authorDavid Thompson <dthompson2@worcester.edu>2023-11-16 21:19:59 -0500
committerDavid Thompson <dthompson2@worcester.edu>2023-11-16 21:19:59 -0500
commit4b547bc4b4e61b2c1938983a41910f8b8918f139 (patch)
treef8f016c416682bd308a790f522a273ec779fc2d4
parent67585e86f70474ed5b725625252b21086bf54011 (diff)
takemi: os: Add Laminar CI.
-rw-r--r--takemi-os.scm43
1 files changed, 37 insertions, 6 deletions
diff --git a/takemi-os.scm b/takemi-os.scm
index 693321e..f611d92 100644
--- a/takemi-os.scm
+++ b/takemi-os.scm
@@ -2,6 +2,7 @@
(gnu packages version-control)
(gnu services certbot)
(gnu services cgit)
+ (gnu services ci)
(gnu services networking)
(gnu services ssh)
(gnu services version-control)
@@ -88,6 +89,7 @@
(authorized-keys
`(("dave" ,dave-pub-key)
("publish" ,dave-pub-key)))))
+ ;; Git repository hosting.
(service gitolite-service-type
(gitolite-configuration
(admin-pubkey dave-pub-key)
@@ -96,6 +98,10 @@
;; cgit will work.
(umask #o0027)
(git-config-keys "gitweb\\..*")))))
+ ;; Continuous integration.
+ (service laminar-service-type)
+ ;; TLS certificates. Certbot extends nginx with configuration to
+ ;; redirect all HTTP requests to HTTPS.
(service (service-type
(inherit certbot-service-type)
(extensions
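Review bot: `(service laminar-service-type)` uses the default `laminar-configuration`, and as far as I know the Guix default for `bind-http` is `*:8080`, so laminard would listen on every interface in plain HTTP rather than only behind the nginx proxy added later in this commit. Unless a firewall defined outside this file blocks port 8080, the CI frontend would be reachable without TLS. Binding it to loopback matches the `proxy_pass http://127.0.0.1:8080;` target: `(service laminar-service-type (laminar-configuration (bind-http "127.0.0.1:8080")))`.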
@@ -117,6 +123,7 @@
(domains '("dthompson.us"
"www.dthompson.us"
"git.dthompson.us"
+ "ci.dthompson.us"
"files.dthompson.us"
"haunt.dthompson.us"))
;; Send SIGHUP signal to nginx to trigger a
@@ -145,6 +152,28 @@
(raw-content '("autoindex on;"))
(ssl-certificate letsencrypt-cert)
(ssl-certificate-key letsencrypt-cert-key))
+ (nginx-server-configuration
+ ;; Laminar recommends using HTTP2 here.
+ (listen '("443 ssl http2"))
+ (server-name '("ci.dthompson.us"))
+ (locations
+ (list
+ ;; Reverse proxy to Laminar daemon.
+ (nginx-location-configuration
+ (uri "/")
+ (body '("proxy_pass http://127.0.0.1:8080;"
+ "proxy_http_version 1.1;"
+ "proxy_set_header Connection \"\";")))
+ ;; Serve static files directly.
+ (nginx-location-configuration
+ (uri "/archive")
+ (body '("alias /var/lib/laminar/archive/;")))))
+ (ssl-certificate letsencrypt-cert)
+ (ssl-certificate-key letsencrypt-cert-key)
+ ;; Modern TLS only.
+ (raw-content
+ '("ssl_protocols TLSv1.3;"
+ "ssl_ciphers EECDH+AESGCM:EDH+AESGCM;")))
;; I used to have the Haunt website under
;; its own subdomain, and some sites still
;; point to it.
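Review bot: The archive location pairs a prefix with no trailing slash, `(uri "/archive")`, with an alias that has one, `alias /var/lib/laminar/archive/;`. This is the known nginx alias mismatch where a request path that continues past the prefix can resolve outside the archive directory, elsewhere under /var/lib/laminar. Changing the prefix to `(uri "/archive/")` keeps the mapping inside the archive directory. Separately, `ssl_protocols TLSv1.3;` in a single server block may not take effect if this virtual host shares the 443 listen socket with the others and is not the default server, depending on the nginx version. `ssl_ciphers` also does not select TLS 1.3 suites, so the "Modern TLS only" comment should be checked against the running server.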
@@ -159,12 +188,7 @@
(body '("rewrite .* https://dthompson.us/projects/haunt.html permanent;")))))
(ssl-certificate letsencrypt-cert)
(ssl-certificate-key letsencrypt-cert-key))))))
- (service fcgiwrap-service-type
- (fcgiwrap-configuration
- ;; Use git group for read-only access to gitolite
- ;; repos.
- (group "git")
- (socket (string-append "tcp:" fcgiwrap-socket))))
+ ;; Git repository viewer.
(let ((cgit (specification->package "cgit")))
(service (service-type
(inherit cgit-service-type)
@@ -248,6 +272,13 @@
("fastcgi_pass " ,fcgiwrap-socket ";"))))))
(ssl-certificate letsencrypt-cert)
(ssl-certificate-key letsencrypt-cert-key)))))))
+ ;; fcgriwrap wraps cgit.
+ (service fcgiwrap-service-type
+ (fcgiwrap-configuration
+ ;; Use git group for read-only access to gitolite
+ ;; repos.
+ (group "git")
+ (socket (string-append "tcp:" fcgiwrap-socket))))
(modify-services %base-services
(guix-service-type config =>
(guix-configuration
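Review bot: The new comment misspells the service name; `;; fcgriwrap wraps cgit.` should read `;; fcgiwrap wraps cgit.`. The service block itself is moved unchanged from earlier in the file. Because it listens on a TCP socket and runs with the `git` group, it is worth confirming that `fcgiwrap-socket`, which is defined outside this hunk, is a loopback address.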