This is necessary because we registered a separate Let's Encrypt
certificate instead of expanding the certificate we used for
issues.guix.info.
* hydra/nginx/berlin.scm (%berlin-servers): Separate server
configurations for issues.guix.info and issues.guix.gnu.org.
* hydra/machines-for-berlin.scm (x86_64->qemu-armhf,
x86_64->qemu-aarch64): New procedures; use them to add five virtual
build nodes for both architectures.
Now that ci.guix.info points directly to berlin, we can avoid
depending on the guixsd.org zone by using ci.guix.info as the origin.
* cdn/terraform/cloudfront.tf (locals) <default_behavior>
<do_not_cache_behavior>: Change target_origin_id to "ci.guix.info".
The berlin-mirror-certificate ACM certificate is safe to delete, since
it was only used by the berlin-mirror CloudFront distribution, which
has already been removed.
* cdn/terraform/acm.tf (berlin-mirror-certificate): Remove it.
The berlin-mirror CloudFront distribution is safe to delete because it
is not currently being used. The charlie-distribution CloudFront
distribution has replaced it.
* cdn/terraform/cloudfront.tf (berlin-mirror, berlin-mirror-id)
(berlin-mirror-enabled, berlin-mirror-status)
(berlin-mirror-domain-name): Remove these.
* doc/refcard/guix-refcard.lout (Managing the Operating System)
(Building and Running Containers, Building Virtual Machines)
(Building Operating System Images)
(Inspecting an Operating System, Declaring an Operating System): New
sections.
* hydra/modules/sysadmin/dns.scm (guix.gnu.org.zone) <ci>: Change this
CNAME record's value to d1aw3orh0yrgph.cloudfront.net
(guix.gnu.org-zone) <serial>: Increment it.
* hydra/modules/sysadmin/dns.scm (guix.gnu.org.zone) <@>: Add CAA
records allowing "letsencrypt", "amazon.com", "amazontrust.com",
"awstrust.com", and "amazonaws.com" to issue certificates. This was
not required for the guix.info zone because it lacked CAA records, but
the gnu.org zone already has a CAA record, so here it is required.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
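
The CAA inheritance that the commit message above relies on, as an added example (not part of the commit or of the repository it belongs to): a CA looks for CAA records at the requested name and then at each parent, and uses the first set it finds (RFC 8659). Assumptions: all zone data is constructed, "ca.example" is a placeholder for whatever the gnu.org record allows, "letsencrypt.org" is Let's Encrypt's CAA issuer identifier, and wildcard ("issuewild") handling is left out.

```python
# CAA lookup per RFC 8659: climb from the name toward the root and use the
# first CAA RRset found. All records below are constructed sample data.
GUIX_ISSUERS = ["letsencrypt.org", "amazon.com", "amazontrust.com",
                "awstrust.com", "amazonaws.com"]

# Before the change: only the parent zone publishes CAA ("ca.example" is a
# placeholder issuer; the page does not say what gnu.org's record contains).
BEFORE = {"gnu.org": [("issue", "ca.example")]}

# After the change: guix.gnu.org publishes its own CAA RRset at the apex.
AFTER = dict(BEFORE)
AFTER["guix.gnu.org"] = [("issue", ca) for ca in GUIX_ISSUERS]


def relevant_rrset(fqdn, caa_db):
    """Return (owner_name, rrset) for the closest name that has CAA records."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if caa_db.get(owner):
            return owner, caa_db[owner]
    return None, []  # no CAA anywhere on the path


def may_issue(fqdn, ca_domain, caa_db):
    """True if ca_domain may issue a non-wildcard certificate for fqdn."""
    _, rrset = relevant_rrset(fqdn, caa_db)
    # Keep only the issuer domain; parameters after ';' are ignored here.
    issuers = [value.split(";")[0].strip().lower()
               for tag, value in rrset if tag.lower() == "issue"]
    if not issuers:
        return True  # no "issue" property: CAA does not restrict issuance
    return ca_domain.lower() in issuers  # 'issue ";"' yields [""]: deny all


if __name__ == "__main__":
    for name, ca in [("ci.guix.info", "amazon.com"),
                     ("ci.guix.gnu.org", "amazon.com"),
                     ("issues.guix.gnu.org", "letsencrypt.org")]:
        print(name, ca, "before:", may_issue(name, ca, BEFORE),
              "after:", may_issue(name, ca, AFTER))
```

Once guix.gnu.org has its own CAA set, the parent's record no longer applies to names under it, so every CA that must issue for those names has to be listed there.
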
This is a followup to 49c30276eb.
* hydra/berlin.scm (services): Add our NGINX-SERVICE-TYPE instance and
remove use of 'modify-services', which was not matching anything.
These were unused since commit
a94e1be874.
* hydra/nginx/berlin-locations.conf,
hydra/nginx/berlin.conf: Remove.
* hydra/modules/sysadmin/services.scm (frontend-services): Add
NGINX-SERVICE-TYPE only when NGINX-CONFIG-FILE is true.
* hydra/berlin.scm (services): Remove #:nginx-config-file argument to
'frontend-services'.
* hydra/modules/sysadmin/dns.scm (berlin-ip6): New variable.
(guix.gnu.org.zone): Change "@" to point to berlin rather than gnu.org.
Add "issues" A and AAAA records.
ACM requires us to create a CNAME under ci.guix.gnu.org to prove
domain ownership. It does not require ci.guix.gnu.org itself to be a
CNAME; we can make ci.guix.gnu.org whatever we want.
* hydra/modules/sysadmin/dns.scm (guix.gnu.org.zone) <ci>: Remove this
CNAME record.
<_82c0b5947777eb0bee604d5d2061d85f.ci>: New CNAME.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Suggested by Rubén Rodriguez.
* hydra/modules/sysadmin/dns.scm (guix.gnu.org.zone): Remove "ns1" and
"ns2" NS records. That way, gnu.org can answer for us.
Note that this only turns on the CloudFront distribution. It does not
cause client requests to be sent to the distribution. That will only
happen after we flip the DNS record for ci.guix.info, also.
* cdn/terraform/cloudfront.tf (berlin-mirror) <enabled>: Change to true.