Commit graph

389 commits

Author SHA1 Message Date
raito 96f5d45ff3 feat(lix): add buildbot.lix.systems key for extra build capacity
Otherwise, buildbot.lix.systems will not be able to access it anymore.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:28:29 +02:00
raito 3df1697289 fix(secrets): rekey the monitoring password
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:28:29 +02:00
raito 76276a8da3 feat: add build01.aarch64.lix.systems
This is the first Lix machine we are enrolling in our infrastructure
(!).

It's using all the previous commits to make it cozy with our current
infra style.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:10:28 +02:00
raito 7e205b16d0 feat(common/hardware/oracle-vm): enable systemd initrd
Let's minimize the amount of scripted initrd stuff if we can.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:10:28 +02:00
raito 1e421889e4 feat(monitoring): add static label for tenancy
So we can distinguish easily things in the dashboards.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:10:16 +02:00
raito 8838709a95 fix(common/hardware/oracle-vm): forgotten virtio modules
Otherwise, the machine won't reboot because virtio-scsi is not available
in the initrd.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:10:04 +02:00
raito 002db9a78f feat: introduce tenant-specific extra build capacity
At Lix, we have few aarch64-linux and aarch64-darwin systems we use to
boost our CI.

This is a module to handle tenant-specific extra build capacity without
it leaking over the rest of the deployment.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:09:23 +02:00
raito 6978c1271d feat: introduce floral and lix common modules
This way, we can mark tenancy appropriately in a common expression and
add all machines altogether in the same entrypoint.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:09:11 +02:00
raito 92560708b8 feat: multi-tenant secrets
Lix may have its own secrets and we want to maintain a certain
generalization level on the NixOS modules, so we can decorrelate which
secret we select dynamically by having a simple tenancy hierarchy
system.

This unfortunately requires to rewrite all call sites with a floral
prefix until we migrate them to the simple internal secret module which
is aware of this.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
raito 3b6be269d6 feat: introduce Oracle VMs and Hetzner VMs as hardware types
This includes aarch64-linux variants for these hosters.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
raito acaaad68bb feat: introduce resource control over all machines
We were using over all our machines in the Lix infrastructure.
It still makes sense for all our machines.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
raito 3c9b077bb2 feat: add more admins tools from lix infra
We had this in our equivalent file.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
raito c23d290647 docs(README.md): explain how to deploy things
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:09:53 +00:00
raito c0689e6832 feat: add @localboot tags for machine which can be deployed
colmena does not support netboot deployment, this is fine. We can fix it
later.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:09:53 +00:00
raito a2eecd1886 feat(buildbot): disable manhole debugging
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 07:59:56 +00:00
raito b5d412a5ba feat: adopt new version of Buildbot with incoming ref data
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 07:59:56 +00:00
Yureka 01f8322df9 update hydra/lix 2024-10-05 23:33:17 +02:00
Yureka 3072dfad55 update flake inputs 2024-10-05 23:30:21 +02:00
Maxine Aubrey 86e833f52a
chore(tf): drop all gandi resources 2024-10-05 18:46:45 +02:00
raito 1a862b2b0f hotfix: add the path to the stateless uptime kuma's password file
Forgotten in the previous merge.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-05 16:33:38 +02:00
raito 6d3e14ec27 feat: finer-grained ACLs for server accesses
In the process of adding multi-tenant infrastructure, it seems relevant
to add finer-grained ACLs.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-05 16:20:19 +02:00
Ilya K 5582a0a29b Fix Hydra exporter crash loop nonsense 2024-10-01 19:27:13 +03:00
Ilya K 4ddf87fa8e Add new metric to Hydra exporter 2024-10-01 19:27:05 +03:00
Ilya K 98d899fabc Update Hydra 2024-10-01 19:26:58 +03:00
Kiara Grouwstra b291caac46 feat(monitoring): add uptime-kuma for status page, fixes #97
Adds a service for a status page using
[`uptime-kuma`](https://uptime.kuma.pet/).
2024-10-01 16:13:23 +00:00
Ilya K e2c6550796 Hydra metrics
Yoink the nixos org exporter, rewrite most of it, deploy
2024-10-01 19:06:26 +03:00
raito 4749d204bf feat: add stateless-uptime-kuma-password secret
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-09-29 16:01:23 +02:00
raito c86cefe21f Merge pull request 'feat(gerrit): run git-gc-preserve on a daily timer' (#110) from gerrit-gc into main 2024-09-28 20:13:39 +00:00
raito f321ab6450 users: add winterqt
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-09-28 21:09:06 +02:00
Maxine Aubrey 8d95d1f850
fix(dns): dnsimple expects FQDNs in CNAMEs
DNSimple doesn't appear to follow the typical behaviour of appending the
domain unless the CNAME is terminated with `.`

To avoid further problems, let's just explicilty use the FQDN for all
CNAMEs.

https://support.dnsimple.com/articles/cname-record/

For comparison:
```
;; ANSWER SECTION:
alerts.forkos.org.	300	IN	CNAME	meta01.infra.p.
```

```
;; ANSWER SECTION:
alerts.forkos.org.	181	IN	CNAME	meta01.infra.p.forkos.org.
meta01.infra.p.forkos.org. 181	IN	A	163.172.69.160
```
2024-09-24 23:11:28 +02:00
Maxine Aubrey 29c1b366c6
feat(dns): migrate forkos.org zone to dnsimple 2024-09-24 21:10:39 +02:00
Maxine Aubrey 16027be2ca
fix(dns): apex cnames are not allowed
change flowery.systems from CNAME to ALIAS pointing to news.forkos.org
2024-09-24 20:50:41 +02:00
Janik Haag d780f18534 Merge pull request 'feat(dns): migrate functions from gandi to dnsimple' (#113) from janik/dnsimple into main
Reviewed-on: #113
Reviewed-by: Maxine Aubrey <max@ine.dev>
2024-09-24 18:37:55 +00:00
Janik Haag 8acc60e328
feat(dns): migrate functions from gandi to dnsimple 2024-09-24 00:25:58 +02:00
Maxine Aubrey e3b6cb72b4
feat(dns): add dnsimple to terraform configuration 2024-09-23 19:49:21 +02:00
Janik Haag d462e8ca9c
feat(gerrit): run git-gc-preserve on a daily timer 2024-09-18 22:27:57 +02:00
raito 94d1881e10 feat(gerrit): add git-gc-preserve script
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-09-02 11:05:54 +02:00
raito 132d2866b5 feat(channels): add minimal ISO for x86_64-linux
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 20:14:02 +02:00
raito a14f496db8 fix(channel-scripts): fix RUST_LOG=info
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 20:03:11 +02:00
raito c2ad3d6d26 fix(channel-scripts): push OTLP properly now
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 19:56:46 +02:00
raito 4c7943349b fix(flake): bump channel-scripts to obtain the fixed rename
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 19:50:02 +02:00
raito 9a04ef909b feat(nixpkgs): run oxidized channel scripts
We don't need weird Perl scripts where we are going. Here's a streaming
channel-scripts deployment with plenty of bells, including OTLP.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 19:32:23 +02:00
Ilya K c1712dc1fa Set up tempo 2024-08-31 15:05:30 +03:00
raito 8073ae6942 feat(s3-revproxy): tune the cache-control
Adopt the original values from the Perl script.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 00:52:13 +02:00
raito c38e9b482f feat(web): provide a directory listing via s3-revproxy
Thanks to Jade Lovelace who built all this machinery for Lix initially.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 00:29:18 +02:00
raito 9063138156 feat(secrets): add s3 reverse proxy API keys
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 00:19:49 +02:00
raito 322f10d9ae feat(dns): add raw S3 reverse proxies domains for channel scripts
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 00:19:40 +02:00
Ilya K bf7252c210 terraform/hydra: more nixpkgses now 2024-08-30 21:34:30 +03:00
raito c969625b0f fix(sniproxy): outside/inside of infra, the ingress IPs are different
In my infrastructure, the source node is 99::1, outside of my infra,
it's ::1.

All of this machinery was never really meant to be used on this scale,
so oopsie.

We should build our own sniproxy at some point.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-30 19:01:44 +02:00
raito 1b22c1f0ae fix(hydra): proxy it over my sniproxy
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-30 18:34:35 +02:00