runner: Caddy service for cache HTTPS frontend (router-PAT-friendly ports)
@@ -61,20 +61,28 @@ Self-hosted Gitea Actions runner that validates package PRs.
The `cache/` directory is gitignored. Both keys live alongside
`compose.yml`; the named volume binds use `${PWD}/cache/...`.

5. **(optional) Front the store with Caddy** so substituters can read it.
A ready-to-edit `Caddyfile.example` ships in this directory — copy
into `/etc/caddy/Caddyfile` (or `import` it) and reload:
5. **Pick the Caddy ports.** `compose.yml` runs Caddy alongside the
runner to HTTPS-front the cache. Because the router does PAT, the
*internal* ports Caddy listens on must equal whatever 80/443 are
forwarded to. Add to `.env`:

```sh
sudo install -m644 Caddyfile.example /etc/caddy/conf.d/cargoxx-cache
sudo systemctl reload caddy
```env
CADDY_HTTP_PORT=8080
CADDY_HTTPS_PORT=8443
```

Caddy auto-provisions a Let's Encrypt cert. Consumers later need
`substituters = https://cache.cargoxx.<your-domain>` and
`trusted-public-keys = <contents of cache.pub>` in their nix config
— those go into the cargoxx wrapper (`cargoxx`'s own `flake.nix`),
so any user installing the bundled cargoxx picks them up.
Both compose.yml and the Caddyfile pick those up. The Caddyfile
already targets `cache.cargoxx.amadey.xyz` and the e-mail
`vorontsov@amadey.xyz`; edit if you're deploying somewhere else.

ACME provisioning works as long as the router forwards 80 →
CADDY_HTTP_PORT and 443 → CADDY_HTTPS_PORT, so Let's Encrypt's
HTTP-01 challenge reaches Caddy.

Consumers' substituter config (`substituters = https://cache.<domain>`,
`trusted-public-keys = <cache.pub>`) is baked into cargoxx's own
wrapper (`cargoxx/flake.nix:cargoxxNixConfig`), so any installed
`cargoxx` binary picks them up — no per-user setup needed.

6. **Start the runner**:

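Review bot: the rewritten step 5 hardcodes one deployment's identity in the Caddyfile (`cache.cargoxx.amadey.xyz` and the ACME contact `vorontsov@amadey.xyz`) and tells the reader to edit the file, while the ports are read from `.env`. Since compose.yml and the Caddyfile already pick up `CADDY_HTTP_PORT` / `CADDY_HTTPS_PORT`, the host name and ACME e-mail should be fed the same way (for example two more `.env` keys next to the port ones, names up to the project), so a fork does not ship somebody else's domain and mailbox and the Caddyfile stays deployment-neutral; the "edit if you're deploying somewhere else" sentence then goes away. The ACME paragraph also overstates what the challenge needs: Let's Encrypt's HTTP-01 challenge only requires the 80 → CADDY_HTTP_PORT forward; 443 → CADDY_HTTPS_PORT is what substituters use to fetch from the cache, not what the challenge depends on, so the two forwards are worth stating separately. Finally, the old step was marked "(optional)" and installed into the host's `/etc/caddy/conf.d`; the new text silently makes the compose-managed Caddy mandatory, which deserves a sentence for anyone who already runs a host Caddy on the same box.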