01/03: hydra: deploy-node-129: Store and serve bordeaux nars.
From: |
Christopher Baines |
Subject: |
01/03: hydra: deploy-node-129: Store and serve bordeaux nars. |
Date: |
Tue, 30 May 2023 13:13:17 -0400 (EDT) |
cbaines pushed a commit to branch master
in repository maintenance.
commit a35f3a0deefe4500365530df9a1b0b23a733afb2
Author: Christopher Baines <mail@cbaines.net>
AuthorDate: Tue May 30 18:04:57 2023 +0100
hydra: deploy-node-129: Store and serve bordeaux nars.
Step in for bishan (which has run out of space) to store and serve all
the bordeaux nars.
* hydra/deploy-node-129.scm (%nginx-server-blocks): New variable.
<services>: Switch to mirroring bordeaux.guix.gnu.org directly, and
add certbot and nginx.
---
hydra/deploy-node-129.scm | 137 +++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 136 insertions(+), 1 deletion(-)
diff --git a/hydra/deploy-node-129.scm b/hydra/deploy-node-129.scm
index 253ecc8..6ac1699 100644
--- a/hydra/deploy-node-129.scm
+++ b/hydra/deploy-node-129.scm
@@ -12,6 +12,8 @@
;;; 4. Be used as a test bed for staging new configurations before
;;; they are deployed in production to Berlin.
;;;
+;;; 5. Store and serve nars for bordeaux.guix.gnu.org
+;;;
;;; TODO: Implement service redundancy with Berlin.
;;;
;;; FIXME: Re-deploying must happen from Berlin, due to bug #46760.
@@ -36,6 +38,8 @@
(gnu services rsync)
(gnu services guix)
(gnu services ssh)
+ (gnu services web)
+ (gnu services certbot)
(gnu system file-systems)
(gnu system linux-initrd)
(guix gexp)
@@ -48,6 +52,116 @@
;; List of authorized 'guix archive' keys.
(list (local-file "keys/guix/berlin.guixsd.org-export.pub")))
+(define %nginx-server-blocks
+ (let ((common-locations
+ (list
+ (nginx-location-configuration
+ (uri "= /nix-cache-info")
+ (body '("
+ return 200 'StoreDir: /gnu/store\nWantMassQuery: 0\nPriority: 100\n';
+ add_header Content-Type text/plain;")))
+ (nginx-location-configuration
+ (uri "~ \\.narinfo$")
+ (body '("
+ proxy_pass http://nar-herder;
+
+ # For HTTP pipelining. This has a dramatic impact on performance.
+ client_body_buffer_size 128k;
+
+ # Narinfos requests are short, serve many of them on a connection.
+ keepalive_requests 20000;
+")))
+ (nginx-location-configuration
+ (uri "~ \\.narinfo/info$")
+ (body '("proxy_pass http://nar-herder;")))
+ (nginx-location-configuration
+ (uri "/nar/")
+ (body '("proxy_pass http://nar-herder;")))
+ (nginx-location-configuration
+ (uri "/file/")
+ (body '("proxy_pass http://nar-herder;")))
+ (nginx-named-location-configuration
+ (name "nar-storage-location")
+ (body '("rewrite /internal/(.*) /$1 break;"
+ "proxy_pass https://nar-storage;"
+ "
+set $via \"1.1 hydra-guix-129\";
+if ($http_via) {
+ set $via \"$http_via, $via\";
+}
+proxy_set_header Via $via;"
+ "proxy_set_header Host bordeaux.guix.gnu.org:443;")))
+ (nginx-location-configuration
+ (uri "= /latest-database-dump")
+ (body '("proxy_pass http://nar-herder;")))
+ (nginx-location-configuration
+ (uri "= /recent-changes")
+ (body '("proxy_pass http://nar-herder;")))
+ (nginx-location-configuration
+ (uri "= /metrics")
+ (body '("proxy_pass http://nar-herder;")))
+ (nginx-location-configuration
+ (uri "~ ^/internal/nar/(.*)$")
+ (body '("
+ internal;
+ root /srv/bordeaux/nars;
+
+ try_files /nar/$1 @nar-storage-location;
+
+ error_page 404 /404;
+
+ client_body_buffer_size 256k;
+
+ # Nars are already compressed.
+ gzip off;
+")))
+ (nginx-location-configuration
+ (uri "~ ^/internal/cached-nar/(.*)$")
+ (body '("
+ internal;
+ root /var/cache/nar-herder;
+ try_files /nar/$1 =404;
+
+ error_page 404 /404;
+ client_body_buffer_size 256k;
+ gzip off;
+")))
+ (nginx-location-configuration
+ (uri "~ ^/internal/database/(.*)$")
+ (body '("internal;"
+ "alias /var/lib/nar-herder/$1;"))))))
+
+ (list
+ (nginx-server-configuration
+ (server-name '("hydra-guix-129.guix.gnu.org"))
+ (listen '("80"))
+ (root (local-file "nginx/html/hydra-guix-129" #:recursive? #t))
+ (locations
+ (append
+ common-locations
+ (list
+ (nginx-location-configuration ; For use by Certbot
+ (uri "/.well-known")
+ (body '(("root /var/www;"))))))))
+
+ (nginx-server-configuration
+ (server-name '("hydra-guix-129.guix.gnu.org"))
+ (listen '("443 ssl"))
+ (root (local-file "nginx/html/hydra-guix-129" #:recursive? #t))
+ (ssl-certificate
+ "/etc/letsencrypt/live/hydra-guix-129.guix.gnu.org/fullchain.pem")
+ (ssl-certificate-key
+ "/etc/letsencrypt/live/hydra-guix-129.guix.gnu.org/privkey.pem")
+ (raw-content
+ '("
+ # Make sure SSL is disabled.
+ ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+
+ # Disable weak cipher suites.
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;"))
+ (locations common-locations)))))
+
(define %btrfs-san-uuid "3bd8e3fb-2ad1-41ff-ac80-4ca3e17950ea")
(define %common-btrfs-options '(("compress" . "zstd")
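Review bot: `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` in the raw-content of the new 443 server block still enables TLS 1.1, which is deprecated (RFC 8996) and is not needed by current guix clients; I would tighten it to `ssl_protocols TLSv1.2 TLSv1.3;`. The comment just above it, `# Make sure SSL is disabled.`, does not say what the directive does (it selects which protocol versions are offered), so reword it to `# Offer only modern TLS versions (no SSLv3 / TLS 1.0 / 1.1).`. Separately, the `nar-storage-location` named location does `proxy_pass https://nar-storage;` and sets only the Host header; nginx does not verify the upstream certificate unless `proxy_ssl_verify on;` (with a `proxy_ssl_trusted_certificate`) is configured, and without `proxy_ssl_server_name on;` the upstream receives no SNI, so it is worth confirming that the unverified connection to bordeaux is intended — nar integrity presumably still rests on the narinfo signatures, but that should be stated in a comment if so.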
@@ -227,11 +341,32 @@ devices {
(service nar-herder-service-type
(nar-herder-configuration
- (mirror "https://bishan.guix.gnu.org")
+ (mirror "https://bordeaux.guix.gnu.org")
(storage "/srv/bordeaux/nars")
(ttl "180d")
(log-level 'DEBUG)))
+ (service certbot-service-type
+ (certbot-configuration
+ (certificates
+ (list (certificate-configuration
+ (domains '("hydra-guix-129.guix.gnu.org")))))
+ ;; TODO: Maybe this should be guix-sysadmin@gnu.org
+ (email "mail@cbaines.net")
+ (webroot "/var/www")))
+
+ (service nginx-service-type
+ (nginx-configuration
+ (upstream-blocks
+ (list (nginx-upstream-configuration
+ (name "nar-herder")
+ (servers '("127.0.0.1:8734")))
+ (nginx-upstream-configuration
+ (name "nar-storage")
+ (servers '("bordeaux.guix.gnu.org:443")))))
+ (server-blocks
+ %nginx-server-blocks)))
+
(modify-services (operating-system-user-services base-os)
(mcron-service-type
config => (mcron-configuration