runner: Caddyfile for cache HTTPS frontend + README
28
runner/Caddyfile.example
Normal file
@@ -0,0 +1,28 @@
# Caddy snippet that serves the cargoxx binary cache over HTTPS.
# Append to /etc/caddy/Caddyfile (or include via `import`) and reload:
# sudo systemctl reload caddy
#
# Caddy handles cert provisioning + renewal via ACME automatically.
# Adjust the domain + the `root` path if the runner lives elsewhere.
#
# The cache is read-only here — writes happen exclusively from the
# runner job container (`nix copy --to file:///srv/cargoxx-cache/store`).
cache.cargoxx.amadey.xyz {
root * /home/mozart/cargoxx-pkgs/runner/cache/store
file_server browse=false
# narinfo / nar are immutable per content hash → cache aggressively.
@cache_immutable path *.narinfo *.nar.xz *.nar
header @cache_immutable Cache-Control "public, immutable, max-age=31536000"
# Substituter probe — short cache, must reflect new entries quickly.
@cache_info path /nix-cache-info
header @cache_info Cache-Control "public, max-age=300"
# Logs go to /var/log/caddy/cargoxx-cache.{access,error}.log by
# default; uncomment to override.
# log {
# output file /var/log/caddy/cargoxx-cache.log
# }
}
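Review bot: `file_server browse=false` is likely to fail to parse. As far as I know the Caddyfile `file_server` directive only accepts a bare `browse` token to turn listings on and has no `browse=false` form; directory browsing is off by default, so plain `file_server` already gives the read-only, no-listing behaviour the comment describes. Two consistency points in the same file: the header says to append the snippet to `/etc/caddy/Caddyfile`, while the README in this commit installs it under `/etc/caddy/conf.d/`, which only takes effect if the main Caddyfile has an `import /etc/caddy/conf.d/*` line; and `root * /home/mozart/cargoxx-pkgs/runner/cache/store` ships a personal home path in a file named `.example`, so a `/path/to/...` placeholder like the README's would be clearer. Last, check with `curl -I` on a non-existent `.narinfo` that the `@cache_immutable` Cache-Control is not also attached to the 404 response: substituters probe for hashes that are not built yet, and a 404 cached as `immutable, max-age=31536000` by any intermediary cache would hide the package after it lands.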
@@ -61,22 +61,20 @@ Self-hosted Gitea Actions runner that validates package PRs.
The `cache/` directory is gitignored. Both keys live alongside
`compose.yml`; the named volume binds use `${PWD}/cache/...`.
5. **(optional) Front the store with nginx** so substituters can read it:
5. **(optional) Front the store with Caddy** so substituters can read it.
A ready-to-edit `Caddyfile.example` ships in this directory — copy
into `/etc/caddy/Caddyfile` (or `import` it) and reload:
```nginx
```sh
# /etc/nginx/sites-available/cargoxx-cache
sudo install -m644 Caddyfile.example /etc/caddy/conf.d/cargoxx-cache
server {
sudo systemctl reload caddy
listen 443 ssl;
server_name cache.cargoxx.<your-domain>;
root /path/to/cargoxx-pkgs/runner/cache/store;
autoindex off;
location / { try_files $uri =404; }
}
```
Consumers later need `substituters = https://cache.cargoxx.<your-domain>`
Caddy auto-provisions a Let's Encrypt cert. Consumers later need
and `trusted-public-keys = <contents of cache.pub>` in their nix
`substituters = https://cache.cargoxx.<your-domain>` and
config (bake this into the cargoxx wrapper once ready).
`trusted-public-keys = <contents of cache.pub>` in their nix config
— those go into the cargoxx wrapper (`cargoxx`'s own `flake.nix`),
so any user installing the bundled cargoxx picks them up.
6. **Start the runner**:
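Review bot: the prose and the install command in step 5 disagree on where the snippet goes. The text says to copy it into `/etc/caddy/Caddyfile` (or `import` it), while `sudo install -m644 Caddyfile.example /etc/caddy/conf.d/cargoxx-cache` drops it into `conf.d`, which Caddy only reads if the main Caddyfile imports that directory; either state that prerequisite next to the command or make the command match the prose. The "Caddy auto-provisions a Let's Encrypt cert" sentence should also name what it assumes: the hostname must resolve to this host and ports 80 and 443 must be reachable from the internet for ACME to complete, otherwise the cache is not served over HTTPS and the failure only shows up in Caddy's logs. For the last paragraph, `substituters` and `trusted-public-keys` carried in a flake's `nixConfig` are not applied silently: Nix asks the user to accept each setting (or needs `accept-flake-config`), and a non-trusted user cannot add a substituter that is not in the daemon's `trusted-substituters`, so the wrapper docs should mention that step.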