
02/04: hydra: hatysa: Configure nginx to reverse proxy for the nar-herder.


From: Christopher Baines
Subject: 02/04: hydra: hatysa: Configure nginx to reverse proxy for the nar-herder.
Date: Fri, 8 Jul 2022 10:03:45 -0400 (EDT)

cbaines pushed a commit to branch master
in repository maintenance.

commit 2b0cd4b47ce63b9757a216de71dbb3ff7214c508
Author: Christopher Baines <mail@cbaines.net>
AuthorDate: Fri Jul 8 14:40:39 2022 +0100

    hydra: hatysa: Configure nginx to reverse proxy for the nar-herder.
    
    To allow bayfront to check for nars being present on hatysa, expose
    the nar-herder.
    
    * hydra/hatysa.scm (%nginx-server-blocks): New variable.
    <services>: Add nginx and certbot.
---
 hydra/hatysa.scm | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 65 insertions(+), 1 deletion(-)

diff --git a/hydra/hatysa.scm b/hydra/hatysa.scm
index d3d9035..9db1fb9 100644
--- a/hydra/hatysa.scm
+++ b/hydra/hatysa.scm
@@ -4,7 +4,7 @@
 ;; Released under the GNU GPLv3 or any later version.
 
 (use-modules (guix) (gnu))
-(use-service-modules networking mcron ssh monitoring guix)
+(use-service-modules networking mcron ssh monitoring guix web certbot)
 (use-package-modules screen ssh linux certs)
 
 (define (sysadmin name full-name)
@@ -93,6 +93,52 @@
                         ("CONFIG_SND_SOC_ES8316" . m))
                       %default-extra-linux-options)))
 
+(define %nginx-server-blocks
+  (let ((common-locations
+         (list
+          (nginx-location-configuration
+           (uri "~ \\.narinfo/info$")
+           (body '("proxy_pass http://nar-herder;";
+                   "proxy_http_version 1.1;"
+                   "proxy_set_header Connection \"\";"
+                   "proxy_ignore_client_abort on;")))
+          (nginx-location-configuration
+           (uri "= /metrics")
+           (body '("proxy_pass http://nar-herder;";
+                   "proxy_http_version 1.1;"
+                   "proxy_set_header Connection \"\";"))))))
+
+    (list
+     (nginx-server-configuration
+      (server-name '("hatysa.cbaines.net"))
+      (listen '("80" "[::]:80"))
+      (root "/var/www")
+      (locations
+       (append
+        common-locations
+        (list
+         (nginx-location-configuration  ; For use by Certbot
+          (uri "/.well-known")
+          (body '(("root /var/www;"))))))))
+
+     (nginx-server-configuration
+      (server-name '("hatysa.cbaines.net"))
+      (listen '("443 ssl" "[::]:443 ssl"))
+      (root "/var/www")
+      (ssl-certificate
+       "/etc/letsencrypt/live/hatysa.cbaines.net/fullchain.pem")
+      (ssl-certificate-key
+       "/etc/letsencrypt/live/hatysa.cbaines.net/privkey.pem")
+      (raw-content
+       '("
+# Make sure SSL is disabled.
+ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+
+# Disable weak cipher suites.
+ssl_ciphers         HIGH:!aNULL:!MD5;
+ssl_prefer_server_ciphers on;"))
+      (locations common-locations)))))
+
 (operating-system
   (host-name "hatysa")
   (timezone "Europe/London")
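Review bot: The `raw-content` comment `# Make sure SSL is disabled.` contradicts the directive under it, which enables TLSv1, TLSv1.1 and TLSv1.2 rather than disabling anything; presumably it means SSLv2/SSLv3 are excluded. TLSv1 and TLSv1.1 are deprecated (RFC 8996) and a Guix-based client such as bayfront can be expected to negotiate TLSv1.2 or newer, so I'd tighten this to `ssl_protocols TLSv1.2 TLSv1.3;` (TLSv1.3 needs nginx built against OpenSSL 1.1.1 or later, which I would expect here but have not verified) and reword the comment to `# Only allow modern TLS versions; SSLv2/SSLv3 are excluded.`. The `ssl_ciphers HIGH:!aNULL:!MD5;` line is nginx's default, so it is harmless but only documents intent. Note also that `common-locations` is served by the port-80 block as well, so narinfo lookups and `/metrics` are reachable over plaintext; if that is intended for bayfront, a short comment on the port-80 block saying so would help the next maintainer.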
@@ -172,6 +218,24 @@
                     (mirror "https://bordeaux.guix.gnu.org";)
                     (storage "/var/lib/nars")))
 
+          (service certbot-service-type
+                   (certbot-configuration
+                    (certificates
+                     (list (certificate-configuration
+                            (domains '("hatysa.cbaines.net")))))
+                    (email "mail@cbaines.net")
+                    (webroot "/var/www")))
+
+          (service nginx-service-type
+                   (nginx-configuration
+                    (upstream-blocks
+                     (list (nginx-upstream-configuration
+                            (name "nar-herder")
+                            (servers '("127.0.0.1:8734"))
+                            (extra-content '("keepalive 2;")))))
+                    (server-blocks
+                     %nginx-server-blocks)))
+
           (modify-services %base-services
             (guix-service-type
              config => (guix-configuration
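Review bot: The 443 server block in `%nginx-server-blocks` references `/etc/letsencrypt/live/hatysa.cbaines.net/fullchain.pem`, and nginx refuses to load a configuration whose `ssl_certificate` file does not exist, so on a fresh deployment nginx will likely fail to start before certbot has obtained the certificate — which it cannot do through the `/.well-known` webroot until nginx is serving port 80. I cannot tell from this hunk whether `certbot-service-type`'s own nginx extension avoids this, so at minimum the `nginx-service-type` entry deserves a comment on the bootstrap order, e.g. `;; The 443 block needs the certbot certificate to exist; deploy with only the port-80 block first.`. The upstream's `keepalive 2;` is consistent with the `proxy_http_version 1.1;` and `proxy_set_header Connection "";` lines in the locations, so that part looks right. The enclosing `services` field starts and ends outside the hunk.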


