cbaines pushed a commit to branch master
in repository maintenance.

commit 33ee88095eb6bcdbfb59cf2445ed0030ec30df8b
Author: Christopher Baines <[email protected]>
AuthorDate: Mon Dec 16 10:58:07 2024 +0000

    hydra: deploy-node-129: Setup reverse proxy for data.qa.guix.gnu.org.
    
    Which is running on node 130.
    
    * hydra/deploy-node-129.scm (%hydra-guix-129-nginx-server-blocks):
    Rename from %nginx-server-blocks.
    (%guix-data-service-nginx-server-blocks): New variable.
    (node-129-os): Add the prometheus-node-exporter service type, set up
    the data.qa.guix.gnu.org certificate and update the Nginx
    configuration.
---
 hydra/deploy-node-129.scm | 112 +++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 106 insertions(+), 6 deletions(-)

diff --git a/hydra/deploy-node-129.scm b/hydra/deploy-node-129.scm
index f9bbbe36..08e5001b 100644
--- a/hydra/deploy-node-129.scm
+++ b/hydra/deploy-node-129.scm
@@ -40,6 +40,7 @@
              (gnu services ssh)
              (gnu services web)
              (gnu services certbot)
+             (gnu services monitoring)
              (gnu system file-systems)
             (gnu system linux-initrd)
              (guix gexp)
@@ -52,7 +53,7 @@
   ;; List of authorized 'guix archive' keys.
   (list (local-file "keys/guix/berlin.guixsd.org-export.pub")))
 
-(define %nginx-server-blocks
+(define %hydra-guix-129-nginx-server-blocks
   (let ((common-locations
          (list
           (nginx-location-configuration
@@ -128,7 +129,16 @@
           (nginx-location-configuration
            (uri "~ ^/internal/database/(.*)$")
            (body '("internal;"
-                   "alias /var/lib/nar-herder/$1;"))))))
+                   "alias /var/lib/nar-herder/$1;")))
+
+          ;; Port 9100 isn't reachable externally, so proxy to allow
+          ;; machine metrics out
+          (nginx-location-configuration
+           (uri "/hydra-guix-129-metrics")
+           (body '(("proxy_pass http://127.0.0.1:9100/metrics;";))))
+          (nginx-location-configuration
+           (uri "/hydra-guix-130-metrics")
+           (body '(("proxy_pass http://141.80.167.187:9100/metrics;";)))))))
 
     (list
      (nginx-server-configuration
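Review bot: The two metrics locations appended to common-locations (`/hydra-guix-129-metrics` and `/hydra-guix-130-metrics`) carry no access control, so node-exporter output for both hosts is readable by anyone who can reach the web server. Node-exporter metrics disclose kernel version, mounted filesystems, interface names, load and uptime, which is more than an anonymous client needs; restricting each location to the scraping host, e.g. `"allow <prometheus-host-ip>;" "deny all;"` ahead of the `proxy_pass`, or at least a comment stating that public exposure is deliberate, would make the decision explicit. Because these live in common-locations they are presumably served by every server block that uses that list, including any plain-HTTP one, so the comment about port 9100 not being reachable externally no longer describes the effective exposure. The `let` binding common-locations starts before this hunk.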
@@ -162,6 +172,75 @@
           "set  $via  \"1.1 hydra-guix-129\";"))
        (locations common-locations)))))
 
+(define %guix-data-service-nginx-server-blocks
+  (let ((base
+         (nginx-server-configuration
+          (server-name '("data.qa.guix.gnu.org"))
+          (listen '("443 ssl"))
+          (root "/srv/http/data.qa.guix.gnu.org")
+          (ssl-certificate 
"/etc/letsencrypt/live/data.qa.guix.gnu.org/fullchain.pem")
+          (ssl-certificate-key 
"/etc/letsencrypt/live/data.qa.guix.gnu.org/privkey.pem")
+          (locations
+           (list
+            (nginx-location-configuration
+             (uri "/")
+             (body '("try_files $uri $uri/ @guix-data-service;")))
+            (nginx-location-configuration
+             (uri "~ /dumps/(.+)")
+             (body `(("root /var/lib/guix-data-service;"
+                      "try_files $uri =404;"))))
+            (nginx-named-location-configuration
+             (name "guix-data-service")
+             (body '("proxy_pass http://qa-data-service;";
+                     "proxy_read_timeout 400s;"
+                     "proxy_set_header Host            $host;"
+                     "proxy_set_header X-Forwarded-For $remote_addr;"
+
+                     "proxy_cache guix-data-service;"
+                     "proxy_cache_revalidate on;"
+                     "proxy_cache_min_uses 3;"
+                     "proxy_cache_use_stale error timeout updating http_500 
http_502 http_503 http_504;"
+                     "proxy_cache_background_update on;"
+                     "proxy_cache_lock on;"
+                     "add_header X-Cache-Status $upstream_cache_status;"
+
+                     "if ($http_user_agent ~ (Bytespider|ClaudeBot) ) {
+  return 403;
+}"
+
+                     "gzip on;"
+                     "gzip_types text/html application/json;"
+                     "gzip_proxied any;"))))))))
+    (list
+     base
+     (nginx-server-configuration
+      (inherit base)
+      (listen '("80"))
+      (ssl-certificate #f)
+      (ssl-certificate-key #f)
+      (locations
+       (append
+        (nginx-server-configuration-locations base)
+        (list
+         (nginx-location-configuration
+          (uri "^~ /.well-known/acme-challenge/")
+          (body '("root /srv/http/beid.cbaines.net;")))
+         (nginx-location-configuration
+          (uri "= /.well-known/acme-challenge/")
+          (body '("return 404;"))))))))))
+
+(define my-nginx-service-extra-content "
+    types {
+      text/plain run;
+    }
+
+    proxy_cache_path /var/cache/nginx/guix-data-service
+                     levels=2
+                     inactive=2d
+                     keys_zone=guix-data-service:4m  # ~32K keys
+                     max_size=1g
+                     use_temp_path=off;")
+
 (define %btrfs-san-uuid "3bd8e3fb-2ad1-41ff-ac80-4ca3e17950ea")
 
 (define %common-btrfs-options '(("compress" . "zstd")
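Review bot: The ACME challenge location in the port-80 block uses `root /srv/http/beid.cbaines.net;`, which names an unrelated host, while the certbot-configuration further down in this file uses `(webroot "/var/www")`; unless certbot writes its challenge files under that path, renewal of the data.qa.guix.gnu.org certificate would answer 404 from this block, so the root should presumably be `/var/www` (or whichever webroot certbot actually uses). The port-80 block also inherits every location of the HTTPS block, so the whole data service is served over plain HTTP with no redirect and no HSTS; if that is not intended, replace the inherited locations with the ACME location plus `"return 301 https://$host$request_uri;"` on `/`. The user-agent `if ... return 403` is a courtesy block that any client can bypass by changing its User-Agent, which is worth recording in a comment such as `;; Best-effort crawler block; the UA check is trivially spoofable.`.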
@@ -337,6 +416,8 @@ devices {
                                 (name "substitutes")
                                 (file-name "/srv/publish/substitutes"))))))
 
+              (service prometheus-node-exporter-service-type)
+
               (service nar-herder-service-type
                        (nar-herder-configuration
                         (mirror "https://bordeaux.guix.gnu.org";)
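Review bot: `(service prometheus-node-exporter-service-type)` is added with default settings, so the only thing keeping the exporter off the network is the assumption recorded earlier in this file that port 9100 is not reachable externally. Since this node's metrics are proxied from `127.0.0.1:9100`, binding the exporter to loopback would remove the dependence on the perimeter filter, e.g. `(prometheus-node-exporter-configuration (web-listen-address "127.0.0.1:9100"))` if the configuration record exposes that field. A comment such as `;; Scraped through the /hydra-guix-129-metrics Nginx location.` would also tie the two pieces together for the next reader.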
@@ -348,23 +429,42 @@ devices {
                        (certbot-configuration
                         (certificates
                          (list (certificate-configuration
-                                (domains '("hydra-guix-129.guix.gnu.org")))))
+                                (domains '("hydra-guix-129.guix.gnu.org")))
+                               (certificate-configuration
+                                (domains '("data.qa.guix.gnu.org")))))
                         ;; TODO: Maybe this should be [email protected]
                         (email "[email protected]")
                         (webroot "/var/www")))
 
               (service nginx-service-type
                        (nginx-configuration
+                        (nginx
+                         (package
+                           (inherit nginx)
+                           (arguments
+                            (append
+                             '(#:configure-flags 
'("--with-http_gzip_static_module"
+                                                   
"--with-http_gunzip_module"))
+                             (package-arguments nginx)))))
+                        (extra-content my-nginx-service-extra-content)
                         (log-level 'warn)
                         (upstream-blocks
                          (list (nginx-upstream-configuration
                                 (name "nar-herder")
-                                (servers '("127.0.0.1:8734")))
+                                (servers '("127.0.0.1:8734"))
+                                (extra-content
+                                 '("keepalive 4;"
+                                   "keepalive_requests 10000;")))
                                (nginx-upstream-configuration
                                 (name "nar-storage")
-                                (servers '("bordeaux.guix.gnu.org:443")))))
+                                (servers '("bordeaux.guix.gnu.org:443")))
+                               (nginx-upstream-configuration
+                                (name "qa-data-service")
+                                (servers '("141.80.167.187:8765")))))
                         (server-blocks
-                         %nginx-server-blocks)))
+                         (append
+                          %hydra-guix-129-nginx-server-blocks
+                          %guix-data-service-nginx-server-blocks))))
 
               (modify-services (operating-system-user-services base-os)
                 (mcron-service-type
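Review bot: The new `qa-data-service` upstream points at the bare address `141.80.167.187:8765` over plain HTTP, with nothing saying which host that is or that the backend must only be reachable through this proxy. The named location for this upstream sets `X-Forwarded-For` from `$remote_addr`, so any logging or rate limiting on the backend that trusts that header is only sound if port 8765 on that host cannot be reached by clients directly; a comment like `;; node 130 backend for data.qa.guix.gnu.org; 8765 must not be exposed beyond this proxy` records the assumption. The nginx package override prepends `#:configure-flags` to `(package-arguments nginx)`; it is worth confirming against the base package's arguments that this extends rather than replaces any existing `#:configure-flags`, since Guile resolves a duplicated keyword by position rather than merging the lists. The certbot-configuration form starts before this hunk and the modify-services form continues after it.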
