Pierre Bourdon
c33326f836
hydra: switch to using mTLS instead of local peer auth
2024-08-16 08:19:18 +02:00
Pierre Bourdon
0dd333c573
postgres: add mTLS support
...
New client certs can be minted via the provided script, which is meant
to be run on the postgres server (where the CA private key is
conveniently deployed).
2024-08-16 07:59:12 +02:00
Pierre Bourdon
e7f25d6ee2
tf/gandi: add a postgres CNAME to bagel-box
2024-08-16 07:34:55 +02:00
Pierre Bourdon
29babfc5c4
Revert "Partial revert "Add Grapevine Matrix server and matrix-hookshot""
...
This reverts commit 17c342b33e.
Grapevine's use of IFD was fixed upstream.
2024-08-15 16:22:22 +02:00
Pierre Bourdon
50fadb45e2
common: define TZ in base server configs, remove heretical host-specific configuration
2024-08-13 22:38:40 +02:00
Pierre Bourdon
37bcb261ab
ssh-keys: add build-coord, rekey secrets
2024-08-13 22:36:30 +02:00
Pierre Bourdon
5dd9ad553c
build-coord: add initial config
2024-08-13 22:36:30 +02:00
raito
3f2909dd8a
public-keys: add public01 SSH host key
...
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-13 19:15:05 +02:00
Pierre Bourdon
90325344a3
Reserve builder-11 for build coordination, rename to build-coord
2024-08-13 19:12:36 +02:00
Pierre Bourdon
5ace7a63d8
forgejo: base on forgejo-lts since forgejo got bumped to a new master in nixpkgs
2024-08-13 01:50:19 +02:00
Pierre Bourdon
434def3337
flake.lock: Update
...
Flake lock file updates:
• Updated input 'agenix':
'github:ryantm/agenix/de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6' (2024-07-09)
→ 'github:ryantm/agenix/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41' (2024-08-10)
• Updated input 'hydra':
'git+https://git.lix.systems/lix-project/hydra.git?ref=refs/heads/main&rev=4b107e6ff36bd89958fba36e0fe0340903e7cd13' (2024-07-22)
→ 'git+https://git.lix.systems/lix-project/hydra.git?ref=refs/heads/main&rev=f1b552ecbf2d011cd4fdb93d7d117388ab9c0027' (2024-08-12)
• Updated input 'hydra/lix':
'git+https://git.lix.systems/lix-project/lix?ref=refs/heads/main&rev=6b4d46e9e0e1dd80e0977684ab20d14bcd1a6bc3' (2024-07-16)
→ 'git+https://git.lix.systems/lix-project/lix?ref=refs/heads/main&rev=5137cea99044d54337e439510a647743110b2d7d' (2024-08-10)
• Updated input 'hydra/lix/nix2container':
'github:nlewo/nix2container/20aad300c925639d5d6cbe30013c8357ce9f2a2e' (2024-04-13)
→ 'github:nlewo/nix2container/3853e5caf9ad24103b13aa6e0e8bcebb47649fe4' (2024-07-10)
• Updated input 'hydra/lix/pre-commit-hooks':
'github:cachix/git-hooks.nix/e35aed5fda3cc79f88ed7f1795021e559582093a' (2024-04-02)
→ 'github:cachix/git-hooks.nix/f451c19376071a90d8c58ab1a953c6e9840527fd' (2024-07-15)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/9355fa86e6f27422963132c2c9aeedb0fb963d93' (2024-07-16)
→ 'github:NixOS/nixpkgs/154bcb95ad51bc257c2ce4043a725de6ca700ef6' (2024-08-09)
2024-08-13 01:11:38 +02:00
Pierre Bourdon
8b1ade5580
Revert "update hydra"
...
This reverts commit f7907a2915.
We develop straight on lix-project/hydra, as discussed a few times on
the Lix development channel.
2024-08-13 01:11:31 +02:00
Pierre Bourdon
42b3977e8f
flake: remove an extra nixpkgs lying around
2024-08-13 00:38:51 +02:00
Pierre Bourdon
17c342b33e
Partial revert "Add Grapevine Matrix server and matrix-hookshot"
...
This partially reverts commit d2f3ca5624.
Said commit requires IFD to eval, which is generally unwanted, and is
currently forbidden on Hydra (imo: rightfully so, we should try to
properly separate evals from builds).
The services/ file for grapevine is kept but will not work without the
flake.nix change reapplied.
2024-08-13 00:35:10 +02:00
Pierre Bourdon
ca904d7b4e
tf: use tf.ref instead of config.resource.* when dependencies matter
...
Using config.resource.* gets interpolated by Nix, whereas tf.ref gets
interpolated by Terraform. The latter ends up generating implicit
dependencies between resources.
In practice, the lack of dependencies was only showing up when creating
a new Hydra project + jobset at the same time - the concurrent /
misordered creation sometimes required two different TF applications to
create first the project then the jobset (the first application would
end up with a failure).
2024-08-12 19:36:50 +02:00
raito
84efd0976d
feat(alerts): add a sync failed too often alert
...
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-09 16:25:34 +02:00
raito
e2f5a7b0e4
feat(alerts): add basic postgresql alerts
...
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-09 16:06:34 +02:00
raito
7388de79c4
feat(alerts): add some basic "host & hardware" alerts
...
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-09 16:06:34 +02:00
Ilya K
f8cad42b5c
Set up alertmanager-hookshot-adapter
2024-08-09 14:03:56 +00:00
Ilya K
9ad279a505
Set up admins + DNS for hookshot
2024-08-09 14:03:56 +00:00
Ilya K
d2f3ca5624
Add Grapevine Matrix server and matrix-hookshot
...
It doesn't want to work.
2024-08-09 14:03:56 +00:00
Yureka
d635042e57
adjust timer for staging sync services
2024-08-08 15:22:44 +02:00
Yureka
b6375b8294
add staging sync services
2024-08-08 15:16:04 +02:00
Yureka
420e6915df
You have divergent branches and need to specify how to reconcile them
2024-08-08 10:39:00 +02:00
Yureka
dbb4e03292
Revert "builders: direct buildbot to /mnt store via ForceCommand"
...
This reverts commit dfd48f2179.
2024-08-08 10:37:42 +02:00
Yureka
cd0621ba55
builders/netboot: add separate firmware_part output
2024-08-06 13:26:51 +02:00
Yureka
dfd48f2179
builders: direct buildbot to /mnt store via ForceCommand
2024-08-06 13:26:35 +02:00
Yureka
b1c28cfc7c
bagel-cache.s3-web.delroth.net -> cache.forkos.org
2024-08-06 13:26:15 +02:00
Yureka
a69750b495
update buildbot-nix
2024-08-06 13:26:01 +02:00
Yureka
77ff556583
builders: fix provisioning of ssh hostkeys
2024-08-05 08:18:20 +02:00
Yureka
fe3cb577c1
fix eval
2024-08-05 07:20:59 +02:00
Yureka
20fc4c8f96
builders: move provisioning of ssh hostkeys to a systemd service
...
at first activation it does not yet have a working network setup
2024-08-05 07:17:45 +02:00
Yureka
bce44930b1
builders: provision ssh hostkeys on boot
2024-08-04 18:12:02 +02:00
Yureka
27d66d390e
update iusb-spoof and start service on boot
2024-08-03 23:38:21 +02:00
Yureka
79dea0686b
add 'notipxe' netboot loader based on systemd-initrd + u-root
2024-08-03 20:28:57 +02:00
Yureka
aeb8102ae4
builders: do not mount / and /boot on netboot systems
2024-08-03 20:01:39 +02:00
Yureka
830dcbf6bc
builders: do not mount / and /boot on netboot systems
2024-08-03 18:41:01 +02:00
Yureka
f7907a2915
update hydra
2024-08-03 18:40:25 +02:00
Yureka
93822775a9
baremetal-builders: do not create swapfile on rootfs when netbooting
2024-08-03 18:10:59 +02:00
Yureka
dd028656ac
builders: fix serial console
2024-08-02 13:21:04 +02:00
Yureka
88317d099c
attempt to fix netboot hydra jobs
2024-08-02 01:05:20 +02:00
Yureka
1cbf286f18
build netboot files from hydra
2024-08-01 22:47:25 +02:00
Yureka
6dc424dd43
wob01: serve an ipxe over iusb-spoof
2024-08-01 22:16:48 +02:00
Yureka
504a443acc
adjust hydra-gc numbers
...
we want to see how garbage collection would behave on a 480GB drive
2024-07-31 23:44:08 +02:00
emily
96d58bbd41
forgejo: disable users explore page
...
This was requested and should make it a decent bit more difficult to get
a somewhat complete list of users on this instance.
We are, however, aware of other endpoints that can be used to get to a
similar result. Those just aren't as convenient nor obvious.
https://forgejo.org/docs/latest/admin/config-cheat-sheet/#service---explore-serviceexplore
2024-07-31 01:42:05 +02:00
Yureka
5154906aac
fix eval in assignments.nix
2024-07-30 17:23:54 +02:00
Yureka
f3828368e6
hydra: set reasonable max-jobs and cores
2024-07-30 17:03:12 +02:00
Yureka
314f1cb363
fix buildbot-nix reference
...
accidentally committed the lockfile which points to my local checkout
2024-07-30 14:02:26 +02:00
Yureka
4e2d21930f
baremetal-builders: detect percent_filled for the correct partition
2024-07-30 13:59:46 +02:00
Yureka
dd81b78f7a
add nixos-main jobset
2024-07-28 23:40:36 +02:00