raito
96f5d45ff3
feat(lix): add buildbot.lix.systems key for extra build capacity
Otherwise, buildbot.lix.systems will not be able to access it anymore.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:28:29 +02:00
raito
3df1697289
fix(secrets): rekey the monitoring password
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:28:29 +02:00
raito
76276a8da3
feat: add build01.aarch64.lix.systems
This is the first Lix machine we are enrolling in our infrastructure
(!).
It's using all the previous commits to make it cozy with our current
infra style.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:10:28 +02:00
raito
7e205b16d0
feat(common/hardware/oracle-vm): enable systemd initrd
Let's minimize the amount of scripted initrd stuff if we can.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:10:28 +02:00
raito
1e421889e4
feat(monitoring): add static label for tenancy
So we can easily distinguish things in the dashboards.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:10:16 +02:00
raito
8838709a95
fix(common/hardware/oracle-vm): forgotten virtio modules
Otherwise, the machine won't reboot because virtio-scsi is not available
in the initrd.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:10:04 +02:00
raito
002db9a78f
feat: introduce tenant-specific extra build capacity
At Lix, we have a few aarch64-linux and aarch64-darwin systems we use to
boost our CI.
This is a module to handle tenant-specific extra build capacity without
it leaking over the rest of the deployment.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:09:23 +02:00
raito
6978c1271d
feat: introduce floral and lix common modules
This way, we can mark tenancy appropriately in a common expression and
add all machines altogether in the same entrypoint.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:09:11 +02:00
raito
92560708b8
feat: multi-tenant secrets
Lix may have its own secrets and we want to maintain a certain
generalization level on the NixOS modules, so we can decorrelate which
secret we select dynamically by having a simple tenancy hierarchy
system.
This unfortunately requires rewriting all call sites with a floral
prefix until we migrate them to the simple internal secret module which
is aware of this.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
raito
3b6be269d6
feat: introduce Oracle VMs and Hetzner VMs as hardware types
This includes aarch64-linux variants for these hosters.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
raito
acaaad68bb
feat: introduce resource control over all machines
We were using this over all our machines in the Lix infrastructure.
It still makes sense for all our machines.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
raito
3c9b077bb2
feat: add more admins tools from lix infra
We had this in our equivalent file.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
raito
c23d290647
docs(README.md): explain how to deploy things
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:09:53 +00:00
raito
c0689e6832
feat: add @localboot tags for machines which can be deployed
colmena does not support netboot deployment; this is fine. We can fix it
later.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:09:53 +00:00
raito
a2eecd1886
feat(buildbot): disable manhole debugging
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 07:59:56 +00:00
raito
b5d412a5ba
feat: adopt new version of Buildbot with incoming ref data
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 07:59:56 +00:00
Yureka
01f8322df9
update hydra/lix
2024-10-05 23:33:17 +02:00
Yureka
3072dfad55
update flake inputs
2024-10-05 23:30:21 +02:00
Maxine Aubrey
86e833f52a
chore(tf): drop all gandi resources
2024-10-05 18:46:45 +02:00
raito
1a862b2b0f
hotfix: add the path to the stateless uptime kuma's password file
Forgotten in the previous merge.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-05 16:33:38 +02:00
raito
6d3e14ec27
feat: finer-grained ACLs for server accesses
In the process of adding multi-tenant infrastructure, it seems relevant
to add finer-grained ACLs.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-05 16:20:19 +02:00
Ilya K
5582a0a29b
Fix Hydra exporter crash loop nonsense
2024-10-01 19:27:13 +03:00
Ilya K
4ddf87fa8e
Add new metric to Hydra exporter
2024-10-01 19:27:05 +03:00
Ilya K
98d899fabc
Update Hydra
2024-10-01 19:26:58 +03:00
Kiara Grouwstra
b291caac46
feat(monitoring): add uptime-kuma for status page, fixes #97
Adds a service for a status page using
[`uptime-kuma`](https://uptime.kuma.pet/).
2024-10-01 16:13:23 +00:00
Ilya K
e2c6550796
Hydra metrics
Yoink the nixos org exporter, rewrite most of it, deploy
2024-10-01 19:06:26 +03:00
raito
4749d204bf
feat: add stateless-uptime-kuma-password secret
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-09-29 16:01:23 +02:00
raito
c86cefe21f
Merge pull request 'feat(gerrit): run git-gc-preserve on a daily timer' (#110) from gerrit-gc into main
2024-09-28 20:13:39 +00:00
raito
f321ab6450
users: add winterqt
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-09-28 21:09:06 +02:00
Maxine Aubrey
8d95d1f850
fix(dns): dnsimple expects FQDNs in CNAMEs
DNSimple doesn't appear to follow the typical behaviour of appending the
domain unless the CNAME is terminated with `.`
To avoid further problems, let's just explicitly use the FQDN for all
CNAMEs.
https://support.dnsimple.com/articles/cname-record/
For comparison:
```
;; ANSWER SECTION:
alerts.forkos.org. 300 IN CNAME meta01.infra.p.
```
```
;; ANSWER SECTION:
alerts.forkos.org. 181 IN CNAME meta01.infra.p.forkos.org.
meta01.infra.p.forkos.org. 181 IN A 163.172.69.160
```
2024-09-24 23:11:28 +02:00
Maxine Aubrey
29c1b366c6
feat(dns): migrate forkos.org zone to dnsimple
2024-09-24 21:10:39 +02:00
Maxine Aubrey
16027be2ca
fix(dns): apex cnames are not allowed
change flowery.systems from CNAME to ALIAS pointing to news.forkos.org
2024-09-24 20:50:41 +02:00
Janik Haag
d780f18534
Merge pull request 'feat(dns): migrate functions from gandi to dnsimple' (#113) from janik/dnsimple into main
Reviewed-on: #113
Reviewed-by: Maxine Aubrey <max@ine.dev>
2024-09-24 18:37:55 +00:00
Janik Haag
8acc60e328
feat(dns): migrate functions from gandi to dnsimple
2024-09-24 00:25:58 +02:00
Maxine Aubrey
e3b6cb72b4
feat(dns): add dnsimple to terraform configuration
2024-09-23 19:49:21 +02:00
Janik Haag
d462e8ca9c
feat(gerrit): run git-gc-preserve on a daily timer
2024-09-18 22:27:57 +02:00
raito
94d1881e10
feat(gerrit): add git-gc-preserve script
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-09-02 11:05:54 +02:00
raito
132d2866b5
feat(channels): add minimal ISO for x86_64-linux
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 20:14:02 +02:00
raito
a14f496db8
fix(channel-scripts): fix RUST_LOG=info
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 20:03:11 +02:00
raito
c2ad3d6d26
fix(channel-scripts): push OTLP properly now
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 19:56:46 +02:00
raito
4c7943349b
fix(flake): bump channel-scripts to obtain the fixed rename
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 19:50:02 +02:00
raito
9a04ef909b
feat(nixpkgs): run oxidized channel scripts
We don't need weird Perl scripts where we are going. Here's a streaming
channel-scripts deployment with plenty of bells, including OTLP.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 19:32:23 +02:00
Ilya K
c1712dc1fa
Set up tempo
2024-08-31 15:05:30 +03:00
raito
8073ae6942
feat(s3-revproxy): tune the cache-control
Adopt the original values from the Perl script.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 00:52:13 +02:00
raito
c38e9b482f
feat(web): provide a directory listing via s3-revproxy
Thanks to Jade Lovelace who built all this machinery for Lix initially.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 00:29:18 +02:00
raito
9063138156
feat(secrets): add s3 reverse proxy API keys
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 00:19:49 +02:00
raito
322f10d9ae
feat(dns): add raw S3 reverse proxies domains for channel scripts
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 00:19:40 +02:00
Ilya K
bf7252c210
terraform/hydra: more nixpkgses now
2024-08-30 21:34:30 +03:00
raito
c969625b0f
fix(sniproxy): outside/inside of infra, the ingress IPs are different
In my infrastructure, the source node is 99::1, outside of my infra,
it's ::1.
All of this machinery was never really meant to be used on this scale,
so oopsie.
We should build our own sniproxy at some point.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-30 19:01:44 +02:00
raito
1b22c1f0ae
fix(hydra): proxy it over my sniproxy
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-30 18:34:35 +02:00