puyak.r: add cache.nsupdate.info
This commit is contained in:
parent
c4bdac09df
commit
b073ee1fd4
@ -10,6 +10,7 @@
|
|||||||
<stockholm/krebs/2configs/stats/puyak-client.nix>
|
<stockholm/krebs/2configs/stats/puyak-client.nix>
|
||||||
<stockholm/krebs/2configs/binary-cache/nixos.nix>
|
<stockholm/krebs/2configs/binary-cache/nixos.nix>
|
||||||
<stockholm/krebs/2configs/binary-cache/prism.nix>
|
<stockholm/krebs/2configs/binary-cache/prism.nix>
|
||||||
|
<stockholm/krebs/2configs/cache.nsupdate.info.nix>
|
||||||
<stockholm/krebs/2configs/go.nix>
|
<stockholm/krebs/2configs/go.nix>
|
||||||
<stockholm/krebs/2configs/ircd.nix>
|
<stockholm/krebs/2configs/ircd.nix>
|
||||||
<stockholm/krebs/2configs/news.nix>
|
<stockholm/krebs/2configs/news.nix>
|
||||||
|
33
krebs/2configs/cache.nsupdate.info.nix
Normal file
33
krebs/2configs/cache.nsupdate.info.nix
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
{lib, ... }:
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
domain = "cache.nsupdate.info";
|
||||||
|
in {
|
||||||
|
# This only works for a single domain for nsupdate.info as multiple usernames
|
||||||
|
# and passwords are required for multiple domains
|
||||||
|
services.ddclient = {
|
||||||
|
enable = true;
|
||||||
|
server = "ipv4.nsupdate.info";
|
||||||
|
username = domain;
|
||||||
|
password = import ((toString <secrets>) + "/nsupdate-cache.nix");
|
||||||
|
domains = [ domain ];
|
||||||
|
use= "if, if=et0";
|
||||||
|
# use = "web, web=http://ipv4.nsupdate.info/myip";
|
||||||
|
|
||||||
|
};
|
||||||
|
krebs.cachecache = {
|
||||||
|
enable = true;
|
||||||
|
enableSSL = false; # disable letsencrypt for testing
|
||||||
|
cacheDir = "/var/cache/nix-cache-cache";
|
||||||
|
maxSize = "10g";
|
||||||
|
|
||||||
|
# assumes that the domain is reachable from the internet
|
||||||
|
virtualHost = domain;
|
||||||
|
};
|
||||||
|
|
||||||
|
boot.kernelModules = [ "tcp_bbr" ];
|
||||||
|
|
||||||
|
boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
|
||||||
|
boot.kernel.sysctl."net.core.default_qdisc" = "fq";
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
|
}
|
171
krebs/3modules/cachecache.nix
Normal file
171
krebs/3modules/cachecache.nix
Normal file
@ -0,0 +1,171 @@
|
|||||||
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
|
||||||
|
# fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
|
||||||
|
# related: https://github.com/nh2/nix-binary-cache-proxy
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
|
||||||
|
let
|
||||||
|
|
||||||
|
cfg = config.krebs.cachecache;
|
||||||
|
|
||||||
|
nginxCfg = config.services.nginx;
|
||||||
|
|
||||||
|
cacheFallbackConfig = {
|
||||||
|
proxyPass = "$upstream_endpoint";
|
||||||
|
extraConfig = ''
|
||||||
|
# Default is HTTP/1, keepalive is only enabled in HTTP/1.1.
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
|
||||||
|
# Remove the Connection header if the client sends it, it could
|
||||||
|
# be "close" to close a keepalive connection
|
||||||
|
proxy_set_header Connection "";
|
||||||
|
|
||||||
|
# Needed for CloudFront.
|
||||||
|
proxy_ssl_server_name on;
|
||||||
|
|
||||||
|
proxy_set_header Host $proxy_host;
|
||||||
|
proxy_cache nix_cache_cache;
|
||||||
|
proxy_cache_valid 200 302 60m;
|
||||||
|
proxy_cache_valid 404 1m;
|
||||||
|
|
||||||
|
expires max;
|
||||||
|
add_header Cache-Control $nix_cache_cache_header always;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
|
options = {
|
||||||
|
krebs.cachecache = {
|
||||||
|
enable = mkEnableOption "Nix binary cache cache";
|
||||||
|
|
||||||
|
virtualHost = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "nix-cache";
|
||||||
|
description = ''
|
||||||
|
Name of the nginx virtualhost to use and setup. If null, do
|
||||||
|
not setup any virtualhost.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
enableSSL = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = true;
|
||||||
|
description = ''
|
||||||
|
enable SSL via letsencrypt. Requires working dns resolution and open
|
||||||
|
internet tls port.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# webRoot = mkOption {
|
||||||
|
# type = types.str;
|
||||||
|
# default = "/";
|
||||||
|
# description = ''
|
||||||
|
# Directory on virtual host that serves the cache. Must end in
|
||||||
|
# <literal>/</literal>.
|
||||||
|
# '';
|
||||||
|
# };
|
||||||
|
|
||||||
|
resolver = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = "Address of DNS resolver.";
|
||||||
|
default = "8.8.8.8 ipv6=off";
|
||||||
|
example = "127.0.0.1 ipv6=off";
|
||||||
|
};
|
||||||
|
|
||||||
|
cacheDir = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "/var/cache/nix-cache-cache";
|
||||||
|
description = ''
|
||||||
|
Where nginx should store cached data.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
maxSize = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "50g";
|
||||||
|
description = "Maximum cache size.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = {
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
|
|
||||||
|
|
||||||
|
systemd.services.nginx.preStart = ''
|
||||||
|
mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
|
||||||
|
chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
|
||||||
|
chown ${nginxCfg.user}:${nginxCfg.group} \
|
||||||
|
${cfg.cacheDir} /srv/www/nix-cache-cache
|
||||||
|
'';
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
appendHttpConfig = ''
|
||||||
|
proxy_cache_path ${cfg.cacheDir}
|
||||||
|
levels=1:2
|
||||||
|
keys_zone=nix_cache_cache:100m
|
||||||
|
max_size=${cfg.maxSize}
|
||||||
|
inactive=365d
|
||||||
|
use_temp_path=off;
|
||||||
|
|
||||||
|
# Cache only success status codes; in particular we don't want
|
||||||
|
# to cache 404s. See https://serverfault.com/a/690258/128321.
|
||||||
|
map $status $nix_cache_cache_header {
|
||||||
|
200 "public";
|
||||||
|
302 "public";
|
||||||
|
default "no-cache";
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
|
||||||
|
virtualHosts.${cfg.virtualHost} = {
|
||||||
|
addSSL = cfg.enableSSL;
|
||||||
|
enableACME = cfg.enableSSL;
|
||||||
|
extraConfig = ''
|
||||||
|
# Using a variable for the upstream endpoint to ensure that it is
|
||||||
|
# resolved at runtime as opposed to once when the config file is loaded
|
||||||
|
# and then cached forever (we don't want that):
|
||||||
|
# see https://tenzer.dk/nginx-with-dynamic-upstreams/
|
||||||
|
# This fixes errors like
|
||||||
|
#
|
||||||
|
# nginx: [emerg] host not found in upstream "upstream.example.com"
|
||||||
|
#
|
||||||
|
# when the upstream host is not reachable for a short time when
|
||||||
|
# nginx is started.
|
||||||
|
resolver ${cfg.resolver} valid=10s;
|
||||||
|
set $upstream_endpoint https://cache.nixos.org;
|
||||||
|
'';
|
||||||
|
|
||||||
|
locations."/" =
|
||||||
|
{
|
||||||
|
root = "/srv/www/nix-cache-cache";
|
||||||
|
extraConfig = ''
|
||||||
|
expires max;
|
||||||
|
add_header Cache-Control $nix_cache_cache_header always;
|
||||||
|
|
||||||
|
# Ask the upstream server if a file isn't available
|
||||||
|
# locally.
|
||||||
|
error_page 404 = @fallback;
|
||||||
|
|
||||||
|
# Don't bother logging the above 404.
|
||||||
|
log_not_found off;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
locations."@fallback" = cacheFallbackConfig;
|
||||||
|
|
||||||
|
# We always want to copy cache.nixos.org's nix-cache-info
|
||||||
|
# file, and ignore our own, because `nix-push` by default
|
||||||
|
# generates one without `Priority` field, and thus that file
|
||||||
|
# by default has priority 50 (compared to cache.nixos.org's
|
||||||
|
# `Priority: 40`), which will make download clients prefer
|
||||||
|
# `cache.nixos.org` over our binary cache.
|
||||||
|
locations."= /nix-cache-info" = cacheFallbackConfig;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
@ -14,6 +14,7 @@ let
|
|||||||
./buildbot/master.nix
|
./buildbot/master.nix
|
||||||
./buildbot/slave.nix
|
./buildbot/slave.nix
|
||||||
./build.nix
|
./build.nix
|
||||||
|
./cachecache.nix
|
||||||
./charybdis.nix
|
./charybdis.nix
|
||||||
./ci.nix
|
./ci.nix
|
||||||
./current.nix
|
./current.nix
|
||||||
|
Loading…
Reference in New Issue
Block a user