This fixes full labs settings tab visibility in newer Element versions
(only Beta options were listed, not all experimental features), and
enables quite common custom reaction packs support.
Base config adjusted to more closely resemble official sample:
https://github.com/element-hq/element-web/blob/develop/config.sample.json
Change-Id: Id6f30ebec9dd6bfe5c87de0648031fa14fc417dd
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2144
Reviewed-by: informatic <informatic@hackerspace.pl>
These machines have been dead for a long time
Change-Id: Idf10da9945cb0ae2284740775b15997991a8f789
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2142
Reviewed-by: informatic <informatic@hackerspace.pl>
cebula.camp is moving to its own infra
Change-Id: Ic0c86d81d913ba9e65259baf9f7385b4cba99c5a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2147
Reviewed-by: q3k <q3k@hackerspace.pl>
Adds Calico network fabric & CNI plugin, as well as its BGP configuration and IP Pools.
Updates IP addresses for coredns, ingress, prodvider, now that IP ranges have been determined.
Change-Id: Ic7214ad946bc486978444582b7c7dcb49f68e8f1
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2138
Reviewed-by: informatic <informatic@hackerspace.pl>
oopsie that happened in 17d71bd, but was only caught after everything.jsonnet was merged. Sorry!
Change-Id: I12de7be673fd1f355c2e47583957aea06d2f130d
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2140
Reviewed-by: radex <radex@hackerspace.pl>
TODO:
* fix polycom volume control on iot.
* spejsiot-api, spejsiot-polycom, and socat-polycom appear to be working, but manipulating aux1 audio gain on iot. doesn't seem to affect volume coming from sound.
./.: driveby: nixfmt
./audio.nix:
* `sound.enable` is no more
* migration to pipewire
* disable cache in spotifyd
* bluez-simple-agent moved to its own package because of GI_TYPELIB_PATH shenanigans
* enable avahi to allow pipewire to publish itself
* explicitly set audio backend for spotifyd to pulseaudio, otherwise it attempts to use native pipewire and fails because that lives in a specific user's session now
* pipewire modules require a dbus session; work around it by making pipewire user a normal user with lingering units and pipewire user service wanted by default.target
* make starting user sessions depend on network-online.target, to avoid a race condition between pipewire{,-pulse} zeroconf publishing and network status; added a load-bearing sleep to pipewire-pulse because it *sometimes* (once every >10 reboots) still wasn't enough
* added airplay/raop sink (shairport-sync)
./configuration.nix:
* sshd setting rename
* add my key
* add alsa-utils for alsamixer
* migrate to networkd, make networkd only wait for "lan" interface for online status
* spejsiot-api listens on 127.0.0.1; change nginx backend explicitly to that address; localhost resolved to ip6 ::1 and caused errors
./bluez-simple-agent.py:
* automagic shebangs interfered with running the script as a systemd unit
* reworked import from gi.repository because MainLoop() is now in GLib
* moved to hswaw/bluez-simple-agent to avoid unnecessary rebuilds
./spejsiot-api.nix:
* fix for deprecated import
* driveby: remove unused variable binding
ops/hive.nix: move customs pinned commit to outer scope and use it for sound as well
hswaw/lib/flask_spaceauth/example.py: fix for deprecated import
Change-Id: Ic9993836e334236ac842525a0fd167906a91fc37
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2119
Reviewed-by: informatic <informatic@hackerspace.pl>
Because of a large k8s version difference (and hence ingress controller version), it's not practical to reuse k0's config in total.
As we're starting from a blank slate, this setup is a bit simpler (closer to vendored yaml) than k0's:
- We don't have to rename namespace, maintain old labels, and so on.
- We can include {cluster,}role{binding,}s, service account as is.
- The deployment is also just a modified version of the vendored deployment (changing replicas, args, resources, volume only from the default)
For ConfigMaps, we reuse k0's as much as practical for the transition period.
For Services, I propose a convention of tying `ingress-$N.k1.hswaw.net` to `svc/ingress-$N-k1-hswaw-net`, so that in the future, we can point code.hackerspace.pl to ingress-2.k1.hswaw.net instead of an IP. This should be easier to read and understand than the old setup.
Change-Id: I81e1570411e574c1ce828ac94e2251f7ecf90b00
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2131
Reviewed-by: informatic <informatic@hackerspace.pl>
This convention is meant to aid during mass refactoring of jsonnets (such as kube.libsonnet additions). However, this can also be used to do a global diff between master and production.
Currently, this is only helpful to a handful of secretstore keyholders, otherwise not all jsonnets can evaluate. However, in principle it should be possible to evaluate jsonnets sans secrets to allow non-admins to do this type of maintenance.
Change-Id: I5afb9ee3ab478b2f0939c8bacec7cdb2c96011de
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2122
Reviewed-by: implr <implr@hackerspace.pl>
Adds //cluster/k1/certs go package, and changes prodaccess to look up the correct one based on the -cluster flag. This should complete the transition of prodaccess to multicluster.
Change-Id: If65fab8f898a48ec16e6de7eeb02fd0aacee30b4
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2117
Reviewed-by: q3k <q3k@hackerspace.pl>
This adds a stub of k1/cluster.libsonnet and k1.jsonnet, mirroring k0 configuration structure.
There are no nodes to deploy this to yet, but it is at least valid jsonnet.
It contains all cluster services/config that are k1-ready as of this commit:
- basic roles and bindings
- letsencrypt certificate issuer
- prodvider
- pki
- admitomatic
- namespace admins
admitomatic and admin config is shared with k0 at this stage.
Change-Id: I51326dae43739b1cbee89d54b8ac490430d49256
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2127
Reviewed-by: informatic <informatic@hackerspace.pl>
This introduces a way to replace kube.libsonnet with k1.libsonnet in all places that will be used both on k0 and k1.
We need this because of k8s API incompatibilities.
Change-Id: Id10bafea85c04fc214d5a766c33cadc979183992
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2134
Reviewed-by: informatic <informatic@hackerspace.pl>
This contains changes that will be required for k1 but are (AFAICT) incompatible with k0. The idea is for apps deployed on k1 to import this instead of hscloud.libsonnet
Change-Id: I133bf71c1610469674089041c3996a9d7f7117a8
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2126
Reviewed-by: informatic <informatic@hackerspace.pl>
Extracting this part of cluster.libsonnet, primarily for ease of reuse in k1 config.
Additionally, removed an unused cluster cfg field
Change-Id: I66a527f0090fa5e3833287bfea267db485977f21
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2128
Reviewed-by: informatic <informatic@hackerspace.pl>
This will allow affected libsonnets to be reused for k1
Change-Id: I30e7dfd6c391e479270c78f8a245d6f330e65027
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2124
Reviewed-by: informatic <informatic@hackerspace.pl>
matrix.0x3c.pl.jsonnet and pretalx.libsonnet would not evaluate correctly due to errors
Change-Id: I919cc5065dd22fb6aa44928c00acbfa2a10db939
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2123
Reviewed-by: informatic <informatic@hackerspace.pl>
Also:
- update implr's keys
- drop noXlibs as nixos dropped it
- remove sshd patch as 24.11 is on 9.9 which is not affected
Change-Id: Id81291b7d5949fa390ac3b72104ada7e5a16c00c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2067
Reviewed-by: ar <ar@hackerspace.pl>
Reviewed-by: q3k <q3k@hackerspace.pl>
There should not be a bus factor of 1 in OWNERS files with inherited: false
Change-Id: Ie5862e956b34fc2e5445c817fc85a93f3e317500
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2118
Reviewed-by: q3k <q3k@hackerspace.pl>
This introduces pulseaudio/bluez-based A2DP sink. Authentication is
handled by a custom agent python script that allows everything without
any manual input (with fallback to "1234" code if that's requested by
connecting party) - "NoInputNoOutput" mode that's supposed to allow
pairing without any code/interaction seems to be broken.
spotifyd (spotify connect-capable receiver) is added now too.
Change-Id: I22b4d946a61e84e7c0387448a0d8021910bf1451
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1952
Reviewed-by: informatic <informatic@hackerspace.pl>
Across the hscloud, few deployments have a number of replicas other than 1. And not every app is even built to support more than 1 replica (notably, nothing with waw-hdd-redundant-3 mounts will work). Also, replicas=1 is the default. Therefore, it doesn't make sense to explicitly say `replicas: 1` unless another value is needed.
Change-Id: I12250ceb053d2041c06ecfe685fe7f8f10d20679
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2084
Reviewed-by: pl <pl@hackerspace.pl>
Reviewed-by: krnlexception <krnlexception@hackerspace.pl>
Reviewed-by: informatic <informatic@hackerspace.pl>
The abstraction and name of SimpleIngress didn't feel right to me. I realized it's actually a few related things. One is just the simplified syntax to point `target` to `hosts`, and that should live in the (upstream-able) kube.libsonnet (similar to what we do with Service, PVC). Second is k0-specific default for all ingresses of proxy-body-size=0. Third is TLS-specific stuff, which includes the (standard) spec.tls, and k0-specific acme/cert-manager annotations.
In the end, for cluster users this is basically just a rename of SimpleIngress to TLSIngress. But it's a bit better encapsulated I think, and if someone wants a non-TLS Ingress or if we ever upstream kube.libsonnet, this may be helpful
Change-Id: I4587549699c40fe71c4fff358faac8748ecc44ef
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2085
Reviewed-by: q3k <q3k@hackerspace.pl>
- allow passing -cluster to select another cluster (k0 remains the default for the time being)
- default prodvider dns to prodvider.<cluster>.hswaw.net
- scope kube config username and certs storage by cluster name
additionally:
- force username to be lowercase (LDAP is case-insensitive, but e.g. kubernetes namespaces are not)
- fix some Go deprecations
Change-Id: Ibf4a6ced7a635940f6a7c568c79714cd8ac60ce9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2101
Reviewed-by: radex <radex@hackerspace.pl>
- remove defaults for -kubernetes_host and -prodvider_cn
- pass cluster fqdn to KubernetesKeys.Cluster
- hardcode prodvider.hswaw.net as one of prodvider cert's DNSNames to allow graceful transition to prodvider.k0.hswaw.net
- add optional -crdb_cluster flag
BONUS CONTENT:
- use consistent credential duration for all certs + allow configuration via -credential_duration
- fixes broken prodviding if username isn't all lowercase
Change-Id: Ia801a16d7245d746e72f199a0900100ffc614dcf
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2100
Reviewed-by: q3k <q3k@hackerspace.pl>