runner: Caddyfile for cache HTTPS frontend + README

This commit is contained in:
2026-05-18 20:27:48 +00:00
parent bbae941a36
commit fcecc1e5b0
2 changed files with 39 additions and 13 deletions

28
runner/Caddyfile.example Normal file
View File

@@ -0,0 +1,28 @@
# Caddy snippet that serves the cargoxx binary cache over HTTPS.
# Append to /etc/caddy/Caddyfile (or include via `import`) and reload:
# sudo systemctl reload caddy
#
# Caddy handles cert provisioning + renewal via ACME automatically.
# Adjust the domain + the `root` path if the runner lives elsewhere.
#
# The cache is read-only here — writes happen exclusively from the
# runner job container (`nix copy --to file:///srv/cargoxx-cache/store`).
cache.cargoxx.amadey.xyz {
root * /home/mozart/cargoxx-pkgs/runner/cache/store
file_server browse=false
# narinfo / nar are immutable per content hash → cache aggressively.
@cache_immutable path *.narinfo *.nar.xz *.nar
header @cache_immutable Cache-Control "public, immutable, max-age=31536000"
# Substituter probe — short cache, must reflect new entries quickly.
@cache_info path /nix-cache-info
header @cache_info Cache-Control "public, max-age=300"
# Logs go to /var/log/caddy/cargoxx-cache.{access,error}.log by
# default; uncomment to override.
# log {
# output file /var/log/caddy/cargoxx-cache.log
# }
}

View File

@@ -61,22 +61,20 @@ Self-hosted Gitea Actions runner that validates package PRs.
The `cache/` directory is gitignored. Both keys live alongside The `cache/` directory is gitignored. Both keys live alongside
`compose.yml`; the named volume binds use `${PWD}/cache/...`. `compose.yml`; the named volume binds use `${PWD}/cache/...`.
5. **(optional) Front the store with nginx** so substituters can read it: 5. **(optional) Front the store with Caddy** so substituters can read it.
A ready-to-edit `Caddyfile.example` ships in this directory — copy
into `/etc/caddy/Caddyfile` (or `import` it) and reload:
```nginx ```sh
# /etc/nginx/sites-available/cargoxx-cache sudo install -m644 Caddyfile.example /etc/caddy/conf.d/cargoxx-cache
server { sudo systemctl reload caddy
listen 443 ssl;
server_name cache.cargoxx.<your-domain>;
root /path/to/cargoxx-pkgs/runner/cache/store;
autoindex off;
location / { try_files $uri =404; }
}
``` ```
Consumers later need `substituters = https://cache.cargoxx.<your-domain>` Caddy auto-provisions a Let's Encrypt cert. Consumers later need
and `trusted-public-keys = <contents of cache.pub>` in their nix `substituters = https://cache.cargoxx.<your-domain>` and
config (bake this into the cargoxx wrapper once ready). `trusted-public-keys = <contents of cache.pub>` in their nix config
— those go into the cargoxx wrapper (`cargoxx`'s own `flake.nix`),
so any user installing the bundled cargoxx picks them up.
6. **Start the runner**: 6. **Start the runner**: