branch master updated: hydra: bayfront: Refresh config.
From: |
Christopher Baines |
Subject: |
branch master updated: hydra: bayfront: Refresh config. |
Date: |
Thu, 25 Mar 2021 11:44:45 -0400 |
This is an automated email from the git hooks/post-receive script.
cbaines pushed a commit to branch master
in repository maintenance.
The following commit(s) were added to refs/heads/master by this push:
new 84d6704 hydra: bayfront: Refresh config.
84d6704 is described below
commit 84d67041c6d53de281e248fb5cdb5aeec7ac0427
Author: Christopher Baines <mail@cbaines.net>
AuthorDate: Sun Mar 7 16:10:15 2021 +0000
hydra: bayfront: Refresh config.
This involves a few things. The Cuirass service is removed by
moving most of the frontend-services functionality directly into the
configuration, and the NGinx configuration is transformed into
various records. I'm hoping this will make the bayfront configuration
easier to change and maintain.
* hydra/bayfront.scm (%nginx-config): Remove variable.
(%bayfront-nginx-service-extra-config, %hpc.guix.info-nginx-servers,
%guix-hpc.bordeaux.inria.fr-nginx-servers,
%logs.guix.gnu.org-nginx-servers,
%bayfront.guix.gnu.org-nginx-servers): New variables.
(operating-system)[packages]: Remove comment relating to Cuirass.
[services]: Remove Cuirass dependencies, and incorporate most of the
services returned by frontend-services.
* hydra/nginx/bayfront-locations.conf: Delete file.
* hydra/nginx/bayfront.conf: Delete file.
* hydra/nginx/guix-hpc-inria-locations.conf: Delete file.
* hydra/nginx/guix-hpc-locations.conf: Delete file.
---
hydra/bayfront.scm | 513 +++++++++++++++++++++++++++---
hydra/nginx/bayfront-locations.conf | 126 --------
hydra/nginx/bayfront.conf | 239 --------------
hydra/nginx/guix-hpc-inria-locations.conf | 17 -
hydra/nginx/guix-hpc-locations.conf | 42 ---
5 files changed, 464 insertions(+), 473 deletions(-)
diff --git a/hydra/bayfront.scm b/hydra/bayfront.scm
index 93782b8..f22e876 100644
--- a/hydra/bayfront.scm
+++ b/hydra/bayfront.scm
@@ -1,10 +1,10 @@
-;; OS configuration for bayfront, the frontend of the compile farm.
+;; OS configuration for bayfront
(use-modules (gnu) (guix) (guix packages) (guix git)
(sysadmin people) (sysadmin services)
(sysadmin dns) (sysadmin web))
-(use-service-modules admin avahi base certbot cuirass databases dns
- monitoring networking shepherd ssh web)
+(use-service-modules admin avahi base certbot databases dns
+ monitoring networking shepherd ssh web mcron)
(use-package-modules admin certs ci databases linux ssh tls vim
package-management web wget)
@@ -56,28 +56,6 @@
(full-name "Tobias Geerinckx-Rice")
(ssh-public-key (local-file "keys/ssh/nckx.pub")))))
-(define %nginx-config
- ;; Our nginx configuration directory. It expects 'guix publish' to be
- ;; running on port 3000.
- (computed-file "nginx-config"
- (with-imported-modules '((guix build utils))
- #~(begin
- (use-modules (guix build utils))
-
- (mkdir #$output)
- (chdir #$output)
- (symlink #$(local-file "nginx/bayfront.conf")
- "bayfront.conf")
- (copy-file #$(local-file
- "nginx/bayfront-locations.conf")
- "bayfront-locations.conf")
- (copy-file #$(local-file
- "nginx/guix-hpc-locations.conf")
- "guix-hpc-locations.conf")
- (copy-file #$(local-file
- "nginx/guix-hpc-inria-locations.conf")
- "guix-hpc-inria-locations.conf")))))
-
(define %nginx-deploy-hook
;; Hook that restarts nginx when a new certificate is deployed.
(program-file "nginx-deploy-hook"
@@ -161,6 +139,414 @@ Happy hacking!\n"))
(openpgp-fingerprint
"CA4F 8CF4 37D7 478F DA05 5FD4 4213 7701 1A37
8446")))))))
+(define %bayfront-nginx-service-extra-config
+ "
+sendfile on;
+
+# Maximum chunk size to send. Partly this is a workaround
+# for <http://bugs.gnu.org/19939>, but also the nginx docs
+# mention that \"Without the limit, one fast connection may
+# seize the worker process entirely.\"
+# <http://nginx.org/en/docs/http/ngx_http_core_module#sendfile_max_chunk>
+sendfile_max_chunk 1m;
+
+keepalive_timeout 65;
+
+# Use HTTP 1.1 to talk to the backend so we benefit from
+# keep-alive connections and chunked transfer encoding. The
+# latter allows us to make sure we do not cache partial downloads.
+proxy_http_version 1.1;
+
+# The 'inactive' parameter for caching is not very useful in our
+# case: all that matters is that LRU sweeping happens when
+# 'max_size' is hit.
+
+# cache for nar files
+proxy_cache_path /var/cache/nginx/nar
+ levels=2
+ inactive=8d # inactive keys removed after 8d
+ keys_zone=nar:4m # nar cache meta data: ~32K keys
+ max_size=10g; # total cache data size max
+
+# cache for content-addressed files
+proxy_cache_path /var/cache/nginx/cas
+ levels=2
+ inactive=180d # inactive keys removed after 180d
+ keys_zone=cas:8m # nar cache meta data: ~64K keys
+ max_size=50g; # total cache data size max
+
+# cache for build logs
+proxy_cache_path /var/cache/nginx/logs
+ levels=2
+ inactive=60d # inactive keys removed after 60d
+ keys_zone=logs:8m # narinfo meta data: ~64K keys
+ max_size=4g; # total cache data size max
+
+# cache for static data
+proxy_cache_path /var/cache/nginx/static
+ levels=1
+ inactive=10d # inactive keys removed after 10d
+ keys_zone=static:1m # nar cache meta data: ~8K keys
+ max_size=200m; # total cache data size max
+
+# If Hydra cannot honor these delays, then something is wrong and
+# we'd better drop the connection and return 504.
+proxy_connect_timeout 7s;
+proxy_read_timeout 10s;
+proxy_send_timeout 10s;
+
+# Cache timeouts for a little while to avoid increasing pressure.
+proxy_cache_valid 504 30s;")
+
+(define %hpc.guix.info-nginx-servers
+ (let ((common-locations
+ (list
+ (nginx-location-configuration
+ (uri "/")
+ (body '("root /srv/guix-hpc-web;")))
+
+ ;; For the package browsing interface
+ (nginx-named-location-configuration
+ (name "gnupackages")
+ (body '( "return 307
https://www.gnu.org/software/guix/packages/;")))
+ (nginx-location-configuration
+ (uri "/browse")
+ (body '("proxy_pass http://localhost:5000;
+ rewrite .* / break;
+ proxy_connect_timeout 3s;
+ proxy_read_timeout 2s;
+ error_page 500 502 503 504 = @gnupackages;")))
+ (nginx-location-configuration
+ (uri "/package")
+ (body '("proxy_pass http://localhost:5000;
+ proxy_connect_timeout 3s;
+ proxy_read_timeout 2s;
+ error_page 500 502 503 504 = @gnupackages;")))
+
+ ;; JS for hpcguix-web
+ (nginx-location-configuration
+ (uri "~ /static/.*\\.js")
+ (body '("proxy_pass http://localhost:5000;")))
+
+ ;; Licensing info for hpcguix-web JS code
+ (nginx-location-configuration
+ (uri "/javascript")
+ (body '("proxy_pass http://localhost:5000;")))
+ (nginx-location-configuration
+ (uri "~ /static/images/sort_.*\\.png")
+ (body '("proxy_pass http://localhost:5000;")))
+ (nginx-location-configuration ; Videos
+ (uri "/static/videos")
+ (body '("root /srv/guix-hpc-videos;"))))))
+
+ (list
+ (nginx-server-configuration
+ (server-name '("hpc.guix.info"))
+ (listen '("80"))
+ (raw-content
+ '("
+access_log /var/log/nginx/guix-hpc.access.log;"))
+ (locations
+ (append
+ common-locations
+ (list
+ (nginx-location-configuration ; For use by Certbot
+ (uri "/.well-known")
+ (body '("root /var/www;")))))))
+
+ (nginx-server-configuration
+ (server-name '("hpc.guix.info"))
+ (listen '("443 ssl"))
+ (ssl-certificate "/etc/letsencrypt/live/hpc.guix.info/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/hpc.guix.info/privkey.pem")
+ (root "/srv/guix-hpc-web")
+ (raw-content
+ '("
+# Make sure SSL is disabled.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+# Disable weak cipher suites.
+ssl_ciphers HIGH:!aNULL:!MD5;
+ssl_prefer_server_ciphers on;
+
+# Use our own DH parameters created with:
+# openssl dhparam -out dhparams.pem 2048
+# as suggested at <https://weakdh.org/sysadmin.html>.
+ssl_dhparam /etc/dhparams.pem;
+
+access_log /var/log/nginx/guix-hpc.access.log;"))
+ (locations common-locations)))))
+
+(define %guix-hpc.bordeaux.inria.fr-nginx-servers
+ (let ((common-locations
+ (list
+ (nginx-location-configuration
+ (uri "~ ^/nix-cache-info$")
+ (body
+ '("return 301 $scheme://guix.bordeaux.inria.fr/nix-cache-info;")))
+ (nginx-location-configuration
+ (uri "~ /(.*\\.narinfo)")
+ (body
+ '("return 301 $scheme://guix.bordeaux.inria.fr/$1;")))
+ (nginx-location-configuration
+ (uri "~ /nar/(.*)")
+ (body
+ '("return 301 $scheme://guix.bordeaux.inria.fr/nar/$1;")))
+ (nginx-location-configuration
+ (uri "~ /(.*)")
+ (body
+ '("return 301 $scheme://hpc.guix.info/$1;"))))))
+
+ (list
+ (nginx-server-configuration
+ (server-name '("guix-hpc.bordeaux.inria.fr"))
+ (listen '("80"))
+ (raw-content
+ '("
+access_log /var/log/nginx/guix-hpc.access.log;"))
+ (locations
+ (append
+ common-locations
+ (list
+ (nginx-location-configuration ; For use by Certbot
+ (uri "/.well-known")
+ (body '("root /var/www;")))))))
+
+ (nginx-server-configuration
+ (server-name '("guix-hpc.bordeaux.inria.fr"))
+ (listen '("443 ssl"))
+ (ssl-certificate
+ "/etc/letsencrypt/live/guix-hpc.bordeaux.inria.fr/fullchain.pem")
+ (ssl-certificate-key
+ "/etc/letsencrypt/live/=guix-hpc.bordeaux.inria.fr/privkey.pem")
+ (raw-content
+ '("
+# Make sure SSL is disabled.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+# Disable weak cipher suites.
+ssl_ciphers HIGH:!aNULL:!MD5;
+ssl_prefer_server_ciphers on;
+
+# Use our own DH parameters created with:
+# openssl dhparam -out dhparams.pem 2048
+# as suggested at <https://weakdh.org/sysadmin.html>.
+ssl_dhparam /etc/dhparams.pem;
+
+access_log /var/log/nginx/guix-hpc.access.log;"))
+ (locations common-locations)))))
+
+(define %logs.guix.gnu.org-nginx-servers
+ (let ((common-locations
+ (list
+ (nginx-location-configuration
+ (uri "/")
+ (body '("proxy_pass http://localhost:3333/;"))))))
+
+ (list
+ (nginx-server-configuration
+ (server-name '("logs.guix.gnu.org"))
+ (listen '("80"))
+ (raw-content
+ '("
+access_log /var/log/nginx/logs.access.log;"))
+ (locations
+ (append
+ common-locations
+ (list
+ (nginx-location-configuration ; For use by Certbot
+ (uri "/.well-known")
+ (body '("root /var/www;")))))))
+
+ (nginx-server-configuration
+ (server-name '("logs.guix.gnu.org"))
+ (listen '("443 ssl"))
+ (ssl-certificate
+ "/etc/letsencrypt/live/logs.guix.gnu.org/fullchain.pem")
+ (ssl-certificate-key
+ "/etc/letsencrypt/live/logs.guix.gnu.org/privkey.pem")
+ (raw-content
+ '("
+# Make sure SSL is disabled.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+ Disable weak cipher suites.
+sl_ciphers HIGH:!aNULL:!MD5;
+sl_prefer_server_ciphers on;
+
+# Use our own DH parameters created with:
+# openssl dhparam -out dhparams.pem 2048
+# as suggested at <https://weakdh.org/sysadmin.html>.
+ssl_dhparam /etc/dhparams.pem;
+
+access_log /var/log/nginx/logs.access.log;"))
+ (locations common-locations)))))
+
+(define %bayfront.guix.gnu.org-nginx-servers
+ (let ((common-locations
+ (list
+ (nginx-location-configuration
+ (uri "~ ^/admin")
+ (body '("if ($ssl_client_verify != SUCCESS) {
+ return 403;
+ }
+ proxy_pass http://localhost:8081;")))
+ (nginx-location-configuration
+ (uri "/nix-cache-info")
+ (body '("proxy_pass http://localhost:3000/nix-cache-info;"
+ ;; Cache this file since that's always the first
+ ;; thing we ask for.
+ "proxy_cache static;
+ proxy_cache_valid 200 100d; # cache hits for a looong
time.
+ proxy_cache_valid any 5m; # cache misses/others for 5
min.
+ proxy_ignore_client_abort on;"
+ ;; We need to hide and ignore the Set-Cookie header
+ ;; to enable caching.
+ "proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;")))
+ (nginx-location-configuration
+ (uri "/nar/")
+ (body '("proxy_pass http://localhost:3000;"
+
+ "client_body_buffer_size 256k;"
+
+ ;; Be more tolerant of delays when fetching a nar.
+ "proxy_read_timeout 60s;
+ proxy_send_timeout 60s;"
+
+ ;; Enable caching for nar files, to avoid ;;
+ ;; reconstructing and recompressing archives.
+ "proxy_cache nar;"
+ "proxy_cache_valid 200 30d;" ; cache hits for 1 month
+ "proxy_cache_valid 504 3m;" ; timeout, when
+ ; hydra.gnu.org is
+ ; overloaded
+ "proxy_cache_valid any 1h;" ; cache misses/others for 1h.
+
+ "proxy_ignore_client_abort on;"
+
+ ;; Nars are already compressed.
+ "gzip off;"
+
+ ;; We need to hide and ignore the Set-Cookie header
+ ;; to enable caching.
+ "proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;")))
+ (nginx-location-configuration
+ (uri "~ \\.narinfo$")
+ (body '("proxy_pass http://localhost:3000;"
+
+ ;; Since 'guix publish' has its own caching, and
+ ;; since it relies on the atime of cached narinfos
+ ;; to determine whether a narinfo can be removed
+ ;; from the cache, don't do any caching here.
+
+ ;; For HTTP pipelining. This has a dramatic impact
+ ;; on performance.
+ "client_body_buffer_size 128k;"
+
+ ;; Narinfos requests are short, serve many of them
+ ;; on a connection.
+ "keepalive_requests 600;"
+
+ ;; Do not tolerate slowness of hydra.gnu.org when
+ ;; fetching narinfos: better return 504 quickly
+ ;; than wait forever.
+ "proxy_connect_timeout 2s;
+ proxy_read_timeout 2s;
+ proxy_send_timeout 2s;"
+
+ ;; 'guix publish --ttl' produces a 'Cache-Control'
+ ;; header for use by 'guix substitute'. Let it
+ ;; through rather than use nginx's "expire"
+ ;; directive since the expiration time defined by
+ ;; 'guix publish' is the right one.
+ "proxy_pass_header Cache-Control;
+
+ proxy_ignore_client_abort on;"
+
+ ;; We need to hide and ignore the Set-Cookie header
+ ;; to enable caching.
+ "proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;")))
+
+ (nginx-location-configuration
+ (uri "/log/")
+ (body '("proxy_pass http://localhost:3000;"
+
+ ;; Enable caching for build logs.
+ "proxy_cache logs;"
+ "proxy_cache_valid 200 60d;" ; cache hits.
+ "proxy_cache_valid 504 3m;" ; timeout, when
+ ; hydra.gnu.org is
+ ; overloaded
+ "proxy_cache_valid any 1h;" ; cache misses/others.
+
+ "proxy_ignore_client_abort on;"
+
+ ;; We need to hide and ignore the Set-Cookie header
+ ;; to enable caching.
+ "proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;")))
+
+ ;; Content-addressed files served by 'guix publish'.
+ (nginx-location-configuration
+ (uri "/file/")
+ (body '("proxy_pass http://localhost:3000;"
+
+ "proxy_cache cas;"
+ "proxy_cache_valid 200 200d;" ; cache hits
+ "proxy_cache_valid any 5m;" ; cache misses/others
+
+ "proxy_ignore_client_abort on;"))))))
+
+ (list
+ (nginx-server-configuration
+ (server-name '("bayfront.guix.gnu.org"))
+ (listen '("80"))
+ (raw-content
+ '("
+access_log /var/log/nginx/http.access.log;
+
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"))
+ (locations
+ (append
+ common-locations
+ (list
+ (nginx-location-configuration ; For use by Certbot
+ (uri "/.well-known")
+ (body '(("root /var/www;"))))))))
+
+ (nginx-server-configuration
+ (server-name '("bayfront.guix.gnu.org"))
+ (listen '("443 ssl"))
+ (ssl-certificate
+ "/etc/letsencrypt/live/bayfront.guix.gnu.org/fullchain.pem")
+ (ssl-certificate-key
+ "/etc/letsencrypt/live/bayfront.guix.gnu.org/privkey.pem")
+ (raw-content
+ '("
+# Make sure SSL is disabled.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+# Disable weak cipher suites.
+ssl_ciphers HIGH:!aNULL:!MD5;
+ssl_prefer_server_ciphers on;
+
+# Use our own DH parameters created with:
+# openssl dhparam -out dhparams.pem 2048
+# as suggested at <https://weakdh.org/sysadmin.html>.
+ssl_dhparam /etc/dhparams.pem;
+
+access_log /var/log/nginx/https.access.log;
+
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"))
+ (locations common-locations)))))
+
(operating-system
(host-name "bayfront")
(timezone "Europe/Paris")
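Review bot: The `ssl-certificate-key` for guix-hpc.bordeaux.inria.fr has a stray `=` in its path (`/etc/letsencrypt/live/=guix-hpc.bordeaux.inria.fr/privkey.pem`), so that TLS server block points at a file certbot never writes and nginx will fail to load the key; it should read `"/etc/letsencrypt/live/guix-hpc.bordeaux.inria.fr/privkey.pem"`. In the logs.guix.gnu.org TLS block the raw-content reads ` Disable weak cipher suites.` / `sl_ciphers HIGH:!aNULL:!MD5;` / `sl_prefer_server_ciphers on;` as rendered here — if that is what the commit contains rather than an archive artefact, `sl_ciphers` is an unknown directive and the generated nginx.conf is rejected at start-up, so the three lines should match the sibling blocks (`# Disable weak cipher suites.`, `ssl_ciphers HIGH:!aNULL:!MD5;`, `ssl_prefer_server_ciphers on;`). The bayfront.guix.gnu.org port-80 Certbot location wraps its body in an extra list, `(body '(("root /var/www;")))`, unlike the three sibling `/.well-known` locations that use `(body '("root /var/www;"))`. Separately, every TLS block carries over `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` under the comment "Make sure SSL is disabled."; TLS 1.0/1.1 are deprecated, and since that string is now duplicated four times it would be worth hoisting it into one shared variable so it can be tightened in a single place. The `~ ^/admin` location gates on `$ssl_client_verify`, but no `ssl_verify_client`/`ssl_client_certificate` directive is visible in the new bayfront.guix.gnu.org TLS block; if it is not set elsewhere the check can never succeed (always 403), which is safe but presumably not intended — worth confirming.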
@@ -187,8 +573,6 @@ Happy hacking!\n"))
(packages (cons* certbot wget iptables jnettop
mdadm vim lm-sensors openssh
- ;; This is needed to set GIT_SSL_CAINFO allowing
- ;; Cuirass to fetch sources via HTTPS.
nss-certs
%base-packages))
@@ -275,28 +659,59 @@ Happy hacking!\n"))
(service certbot-service-type %certbot-configuration)
(service goggles-service-type)
- ;; Cuirass needs PostgreSQL...
- (service postgresql-service-type
- (postgresql-configuration
- (postgresql postgresql-10)))
- (service postgresql-role-service-type)
-
- ;; ... and Avahi.
- (service avahi-service-type)
-
- (modify-services
- (frontend-services %sysadmins
- #:authorized-keys %build-node-keys
- #:nar-ttl (* 7 24 3600)
- #:motd %motd
- #:max-jobs 4
- #:cores 6
- #:build-accounts-to-max-jobs-ratio 16
- #:branches '("master")
- #:systems '("x86_64-linux")
- #:nginx-config-file
- (file-append %nginx-config
- "/bayfront.conf"))
+ (service mcron-service-type
+ (mcron-configuration
+ (jobs
+ (let ((threshold (* 800 GiB)))
+ (list #~(job '(next-hour '(4))
+ (string-append
+ #$guix "/bin/guix gc -F"
+ #$(number->string threshold)))
+
+ ;; Half a day later, make sure
+ ;; half of our quota is available.
+ #~(job '(next-hour '(16))
+ (string-append
+ #$guix "/bin/guix gc -F"
+ #$(number->string
+ (quotient threshold 2)))))))))
+
+ firewall-service
+
+ (service openssh-service-type)
+ (service sysadmin-service-type %sysadmins)
+
+ (service nginx-service-type
+ (nginx-configuration
+ (extra-content
%bayfront-nginx-service-extra-config)
+ (server-blocks
+ (append %hpc.guix.info-nginx-servers
+ %guix-hpc.bordeaux.inria.fr-nginx-servers
+ %logs.guix.gnu.org-nginx-servers
+ %bayfront.guix.gnu.org-nginx-servers))))
+
+ (modify-services %base-services
+ (guix-service-type
+ config => (guix-configuration
+ (substitute-urls
+ '("https://bayfront.guix.gnu.org"))
+ (authorized-keys
+ '())
+
+ (max-silent-time 3600)
+ (timeout (* 6 3600))
+
+ ;; be friendly to 'guix publish' users
+ (log-compression 'gzip)
+
+ (build-accounts 64)
+ (extra-options
+ (list "--max-jobs" "4"
+ "--cores" "6"))))
+ (login-service-type
+ config => (login-configuration
+ (inherit config)
+ (motd %motd)))
(openssh-service-type
config => (openssh-configuration
(inherit config)
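Review bot: The `guix-service-type` entry builds a fresh `(guix-configuration ...)` whereas the `login-service-type` entry beside it uses `(inherit config)`, so any non-default field the base guix service carried is silently dropped; if that is deliberate, a one-line comment saying so would spare the next reader the question. The pairing of `(substitute-urls '("https://bayfront.guix.gnu.org"))` with `(authorized-keys '())` means the daemon will not accept any substitute since no key is authorized, which reads as intentional for a machine that builds everything itself but deserves a comment such as `;; No authorized keys: never use substitutes, build locally.` The old `frontend-services` call passed `#:authorized-keys %build-node-keys`; if those keys served a purpose other than substitute authorization, the commit should say where that role now lives.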
diff --git a/hydra/nginx/bayfront-locations.conf
b/hydra/nginx/bayfront-locations.conf
deleted file mode 100644
index 601eaca..0000000
--- a/hydra/nginx/bayfront-locations.conf
+++ /dev/null
@@ -1,126 +0,0 @@
-# Configuration of the various HTTP locations.
-# This file is meant to be included in the bayfront configuration file.
-
-location / {
- proxy_pass http://localhost:8081;
-}
-
-location ~ ^/admin {
- if ($ssl_client_verify != SUCCESS) {
- return 403;
- }
- proxy_pass http://localhost:8081;
-}
-
-location = /nix-cache-info {
- proxy_pass http://localhost:3000/nix-cache-info;
-
- # Cache this file since that's always the first thing we ask for.
- proxy_cache static;
- proxy_cache_valid 200 100d; # cache hits for a looong time.
- proxy_cache_valid any 5m; # cache misses/others for 5 min.
- proxy_ignore_client_abort on;
-
- # We need to hide and ignore the Set-Cookie header
- # to enable caching.
- proxy_hide_header Set-Cookie;
- proxy_ignore_headers Set-Cookie;
-}
-
-location /nar/ {
- proxy_pass http://localhost:3000;
-
- client_body_buffer_size 256k;
-
- # Be more tolerant of delays when fetching a nar.
- proxy_read_timeout 60s;
- proxy_send_timeout 60s;
-
- # Enable caching for nar files, to avoid reconstructing and recompressing
- # archives.
- proxy_cache nar;
- proxy_cache_valid 200 30d; # cache hits for 1 month
- proxy_cache_valid 504 3m; # timeout, when hydra.gnu.org is overloaded
- proxy_cache_valid any 1h; # cache misses/others for 1h.
-
- proxy_ignore_client_abort on;
-
- # Nars are already compressed.
- gzip off;
-
- # We need to hide and ignore the Set-Cookie header
- # to enable caching.
- proxy_hide_header Set-Cookie;
- proxy_ignore_headers Set-Cookie;
-
- # Provide a 'content-length' header so that 'guix substitute-binary'
- # knows upfront how much it is downloading.
- #add_header Content-Length $body_bytes_sent;
-}
-
-location ~ \.narinfo$ {
- # Since 'guix publish' has its own caching, and since it relies
- # on the atime of cached narinfos to determine whether a
- # narinfo can be removed from the cache, don't do any caching
- # here.
-
- proxy_pass http://localhost:3000;
-
- # For HTTP pipelining. This has a dramatic impact on performance.
- client_body_buffer_size 128k;
-
- # Narinfos requests are short, serve many of them on a connection.
- keepalive_requests 600;
-
- # Do not tolerate slowness of hydra.gnu.org when fetching
- # narinfos: better return 504 quickly than wait forever.
- proxy_connect_timeout 2s;
- proxy_read_timeout 2s;
- proxy_send_timeout 2s;
-
- # 'guix publish --ttl' produces a 'Cache-Control' header for use
- # by 'guix substitute'. Let it through rather than use nginx's
- # "expire" directive since the expiration time defined by 'guix
- # publish' is the right one.
- proxy_pass_header Cache-Control;
-
- proxy_ignore_client_abort on;
-
- # We need to hide and ignore the Set-Cookie header
- # to enable caching.
- proxy_hide_header Set-Cookie;
- proxy_ignore_headers Set-Cookie;
-}
-
-location /log/ {
- proxy_pass http://localhost:3000;
-
- # Enable caching for build logs.
- proxy_cache logs;
- proxy_cache_valid 200 60d; # cache hits.
- proxy_cache_valid 504 3m; # timeout, when hydra.gnu.org is overloaded
- proxy_cache_valid any 1h; # cache misses/others.
-
- proxy_ignore_client_abort on;
-
- # We need to hide and ignore the Set-Cookie header
- # to enable caching.
- proxy_hide_header Set-Cookie;
- proxy_ignore_headers Set-Cookie;
-}
-
-# Content-addressed files served by 'guix publish'.
-location /file/ {
- proxy_pass http://localhost:3000;
-
- proxy_cache cas;
- proxy_cache_valid 200 200d; # cache hits
- proxy_cache_valid any 5m; # cache misses/others
-
- proxy_ignore_client_abort on;
-}
-
-# For use by Certbot.
-location /.well-known {
- root /var/www;
-}
diff --git a/hydra/nginx/bayfront.conf b/hydra/nginx/bayfront.conf
deleted file mode 100644
index a70bc72..0000000
--- a/hydra/nginx/bayfront.conf
+++ /dev/null
@@ -1,239 +0,0 @@
-# This is the nginx config file for bayfront.guix.gnu.org.
-
-user nginx;
-worker_processes auto;
-
-error_log /var/log/nginx/error.log error;
-pid /var/run/nginx.pid;
-
-pcre_jit on;
-
-events {
- worker_connections 1024;
-}
-
-http {
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- # We need to specify all these or nginx picks its own directory to
- # store them, which doesn't work because the store is read-only.
- client_body_temp_path /var/run/nginx/body;
- proxy_temp_path /var/run/nginx/proxy;
- fastcgi_temp_path /var/run/nginx/fastcgi;
- uwsgi_temp_path /var/run/nginx/uwsgi;
- scgi_temp_path /var/run/nginx/scgi;
-
- access_log /var/log/nginx/access.log;
-
- sendfile on;
-
- # Maximum chunk size to send. Partly this is a workaround
- # for <http://bugs.gnu.org/19939>, but also the nginx docs
- # mention that "Without the limit, one fast connection may
- # seize the worker process entirely."
- # <http://nginx.org/en/docs/http/ngx_http_core_module#sendfile_max_chunk>
- sendfile_max_chunk 1m;
-
- keepalive_timeout 65;
-
- # Use HTTP 1.1 to talk to the backend so we benefit from
- # keep-alive connections and chunked transfer encoding. The
- # latter allows us to make sure we do not cache partial downloads.
- proxy_http_version 1.1;
-
- # The 'inactive' parameter for caching is not very useful in our
- # case: all that matters is that LRU sweeping happens when
- # 'max_size' is hit.
-
- # cache for nar files
- proxy_cache_path /var/cache/nginx/nar
- levels=2
- inactive=8d # inactive keys removed after 8d
- keys_zone=nar:4m # nar cache meta data: ~32K keys
- max_size=10g; # total cache data size max
-
- # cache for content-addressed files
- proxy_cache_path /var/cache/nginx/cas
- levels=2
- inactive=180d # inactive keys removed after 180d
- keys_zone=cas:8m # nar cache meta data: ~64K keys
- max_size=50g; # total cache data size max
-
- # cache for build logs
- proxy_cache_path /var/cache/nginx/logs
- levels=2
- inactive=60d # inactive keys removed after 60d
- keys_zone=logs:8m # narinfo meta data: ~64K keys
- max_size=4g; # total cache data size max
-
- # cache for static data
- proxy_cache_path /var/cache/nginx/static
- levels=1
- inactive=10d # inactive keys removed after 10d
- keys_zone=static:1m # nar cache meta data: ~8K keys
- max_size=200m; # total cache data size max
-
- # If Hydra cannot honor these delays, then something is wrong and
- # we'd better drop the connection and return 504.
- proxy_connect_timeout 7s;
- proxy_read_timeout 10s;
- proxy_send_timeout 10s;
-
- # Cache timeouts for a little while to avoid increasing pressure.
- proxy_cache_valid 504 30s;
-
- server {
- listen 80;
- server_name bayfront.guix.gnu.org;
-
- access_log /var/log/nginx/http.access.log;
-
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Port $server_port;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- include bayfront-locations.conf;
- }
-
- server {
- listen 80;
- server_name bootstrappable.org;
- root /home/rekado/bootstrappable.org;
- index index.html;
- access_log /var/log/nginx/bootstrappable.access.log;
- location = / {
- root /home/rekado/bootstrappable.org;
- }
- }
-
- server {
- listen 80;
- server_name hpc.guix.info;
- access_log /var/log/nginx/guix-hpc.access.log;
- include guix-hpc-locations.conf;
- }
-
- server {
- listen 80;
- server_name guix-hpc.bordeaux.inria.fr;
- access_log /var/log/nginx/guix-hpc.access.log;
- include guix-hpc-inria-locations.conf;
- }
-
- server {
- listen 80;
- server_name logs.guix.gnu.org;
- access_log /var/log/nginx/logs.access.log;
-
- # Certbot webroot for certificate renewal.
- location /.well-known {
- root /var/www;
- }
- location / {
- proxy_pass http://localhost:3333/;
- }
- }
-
- # HTTPS server.
- server {
- listen 443 ssl;
- server_name logs.guix.gnu.org;
-
- ssl_certificate
/etc/letsencrypt/live/logs.guix.gnu.org/fullchain.pem;
- ssl_certificate_key
/etc/letsencrypt/live/logs.guix.gnu.org/privkey.pem;
-
- # Make sure SSL is disabled.
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-
- # Disable weak cipher suites.
- ssl_ciphers HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
-
- # Use our own DH parameters created with:
- # openssl dhparam -out dhparams.pem 2048
- # as suggested at <https://weakdh.org/sysadmin.html>.
- ssl_dhparam /etc/dhparams.pem;
-
- access_log /var/log/nginx/logs.access.log;
- location / {
- proxy_pass http://localhost:3333/;
- }
- }
-
- # HTTPS server.
- server {
- listen 443 ssl;
- server_name bayfront.guix.gnu.org;
-
- ssl_certificate
/etc/letsencrypt/live/bayfront.guix.gnu.org/fullchain.pem;
- ssl_certificate_key
/etc/letsencrypt/live/bayfront.guix.gnu.org/privkey.pem;
-
- # Make sure SSL is disabled.
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-
- # Disable weak cipher suites.
- ssl_ciphers HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
-
- # Use our own DH parameters created with:
- # openssl dhparam -out dhparams.pem 2048
- # as suggested at <https://weakdh.org/sysadmin.html>.
- ssl_dhparam /etc/dhparams.pem;
-
- access_log /var/log/nginx/https.access.log;
-
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Port $server_port;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- include bayfront-locations.conf;
- }
-
- # HTTPS server.
- server {
- listen 443 ssl;
- server_name hpc.guix.info;
-
- ssl_certificate /etc/letsencrypt/live/hpc.guix.info/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/hpc.guix.info/privkey.pem;
-
- # Make sure SSL is disabled.
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-
- # Disable weak cipher suites.
- ssl_ciphers HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
-
- # Use our own DH parameters created with:
- # openssl dhparam -out dhparams.pem 2048
- # as suggested at <https://weakdh.org/sysadmin.html>.
- ssl_dhparam /etc/dhparams.pem;
-
- access_log /var/log/nginx/guix-hpc.access.log;
- include guix-hpc-locations.conf;
- }
-
- server {
- listen 443 ssl;
- server_name guix-hpc.bordeaux.inria.fr;
-
- ssl_certificate
/etc/letsencrypt/live/guix-hpc.bordeaux.inria.fr/fullchain.pem;
- ssl_certificate_key
/etc/letsencrypt/live/guix-hpc.bordeaux.inria.fr/privkey.pem;
-
- # Make sure SSL is disabled.
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-
- # Disable weak cipher suites.
- ssl_ciphers HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
-
- # Use our own DH parameters created with:
- # openssl dhparam -out dhparams.pem 2048
- # as suggested at <https://weakdh.org/sysadmin.html>.
- ssl_dhparam /etc/dhparams.pem;
-
- access_log /var/log/nginx/guix-hpc.access.log;
- include guix-hpc-inria-locations.conf;
- }
-}
diff --git a/hydra/nginx/guix-hpc-inria-locations.conf
b/hydra/nginx/guix-hpc-inria-locations.conf
deleted file mode 100644
index 3f25cce..0000000
--- a/hydra/nginx/guix-hpc-inria-locations.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# Redirects from guix-hpc.bordeaux.inria.fr.
-
-location ~ ^/nix-cache-info$ {
- return 301 $scheme://guix.bordeaux.inria.fr/nix-cache-info;
-}
-
-location ~ /(.*\.narinfo) {
- return 301 $scheme://guix.bordeaux.inria.fr/$1;
-}
-
-location ~ /nar/(.*) {
- return 301 $scheme://guix.bordeaux.inria.fr/nar/$1;
-}
-
-location ~ /(.*) {
- return 301 $scheme://hpc.guix.info/$1;
-}
diff --git a/hydra/nginx/guix-hpc-locations.conf
b/hydra/nginx/guix-hpc-locations.conf
deleted file mode 100644
index 93870eb..0000000
--- a/hydra/nginx/guix-hpc-locations.conf
+++ /dev/null
@@ -1,42 +0,0 @@
-location / {
- root /srv/guix-hpc-web;
-}
-
-# For the package browsing interface.
-location @gnupackages {
- return 307 https://www.gnu.org/software/guix/packages/;
-}
-location /browse {
- proxy_pass http://localhost:5000;
- rewrite .* / break;
- proxy_connect_timeout 3s;
- proxy_read_timeout 2s;
- error_page 500 502 503 504 = @gnupackages;
-}
-location /package {
- proxy_pass http://localhost:5000;
- proxy_connect_timeout 3s;
- proxy_read_timeout 2s;
- error_page 500 502 503 504 = @gnupackages;
-}
-location ~ /static/.*\.js {
- # JS for hpcguix-web.
- proxy_pass http://localhost:5000;
-}
-location /javascript {
- # Licensing info for hpcguix-web JS code.
- proxy_pass http://localhost:5000;
-}
-location ~ /static/images/sort_.*\.png {
- proxy_pass http://localhost:5000;
-}
-
-# Videos.
-location /static/videos {
- root /srv/guix-hpc-videos;
-}
-
-# For use by Certbot.
-location /.well-known {
- root /var/www;
-}