diff --git a/runner/Caddyfile.example b/runner/Caddyfile.example new file mode 100644 index 0000000..3e93b24 --- /dev/null +++ b/runner/Caddyfile.example @@ -0,0 +1,28 @@ +# Caddy snippet that serves the cargoxx binary cache over HTTPS. +# Append to /etc/caddy/Caddyfile (or include via `import`) and reload: +# sudo systemctl reload caddy +# +# Caddy handles cert provisioning + renewal via ACME automatically. +# Adjust the domain + the `root` path if the runner lives elsewhere. +# +# The cache is read-only here — writes happen exclusively from the +# runner job container (`nix copy --to file:///srv/cargoxx-cache/store`). + +cache.cargoxx.amadey.xyz { + root * /home/mozart/cargoxx-pkgs/runner/cache/store + file_server browse=false + + # narinfo / nar are immutable per content hash → cache aggressively. + @cache_immutable path *.narinfo *.nar.xz *.nar + header @cache_immutable Cache-Control "public, immutable, max-age=31536000" + + # Substituter probe — short cache, must reflect new entries quickly. + @cache_info path /nix-cache-info + header @cache_info Cache-Control "public, max-age=300" + + # Logs go to /var/log/caddy/cargoxx-cache.{access,error}.log by + # default; uncomment to override. + # log { + # output file /var/log/caddy/cargoxx-cache.log + # } +} diff --git a/runner/README.md b/runner/README.md index 7e53f96..0710431 100644 --- a/runner/README.md +++ b/runner/README.md 
@@ -61,22 +61,20 @@ Self-hosted Gitea Actions runner that validates package PRs. The `cache/` directory is gitignored. Both keys live alongside `compose.yml`; the named volume binds use `${PWD}/cache/...`. -5. **(optional) Front the store with nginx** so substituters can read it: +5. **(optional) Front the store with Caddy** so substituters can read it. + A ready-to-edit `Caddyfile.example` ships in this directory — copy + into `/etc/caddy/Caddyfile` (or `import` it) and reload: - ```nginx - # /etc/nginx/sites-available/cargoxx-cache - server { - listen 443 ssl; - server_name cache.cargoxx.; - root /path/to/cargoxx-pkgs/runner/cache/store; - autoindex off; - location / { try_files $uri =404; } - } + ```sh + sudo install -m644 Caddyfile.example /etc/caddy/conf.d/cargoxx-cache + sudo systemctl reload caddy ``` - Consumers later need `substituters = https://cache.cargoxx.` - and `trusted-public-keys = ` in their nix - config (bake this into the cargoxx wrapper once ready). + Caddy auto-provisions a Let's Encrypt cert. Consumers later need + `substituters = https://cache.cargoxx.` and + `trusted-public-keys = ` in their nix config + — those go into the cargoxx wrapper (`cargoxx`'s own `flake.nix`), + so any user installing the bundled cargoxx picks them up. 6. **Start the runner**:
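Review bot: in `runner/Caddyfile.example` the header comment says writes go to `file:///srv/cargoxx-cache/store`, but `root *` serves `/home/mozart/cargoxx-pkgs/runner/cache/store` (the `${PWD}/cache/...` bind path the README describes), so one of the two is stale; fix the comment to the path `root` actually serves. The `Cache-Control "public, immutable, max-age=31536000"` rule for `*.narinfo` also assumes a narinfo never changes once published, which fails as soon as a store path is rebuilt and re-pushed or re-signed with a new key; keep `immutable` for the content-addressed `*.nar` / `*.nar.xz` files and give `.narinfo` a short lifetime like the `/nix-cache-info` rule. Check as well what a request for a not-yet-pushed `.narinfo` returns: `@cache_immutable` matches on request path only, so a 404 may leave with the same year-long header and be remembered by any intermediate cache; if it does, strip `Cache-Control` in a `handle_errors` block. Last, the closing comment claims logs land in `/var/log/caddy/cargoxx-cache.{access,error}.log` by default, but Caddy writes no access log until a `log` directive is configured, so either uncomment the `log` block or drop the "by default" wording.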
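Review bot: in the rewritten step 5 of `runner/README.md` the prose says to copy `Caddyfile.example` into `/etc/caddy/Caddyfile` (or `import` it), but the command below installs it as `/etc/caddy/conf.d/cargoxx-cache`; the packaged default `/etc/caddy/Caddyfile` contains no `import` of a `conf.d/` directory, so after `sudo systemctl reload caddy` the site is silently not served. Either show the `import /etc/caddy/conf.d/*` line to add to the main Caddyfile (and a `mkdir -p /etc/caddy/conf.d` before `install`, which does not create the target directory), or make the sentence and the command agree on one location. "Caddy auto-provisions a Let's Encrypt cert" is also stronger than the snippet guarantees: ACME only succeeds if the cache hostname resolves to this host and ports 80/443 are reachable from the internet, which deserves a one-line note since the runner is self-hosted. The `substituters = https://cache.cargoxx.` placeholder should match the `cache.cargoxx.amadey.xyz` name used in `Caddyfile.example` so the two files do not drift, and `trusted-public-keys =` should say which of the two keys next to `compose.yml` gets pasted there (the public one), since the value ends up in the cargoxx wrapper's `flake.nix` that every user installs.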