system-configuration

system-configuration/modules/config/cuirass.scm

cuirass.scm

;;; Tyreunom's system administration and configuration tools.
;;;
;;; Copyright © 2020 Julien Lepiller <julien@lepiller.eu>
;;;
;;; This program is free software: you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published by
;;; the Free Software Foundation, either version 3 of the License, or
;;; (at your option) any later version.
;;;
;;; This program is distributed in the hope that it will be useful,
;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.

;;
;; Cuirass service type and related configurations (web, ...)
;;

(define-module (config cuirass)
  #:use-module (guix gexp)
  #:use-module (gnu services)
  #:use-module (gnu services base)
  #:use-module (gnu services cuirass)
  #:use-module (gnu services web)
  #:export (cuirass-services
            %cuirass-extra-content))

(define %publish-port 3000)
(define %publish-url
  (string-append "http://localhost:" (number->string %publish-port)))

(define* (guix-input name #:optional (branch "master"))
  `((#:name . ,name)
    (#:url . "https://git.savannah.gnu.org/git/guix.git")
    (#:load-path . ".")
    (#:branch . ,branch)
    (#:no-compile? . #t)))

(define %cuirass-specifications
  #~(list
      '((#:name "guix-modular-master")
        (#:load-path-inputs . ())
        (#:package-path-inputs . ())
        (#:proc-input . "guix-modular")
        (#:proc-file . "build-aux/cuirass/guix-modular.scm")
        (#:proc . cuirass-jobs)
        (#:proc-args (systems . ("x86_64-linux")))
        (#:inputs . (#$(guix-input "guix-modular" "master"))))
      '((#:name "master")
        (#:load-path-inputs . ())
        (#:package-path-inputs . ())
        (#:proc-input . "guix")
        (#:proc-file . "build-aux/cuirass/gnu-system.scm")
        (#:proc . cuirass-jobs)
        (#:proc-args (subset . "all") (systems . ("x86_64-linux")))
        (#:inputs . (#$(guix-input "guix" "master"))))))

(define (publish-locations url)
  "Return the nginx location blocks for 'guix publish' running on URL."
  (list (nginx-location-configuration
         (uri "/nix-cache-info")
         (body
          (list
           (string-append
            "proxy_pass " url "/nix-cache-info;")
           ;; Cache this file since that's always the first thing we ask
           ;; for.
           "proxy_cache static;"
           "proxy_cache_valid 200 100d;"     ; cache hits for a looong time.
           "proxy_cache_valid any 5m;"       ; cache misses/others for 5 min.
           "proxy_ignore_client_abort on;"

           ;; We need to hide and ignore the Set-Cookie header to enable
           ;; caching.
           "proxy_hide_header    Set-Cookie;"
           "proxy_ignore_headers Set-Cookie;")))

        (nginx-location-configuration
         (uri "/nar/")
         (body
          (list
           (string-append "proxy_pass " url ";")
           "client_body_buffer_size 256k;"

           ;; Be more tolerant of delays when fetching a nar.
           "proxy_read_timeout 60s;"
           "proxy_send_timeout 60s;"

           ;; Enable caching for nar files, to avoid reconstructing and
           ;; recompressing archives.
           "proxy_cache nar;"
           "proxy_cache_valid 200 30d;"           ; cache hits for 1 month
           "proxy_cache_valid 504 3m;" ; timeout, when hydra.gnu.org is overloaded
           "proxy_cache_valid any 1h;" ; cache misses/others for 1h.

           "proxy_ignore_client_abort on;"

           ;; Nars are already compressed.
           "gzip off;"

           ;; We need to hide and ignore the Set-Cookie header to enable
           ;; caching.
           "proxy_hide_header    Set-Cookie;"
           "proxy_ignore_headers Set-Cookie;"

           ;; Provide a 'content-length' header so that 'guix
           ;; substitute-binary' knows upfront how much it is downloading.
           ;; "add_header Content-Length $body_bytes_sent;"
           )))

        (nginx-location-configuration
         (uri "~ \\.narinfo$")
         (body
          (list
           ;; Since 'guix publish' has its own caching, and since it relies
           ;; on the atime of cached narinfos to determine whether a
           ;; narinfo can be removed from the cache, don't do any caching
           ;; here.
           (string-append "proxy_pass " url ";")

           ;; For HTTP pipelining.  This has a dramatic impact on
           ;; performance.
           "client_body_buffer_size 128k;"

           ;; Narinfos requests are short, serve many of them on a
           ;; connection.
           "keepalive_requests 600;"

           ;; Do not tolerate slowness of hydra.gnu.org when fetching
           ;; narinfos: better return 504 quickly than wait forever.
           "proxy_connect_timeout 2s;"
           "proxy_read_timeout 2s;"
           "proxy_send_timeout 2s;"

           ;; 'guix publish --ttl' produces a 'Cache-Control' header for
           ;; use by 'guix substitute'.  Let it through rather than use
           ;; nginx's "expire" directive since the expiration time defined
           ;; by 'guix publish' is the right one.
           "proxy_pass_header Cache-Control;"

           "proxy_ignore_client_abort on;"

           ;; We need to hide and ignore the Set-Cookie header to enable
           ;; caching.
           "proxy_hide_header    Set-Cookie;"
           "proxy_ignore_headers Set-Cookie;")))

        (nginx-location-configuration
         (uri "/log/")
         (body
          (list
           (string-append "proxy_pass " url ";")

           ;; Enable caching for build logs.
           "proxy_cache logs;"
           "proxy_cache_valid 200 60d;"           ; cache hits.
           "proxy_cache_valid 504 3m;" ; timeout, when hydra.gnu.org is overloaded
           "proxy_cache_valid any 1h;" ; cache misses/others.

           "proxy_ignore_client_abort on;"

           ;; We need to hide and ignore the Set-Cookie header to enable
           ;; caching.
           "proxy_hide_header    Set-Cookie;"
           "proxy_ignore_headers Set-Cookie;")))

        ;; Content-addressed files served by 'guix publish'.
        (nginx-location-configuration
         (uri "/file/")
         (body
          (list
           (string-append "proxy_pass " url ";")

           "proxy_cache cas;"
           "proxy_cache_valid 200 200d;"          ; cache hits
           "proxy_cache_valid any 5m;"            ; cache misses/others

           "proxy_ignore_client_abort on;")))))

(define (cuirass-locations publish-url)
  "Return nginx location blocks with 'guix publish' reachable at
PUBLISH-URL."
  (append (publish-locations publish-url)
          (list
           ;; Cuirass.
           (nginx-location-configuration
            (uri "/")
            (body (list "proxy_pass http://localhost:8081;")))
           (nginx-location-configuration
            (uri "~ ^/admin")
            (body
             (list "if ($ssl_client_verify != SUCCESS) { return 403; } proxy_pass http://localhost:8081;")))

           (nginx-location-configuration
            (uri "/static")
            (body
             (list
              "proxy_pass http://localhost:8081;"
              ;; Let browsers cache this for a while.
              "expires 10d;"
              ;; Cache quite aggressively.
              "proxy_cache static;"
              "proxy_cache_valid 200 5d;"
              "proxy_cache_valid any 10m;"
              "proxy_ignore_client_abort on;")))

           (nginx-location-configuration          ;certbot
            (uri "/.well-known")
            (body (list "root /var/www;")))

           (nginx-location-configuration
            (uri "/berlin.guixsd.org-export.pub")
            (body
             (list "root /var/www/guix;"))))))

(define %cuirass-extra-content
  (list
    "default_type application/octet-stream;"
    "sendfile on;"
    "sendfile_max_chunk 1m;"
    "keepalive_timeout  65;"
    "proxy_http_version 1.1;"

    ;; cache for nar files
    "proxy_cache_path /var/cache/nginx/nar"
    "     levels=2"
    "     inactive=8d"       ; inactive keys removed after 8d
    "     keys_zone=nar:4m"  ; nar cache meta data: ~32K keys
    "     max_size=10g;"     ; total cache data size max

    ;; cache for content-addressed-files
    "proxy_cache_path /var/cache/nginx/cas"
    "     levels=2"
    "     inactive=180d"     ; inactive keys removed after 180d
    "     keys_zone=cas:8m"  ; nar cache meta data: ~64K keys
    "     max_size=50g;"         ; total cache data size max

    ;; cache for build logs
    "proxy_cache_path /var/cache/nginx/logs"
    "     levels=2"
    "     inactive=60d"          ; inactive keys removed after 60d
    "     keys_zone=logs:8m"     ; narinfo meta data: ~64K keys
    "     max_size=4g;"          ; total cache data size max

    ;; cache for static data
    "proxy_cache_path /var/cache/nginx/static"
    "     levels=1"
    "     inactive=10d"         ; inactive keys removed after 10d
    "     keys_zone=static:1m"   ; nar cache meta data: ~8K keys
    "     max_size=200m;"        ; total cache data size max

    ;; Cache timeouts for a little while to avoid increasing pressure.
    "proxy_cache_valid 504 30s;"))

(define (cuirass-services root certificate key)
  (list
    (simple-service 'guix-http-server nginx-service-type
      (list (nginx-server-configuration
              (ssl-certificate certificate)
              (ssl-certificate-key key)
              (listen '("443 ssl http2" "[::]:443 ssl http2"))
              (server-name (list root))
              (locations (cuirass-locations %publish-url)))))
    (service guix-publish-service-type
      (guix-publish-configuration
        (compression '(("lzip" 3) ("gzip" 3)))
        (port %publish-port)))
    (service cuirass-service-type
      (cuirass-configuration
        (ttl (* 30 24 3600))
        (specifications %cuirass-specifications)))))


1	;;; Tyreunom's system administration and configuration tools.
2	;;;
3	;;; Copyright © 2020 Julien Lepiller <julien@lepiller.eu>
4	;;;
5	;;; This program is free software: you can redistribute it and/or modify
6	;;; it under the terms of the GNU General Public License as published by
7	;;; the Free Software Foundation, either version 3 of the License, or
8	;;; (at your option) any later version.
9	;;;
10	;;; This program is distributed in the hope that it will be useful,
11	;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
12	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13	;;; GNU General Public License for more details.
14	;;;
15	;;; You should have received a copy of the GNU General Public License
16	;;; along with this program. If not, see <http://www.gnu.org/licenses/>.
17
18	;;
19	;; Cuirass service type and related configurations (web, ...)
20	;;
21
22	(define-module (config cuirass)
23	#:use-module (guix gexp)
24	#:use-module (gnu services)
25	#:use-module (gnu services base)
26	#:use-module (gnu services cuirass)
27	#:use-module (gnu services web)
28	#:export (cuirass-services
29	%cuirass-extra-content))
30
31	(define %publish-port 3000)
32	(define %publish-url
33	(string-append "http://localhost:" (number->string %publish-port)))
34
35	(define* (guix-input name #:optional (branch "master"))
36	`((#:name . ,name)
37	(#:url . "https://git.savannah.gnu.org/git/guix.git")
38	(#:load-path . ".")
39	(#:branch . ,branch)
40	(#:no-compile? . #t)))
41
42	(define %cuirass-specifications
43	#~(list
44	'((#:name "guix-modular-master")
45	(#:load-path-inputs . ())
46	(#:package-path-inputs . ())
47	(#:proc-input . "guix-modular")
48	(#:proc-file . "build-aux/cuirass/guix-modular.scm")
49	(#:proc . cuirass-jobs)
50	(#:proc-args (systems . ("x86_64-linux")))
51	(#:inputs . (#$(guix-input "guix-modular" "master"))))
52	'((#:name "master")
53	(#:load-path-inputs . ())
54	(#:package-path-inputs . ())
55	(#:proc-input . "guix")
56	(#:proc-file . "build-aux/cuirass/gnu-system.scm")
57	(#:proc . cuirass-jobs)
58	(#:proc-args (subset . "all") (systems . ("x86_64-linux")))
59	(#:inputs . (#$(guix-input "guix" "master"))))))
60
61	(define (publish-locations url)
62	"Return the nginx location blocks for 'guix publish' running on URL."
63	(list (nginx-location-configuration
64	(uri "/nix-cache-info")
65	(body
66	(list
67	(string-append
68	"proxy_pass " url "/nix-cache-info;")
69	;; Cache this file since that's always the first thing we ask
70	;; for.
71	"proxy_cache static;"
72	"proxy_cache_valid 200 100d;" ; cache hits for a looong time.
73	"proxy_cache_valid any 5m;" ; cache misses/others for 5 min.
74	"proxy_ignore_client_abort on;"
75
76	;; We need to hide and ignore the Set-Cookie header to enable
77	;; caching.
78	"proxy_hide_header Set-Cookie;"
79	"proxy_ignore_headers Set-Cookie;")))
80
81	(nginx-location-configuration
82	(uri "/nar/")
83	(body
84	(list
85	(string-append "proxy_pass " url ";")
86	"client_body_buffer_size 256k;"
87
88	;; Be more tolerant of delays when fetching a nar.
89	"proxy_read_timeout 60s;"
90	"proxy_send_timeout 60s;"
91
92	;; Enable caching for nar files, to avoid reconstructing and
93	;; recompressing archives.
94	"proxy_cache nar;"
95	"proxy_cache_valid 200 30d;" ; cache hits for 1 month
96	"proxy_cache_valid 504 3m;" ; timeout, when hydra.gnu.org is overloaded
97	"proxy_cache_valid any 1h;" ; cache misses/others for 1h.
98
99	"proxy_ignore_client_abort on;"
100
101	;; Nars are already compressed.
102	"gzip off;"
103
104	;; We need to hide and ignore the Set-Cookie header to enable
105	;; caching.
106	"proxy_hide_header Set-Cookie;"
107	"proxy_ignore_headers Set-Cookie;"
108
109	;; Provide a 'content-length' header so that 'guix
110	;; substitute-binary' knows upfront how much it is downloading.
111	;; "add_header Content-Length $body_bytes_sent;"
112	)))
113
114	(nginx-location-configuration
115	(uri "~ \\.narinfo$")
116	(body
117	(list
118	;; Since 'guix publish' has its own caching, and since it relies
119	;; on the atime of cached narinfos to determine whether a
120	;; narinfo can be removed from the cache, don't do any caching
121	;; here.
122	(string-append "proxy_pass " url ";")
123
124	;; For HTTP pipelining. This has a dramatic impact on
125	;; performance.
126	"client_body_buffer_size 128k;"
127
128	;; Narinfos requests are short, serve many of them on a
129	;; connection.
130	"keepalive_requests 600;"
131
132	;; Do not tolerate slowness of hydra.gnu.org when fetching
133	;; narinfos: better return 504 quickly than wait forever.
134	"proxy_connect_timeout 2s;"
135	"proxy_read_timeout 2s;"
136	"proxy_send_timeout 2s;"
137
138	;; 'guix publish --ttl' produces a 'Cache-Control' header for
139	;; use by 'guix substitute'. Let it through rather than use
140	;; nginx's "expire" directive since the expiration time defined
141	;; by 'guix publish' is the right one.
142	"proxy_pass_header Cache-Control;"
143
144	"proxy_ignore_client_abort on;"
145
146	;; We need to hide and ignore the Set-Cookie header to enable
147	;; caching.
148	"proxy_hide_header Set-Cookie;"
149	"proxy_ignore_headers Set-Cookie;")))
150
151	(nginx-location-configuration
152	(uri "/log/")
153	(body
154	(list
155	(string-append "proxy_pass " url ";")
156
157	;; Enable caching for build logs.
158	"proxy_cache logs;"
159	"proxy_cache_valid 200 60d;" ; cache hits.
160	"proxy_cache_valid 504 3m;" ; timeout, when hydra.gnu.org is overloaded
161	"proxy_cache_valid any 1h;" ; cache misses/others.
162
163	"proxy_ignore_client_abort on;"
164
165	;; We need to hide and ignore the Set-Cookie header to enable
166	;; caching.
167	"proxy_hide_header Set-Cookie;"
168	"proxy_ignore_headers Set-Cookie;")))
169
170	;; Content-addressed files served by 'guix publish'.
171	(nginx-location-configuration
172	(uri "/file/")
173	(body
174	(list
175	(string-append "proxy_pass " url ";")
176
177	"proxy_cache cas;"
178	"proxy_cache_valid 200 200d;" ; cache hits
179	"proxy_cache_valid any 5m;" ; cache misses/others
180
181	"proxy_ignore_client_abort on;")))))
182
183	(define (cuirass-locations publish-url)
184	"Return nginx location blocks with 'guix publish' reachable at
185	PUBLISH-URL."
186	(append (publish-locations publish-url)
187	(list
188	;; Cuirass.
189	(nginx-location-configuration
190	(uri "/")
191	(body (list "proxy_pass http://localhost:8081;")))
192	(nginx-location-configuration
193	(uri "~ ^/admin")
194	(body
195	(list "if ($ssl_client_verify != SUCCESS) { return 403; } proxy_pass http://localhost:8081;")))
196
197	(nginx-location-configuration
198	(uri "/static")
199	(body
200	(list
201	"proxy_pass http://localhost:8081;"
202	;; Let browsers cache this for a while.
203	"expires 10d;"
204	;; Cache quite aggressively.
205	"proxy_cache static;"
206	"proxy_cache_valid 200 5d;"
207	"proxy_cache_valid any 10m;"
208	"proxy_ignore_client_abort on;")))
209
210	(nginx-location-configuration ;certbot
211	(uri "/.well-known")
212	(body (list "root /var/www;")))
213
214	(nginx-location-configuration
215	(uri "/berlin.guixsd.org-export.pub")
216	(body
217	(list "root /var/www/guix;"))))))
218
219	(define %cuirass-extra-content
220	(list
221	"default_type application/octet-stream;"
222	"sendfile on;"
223	"sendfile_max_chunk 1m;"
224	"keepalive_timeout 65;"
225	"proxy_http_version 1.1;"
226
227	;; cache for nar files
228	"proxy_cache_path /var/cache/nginx/nar"
229	" levels=2"
230	" inactive=8d" ; inactive keys removed after 8d
231	" keys_zone=nar:4m" ; nar cache meta data: ~32K keys
232	" max_size=10g;" ; total cache data size max
233
234	;; cache for content-addressed-files
235	"proxy_cache_path /var/cache/nginx/cas"
236	" levels=2"
237	" inactive=180d" ; inactive keys removed after 180d
238	" keys_zone=cas:8m" ; nar cache meta data: ~64K keys
239	" max_size=50g;" ; total cache data size max
240
241	;; cache for build logs
242	"proxy_cache_path /var/cache/nginx/logs"
243	" levels=2"
244	" inactive=60d" ; inactive keys removed after 60d
245	" keys_zone=logs:8m" ; narinfo meta data: ~64K keys
246	" max_size=4g;" ; total cache data size max
247
248	;; cache for static data
249	"proxy_cache_path /var/cache/nginx/static"
250	" levels=1"
251	" inactive=10d" ; inactive keys removed after 10d
252	" keys_zone=static:1m" ; nar cache meta data: ~8K keys
253	" max_size=200m;" ; total cache data size max
254
255	;; Cache timeouts for a little while to avoid increasing pressure.
256	"proxy_cache_valid 504 30s;"))
257
258	(define (cuirass-services root certificate key)
259	(list
260	(simple-service 'guix-http-server nginx-service-type
261	(list (nginx-server-configuration
262	(ssl-certificate certificate)
263	(ssl-certificate-key key)
264	(listen '("443 ssl http2" "[::]:443 ssl http2"))
265	(server-name (list root))
266	(locations (cuirass-locations %publish-url)))))
267	(service guix-publish-service-type
268	(guix-publish-configuration
269	(compression '(("lzip" 3) ("gzip" 3)))
270	(port %publish-port)))
271	(service cuirass-service-type
272	(cuirass-configuration
273	(ttl (* 30 24 3600))
274	(specifications %cuirass-specifications)))))
275