diff --git a/systems/cuirass.scm b/systems/cuirass.scm
index 4b3ff32..6e7d74e 100644
--- a/systems/cuirass.scm
+++ b/systems/cuirass.scm
@@ -1,12 +1,169 @@ (use-modules (freya system) + (ice-9 match) + (gnu packages ci) + (gnu services cuirass) + (gnu services avahi) + (gnu services mcron) + (gnu services web) + (gnu services networking) (gnu)) +;; Cuirass specification +(define %cuirass-specs + #~(list + (specification + (name "sakura") + (build '(channels sakura)) + (channels + (list %default-guix-channel + (channel + (name 'sakura) + (url "https://g.freya.cat/freya/sakura") + (branch "main") + (introduction + (make-channel-introduction + "490f9018f0de343c7192c8a2d1f3d9d66f180c8d" + (openpgp-fingerprint + "4F6B C11C EBB2 F242 14B9 0FAC 9FF6 937B 829E 565A")))))) + (priority 0) + (systems '("x86_64-linux"))))) + +;; Run the garbe collector every day at 3:00 AM +(define garbage-collector-job + #~(job "0 3 * * *" + "guix gc -F 50G")) + +;; Restart the cuiras worker every night +(define restart-worker-job + #~(job "0 2 * * *" + "herd restart cuirass-remote-worker")) + +;; Curiass module filter +(define default-module-filter + (match-lambda + (('guix 'config) #f) + (('guix _ ...) #t) + (('gnu _ ...) #t) + (('nongnu _ ...) #f) + (('nonguix _ ...) #f) + (('sakura _ ...) #t) + (_ #f))) + +;; Curiass operating system (operating-system (inherit %virt-freya-operating-system) (host-name "cuirass") + (packages (cons* ; ci + cuirass + %virt-freya-packages)) + (services (cons* ; avahi + (service avahi-service-type) + ; cuirass + (service cuirass-service-type + (cuirass-configuration + (remote-server + (cuirass-remote-server-configuration + (private-key "/etc/guix/signing-key.sec") + (public-key "/etc/guix/signing-key.pub") + (publish? 
#f) + (trigger-url "localhost:8080"))) + (specifications %cuirass-specs))) + ; cuirass worker + (service cuirass-remote-worker-service-type + (cuirass-remote-worker-configuration + (private-key "/etc/guix/signing-key.sec") + (public-key "/etc/guix/signing-key.pub") + (server "localhost:5555") + (substitute-urls (list "https://ci.guix.gnu.org" + "https://substitutes.freya.cat")) + (systems '("x86_64-linux")) + (workers 2))) + ; guix publish + (service guix-publish-service-type + (guix-publish-configuration + (cache "/var/cache/publish") + (compression '(("zstd" 19))) + (port 8080))) + ; cron + (simple-service 'cron + mcron-service-type + (list garbage-collector-job + restart-worker-job)) + ; iptables + (service iptables-service-type + (iptables-configuration + (ipv4-rules (plain-file "iptables.rules" "*filter +-A INPUT -p tcp --dport 5522 ! -s 127.0.0.1 -j REJECT +-A INPUT -p tcp --dport 5555:5558 ! -s 127.0.0.1 -j REJECT +-A INPUT -p tcp --dport 8080:8081 ! -s 127.0.0.1 -j REJECT +COMMIT +")))) + ; nginx + (service nginx-service-type + (nginx-configuration + (upstream-blocks + (list + (nginx-upstream-configuration + (name "cuirass") + (servers (list "localhost:8081"))) + (nginx-upstream-configuration + (name "publish") + (servers (list "localhost:8080"))))) + (server-blocks + (list + (nginx-server-configuration + (server-name '("cuirass.in.freya.cat")) + (listen '("80")) + (locations + (list + (nginx-location-configuration + (uri "/") + (body + (list "proxy_pass http://cuirass;")))))) + (nginx-server-configuration + (server-name '("substitutes.in.freya.cat")) + (listen '("80")) + (raw-content '("rewrite ^//(.*)$ /$1 redirect;")) + (index (list "index.html")) + (locations + (list + (nginx-location-configuration + (uri "/signing-key.pub") + (body '("proxy_pass http://publish;"))) + (nginx-location-configuration + (uri "/file/") + (body '("proxy_pass http://publish;"))) + (nginx-location-configuration + (uri "/log/") + (body '("proxy_pass http://publish;"))) + 
(nginx-location-configuration + (uri "/nix-cache-info") + (body (list + "proxy_pass http://publish;" + "proxy_hide_header Set-Cookie;"))) + (nginx-location-configuration + (uri "/nar/") + (body (list + "proxy_pass http://publish;" + "client_body_buffer_size 256k;" + ;; Nars are already compressed. -> no perf change + "gzip off;" + "proxy_pass_header Cache-Control;"))) + (nginx-location-configuration + (uri "~ \\.narinfo$") + (body + (list + "proxy_pass http://publish;" + "client_body_buffer_size 128k;" + "proxy_connect_timeout 2s;" + "proxy_read_timeout 2s;" + "proxy_send_timeout 2s;" + "proxy_pass_header Cache-Control;" + "proxy_ignore_client_abort on;")))))))))) + %base-freya-services)) (swap-devices (list (swap-space - (target (uuid - "8ffa6d73-06e9-4dc5-9b15-569b3b176dbc"))))) + (target (uuid + "8ffa6d73-06e9-4dc5-9b15-569b3b176dbc"))))) (file-systems (cons* (file-system (mount-point "/") (device (uuid "fae7deed-d630-40a1-adac-87f49b431ad4")) @@ -16,8 +173,7 @@ (device (uuid "027A-4AA1" 'fat32)) (type "vfat")) - (operating-system-file-systems - %virt-freya-operating-system))) + %base-freya-file-systems)) (bootloader (bootloader-configuration (bootloader grub-bootloader) (targets '("/dev/sda")))))
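Review bot: The iptables-service-type block only sets ipv4-rules, so the REJECT rules that keep the remote-server (5555:5558), guix-publish/nginx (8080:8081) and 5522 ports loopback-only apply to IPv4 alone; Guix's iptables-configuration defaults ipv6-rules to its accept-all ruleset, so if any of these listeners also binds a v6 address (I cannot tell from this file) it would be reachable from the network over IPv6. Mirroring the rules with `! -s ::1` under `ipv6-rules` closes that gap without changing the services themselves. Separately, `default-module-filter` (and the `(ice-9 match)` import it needs) is defined but not referenced anywhere in this configuration, so it reads as dead code unless another file uses it. The added comments also carry typos: "garbe collector", "cuiras worker" and "Curiass" (twice) should read "garbage collector", "cuirass worker" and "Cuirass".
```scheme
(service iptables-service-type
         (iptables-configuration
          ;; … unchanged: ipv4-rules …
          (ipv6-rules (plain-file "ip6tables.rules" "*filter
-A INPUT -p tcp --dport 5522 ! -s ::1 -j REJECT
-A INPUT -p tcp --dport 5555:5558 ! -s ::1 -j REJECT
-A INPUT -p tcp --dport 8080:8081 ! -s ::1 -j REJECT
COMMIT
"))))
```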