Commit Graph

1255 Commits (master)

Author SHA1 Message Date
vuko e8a5d8f1fc hswaw/customs: fix laserproxy startup dependencies
fixes https://issues.hackerspace.pl/issues/60

Change-Id: I3601d03898555a0299e6530ca1dee9127a19f1ef
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1326
Reviewed-by: q3k <q3k@hackerspace.pl>
Reviewed-by: informatic <informatic@hackerspace.pl>
2022-06-26 22:10:00 +00:00
informatic 7ad415f7fb hswaw/paperless: initial deployment
Change-Id: Ie6fb0df0bfa047e4fd561c6de8b26ab0fbebbcb8
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1305
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-06-19 12:13:21 +00:00
q3k 437b0c335f rook: fix benji
This unforks benji back into upstream. The old fork didn't support a new
authentication method on Ceph, and we don't have multiple clusters
anymore (so we don't need the functionality of the fork).

Change-Id: Ie79313b2321ca2e22ad2874b75a71385af95105f
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1321
Reviewed-by: informatic <informatic@hackerspace.pl>
2022-06-19 11:49:12 +00:00
q3k 8e439ed8e3 shell: add vim, openssh (hermeticity)
Change-Id: I846b5e2d3f93159a149d694a40d21f22d4fccddc
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1323
Reviewed-by: informatic <informatic@hackerspace.pl>
2022-06-19 11:48:57 +00:00
q3k 55a486ae49 cluster: refactor nix machinery to fit //ops
This is a chonky refactor that gets rid of the previous cluster-centric
defs-* plain nix file setup.

Now, nodes are configured individually in plain nixos modules, and are
provided a view of all other nodes in the 'machines' attribute. Cluster
logic is moved into modules which inspect this array to find other nodes
within the same cluster.

Kubernetes options are not fully clusterified yet (i.e., they are still
hardcoded to only provide the 'k0' cluster) but that can be fixed later.
The Ceph machinery is a good example of how that can be done.

The new NixOS configs are zero-diff against prod. While this is done
mostly by keeping the logic, we had to keep a few newly discovered
'bugs' around by adding some temporary options which keep things as they
are. These will be removed in a future CL, then introducing a diff (but
no functional changes, hopefully).

We also remove the nix eval from clustercfg as it was not used anymore
(basically since we refactored certs at some point).

Change-Id: Id79772a96249b0e6344046f96f9c2cb481c4e1f4
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1322
Reviewed-by: informatic <informatic@hackerspace.pl>
2022-06-19 11:48:52 +00:00
informatic 1da87e5209 app/matrix: bump appservice-irc
Change-Id: I70d856125754b3ffab556c7f264616471bfdd47f
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1306
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-06-19 08:47:09 +00:00
q3k b0e3693c0e cluster/kube: calico: fix etcd endpoints
Change-Id: Ia93d355ca343fa5a42ec37fbcae9135cb5304f6e
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1285
Reviewed-by: implr <implr@hackerspace.pl>
2022-06-11 19:00:52 +00:00
implr 0544d27c04 tools, cluster/tools: bazel5 compat: remove unused import
Change-Id: I8b264a6c36e4d0f1535f38ad1f41495e62061f26
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1308
Reviewed-by: daz <daz@hackerspace.pl>
2022-06-04 19:56:40 +00:00
informatic a13208bf9b ops/sso: bump to latest version, roll out RSA JWT signing
Bump to:
https://code.hackerspace.pl/informatic/sso-v2/commit/?id=682322c98063c596d2e46f1e7844551c5a7226db

This introduces (and enables) support for RSA id_tokens (that are
required by oauth2_proxy for example) and fixes/improves handling of
non-active members.

Change-Id: Ia7d5e5ca7a2769f11f6190add78114e3b6141c6e
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1304
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-05-01 08:17:57 +00:00
informatic 7d0e56cba7 app/matrix: remove stream writer endpoints from generic worker
Change-Id: I93dc263f00becceb1428da99161b883a23a1f027
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1303
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-05-01 08:17:57 +00:00
informatic 5ff2ccf5df app/matrix: force non-id_token flow to fix SSO
Presence of id_token in IDP token response causes synapse to demand
jwks_uri to be present in config/metadata. (login flow failing with
<<Missing "jwks_uri" in metadata>> message)
This behaviour was introduced somewhere between 1.42.0 and 1.56.0.

This is currently not set up correctly on sso.hackerspace.pl (we hand
out hs256 tokens instead of proper rsa ones) so this change will make it
fall back to non-oidc/plain oauth2 flow.

Change-Id: I4ff8aa175b4f0bbdcb3ee993b7cbd4545eac561a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1302
Reviewed-by: informatic <informatic@hackerspace.pl>
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-05-01 08:17:57 +00:00
mlen 8bd24f4a96 Enable Matrix message thread support.
This change enables experimental message threading support and upgrades
Synapse and Element to their latest stable versions.

Change-Id: I68334982168ffdac98a1602a157be727b04e58d6
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1286
Reviewed-by: informatic <informatic@hackerspace.pl>
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-05-01 08:17:57 +00:00
informatic 529e181497 app/matrix: appservice workers
This change extracts appservice workers (deployed and tested) and prepares for
federation sender workers extraction (still partially broken)

Change-Id: I2d63fe44538ea2a7c5fd492f6ce119bc35a9eb03
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1101
Reviewed-by: informatic <informatic@hackerspace.pl>
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-05-01 08:17:57 +00:00
informatic 45e4fecf2e shell: improve hermeticity
* Add some missing tools and ssl cert bundles to fix builds when using
nix-shell --pure
* Replaced broken //tools:install with direct bazel build in shell.nix
initialization to prevent cache thrashing
* Added fontconfig file with roboto font for use in wkhtmltopdf

Change-Id: I062380df5f1d83a0fb2df8ca172f362fff9ecf8e
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1301
Reviewed-by: q3k <q3k@hackerspace.pl>
Reviewed-by: pl <pl@hackerspace.pl>
2022-05-01 08:17:57 +00:00
informatic 497870680e app/onlyoffice: bump to v7.0.0.132
Change-Id: I5c75d92126352bd185935125af04f51d4b91acc3
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1261
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-04-27 00:18:05 +00:00
q3k d584e76ea3 cluster/clustercfg: fix for nix 2.4
Change-Id: I3f9ebd895495a23ec179ccd237389e8f3e531768
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1284
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-04-04 17:51:44 +00:00
q3k 2ada80423a tools/hscloud/lib.py: fix newlines sneaking in
Change-Id: Iacf956c80486596f02efd901c48f4571f0a76adf
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1283
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-04-04 17:51:44 +00:00
q3k 42c17872fd cluster/certs: bump certs
Change-Id: I549364c050a96f72859886e6b724e07924ee3964
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1282
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-04-04 17:51:44 +00:00
vuko 4306994b4e hswaw/checkinator: convert timestamp to browsers timezone
Change-Id: Ib7439269bf13de530a5f170bf231f89d815b0f3e
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1246
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-03-10 18:33:42 +00:00
vuko 2afcbddf6a hswaw/checkinator: update README
Change-Id: Ib3c92c1b707d9effe566e219cc5d65d850a91ab3
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1241
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-03-07 11:52:33 +00:00
vuko bd124bd066 hswaw/machines/customs: import checkinator via hscloud namespace
Change-Id: I4586c92af4126ec1f1d0d1a1aa2d9dc5c84dec44
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1220
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-03-07 11:52:17 +00:00
implr 54a34b24a1 cluster/k0: ceph: add tape staging
Change-Id: I7fdba86b15f92157888850d2905440b45fb36f17
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1263
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-03-05 22:45:29 +00:00
vuko 3cd087d939 check in checkinator into hswaw/checkinator
repository: https://code.hackerspace.pl/checkinator
revision: 713c7e6c1a8fd6147522c1a5e3067898a1d8bf7a

Change-Id: I1bd2975a46ec0d9a89d6594fb4b9d49832001627
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1219
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-03-02 23:11:05 +00:00
vuko 5319e611b2 hswaw/laserproxy: update deps hash
Change-Id: I1515cf596b9e0f6038ec8c3cc0bcb6f90f77783e
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1245
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-03-02 23:08:22 +00:00
patryk d0a0b18e54 cluster: allow namespace admins to access certificate resources
Change-Id: I532dadfe1799da43d12598e388141f8f9a3872de
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1250
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-02-05 15:08:47 +00:00
q3k f642e86724 hswaw/site: bump base image, deploy
Change-Id: Iebe3cbcdb7b10fc125b34d5121e708a538c5d85c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1252
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-02-01 09:46:42 +00:00
q3k 19c8b60a42 hswaw/site: mirror google fonts
More privacy more better.

Change-Id: I2186a3ee47f72e4a8c3e52a45c15727da0a6a9c4
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1251
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-02-01 09:38:54 +00:00
ar f92437451c hswaw/site: spaceapi: make the open state depend on members presence
Change-Id: Ibe5b25a989b06f757a696fc2c325695b6ad9d158
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1248
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-01-25 14:52:07 +00:00
implr 523df5c235 personal/implr: vpn.curs: add anthracite
Change-Id: I5403b89b38e9c1706d8da1ba61085fb5cc0833d3
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1247
2021-12-28 21:11:54 +00:00
ironbound e7c8509d48 bump factorio version
Change-Id: I027d45b843b33fe963008b90a5d1c024ecef4e71
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1205
Reviewed-by: ironbound <ironbound@hackerspace.pl>
Reviewed-by: lquawl <lquawl@hackerspace.pl>
Reviewed-by: q3k <q3k@hackerspace.pl>
2021-12-26 10:26:04 +00:00
q3k 5edcf58b8c games/valheim: fix startup, add second server
Change-Id: I7621eb42ee68ff25c0a69b29d4dc1728ce95cd42
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1204
Reviewed-by: q3k <q3k@hackerspace.pl>
2021-12-13 22:30:46 +00:00
q3k f157fbfb08 openrct2: new map
Change-Id: If8130391e17b87aa4396983d3aefa43c477a4f55
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1203
2021-12-13 22:30:46 +00:00
q3k bdd403c587 cluster: k0: move cockroachdb away from bc01n01, fixup joins
Reminded by a power failure on bc01n0{1,2}, we migrate away from at
least one of them into another server.

We also fix up the startup join parameter to not include the node itself
(which is not necessary, but a nice thing to have nonetheless).

Since bc01n01 was the initial node of the cluster, we also disable the
init job for k0 (which we don't care about anyway).

Change-Id: I3406471c0f9542e9d802d39138e400b5a5e74794
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1176
Reviewed-by: q3k <q3k@hackerspace.pl>
2021-12-13 22:30:46 +00:00
q3k 8469691645 bgpwtf: edge01: new customer
Change-Id: I9b871370e310a98848c8266658b17fef17b61011
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1202
Reviewed-by: q3k <q3k@hackerspace.pl>
2021-12-13 22:30:46 +00:00
q3k d602c28df6 bgpwtf: fixup ssh problems
This makes our routers less likely to reject connections when they're
being bruteforced: first, by disabling password auth (which we don't
use, anyway), second by making connection limits a bit less draconian.

Change-Id: I4e1e3b0be85dd5ad07a10610ca28a6f094249d8c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1174
Reviewed-by: q3k <q3k@hackerspace.pl>
Reviewed-by: implr <implr@hackerspace.pl>
2021-12-13 22:30:46 +00:00
q3k 82fc1318e2 bgpwtf: edge01: repurpose wireguard tunnel for fmt
Change-Id: Ib36048a83641b62210ad0d63b7b7ecda999da542
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1201
Reviewed-by: q3k <q3k@hackerspace.pl>
2021-12-13 22:30:46 +00:00
q3k 767f031898 bgpwtf: fix edge01 DNS blackholing
The grapevine says that people were being fined for not supporting a
punycode domain. This was broken in rsh-unbound, so I had to fix it. I
then also realized we never were reloading unbound, so some changes
might've been slow to propagate.

Change-Id: Ie461a2ba27b5f447654a70f56bd73d3732b256ee
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1180
Reviewed-by: q3k <q3k@hackerspace.pl>
2021-12-08 14:12:07 +00:00
q3k b754fee4e3 bgpwtf: edge01.waw: add new customer network
Change-Id: I057a93d543694300483f690598380329782f2876
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1175
Reviewed-by: q3k <q3k@hackerspace.pl>
2021-12-08 14:12:07 +00:00
implr eca1e080d7 calico: restore CNI_NET_DIR
Change-Id: I04e17f8639505f5b7cc42e86392abc175b7922db
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1178
Reviewed-by: q3k <q3k@hackerspace.pl>
2021-12-03 03:10:13 +00:00
implr 12f176c1eb calico 3.14 -> 1.15
Change-Id: I9eceaf26017e483235b97c8d08717d2750fabe25
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/995
Reviewed-by: q3k <q3k@hackerspace.pl>
2021-11-20 22:12:52 +00:00
noisersup e999b4f726 personal: Critical fix
Change-Id: If7e6d2db8d99e62b7be64b7e06b69f3e767b7410
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1177
2021-11-15 21:05:10 +00:00
q3k 81fc7d8f0d *: gazelle: switch back to go_default_library convention
Change-Id: I888c2aa1b108b3e9845072ae7670d9db77e97c8f
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1173
Reviewed-by: q3k <q3k@hackerspace.pl>
2021-10-28 23:40:46 +00:00
informatic 6c69fcdbc9 hswaw/machines/customs: rework checkinator build
Change-Id: I4ec569c5966f65f46f48a3707842a1fe9d483e16
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1171
Reviewed-by: informatic <informatic@hackerspace.pl>
2021-10-20 20:58:16 +00:00
informatic 6f6187c61c hswaw/machines/customs: unpin hscloud/nixpkgs in certain modules
Change-Id: I1c02a485b76955e3de3859fca4d6c7e8e69ef09b
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1170
Reviewed-by: informatic <informatic@hackerspace.pl>
2021-10-20 20:58:16 +00:00
informatic b6bc3e69b9 hswaw/machines/customs: upgrade to workspace nixos-unstable 2021-08-11
Change-Id: I6eb4408d40e14f24ebbe3f9f3aef0be952b44e8b
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1167
Reviewed-by: vuko <vuko@hackerspace.pl>
2021-10-20 20:58:16 +00:00
informatic a01905ae64 hswaw/machines/customs: check in code.hackerspace.pl/vuko/customs
Change-Id: Ic698cce2ef0060a54b195cf90574696b8be1eb0f
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1162
Reviewed-by: informatic <informatic@hackerspace.pl>
2021-10-20 20:58:16 +00:00
q3k 0f8e5a2132 *: do not require env.sh
This removes the need to source env.{sh,fish} when working with hscloud.

This is done by:

 1. Implementing a Go library to reliably detect the location of the
    active hscloud checkout. That in turn is enabled by
    BUILD_WORKSPACE_DIRECTORY being now a thing in Bazel.
 2. Creating a tool `hscloud`, with a command `hscloud workspace` that
    returns the workspace path.
 3. Wrapping this tool to be accessible from Python and Bash.
 4. Bumping all users of hscloud_root to use either the Go library or
    one of the two implemented wrappers.

We also drive-by replace tools/install.sh to be a proper sh_binary, and
make it yell at people if it isn't being run as `bazel run
//tools:install`.

Finally, we also drive-by delete cluster/tools/nixops.sh which was never used.

Change-Id: I7873714319bfc38bbb930b05baa605c5aa36470a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1169
Reviewed-by: informatic <informatic@hackerspace.pl>
2021-10-17 21:21:58 +00:00
informatic 20c6bcb730 hswaw/laserproxy: limit nix rebuilds
Change-Id: I6d8208b46524adf6542a1164910f3b7818f47910
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1168
Reviewed-by: q3k <q3k@hackerspace.pl>
2021-10-17 20:15:49 +00:00
informatic 9a89343985 hswaw/ldapweb: bump version
This release removes Let's Encrypt DST Root CA X3 pinning and adds
dynamic secret key generation.

Deployed to production on 2021/10/09

Change-Id: I2b88dc9ab6b67d1c3af277d673702c6a1b3188db
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1161
Reviewed-by: q3k <q3k@hackerspace.pl>
2021-10-16 22:57:57 +00:00
q3k f3e6f8f3d7 ci_presubmit: don't rely on tools/install.sh and hscloud_root
Let's make things simpler and just build/run stuff that we deem
critical.

Change-Id: I356efaac4c8af276aaaa0a141a70f35da19c6957
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1166
Reviewed-by: q3k <q3k@hackerspace.pl>
2021-10-16 21:24:47 +00:00