05/06: hydra: bayfront: Add nginx service.
From: |
Ludovic Courtès |
Subject: |
05/06: hydra: bayfront: Add nginx service. |
Date: |
Sat, 3 Dec 2016 11:18:52 +0000 (UTC) |
civodul pushed a commit to branch master
in repository maintenance.
commit eda26dfca558fae62eef2de61551a625e46e5b9e
Author: Ludovic Courtès <address@hidden>
Date: Fri Dec 2 23:58:25 2016 +0100
hydra: bayfront: Add nginx service.
---
hydra/bayfront.scm | 60 ++++++++++++++--
hydra/nginx/bayfront-locations.conf | 130 +++++++++++++++++++++++++++++++++++
hydra/nginx/bayfront.conf | 126 +++++++++++++++++++++++++++++++++
3 files changed, 312 insertions(+), 4 deletions(-)
diff --git a/hydra/bayfront.scm b/hydra/bayfront.scm
index 736fd4d..81be7b9 100644
--- a/hydra/bayfront.scm
+++ b/hydra/bayfront.scm
@@ -1,8 +1,8 @@
;; OS configuration for bayfront, the frontend of the compile farm.
(use-modules (gnu) (sysadmin people))
-(use-service-modules networking admin mcron ssh)
-(use-package-modules admin linux ssh vim package-management)
+(use-service-modules base networking admin mcron ssh web)
+(use-package-modules admin linux ssh tls vim package-management web wget)
(define %sysadmins
;; The sysadmins.
@@ -33,6 +33,50 @@
"--cache-failures"
"--gc-keep-outputs" "--gc-keep-derivations"))))
+
+;;;
+;;; NGINX.
+;;;
+
+(define %nginx-config
+ ;; Our nginx configuration directory. It expects 'guix publish' to be
+ ;; running on port 3000.
+ (computed-file "nginx-config"
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+
+ (mkdir #$output)
+ (chdir #$output)
+ (symlink #$(local-file "nginx/bayfront.conf")
+ "bayfront.conf")
+ (copy-file #$(local-file
+ "nginx/bayfront-locations.conf")
+ "bayfront-locations.conf")
+ (substitute* "bayfront-locations.conf"
+ (("@WWWROOT@")
+ #$(local-file "nginx/html" #:recursive? #t)))))))
+
+(define %nginx-mime-types
+ ;; Provide /etc/nginx/mime.types (and a bunch of other files.)
+ (simple-service 'nginx-mime.types
+ etc-service-type
+ `(("nginx" ,(file-append nginx "/share/nginx/conf")))))
+
+(define %nginx-cache-activation
+ ;; Make sure /var/cache/nginx exists on the first run.
+ (simple-service 'nginx-/var/cache/nginx
+ activation-service-type
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (mkdir-p "/var/cache/nginx")))))
+
+
+;;;
+;;; Operating system.
+;;;
+
(operating-system
(host-name "bayfront")
(timezone "Europe/Paris")
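Review bot: `%nginx-cache-activation` provisions `/var/cache/nginx`, but the other non-store paths the nginx configuration depends on are left to manual setup: `/var/www` (the `root` of the Certbot `/.well-known` location in bayfront-locations.conf) and `/etc/dhparams.pem` (the `ssl_dhparam` file in bayfront.conf), alongside the Let's Encrypt certificate files. A missing `/var/www` only turns ACME challenges into 404s, whereas a missing `ssl_dhparam` or certificate file makes nginx refuse to start, so a fresh deployment fails until those are created by hand. Extending the activation with `(mkdir-p "/var/www")` next to `(mkdir-p "/var/cache/nginx")` covers the webroot; the DH parameters and certificates could at least be listed in the `%nginx-config` comment as prerequisites. The comment on `%nginx-cache-activation` might also say why only the top-level directory is created — presumably nginx's master process creates the per-cache subdirectories itself; confirm.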
@@ -58,7 +102,8 @@
#:extra-modules '("raid10")
rest)))
- (packages (cons* mdadm vim lm-sensors openssh
+ (packages (cons* certbot wget
+ mdadm vim lm-sensors openssh
%base-packages))
(services (cons* (service sysadmin-service-type %sysadmins)
@@ -73,7 +118,14 @@
#:name-servers '("141.255.128.100" "141.255.129.101"))
(lsh-service #:port-number 22)
- (guix-publish-service #:port 9080)
+
+ ;; The Web service.
+ (guix-publish-service #:port 3000)
+ (nginx-service #:config-file
+ (file-append %nginx-config
+ "/bayfront.conf"))
+ %nginx-mime-types
+ %nginx-cache-activation
(service rottlog-service-type (rottlog-configuration))
(service mcron-service-type
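Review bot: The nginx locations proxy to `http://localhost:3000`, so the design assumes `guix publish` is reachable only on the loopback interface, yet `(guix-publish-service #:port 3000)` relies on the procedure's default bind address, which is not visible here. If that default is not loopback, the uncached port 3000 endpoint stays exposed next to nginx; `(guix-publish-service #:port 3000 #:host "localhost")` makes the intent explicit and robust to a change in the default. The `services` form continues outside the hunk.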
diff --git a/hydra/nginx/bayfront-locations.conf
b/hydra/nginx/bayfront-locations.conf
new file mode 100644
index 0000000..3daa8d1
--- /dev/null
+++ b/hydra/nginx/bayfront-locations.conf
@@ -0,0 +1,130 @@
+# Configuration of the various HTTP locations.
+# This file is meant to be included in the bayfront configuration file.
+
+location = / {
+ # Make sure index.html lives in there.
+ root @WWWROOT@;
+}
+
+location = /index.html {
+ root @WWWROOT@;
+}
+
+location = /nix-cache-info {
+ proxy_pass http://localhost:3000/nix-cache-info;
+
+ # Cache this file since that's always the first thing we ask for.
+ proxy_cache static;
+ proxy_cache_valid 200 100d; # cache hits for a looong time.
+ proxy_cache_valid any 5m; # cache misses/others for 5 min.
+ proxy_ignore_client_abort on;
+
+ # We need to hide and ignore the Set-Cookie header
+ # to enable caching.
+ proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;
+}
+
+location /nar/ {
+ proxy_pass http://localhost:3000;
+
+ client_body_buffer_size 256k;
+
+ # Be more tolerant of delays when fetching a nar.
+ proxy_read_timeout 60s;
+ proxy_send_timeout 60s;
+
+ # Enable caching for nar files, to avoid reconstructing and recompressing
+ # archives.
+ proxy_cache nar;
+ proxy_cache_valid 200 91d; # cache hits for 3 months.
+ proxy_cache_valid 504 3m; # timeout, when hydra.gnu.org is overloaded
+ proxy_cache_valid any 1h; # cache misses/others for 1h.
+
+ proxy_ignore_client_abort on;
+
+ # Nars are already compressed.
+ gzip off;
+
+ # We need to hide and ignore the Set-Cookie header
+ # to enable caching.
+ proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;
+
+ # Provide a 'content-length' header so that 'guix substitute-binary'
+ # knows upfront how much it is downloading.
+ #add_header Content-Length $body_bytes_sent;
+}
+
+location ~ \.narinfo$ {
+ proxy_pass http://localhost:3000;
+
+ # For HTTP pipelining. This has a dramatic impact on performance.
+ client_body_buffer_size 128k;
+
+ # Do not tolerate slowness of hydra.gnu.org when fetching
+ # narinfos: better return 504 quickly than wait forever.
+ proxy_connect_timeout 2s;
+ proxy_read_timeout 2s;
+ proxy_send_timeout 2s;
+
+ # Enable caching for narinfo files, to avoid recomputing nar signatures.
+ #
+ # Note: Avoid caching narinfos for too long to avoid a situation
+ # where we have the narinfo but don't have the corresponding nar
+ # and cannot have it.
+ proxy_cache narinfo;
+ proxy_cache_valid 200 30d; # cache hits for 1 month
+ proxy_cache_valid 504 5m; # timeout, when hydra.gnu.org is overloaded
+ proxy_cache_valid any 1h; # cache misses/others for 1h.
+
+ # Use the above TTLs, not those advertised by hydra.gnu.org.
+ proxy_ignore_headers Expires Cache-Control;
+
+ # Add 'Expires' and 'Cache-Control' response headers so clients
+ # such as 'guix substitute' know how long they can cache it.
+ # Override the headers coming from hydra.gnu.org.
+ proxy_hide_header Expires;
+ proxy_hide_header Cache-Control;
+ expires 7d;
+
+ proxy_ignore_client_abort on;
+
+ # We need to hide and ignore the Set-Cookie header
+ # to enable caching.
+ proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;
+}
+
+location /log/ {
+ proxy_pass http://localhost:3000;
+
+ # Enable caching for build logs.
+ proxy_cache logs;
+ proxy_cache_valid 200 60d; # cache hits.
+ proxy_cache_valid 504 3m; # timeout, when hydra.gnu.org is overloaded
+ proxy_cache_valid any 1h; # cache misses/others.
+
+ proxy_ignore_client_abort on;
+
+ # We need to hide and ignore the Set-Cookie header
+ # to enable caching.
+ proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;
+}
+
+# Content-addressed files served by 'guix publish'.
+location /file/ {
+ proxy_pass http://localhost:3000;
+
+ proxy_cache cas;
+ proxy_cache_valid 200 200d; # cache hits
+ proxy_cache_valid any 5m; # cache misses/others
+
+ proxy_ignore_client_abort on;
+}
+
+# For use by Certbot.
+location /.well-known {
+ root /var/www;
+}
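Review bot: This file is included by both the plain-HTTP and the HTTPS `server` blocks of bayfront.conf, and nginx's default `proxy_cache_key` is `$scheme$proxy_host$request_uri`, so every nar, narinfo and log object is fetched from `guix publish` and stored twice — once per scheme — in the caches sized in bayfront.conf. Adding `proxy_cache_key $proxy_host$request_uri;` at the top of this file (or in the `http` block) lets both servers share one entry per object, since the upstream content is identical. Separately, `location /.well-known` is a prefix match without a trailing slash and therefore also covers paths such as `/.well-known-anything`; `location /.well-known/ {` is the tighter form and still matches Certbot's `/.well-known/acme-challenge/` requests.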
diff --git a/hydra/nginx/bayfront.conf b/hydra/nginx/bayfront.conf
new file mode 100644
index 0000000..d705b28
--- /dev/null
+++ b/hydra/nginx/bayfront.conf
@@ -0,0 +1,126 @@
+# This is the nginx config file for bayfront.guixsd.conf.
+
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log error;
+pid /var/run/nginx.pid;
+
+pcre_jit on;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /var/log/nginx/access.log;
+
+ sendfile on;
+
+ # Maximum chunk size to send. Partly this is a workaround
+ # for <http://bugs.gnu.org/19939>, but also the nginx docs
+ # mention that "Without the limit, one fast connection may
+ # seize the worker process entirely."
+ # <http://nginx.org/en/docs/http/ngx_http_core_module#sendfile_max_chunk>
+ sendfile_max_chunk 1m;
+
+ keepalive_timeout 65;
+
+ # Use HTTP 1.1 to talk to the backend so we benefit from
+ # keep-alive connections and chunked transfer encoding. The
+ # latter allows us to make sure we do not cache partial downloads.
+ proxy_http_version 1.1;
+
+ # The 'inactive' parameter for caching is not very useful in our
+ # case: all that matters is that LRU sweeping happens when
+ # 'max_size' is hit.
+
+ # cache for narinfo files
+ proxy_cache_path /var/cache/nginx/narinfo
+ levels=2
+ inactive=7d # inactive keys removed after 7d
+ keys_zone=narinfo:4m # narinfo meta data: ~32K keys
+ max_size=20g; # total cache data size max
+
+ # cache for nar files
+ proxy_cache_path /var/cache/nginx/nar
+ levels=2
+ inactive=8d # inactive keys removed after 8d
+ keys_zone=nar:4m # nar cache meta data: ~32K keys
+ max_size=200g; # total cache data size max
+
+ # cache for content-addressed files
+ proxy_cache_path /var/cache/nginx/cas
+ levels=2
+ inactive=180d # inactive keys removed after 180d
+ keys_zone=cas:8m # nar cache meta data: ~64K keys
+ max_size=30g; # total cache data size max
+
+ # cache for build logs
+ proxy_cache_path /var/cache/nginx/logs
+ levels=2
+ inactive=60d # inactive keys removed after 60d
+ keys_zone=logs:8m # narinfo meta data: ~64K keys
+ max_size=4g; # total cache data size max
+
+ # cache for static data
+ proxy_cache_path /var/cache/nginx/static
+ levels=1
+ inactive=10d # inactive keys removed after 10d
+ keys_zone=static:1m # nar cache meta data: ~8K keys
+ max_size=200m; # total cache data size max
+
+ # If Hydra cannot honor these delays, then something is wrong and
+ # we'd better drop the connection and return 504.
+ proxy_connect_timeout 7s;
+ proxy_read_timeout 10s;
+ proxy_send_timeout 10s;
+
+ # Cache timeouts for a little while to avoid increasing pressure.
+ proxy_cache_valid 504 30s;
+
+ server {
+ listen 80;
+ server_name bayfront.guixsd.org;
+
+ access_log /var/log/nginx/http.access.log;
+
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ include bayfront-locations.conf;
+ }
+
+ # HTTPS server.
+ server {
+ listen 443 ssl;
+ server_name bayfront.guixsd.org;
+
+ ssl_certificate
/etc/letsencrypt/live/bayfront.guixsd.org/fullchain.pem;
+ ssl_certificate_key
/etc/letsencrypt/live/bayfront.guixsd.org/privkey.pem;
+
+ # Make sure SSL is disabled.
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+ # Disable weak cipher suites.
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+
+ # Use our own DH parameters created with:
+ # openssl dhparam -out dhparams.pem 2048
+ # as suggested at <https://weakdh.org/sysadmin.html>.
+ ssl_dhparam /etc/dhparams.pem;
+
+ access_log /var/log/nginx/https.access.log;
+
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ include bayfront-locations.conf;
+ }
+}
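Review bot: The comment `# Make sure SSL is disabled.` above `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` is misleading — what the directive does is exclude SSLv2/SSLv3 while still admitting TLS 1.0 and 1.1; `# Allow only TLS; SSLv2 and SSLv3 are excluded.` says what it does. The cipher string `HIGH:!aNULL:!MD5` still permits static RSA key exchange (no forward secrecy) and, with the OpenSSL of the time, 3DES; `ssl_ciphers HIGH:!aNULL:!MD5:!3DES:!kRSA;` keeps only the ECDHE/DHE suites that the `ssl_dhparam` line already supports, at the cost of very old clients. The certificate, key and `/etc/dhparams.pem` paths live outside the store and are not provisioned by bayfront.scm; since nginx refuses to start when any of them is missing, a comment on the HTTPS `server` block stating that they must exist before the first activation would help the next operator.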