This is an automated email from the git hooks/post-receive script. cbaines pushed a commit to branch master in repository maintenance.
The following commit(s) were added to refs/heads/master by this push: new 8281e0d hydra: Add configuration for lakeside. 8281e0d is described below commit 8281e0d86424bdf52c17fffe43eb8106f142208e Author: Christopher Baines <m...@cbaines.net> AuthorDate: Tue Feb 1 19:03:38 2022 +0000 hydra: Add configuration for lakeside. This is a Hetzner hosted machine that stores and serves nars for bordeaux.guix.gnu.org. * hydra/lakeside.scm: New file. --- lakeside.scm | 166 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 166 insertions(+) diff --git a/lakeside.scm b/lakeside.scm new file mode 100644 index 0000000..88d594e --- /dev/null +++ b/lakeside.scm 
@@ -0,0 +1,166 @@
+(use-modules (gnu))
+(use-service-modules networking ssh monitoring web certbot guix)
+(use-package-modules screen ssh zile linux certs)
+
+(define %nginx-server-blocks
+(let ((common-locations
+(list
+(nginx-location-configuration
+(uri "= /nix-cache-info")
+(body '("
+return 200 'StoreDir: /gnu/store\nWantMassQuery: 0\nPriority: 100\n';
+add_header Content-Type text/plain;")))
+(nginx-location-configuration
+(uri "~ \\.narinfo$")
+(body '("
+proxy_pass http://nar-herder;
+
+# For HTTP pipelining. This has a dramatic impact on performance.
+client_body_buffer_size 128k;
+
+# Narinfos requests are short, serve many of them on a connection.
+keepalive_requests 20000;
+")))
+(nginx-location-configuration
+(uri "~ \\.narinfo/info$")
+(body '("proxy_pass http://nar-herder;")))
+(nginx-location-configuration
+(uri "/nar/")
+(body '("
+root /var/lib/nars;
+
+error_page 404 /404;
+
+client_body_buffer_size 256k;
+
+# Nars are already compressed.
+gzip off;
+")))
+(nginx-location-configuration
+(uri "= /latest-database-dump")
+(body '("proxy_pass http://nar-herder;")))
+(nginx-location-configuration
+(uri "= /recent-changes")
+(body '("proxy_pass http://nar-herder;")))
+(nginx-location-configuration
+(uri "~ ^/internal/database/(.*)$")
+(body '("internal;"
+"alias /var/lib/nar-herder/$1;")))))))
+
+(list
+(nginx-server-configuration
+(server-name '("lakeside.guix.gnu.org"))
+(listen '("80"))
+(root "/var/www")
+(locations
+(append
+common-locations
+(list
+(nginx-location-configuration ; For use by Certbot
+(uri "/.well-known")
+(body '(("root /var/www;"))))))))
+
+(nginx-server-configuration
+(server-name '("lakeside.guix.gnu.org"))
+(listen '("443 ssl"))
+(root "/var/www")
+(ssl-certificate
+"/etc/letsencrypt/live/lakeside.guix.gnu.org/fullchain.pem")
+(ssl-certificate-key
+"/etc/letsencrypt/live/lakeside.guix.gnu.org/privkey.pem")
+(raw-content
+'("
+# Make sure SSL is disabled.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+# Disable weak cipher suites.
+ssl_ciphers HIGH:!aNULL:!MD5;
+ssl_prefer_server_ciphers on;"))
+(locations common-locations)))))
+
+(operating-system
+(host-name "lakeside")
+(timezone "Europe/Berlin")
+(locale "en_US.utf8")
+
+(bootloader (bootloader-configuration
+(bootloader grub-bootloader)
+(targets '("/dev/sda"))))
+
+(file-systems (cons (file-system
+(device "/dev/sda2")
+(mount-point "/")
+(type "btrfs"))
+%base-file-systems))
+
+(users (cons (user-account
+(name "cbaines")
+(group "users")
+
+(supplementary-groups '("wheel"
+"audio" "video")))
+%base-user-accounts))
+
+(packages (cons* screen zile btrfs-progs nss-certs %base-packages))
+
+(services
+(append
+(list
+(service static-networking-service-type
+(list
+(static-networking
+(addresses
+(list
+(network-address
+(device "enp4s0")
+(ipv6? #t)
+(value "2a01:4f8:151:40cc::/64"))
+(network-address
+(device "enp4s0")
+(value "176.9.98.253/27"))))
+(routes
+(list
+(network-route
+(destination "default")
+(device "enp4s0")
+(gateway "176.9.98.225"))
+(network-route
+(destination "default")
+(device "enp4s0")
+(ipv6? #t)
+(gateway "fe80::1"))))
+(name-servers
+'("185.12.64.1" "185.12.64.2")))))
+
+(service prometheus-node-exporter-service-type)
+
+(service certbot-service-type
+(certbot-configuration
+(certificates
+(list (certificate-configuration
+(domains '("lakeside.guix.gnu.org")))))
+(email "m...@cbaines.net")
+(webroot "/var/www")))
+
+(service nar-herder-service-type
+(nar-herder-configuration
+(mirror "https://bordeaux.guix.gnu.org")
+(storage "/var/lib/nars")))
+
+(service nginx-service-type
+(nginx-configuration
+(upstream-blocks
+(list (nginx-upstream-configuration
+(name "nar-herder")
+(servers '("localhost:8734")))))
+(server-blocks
+%nginx-server-blocks)))
+
+(service openssh-service-type
+(openssh-configuration
+(password-authentication? #f))))
+(modify-services %base-services
+(guix-service-type
+config => (guix-configuration
+(extra-options
+(list "--max-jobs" "2"))))))))
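Review bot: The `raw-content` of the 443 server block still enables TLS 1.0 and 1.1 (`ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`), both deprecated by RFC 8996, and the comment above it ("Make sure SSL is disabled.") does not describe what the directive actually does. I would change the directive to `ssl_protocols TLSv1.2 TLSv1.3;` and reword the comment to `# Only allow TLS 1.2 and 1.3; SSLv3 and TLS 1.0/1.1 are deprecated.` (TLS 1.3 requires the nginx package to be linked against a recent OpenSSL, which cannot be confirmed from this file). The accompanying `ssl_ciphers HIGH:!aNULL:!MD5;` still admits static-RSA key exchange and CBC suites under TLS 1.2, so a forward-secrecy-only list such as Mozilla's "intermediate" set would be preferable. Separately, the port-80 server block serves the same `common-locations` in plaintext with no redirect to HTTPS; if that is deliberate (substitute clients verify narinfo signatures independently of transport), a one-line comment on that block saying so would spare the next reader the question.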