feat(ops/machines): add temporary VolgaSprint cache machine
Change-Id: I5b5bb98f591e7bf3b1f16673f7f670b758444066 Reviewed-on: https://cl.tvl.fyi/c/depot/+/12327 Reviewed-by: mrflos <mrflos@yeswiki.pro> Tested-by: BuildkiteCI
This commit is contained in:
parent
6dff303c5f
commit
d504f668e0
2 changed files with 149 additions and 0 deletions
148
ops/machines/volgasprint-cache/default.nix
Normal file
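--- a/ops/machines/volgasprint-cache/default.nix
+++ b/ops/machines/volgasprint-cache/default.nix
@@ -0,0 +1,148 @@
+# temporary machine for local binary cache proxy during VolgaSprint
+
+{ depot, lib, pkgs, ... }: # readTree options
+{ config, ... }: # passed by module system
+
+let
+mod = name: depot.path.origSrc + ("/ops/modules/" + name);
+in
+{
+imports = [
+(mod "tvl-users.nix")
+];
+
+boot = {
+kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
+initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
+loader = {
+grub.enable = false;
+generic-extlinux-compatible.enable = true;
+};
+};
+
+fileSystems = {
+"/" = {
+device = "/dev/disk/by-label/NIXOS_SD";
+fsType = "ext4";
+options = [ "noatime" ];
+};
+"/var/public-nix-cache" = {
+device = "/dev/sda1";
+fsType = "ext4";
+};
+};
+
+networking = {
+firewall = {
+enable = true;
+allowedTCPPorts = [ 80 443 8098 ];
+};
+
+hostName = "cache";
+domain = "volgasprint.org";
+
+wireless = {
+enable = true;
+networks.VolgaSprint.psk = "nixos-unstable";
+interfaces = [ "wlan0" ];
+};
+
+wg-quick.interfaces = {
+wg0 = {
+address = [ "10.10.10.2/24" "fd42::1/128" ];
+dns = [ "1.1.1.1" ];
+privateKeyFile = "/etc/wireguard_private_key";
+
+peers = [
+{
+publicKey = "2MZzEGJzA3HrwkHf91TaKJEHwCNyVvsTLWoIYHrCxhY=";
+presharedKeyFile = "/etc/wireguard_preshared_key";
+allowedIPs = [ "0.0.0.0/0" "::/0" ];
+endpoint = "195.201.63.240:8098";
+persistentKeepalive = 15;
+}
+];
+};
+};
+};
+
+services.openssh.enable = true;
+
+services.nginx = {
+enable = true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+
+appendHttpConfig = ''
+proxy_cache_path /tmp/pkgcache levels=1:2 keys_zone=cachecache:100m max_size=20g inactive=365d use_temp_path=off;
+
+# Cache only success status codes; in particular we don't want to cache 404s.
+# See https://serverfault.com/a/690258/128321
+map $status $cache_header {
+200 "public";
+302 "public";
+default "no-cache";
+}
+access_log /var/log/nginx/access.log;
+'';
+
+virtualHosts."cache.volgasprint.org" = {
+sslCertificate = "/etc/ssl/cache.volgasprint.org/key.pem";
+sslCertificateKey = "/etc/ssl/cache.volgasprint.org/key.pem";
+sslTrustedCertificate = "/etc/ssl/cache.volgasprint.org/chain.pem";
+
+locations."/" = {
+root = "/var/public-nix-cache";
+extraConfig = ''
+expires max;
+add_header Cache-Control $cache_header always;
+# Ask the upstream server if a file isn't available locally
+error_page 404 = @fallback;
+'';
+};
+
+extraConfig = ''
+# Using a variable for the upstream endpoint to ensure that it is
+# resolved at runtime as opposed to once when the config file is loaded
+# and then cached forever (we don't want that):
+# see https://tenzer.dk/nginx-with-dynamic-upstreams/
+# This fixes errors like
+# nginx: [emerg] host not found in upstream "upstream.example.com"
+# when the upstream host is not reachable for a short time when
+# nginx is started.
+resolver 80.67.169.12; # fdn dns
+set $upstream_endpoint http://cache.nixos.org;
+'';
+
+locations."@fallback" = {
+proxyPass = "$upstream_endpoint";
+extraConfig = ''
+proxy_cache cachecache;
+proxy_cache_valid 200 302 60d;
+expires max;
+add_header Cache-Control $cache_header always;
+'';
+};
+
+# We always want to copy cache.nixos.org's nix-cache-info file,
+# and ignore our own, because `nix-push` by default generates one
+# without `Priority` field, and thus that file by default has priority
+# 50 (compared to cache.nixos.org's `Priority: 40`), which will make
+# download clients prefer `cache.nixos.org` over our binary cache.
+locations."= /nix-cache-info" = {
+# Note: This is duplicated with the `@fallback` above,
+# would be nicer if we could redirect to the @fallback instead.
+proxyPass = "$upstream_endpoint";
+extraConfig = ''
+proxy_cache cachecache;
+proxy_cache_valid 200 302 60d;
+expires max;
+add_header Cache-Control $cache_header always;
+'';
+};
+};
+};
+
+hardware.enableRedistributableFirmware = true;
+system.stateVersion = "23.11";
+}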
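Review bot: `sslCertificate` in the `virtualHosts."cache.volgasprint.org"` block points at `key.pem`, the same file as `sslCertificateKey`, so nginx would be handed the private key where it expects the certificate; presumably this should be the certificate or full-chain file that sits next to `chain.pem`, e.g. `sslCertificate = "/etc/ssl/cache.volgasprint.org/<certificate-file>.pem";`. The virtual host also sets none of `addSSL`/`forceSSL`/`onlySSL`; as far as I recall the NixOS nginx module then listens on port 80 only and the three `ssl*` options are never used, which would leave 443 (opened in `allowedTCPPorts`) unserved and the cache reachable only over plain HTTP, so `forceSSL = true;` (or `addSSL = true;`) is worth adding if TLS is intended. `proxy_cache_path /tmp/pkgcache` with `inactive=365d` and `max_size=20g` keeps the on-disk cache on the SD-card root under `/tmp`, which systemd-tmpfiles ages out (10 days by default on NixOS, if I remember correctly) rather than on the `/dev/sda1` volume mounted at `/var/public-nix-cache`; a directory under `/var/cache/nginx` or on that disk would be safer. The Wi-Fi PSK in `networks.VolgaSprint.psk` is committed in plaintext, which may be acceptable for a temporary sprint machine, but an out-of-repo secrets mechanism such as `networking.wireless.environmentFile` would keep it out of the depot.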
@ -63,5 +63,6 @@ in rec {
|
|||
whitbySystem = (nixosFor depot.ops.machines.whitby).system;
|
||||
sandunySystem = (nixosFor depot.ops.machines.sanduny).system;
|
||||
nixeryDev01System = (nixosFor depot.ops.machines.nixery-01).system;
|
||||
volgaSprintCacheSystem = (nixosFor depot.ops.machines.volgasprint-cache).system;
|
||||
meta.ci.targets = [ "sandunySystem" "whitbySystem" "nixeryDev01System" ];
|
||||
}
|
||||
|
|
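Review bot: `volgaSprintCacheSystem` is added to the attribute set but not to `meta.ci.targets` on the following line, so CI will not evaluate or build this machine's configuration and a broken `default.nix` would only surface at deploy time. If that is deliberate for a temporary machine, a comment such as `# volgaSprintCacheSystem is intentionally not a CI target: temporary sprint machine` would keep the next reader from "fixing" it; otherwise add `"volgaSprintCacheSystem"` to the list. The enclosing `rec { ... }` attribute set starts outside the hunk, and this file's path is not shown on the page.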