c/depot/+/13117
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Backups are moving from GleSYS to Yandex Cloud (is this motivated by me not
having to pay for them in that case? Maybe!); this changes the default backup
location to accommodate that.
I also noticed that we previously manually placed the backup key on whitby, so
the new key is going into agenix instead, as well as the secrets for protecting
the repositories.
Change-Id: Ibe5dbfec6784345f020a8b4d92bb01c6ad719a89
Reviewed-on: https://cl.tvl.fyi/c/depot/+/13096
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
This turns off almost all of the lights. The server will be decomissioned on
2025-02-05. Until then we can keep running the Buildkite builders there for
extra capacity.
Stuff that was left in the whitby config has been migrated to nevsky.
This relates to b/433.
Change-Id: I84953e9d5e912f75b8884cb9d8edd5a1b7d5c85d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/13095
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
... that is then promptly enabled on nevsky.
Change-Id: Ie51037cec810bb7f81099a67ebd2581dcf710bd5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/13093
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
