Commit graph

65 commits

Author SHA1 Message Date
ec93c94e7e revert default shell to bash
zsh is unbearably slow on some machines
2024-10-30 13:29:27 +01:00
3ed36f74fd onboarding: add pennae keys on lix infra
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-22 16:57:06 +02:00
df8a57f91a users: add ckie 2024-10-18 14:43:25 +03:00
97bee26977 new ssh key for yureka 2024-10-10 13:42:29 +00:00
decc9963ee feat: add buildbot.lix.systems
This introduces a new Buildbot instance using all the previous work.

This is a "Raito's VM" hardware type.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:53:25 +02:00
daa99e83e8 fix(buildbot): add gerrit.lix.systems as known host
Otherwise, buildbot cannot listen to the stream of events.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:53:04 +02:00
b56b8963a2 feat: introduce Buildbot multi-tenancy
This shares the same expression to deploy the Buildbot.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:28:29 +02:00
76276a8da3 feat: add build01.aarch64.lix.systems
This is the first Lix machine we are enrolling in our infrastructure
(!).

It's using all the previous commits to make it cozy with our current
infra style.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:10:28 +02:00
7e205b16d0 feat(common/hardware/oracle-vm): enable systemd initrd
Let's minimize the amount of scripted initrd stuff if we can.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:10:28 +02:00
8838709a95 fix(common/hardware/oracle-vm): forgotten virtio modules
Otherwise, the machine won't reboot because virtio-scsi is not available
in the initrd.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:10:04 +02:00
002db9a78f feat: introduce tenant-specific extra build capacity
At Lix, we have few aarch64-linux and aarch64-darwin systems we use to
boost our CI.

This is a module to handle tenant-specific extra build capacity without
it leaking over the rest of the deployment.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:09:23 +02:00
92560708b8 feat: multi-tenant secrets
Lix may have its own secrets and we want to maintain a certain
generalization level on the NixOS modules, so we can decorrelate which
secret we select dynamically by having a simple tenancy hierarchy
system.

This unfortunately requires rewriting all call sites with a floral
prefix until we migrate them to the simple internal secret module which
is aware of this.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
3b6be269d6 feat: introduce Oracle VMs and Hetzner VMs as hardware types
This includes aarch64-linux variants for these hosters.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
acaaad68bb feat: introduce resource control over all machines
We were using over all our machines in the Lix infrastructure.
It still makes sense for all our machines.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
3c9b077bb2 feat: add more admins tools from lix infra
We had this in our equivalent file.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
6d3e14ec27 feat: finer-grained ACLs for server accesses
In the process of adding multi-tenant infrastructure, it seems relevant
to add finer-grained ACLs.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-05 16:20:19 +02:00
f321ab6450 users: add winterqt
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-09-28 21:09:06 +02:00
9a04ef909b feat(nixpkgs): run oxidized channel scripts
We don't need weird Perl scripts where we are going. Here's a streaming
channel-scripts deployment with plenty of bells, including OTLP.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 19:32:23 +02:00
c969625b0f fix(sniproxy): outside/inside of infra, the ingress IPs are different
In my infrastructure, the source node is 99::1; outside of my infra,
it's ::1.

All of this machinery was never really meant to be used on this scale,
so oopsie.

We should build our own sniproxy at some point.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-30 19:01:44 +02:00
0eaaf860d1 feat(common): enable system wide diff in the activation output
This helps me to review what changes could be problematic in advance.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-23 20:43:00 +02:00
ce3a40671c acme: make ToS and contact config common 2024-08-16 09:03:08 +02:00
50fadb45e2 common: define TZ in base server configs, remove heretical host-specific configuration 2024-08-13 22:38:40 +02:00
37bcb261ab ssh-keys: add build-coord, rekey secrets 2024-08-13 22:36:30 +02:00
3f2909dd8a public-keys: add public01 SSH host key
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-13 19:15:05 +02:00
b1c28cfc7c bagel-cache.s3-web.delroth.net -> cache.forkos.org 2024-08-06 13:26:15 +02:00
8390caee53 users: Add thubrecht 2024-07-23 23:14:39 +02:00
1b82c2f8fd common/{admin,ssh-keys}: add hexchen 2024-07-23 23:07:12 +02:00
26c5e56605 common/{admins,ssh-keys}: sort users 2024-07-23 23:06:17 +02:00
56a04a6faf buildbot: init
Reviewed-on: #68
2024-07-18 08:57:56 +00:00
e00d0331ec common/known-ssh-keys: init
Let's ensure that all our servers are aware of all host keys to avoid
host key verification issues when needed.

(example: buildbot → gerrit)

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-17 18:00:51 +02:00
c3394264ba hosts/buildbot: init
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-17 18:00:51 +02:00
7789e9ce75 services/buildbot: init
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-17 18:00:51 +02:00
81fc914d79 feat: change the default shell to zsh
Reviewed-on: #59
2024-07-17 12:56:45 +00:00
ab9caaf520 systems: add git.forkos.org 2024-07-16 15:44:08 +02:00
d4caf7b71a admins: add emilylange 2024-07-16 15:43:58 +02:00
af515792cc admins: add janik 2024-07-13 01:10:39 +00:00
bed5ef022f change the default user shell to zsh 2024-07-12 19:50:34 +02:00
329f267b02 enable nftables on all hosts 2024-07-11 02:05:35 +02:00
58325e30dd common/nix: use bagel-cache by default 2024-07-10 18:17:30 +02:00
70e608a8f7 common: provide a pinned nixpkgs on all infra machines 2024-07-10 17:17:18 +02:00
3cbdbc45f7 more quality of life improvements... 2024-07-10 15:54:30 +02:00
787b3af638 Add wob-vpn-gw key, rekey metrics push password for it 2024-07-10 15:13:05 +03:00
e608b92e4f Add htop and btop to default machine config 2024-07-10 15:01:09 +03:00
9e7e6d42ab Make nginx/loki/mimir go fast 2024-07-10 14:55:28 +03:00
39d2352bbc general quality of life improvements 2024-07-09 23:26:12 +00:00
a7d21e96a0 add global hardening options 2024-07-09 23:26:12 +00:00
bc8ef7b5fc ssh-keys: remove raito's key which is too NSA'd for agenix 2024-07-10 01:04:48 +02:00
61e8048445 sysadmin: remove pwru, does not build on latest nixpkgs 2024-07-10 01:01:27 +02:00
f9f955214f ssh-keys: add raito to secrets set
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-10 00:59:22 +02:00
eb21cb6916 add baremetal builders 2024-07-10 00:35:01 +02:00