[bug#76296,maintenance] hydra: bayfront: Set up ‘git.guix.gnu.org’ as a redirect to Savannah.
Commit Message
* hydra/modules/sysadmin/dns.scm (git-ip4, git-ip6): New variables.
(guix.gnu.org.zone): Add “git” A and AAAA records.
(guix.gnu.org-zone)[serial]: Bump.
* hydra/modules/sysadmin/nginx.scm (git.guix.gnu.org-nginx-servers): New
procedure.
* hydra/modules/sysadmin/web.scm (git.guix.gnu.org-service-type): New
variable.
* hydra/bayfront.scm <top level>: Use it.
---
hydra/bayfront.scm | 5 ++++-
hydra/modules/sysadmin/dns.scm | 7 ++++++-
hydra/modules/sysadmin/nginx.scm | 29 +++++++++++++++++++++++++++--
hydra/modules/sysadmin/web.scm | 21 +++++++++++++++++++--
4 files changed, 56 insertions(+), 6 deletions(-)
Hello!
As part of preliminary discussions around GCD #002 (“Migrating repositories,
issues, and patches to Codeberg”), some suggested having a git.guix.gnu.org
DNS entry to make Git migration in general easier.
This patch implements that; technically we have to have an HTTP redirect,
which means that clients pay the cost of an extra connection and get nothing
if bayfront is down. That’s the price to pay for this indirection, but
it’s probably worth it.
Note that I haven’t been able to test this patch for real since it depends
on the state and environments of bayfront: certificates, networking setup,
host names, etc.
This patch could be applied whether or not the GCD is eventually accepted.
Thoughts?
Ludo’.
base-commit: 9c10ac82b270cb27ff7b92c6f44eac2efd0b7193
Comments
Hi,
Ludovic Courtès <ludo@gnu.org> writes:
[...]
> As part of preliminary discussions around GCD #002 (“Migrating repositories,
> issues, and patches to Codeberg”), some suggested having a git.guix.gnu.org
> DNS entry to make Git migration in general easier.
>
> This patch implements that; technically we have to have an HTTP redirect,
> which means that clients pay the cost of an extra connection and get nothing
> if bayfront is down. That’s the price to pay for this indirection, but
> it’s probably worth it.
>
> Note that I haven’t been able to test this patch for real since it depends
> on the state and environments of bayfront: certificates, networking setup,
> host names, etc.
>
> This patch could be applied whether or not the GCD is eventually accepted.
> Thoughts?
It's a bit eager to my taste :-). I'd rather the GCD process complete
its course before doing something concrete. I'd keep it around for when
we get to it.
Hi,
Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>> This patch could be applied whether or not the GCD is eventually accepted.
>
>> Thoughts?
>
> It's a bit eager to my taste :-). I'd rather the GCD process complete
> its course before doing something concrete. I'd keep it around for when
> we get to it.
Sure, I don’t mind putting this on hold.
Ludo’.
@@ -1,5 +1,5 @@
;; OS configuration for bayfront
-;; Copyright © 2016-2024 Ludovic Courtès <ludo@gnu.org>
+;; Copyright © 2016-2025 Ludovic Courtès <ludo@gnu.org>
;; Copyright © 2016, 2017, 2018, 2019, 2020, 2023, 2024 Andreas Enge <andreas@enge.fr>
;; Copyright © 2017, 2019, 2024 Ricardo Wurmus <rekado@elephly.net>
;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
@@ -1683,6 +1683,9 @@ access_log /var/log/nginx/git.qa.access.log;"))
static-web-site-service-type
(list ten-years-of-guix-web-site))
+ ;; Running the git.guix.gnu.org HTTP redirect.
+ (service git.guix.gnu.org-service-type)
+
;; hpcguix-web as it can be seen at
;; <https://hpc.guix.info/browse>.
(service hpcguix-web-service-type
@@ -63,6 +63,8 @@
(define dover-ip6 "2a02:8010:68c1::e2ff:f7ff:fe00:20b3")
(define hatysa-ip6 "2a02:8010:68c1::d263:b4ff:fe03:b9af")
(define hamal-ip6 "2a02:8010:68c1::d263:b4ff:fe02:e65b")
+(define git-ip4 bayfront-ip4)
+(define git-ip6 bayfront-ip6)
;; The SOA MNAME and one NS record must always be consistent.
(define primary-ns "ns1.gnu.org.")
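Review bot: git-ip4 and git-ip6 are added at the end of the per-host address definitions with no comment, although they name a service alias rather than a machine. A one-line comment above them saying that git.guix.gnu.org is currently served by bayfront, and that these two definitions are the ones to change if the redirect moves to another host, would keep them from being read as one more host entry.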
@@ -142,6 +144,9 @@
("packages" "" "IN" "A" bayfront-ip4)
("packages" "" "IN" "AAAA" bayfront-ip6)
+ ("git" "" "IN" "A" git-ip4)
+ ("git" "" "IN" "AAAA" git-ip6)
+
;; This record is required in order to prove to Amazon ACM that we
;; own the domain. As long as it exists, ACM will automatically
;; renew the TLS certificate for the CloudFront distribution we use
@@ -155,4 +160,4 @@
(origin "guix.gnu.org")
(ns primary-ns)
(entries guix.gnu.org.zone)
- (serial 2024120821)))))
+ (serial 2025021421)))))
@@ -1,5 +1,5 @@
;; Nginx configuration for ci.guix.gnu.org
-;; Copyright © 2016-2024 Ludovic Courtès <ludo@gnu.org>
+;; Copyright © 2016-2025 Ludovic Courtès <ludo@gnu.org>
;; Copyright © 2017, 2018, 2019, 2020, 2021 Ricardo Wurmus <rekado@elephly.net>
;; Copyright © 2020 Christopher Baines <mail@cbaines.net>
;; Copyright © 2020, 2021, 2024 Florian Pelz <pelzflorian@pelzflorian.de>
@@ -14,7 +14,8 @@
#:export (%tls-settings
le
accept-languages
- guix.gnu.org-nginx-server))
+ guix.gnu.org-nginx-server
+ git.guix.gnu.org-nginx-servers))
;;;
@@ -783,3 +784,27 @@ synonymous IETF language tags that should be mapped to the same $lang."
"rewrite (.*)/$ $1/index.html;"
"access_log /var/log/nginx/guix-gnu-org.https.access.log;")))))
+
+(define (git.guix.gnu.org-nginx-servers base-url)
+ (let ((redirect (nginx-location-configuration
+ (uri "/")
+ (body `("expires 24h;"
+ ,(string-append "return 302 "
+ base-url "$request_uri;"))))))
+ (list (nginx-server-configuration
+ (server-name '("git.guix.gnu.org"))
+ (listen '("80" "[::]:80"))
+ (raw-content
+ '("access_log /var/log/nginx/git.access.log;"))
+ (locations (list (nginx-location-configuration
+ (uri "^~ /.well-known")
+ (body '("root /var/www;")))
+ redirect)))
+ (nginx-server-configuration
+ (listen '("443 ssl" "[::]:443 ssl"))
+ (server-name '("git.guix.gnu.org"))
+ (ssl-certificate (le "guix.gnu.org"))
+ (ssl-certificate-key (le "guix.gnu.org" 'key))
+ (locations (list redirect))
+ (raw-content
+ '("access_log /var/log/nginx/git.access.log;"))))))
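Review bot: The 443 server block answers for git.guix.gnu.org but loads its certificate with (le "guix.gnu.org"), and none of the visible hunks adds git.guix.gnu.org to the names that certificate covers. Unless the existing certificate already includes the new name, HTTPS clients will fail hostname verification before they receive the redirect, so the certificate configuration should gain the name in the same series; the ^~ /.well-known location on port 80 suggests this was the intent. Separately, "expires 24h;" in the shared redirect location makes the 302 cacheable for a day, so caches may keep following the old target after base-url changes; a comment stating that this is deliberate, or a shorter lifetime, would help.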
@@ -1,6 +1,6 @@
;;; GNU Guix system administration tools.
;;;
-;;; Copyright © 2019-2023 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2019-2023, 2025 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2020, 2021 Ricardo Wurmus <rekado@elephly.net>
;;;
;;; This program is free software: you can redistribute it and/or modify
@@ -48,7 +48,8 @@
static-web-site-service-type
guix-web-site-service-type
- gwl-web-service-type))
+ gwl-web-service-type
+ git.guix.gnu.org-service-type))
(define guix-extensions
(match (package-transitive-propagated-inputs
@@ -333,6 +334,22 @@ taken from a Git repository.")
"This service provides the web site of the GNU Guix project.")
(default-value #t)))
+
+;;;
+;;; git.guix.gnu.org redirect.
+;;;
+
+(define git.guix.gnu.org-service-type
+ (service-type
+ (name 'git.guix.gnu.org-redirect)
+ (extensions
+ (list (service-extension nginx-service-type
+ git.guix.gnu.org-nginx-servers)))
+ (description
+ "This service sets up an HTTP redirect from
+@url{https://git.guix.gnu.org/guix.git} to the underlying server.")
+ (default-value "https://git.savannah.gnu.org/git")))
+
;;;
;;; Guix Workflow Language.
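Review bot: The description of git.guix.gnu.org-service-type does not say what the service value is or what form it must take. The value is passed as base-url to git.guix.gnu.org-nginx-servers, where it is concatenated directly with "$request_uri;" inside a return directive, so it has to be an absolute URL without a trailing slash and without characters that would end the nginx directive. Please state that in the description next to the default "https://git.savannah.gnu.org/git", so that whoever repoints the redirect later does not produce double slashes or a broken nginx configuration.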