02/04: hydra: hatysa: Configure nginx to reverse proxy for the nar-herde
From: |
Christopher Baines |
Subject: |
02/04: hydra: hatysa: Configure nginx to reverse proxy for the nar-herder. |
Date: |
Fri, 8 Jul 2022 10:03:45 -0400 (EDT) |
cbaines pushed a commit to branch master
in repository maintenance.
commit 2b0cd4b47ce63b9757a216de71dbb3ff7214c508
Author: Christopher Baines <mail@cbaines.net>
AuthorDate: Fri Jul 8 14:40:39 2022 +0100
hydra: hatysa: Configure nginx to reverse proxy for the nar-herder.
To allow bayfront to check for nars being present on hatysa, expose
the nar-herder.
* hydra/hatysa.scm (%nginx-server-blocks): New variable.
<services>: Add nginx and certbot.
---
hydra/hatysa.scm | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 65 insertions(+), 1 deletion(-)
diff --git a/hydra/hatysa.scm b/hydra/hatysa.scm
index d3d9035..9db1fb9 100644
--- a/hydra/hatysa.scm
+++ b/hydra/hatysa.scm
@@ -4,7 +4,7 @@
;; Released under the GNU GPLv3 or any later version.
(use-modules (guix) (gnu))
-(use-service-modules networking mcron ssh monitoring guix)
+(use-service-modules networking mcron ssh monitoring guix web certbot)
(use-package-modules screen ssh linux certs)
(define (sysadmin name full-name)
@@ -93,6 +93,52 @@
("CONFIG_SND_SOC_ES8316" . m))
%default-extra-linux-options)))
+(define %nginx-server-blocks
+ (let ((common-locations
+ (list
+ (nginx-location-configuration
+ (uri "~ \\.narinfo/info$")
+ (body '("proxy_pass http://nar-herder;"
+ "proxy_http_version 1.1;"
+ "proxy_set_header Connection \"\";"
+ "proxy_ignore_client_abort on;")))
+ (nginx-location-configuration
+ (uri "= /metrics")
+ (body '("proxy_pass http://nar-herder;"
+ "proxy_http_version 1.1;"
+ "proxy_set_header Connection \"\";"))))))
+
+ (list
+ (nginx-server-configuration
+ (server-name '("hatysa.cbaines.net"))
+ (listen '("80" "[::]:80"))
+ (root "/var/www")
+ (locations
+ (append
+ common-locations
+ (list
+ (nginx-location-configuration ; For use by Certbot
+ (uri "/.well-known")
+ (body '(("root /var/www;"))))))))
+
+ (nginx-server-configuration
+ (server-name '("hatysa.cbaines.net"))
+ (listen '("443 ssl" "[::]:443 ssl"))
+ (root "/var/www")
+ (ssl-certificate
+ "/etc/letsencrypt/live/hatysa.cbaines.net/fullchain.pem")
+ (ssl-certificate-key
+ "/etc/letsencrypt/live/hatysa.cbaines.net/privkey.pem")
+ (raw-content
+ '("
+# Make sure SSL is disabled.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+# Disable weak cipher suites.
+ssl_ciphers HIGH:!aNULL:!MD5;
+ssl_prefer_server_ciphers on;"))
+ (locations common-locations)))))
+
(operating-system
(host-name "hatysa")
(timezone "Europe/London")
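Review bot: The `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line in the raw-content of the 443 server block still enables TLS 1.0 and 1.1, both deprecated by RFC 8996, while the comment above it says "Make sure SSL is disabled.", which reads as if legacy protocols were being turned off rather than kept. Since the only expected clients are nar-herder consumers such as bayfront, `ssl_protocols TLSv1.2 TLSv1.3;` should be safe (assuming the nginx build has TLS 1.3 support, which current Guix packages do), and the comment should state what the line does, e.g. `# Only allow TLS 1.2 and later.`. The port-80 server block also serves the same `common-locations` (narinfo lookups and /metrics) over plaintext instead of redirecting to HTTPS; if that is intentional for bayfront's checks, a short comment on that server block saying so would stop a later maintainer from "fixing" it. The `.well-known` location's body is written as a nested list `'(("root /var/www;"))` whereas every other body is a flat list of strings; it presumably flattens fine, but making it `'("root /var/www;")` keeps the hunk consistent.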
@@ -172,6 +218,24 @@
(mirror "https://bordeaux.guix.gnu.org")
(storage "/var/lib/nars")))
+ (service certbot-service-type
+ (certbot-configuration
+ (certificates
+ (list (certificate-configuration
+ (domains '("hatysa.cbaines.net")))))
+ (email "mail@cbaines.net")
+ (webroot "/var/www")))
+
+ (service nginx-service-type
+ (nginx-configuration
+ (upstream-blocks
+ (list (nginx-upstream-configuration
+ (name "nar-herder")
+ (servers '("127.0.0.1:8734"))
+ (extra-content '("keepalive 2;")))))
+ (server-blocks
+ %nginx-server-blocks)))
+
(modify-services %base-services
(guix-service-type
config => (guix-configuration
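Review bot: The certificate-configuration for hatysa.cbaines.net has no `deploy-hook`, so when certbot renews the certificate nginx will keep serving the expired one until something reloads it; the Guix manual's pattern is a small program-file that reads the nginx pid file and sends it SIGHUP, passed as `(deploy-hook %nginx-deploy-hook)`. A related ordering caveat, inferred rather than visible here: the 443 server block references `/etc/letsencrypt/live/hatysa.cbaines.net/*.pem` unconditionally, so on a fresh deployment nginx will presumably refuse to start until certbot has obtained the certificate once via the port-80 webroot block. A one-line comment on the nginx service noting that first-deploy step would save the next operator a debugging session. The enclosing `operating-system` services list begins before this hunk and continues past it.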