runner: Caddy service for cache HTTPS frontend (router-PAT-friendly ports)
This commit is contained in:
@@ -1,9 +1,11 @@
|
||||
# Runs the act_runner that listens to Gitea and spawns one job
|
||||
# container per workflow run. The job image (cargoxx-runner-job:latest)
|
||||
# is built reproducibly from runner/flake.nix — run `nix run .#load-image`
|
||||
# in this directory to load it into the host's Docker daemon before
|
||||
# starting the runner.
|
||||
version: "3.8"
|
||||
# Runs two services on the host:
|
||||
# - act_runner — polls Gitea, spawns one job container per workflow
|
||||
# run via the host docker socket. Job image built reproducibly from
|
||||
# runner/flake.nix (`nix run .#load-image`).
|
||||
# - caddy — HTTPS-fronts the binary cache (./cache/store) so
|
||||
# consumers' substituter config can read it. Custom ports because
|
||||
# the router does PAT (port-forwarding 80→CADDY_HTTP_PORT,
|
||||
# 443→CADDY_HTTPS_PORT). Set those in .env.
|
||||
services:
|
||||
runner:
|
||||
image: docker.io/gitea/act_runner:nightly
|
||||
@@ -20,12 +22,26 @@ services:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
# Binary cache — `validate-pr.yml`'s push step writes `$out` NAR
|
||||
# archives here. Named volumes (defined below) make the same
|
||||
# storage reachable from both this runner container AND every
|
||||
# job container act_runner spawns. nginx (on the host) serves
|
||||
# ./cache/store over HTTPS for consumers' substituter config.
|
||||
# storage reachable from this runner container AND every job
|
||||
# container act_runner spawns AND the caddy frontend below.
|
||||
- cargoxx-cache-store:/srv/cargoxx-cache/store
|
||||
- cargoxx-cache-keys:/srv/cargoxx-cache/keys:ro
|
||||
|
||||
caddy:
|
||||
image: docker.io/caddy:2
|
||||
restart: unless-stopped
|
||||
ports:
|
||||
- "${CADDY_HTTP_PORT:-8080}:${CADDY_HTTP_PORT:-8080}"
|
||||
- "${CADDY_HTTPS_PORT:-8443}:${CADDY_HTTPS_PORT:-8443}"
|
||||
environment:
|
||||
CADDY_HTTP_PORT: "${CADDY_HTTP_PORT:-8080}"
|
||||
CADDY_HTTPS_PORT: "${CADDY_HTTPS_PORT:-8443}"
|
||||
volumes:
|
||||
- ./Caddyfile:/etc/caddy/Caddyfile:ro
|
||||
- cargoxx-cache-store:/srv/cache:ro
|
||||
- caddy-data:/data
|
||||
- caddy-config:/config
|
||||
|
||||
volumes:
|
||||
cargoxx-cache-store:
|
||||
# Explicit name disables compose's project-prefix so spawned job
|
||||
@@ -44,3 +60,19 @@ volumes:
|
||||
type: none
|
||||
o: bind
|
||||
device: "${PWD}/cache/keys"
|
||||
caddy-data:
|
||||
# Caddy's own state: ACME account, issued certificates, OCSP
|
||||
# staples. Persist so we don't re-issue certs every restart.
|
||||
name: caddy-data
|
||||
driver: local
|
||||
driver_opts:
|
||||
type: none
|
||||
o: bind
|
||||
device: "${PWD}/caddy/data"
|
||||
caddy-config:
|
||||
name: caddy-config
|
||||
driver: local
|
||||
driver_opts:
|
||||
type: none
|
||||
o: bind
|
||||
device: "${PWD}/caddy/config"
|
||||
|
||||
Reference in New Issue
Block a user