1255 Commits (master)

Author SHA1 Message Date
q3k 9f0e1e88f1 cluster/clustercfg: rewrite it in Go
This replaces the old clustercfg script with a brand spanking new
mostly-equivalent Go reimplementation. But it's not exactly the same,
here are the differences:

 1. No cluster deployment logic anymore - we expect everyone to use ops/
    machine at this point.
 2. All certs/keys are Ed25519 and do not expire by default - but
    support for short-lived certificates is there, and is actually more
    generic and reusable. Currently it's only used for admincreds.
 3. Speaking of admincreds: the new admincreds automatically figure out
    your username.
 4. admincreds also doesn't shell out to kubectl anymore, and doesn't
    override your default context. The generated creds can live
    peacefully alongside your normal prodaccess creds.
 5. gencerts (the new nodestrap without deployment support) now
    automatically generates certs for all nodes, based on local Nix
    modules in ops/.
 6. No secretstore support. This will be changed once we rebuild
    secretstore in Go. For now users are expected to manually run
    secretstore sync on cluster/secrets.

Change-Id: Ida935f44e04fd933df125905eee10121ac078495
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1498
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-06-19 22:23:52 +00:00
q3k a03b60b310 go/workspace: implement EvalHscloudNix
This allows us to access hscloud nix 'facts' from Go.

Change-Id: Ic8fc3350a7d073947c44529fcae0bbb8627421aa
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1508
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-06-19 22:23:52 +00:00
informatic 8e22f6c7db hswaw/pretalx: config drift - remove cronjob
Change-Id: I829a80eeed162b654151dc85e467ced85e3fa6a0
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1513
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-06-19 21:20:53 +00:00
informatic 7e841065b0 *: post-certmanager manifests update
Change-Id: I745c850268c31777c5722a9833c8152a55615aed
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1512
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-06-19 21:20:44 +00:00
q3k 3dd3ff5dcd cluster/cert-manager: update to v1.5.0
Change-Id: I7a4cdadc9956141292302bc004d09d6e9e22855e
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1497
Reviewed-by: informatic <informatic@hackerspace.pl>
2023-05-26 10:38:16 +00:00
informatic 926252c871 app/matrix: synapse v1.79.0 update
Change-Id: I38a47615e7a2a212fe4d06c2e404a2ec1274a977
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1507
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-05-25 22:20:52 +00:00
informatic 05f20b206f matrix.hackerspace.pl: disable appservice workers
Change-Id: I12a971fc967f8a45b9b0c16ddb99b9955667da18
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1506
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-05-25 22:20:52 +00:00
informatic 6bd5d20073 app/matrix: use paths extracted directly from synapse docs for easier upgrades
Change-Id: Ife95ca0b6572074e225a0ba24a3e11d23b2d78a9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1505
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-05-25 22:20:52 +00:00
informatic b51cdcee68 shell.nix: fix python dependency on NixOS
hermetic python introduced in f21ca38 depends on libcrypt.so.1 which is
provided by libxcrypt

Change-Id: Iff6e34bb75320bb300811878eeb0b0bc95783697
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1504
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-05-25 22:20:52 +00:00
informatic 1e6ae55a94 app/matrix: bump element-web
Change-Id: I5a10fbaa055dce3759a3e0e559b731b279931abe
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1503
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-05-25 22:20:52 +00:00
informatic ad3cb5c2e0 app/matrix: adjust media repo config to one deployed in production
Change-Id: Iac32918a1051a676377e5c3cc3c4592959a48e19
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1502
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-05-25 22:20:52 +00:00
q3k ffdb97b7dd cluster/prodaccess: fix cert migration bug
Change-Id: I7426e60731b09c571aa7385f5213e998f04675a6
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1510
Reviewed-by: ironbound <ironbound@hackerspace.pl>
2023-04-14 08:13:39 +00:00
q3k 0aa2910d00 hswaw/capacifier: rewrite it in go
This reimplements capacifier, one of the earliest
just-some-flask-code-on-boston-packets services, in Go.

It's a minimum reimplementation, as this service is generally deprecated
- but some stuff still depends on it. So we do away with capacifier v0's
bespoke rule language and just hardcode everything. It's not like any of
these rules ever changed, anyway.

This is not yet deployed.

Change-Id: Id65ef92784a524c32ae5223cd5460736ac683116
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1509
Reviewed-by: ironbound <ironbound@hackerspace.pl>
2023-04-07 18:15:11 +00:00
implr 90cf314d1e bgpwtf: cloudflare: remove password
Seems like they aren't actually setting it on their end.

Change-Id: Ia751cd1560196ae44be15f759681dd9d679370da
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1485
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-04-01 16:57:18 +00:00
q3k 57df027f28 cluster/kube: add k0-cert-manager.jsonnet view
Change-Id: I4d008839f6d6190d0d88fd3fff44974c4f2db2c0
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1499
Reviewed-by: implr <implr@hackerspace.pl>
2023-04-01 14:58:50 +00:00
q3k 9251121fa9 cluster/certs: remove old kube CA
This completes the migration away from the old CA/cert infrastructure.

The tool which was used to generate all these certs will come next. It's
effectively a reimplementation of clustercfg in Go.

We also removed the unused kube-serviceaccounts cert, which was
generated by the old tooling for no good reason (we only need a key for
service accounts, not an actual cert...).

Change-Id: Ied9e5d8fc90c64a6b4b9fdd20c33981410c884b4
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1501
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-04-01 13:55:18 +00:00
q3k bdf2fa326f cluster/certs: finish replacing all CAs
This finishes the regeneration of all cluster CAs/certs to be never
expiring ED25519 certs.

We still have leftovers of the old Kube CA (and it's still being
accepted in Kubernetes components). Cleaning that up is the next step.

Change-Id: I883f94fd8cef3e3b5feefdf56ee106e462bb04a9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1500
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-04-01 13:55:14 +00:00
q3k 989dfa3183 cluster/kube: add k0-prodvider.jsonnet view
Change-Id: I170fbef3008f906c26ed79387858c3c1e4e2e10c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1496
Reviewed-by: implr <implr@hackerspace.pl>
2023-04-01 13:54:49 +00:00
q3k 6f0d852568 radio: allow setting master username/password
Change-Id: I30a99fbbf11da7dded48504b1689ef6e290e73fa
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1494
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-04-01 11:26:11 +00:00
q3k 7572f0790c k0: add disks
Already deployed, now rebalancing.

Change-Id: I536a063bc346effd07a1700aeffe598cc35f6f7a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1493
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-04-01 11:21:54 +00:00
q3k e35199ad9b shell.nix: add libxcrypt (needed for some python junk)
Change-Id: Ie094aa06669c82018708534eea58a161f89f8742
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1492
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-04-01 11:19:20 +00:00
q3k 073d850a95 cluster/prodvider: redeploy
Change-Id: I7a6cce06bb7c2f495d5354d3a2bebef64e307e42
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1491
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-04-01 11:18:25 +00:00
q3k bbc5a43d77 cluster: move kubernetes services to temporary CA bundle
This is already deployed, and it allows Kubernetes components
(temporary) freedom to use the old or new CA cert.

Change-Id: I8ac7f773a333c30fa22902b8edc327c0c700a482
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1490
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-31 22:53:59 +00:00
q3k 3a6d67e0c4 cluster/prodvider: rewrite against x509 lib for ed25519 support
This gets rid of cfssl for the kubernetes bits of prodvider, instead
using plain crypto/x509. This also allows to support our new fancy
ED25519 CA.

Change-Id: If677b3f4523014f56ea802b87499d1c0eb6d92e9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1489
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-31 22:53:59 +00:00
q3k 777aab92a9 cluster/prodaccess: use new kube CA cert
Change-Id: I1bff03008a4a212ad93e5eaa112adaa2b0cad3e7
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1488
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-31 22:53:59 +00:00
q3k a4f8a459b9 cluster: partial cert bump
Done:

 1. etcd peer CA & certs
 2. etcd client CA & certs
 3. kube CA (currently all components set to accept both new and old CA,
    new CA called ca-kube-new)
 4. kube apiserver
 5. kubelet & kube-proxy
 6. prodvider intermediate

TODO:

 1. kubernetes controller-manager & kubernetes scheduler
 2. kubefront CA
 3. admitomatic?
 4. undo bundle on kube CA components to fully transition away from old
    CA

Change-Id: If529eeaed9a6a2063bed23c9d81c57b36b9a0115
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1487
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-31 22:53:59 +00:00
q3k f6e6abb0f5 ops: repin cluster machines to older nixpkgs checkout
Change-Id: I592c689e33d81c131d389d87153900165aac19e5
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1486
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-31 22:53:59 +00:00
vuko a5dd6d5338 hswaw/customs: fix openvpn member auth
Change-Id: I3f29d45563772d9bf90aa107ee4e90dc86435123
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1458
Reviewed-by: informatic <informatic@hackerspace.pl>
2023-03-31 19:33:26 +00:00
vuko ca6dba9902 hswaw/customs: send cron mails to both
Change-Id: I9776ee7eadc77f8bddf09eee7dee6331f9088c29
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1457
Reviewed-by: informatic <informatic@hackerspace.pl>
2023-03-31 19:33:17 +00:00
vuko 3125aa1186 hswaw/customs: improve unbound config
Change-Id: Ic616033897b87f692ee92a106b417423a09d630b
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1456
Reviewed-by: informatic <informatic@hackerspace.pl>
2023-03-31 19:33:17 +00:00
vuko ee8f1d5e2c hswaw/customs: disable DynamicUser for dhcpd / checkinator
Change-Id: I9c7feccf8eb908bf3808afb2ffc5adac50d7abd9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1455
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-31 19:33:17 +00:00
implr 779727b39e machines/bc01n05: postgres: auth, hba, more ram
Change-Id: Id10b97efa3588a2a9147a349391da559e6cce7e5
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1482
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-28 21:22:50 +00:00
q3k f262868753 matrix.hackerspace.pl: use external postgres
Change-Id: Ie0bb76a4200f905bfd0c065cde81283271f8397a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1483
Reviewed-by: informatic <informatic@hackerspace.pl>
2023-03-28 20:33:26 +00:00
implr 26a7f5bb56 bgpwtf: peer with cloudflare
Change-Id: I00d040d56610b965d03d5af5cf7f17a5ea7f7b2d
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1484
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-28 17:12:52 +00:00
implr 3b0887397a machines/bc01n05: postgres tuning
Change-Id: I30925a84216b45bde9e92b67b007f15b2cdf58e8
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1481
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-26 12:16:20 +00:00
implr 821b839b16 machines/bc01n05: zfsify; initial postgres
Change-Id: I355ac4aa3c56a1e6a564b7a3c7cfc4e67b072dae
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1470
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-11 21:33:14 +00:00
implr 3320155d23 cluster/machines/base: enable microcode loading
This will happen at next boot via early microcode - no risk to currently
running processes.

Change-Id: I88553fa9a1350ebb80aaf978e29e8f1156783a2c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1469
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-11 21:33:05 +00:00
patryk 98604701ab bgpwtf: customer cleanup
Change-Id: Idb2e66a1d75d713fc3c73cc9af41d66883bf6366
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1472
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-10 21:15:55 +00:00
q3k 8f0842341a ops: repin edge01.waw to old nixpkgs
We accidentally bumped nixpkgs at https://gerrit.hackerspace.pl/1441 and
forgot to upgrade it. We don't wanna upgrade it right now.

This doesn't give us back a zero-diff, but it's close enough.

Change-Id: I1a9f50df88e564cd4de76f67adfaa1e88a746f2e
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1471
Reviewed-by: patryk <patryk@hackerspace.pl>
2023-03-10 20:17:15 +00:00
q3k 712a5dc3e3 cluster: add bc01n05.hswaw.net
This will be our postgres pet machine.

Change-Id: Ifff6648394ca6407fb5b5daa853f4abc42541703
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1467
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-04 22:26:46 +00:00
q3k 3a9562ecfd cluster: k0: remove native ceph
After installing HBJ11s and spreading out the mons we're going full
Rook.

Change-Id: Ia00cbe953548f06cf27343371fc67890619c8262
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1466
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-04 22:26:39 +00:00
q3k ef3aab6a14 k0: host os bump wip
This bumps it on bc01n01, but nowhere else yet.

We have to vendor some more kubelet bits unfortunately.

Change-Id: Ifb169dd9c2c19d60f88d946d065d4446141601b1
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1465
Reviewed-by: implr <implr@hackerspace.pl>
2023-03-04 22:26:14 +00:00
implr 45394bf3b0 app/matrix: enable wal=logical for postgres, add tmp mount
This is quite hacky, but we intend to remove that postgres soon anyway.
The changes to synapse's resource limits are to reflect current state of
prod.

Change-Id: Ic7beaa3e7ee378c0e10ba24f9a5a3aee67c2ccf2
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1468
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-01 20:38:24 +00:00
implr 0156ab24ca cluster/kube/k0: remove implr-spark bucket, add implr bucket
the spark one has been an abandoned experiment from years ago, and
I could use a personal one right now

Change-Id: I78a706c3371d441b2f8460fd796d0cfd9a198cc6
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1464
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-02-26 16:41:23 +00:00
implr f21ca388ba WORKSPACE: rules_python->0.13; switch to hermetic interpreter
Change-Id: I0145f9db6a71fa9080b166dd75ff2c1b93e2b241
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1462
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-02-19 17:12:35 +00:00
implr 0173f501d7 cockroach: v20.2 -> v21.1
Following https://www.cockroachlabs.com/docs/v21.1/upgrade-cockroach-version?filters=linux
--logtostderr is deprecated/removed, but AFAICT from the default config
it will still log there: https://www.cockroachlabs.com/docs/v21.1/configure-logs#default-logging-configuration

Change-Id: I7fb3f835693f955b37de24dc581140ea34b11630
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1461
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-01-30 21:16:42 +00:00
vuko 9836999652 allow passing system to default.nix
This is needed to use hscloud in builds invoked from flakes.

Change-Id: I7551b97dfeedb9399866cd2c16cc573ee60359cc
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1452
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-01-29 16:22:37 +00:00
vuko aa077968f9 hswaw/customs: hotfix laserproxy build by using old hscloud
Change-Id: I5a00d138ed7e5080e55997912413bf2f776cd295
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1451
Reviewed-by: vuko <vuko@hackerspace.pl>
2023-01-29 16:22:37 +00:00
vuko 32624090e4 hswaw/customs use ip address in spejsiot proxy
Change-Id: I2148783d9470c09234feaa59e935606bdb21f6f4
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1450
Reviewed-by: vuko <vuko@hackerspace.pl>
2023-01-29 16:22:37 +00:00
vuko 740a52dec9 hswaw/customs: fix warnings after nixpkgs update
Change-Id: I4d62e8fa73f16dbb51a1cacfa1bc70183b6bff2d
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1449
Reviewed-by: vuko <vuko@hackerspace.pl>
2023-01-29 16:22:37 +00:00