(use-modules (freya system)
             (ice-9 match)
             (gnu packages ci)
             (gnu packages databases)
             (gnu services)
             (gnu services cuirass)
             (gnu services avahi)
             (gnu services mcron)
             (gnu services web)
             (gnu services databases)
             (gnu services networking)
             (guix gexp)
             (gnu))

;; Cuirass specification: a single job set, "sakura", that builds what the
;; sakura channel provides, on top of the default Guix channel.  Kept as a
;; G-expression (#~) so that it is evaluated on the Cuirass side rather than
;; when this file is loaded -- presumably; confirm against cuirass-configuration.
(define %cuirass-specs
  #~(list
      (specification
        (name "sakura")
        (build '(channels sakura))          ; build kind: the packages of channel `sakura'
        (channels
          (list %default-guix-channel
                (channel
                  (name 'sakura)
                  (url "https://g.freya.cat/freya/sakura")
                  (branch "main")
                  ;; Authentication root for the channel: the first commit to
                  ;; trust and the OpenPGP fingerprint of the key that signed
                  ;; it.  Later commits are checked against the authorizations
                  ;; descending from this commit, so both values must match
                  ;; the channel's real history.
                  (introduction
                    (make-channel-introduction
                      "8fb2f9c2fa414754c41c1c73665e3e73e12693ab"
                      (openpgp-fingerprint
                        "3CD3 65F0 373C EB13 853A  F568 9FBC 6FFD 6D2D BF17"))))))
        (priority 0)
        (systems '("x86_64-linux")))))      ; only build for x86_64

;; mcron job: run the garbage collector every day at 03:00.  `guix gc -F 50G'
;; only deletes until at least 50G of store space is free, so it is a no-op
;; on a disk that already has that much room.
(define garbage-collector-job
  #~(job "0 3 * * *"                     ; minute hour dom month dow
         "guix gc -F 50G"))

;; mcron job: restart the Cuirass remote worker every day at 02:00 (an hour
;; before the garbage-collector job).
;; NOTE(review): no `cuirass-remote-worker' shepherd service is defined in this
;; file; it presumably comes from %virt-freya-operating-system or
;; %base-freya-services.  Confirm it exists on this host, otherwise `herd
;; restart' fails every night.
(define restart-worker-job
  #~(job "0 2 * * *"                     ; minute hour dom month dow
         "herd restart cuirass-remote-worker"))

;; Cuirass module filter: given a module name such as (gnu packages base),
;; return #t for modules that should be kept and #f otherwise.  Only the
;; (guix ...), (gnu ...) and (sakura ...) trees pass; (guix config) is
;; excluded explicitly, and (nongnu ...), (nonguix ...) and anything else fall
;; through to #f.
;; NOTE(review): this definition is not referenced anywhere else in this file.
(define (default-module-filter module-name)
  (match module-name
    (('guix 'config) #f)                  ; excluded even though it is under guix
    ((root _ ...)
     (case root
       ((guix gnu sakura) #t)
       (else #f)))                        ; nongnu, nonguix and other trees
    (_ #f)))                              ; not a non-empty module name list

;;; Cuirass operating system.
;;;
;;; Continuous-integration host built on the shared virtual-machine base
;;; (%virt-freya-operating-system).  It runs Cuirass with its PostgreSQL
;;; database, serves substitutes with `guix publish', and puts nginx in front
;;; of both on port 80.  The pieces of the nginx and firewall configuration
;;; are named below and assembled in the operating-system record at the end.

;; Firewall (IPv4 only).  The Cuirass and `guix publish' listeners answer to
;; loopback only, so they are reachable solely through nginx: 8080 is the
;; guix-publish port set below, 8081 the port nginx proxies as "cuirass";
;; 5522 and 5555-5558 are presumably Cuirass's remote-build ports -- confirm.
;; No chain policies are set in this file, so ports that are not listed keep
;; the chain's existing policy.
;; NOTE(review): no ipv6-rules are given; if this host has an IPv6 address the
;; same ports are unfiltered there -- confirm.
(define %cuirass-firewall-rules
  (plain-file "iptables.rules" "*filter
-A INPUT -p tcp --dport 5522 ! -s 127.0.0.1 -j REJECT
-A INPUT -p tcp --dport 5555:5558 ! -s 127.0.0.1 -j REJECT
-A INPUT -p tcp --dport 8080:8081 ! -s 127.0.0.1 -j REJECT
COMMIT
"))

;; nginx upstreams: the Cuirass web interface and `guix publish', both on
;; loopback.  8081 is not set in cuirass-configuration below, so it is
;; presumably Cuirass's default web port -- confirm.
(define %cuirass-upstreams
  (list (nginx-upstream-configuration
          (name "cuirass")
          (servers (list "localhost:8081")))
        (nginx-upstream-configuration
          (name "publish")
          (servers (list "localhost:8080")))))

;; Return an nginx location for URI that is proxied to `guix publish';
;; EXTRA-DIRECTIVES are appended verbatim after the proxy_pass line.
(define (publish-proxy-location uri . extra-directives)
  (nginx-location-configuration
    (uri uri)
    (body (cons "proxy_pass http://publish;" extra-directives))))

;; cuirass.in.freya.cat: plain-HTTP front for the Cuirass web interface.
;; NOTE(review): X-Forwarded-Proto is forced to "https" although this block
;; only listens on port 80 -- presumably TLS terminates at a proxy in front of
;; this host; confirm, since Cuirass uses the header to build its URLs.
(define %cuirass-web-server
  (nginx-server-configuration
    (server-name '("cuirass.in.freya.cat"))
    (listen '("80"))
    (locations
      (list (nginx-location-configuration
              (uri "/")
              (body (list "proxy_pass http://cuirass;"
                          "proxy_set_header X-Forwarded-Proto https;")))))))

;; substitutes.in.freya.cat: the `guix publish' endpoints substitute clients
;; need, plus a landing page (index.html, installed under /srv/http by the
;; extra-special-file below and presumably served from nginx's default root).
;; Only port 80 is served; substitute integrity rests on the narinfo
;; signatures that clients verify against /signing-key.pub, not on transport
;; security.
(define %substitutes-web-server
  (nginx-server-configuration
    (server-name '("substitutes.in.freya.cat"))
    (listen '("80"))
    ;; Collapse a doubled leading slash before locations are matched.
    (raw-content '("rewrite ^//(.*)$ /$1 redirect;"))
    (index (list "index.html"))
    (locations
      (list (publish-proxy-location "/signing-key.pub")
            (publish-proxy-location "/file/")
            (publish-proxy-location "/log/")
            (publish-proxy-location "/nix-cache-info"
                                    "proxy_hide_header Set-Cookie;")
            (publish-proxy-location "/nar/"
                                    "client_body_buffer_size 256k;"
                                    ;; Nars are already compressed, so gzip
                                    ;; would only cost CPU.
                                    "gzip off;"
                                    "proxy_pass_header Cache-Control;")
            ;; Short timeouts: narinfo lookups must fail fast so clients fall
            ;; back to other substitute servers.
            (publish-proxy-location "~ \\.narinfo$"
                                    "client_body_buffer_size 128k;"
                                    "proxy_connect_timeout 2s;"
                                    "proxy_read_timeout 2s;"
                                    "proxy_send_timeout 2s;"
                                    "proxy_pass_header Cache-Control;"
                                    "proxy_ignore_client_abort on;")))))

(operating-system
  (inherit %virt-freya-operating-system)
  (host-name "cuirass")
  (packages (cons* cuirass                 ; ci
                   %virt-freya-packages))
  (services (cons* ;; avahi (mDNS)
                   (service avahi-service-type)
                   ;; Cuirass itself; every field except the specifications is
                   ;; left at its default.
                   (service cuirass-service-type
                     (cuirass-configuration
                       (specifications %cuirass-specs)))
                   ;; Substitute server on loopback port 8080, behind nginx.
                   (service guix-publish-service-type
                     (guix-publish-configuration
                       (cache "/var/cache/publish")
                       (compression '(("zstd" 19)))
                       (port 8080)))
                   ;; Landing page for the substitutes host.
                   (extra-special-file "/srv/http/index.html"
                                       (local-file "../files/index.html"))
                   ;; Database backing Cuirass.
                   (service postgresql-service-type
                            (postgresql-configuration
                              (postgresql postgresql-14)))
                   ;; Nightly maintenance jobs defined above.
                   (simple-service 'cron
                                   mcron-service-type
                                   (list garbage-collector-job
                                         restart-worker-job))
                   ;; Firewall.
                   (service iptables-service-type
                     (iptables-configuration
                       (ipv4-rules %cuirass-firewall-rules)))
                   ;; Reverse proxy for Cuirass and `guix publish'.
                   (service nginx-service-type
                     (nginx-configuration
                       (upstream-blocks %cuirass-upstreams)
                       (server-blocks (list %cuirass-web-server
                                            %substitutes-web-server))))
                   %base-freya-services))
  (swap-devices (list (swap-space
                        (target (uuid "8ffa6d73-06e9-4dc5-9b15-569b3b176dbc")))))
  (file-systems (cons* (file-system
                         (mount-point "/")
                         (device (uuid "fae7deed-d630-40a1-adac-87f49b431ad4"))
                         (type "btrfs"))
                       (file-system
                         (mount-point "/boot")
                         (device (uuid "027A-4AA1" 'fat32))
                         (type "vfat"))
                       %base-freya-file-systems))
  (bootloader (bootloader-configuration
                (bootloader grub-bootloader)
                (targets '("/dev/sda")))))