;; OS configuration for bayfront
;; Copyright © 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès <ludo@gnu.org>
;; Copyright © 2016, 2017, 2018, 2019, 2020 Andreas Enge <andreas@enge.fr>
;; Copyright © 2017, 2019 Ricardo Wurmus <rekado@elephly.net>
;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
;; Copyright © 2020, 2021 Christopher Baines <mail@cbaines.net>
;; Copyright © 2020, 2021 Tobias Geerinckx-Rice <me@tobias.gr>
;; Released under the GNU GPLv3 or any later version.
(use-modules (gnu) (guix) (guix packages) (guix git)
(sysadmin people) (sysadmin services)
(sysadmin dns) (sysadmin web))
(use-service-modules admin avahi base certbot databases dns
monitoring networking shepherd ssh web mcron guix)
(use-package-modules admin certs ci databases linux ssh tls vim
package-management web wget)
(define %sysadmins
  ;; The sysadmins.  This list is handed to 'sysadmin-service-type' in the
  ;; 'services' field below; key files are resolved relative to this file
  ;; by 'local-file'.  What 'restricted? #t' grants or withholds is defined
  ;; in (sysadmin people) -- presumably a reduced set of privileges; check
  ;; there before adding an entry.
  (list (sysadmin (name "andreas")
                  (full-name "Andreas Enge")
                  (ssh-public-key (local-file "keys/ssh/andreas.pub")))
        (sysadmin (name "marusich")
                  (full-name "Chris Marusich")
                  (ssh-public-key (local-file "keys/ssh/marusich.pub"))
                  (restricted? #t))
        (sysadmin (name "cbaines")
                  (full-name "Christopher Baines")
                  (ssh-public-key (local-file "keys/ssh/cbaines.pub")))
        (sysadmin (name "dannym")
                  (full-name "Danny Milosavljevic")
                  (ssh-public-key (local-file "keys/ssh/dannym.pub"))
                  (restricted? #t))
        (sysadmin (name "efraim")
                  (full-name "Efraim Flashner")
                  (ssh-public-key (local-file "keys/ssh/efraim.pub"))
                  (restricted? #t))
        (sysadmin (name "kuba")
                  (full-name "Jakub Kądziołka")
                  (ssh-public-key (local-file "keys/ssh/kuba.pub"))
                  (restricted? #t))
        (sysadmin (name "roptat")
                  (full-name "Julien Lepiller")
                  (ssh-public-key (local-file "keys/ssh/roptat.pub"))
                  (restricted? #t))
        (sysadmin (name "ludo")
                  (full-name "Ludovic Courtès")
                  (ssh-public-key (local-file "keys/ssh/ludo.pub")))
        (sysadmin (name "rekado")
                  (full-name "Ricardo Wurmus")
                  (ssh-public-key (local-file "keys/ssh/rekado.pub")))
        (sysadmin (name "mathieu")
                  (full-name "Mathieu Othacehe")
                  (ssh-public-key (local-file "keys/ssh/mathieu.pub")))

        ;; Not a sysadmin in any sense, but has access for the length of their
        ;; Outreachy internship to speed up their work.  nckx will help them.
        ;; TODO(review): remove this entry once the internship ends.
        (sysadmin (name "raghavgururajan")
                  (full-name "Raghav Gururajan")
                  (ssh-public-key (local-file "keys/ssh/raghavgururajan.pub"))
                  (restricted? #t))
        (sysadmin (name "nckx")
                  (full-name "Tobias Geerinckx-Rice")
                  (ssh-public-key (local-file "keys/ssh/nckx.pub")))))
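(define %nginx-deploy-hook
  ;; Hook run by certbot once a new certificate is deployed: send SIGHUP to
  ;; the nginx master process so that it reloads its configuration and,
  ;; with it, the renewed certificate.
  (program-file "nginx-deploy-hook"
                #~(let ((pid (call-with-input-file "/var/run/nginx/pid"
                               read)))
                    ;; Only signal a concrete, positive PID: 'read' yields
                    ;; the EOF object on an empty file, and 'kill' with 0 or
                    ;; a negative number targets a process group or every
                    ;; process we may signal instead of nginx.
                    (if (and (exact-integer? pid) (> pid 0))
                        (kill pid SIGHUP)
                        (error "nginx-deploy-hook: no valid PID in /var/run/nginx/pid"
                               pid)))))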
(define %certbot-configuration
  ;; Let's Encrypt setup.  The webroot must match the "root /var/www;" used
  ;; by the "/.well-known" locations of the port-80 server blocks below,
  ;; otherwise the HTTP-01 challenge cannot be served.  One certificate
  ;; covers every name; the deploy hook makes nginx pick it up.
  ;;
  ;; NOTE(review): the HTTPS server blocks reference the lineages
  ;; /etc/letsencrypt/live/hpc.guix.info, .../logs.guix.gnu.org and
  ;; .../guix-hpc.bordeaux.inria.fr, while this single configuration
  ;; (first domain bayfront.guix.gnu.org) does not obviously renew those --
  ;; confirm they are still renewed, or point the server blocks at the
  ;; bayfront.guix.gnu.org lineage.
  (certbot-configuration
   (webroot "/var/www")
   (email "ludovic.courtes@inria.fr")
   (certificates
    (list (certificate-configuration
           (domains '("bayfront.guix.gnu.org"
                      "bordeaux.guix.gnu.org"
                      "logs.guix.gnu.org"
                      "bayfront.guix.info"
                      "hpc.guix.info"
                      "guix-hpc.bordeaux.inria.fr"
                      "coordinator.bayfront.guix.gnu.org"))
           (deploy-hook %nginx-deploy-hook))))))
(define guix-hpc-web-site
  ;; Static hpc.guix.info content, kept up to date from Git by
  ;; 'static-web-site-service-type' (see 'services' below) and served by
  ;; nginx from DIRECTORY.
  (static-web-site-configuration
   (git-url "https://gitlab.inria.fr/guix-hpc/website.git")
   (directory "/srv/guix-hpc-web")))
(define %motd
  ;; Message of the day shown at login, installed through the
  ;; 'login-service-type' modification at the bottom of this file.
  (plain-file "motd"
              "\
░░░ ░░░
░░▒▒░░░░░░░░░ ░░░░░░░░░▒▒░░
░░▒▒▒▒▒░░░░░░░ ░░░░░░░▒▒▒▒▒░
░▒▒▒░░▒▒▒▒▒ ░░░░░░░▒▒░
░▒▒▒▒░ ░░░░░░
▒▒▒▒▒ ░░░░░░
▒▒▒▒▒ ░░░░░
░▒▒▒▒▒ ░░░░░ Welcome to bayfront!
▒▒▒▒▒ ░░░░░
▒▒▒▒▒ ░░░░░
░▒▒▒▒▒░░░░░
▒▒▒▒▒▒░░░
▒▒▒▒▒▒░

Best practices:

1. Store everything in guix-maintenance.git.
2. Use the Git checkouts of Guix and guix-maintenance in ~root.
3. Notify guix-sysadmin@gnu.org when reconfiguring.
4. Notify guix-sysadmin@gnu.org when something goes wrong.

Happy hacking!\n"))
(define gnu-ns1-ip4
  ;; IPv4 address of "ns1.gnu.org".  Used by the Knot configuration below
  ;; both as the only address allowed in the "gnu-transfer" ACL and as the
  ;; "gnu-master" remote that is notified of zone changes.
  "209.51.188.164")
(define %build-node-keys
  ;; Signing keys of the build nodes.  Appended to the guix-daemon
  ;; 'authorized-keys' below, so substitutes signed with them are trusted.
  (list (local-file "keys/guix/harbourfront.guix.info-export.pub")
        (local-file "keys/guix/milano-guix-1.di.unimi.it-export.pub")))
(define %hpcguix-web-channels
  ;; Channels picked up and displayed by hpcguix-web (see the
  ;; 'hpcguix-web-service-type' instance below).  A gexp, since it is
  ;; evaluated on the host where 'channel' comes from (guix channels).
  ;;
  ;; NOTE(review): 'guix-hpc' carries no 'introduction', so checkouts of it
  ;; are authenticated only by the TLS connection to gitlab.inria.fr,
  ;; unlike the two channels below.  Channel contents are Scheme that gets
  ;; evaluated; confirm this is intended or add an introduction.
  #~(append %default-channels
            (list (channel
                   (name 'guix-hpc)
                   (url "https://gitlab.inria.fr/guix-hpc/guix-hpc.git"))
                  (channel
                   (name 'guix-past)
                   (url "https://gitlab.inria.fr/guix-hpc/guix-past")
                   (introduction
                    (make-channel-introduction
                     "0c119db2ea86a389769f4d2b9c6f5c41c027e336"
                     (openpgp-fingerprint
                      "3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5"))))
                  (channel
                   (name 'guix-science)
                   (url "https://github.com/guix-science/guix-science.git")
                   (introduction
                    (make-channel-introduction
                     "b1fe5aaff3ab48e798a4cce02f0212bc91f423dc"
                     (openpgp-fingerprint
                      "CA4F 8CF4 37D7 478F DA05 5FD4 4213 7701 1A37 8446")))))))
(define %bayfront-nginx-service-extra-config
  ;; Directives spliced into the http {} block of nginx.conf through the
  ;; 'extra-content' field of 'nginx-configuration' below.  The four
  ;; proxy_cache_path zones (nar, cas, logs, static) are declared here, but
  ;; no location in this file references them with 'proxy_cache', so for
  ;; now they only reserve their keys_zone memory.
  "
sendfile on;

# Maximum chunk size to send. Partly this is a workaround
# for <http://bugs.gnu.org/19939>, but also the nginx docs
# mention that \"Without the limit, one fast connection may
# seize the worker process entirely.\"
# <http://nginx.org/en/docs/http/ngx_http_core_module#sendfile_max_chunk>
sendfile_max_chunk 1m;

keepalive_timeout 65;

# Use HTTP 1.1 to talk to the backend so we benefit from
# keep-alive connections and chunked transfer encoding. The
# latter allows us to make sure we do not cache partial downloads.
proxy_http_version 1.1;

# The 'inactive' parameter for caching is not very useful in our
# case: all that matters is that LRU sweeping happens when
# 'max_size' is hit.

# cache for nar files
proxy_cache_path /var/cache/nginx/nar
levels=2
inactive=8d # inactive keys removed after 8d
keys_zone=nar:4m # nar cache meta data: ~32K keys
max_size=10g; # total cache data size max

# cache for content-addressed files
proxy_cache_path /var/cache/nginx/cas
levels=2
inactive=180d # inactive keys removed after 180d
keys_zone=cas:8m # nar cache meta data: ~64K keys
max_size=50g; # total cache data size max

# cache for build logs
proxy_cache_path /var/cache/nginx/logs
levels=2
inactive=60d # inactive keys removed after 60d
keys_zone=logs:8m # narinfo meta data: ~64K keys
max_size=4g; # total cache data size max

# cache for static data
proxy_cache_path /var/cache/nginx/static
levels=1
inactive=10d # inactive keys removed after 10d
keys_zone=static:1m # nar cache meta data: ~8K keys
max_size=200m; # total cache data size max
")
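(define %hpc.guix.info-nginx-servers
  ;; Virtual hosts for hpc.guix.info: the static site checked out by
  ;; 'guix-hpc-web-site' plus the hpcguix-web package browser, proxied from
  ;; localhost:5000 with a redirect to the GNU package list whenever that
  ;; backend does not answer in time.
  (let ((common-locations
         (list
          (nginx-location-configuration
           (uri "/")
           (body '("root /srv/guix-hpc-web;")))

          ;; For the package browsing interface: target of the 'error_page'
          ;; fallbacks below.
          (nginx-named-location-configuration
           (name "gnupackages")
           (body '("return 307 https://www.gnu.org/software/guix/packages/;")))
          (nginx-location-configuration
           (uri "/browse")
           (body '("proxy_pass http://localhost:5000;
rewrite .* / break;
proxy_connect_timeout 3s;
proxy_read_timeout 2s;
error_page 500 502 503 504 = @gnupackages;")))
          (nginx-location-configuration
           (uri "/package")
           (body '("proxy_pass http://localhost:5000;
proxy_connect_timeout 3s;
proxy_read_timeout 2s;
error_page 500 502 503 504 = @gnupackages;")))

          ;; JS for hpcguix-web
          (nginx-location-configuration
           (uri "~ /static/.*\\.js")
           (body '("proxy_pass http://localhost:5000;")))

          ;; Licensing info for hpcguix-web JS code
          (nginx-location-configuration
           (uri "/javascript")
           (body '("proxy_pass http://localhost:5000;")))
          (nginx-location-configuration
           (uri "~ /static/images/sort_.*\\.png")
           (body '("proxy_pass http://localhost:5000;")))
          (nginx-location-configuration ; Videos
           (uri "/static/videos")
           (body '("root /srv/guix-hpc-videos;"))))))

    (list
     (nginx-server-configuration
      (server-name '("hpc.guix.info"))
      (listen '("80"))
      (raw-content
       '("
access_log /var/log/nginx/guix-hpc.access.log;"))
      (locations
       (append
        common-locations
        (list
         (nginx-location-configuration ; For use by Certbot
          (uri "/.well-known")
          (body '("root /var/www;")))))))

     (nginx-server-configuration
      (server-name '("hpc.guix.info"))
      (listen '("443 ssl"))
      (ssl-certificate "/etc/letsencrypt/live/hpc.guix.info/fullchain.pem")
      (ssl-certificate-key "/etc/letsencrypt/live/hpc.guix.info/privkey.pem")
      (root "/srv/guix-hpc-web")
      ;; TLS policy.  'ssl_ciphers HIGH:!aNULL:!MD5' still admits
      ;; non-forward-secret RSA key exchange and CBC suites; tightening it is
      ;; left as a follow-up since every HTTPS host in this file shares it.
      (raw-content
       '("
# Only offer TLS 1.2 and 1.3: SSLv3 and TLS 1.0/1.1 are deprecated
# (RFC 7568, RFC 8996) and only weaken the handshake.
ssl_protocols TLSv1.2 TLSv1.3;

# Disable weak cipher suites.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

# Use our own DH parameters created with:
# openssl dhparam -out dhparams.pem 2048
# as suggested at <https://weakdh.org/sysadmin.html>.
ssl_dhparam /etc/dhparams.pem;

access_log /var/log/nginx/guix-hpc.access.log;"))
      (locations common-locations)))))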
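(define %guix-hpc.bordeaux.inria.fr-nginx-servers
  ;; Legacy name, kept only for redirects: substitute-related paths go to
  ;; guix.bordeaux.inria.fr, everything else to hpc.guix.info.  The HTTPS
  ;; host exists so that old https:// links keep working.
  (let ((common-locations
         (list
          (nginx-location-configuration
           (uri "~ ^/nix-cache-info$")
           (body
            '("return 301 $scheme://guix.bordeaux.inria.fr/nix-cache-info;")))
          (nginx-location-configuration
           (uri "~ /(.*\\.narinfo)")
           (body
            '("return 301 $scheme://guix.bordeaux.inria.fr/$1;")))
          (nginx-location-configuration
           (uri "~ /nar/(.*)")
           (body
            '("return 301 $scheme://guix.bordeaux.inria.fr/nar/$1;")))
          ;; Catch-all.  nginx tries regexp locations in order of
          ;; appearance, so this must stay after the more specific ones.
          (nginx-location-configuration
           (uri "~ /(.*)")
           (body
            '("return 301 $scheme://hpc.guix.info/$1;"))))))

    (list
     (nginx-server-configuration
      (server-name '("guix-hpc.bordeaux.inria.fr"))
      (listen '("80"))
      (raw-content
       '("
access_log /var/log/nginx/guix-hpc.access.log;"))
      (locations
       (append
        common-locations
        (list
         ;; For use by Certbot.  The "^~" modifier is needed here: without
         ;; it the "~ /(.*)" regexp above wins over this prefix location and
         ;; the ACME challenge is answered with a redirect to hpc.guix.info
         ;; instead of being served from the local webroot.
         (nginx-location-configuration
          (uri "^~ /.well-known")
          (body '("root /var/www;")))))))

     (nginx-server-configuration
      (server-name '("guix-hpc.bordeaux.inria.fr"))
      (listen '("443 ssl"))
      (ssl-certificate
       "/etc/letsencrypt/live/guix-hpc.bordeaux.inria.fr/fullchain.pem")
      (ssl-certificate-key
       "/etc/letsencrypt/live/guix-hpc.bordeaux.inria.fr/privkey.pem")
      ;; TLS policy, identical to the other HTTPS hosts in this file.
      (raw-content
       '("
# Only offer TLS 1.2 and 1.3: SSLv3 and TLS 1.0/1.1 are deprecated
# (RFC 7568, RFC 8996) and only weaken the handshake.
ssl_protocols TLSv1.2 TLSv1.3;

# Disable weak cipher suites.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

# Use our own DH parameters created with:
# openssl dhparam -out dhparams.pem 2048
# as suggested at <https://weakdh.org/sysadmin.html>.
ssl_dhparam /etc/dhparams.pem;

access_log /var/log/nginx/guix-hpc.access.log;"))
      (locations common-locations)))))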
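(define %logs.guix.gnu.org-nginx-servers
  ;; logs.guix.gnu.org: everything is proxied to whatever listens on
  ;; localhost:3333 (not configured in this file).  Port 80 only adds the
  ;; Certbot challenge directory.
  (let ((common-locations
         (list
          (nginx-location-configuration
           (uri "/")
           (body '("proxy_pass http://localhost:3333/;"))))))

    (list
     (nginx-server-configuration
      (server-name '("logs.guix.gnu.org"))
      (listen '("80"))
      (raw-content
       '("
access_log /var/log/nginx/logs.access.log;"))
      (locations
       (append
        common-locations
        (list
         (nginx-location-configuration ; For use by Certbot
          (uri "/.well-known")
          (body '("root /var/www;")))))))

     (nginx-server-configuration
      (server-name '("logs.guix.gnu.org"))
      (listen '("443 ssl"))
      (ssl-certificate
       "/etc/letsencrypt/live/logs.guix.gnu.org/fullchain.pem")
      (ssl-certificate-key
       "/etc/letsencrypt/live/logs.guix.gnu.org/privkey.pem")
      ;; TLS policy, identical to the other HTTPS hosts in this file.
      (raw-content
       '("
# Only offer TLS 1.2 and 1.3: SSLv3 and TLS 1.0/1.1 are deprecated
# (RFC 7568, RFC 8996) and only weaken the handshake.
ssl_protocols TLSv1.2 TLSv1.3;

# Disable weak cipher suites.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

# Use our own DH parameters created with:
# openssl dhparam -out dhparams.pem 2048
# as suggested at <https://weakdh.org/sysadmin.html>.
ssl_dhparam /etc/dhparams.pem;

access_log /var/log/nginx/logs.access.log;"))
      (locations common-locations)))))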
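(define %coordinator.bayfront.guix.gnu.org-nginx-servers
  ;; Front end for the Guix Build Coordinator, which itself only listens on
  ;; 127.0.0.1:8745 (see 'agent-communication-uri-string' below) and is
  ;; reached through the "guix-build-coordinator-proxy" upstream.  Port 80
  ;; serves nothing but the Certbot challenge directory.
  (list
   (nginx-server-configuration
    (server-name '("coordinator.bayfront.guix.gnu.org"))
    (listen '("80"))
    (locations
     (list
      (nginx-location-configuration ; For use by Certbot
       (uri "/.well-known")
       ;; Flat list of directives, like the other server blocks in this
       ;; file; the nested '(("...")) form appeared to rely on the
       ;; serializer flattening it.
       (body '("root /var/www;"))))))

   (nginx-server-configuration
    (server-name '("coordinator.bayfront.guix.gnu.org"))
    (listen '("443 ssl"))
    (ssl-certificate
     "/etc/letsencrypt/live/bayfront.guix.gnu.org/fullchain.pem")
    (ssl-certificate-key
     "/etc/letsencrypt/live/bayfront.guix.gnu.org/privkey.pem")
    ;; TLS policy identical to the other HTTPS hosts.  The request body size
    ;; limit is lifted, presumably because agents upload build outputs
    ;; through this host.
    (raw-content
     '("
# Only offer TLS 1.2 and 1.3: SSLv3 and TLS 1.0/1.1 are deprecated
# (RFC 7568, RFC 8996) and only weaken the handshake.
ssl_protocols TLSv1.2 TLSv1.3;

# Disable weak cipher suites.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

# Use our own DH parameters created with:
# openssl dhparam -out dhparams.pem 2048
# as suggested at <https://weakdh.org/sysadmin.html>.
ssl_dhparam /etc/dhparams.pem;

client_max_body_size 0;
client_body_buffer_size 128K;

access_log /var/log/nginx/coordinator.access.log;

proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"))
    (locations
     (list (nginx-location-configuration
            (uri "/")
            (body '("try_files $uri $uri/ @guix-build-coordinator;")))
           (nginx-named-location-configuration
            (name "guix-build-coordinator")
            ;; NOTE: nginx inherits 'proxy_set_header' all-or-nothing, so
            ;; the server-level X-Forwarded-Host/Port headers above are not
            ;; sent from this location -- only the two listed here.
            (body '("proxy_pass http://guix-build-coordinator-proxy;"
                    "proxy_http_version 1.1;"
                    "proxy_set_header Host $host;"
                    "proxy_set_header X-Forwarded-For $remote_addr;"
                    "proxy_request_buffering off;"

                    "gzip on;"
                    "gzip_types text/html application/json;"
                    "gzip_proxied any;"))))))))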
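(define %bayfront.guix.gnu.org-nginx-servers
  ;; Substitute server: narinfos and nars written by the coordinator's
  ;; build-success hook under /var/lib/nars (see 'publish-directory' below).
  ;; /nix-cache-info advertises the store prefix and priority to
  ;; 'guix substitute'.
  (let ((common-locations
         (list
          (nginx-location-configuration
           (uri "= /nix-cache-info")
           (body '("
return 200 'StoreDir: /gnu/store\nWantMassQuery: 0\nPriority: 100\n';
add_header Content-Type text/plain;")))
          (nginx-location-configuration
           (uri "= /404")
           (body '("
return 404 '404';
add_header Content-Type text/plain;")))
          (nginx-location-configuration
           (uri "~ \\.narinfo$")
           (body '("
root /var/lib/nars;

error_page 404 /404;

# For HTTP pipelining. This has a dramatic impact on performance.
client_body_buffer_size 128k;

# Narinfos requests are short, serve many of them on a connection.
keepalive_requests 20000;

add_header Content-Type text/plain;
")))
          (nginx-location-configuration
           (uri "/nar/")
           (body '("
root /var/lib/nars;

error_page 404 /404;

client_body_buffer_size 256k;

# Nars are already compressed.
gzip off;
"))))))

    (list
     (nginx-server-configuration
      (server-name '("bayfront.guix.gnu.org"))
      (listen '("80"))
      (raw-content
       '("
access_log /var/log/nginx/http.access.log;

proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"))
      (locations
       (append
        common-locations
        (list
         (nginx-location-configuration ; For use by Certbot
          (uri "/.well-known")
          ;; Flat list like the other server blocks; the nested '(("..."))
          ;; form appeared to rely on the serializer flattening it.
          (body '("root /var/www;")))))))

     (nginx-server-configuration
      (server-name '("bayfront.guix.gnu.org"))
      (listen '("443 ssl"))
      (ssl-certificate
       "/etc/letsencrypt/live/bayfront.guix.gnu.org/fullchain.pem")
      (ssl-certificate-key
       "/etc/letsencrypt/live/bayfront.guix.gnu.org/privkey.pem")
      ;; TLS policy, identical to the other HTTPS hosts in this file.
      (raw-content
       '("
# Only offer TLS 1.2 and 1.3: SSLv3 and TLS 1.0/1.1 are deprecated
# (RFC 7568, RFC 8996) and only weaken the handshake.
ssl_protocols TLSv1.2 TLSv1.3;

# Disable weak cipher suites.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

# Use our own DH parameters created with:
# openssl dhparam -out dhparams.pem 2048
# as suggested at <https://weakdh.org/sysadmin.html>.
ssl_dhparam /etc/dhparams.pem;

access_log /var/log/nginx/https.access.log;

proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"))
      (locations common-locations)))))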
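(define %bordeaux.guix.gnu.org-nginx-servers
  ;; bordeaux.guix.gnu.org: the same substitute locations as
  ;; bayfront.guix.gnu.org, plus a landing page from nginx/html/bordeaux
  ;; and the coordinator's build logs under /build/.  The log locations
  ;; need the gzip_static/gunzip modules enabled on the nginx package
  ;; below.
  (let ((common-locations
         (list
          (nginx-location-configuration
           (uri "= /nix-cache-info")
           (body '("
return 200 'StoreDir: /gnu/store\nWantMassQuery: 0\nPriority: 100\n';
add_header Content-Type text/plain;")))
          (nginx-location-configuration
           (uri "= /404")
           (body '("
return 404 '404';
add_header Content-Type text/plain;")))
          (nginx-location-configuration
           (uri "~ \\.narinfo$")
           (body '("
root /var/lib/nars;

error_page 404 /404;

# For HTTP pipelining. This has a dramatic impact on performance.
client_body_buffer_size 128k;

# Narinfos requests are short, serve many of them on a connection.
keepalive_requests 20000;

add_header Content-Type text/plain;
")))
          (nginx-location-configuration
           (uri "/nar/")
           (body '("
root /var/lib/nars;

error_page 404 /404;

client_body_buffer_size 256k;

# Nars are already compressed.
gzip off;
")))
          (nginx-location-configuration
           (uri "~ \"\\/build\\/([a-z0-9-]{36})$\"")
           ;; At some point a detailed page for each build would be
           ;; nice, but for now, just show the log file.
           (body '("rewrite /(.*) /$1/log last;")))
          (nginx-location-configuration
           (uri "~ /build/(.*)/log$")
           ;; NOTE(review): the capture feeds 'alias'.  nginx normalises
           ;; ".." before matching, but a pattern as narrow as the one above
           ;; ([a-z0-9-]{36}) would be the consistent, safer choice.
           (body '("alias /var/lib/guix-build-coordinator/build-logs/$1/log;"
                   "gzip_static always;"
                   "gunzip on;"))))))

    (list
     (nginx-server-configuration
      (server-name '("bordeaux.guix.gnu.org"))
      (listen '("80"))
      (root (local-file "nginx/html/bordeaux" #:recursive? #t))
      (raw-content
       '("
access_log /var/log/nginx/bordeaux.access.log;"))
      (locations
       (append
        common-locations
        (list
         (nginx-location-configuration ; For use by Certbot
          (uri "/.well-known")
          ;; Flat list like the other server blocks; the nested '(("..."))
          ;; form appeared to rely on the serializer flattening it.
          (body '("root /var/www;")))))))

     (nginx-server-configuration
      (server-name '("bordeaux.guix.gnu.org"))
      (listen '("443 ssl"))
      (root (local-file "nginx/html/bordeaux" #:recursive? #t))
      (ssl-certificate
       "/etc/letsencrypt/live/bayfront.guix.gnu.org/fullchain.pem")
      (ssl-certificate-key
       "/etc/letsencrypt/live/bayfront.guix.gnu.org/privkey.pem")
      ;; TLS policy, identical to the other HTTPS hosts in this file.
      (raw-content
       '("
# Only offer TLS 1.2 and 1.3: SSLv3 and TLS 1.0/1.1 are deprecated
# (RFC 7568, RFC 8996) and only weaken the handshake.
ssl_protocols TLSv1.2 TLSv1.3;

# Disable weak cipher suites.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

# Use our own DH parameters created with:
# openssl dhparam -out dhparams.pem 2048
# as suggested at <https://weakdh.org/sysadmin.html>.
ssl_dhparam /etc/dhparams.pem;

access_log /var/log/nginx/bordeaux.access.log;"))
      (locations common-locations)))))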
(define %guix-build-coordinator-configuration
  ;; The coordinator side of the build farm (the agent running on this same
  ;; machine is configured separately below).  Everything wrapped in #~ runs
  ;; inside the coordinator process; 'args' in the hook lambdas is whatever
  ;; the coordinator hands to that hook.
  (let* ((data.guix.gnu.org-build-event-destination
          ;; Build events are sent to the Guix Data Service.  The API token
          ;; is read from /etc at hook time rather than being written into
          ;; the store; it still ends up in the URL query string, so keep it
          ;; out of request logging on the receiving side.
          #~(string-append
             "https://data.guix.gnu.org"
             "/build-server/2/build-events?token="
             (string-trim-right
              (call-with-input-file
                  "/etc/guix-build-coordinator/data.guix.gnu.org-token"
                get-string-all))))
         (data.guix-patches.cbaines.net-build-event-destination
          ;; Same, for the guix-patches instance of the Data Service.
          #~(string-append
             "https://data.guix-patches.cbaines.net"
             "/build-server/2/build-events?token="
             (string-trim-right
              (call-with-input-file
                  "/etc/guix-build-coordinator/data.guix-patches.cbaines.net-token"
                get-string-all))))
         (publish-directory
          ;; Where narinfos and nars are written on success; this is the
          ;; 'root' of the narinfo and /nar/ locations of the
          ;; bayfront.guix.gnu.org and bordeaux.guix.gnu.org server blocks.
          "/var/lib/nars")
         (recompress-log-file-hook
          ;; Recompress the build log to gzip, matching the daemon's
          ;; 'log-compression' setting below.
          #~(apply ((@ (guix-build-coordinator hooks)
                       build-recompress-log-file-hook)
                    #:recompress-to 'gzip)
                   args)))

    ;; Return a gexp that forwards the current hook's 'args' to both Data
    ;; Service instances through the hook procedure named EVENT-HOOK.
    ;; (ice-9 textual-ports) provides the 'get-string-all' used when the
    ;; destination gexps above read their tokens.
    (define (send-guix-data-service-event event-hook)
      #~(begin
          (use-modules (ice-9 textual-ports))

          (apply ((@ (guix-build-coordinator hooks)
                     #$event-hook)
                  #$data.guix.gnu.org-build-event-destination)
                 args)
          (apply ((@ (guix-build-coordinator hooks)
                     #$event-hook)
                  #$data.guix-patches.cbaines.net-build-event-destination)
                 args)))

    (guix-build-coordinator-configuration
     (agent-communication-uri-string
      "http://127.0.0.1:8745")          ; only listen locally
     (allocation-strategy
      #~derivation-ordered-build-allocation-strategy)
     (hooks
      `((build-submitted
         . ,#~(lambda args
                #$(send-guix-data-service-event
                   'build-submitted-send-event-to-guix-data-service-hook)))
        (build-started
         . ,#~(lambda args
                #$(send-guix-data-service-event
                   'build-started-send-event-to-guix-data-service-hook)))
        (build-success
         . ,#~(lambda args
                (use-modules (gcrypt pk-crypto)) ; for read-file-sexp

                #$recompress-log-file-hook
                ;; Publish the outputs as signed narinfos and nars under
                ;; PUBLISH-DIRECTORY.
                (apply ((@ (guix-build-coordinator hooks)
                           build-success-publish-hook)
                        #$publish-directory
                        ;; These should be the same as
                        ;; /etc/guix/... but are copied here so that
                        ;; they can be read by the Guix Build
                        ;; Coordinator
                        #:public-key
                        (read-file-sexp
                         "/etc/guix-build-coordinator/signing-key.pub")
                        #:private-key
                        (read-file-sexp
                         "/etc/guix-build-coordinator/signing-key.sec"))
                       args)
                #$(send-guix-data-service-event
                   'build-success-send-event-to-guix-data-service-hook)
                (apply (@ (guix-build-coordinator hooks)
                          default-build-success-hook)
                       args)))
        (build-failure
         . ,#~(lambda args
                #$recompress-log-file-hook
                (apply ((@ (guix-build-coordinator hooks)
                           build-failure-retry-hook))
                       args)
                #$(send-guix-data-service-event
                   'build-failure-send-event-to-guix-data-service-hook)
                (apply (@ (guix-build-coordinator hooks)
                          default-build-failure-hook)
                       args)))
        (build-canceled
         . ,#~(lambda args
                #$(send-guix-data-service-event
                   'build-canceled-send-event-to-guix-data-service-hook)
                (apply (@ (guix-build-coordinator hooks)
                          default-build-canceled-hook)
                       args)))
        (build-submit-outputs
         ;; Presumably decides whether the agent should submit the outputs
         ;; of build UUID: yes as soon as one of them has no narinfo under
         ;; PUBLISH-DIRECTORY yet.
         . ,#~(begin
                (use-modules (srfi srfi-1)
                             (guix-build-coordinator coordinator)
                             (guix-build-coordinator datastore))

                (lambda (build-coordinator uuid)
                  (any (lambda (output)
                         (let* ((output-hash
                                 ;; Skip the 11-character "/gnu/store/"
                                 ;; prefix and keep the 32-character hash
                                 ;; that names the narinfo file.
                                 (string-take
                                  (string-drop (assq-ref output 'output) 11)
                                  32))
                                (narinfo
                                 (string-append #$publish-directory "/"
                                                output-hash ".narinfo")))
                           (not (file-exists? narinfo))))
                       (datastore-list-build-outputs
                        (build-coordinator-datastore build-coordinator) uuid))))))))))
(operating-system
  (host-name "bayfront")
  (timezone "Europe/Paris")
  (locale "en_US.UTF-8")

  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/sda")
               (terminal-outputs '(console))))

  ;; Root file system on a RAID array spanning both disks.
  (mapped-devices (list (mapped-device
                         (source (list "/dev/sda2" "/dev/sdb2"))
                         (target "/dev/md0")
                         (type raid-device-mapping))))
  (file-systems (cons* (file-system
                         (device "/dev/md0")
                         (mount-point "/")
                         (type "ext4")
                         (dependencies mapped-devices))
                       (file-system
                         ;; This is how Goggles' IRC network is currently configured :-)
                         ;; Bind-mounting the ZNC logs under /var/www/.well-known
                         ;; makes them reachable through the "/.well-known"
                         ;; locations of every port-80 virtual host below, i.e.
                         ;; they are public by design.
                         (device "/home/rekado/.znc/users/bayfront-log/networks/libera/moddata/log")
                         (mount-point "/var/www/.well-known/all-logs")
                         (type "none")
                         (flags '(bind-mount))
                         (check? #f))
                       %base-file-systems))

  (swap-devices '("/swap"))

  (kernel linux-libre-5.10)

  ;; Add a kernel module for RAID-10.
  (initrd-modules (cons "raid10" %base-initrd-modules))

  (packages (cons* certbot wget iptables jnettop
                   mdadm vim lm-sensors openssh
                   nss-certs guix-build-coordinator
                   %base-packages))

  (services
   (cons*
    ;; TODO: create a bonding interface over ens9 + ens10
    ;; TODO: configure ens10 as with:
    ;; ip a add dev ens10 2a01:474:0::56/48
    ;; ip -6 route add default via 2a01:474:0::126
    (static-networking-service
     "ens10" "185.233.100.56"
     #:netmask "255.255.255.128"
     #:gateway "185.233.100.126"
     #:name-servers '("185.233.100.100" "185.233.100.101"))

    ;; Alternate interface.
    (static-networking-service
     "ens9" "185.233.100.57"
     #:netmask "255.255.255.128"
     ;; Don't repeat #:gateway and #:name-servers.
     )

    ;; Make SSH and HTTP/HTTPS available over Tor.  SSH stays key-only
    ;; there too: see the 'openssh-service-type' modification at the end.
    (tor-hidden-service "http"
                        '((22 "127.0.0.1:22")
                          (80 "127.0.0.1:80")
                          (443 "127.0.0.1:443")))
    (service tor-service-type)

    (service prometheus-node-exporter-service-type)

    (service ntp-service-type)

    ;; DNS: serve the guix.gnu.org zone from (sysadmin dns).  Only berlin
    ;; and ns1.gnu.org may transfer it and ns1.gnu.org is notified of
    ;; changes, so this host appears to act as the zone's primary.  DNSSEC
    ;; signing is currently disabled (commented out below).
    (service knot-service-type
             (knot-configuration
              (zones (list (knot-zone-configuration
                            (inherit guix.gnu.org-zone)
                            (zonefile-load 'difference-no-serial)
                            ;; (dnssec-policy "default")
                            (acl '("transfer-allow"
                                   "gnu-transfer"))
                            (notify '("gnu-master")))))
              (acls (list (knot-acl-configuration
                           (id "transfer-allow")
                           (address (list berlin-ip4))
                           (action '(transfer)))
                          (knot-acl-configuration
                           (id "gnu-transfer")
                           (address (list gnu-ns1-ip4))
                           (action '(transfer)))))

              (remotes (list (knot-remote-configuration
                              (id "gnu-master")
                              (address (list gnu-ns1-ip4)))))))

    ;; Running hpc.guix.info.
    (service static-web-site-service-type
             guix-hpc-web-site)

    ;; hpcguix-web as it can be seen at
    ;; <https://hpc.guix.info/browse>.
    (service hpcguix-web-service-type
             (hpcguix-web-configuration
              (specs
               #~(begin
                   (use-modules (guix channels))

                   (define site-config
                     (hpcweb-configuration
                      (title-prefix "Guix-HPC — ")
                      (package-filter-proc (const #t))
                      ;; Link each package page to its history in the Data
                      ;; Service.  NOTE(review): this is a plain http:// link
                      ;; although data.guix.gnu.org is reached over https
                      ;; everywhere else in this file.
                      (package-page-extension-proc
                       (lambda (path)
                         (let ((url (string-append
                                     "http://data.guix.gnu.org"
                                     "/repository/1/branch/master/package/"
                                     (basename path))))
                           `(div
                             (a (@ (href ,url))
                                "View package version history.")))))
                      (menu '(("/about" "ABOUT")
                              ("/browse" "BROWSE")
                              ("/blog" "BLOG")))
                      (channels #$%hpcguix-web-channels)))))))

    (service certbot-service-type %certbot-configuration)
    (service goggles-service-type)

    ;; Keep the store from filling up: at 04:00 run 'guix gc -F' with
    ;; THRESHOLD bytes, at 16:00 with half of it.
    (service mcron-service-type
             (mcron-configuration
              (jobs
               (let ((threshold (* 800 GiB)))
                 (list #~(job '(next-hour '(4))
                              (string-append
                               #$guix "/bin/guix gc -F"
                               #$(number->string threshold)))

                       ;; Half a day later, make sure
                       ;; half of our quota is available.
                       #~(job '(next-hour '(16))
                              (string-append
                               #$guix "/bin/guix gc -F"
                               #$(number->string
                                  (quotient threshold 2)))))))))

    firewall-service

    (service openssh-service-type)
    (service sysadmin-service-type %sysadmins)

    ;; nginx, rebuilt with the gzip_static and gunzip modules used by the
    ;; build-log locations of bordeaux.guix.gnu.org.
    (service nginx-service-type
             (nginx-configuration
              (nginx
               (package
                 (inherit nginx)
                 (arguments
                  (append
                   '(#:configure-flags '("--with-http_gzip_static_module"
                                         "--with-http_gunzip_module"))
                   (package-arguments nginx)))))
              (extra-content %bayfront-nginx-service-extra-config)
              (upstream-blocks
               (list (nginx-upstream-configuration
                      (name "guix-build-coordinator-proxy")
                      (servers '("localhost:8745")))))
              (server-blocks
               (append %hpc.guix.info-nginx-servers
                       %guix-hpc.bordeaux.inria.fr-nginx-servers
                       %logs.guix.gnu.org-nginx-servers
                       %bayfront.guix.gnu.org-nginx-servers
                       %bordeaux.guix.gnu.org-nginx-servers
                       %coordinator.bayfront.guix.gnu.org-nginx-servers))))

    (service guix-build-coordinator-service-type
             %guix-build-coordinator-configuration)

    ;; Systems, and cross-compilation targets, for which builds are queued.
    (service guix-build-coordinator-queue-builds-service-type
             (guix-build-coordinator-queue-builds-configuration
              (systems '("x86_64-linux" "i686-linux"
                         "aarch64-linux"
                         "armhf-linux"
                         "powerpc64le-linux"
                         "i586-gnu"))
              (systems-and-targets
               '(("x86_64-linux" . "i586-pc-gnu")))))

    ;; This machine is also an agent of its own coordinator, reached through
    ;; the public HTTPS host and authenticated with a password kept in /etc
    ;; rather than in the store.
    (service guix-build-coordinator-agent-service-type
             (guix-build-coordinator-agent-configuration
              (coordinator "https://coordinator.bayfront.guix.gnu.org")
              (authentication
               (guix-build-coordinator-agent-password-file-auth
                (uuid "0c973ac8-4e62-4889-87b4-31c9536641db")
                (password-file
                 "/etc/guix-build-coordinator-agent-password")))
              (max-parallel-builds 1)
              (max-1min-load-average 8)
              (systems '("x86_64-linux" "i686-linux"))
              (derivation-substitute-urls
               (list "https://data.guix.gnu.org"))
              (non-derivation-substitute-urls
               (list "https://bayfront.guix.gnu.org"))))

    (modify-services %base-services
      ;; Built from scratch rather than inheriting CONFIG, so every field not
      ;; listed here takes guix-configuration's default.
      (guix-service-type
       config => (guix-configuration
                  (substitute-urls
                   '("https://bayfront.guix.gnu.org"))
                  ;; Keys whose signatures the daemon trusts: this machine's
                  ;; own, the Data Service's (for the derivation substitutes
                  ;; above) and the build nodes'.
                  (authorized-keys
                   (cons*
                    (local-file "keys/guix/bayfront.guix.info-export.pub")
                    ;; for substituting derivations
                    (plain-file
                     "data.guix.gnu.org.pub"
                     "
(public-key
(ecc
(curve Ed25519)
(q #1EEE5340C3AAD6E062A1395A88A86FC75982E8BC7DCBAE171858EEAAB14AAB77#)
)
)")
                    %build-node-keys))

                  ;; 12 hours without output, 48 hours overall.
                  (max-silent-time (* 12 3600))
                  (timeout (* 48 3600))

                  ;; be friendly to 'guix publish' users
                  (log-compression 'gzip)

                  (build-accounts 64)
                  (extra-options
                   (list "--max-jobs" "2" "--cores" "6"))))
      (login-service-type
       config => (login-configuration
                  (inherit config)
                  (motd %motd)))
      ;; Key-based SSH only; this also covers the Tor onion service above.
      (openssh-service-type
       config => (openssh-configuration
                  (inherit config)
                  (password-authentication? #f)))))))
;; Local Variables:
;; eval: (put 'modify-services 'scheme-indent-function 1)
;; End: