Presence of id_token in IDP token response causes synapse to demand
jwks_uri to be present in config/metadata. (login flow failing with
<<Missing "jwks_uri" in metadata>> message)
This behaviour was introduced somewhere between 1.42.0 and 1.56.0.
This is currently not set up correctly on sso.hackerspace.pl (we hand
out hs256 tokens instead of proper rsa ones) so this change will make it
fall back to non-oidc/plain oauth2 flow.
Change-Id: I4ff8aa175b4f0bbdcb3ee993b7cbd4545eac561a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1302
Reviewed-by: informatic <informatic@hackerspace.pl>
Reviewed-by: q3k <q3k@hackerspace.pl>
This change enables experimental message threading support and upgrades
Synapse and Element to their latest stable versions.
Change-Id: I68334982168ffdac98a1602a157be727b04e58d6
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1286
Reviewed-by: informatic <informatic@hackerspace.pl>
Reviewed-by: q3k <q3k@hackerspace.pl>
* Add some missing tools and ssl cert bundles to fix builds when using
nix-shell --pure
* Replaced broken //tools:install with direct bazel build in shell.nix
initialization to prevent cache thrashing
* Added fontconfig file with roboto font for use in wkhtmltopdf
Change-Id: I062380df5f1d83a0fb2df8ca172f362fff9ecf8e
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1301
Reviewed-by: q3k <q3k@hackerspace.pl>
Reviewed-by: pl <pl@hackerspace.pl>
Reminded by a power failure on bc01n0{1,2}, we migrate away from at
least one of them into another server.
We also fix up the startup join parameter to not include the node itself
(which is not necessary, but a nice thing to have nonetheless).
Since bc01n01 was the initial node of the cluster, we also disable the
init job for k0 (which we don't care about anyway).
Change-Id: I3406471c0f9542e9d802d39138e400b5a5e74794
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1176
Reviewed-by: q3k <q3k@hackerspace.pl>
This makes our routers less likely to reject connections when they're
being bruteforced: first, by disabling password auth (which we don't
use, anyway), second by making connection limits a bit less draconian.
Change-Id: I4e1e3b0be85dd5ad07a10610ca28a6f094249d8c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1174
Reviewed-by: q3k <q3k@hackerspace.pl>
Reviewed-by: implr <implr@hackerspace.pl>
The grapevine says that people were being fined for not supporting a
punycode domain. This was broken in rsh-unbound, so I had to fix it. I
then also realized we never were reloading unbound, so some changes
might've been slow to propagate.
Change-Id: Ie461a2ba27b5f447654a70f56bd73d3732b256ee
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1180
Reviewed-by: q3k <q3k@hackerspace.pl>
This removes the need to source env.{sh,fish} when working with hscloud.
This is done by:
1. Implementing a Go library to reliably detect the location of the
active hscloud checkout. That in turn is enabled by
BUILD_WORKSPACE_DIRECTORY being now a thing in Bazel.
2. Creating a tool `hscloud`, with a command `hscloud workspace` that
returns the workspace path.
3. Wrapping this tool to be accessible from Python and Bash.
4. Bumping all users of hscloud_root to use either the Go library or
one of the two implemented wrappers.
We also drive-by replace tools/install.sh to be a proper sh_binary, and
make it yell at people if it isn't being ran as `bazel run
//tools:install`.
Finally, we also drive-by delete cluster/tools/nixops.sh which was never used.
Change-Id: I7873714319bfc38bbb930b05baa605c5aa36470a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1169
Reviewed-by: informatic <informatic@hackerspace.pl>
This release removes Let's Encrypt DST Root CA X3 pinning and adds
dynamic secret key generation.
Deployed to production on 2021/10/09
Change-Id: I2b88dc9ab6b67d1c3af277d673702c6a1b3188db
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1161
Reviewed-by: q3k <q3k@hackerspace.pl>
Let's make things simpler and just build/run stuff that we deem
critical.
Change-Id: I356efaac4c8af276aaaa0a141a70f35da19c6957
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1166
Reviewed-by: q3k <q3k@hackerspace.pl>
This makes the hscloud readTree object available as following in NixOS
modules:
{ config, pkgs, workspace, ... }: {
environment.systemPackages = [
workspace.hswaw.laserproxy
];
}
Change-Id: I9c8146f5156ffe5d06cb8408a2ce632657990d59
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1164
Reviewed-by: q3k <q3k@hackerspace.pl>
This bitrot at some point. Now it's all freshened up.
Change-Id: Ia7df1ccd9b39d9180131452e9bf18d0fb8fa50d5
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1163
Reviewed-by: informatic <informatic@hackerspace.pl>
You can test this using:
bazel run '@io_filippo_age//cmd/age'
The same target can now be used in data dependencies for secretstore
(you'll need to hardcode the runfile path, or use some
Bazel-runfile-resolving library for Python).
This required adding a few dependencies to
third_party/go/repositories.bzl, but also moving golang.org/x/crypto
from that file into WORKSPACE, before gazelle_deps gets loaded (as the
version requested by gazelle_deps is too old). We also moved shlex that
shouldn't have been in WORKSPACE into third_party/go/repositories.bzl.
Otherwise, this was just a few small deps - bumped golang.org/x/crypto,
new golang.org/x/term, new filippo.io/edwards25519. Hooray low
dependency code.
Change-Id: I0e684d88efffde13a3b4e253860aabcb35a3c94d
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1158
Reviewed-by: patryk <patryk@hackerspace.pl>