hydra: Use Caddy as reverse proxy

ngi-nix · May 3, 2024 · 455919f · 455919f
1 parent 8c45f71
commit 455919f
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 88 deletions.
diff --git a/infra/makemake/configuration.nix b/infra/makemake/configuration.nix
@@ -5,7 +5,6 @@
 }: {
   imports = [
     ./hydra.nix
-    ./hydra-proxy.nix
     ./hardware.nix
   ];
 
@@ -50,7 +49,13 @@
     jq # required by numtide/terraform-deploy-nixos-flakes.
   ];
 
-  services.openssh.enable = true;
+  services = {
+    caddy = {
+      enable = true;
+      email = "ngi@nixos.org";
+    };
+    openssh.enable = true;
+  };
 
   fileSystems = {
     "/" = {

diff --git a/infra/makemake/hydra-proxy.nix b/infra/makemake/hydra-proxy.nix
diff --git a/infra/makemake/hydra.nix b/infra/makemake/hydra.nix
@@ -1,48 +1,72 @@
 let
   narCache = "/var/cache/hydra/nar-cache";
 in {
-  services.hydra-dev = {
-    enable = true;
-    logo = ./ngi-logo.svg;
-    hydraURL = "https://hydra.ngi0.nixos.org";
-    notificationSender = "ngi@nixos.org";
-    smtpHost = "localhost";
-    useSubstitutes = true;
-    extraConfig = ''
-      max_servers 15
+  services = {
+    caddy.virtualHosts."hydra.ngi0.nixos.org".extraConfig = ''
+      @encode {
+        not path /api/* /download/* /nar/*
+        not path *.gif *.jpg *.jpeg *.png *.narinfo
+      }
 
-      enable_google_login = 1
-      google_client_id = 816926039128-splu8iepg00ntgp9ngm6ic6fu8uenuir.apps.googleusercontent.com
+      reverse_proxy localhost:3000 {
+        # Required by Catalyst.
+        header_up X-Forwarded-Proto https
+        header_up X-Forwarded-Port 443
+      }
 
-      github_client_id = 18d98ddcf417b17601a1
-      github_client_secret_file = /var/lib/hydra/www/keys/hydra-github-client-secret
+      encode @encode {
+        gzip
+        zstd
+      }
 
-      store_uri = s3://ngi0-cache?secret-key=/var/lib/hydra/queue-runner/keys/cache.ngi0.nixos.org-1/secret&write-nar-listing=1&ls-compression=br&log-compression=br&region=eu-west-1
-      server_store_uri = https://cache.ngi0.nixos.org?local-nar-cache=${narCache}
-      binary_cache_public_uri = https://cache.ngi0.nixos.org
+      header {
+        Strict-Transport-Security max-age=15552000;
+      }
+    '';
 
-      <Plugin::Session>
-        cache_size = 32m
-      </Plugin::Session>
+    hydra-dev = {
+      enable = true;
+      logo = ./ngi-logo.svg;
+      hydraURL = "https://hydra.ngi0.nixos.org";
+      notificationSender = "ngi@nixos.org";
+      smtpHost = "localhost";
+      useSubstitutes = true;
+      extraConfig = ''
+        max_servers 15
 
-      # patchelf:master:3
-      xxx-jobset-repeats = nixos:reproducibility:1
+        enable_google_login = 1
+        google_client_id = 816926039128-splu8iepg00ntgp9ngm6ic6fu8uenuir.apps.googleusercontent.com
 
-      # https://monitoring.nixos.org/prometheus/graph?g0.range_input=2w&g0.expr=hydra_memory_tokens_in_use&g0.tab=0
-      nar_buffer_size = ${let gb = 8; in toString (gb * 1024 * 1024 * 1024)}
+        github_client_id = 18d98ddcf417b17601a1
+        github_client_secret_file = /var/lib/hydra/www/keys/hydra-github-client-secret
 
-      #upload_logs_to_binary_cache = true
+        store_uri = s3://ngi0-cache?secret-key=/var/lib/hydra/queue-runner/keys/cache.ngi0.nixos.org-1/secret&write-nar-listing=1&ls-compression=br&log-compression=br&region=eu-west-1
+        server_store_uri = https://cache.ngi0.nixos.org?local-nar-cache=${narCache}
+        binary_cache_public_uri = https://cache.ngi0.nixos.org
 
-      # FIXME: Cloudfront messes up CORS
-      #log_prefix = https://cache.ngi0.nixos.org/
+        <Plugin::Session>
+          cache_size = 32m
+        </Plugin::Session>
 
-      log_prefix = https://ngi0-cache.s3.eu-west-1.amazonaws.com/
+        # patchelf:master:3
+        xxx-jobset-repeats = nixos:reproducibility:1
 
-      evaluator_workers = 4
-      evaluator_max_memory_size = 4096
+        # https://monitoring.nixos.org/prometheus/graph?g0.range_input=2w&g0.expr=hydra_memory_tokens_in_use&g0.tab=0
+        nar_buffer_size = ${let gb = 8; in toString (gb * 1024 * 1024 * 1024)}
 
-      max_concurrent_evals = 2
-    '';
+        #upload_logs_to_binary_cache = true
+
+        # FIXME: Cloudfront messes up CORS
+        #log_prefix = https://cache.ngi0.nixos.org/
+
+        log_prefix = https://ngi0-cache.s3.eu-west-1.amazonaws.com/
+
+        evaluator_workers = 4
+        evaluator_max_memory_size = 4096
+
+        max_concurrent_evals = 2
+      '';
+    };
   };
 
   systemd = {