chore: add lorri to prevent direnv from blocking, closes #147

fix: update grapevine config
fix: ensure that pg_stat_statements is always created as an ext
2024-10-21 18:27:52 +02:00 · 2024-10-21 16:31:26 +03:00 · 2024-10-21 14:33:18 +02:00 · 2024-10-20 11:24:58 +02:00 · 2024-10-19 19:12:10 +02:00 · 2024-10-18 23:22:51 +00:00
16 changed files with 117 additions and 36 deletions
--- a/.envrc
+++ b/.envrc
@ -1,2 +1,2 @@
 # shellcheck shell=bash
-use flake
+eval "$(lorri direnv --flake .)" 
--- a/common/admins.nix
+++ b/common/admins.nix
@ -19,6 +19,7 @@ in
      "thubrecht"
      "winter"
      "yuka"
+      "ckie"
    ];

    lix-infra.members = [
@ -39,5 +40,6 @@ in
    "thubrecht"
    "winter"
    "yuka"
+    "ckie"
  ] (name: {});
 }
--- a/common/ssh-keys.nix
+++ b/common/ssh-keys.nix
@ -63,5 +63,6 @@
    thubrecht = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn" ];
    yuka = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxQ3NYBi8v1f/vhxLKDcA6upmX0pctRDbnK6SER5OUR yureka" ];
    winter = [ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIH/LDRUG+U+++UmlxvA2kspioTjktQZ8taDcHq8gVlkfAAAABHNzaDo=" ];
+    ckie = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3uTwzSSMAPg84fwbNp2cq9+BdLFeA1VzDGth4zCAbz https://mei.puppycat.house" ];
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -87,16 +87,16 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1728307353,
-        "narHash": "sha256-eVSDu52qZn48c1HfDlH79JkDIzuE7qyY0ipPMbrpYzE=",
-        "ref": "refs/heads/forkos",
-        "rev": "60860d308404efc14cff66513f9e8e4a002756c3",
-        "revCount": 299,
+        "lastModified": 1728837991,
+        "narHash": "sha256-+jXVHPmX9eUtH2JhMKye0Tm2KMQTmD8FlHHfbcaXMOI=",
+        "ref": "refs/heads/bring-back-old-gerrit-reporting",
+        "rev": "879e9cdcdf2d7e6566ee512d015acc4d23f35517",
+        "revCount": 302,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/buildbot-nix.git"
      },
      "original": {
-        "ref": "refs/heads/forkos",
+        "ref": "refs/heads/bring-back-old-gerrit-reporting",
        "type": "git",
        "url": "https://git.lix.systems/lix-project/buildbot-nix.git"
      }
--- a/flake.nix
+++ b/flake.nix
@ -22,7 +22,7 @@
    gerrit-dashboard.url = "git+https://git.lix.systems/the-distro/gerrit-monitoring.git";
    gerrit-dashboard.flake = false;

-    buildbot-nix.url = "git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/forkos";
+    buildbot-nix.url = "git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/bring-back-old-gerrit-reporting";
    buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";

    channel-scripts.url = "git+https://git.lix.systems/the-distro/channel-scripts.git";
@ -93,6 +93,9 @@
    devShells = forEachSystem' ({ system, pkgs, ... }: {
      default = pkgs.mkShell {
        packages = [
+          pkgs.direnv
+          pkgs.lorri
+
          inputs.agenix.packages.${system}.agenix

          pkgs.opentofu
--- a/hosts/buildbot-lix/default.nix
+++ b/hosts/buildbot-lix/default.nix
@ -38,7 +38,9 @@
      port = 2022;
      username = "buildbot";
    };
-    cors.allowedOrigin = "*.lix.systems";
+    cors.allowedOrigins = [
+      "https://*.lix.systems"
+    ];
    projects = [
      "lix"
      "lix-installer"
--- a/hosts/buildbot/default.nix
+++ b/hosts/buildbot/default.nix
@ -36,13 +36,15 @@
        port = cfgGerrit.port;
        username = "buildbot";
      };
-    cors.allowedOrigin = "*.forkos.org";
+    cors.allowedOrigins = [
+      "https://*.forkos.org"
+    ];
    projects = [
      "buildbot-test"
      "nixpkgs"
      "infra"
    ];
-    builders = [ "builder-10" ];
+    builders = [ "builder-9" ];
  };

  i18n.defaultLocale = "en_US.UTF-8";
--- a/hosts/gerrit01/default.nix
+++ b/hosts/gerrit01/default.nix
@ -23,6 +23,9 @@
    };
  };

+  # Block all these crawlers!!
+  bagel.services.nginx.crawler-blocker.enable = true;
+
  fileSystems."/gerrit-data" = {
    device = "/dev/disk/by-uuid/d1062305-0dea-4740-9a27-b6b1691862a4";
    fsType = "ext4";
--- a/services/block-crawlers/blocked-ua.txt
+++ b/services/block-crawlers/blocked-ua.txt
@ -0,0 +1,40 @@
+AI2Bot
+Ai2Bot-Dolma
+Amazonbot
+anthropic-ai
+Applebot
+Applebot-Extended
+Bytespider
+CCBot
+ChatGPT-User
+Claude-Web
+ClaudeBot
+cohere-ai
+Diffbot
+FacebookBot
+facebookexternalhit
+FriendlyCrawler
+Google-Extended
+GoogleOther
+GoogleOther-Image
+GoogleOther-Video
+GPTBot
+iaskspider/2.0
+ICC-Crawler
+ImagesiftBot
+img2dataset
+ISSCyberRiskCrawler
+Kangaroo Bot
+Meta-ExternalAgent
+Meta-ExternalFetcher
+OAI-SearchBot
+omgili
+omgilibot
+PerplexityBot
+PetalBot
+Scrapy
+Sidetrade indexer bot
+Timpibot
+VelenPublicWebCrawler
+Webzio-Extended
+YouBot
--- a/services/block-crawlers/default.nix
+++ b/services/block-crawlers/default.nix
@ -0,0 +1,32 @@
+{ pkgs, config, lib, ... }:
+let
+  inherit (lib) mkEnableOption mkIf mkOption types concatStringsSep mkDefault splitString;
+  cfg = config.bagel.services.nginx.crawler-blocker;
+  mkRobotsFile = blockedUAs: pkgs.writeText "robots.txt" ''
+    ${concatStringsSep "\n" (map (ua: "User-agent: ${ua}") blockedUAs)}
+    Disallow: /
+  '';
+in
+{
+  options = {
+    bagel.services.nginx.crawler-blocker = {
+      enable = mkEnableOption "the crawler blocker";
+
+      userAgents = mkOption {
+        type = types.listOf types.str;
+        default = splitString "\n" (builtins.readFile ./blocked-ua.txt);
+      };
+    };
+
+    services.nginx.virtualHosts = mkOption {
+      type = types.attrsOf (types.submodule {
+        config = {
+          locations."= /robots.txt" = mkIf cfg.enable (mkDefault {
+            alias = mkRobotsFile cfg.userAgents;
+          });
+        };
+      });
+    };
+  };
+}
+
--- a/services/buildbot/default.nix
+++ b/services/buildbot/default.nix
@ -53,9 +53,9 @@ in
      };
    };

-    cors.allowedOrigin = mkOption {
-      type = types.str;
-      example = "*.forkos.org";
+    cors.allowedOrigins = mkOption {
+      type = types.listOf types.str;
+      example = [ "*.forkos.org" ];
      description = "Allowed origin for Buildbot and NGINX for CORS without the protocol";
    };

@ -100,6 +100,7 @@ in
    };

    services.nginx = {
+      recommendedProxySettings = true;
      appendHttpConfig = ''
        # Our session stuff is too big with the TWISTED_COOKIE in addition.
        # Default is usually 4k or 8k.
@ -109,8 +110,8 @@ in
        forceSSL = true;
        enableACME = true;
        extraConfig = ''
+          # This is needed so that logged-in users in Buildbot can include their credentials in their requests.
          add_header Access-Control-Allow-Credentials 'true' always;
-          add_header Access-Control-Allow-Origin 'https://${cfg.cors.allowedOrigin}' always;
        '';
      };
    };
@ -155,9 +156,8 @@ in
      # we can replace all of this with automatic localworker generation on buildbot-nix side.
      workersFile = config.age.secrets.buildbot-workers.path;

-      allowedOrigins = [
-        cfg.cors.allowedOrigin
-      ];
+      # We rely on NGINX to do the CORS dance.
+      allowedOrigins = cfg.cors.allowedOrigins;

      buildMachines = map (n: {
          hostName = nodes.${n}.config.networking.fqdn;
--- a/services/default.nix
+++ b/services/default.nix
@ -1,5 +1,6 @@
 {
  imports = [
+    ./block-crawlers
    ./gerrit
    ./channel-scripts
    ./hydra
--- a/services/gerrit/default.nix
+++ b/services/gerrit/default.nix
@ -129,7 +129,9 @@ in
      serverId = "9e5216ad-038d-4d74-a4e8-716515834a94";

      builtinPlugins = [
-        "gitiles"
+        # Disable gitiles as it generates too much traffic.
+        # Prefer git.forkos.org.
+        # "gitiles"
        "codemirror-editor"
        "reviewnotes"
        "download-commands"
--- a/services/gerrit/www.nix
+++ b/services/gerrit/www.nix
@ -29,10 +29,6 @@ in
            # NGINX should not give up super fast. Things can take time.
            proxy_read_timeout 3600;
          }
-
-          location = /robots.txt {
-            return 200 'User-agent: *\nAllow: /';
-          }
        '';
      };

--- a/services/matrix/default.nix
+++ b/services/matrix/default.nix
@ -32,6 +32,11 @@ in
          ];
          server_name = "forkos.org";
          database.backend = "rocksdb";
+
+          server_discovery = {
+            server.authority = "matrix.forkos.org:443";
+            client.base_url = "https://matrix.forkos.org";
+          };
        };
      };

@ -48,18 +53,7 @@ in
          "forkos.org" = {
            forceSSL = true;
            enableACME = true;
-            locations = {
-              "= /.well-known/matrix/server".extraConfig = ''
-                add_header Content-Type application/json;
-                add_header Access-Control-Allow-Origin *;
-                return 200 '{"m.server": "matrix.forkos.org:443"}';
-              '';
-              "= /.well-known/matrix/client".extraConfig = ''
-                add_header Content-Type application/json;
-                add_header Access-Control-Allow-Origin *;
-                return 200 '{"m.homeserver": {"base_url": "https://matrix.forkos.org/"}, "m.identity_server": {"base_url": "https://matrix.org/"}, "org.matrix.msc3575.proxy": {"url": "https://matrix.forkos.org"}}';
-              '';
-            };
+            locations."/.well-known/matrix".proxyPass = "http://grapevine";
          };
        };
      };
--- a/services/monitoring/exporters/postgres.nix
+++ b/services/monitoring/exporters/postgres.nix
@ -23,7 +23,10 @@ in
    };

    services.postgresql.settings.shared_preload_libraries = "pg_stat_statements";
+    systemd.services.postgresql.postStart = lib.mkAfter ''
+      ${config.services.postgresql.package}/bin/psql -U postgres -c "CREATE EXTENSION IF NOT EXISTS pg_stat_statements;";
+    '';

    bagel.monitoring.grafana-agent.exporters.postgres.port = 9104;
  };
-}
+}
Author	SHA1	Message	Date
Kiara Grouwstra	2ae7672fad	chore: add lorri to prevent direnv from blocking, closes #147	2024-10-21 18:27:52 +02:00
Ilya K	14935c5e92	fix: update grapevine config	2024-10-21 16:31:26 +03:00
raito	bee402fecc	fix: ensure that pg_stat_statements is always created as an ext Otherwise, we will have issues with this exporter. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>	2024-10-21 14:33:18 +02:00
raito	3efdd0f6c9	fix: disable gitiles on gerrit01 It is generating too much traffic and CPU load for no good reason. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>	2024-10-20 11:24:58 +02:00
raito	8c0c7b517f	feat: block automatically crawlers if the blocker is enabled This help us getting rid of useless traffic by crawlers. It is enabled for gerrit01 which is suffering the most from this. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>	2024-10-19 19:12:10 +02:00
raito	d5500d7c4e	fix(buildbot): bring back the old Gerrit reporting Signed-off-by: Raito Bezarius <masterancpp@gmail.com>	2024-10-18 23:22:51 +00:00
raito	eaf48a0cdd	fix(buildbot): use builder-9 as builder-10 is down Signed-off-by: Raito Bezarius <masterancpp@gmail.com>	2024-10-18 23:22:51 +00:00
raito	e3129fec51	fix(buildbot): fix CORS properly wildcards are not allowed in the headers. We need to include credentials as well. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>	2024-10-18 23:22:51 +00:00
raito	437293bdaa	fix(buildbot): remove CORS wildcards for their precise Gerrit hosts wildcards are not supported in CORS headers, so this design was quite wrong actually. We can just use the actual Gerrit hostname for now. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>	2024-10-18 23:22:51 +00:00
mei (ckie)	df8a57f91a	users: add ckie	2024-10-18 14:43:25 +03:00