raito
daa99e83e8
fix(buildbot): add gerrit.lix.systems as known host
...
Otherwise, buildbot cannot listen to the stream of events.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:53:04 +02:00
raito
b56b8963a2
feat: introduce Buildbot multi-tenancy
...
This shares the same expression to deploy the Buildbot.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:28:29 +02:00
raito
76276a8da3
feat: add build01.aarch64.lix.systems
...
This is the first Lix machine we are enrolling in our infrastructure (!).
It's using all the previous commits to make it cozy with our current
infra style.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:10:28 +02:00
raito
7e205b16d0
feat(common/hardware/oracle-vm): enable systemd initrd
...
Let's minimize the amount of scripted initrd stuff if we can.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:10:28 +02:00
raito
8838709a95
fix(common/hardware/oracle-vm): forgotten virtio modules
...
Otherwise, the machine won't reboot because virtio-scsi is not available
in the initrd.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:10:04 +02:00
raito
002db9a78f
feat: introduce tenant-specific extra build capacity
...
At Lix, we have a few aarch64-linux and aarch64-darwin systems we use to
boost our CI.
This is a module to handle tenant-specific extra build capacity without
it leaking over the rest of the deployment.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:09:23 +02:00
raito
92560708b8
feat: multi-tenant secrets
...
Lix may have its own secrets and we want to maintain a certain
generalization level on the NixOS modules, so we can decorrelate which
secret we select dynamically by having a simple tenancy hierarchy
system.
This unfortunately requires rewriting all call sites with a floral
prefix until we migrate them to the simple internal secret module which
is aware of this.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
raito
3b6be269d6
feat: introduce Oracle VMs and Hetzner VMs as hardware types
...
This includes aarch64-linux variants for these hosters.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
raito
acaaad68bb
feat: introduce resource control over all machines
...
We were using it over all our machines in the Lix infrastructure.
It still makes sense for all our machines.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
raito
3c9b077bb2
feat: add more admin tools from lix infra
...
We had this in our equivalent file.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
raito
6d3e14ec27
feat: finer-grained ACLs for server accesses
...
In the process of adding multi-tenant infrastructure, it seems relevant
to add finer-grained ACLs.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-05 16:20:19 +02:00
raito
f321ab6450
users: add winterqt
...
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-09-28 21:09:06 +02:00
raito
9a04ef909b
feat(nixpkgs): run oxidized channel scripts
...
We don't need weird Perl scripts where we are going. Here's a streaming
channel-scripts deployment with plenty of bells, including OTLP.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 19:32:23 +02:00
raito
c969625b0f
fix(sniproxy): outside/inside of infra, the ingress IPs are different
...
In my infrastructure, the source node is 99::1; outside of my infra,
it's ::1.
All of this machinery was never really meant to be used on this scale,
so oopsie.
We should build our own sniproxy at some point.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-30 19:01:44 +02:00
raito
0eaaf860d1
feat(common): enable system wide diff in the activation output
...
This helps me to review what changes could be problematic in advance.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-23 20:43:00 +02:00
Pierre Bourdon
ce3a40671c
acme: make ToS and contact config common
2024-08-16 09:03:08 +02:00
Pierre Bourdon
50fadb45e2
common: define TZ in base server configs, remove heretical host-specific configuration
2024-08-13 22:38:40 +02:00
Pierre Bourdon
37bcb261ab
ssh-keys: add build-coord, rekey secrets
2024-08-13 22:36:30 +02:00
raito
3f2909dd8a
public-keys: add public01 SSH host key
...
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-13 19:15:05 +02:00
Yureka
b1c28cfc7c
bagel-cache.s3-web.delroth.net -> cache.forkos.org
2024-08-06 13:26:15 +02:00
Tom Hubrecht
8390caee53
users: Add thubrecht
2024-07-23 23:14:39 +02:00
hexchen
1b82c2f8fd
common/{admin,ssh-keys}: add hexchen
2024-07-23 23:07:12 +02:00
hexchen
26c5e56605
common/{admins,ssh-keys}: sort users
2024-07-23 23:06:17 +02:00
raito
56a04a6faf
buildbot: init
...
Reviewed-on: #68
2024-07-18 08:57:56 +00:00
raito
e00d0331ec
common/known-ssh-keys: init
...
Let's ensure that all our servers are aware of all host keys to avoid
host key verification issues when needed.
(example: buildbot → gerrit)
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-17 18:00:51 +02:00
raito
c3394264ba
hosts/buildbot: init
...
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-17 18:00:51 +02:00
raito
7789e9ce75
services/buildbot: init
...
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-17 18:00:51 +02:00
raito
81fc914d79
feat: change the default shell to zsh
...
Reviewed-on: #59
2024-07-17 12:56:45 +00:00
emily
ab9caaf520
systems: add git.forkos.org
2024-07-16 15:44:08 +02:00
emily
d4caf7b71a
admins: add emilylange
2024-07-16 15:43:58 +02:00
Janik Haag
af515792cc
admins: add janik
2024-07-13 01:10:39 +00:00
Janik Haag
bed5ef022f
change the default user shell to zsh
2024-07-12 19:50:34 +02:00
Yureka
329f267b02
enable nftables on all hosts
2024-07-11 02:05:35 +02:00
Pierre Bourdon
58325e30dd
common/nix: use bagel-cache by default
2024-07-10 18:17:30 +02:00
Pierre Bourdon
70e608a8f7
common: provide a pinned nixpkgs on all infra machines
2024-07-10 17:17:18 +02:00
Yureka
3cbdbc45f7
more quality of life improvements...
2024-07-10 15:54:30 +02:00
Ilya K
787b3af638
Add wob-vpn-gw key, rekey metrics push password for it
2024-07-10 15:13:05 +03:00
Ilya K
e608b92e4f
Add htop and btop to default machine config
2024-07-10 15:01:09 +03:00
Ilya K
9e7e6d42ab
Make nginx/loki/mimir go fast
2024-07-10 14:55:28 +03:00
Yureka
39d2352bbc
general quality of life improvements
2024-07-09 23:26:12 +00:00
Yureka
a7d21e96a0
add global hardening options
2024-07-09 23:26:12 +00:00
Pierre Bourdon
bc8ef7b5fc
ssh-keys: remove raito's key which is too NSA'd for agenix
2024-07-10 01:04:48 +02:00
Pierre Bourdon
61e8048445
sysadmin: remove pwru, does not build on latest nixpkgs
2024-07-10 01:01:27 +02:00
raito
f9f955214f
ssh-keys: add raito to secrets set
...
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-10 00:59:22 +02:00
Yureka
eb21cb6916
add baremetal builders
2024-07-10 00:35:01 +02:00
Yureka
c0e1d05b3c
admins: add yuka
2024-07-09 10:34:30 +02:00
raito
48579e8818
feat: add gdb to sysadmin tooling
...
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-08 22:10:06 +00:00
Luke Granger-Brown
d4e9dcc2a6
admins: provision lukegb
...
hello I can be trusted with your infrastructure
2024-07-08 21:55:41 +00:00
raito
e803c198c1
admins: provision jade
...
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-07 13:15:27 +00:00
raito
578e24e634
systems: add fodwatch.forkos.org
...
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-07 13:15:27 +00:00