c709d2a5d3
This deploys buildkite-api-proxy at cl.snix.dev/buildkite-status/. Part of #118. Change-Id: Iae927b11acc2163e6edc4ba6e91194e8fa884b0d Reviewed-on: https://cl.snix.dev/c/snix/+/30405 Reviewed-by: edef <edef@edef.eu> Tested-by: besadii Autosubmit: Florian Klink <flokli@flokli.de>
74 lines
2 KiB
Nix
74 lines
2 KiB
Nix
{ config, depot, ... }:
|
|
|
|
{
|
|
imports = [
|
|
./base.nix
|
|
];
|
|
|
|
config = {
|
|
services.nginx.virtualHosts."cl-shortlink" = {
|
|
serverName = "cl";
|
|
extraConfig = "return 302 https://cl.snix.dev$request_uri;";
|
|
};
|
|
|
|
services.nginx.virtualHosts.gerrit = {
|
|
serverName = "cl.snix.dev";
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
extraConfig = ''
|
|
location / {
|
|
proxy_pass http://localhost:4778;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
# The :443 suffix is a workaround for https://b.snix.dev/issues/88.
|
|
proxy_set_header Host $host:443;
|
|
}
|
|
|
|
# Retro-compatibility to TVL shortlinks.
|
|
location ~ "^/q/([1-2]?[0-9]{1,4}|30000)$" {
|
|
return 302 https://cl.tvl.fyi$request_uri;
|
|
}
|
|
|
|
location = /robots.txt {
|
|
return 200 'User-agent: *\nAllow: /';
|
|
}
|
|
|
|
location /buildkite-status/ {
|
|
proxy_pass http://buildkite-api-proxy/;
|
|
}
|
|
'';
|
|
};
|
|
|
|
services.nginx.upstreams.buildkite-api-proxy = {
|
|
servers."unix:/run/buildkite-api-proxy.sock" = { };
|
|
};
|
|
|
|
systemd.services.buildkite-api-proxy = {
|
|
serviceConfig = {
|
|
LoadCredential = "buildkite-api-token:${config.age.secrets.buildkite-api-proxy-token.path}";
|
|
ExecStart = "${depot.ops.buildkite-api-proxy}/bin/buildkite-api-proxy";
|
|
Restart = "always";
|
|
RestartSec = 5;
|
|
User = "buildkite-api-proxy";
|
|
DynamicUser = true;
|
|
ProtectHome = true;
|
|
ProtectSystem = true;
|
|
MemoryDenyWriteExecute = true;
|
|
ProtectControlGroups = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
RestrictNamespaces = true;
|
|
RestrictRealtime = true;
|
|
SystemCallArchitectures = "native";
|
|
SystemCallFilter = [
|
|
"@system-service"
|
|
"~@privileged"
|
|
];
|
|
};
|
|
};
|
|
systemd.sockets.buildkite-api-proxy = {
|
|
wantedBy = [ "sockets.target" ];
|
|
socketConfig.ListenStream = "/run/buildkite-api-proxy.sock";
|
|
};
|
|
};
|
|
}
|