From 4b547bc4b4e61b2c1938983a41910f8b8918f139 Mon Sep 17 00:00:00 2001
From: David Thompson
Date: Thu, 16 Nov 2023 21:19:59 -0500
Subject: takemi: os: Add Laminar CI.
---
 takemi-os.scm | 43 +++++++++++++++++++++++++++++++++++++------
 1 file changed, 37 insertions(+), 6 deletions(-)
diff --git a/takemi-os.scm b/takemi-os.scm
index 693321e..f611d92 100644
--- a/takemi-os.scm
+++ b/takemi-os.scm
@@ -2,6 +2,7 @@
 (gnu packages version-control)
 (gnu services certbot)
 (gnu services cgit)
+ (gnu services ci)
 (gnu services networking)
 (gnu services ssh)
 (gnu services version-control)
@@ -88,6 +89,7 @@
 (authorized-keys
 `(("dave" ,dave-pub-key)
 ("publish" ,dave-pub-key)))))
+ ;; Git repository hosting.
 (service gitolite-service-type
 (gitolite-configuration
 (admin-pubkey dave-pub-key)
@@ -96,6 +98,10 @@
 ;; cgit will work.
 (umask #o0027)
 (git-config-keys "gitweb\\..*")))))
+ ;; Continuous integration.
+ (service laminar-service-type)
+ ;; TLS certificates. Certbot extends nginx with configuration to
+ ;; redirect all HTTP requests to HTTPS.
 (service (service-type (inherit certbot-service-type) (extensions
@@ -117,6 +123,7 @@
 (domains '("dthompson.us"
 "www.dthompson.us"
 "git.dthompson.us"
+ "ci.dthompson.us"
 "files.dthompson.us"
 "haunt.dthompson.us"))
 ;; Send SIGHUP signal to nginx to trigger a
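Review bot: `(service laminar-service-type)` in the `@@ -96,6 +98,10 @@` hunk takes the default `laminar-configuration`, and if I remember the Guix service correctly its `bind-http` default follows upstream Laminar's `*:8080`, so the daemon would also answer plain HTTP directly on port 8080 on every interface, bypassing the TLS front end the later nginx hunk puts in front of it. Pin it to the loopback address the proxy targets, `(service laminar-service-type (laminar-configuration (bind-http "127.0.0.1:8080")))`, or confirm that a host firewall already blocks 8080 from outside. The enclosing `services` list starts and ends outside this hunk.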
@@ -145,6 +152,28 @@
 (raw-content '("autoindex on;"))
 (ssl-certificate letsencrypt-cert)
 (ssl-certificate-key letsencrypt-cert-key))
+ (nginx-server-configuration
+ ;; Laminar recommends using HTTP2 here.
+ (listen '("443 ssl http2"))
+ (server-name '("ci.dthompson.us"))
+ (locations
+ (list
+ ;; Reverse proxy to Laminar daemon.
+ (nginx-location-configuration
+ (uri "/")
+ (body '("proxy_pass http://127.0.0.1:8080;" "proxy_http_version 1.1;" "proxy_set_header Connection \"\";")))
+ ;; Serve static files directly.
+ (nginx-location-configuration
+ (uri "/archive")
+ (body '("alias /var/lib/laminar/archive/;")))))
+ (ssl-certificate letsencrypt-cert)
+ (ssl-certificate-key letsencrypt-cert-key)
+ ;; Modern TLS only.
+ (raw-content
+ '("ssl_protocols TLSv1.3;" "ssl_ciphers EECDH+AESGCM:EDH+AESGCM;")))
 ;; I used to have the Haunt website under
 ;; its own subdomain, and some sites still
 ;; point to it.
@@ -159,12 +188,7 @@
 (body '("rewrite .* https://dthompson.us/projects/haunt.html permanent;")))))
 (ssl-certificate letsencrypt-cert)
 (ssl-certificate-key letsencrypt-cert-key))))))
- (service fcgiwrap-service-type
- (fcgiwrap-configuration
- ;; Use git group for read-only access to gitolite
- ;; repos.
- (group "git")
- (socket (string-append "tcp:" fcgiwrap-socket))))
+ ;; Git repository viewer.
 (let ((cgit (specification->package "cgit")))
 (service (service-type (inherit cgit-service-type)
@@ -248,6 +272,13 @@
 ("fastcgi_pass " ,fcgiwrap-socket ";"))))))
 (ssl-certificate letsencrypt-cert)
 (ssl-certificate-key letsencrypt-cert-key)))))))
+ ;; fcgriwrap wraps cgit.
+ (service fcgiwrap-service-type
+ (fcgiwrap-configuration
+ ;; Use git group for read-only access to gitolite
+ ;; repos.
+ (group "git")
+ (socket (string-append "tcp:" fcgiwrap-socket))))
 (modify-services %base-services
 (guix-service-type config =>
 (guix-configuration
-- 
cgit v1.2.3
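Review bot: The static-file location in the `ci.dthompson.us` server block has the well-known nginx alias off-by-slash misconfiguration: `(uri "/archive")` lacks the trailing slash that `alias /var/lib/laminar/archive/;` carries, so nginx maps request paths that begin with `/archive..` to `/var/lib/laminar/archive/../`, exposing whatever else under `/var/lib/laminar/` the nginx user can read. Make the prefix and the alias end the same way, `(uri "/archive/")`. Separately, the `/` location proxies the Laminar UI with no access control in front of it; the UI is read-only as far as I know, but build logs and artifacts become readable by anyone, so an `auth_basic` block or an allow-list is worth considering if that is not intended. The `ssl_ciphers` line is inert with `ssl_protocols TLSv1.3;` alone, since TLS 1.3 suites are not selected through `ssl_ciphers`; harmless, but the `;; Modern TLS only.` comment could note that only the protocol line has effect.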
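Review bot: The comment added above the relocated fcgiwrap service in the `@@ -248,6 +272,13 @@` hunk misspells the service name as `;; fcgriwrap wraps cgit.`; it should read `;; fcgiwrap wraps cgit.`. The moved configuration itself is otherwise identical to the block deleted in the `@@ -159,12 +188,7 @@` hunk.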