First on serving the internationalized website:

The following changes to maintenance:berlin redirect requests for old
URLs properly *only for non-HTTPS* in local testing on a vm-image.  I
assume the same will work when added for the HTTPS location, though
perhaps the line "set_from_accept_language $lang en de;" cannot or
need not be duplicated for both non-HTTPS and HTTPS.  I hope the
changes are compatible with the manual and cookbook URLs.  The changes
would better be tested more but I do not know how.


diff --git a/hydra/nginx/berlin.scm b/hydra/nginx/berlin.scm
index 2947759..8b66ba7 100644
--- a/hydra/nginx/berlin.scm
+++ b/hydra/nginx/berlin.scm
@@ -468,6 +468,10 @@ PUBLISH-URL."
     (uri "/guix")
     (body (list "root /var/www;")))
 
+   (nginx-location-configuration
+    (uri "~ (.html|.htm)$")
+    (body (list "try_files /$lang/$uri $uri =404;")))
+
    (nginx-location-configuration                  ;certbot
     (uri "/.well-known")
     (body (list "root /var/www;")))))
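Review bot: The location regex `~ (.html|.htm)$` leaves its dots unescaped, so `.` matches any character and a URI ending in, say, `xhtml` or `ahtm` is also routed through the language lookup; escaping the dot, `(uri "~ \\.html?$")`, restricts the match to real `.htm`/`.html` suffixes. In `try_files /$lang/$uri $uri =404;` nginx's `$uri` already begins with a slash, so `/$lang$uri` avoids a doubled slash in the looked-up path. The enclosing location list starts outside this hunk, so which server block uses it, and whether `$lang` is set there, cannot be confirmed from these lines.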
@@ -505,6 +509,9 @@ PUBLISH-URL."
     (root "/home/rekado/bootstrappable.org")
     (raw-content
      (list
+      "rewrite (.*)/$ $1/index.html;"
+      ;; put en first so it is the default:
+      "set_from_accept_language $lang en de;"
       "access_log /var/log/nginx/bootstrappable.access.log;")))
 
    (nginx-server-configuration
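Review bot: The context lines place `set_from_accept_language $lang en de;` and the `rewrite` in the server block whose root is `/home/rekado/bootstrappable.org`, while the attached testing patch adds the same two lines to the guix.gnu.org block. If the `try_files /$lang/$uri` location belongs to the guix.gnu.org locations, `$lang` would presumably be empty there and requests would fall through to the unlocalized `$uri`; the directive likely needs to sit in each guix.gnu.org server block, plain HTTP and HTTPS alike. Because the module only ever assigns one of the listed codes, a comment such as `;; $lang is always one of the listed codes, never the raw Accept-Language header` would record why using it in a file path is safe.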
@@ -767,5 +774,11 @@ PUBLISH-URL."
 (define %nginx-configuration
   (nginx-configuration
    (server-blocks %berlin-servers)
+   (modules
+    (list
+     ;; We need this module for redirecting users to the localized
+     ;; website of their choice.
+     (file-append nginx-accept-language-module "\
+/etc/nginx/modules/ngx_http_accept_language_module.so")))
    (extra-content
     (string-join %extra-content "\n"))))
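Review bot: `nginx-accept-language-module` is referenced here, but none of the three hunks adds a `#:use-module` clause for the package module that defines it; unless the file already imports it (its header is outside this diff), evaluating the configuration would fail with an unbound variable. The comment says the module is for "redirecting" users, whereas the new location uses `try_files`, an internal lookup that leaves the URL unchanged; `;; Needed to pick the localized page from the Accept-Language header.` would describe it more accurately.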



I attach a complete patch that can only be used for testing on a local
VM.  For testing, I perform the following steps:

cd ~/git/maintenance/hydra/
GUILE_LOAD_PATH=$(readlink -f ~/git/maintenance/hydra/modules):$GUILE_LOAD_PATH 
guix system vm-image --image-size=14G berlin.scm --fallback
cp /gnu/store/mm000wdzkzrvalg09jxk0y6nhi9c4iai-qemu-image berlin1.img
guix gc -D /gnu/store/mm000wdzkzrvalg09jxk0y6nhi9c4iai-qemu-image
chmod +w berlin1.img
qemu-system-x86_64 -enable-kvm berlin1.img -m 2048 -nic tap,ifname=tap0,script=no,downscript=no

Note that I use NetworkManager with dnsmasq for a tap0 host-to-guest
network connection as specified in the Guix manual.

---

Second, unrelated to serving the website:

I also noticed that Microsoft Internet Explorer 11 cannot display the
new accessible dropdowns on https://guix.gnu.org/.i18n/en.  Do we
care?  Perhaps the use of CSS z-index causes the problems.  The
previous dropdowns used display: none; which made the dropdowns
not-keyboard navigable.

Regards,
Florian
>From 3cfdd06a5f29b664666a002e4b49ecc82b157b5a Mon Sep 17 00:00:00 2001
From: Florian Pelz <pelzflor...@pelzflorian.de>
Date: Sun, 17 Nov 2019 17:12:11 +0100
Subject: [PATCH] [various changes for local testing]

---
 hydra/berlin.scm                    | 140 +---------------
 hydra/modules/sysadmin/services.scm |  66 ++++----
 hydra/nginx/berlin.scm              | 238 +---------------------------
 3 files changed, 41 insertions(+), 403 deletions(-)

diff --git a/hydra/berlin.scm b/hydra/berlin.scm
index fddf597..b34cf34 100644
--- a/hydra/berlin.scm
+++ b/hydra/berlin.scm
@@ -90,29 +90,9 @@ Happy hacking!\n"))
                  ;; The root file system resides on just a single
                  ;; disk, no RAID :-/
                  (file-system
-                   (device (file-system-label "my-root"))
+                   (device "/dev/sda")
                    (mount-point "/")
                    (type "ext4"))
-                 ;; This is a large external storage array
-                 ;; connected via 2 HBA cards.  We only mount it
-                 ;; through one of the HBA cards.  We would need
-                 ;; to use multipathd otherwise.
-                 (file-system
-                   (device (uuid "a6455b66-59d2-40bd-bddb-0c572bb62a2f"))
-                   (mount-point "/gnu")
-                   (type "ext4"))
-                 ;; Bind mount cache to large external storage.
-                 (file-system
-                   (device "/gnu/cache")
-                   (mount-point "/var/cache")
-                   (flags '(bind-mount))
-                   (type "none"))
-                 ;; Access root file system without bind mounts.
-                 (file-system
-                   (device "/")
-                   (mount-point "/mnt/root-fs")
-                   (flags '(bind-mount))
-                   (type "none"))
                  %base-file-systems))
 
   ;; Local admin account for MDC maintenance.
@@ -132,69 +112,13 @@ Happy hacking!\n"))
                    %base-packages))
 
   (services (cons*
-             ;; Connection to the DMZ for public access
-             ;; This is a 1G port only
-             (static-networking-service "eno1"
-                                        "141.80.181.41"
-                                        #:netmask "255.255.255.0"
-                                        #:gateway "141.80.181.1")
-             ;; This is a 10G port.
-             (static-networking-service "enp129s0f0"
-                                        "141.80.181.40"
-                                        #:netmask "255.255.255.0")
-             ;; Connection to build nodes
-             (static-networking-service "eno3"
-                                        "141.80.167.131"
-                                        #:netmask "255.255.255.192")
+             (service dhcp-client-service-type)
 
              ;; Allow login over serial console.
              (agetty-service (agetty-configuration
                               (tty "ttyS0")
                               (baud-rate "115200")))
 
-             ;; DNS
-             (service knot-service-type
-                      (knot-configuration
-                        (zones (list (knot-zone-configuration
-                                       (domain "guix.gnu.org")
-                                       (master '("bayfront-master"))
-                                       (acl '("notify-allow")))))
-                        (acls (list (knot-acl-configuration
-                                      (id "notify-allow")
-                                      (address (list bayfront-ip4))
-                                      (action '(notify)))))
-                        (remotes (list (knot-remote-configuration
-                                         (id "bayfront-master")
-                                         (address (list bayfront-ip4)))))))
-
-             ;; Monitoring
-             (service zabbix-agent-service-type)
-             (service zabbix-server-service-type
-                      (zabbix-server-configuration
-                       (include-files '("/root/zabbix-pass"))))
-             (service zabbix-front-end-service-type
-                      (zabbix-front-end-configuration
-                       (nginx (list
-                               (nginx-server-configuration
-                                (root #~(string-append 
#$zabbix-server:front-end "/share/zabbix/php"))
-                                (listen '("127.0.0.1:7878"))
-                                (index '("index.php"))
-                                (locations
-                                 (let ((php-location (nginx-php-location)))
-                                   (list (nginx-location-configuration
-                                          (inherit php-location)
-                                          (body (append 
(nginx-location-configuration-body php-location)
-                                                        (list "
-fastcgi_param PHP_VALUE \"post_max_size = 16M
-                          max_execution_time = 300\";
-"))))))))))
-                       (db-secret-file "/root/zabbix-front-end-secrets")))
-
-             ;; For the Zabbix database.  It was created by manually
-             ;; following the instructions here:
-             ;; 
https://www.zabbix.com/documentation/3.0/manual/appendix/install/db_scripts
-             (postgresql-service)
-
              (service ntp-service-type)
 
              ;; Make SSH and HTTP/HTTPS available over Tor.
@@ -210,68 +134,10 @@ fastcgi_param PHP_VALUE \"post_max_size = 16M
              (service static-web-site-service-type
                       (static-web-site-configuration
                        (git-url
-                        
"https://git.savannah.gnu.org/git/guix/guix-artwork.git";)
+                        "git://pelzflorian.de/guix-artwork.git")
                        (directory "/srv/guix.gnu.org")
                        (build-file "website/.guix.scm")))
 
-             ;; 'wip-i18n' branch of guix.gnu.org.
-             (service static-web-site-service-type
-                      (static-web-site-configuration
-                       (git-url
-                        
"https://git.savannah.gnu.org/git/guix/guix-artwork.git";)
-                       (git-ref '(branch . "wip-i18n"))
-                       (directory "/srv/guix.gnu.org-i18n")
-                       (build-file "website/.guix.scm")
-                       (cache-directory "guix.gnu.org-i18n") ;avoid collision
-                       (environment-variables
-                        '(("GUIX_WEB_SITE_ROOT_PATH" . "/.i18n")))))
-
-             ;; Manual for the latest stable release.
-             (service static-web-site-service-type
-                      (static-web-site-configuration
-                       (git-url "https://git.savannah.gnu.org/git/guix.git";)
-                       (git-ref '(branch . "version-1.0.1"))
-                       (directory "/srv/guix-manual")
-                       (build-file "doc/build.scm")
-                       (environment-variables
-                         '(("GUIX_MANUAL_VERSION" . "1.0.1")
-                           ("GUIX_WEB_SITE_URL" . "/")))))
-
-             ;; Manual for 'master'.
-             (service static-web-site-service-type
-                      (static-web-site-configuration
-                       (git-url "https://git.savannah.gnu.org/git/guix.git";)
-                       (directory "/srv/guix-manual-devel")
-
-                       ;; XXX: Use a different cache directory to work around
-                       ;; the fact that (guix git) would use a same-named
-                       ;; checkout directory for 'master' and for the branch
-                       ;; above.  Since both mcron jobs run at the same time,
-                       ;; they would end up using one branch or the other, in
-                       ;; a non-deterministic way.
-                       (cache-directory "guix-master-manual")
-
-                       (build-file "doc/build.scm")
-                       (environment-variables
-                        '(("GUIX_WEB_SITE_URL" . "/")))))
-
-             ;; Cookbook for 'master'.
-             (service static-web-site-service-type
-                      (static-web-site-configuration
-                       (git-url "https://git.savannah.gnu.org/git/guix.git";)
-                       (directory "/srv/guix-cookbook")
-
-                       ;; XXX: Use a different cache directory (see above).
-                       (cache-directory "guix-cookbook-master")
-
-                       (build-file "doc/build.scm")
-                       (environment-variables
-                        '(("GUIX_MANUAL" . "guix-cookbook")
-                          ("GUIX_WEB_SITE_URL" . "/")))))
-
-             ;; GWL web site.
-             (service gwl-web-service-type)
-
              (frontend-services %sysadmins
                                 #:systems '("x86_64-linux" "i686-linux"
                                             "aarch64-linux")
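Review bot: The replacement `git-url` uses the `git://` transport, which is neither encrypted nor authenticated, and the service then builds the site from `website/.guix.scm` in that checkout, so anyone on the network path between the VM and that host could substitute the code that gets built. Even for a local test VM, an `https://` or SSH URL for the same repository is preferable if that host offers one. A comment such as `;; TESTING ONLY: personal fork over unauthenticated git://` next to the URL would keep the line from being carried into a deployable configuration unnoticed.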
diff --git a/hydra/modules/sysadmin/services.scm 
b/hydra/modules/sysadmin/services.scm
index 943df8a..a7c63bc 100644
--- a/hydra/modules/sysadmin/services.scm
+++ b/hydra/modules/sysadmin/services.scm
@@ -90,19 +90,19 @@
 (define* (guix-daemon-config #:key (max-jobs 5) (cores 4))
   (guix-configuration
    ;; Disable substitutes altogether.
-   (use-substitutes? #f)
-   (substitute-urls '())
-   (authorized-keys '())
-
-   ;; We don't want to let builds get stuck for too long, but we still want
-   ;; to allow building, say, Guile 2.2 on armhf-linux, which takes < 3h on
-   ;; an OverDrive 1000.
-   (max-silent-time 3600)
-   (timeout (* 6 3600))
-
-   (log-compression 'gzip)               ;be friendly to 'guix publish' users
-
-   (build-accounts (* 2 max-jobs))
+   ;; (use-substitutes? #f)
+   ;; (substitute-urls '())
+   ;; (authorized-keys '())
+  ;; 
+   ;; ;; We don't want to let builds get stuck for too long, but we still want
+   ;; ;; to allow building, say, Guile 2.2 on armhf-linux, which takes < 3h on
+   ;; ;; an OverDrive 1000.
+   ;; (max-silent-time 3600)
+   ;; (timeout (* 6 3600))
+  ;; 
+   ;; (log-compression 'gzip)               ;be friendly to 'guix publish' 
users
+  ;; 
+   ;; (build-accounts (* 2 max-jobs))
    (extra-options (list "--max-jobs" (number->string max-jobs)
                         "--cores" (number->string cores)
                         "--cache-failures"
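Review bot: The surviving comment `;; Disable substitutes altogether.` now sits above settings that are all commented out, so the record falls back to the `guix-configuration` defaults and the comment states the opposite of what happens. The hunk at `@@ -290,9 +290,9 @@` also comments out the `guix-service-type` clause that calls `guix-daemon-config`, so at that call site these edits have no effect and could be dropped from the test patch. The `@@ -261,27 +261,27 @@` hunk uses the same commenting-out to remove `firewall-service` and `openssh-service-type`; a line such as `;; TESTING ONLY: do not deploy` at the top of each commented region would keep this from being mistaken for a deployable configuration.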
@@ -261,27 +261,27 @@
                   (mcron-configuration
                    (jobs (cons %certbot-job %gc-jobs))))
 
-         firewall-service
-
-         ;; The Web service.
-         (service guix-publish-service-type
-                  (guix-publish-configuration
-                   (port 3000)
-                   (cache "/var/cache/guix/publish")
-                   (ttl nar-ttl)
-                   (compression '(("gzip" 9) ("lzip" 9)))
-                   (workers publish-workers)))
+         ;; firewall-service
+        ;; 
+         ;; ;; The Web service.
+         ;; (service guix-publish-service-type
+         ;;          (guix-publish-configuration
+         ;;           (port 3000)
+         ;;           (cache "/var/cache/guix/publish")
+         ;;           (ttl nar-ttl)
+         ;;           (compression '(("gzip" 9) ("lzip" 9)))
+         ;;           (workers publish-workers)))
 
          %nginx-mime-types
          %nginx-cache-activation
 
-         (service cuirass-service-type
-                  (cuirass-configuration
-                   (interval (* 5 60))
-                   (ttl (quotient nar-ttl 2))
-                   (specifications (cuirass-specs systems))))
-
-         (service openssh-service-type)
+         ;; (service cuirass-service-type
+         ;;          (cuirass-configuration
+         ;;           (interval (* 5 60))
+         ;;           (ttl (quotient nar-ttl 2))
+         ;;           (specifications (cuirass-specs systems))))
+        ;; 
+         ;; (service openssh-service-type)
          (service sysadmin-service-type sysadmins)
 
          (append (if nginx-config-file
@@ -290,9 +290,9 @@
                                      (file nginx-config-file))))
                      '())
                  (modify-services %base-services
-                   (guix-service-type
-                    config => (guix-daemon-config #:max-jobs max-jobs
-                                                  #:cores cores))
+                   ;; (guix-service-type
+                   ;;  config => (guix-daemon-config #:max-jobs max-jobs
+                   ;;                                #:cores cores))
                    (login-service-type
                     config => (login-configuration
                                (inherit config)
diff --git a/hydra/nginx/berlin.scm b/hydra/nginx/berlin.scm
index 2947759..01e3144 100644
--- a/hydra/nginx/berlin.scm
+++ b/hydra/nginx/berlin.scm
@@ -167,28 +167,6 @@
 PUBLISH-URL."
   (append (publish-locations publish-url)
           (list
-           ;; Cuirass.
-           (nginx-location-configuration
-            (uri "/")
-            (body (list "proxy_pass http://localhost:8081;";)))
-           (nginx-location-configuration
-            (uri "~ ^/admin")
-            (body
-             (list "if ($ssl_client_verify != SUCCESS) { return 403; } 
proxy_pass http://localhost:8081;";)))
-
-           (nginx-location-configuration
-            (uri "/static")
-            (body
-             (list
-              "proxy_pass http://localhost:8081;";
-              ;; Let browsers cache this for a while.
-              "expires 10d;"
-              ;; Cache quite aggressively.
-              "proxy_cache static;"
-              "proxy_cache_valid 200 5d;"
-              "proxy_cache_valid any 10m;"
-              "proxy_ignore_client_abort on;")))
-
            (nginx-location-configuration
             (uri "/berlin.guixsd.org-export.pub")
             (body
@@ -485,28 +463,6 @@ PUBLISH-URL."
 (define %berlin-servers
   (list
    ;; Plain HTTP
-   (nginx-server-configuration
-    (listen '("80"))
-    (server-name '("berlin.guixsd.org"
-                   "ci.guix.info"
-                   "ci.guix.gnu.org"))
-    (locations (berlin-locations %publish-url))
-    (raw-content
-     (list
-      "access_log  /var/log/nginx/http.access.log;"
-      "proxy_set_header X-Forwarded-Host $host;"
-      "proxy_set_header X-Forwarded-Port $server_port;"
-      "proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;")))
-
-   (nginx-server-configuration
-    (listen '("80"))
-    (server-name '("bootstrappable.org"
-                   "www.bootstrappable.org"))
-    (root "/home/rekado/bootstrappable.org")
-    (raw-content
-     (list
-      "access_log /var/log/nginx/bootstrappable.access.log;")))
-
    (nginx-server-configuration
     (listen '("80"))
     (server-name '("guix.gnu.org"))
@@ -514,195 +470,10 @@ PUBLISH-URL."
     (locations guix.gnu.org-locations)
     (raw-content
      (list
-      "access_log /var/log/nginx/guix-info.access.log;")))
-
-   (nginx-server-configuration
-    (listen '("80"))
-    (server-name '("guix.info"
-                   "www.guix.info"))
-    (locations guix.info-locations)
-    (raw-content
-     (append
-      %tls-settings
-      (list
-       "access_log /var/log/nginx/guix-info.https.access.log;"))))
-
-   (nginx-server-configuration
-    (listen '("80"))
-    (server-name '("issues.guix.info"
-                   "issues.guix.gnu.org"))
-    (root "/home/rekado/mumi/")
-    (locations
-     (list (nginx-location-configuration ;certbot
-            (uri "/.well-known")
-            (body (list "root /var/www;")))
-           (nginx-location-configuration
-            (uri "/")
-            (body '("proxy_pass http://localhost:1234;";)))))
-    (raw-content
-     (list
-      "access_log /var/log/nginx/issues-guix-info.access.log;")))
-
-   (nginx-server-configuration
-    (listen '("80"))
-    (server-name '("workflows.guix.info"
-                   "workflow.guix.info"
-                   "guixwl.org"
-                   "www.guixwl.org"))
-    (root "/home/rekado/gwl/")
-    (locations
-     (list (nginx-location-configuration ;certbot
-            (uri "/.well-known")
-            (body (list "root /var/www;")))
-
-           ;; Pass requests to 'guix workflow --web-interface'.
-           (nginx-location-configuration
-            (uri "/")
-            (body '("proxy_pass http://localhost:5000;";)))))
-    (raw-content
-     (list
-      "access_log /var/log/nginx/workflows-guix-info.access.log;")))
-        
-   ;; HTTPS servers
-   (nginx-server-configuration
-    (listen '("443 ssl"))
-    (server-name '("berlin.guixsd.org"
-                   "ci.guix.info"
-                   "ci.guix.gnu.org"))
-    (ssl-certificate (le "berlin.guixsd.org"))
-    (ssl-certificate-key (le "berlin.guixsd.org" 'key))
-    (locations (berlin-locations %publish-url))
-    (raw-content
-     (append
-      %tls-settings
-      (list
-       "access_log  /var/log/nginx/https.access.log;"
-       "proxy_set_header X-Forwarded-Host $host;"
-       "proxy_set_header X-Forwarded-Port $server_port;"
-       "proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;"
-       ;; For Cuirass admin interface authentication
-       "ssl_client_certificate /etc/ssl-ca/certs/ca.crt;"
-       "ssl_crl /etc/ssl-ca/private/ca.crl;"
-       "ssl_verify_client optional;"))))
-
-   (nginx-server-configuration
-    (listen '("443 ssl"))
-    (server-name '("qualif.ci.guix.gnu.org"))
-    (locations (berlin-locations "http://localhost:3003";))
-    (raw-content
-     (append %tls-settings
-             '("access_log  /var/log/nginx/qualif.access.log;"))))
-
-   (nginx-server-configuration
-    (listen '("443 ssl"))
-    (server-name '("bootstrappable.org"
-                   "www.bootstrappable.org"))
-    (ssl-certificate (le "bootstrappable.org"))
-    (ssl-certificate-key (le "bootstrappable.org" 'key))
-    (root "/home/rekado/bootstrappable.org")
-    (raw-content
-     (append
-      %tls-settings
-      (list
-       "access_log /var/log/nginx/bootstrappable.https.access.log;"))))
-
-   (nginx-server-configuration
-    (listen '("443 ssl"))
-    (server-name '("guix.info"
-                   "www.guix.info"))
-    (ssl-certificate (le "guix.info"))
-    (ssl-certificate-key (le "guix.info" 'key))
-    (locations guix.info-locations)
-    (raw-content
-     (append
-      %tls-settings
-      (list
-       "access_log /var/log/nginx/guix-info.https.access.log;"))))
-
-   (nginx-server-configuration
-    (listen '("443 ssl"))
-    (server-name '("guix.gnu.org"))
-    (ssl-certificate (le "guix.gnu.org"))
-    (ssl-certificate-key (le "guix.gnu.org" 'key))
-    (root "/srv/guix.gnu.org")
-    (locations guix.gnu.org-locations)
-    (raw-content
-     (append
-      %tls-settings
-      (list
-       "access_log /var/log/nginx/guix-gnu-org.https.access.log;"))))
-
-   (nginx-server-configuration
-    (listen '("443 ssl"))
-    (server-name '("issues.guix.info"))
-    (ssl-certificate (le "issues.guix.info"))
-    (ssl-certificate-key (le "issues.guix.info" 'key))
-    (root "/home/rekado/mumi/")
-    (locations
-     (list (nginx-location-configuration
-            (uri "/")
-            (body '("proxy_pass http://localhost:1234;";)))))
-    (raw-content
-     (append
-      %tls-settings
-      (list
-       "proxy_set_header X-Forwarded-Host $host;"
-       "proxy_set_header X-Forwarded-Port $server_port;"
-       "proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;"
-       "proxy_connect_timeout       600;"
-       "proxy_send_timeout          600;"
-       "proxy_read_timeout          600;"
-       "send_timeout                600;"
-       "access_log /var/log/nginx/issues-guix-info.https.access.log;"))))
-
-   (nginx-server-configuration
-    (listen '("443 ssl"))
-    (server-name '("issues.guix.gnu.org"))
-    (ssl-certificate (le "issues.guix.gnu.org"))
-    (ssl-certificate-key (le "issues.guix.gnu.org" 'key))
-    (root "/home/rekado/mumi/")
-    (locations
-     (list (nginx-location-configuration
-            (uri "/")
-            (body '("proxy_pass http://localhost:1234;";)))))
-    (raw-content
-     (append
-      %tls-settings
-      (list
-       "proxy_set_header X-Forwarded-Host $host;"
-       "proxy_set_header X-Forwarded-Port $server_port;"
-       "proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;"
-       "proxy_connect_timeout       600;"
-       "proxy_send_timeout          600;"
-       "proxy_read_timeout          600;"
-       "send_timeout                600;"
-       "access_log /var/log/nginx/issues-guix-gnu-org.https.access.log;"))))
-
-   (nginx-server-configuration
-    (listen '("443 ssl"))
-    (server-name '("workflows.guix.info"
-                   "workflow.guix.info"
-                   "guixwl.org"
-                   "www.guixwl.org"))
-    (ssl-certificate (le "www.guixwl.org"))
-    (ssl-certificate-key (le "www.guixwl.org" 'key))
-    (root "/home/rekado/gwl/")
-    (locations
-     (list (nginx-location-configuration
-            (uri "/")
-            (body '("proxy_pass http://localhost:5000;";)))))
-    (raw-content
-     (append
-      %tls-settings
-      (list
-       "proxy_set_header X-Forwarded-Host $host;"
-       "proxy_set_header X-Forwarded-Port $server_port;"
-       "proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;"
-       "proxy_connect_timeout       600;"
-       "proxy_send_timeout          600;"
-       "proxy_read_timeout          600;"
-       "send_timeout                600;"
-       "access_log /var/log/nginx/workflows-guix-info.https.access.log;"))))))
+      "rewrite (.*)/$ $1/index.html;"
+      "access_log /var/log/nginx/guix-info.access.log;"
+      ;; put en first so it is the default:
+      "set_from_accept_language $lang en de;")))))
 
 (define %extra-content
   (list
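Review bot: With `set_from_accept_language` in place the same URL can yield a different page depending on the request's Accept-Language header, but nothing in the added lines tells caches so; a shared cache or proxy in front of the site could hand one visitor's language to everyone. Adding `"add_header Vary Accept-Language;"` to this `raw-content` list would cover it, provided no location defines its own `add_header` and so drops the inherited one. The `rewrite (.*)/$ $1/index.html;` line applies to every location of the server, so it is worth checking against the manual and cookbook paths the message mentions.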
@@ -766,6 +537,7 @@ PUBLISH-URL."
 
 (define %nginx-configuration
   (nginx-configuration
+   (server-names-hash-bucket-size 64)
    (server-blocks %berlin-servers)
    (extra-content
     (string-join %extra-content "\n"))))
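Review bot: This hunk adds `server-names-hash-bucket-size` but not the `modules` field from the diff in the message body, so with only this patch applied nginx would presumably reject `set_from_accept_language` as an unknown directive. Both diffs start from blob `2947759`, so they look like alternatives rather than a stack. The test patch would need the `(modules (list (file-append nginx-accept-language-module …)))` entry and the `try_files` location as well, or a sentence in the message saying it is meant to be combined with the first diff.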
-- 
2.24.0
