From b073ee1fd4a879a29166422269733604a6454fc3 Mon Sep 17 00:00:00 2001
From: makefu
Date: Wed, 21 Nov 2018 00:03:49 +0100
Subject: puyak.r: add cache.nsupdate.info
---
krebs/3modules/cachecache.nix | 171 ++++++++++++++++++++++++++++++++++++++++++
krebs/3modules/default.nix | 1 +
2 files changed, 172 insertions(+)
create mode 100644 krebs/3modules/cachecache.nix
(limited to 'krebs/3modules')
diff --git a/krebs/3modules/cachecache.nix b/krebs/3modules/cachecache.nix
new file mode 100644
index 000000000..c02c7c80c
--- /dev/null
+++ b/krebs/3modules/cachecache.nix
@@ -0,0 +1,171 @@
+{ config, lib, ... }:
+
+
+# fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
+# related: https://github.com/nh2/nix-binary-cache-proxy
+
+with lib;
+
+let
+
+ cfg = config.krebs.cachecache;
+
+ nginxCfg = config.services.nginx;
+
+ cacheFallbackConfig = {
+ proxyPass = "$upstream_endpoint";
+ extraConfig = ''
+ # Default is HTTP/1, keepalive is only enabled in HTTP/1.1.
+ proxy_http_version 1.1;
+
+ # Remove the Connection header if the client sends it, it could
+ be "close" to close a keepalive connection
+ proxy_set_header Connection "";
+
+ # Needed for CloudFront.
+ proxy_ssl_server_name on;
+
+ proxy_set_header Host $proxy_host;
+ proxy_cache nix_cache_cache;
+ proxy_cache_valid 200 302 60m;
+ proxy_cache_valid 404 1m;
+
+ expires max;
+ add_header Cache-Control $nix_cache_cache_header always;
+ '';
+ };
+
+in
+
+{
+ options = {
+ krebs.cachecache = {
+ enable = mkEnableOption "Nix binary cache cache";
+
+ virtualHost = mkOption {
+ type = types.str;
+ default = "nix-cache";
+ description = ''
+ Name of the nginx virtualhost to use and setup. If null, do
+ not setup any virtualhost.
+ '';
+ };
+ enableSSL = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ enable SSL via letsencrypt. Requires working dns resolution and open
+ internet tls port.
+ '';
+ };
+
+ # webRoot = mkOption {
+ # type = types.str;
+ # default = "/";
+ # description = ''
+ # Directory on virtual host that serves the cache. Must end in
+ # /.
+ # '';
+ # };
+
+ resolver = mkOption {
+ type = types.str;
+ description = "Address of DNS resolver.";
+ default = "8.8.8.8 ipv6=off";
+ example = "127.0.0.1 ipv6=off";
+ };
+
+ cacheDir = mkOption {
+ type = types.str;
+ default = "/var/cache/nix-cache-cache";
+ description = ''
+ Where nginx should store cached data.
+ '';
+ };
+
+ maxSize = mkOption {
+ type = types.str;
+ default = "50g";
+ description = "Maximum cache size.";
+ };
+ };
+ };
+
+ config = {
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+
+ systemd.services.nginx.preStart = ''
+ mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
+ chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
+ chown ${nginxCfg.user}:${nginxCfg.group} \
+ ${cfg.cacheDir} /srv/www/nix-cache-cache
+ '';
+
+ services.nginx = {
+ enable = true;
+
+ appendHttpConfig = ''
+ proxy_cache_path ${cfg.cacheDir}
+ levels=1:2
+ keys_zone=nix_cache_cache:100m
+ max_size=${cfg.maxSize}
+ inactive=365d
+ use_temp_path=off;
+
+ # Cache only success status codes; in particular we don't want
+ # to cache 404s. See https://serverfault.com/a/690258/128321.
+ map $status $nix_cache_cache_header {
+ 200 "public";
+ 302 "public";
+ default "no-cache";
+ }
+ '';
+
+ virtualHosts.${cfg.virtualHost} = {
+ addSSL = cfg.enableSSL;
+ enableACME = cfg.enableSSL;
+ extraConfig = ''
+ # Using a variable for the upstream endpoint to ensure that it is
+ # resolved at runtime as opposed to once when the config file is loaded
+ # and then cached forever (we don't want that):
+ # see https://tenzer.dk/nginx-with-dynamic-upstreams/
+ # This fixes errors like
+ #
+ # nginx: [emerg] host not found in upstream "upstream.example.com"
+ #
+ # when the upstream host is not reachable for a short time when
+ # nginx is started.
+ resolver ${cfg.resolver} valid=10s;
+ set $upstream_endpoint https://cache.nixos.org;
+ '';
+
+ locations."/" =
+ {
+ root = "/srv/www/nix-cache-cache";
+ extraConfig = ''
+ expires max;
+ add_header Cache-Control $nix_cache_cache_header always;
+
+ # Ask the upstream server if a file isn't available
+ # locally.
+ error_page 404 = @fallback;
+
+ # Don't bother logging the above 404.
+ log_not_found off;
+ '';
+ };
+
+ locations."@fallback" = cacheFallbackConfig;
+
+ # We always want to copy cache.nixos.org's nix-cache-info
+ # file, and ignore our own, because `nix-push` by default
+ # generates one without `Priority` field, and thus that file
+ # by default has priority 50 (compared to cache.nixos.org's
+ # `Priority: 40`), which will make download clients prefer
+ # `cache.nixos.org` over our binary cache.
+ locations."= /nix-cache-info" = cacheFallbackConfig;
+ };
+ };
+ };
+}
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index ca67ce65c..24cbd9cc9 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -14,6 +14,7 @@ let
 ./buildbot/master.nix
 ./buildbot/slave.nix
 ./build.nix
+ ./cachecache.nix
 ./charybdis.nix
 ./ci.nix
 ./current.nix
-- cgit v1.2.3
From 105a0b6515b2e193b883ee8fb00d8454b8049588 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Wed, 21 Nov 2018 04:10:07 +0100
Subject: cachecache: enable only if enabled
---
krebs/3modules/cachecache.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'krebs/3modules')
diff --git a/krebs/3modules/cachecache.nix b/krebs/3modules/cachecache.nix
index c02c7c80c..989320480 100644
--- a/krebs/3modules/cachecache.nix
+++ b/krebs/3modules/cachecache.nix
@@ -91,7 +91,7 @@ in
 };
 };
- config = {
+ config = mkIf cfg.enable {
 networking.firewall.allowedTCPPorts = [ 80 443 ];
-- cgit v1.2.3
From a6f4d27da624cce5f9001b371a03b34ba4a68b8e Mon Sep 17 00:00:00 2001
From: makefu
Date: Thu, 22 Nov 2018 09:38:33 +0100
Subject: ma: gum.r also resolves to torrent.gum.r
---
krebs/3modules/makefu/default.nix | 1 +
1 file changed, 1 insertion(+)
(limited to 'krebs/3modules')
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index bea0f1c0e..881f082c6 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
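Review bot: cacheFallbackConfig proxies to https://cache.nixos.org with `proxy_ssl_server_name on` but without `proxy_ssl_verify on`, so nginx accepts whatever certificate the host resolved through `resolver ${cfg.resolver}` presents, stores the response for up to an hour (`proxy_cache_valid 200 302 60m`) and leaves integrity entirely to the clients' narinfo signature checks. Add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <path-to-system-ca-bundle>;` next to `proxy_ssl_server_name on;` in that extraConfig. Separately, the `virtualHost` description says "If null, do not setup any virtualhost", but the option is `types.str` with a default, so null is rejected at evaluation time; either make it `types.nullOr types.str` and guard the `virtualHosts` entry with `mkIf`, or drop that sentence. The `proxy_cache_valid 404 1m;` line in the same config also contradicts the appendHttpConfig comment stating that 404s are not meant to be cached.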
@@ -624,6 +624,7 @@ in {
 "blog.makefu.r"
 "blog.gum.r"
 "dcpp.gum.r"
+ "torrent.gum.r"
 ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
-- cgit v1.2.3
From 4fedcb814791363ce89f8ba0a31291fc2a1ca138 Mon Sep 17 00:00:00 2001
From: makefu
Date: Sun, 25 Nov 2018 23:45:27 +0100
Subject: ma gum.r: fix pubkey which accidentally got overwritten ...
---
krebs/3modules/makefu/default.nix | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
(limited to 'krebs/3modules')
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 881f082c6..188fbc461 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -628,12 +628,12 @@ in {
 ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAucCebFmS96WorD+Br4UQudmAhMlLpacErjwA/u2argBTT2nGHTR8
- aN4e0xf3IYLA+iogLIW/JuQfKLe8evEK21iZ3jleW8N7mbCulhasi/0lqWlirrpO
- npJAiSNF1m7ijoylkEKxtmehze+8ojprUT2hx1ImMlHMWGxvs+TmBbZBMgxAGMJh
- 6cMMDJQi+4d9XrJQ3+XUVK3MkviLA91oIAXsLdFptL6b12siUaz4StQXDJUHemBF
- 3ZwlO+W2Es69ifEhmV6NaDDRcSRdChGbHTz1OU8wYaFNaxWla/iprQQ+jEUldpcN
- VC18QGYRUAgZ0PCIpKurjWNehJFB3zXt+wIDAQAB
+ MIIBCgKCAQEAvgvzx3rT/3zLuCkzXk1ZkYBkG4lltxrLOLNivohw2XAzrYDIw/ZY
+ BTDDcD424EkNOF6g/3tIRWqvVGZ1u12WQ9A/R+2F7i1SsaE4nTxdNlQ5rjy80gO3
+ i1ZubMkTGwd1OYjJytYdcMTwM9V9/8QYFiiWqh77Xxu/FhY6PcQqwHxM7SMyZCJ7
+ 09gtZuR16ngKnKfo2tw6C3hHQtWCfORVbWQq5cmGzCb4sdIKow5BxUC855MulNsS
+ u5l+G8wX+UbDI85VSDAtOP4QaSFzLL+U0aaDAmq0NO1QiODJoCo0iPhULZQTFZUa
+ OMDYHHfqzluEI7n8ENI4WwchDXH+MstsgwIDAQAB
 -----END RSA PUBLIC KEY-----
 '';
 };
-- cgit v1.2.3
From c35bc044dba5260bea5574a86897c6c45b4e525a Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 27 Nov 2018 00:55:59 +0100
Subject: ci: abort if an error occurs in get_steps
---
krebs/3modules/ci.nix | 1 +
1 file changed, 1 insertion(+)
(limited to 'krebs/3modules')
diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index 4cfe598d6..62efce44b 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -26,6 +26,7 @@ let
 hostname = config.networking.hostName;
 getJobs = pkgs.writeDash "get_jobs" ''
+ set -efu
 nix-build --no-out-link --quiet -Q ./ci.nix > /dev/null
 nix-instantiate --quiet -Q --eval --strict --json ./ci.nix
 '';
-- cgit v1.2.3
From 09ee7ca4d832bfdc836c9463513891f1e97db10b Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 27 Nov 2018 00:58:07 +0100
Subject: ci: add gcroot for build-scripts
---
krebs/3modules/ci.nix | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'krebs/3modules')
diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index 62efce44b..d8d0e7f3d 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -28,7 +28,13 @@ let
 getJobs = pkgs.writeDash "get_jobs" ''
 set -efu
 nix-build --no-out-link --quiet -Q ./ci.nix > /dev/null
- nix-instantiate --quiet -Q --eval --strict --json ./ci.nix
+ js="$(nix-instantiate --quiet -Q --eval --strict --json ./ci.nix)"
+ echo "$js" | jq -r 'to_entries[] | [.key, .value] | @tsv' \
+ | while read -r host builder; do
+ gcroot=${shell.escape profileRoot}/$host-builder
+ ${pkgs.nix}/bin/nix-env -p "$gcroot" --set "$builder"
+ done
+ echo "$js"
 '';
 profileRoot = "/nix/var/nix/profiles/ci";
-- cgit v1.2.3
From 593b2baf031dac70bff4d0484f87b28d674ccbed Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 27 Nov 2018 00:58:57 +0100
Subject: fetchWallpaper: remove broken maxTime
---
krebs/3modules/fetchWallpaper.nix | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
(limited to 'krebs/3modules')
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index f67188122..5a5065565 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -38,11 +38,6 @@ let
 '';
 default = {};
 };
- maxTime = mkOption {
- type = types.int;
- default = 0;
- description = "Time to wait before download is aborted";
- };
 };
 fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
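Review bot: The new pipeline in getJobs calls `jq` by bare name while the following line reaches nix-env through `${pkgs.nix}/bin/nix-env`, so the gcroot step silently depends on jq being on the service's PATH; `${pkgs.jq}/bin/jq -r 'to_entries[] | [.key, .value] | @tsv' \` keeps the script self-contained. Because dash has no pipefail, `set -e` only observes the exit status of the trailing `while` loop, so a jq failure produces an empty loop and the script still prints `$js` as though every gcroot had been registered. The `$host` key taken from the evaluated ci.nix is used verbatim as a path component in `gcroot=${shell.escape profileRoot}/$host-builder`; unless those keys are already constrained to plain hostnames, a key containing `/` or starting with `..` would create the profile outside profileRoot, so a guard such as `case $host in */*|..*) exit 1;; esac` before the nix-env call would be prudent.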
@@ -51,8 +46,8 @@ let
 mkdir -p ${cfg.stateDir}
 chmod o+rx ${cfg.stateDir}
 cd ${cfg.stateDir}
- (curl --max-time ${toString cfg.maxTime} -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
- feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper
+ (curl -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
+ feh --no-fehbg --bg-scale wallpaper
 '';
 imp = {
-- cgit v1.2.3
From 0b6c07ad7203634af4131ed3fb6f64c1c7fc45ff Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 27 Nov 2018 01:11:35 +0100
Subject: buildbot: don't fuckup permissions
---
krebs/3modules/buildbot/master.nix | 2 +-
krebs/3modules/buildbot/slave.nix | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'krebs/3modules')
diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix
index 209dbe980..8995753ac 100644
--- a/krebs/3modules/buildbot/master.nix
+++ b/krebs/3modules/buildbot/master.nix
@@ -362,7 +362,7 @@ let
 # normally we should write buildbot.tac by our own
 # ${pkgs.buildbot-classic}/bin/buildbot upgrade-master ${workdir}
- chmod 700 -R ${workdir}
+ chmod 700 ${workdir}
 chown buildbotMaster:buildbotMaster -R ${workdir}
 '';
 ExecStart = "${pkgs.buildbot-classic}/bin/buildbot start --nodaemon ${workdir}";
diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix
index 544f9c4e0..c15169fba 100644
--- a/krebs/3modules/buildbot/slave.nix
+++ b/krebs/3modules/buildbot/slave.nix
@@ -166,7 +166,7 @@ let
 echo ${description} > ${workdir}/info/host
 chown buildbotSlave:buildbotSlave -R ${workdir}
- chmod 700 -R ${workdir}
+ chmod 700 ${workdir}
 '';
 ExecStart = "${pkgs.buildbot-classic-slave}/bin/buildslave start ${workdir}";
 ExecStop = "${pkgs.buildbot-classic-slave}/bin/buildslave stop ${workdir}";
-- cgit v1.2.3
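Review bot: The rewritten curl line drops the only transfer timeout without putting a fixed one in its place and still has no `--fail`, so a stalled server now blocks the script indefinitely and an HTTP error body is written to wallpaper.tmp and then copied over wallpaper, since curl exits 0 on 4xx/5xx responses unless `-f` is given. A constant bound keeps the best-effort `|| :` semantics and avoids the broken option: `(curl -sf --max-time <seconds> -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :`. The conditional `-z wallpaper.tmp` request is unaffected by `-f`, as a 304 is not treated as a failure. The fetchWallpaper script string begins before this hunk.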