Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/buildbot/master.nix2
-rw-r--r--krebs/3modules/buildbot/slave.nix2
-rw-r--r--krebs/3modules/cachecache.nix171
-rw-r--r--krebs/3modules/ci.nix9
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/fetchWallpaper.nix9
-rw-r--r--krebs/3modules/makefu/default.nix13
7 files changed, 191 insertions, 16 deletions
diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix
index 209dbe980..8995753ac 100644
--- a/krebs/3modules/buildbot/master.nix
+++ b/krebs/3modules/buildbot/master.nix
@@ -362,7 +362,7 @@ let
# normally we should write buildbot.tac by our own
# ${pkgs.buildbot-classic}/bin/buildbot upgrade-master ${workdir}
- chmod 700 -R ${workdir}
+ chmod 700 ${workdir}
chown buildbotMaster:buildbotMaster -R ${workdir}
'';
ExecStart = "${pkgs.buildbot-classic}/bin/buildbot start --nodaemon ${workdir}";
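Review bot: The switch from `chmod 700 -R ${workdir}` to a non-recursive `chmod 700 ${workdir}` has no comment explaining the intent, while the `chown -R` on the next line stays recursive, so a reader cannot tell whether the recursion was dropped on purpose. The change is sound as far as the hunk shows (a 0700 top-level directory already keeps other users out of everything below it, and the old recursive form made every file executable), but that reasoning should be written down; a line such as `# 0700 on the top dir is enough; do not recurse, it would mark every file executable` above the chmod would do. The same change appears in the slave.nix hunk and deserves the same comment. The enclosing preStart script continues outside this hunk.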
diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix
index 544f9c4e0..c15169fba 100644
--- a/krebs/3modules/buildbot/slave.nix
+++ b/krebs/3modules/buildbot/slave.nix
@@ -166,7 +166,7 @@ let
echo ${description} > ${workdir}/info/host
chown buildbotSlave:buildbotSlave -R ${workdir}
- chmod 700 -R ${workdir}
+ chmod 700 ${workdir}
'';
ExecStart = "${pkgs.buildbot-classic-slave}/bin/buildslave start ${workdir}";
ExecStop = "${pkgs.buildbot-classic-slave}/bin/buildslave stop ${workdir}";
diff --git a/krebs/3modules/cachecache.nix b/krebs/3modules/cachecache.nix
new file mode 100644
index 000000000..989320480
--- /dev/null
+++ b/krebs/3modules/cachecache.nix
@@ -0,0 +1,171 @@
+{ config, lib, ... }:
+
+
+# fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
+# related: https://github.com/nh2/nix-binary-cache-proxy
+
+with lib;
+
+let
+
+ cfg = config.krebs.cachecache;
+
+ nginxCfg = config.services.nginx;
+
+ cacheFallbackConfig = {
+ proxyPass = "$upstream_endpoint";
+ extraConfig = ''
+ # Default is HTTP/1, keepalive is only enabled in HTTP/1.1.
+ proxy_http_version 1.1;
+
+ # Remove the Connection header if the client sends it, it could
+ # be "close" to close a keepalive connection
+ proxy_set_header Connection "";
+
+ # Needed for CloudFront.
+ proxy_ssl_server_name on;
+
+ proxy_set_header Host $proxy_host;
+ proxy_cache nix_cache_cache;
+ proxy_cache_valid 200 302 60m;
+ proxy_cache_valid 404 1m;
+
+ expires max;
+ add_header Cache-Control $nix_cache_cache_header always;
+ '';
+ };
+
+in
+
+{
+ options = {
+ krebs.cachecache = {
+ enable = mkEnableOption "Nix binary cache cache";
+
+ virtualHost = mkOption {
+ type = types.str;
+ default = "nix-cache";
+ description = ''
+ Name of the nginx virtualhost to use and setup. If null, do
+ not setup any virtualhost.
+ '';
+ };
+ enableSSL = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ enable SSL via letsencrypt. Requires working dns resolution and open
+ internet tls port.
+ '';
+ };
+
+ # webRoot = mkOption {
+ # type = types.str;
+ # default = "/";
+ # description = ''
+ # Directory on virtual host that serves the cache. Must end in
+ # <literal>/</literal>.
+ # '';
+ # };
+
+ resolver = mkOption {
+ type = types.str;
+ description = "Address of DNS resolver.";
+ default = "8.8.8.8 ipv6=off";
+ example = "127.0.0.1 ipv6=off";
+ };
+
+ cacheDir = mkOption {
+ type = types.str;
+ default = "/var/cache/nix-cache-cache";
+ description = ''
+ Where nginx should store cached data.
+ '';
+ };
+
+ maxSize = mkOption {
+ type = types.str;
+ default = "50g";
+ description = "Maximum cache size.";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+
+ systemd.services.nginx.preStart = ''
+ mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
+ chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
+ chown ${nginxCfg.user}:${nginxCfg.group} \
+ ${cfg.cacheDir} /srv/www/nix-cache-cache
+ '';
+
+ services.nginx = {
+ enable = true;
+
+ appendHttpConfig = ''
+ proxy_cache_path ${cfg.cacheDir}
+ levels=1:2
+ keys_zone=nix_cache_cache:100m
+ max_size=${cfg.maxSize}
+ inactive=365d
+ use_temp_path=off;
+
+ # Cache only success status codes; in particular we don't want
+ # to cache 404s. See https://serverfault.com/a/690258/128321.
+ map $status $nix_cache_cache_header {
+ 200 "public";
+ 302 "public";
+ default "no-cache";
+ }
+ '';
+
+ virtualHosts.${cfg.virtualHost} = {
+ addSSL = cfg.enableSSL;
+ enableACME = cfg.enableSSL;
+ extraConfig = ''
+ # Using a variable for the upstream endpoint to ensure that it is
+ # resolved at runtime as opposed to once when the config file is loaded
+ # and then cached forever (we don't want that):
+ # see https://tenzer.dk/nginx-with-dynamic-upstreams/
+ # This fixes errors like
+ #
+ # nginx: [emerg] host not found in upstream "upstream.example.com"
+ #
+ # when the upstream host is not reachable for a short time when
+ # nginx is started.
+ resolver ${cfg.resolver} valid=10s;
+ set $upstream_endpoint https://cache.nixos.org;
+ '';
+
+ locations."/" =
+ {
+ root = "/srv/www/nix-cache-cache";
+ extraConfig = ''
+ expires max;
+ add_header Cache-Control $nix_cache_cache_header always;
+
+ # Ask the upstream server if a file isn't available
+ # locally.
+ error_page 404 = @fallback;
+
+ # Don't bother logging the above 404.
+ log_not_found off;
+ '';
+ };
+
+ locations."@fallback" = cacheFallbackConfig;
+
+ # We always want to copy cache.nixos.org's nix-cache-info
+ # file, and ignore our own, because `nix-push` by default
+ # generates one without `Priority` field, and thus that file
+ # by default has priority 50 (compared to cache.nixos.org's
+ # `Priority: 40`), which will make download clients prefer
+ # `cache.nixos.org` over our binary cache.
+ locations."= /nix-cache-info" = cacheFallbackConfig;
+ };
+ };
+ };
+}
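Review bot: The fallback location enables `proxy_ssl_server_name on` but never sets `proxy_ssl_verify`, so nginx's default of `off` applies and the upstream TLS connection to `https://cache.nixos.org` set in `extraConfig` is not authenticated, while the name is resolved through the `resolver` default `8.8.8.8 ipv6=off`, an external unauthenticated DNS server. Nix clients presumably still check narinfo signatures, which limits the impact, but an unauthenticated upstream response would be cached for up to 60 minutes by `proxy_cache_valid 200 302 60m`; adding `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate` pointing at the system CA bundle (path to be confirmed for this deployment) to `cacheFallbackConfig.extraConfig` closes that. Separately, the `virtualHost` option's description says "If null, do not setup any virtualhost", but its type is `types.str` with default `"nix-cache"`, so null is rejected by the type and the description should be corrected or the type changed to `types.nullOr types.str` with the config guarded accordingly. The `proxy_cache_valid 404 1m` line also sits uneasily next to the http-config comment "we don't want to cache 404s"; if short-lived 404 caching is intended, say so in the comment.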
diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index 4cfe598d6..d8d0e7f3d 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -26,8 +26,15 @@ let
hostname = config.networking.hostName;
getJobs = pkgs.writeDash "get_jobs" ''
+ set -efu
nix-build --no-out-link --quiet -Q ./ci.nix > /dev/null
- nix-instantiate --quiet -Q --eval --strict --json ./ci.nix
+ js="$(nix-instantiate --quiet -Q --eval --strict --json ./ci.nix)"
+ echo "$js" | jq -r 'to_entries[] | [.key, .value] | @tsv' \
+ | while read -r host builder; do
+ gcroot=${shell.escape profileRoot}/$host-builder
+ ${pkgs.nix}/bin/nix-env -p "$gcroot" --set "$builder"
+ done
+ echo "$js"
'';
profileRoot = "/nix/var/nix/profiles/ci";
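Review bot: `jq` on the `echo "$js" | jq -r ...` line is invoked by bare name while `nix-env` two lines later is referenced as `${pkgs.nix}/bin/nix-env`, so the script depends on jq being on the service's PATH, which this hunk does not guarantee. Because dash has no `pipefail`, a missing or failing jq is not caught by `set -efu` either: the pipeline's status is that of the `while` loop, the GC roots are silently not set, and `echo "$js"` still reports success. Referencing it as `${pkgs.jq}/bin/jq` makes the dependency explicit and consistent with the rest of the script. The enclosing `let` block continues outside this hunk.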
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index ca67ce65c..24cbd9cc9 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -14,6 +14,7 @@ let
./buildbot/master.nix
./buildbot/slave.nix
./build.nix
+ ./cachecache.nix
./charybdis.nix
./ci.nix
./current.nix
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index f67188122..5a5065565 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -38,11 +38,6 @@ let
'';
default = {};
};
- maxTime = mkOption {
- type = types.int;
- default = 0;
- description = "Time to wait before download is aborted";
- };
};
fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
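Review bot: Removing the `maxTime` option outright, without a `mkRemovedOptionModule` entry for its option path, turns any existing configuration that sets it into an evaluation error instead of a clear deprecation message. The curl invocation in the second hunk likewise loses `--max-time` entirely, so a stalled or slow wallpaper server can block the fetch for as long as curl's own defaults allow; with the old default of `0` the previous behaviour may have been no better, but the hunk gives no rationale either way. If the option is meant to go, consider keeping a fixed `--max-time` in the script and adding the removed-option shim so users learn why their setting no longer applies. The enclosing `let` block continues outside both hunks.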
@@ -51,8 +46,8 @@ let
mkdir -p ${cfg.stateDir}
chmod o+rx ${cfg.stateDir}
cd ${cfg.stateDir}
- (curl --max-time ${toString cfg.maxTime} -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
- feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper
+ (curl -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
+ feh --no-fehbg --bg-scale wallpaper
'';
imp = {
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index bea0f1c0e..188fbc461 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -624,15 +624,16 @@ in {
"blog.makefu.r"
"blog.gum.r"
"dcpp.gum.r"
+ "torrent.gum.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAucCebFmS96WorD+Br4UQudmAhMlLpacErjwA/u2argBTT2nGHTR8
- aN4e0xf3IYLA+iogLIW/JuQfKLe8evEK21iZ3jleW8N7mbCulhasi/0lqWlirrpO
- npJAiSNF1m7ijoylkEKxtmehze+8ojprUT2hx1ImMlHMWGxvs+TmBbZBMgxAGMJh
- 6cMMDJQi+4d9XrJQ3+XUVK3MkviLA91oIAXsLdFptL6b12siUaz4StQXDJUHemBF
- 3ZwlO+W2Es69ifEhmV6NaDDRcSRdChGbHTz1OU8wYaFNaxWla/iprQQ+jEUldpcN
- VC18QGYRUAgZ0PCIpKurjWNehJFB3zXt+wIDAQAB
+ MIIBCgKCAQEAvgvzx3rT/3zLuCkzXk1ZkYBkG4lltxrLOLNivohw2XAzrYDIw/ZY
+ BTDDcD424EkNOF6g/3tIRWqvVGZ1u12WQ9A/R+2F7i1SsaE4nTxdNlQ5rjy80gO3
+ i1ZubMkTGwd1OYjJytYdcMTwM9V9/8QYFiiWqh77Xxu/FhY6PcQqwHxM7SMyZCJ7
+ 09gtZuR16ngKnKfo2tw6C3hHQtWCfORVbWQq5cmGzCb4sdIKow5BxUC855MulNsS
+ u5l+G8wX+UbDI85VSDAtOP4QaSFzLL+U0aaDAmq0NO1QiODJoCo0iPhULZQTFZUa
+ OMDYHHfqzluEI7n8ENI4WwchDXH+MstsgwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};