GNU bug report logs -
#76296
[PATCH maintenance] hydra: bayfront: Set up ‘git.guix.gnu.org’ as a redirect to Savannah.
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Fri, 14 Feb 2025 23:16:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Report forwarded to guix-sysadmin <at> gnu.org, guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Fri, 14 Feb 2025 23:16:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Ludovic Courtès <ludo <at> gnu.org>: New bug report received and forwarded. Copy sent to guix-sysadmin <at> gnu.org, guix-patches <at> gnu.org. (Fri, 14 Feb 2025 23:16:02 GMT) Full text and rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* hydra/modules/sysadmin/dns.scm (git-ip4, git-ip6): New variables.
(guix.gnu.org.zone): Add “git” A and AAAA records.
(guix.gnu.org-zone)[serial]: Bump.
* hydra/modules/sysadmin/nginx.scm (git.guix.gnu.org-nginx-servers): New
procedure.
* hydra/modules/sysadmin/web.scm (git.guix.gnu.org-service-type): New
variable.
* hydra/bayfront.scm <top level>: Use it.
---
hydra/bayfront.scm | 5 ++++-
hydra/modules/sysadmin/dns.scm | 7 ++++++-
hydra/modules/sysadmin/nginx.scm | 29 +++++++++++++++++++++++++++--
hydra/modules/sysadmin/web.scm | 21 +++++++++++++++++++--
4 files changed, 56 insertions(+), 6 deletions(-)
Hello!
As part of preliminary discussions around GCD #002 (“Migrating repositories,
issues, and patches to Codeberg”), some suggested having a git.guix.gnu.org
DNS entry to make Git migration in general easier.
This patch implements that; technically we have to have an HTTP redirect,
which means that clients pay the cost of an extra connection and get nothing
if bayfront is down. That’s the price to pay for this indirection, but
it’s probably worth it.
Note that I haven’t been able to test this patch for real since it depends
on the state and environments of bayfront: certificates, networking set up,
host names, etc.
This patch could be applied whether or not the GCD is eventually accepted.
Thoughts?
Ludo’.
diff --git a/hydra/bayfront.scm b/hydra/bayfront.scm
index e85d715..6b89470 100644
--- a/hydra/bayfront.scm
+++ b/hydra/bayfront.scm
@@ -1,5 +1,5 @@
;; OS configuration for bayfront
-;; Copyright © 2016-2024 Ludovic Courtès <ludo <at> gnu.org>
+;; Copyright © 2016-2025 Ludovic Courtès <ludo <at> gnu.org>
;; Copyright © 2016, 2017, 2018, 2019, 2020, 2023, 2024 Andreas Enge <andreas <at> enge.fr>
;; Copyright © 2017, 2019, 2024 Ricardo Wurmus <rekado <at> elephly.net>
;; Copyright © 2019 Julien Lepiller <julien <at> lepiller.eu>
@@ -1683,6 +1683,9 @@ access_log /var/log/nginx/git.qa.access.log;"))
static-web-site-service-type
(list ten-years-of-guix-web-site))
+ ;; Running the git.guix.gnu.org HTTP redirect.
+ (service git.guix.gnu.org-service-type)
+
;; hpcguix-web as it can be seen at
;; <https://hpc.guix.info/browse>.
(service hpcguix-web-service-type
diff --git a/hydra/modules/sysadmin/dns.scm b/hydra/modules/sysadmin/dns.scm
index d5b8a98..72b2b7f 100644
--- a/hydra/modules/sysadmin/dns.scm
+++ b/hydra/modules/sysadmin/dns.scm
@@ -63,6 +63,8 @@
(define dover-ip6 "2a02:8010:68c1::e2ff:f7ff:fe00:20b3")
(define hatysa-ip6 "2a02:8010:68c1::d263:b4ff:fe03:b9af")
(define hamal-ip6 "2a02:8010:68c1::d263:b4ff:fe02:e65b")
+(define git-ip4 bayfront-ip4)
+(define git-ip6 bayfront-ip6)
;; The SOA MNAME and one NS record must always be consistent.
(define primary-ns "ns1.gnu.org.")
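Review bot: ‘git-ip4’ and ‘git-ip6’ are added as bare aliases of ‘bayfront-ip4’ and ‘bayfront-ip6’, appended to a block of per-machine addresses, with no comment saying why a separate name exists. A one-line comment above the two definitions stating that the “git” name is currently served by bayfront, and that these are the lines to change if the redirect moves to another host, would make the intent clear to whoever edits the zone next.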
@@ -142,6 +144,9 @@
("packages" "" "IN" "A" bayfront-ip4)
("packages" "" "IN" "AAAA" bayfront-ip6)
+ ("git" "" "IN" "A" git-ip4)
+ ("git" "" "IN" "AAAA" git-ip6)
+
;; This record is required in order to prove to Amazon ACM that we
;; own the domain. As long as it exists, ACM will automatically
;; renew the TLS certificate for the CloudFront distribution we use
@@ -155,4 +160,4 @@
(origin "guix.gnu.org")
(ns primary-ns)
(entries guix.gnu.org.zone)
- (serial 2024120821)))))
+ (serial 2025021421)))))
diff --git a/hydra/modules/sysadmin/nginx.scm b/hydra/modules/sysadmin/nginx.scm
index d1f67e0..a087f35 100644
--- a/hydra/modules/sysadmin/nginx.scm
+++ b/hydra/modules/sysadmin/nginx.scm
@@ -1,5 +1,5 @@
;; Nginx configuration for ci.guix.gnu.org
-;; Copyright © 2016-2024 Ludovic Courtès <ludo <at> gnu.org>
+;; Copyright © 2016-2025 Ludovic Courtès <ludo <at> gnu.org>
;; Copyright © 2017, 2018, 2019, 2020, 2021 Ricardo Wurmus <rekado <at> elephly.net>
;; Copyright © 2020 Christopher Baines <mail <at> cbaines.net>
;; Copyright © 2020, 2021, 2024 Florian Pelz <pelzflorian <at> pelzflorian.de>
@@ -14,7 +14,8 @@
#:export (%tls-settings
le
accept-languages
- guix.gnu.org-nginx-server))
+ guix.gnu.org-nginx-server
+ git.guix.gnu.org-nginx-servers))
;;;
@@ -783,3 +784,27 @@ synonymous IETF language tags that should be mapped to the same $lang."
"rewrite (.*)/$ $1/index.html;"
"access_log /var/log/nginx/guix-gnu-org.https.access.log;")))))
+
+(define (git.guix.gnu.org-nginx-servers base-url)
+ (let ((redirect (nginx-location-configuration
+ (uri "/")
+ (body `("expires 24h;"
+ ,(string-append "return 302 "
+ base-url "$request_uri;"))))))
+ (list (nginx-server-configuration
+ (server-name '("git.guix.gnu.org"))
+ (listen '("80" "[::]:80"))
+ (raw-content
+ '("access_log /var/log/nginx/git.access.log;"))
+ (locations (list (nginx-location-configuration
+ (uri "^~ /.well-known")
+ (body '("root /var/www;")))
+ redirect)))
+ (nginx-server-configuration
+ (listen '("443 ssl" "[::]:443 ssl"))
+ (server-name '("git.guix.gnu.org"))
+ (ssl-certificate (le "guix.gnu.org"))
+ (ssl-certificate-key (le "guix.gnu.org" 'key))
+ (locations (list redirect))
+ (raw-content
+ '("access_log /var/log/nginx/git.access.log;"))))))
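Review bot: the port-443 server answers for ‘git.guix.gnu.org’ but loads ‘(le "guix.gnu.org")’ as certificate and key, so clients only accept the handshake if that certificate already lists ‘git.guix.gnu.org’ as a subject alternative name; the ‘^~ /.well-known’ location on port 80 lets a challenge be answered, but nothing in this hunk requests the extra name. Confirm the existing certificate covers the new host, or point ‘ssl-certificate’ and ‘ssl-certificate-key’ at one issued for it, before the DNS records go live. Two smaller points: ‘base-url’ is spliced directly in front of ‘$request_uri’, so a value ending in ‘/’ produces ‘//’ in every Location header, and a docstring stating the expected form would help; and ‘expires 24h;’ next to ‘return 302’ marks a temporary redirect as cacheable for a day, which works against changing the target later, so either drop it or say in a comment why it is wanted. The TLS server's ‘raw-content’ also carries only the ‘access_log’ line although this module exports ‘%tls-settings’; check whether those settings are meant to apply here too.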
diff --git a/hydra/modules/sysadmin/web.scm b/hydra/modules/sysadmin/web.scm
index b07c080..e662a09 100644
--- a/hydra/modules/sysadmin/web.scm
+++ b/hydra/modules/sysadmin/web.scm
@@ -1,6 +1,6 @@
;;; GNU Guix system administration tools.
;;;
-;;; Copyright © 2019-2023 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2019-2023, 2025 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2020, 2021 Ricardo Wurmus <rekado <at> elephly.net>
;;;
;;; This program is free software: you can redistribute it and/or modify
@@ -48,7 +48,8 @@
static-web-site-service-type
guix-web-site-service-type
- gwl-web-service-type))
+ gwl-web-service-type
+ git.guix.gnu.org-service-type))
(define guix-extensions
(match (package-transitive-propagated-inputs
@@ -333,6 +334,22 @@ taken from a Git repository.")
"This service provides the web site of the GNU Guix project.")
(default-value #t)))
+
+;;;
+;;; git.guix.gnu.org redirect.
+;;;
+
+(define git.guix.gnu.org-service-type
+ (service-type
+ (name 'git.guix.gnu.org-redirect)
+ (extensions
+ (list (service-extension nginx-service-type
+ git.guix.gnu.org-nginx-servers)))
+ (description
+ "This service sets up an HTTP redirect from
+@url{https://git.guix.gnu.org/guix.git} to the underlying server.")
+ (default-value "https://git.savannah.gnu.org/git")))
+
;;;
;;; Guix Workflow Language.
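Review bot: the ‘description’ says the redirect goes “to the underlying server” but never states that the service value is the base URL to which ‘$request_uri’ is appended, and ‘default-value’ is an unvalidated string handed straight to ‘git.guix.gnu.org-nginx-servers’. Documenting the expected form (an ‘https://’ URL without a trailing slash) in the description, and rejecting a value that is not an ‘https://’ URL before it is written into the nginx configuration, would keep a typo from redirecting Git clients to an unintended or plain-HTTP location.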
base-commit: 9c10ac82b270cb27ff7b92c6f44eac2efd0b7193
--
2.48.1
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Sat, 15 Feb 2025 14:10:02 GMT)
Message #8 received at 76296 <at> debbugs.gnu.org:
Hi,
Ludovic Courtès <ludo <at> gnu.org> writes:
[...]
> As part of preliminary discussions around GCD #002 (“Migrating repositories,
> issues, and patches to Codeberg”), some suggested having a git.guix.gnu.org
> DNS entry to make Git migration in general easier.
>
> This patch implements that; technically we have to have an HTTP redirect,
> which means that clients pay the cost of an extra connection and get nothing
> if bayfront is down. That’s the price to pay for this indirection, but
> it’s probably worth it.
>
> Note that I haven’t been able to test this patch for real since it depends
> on the state and environments of bayfront: certificates, networking set up,
> host names, etc.
>
> This patch could be applied whether or not the GCD is eventually accepted.
> Thoughts?
It's a bit eager to my taste :-). I'd rather the GCD process complete
its course before doing something concrete. I'd keep it around for when
we get to it.
--
Thanks,
Maxim
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Fri, 21 Feb 2025 13:35:03 GMT)
Message #11 received at 76296 <at> debbugs.gnu.org:
Hi,
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
>> This patch could be applied whether or not the GCD is eventually accepted.
>
>> Thoughts?
>
> It's a bit eager to my taste :-). I'd rather the GCD process complete
> its course before doing something concrete. I'd keep it around for when
> we get to it.
Sure, I don’t mind putting this on hold.
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Sun, 11 May 2025 15:00:08 GMT)
Message #14 received at 76296 <at> debbugs.gnu.org:
Hello,
Now that GCD 002 has been accepted, I’d like to restart discussions
around this patch, which adds the git.guix.gnu.org DNS entry and HTTP(S)
redirects to codeberg.org/guix:
https://issues.guix.gnu.org/76296
> This patch implements that; technically we have to have an HTTP redirect,
> which means that clients pay the cost of an extra connection and get nothing
> if bayfront is down. That’s the price to pay for this indirection, but
> it’s probably worth it.
>
> Note that I haven’t been able to test this patch for real since it depends
> on the state and environments of bayfront: certificates, networking set up,
> host names, etc.
If we choose to install this patch, we should IMO do it as before
guix.git is migrated to Codeberg (presumably on May 25th). That way, we
can use git.guix.gnu.org in (guix channels) instead of
codeberg.org/guix/guix.git.
Thoughts?
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Mon, 12 May 2025 07:49:01 GMT)
Message #17 received at 76296 <at> debbugs.gnu.org:
Hi,
Ludovic Courtès <ludo <at> gnu.org> writes:
> Hello,
>
> Now that GCD 002 has been accepted, I’d like to restart discussions
> around this patch, which adds the git.guix.gnu.org DNS entry and HTTP(S)
> redirects to codeberg.org/guix:
>
> https://issues.guix.gnu.org/76296
>
>> This patch implements that; technically we have to have an HTTP redirect,
>> which means that clients pay the cost of an extra connection and get nothing
>> if bayfront is down. That’s the price to pay for this indirection, but
>> it’s probably worth it.
>>
>> Note that I haven’t been able to test this patch for real since it depends
>> on the state and environments of bayfront: certificates, networking set up,
>> host names, etc.
DNS configuration is not really my forte, but the general idea and a
summary review of the implementation LGTM.
--
Thanks,
Maxim
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Mon, 12 May 2025 09:29:02 GMT)
Message #20 received at 76296 <at> debbugs.gnu.org:
Ludovic Courtès <ludo <at> gnu.org> writes:
> Now that GCD 002 has been accepted, I’d like to restart discussions
> around this patch, which adds the git.guix.gnu.org DNS entry and HTTP(S)
> redirects to codeberg.org/guix:
>
> https://issues.guix.gnu.org/76296
>
>> This patch implements that; technically we have to have an HTTP redirect,
>> which means that clients pay the cost of an extra connection and get nothing
>> if bayfront is down. That’s the price to pay for this indirection, but
>> it’s probably worth it.
>>
>> Note that I haven’t been able to test this patch for real since it depends
>> on the state and environments of bayfront: certificates, networking set up,
>> host names, etc.
>
> If we choose to install this patch, we should IMO do it as before
> guix.git is migrated to Codeberg (presumably on May 25th). That way, we
> can use git.guix.gnu.org in (guix channels) instead of
> codeberg.org/guix/guix.git.
>
> Thoughts?
I wonder how this compares to storing and serving a mirror of the Git
repository. Maybe that's a bit more complicated in terms of the setup,
but it may perform better than a redirect and actually provide
redundancy?
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Mon, 12 May 2025 09:55:02 GMT)
Message #23 received at 76296 <at> debbugs.gnu.org:
Hi,
Christopher Baines <mail <at> cbaines.net> writes:
> I wonder how this compares to storing and serving a mirror of the Git
> repository. Maybe that's a bit more complicated in terms of the setup,
> but it may perform better than a redirect and actually provide
> redundancy?
Good point. I think mirroring would be good, but if and only if we can
synchronize it at every push rather than periodically (current mirror is
periodic).
Regardless, I think the priority is to decide on whether this DNS entry
is the way to go, so we can use it in (guix channels) on the day we
switch.
Once git.guix.gnu.org is in place, we can always change its
implementation from redirect to mirroring.
WDYT?
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Mon, 12 May 2025 10:04:02 GMT)
Message #26 received at 76296 <at> debbugs.gnu.org:
Ludovic Courtès <ludo <at> gnu.org> writes:
> Christopher Baines <mail <at> cbaines.net> writes:
>
>> I wonder how this compares to storing and serving a mirror of the Git
>> repository. Maybe that's a bit more complicated in terms of the setup,
>> but it may perform better than a redirect and actually provide
>> redundancy?
>
> Good point. I think mirroring would be good, but if and only if we can
> synchronize it at every push rather than periodically (current mirror is
> periodic).
Using the fancy GitHub/Forgejo Actions thing, I think that should be
possible.
> Regardless, I think the priority is to decide on whether this DNS entry
> is the way to go, so we can use it in (guix channels) on the day we
> switch.
>
> Once git.guix.gnu.org is in place, we can always change its
> implementation from redirect to mirroring.
>
> WDYT?
Good point, personally I'm pro using a domain we control for the Git
repository going forward, so yeah, I'm happy to see this setup so that
we can test it.
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Mon, 12 May 2025 10:16:02 GMT)
Message #29 received at 76296 <at> debbugs.gnu.org:
Ludovic Courtès <ludo <at> gnu.org> writes:
> Hello,
>
> Now that GCD 002 has been accepted, I’d like to restart discussions
> around this patch, which adds the git.guix.gnu.org DNS entry and HTTP(S)
> redirects to codeberg.org/guix:
>
> https://issues.guix.gnu.org/76296
>
>> This patch implements that; technically we have to have an HTTP redirect,
>> which means that clients pay the cost of an extra connection and get nothing
>> if bayfront is down. That’s the price to pay for this indirection, but
>> it’s probably worth it.
>>
>> Note that I haven’t been able to test this patch for real since it depends
>> on the state and environments of bayfront: certificates, networking set up,
>> host names, etc.
>
> If we choose to install this patch, we should IMO do it as before
> guix.git is migrated to Codeberg (presumably on May 25th). That way, we
> can use git.guix.gnu.org in (guix channels) instead of
> codeberg.org/guix/guix.git.
>
> Thoughts?
>
> Ludo’.
As you said, this adds an extra point of failure. It seems that there is
no real issue with changing URL right now as shown by GCD 002. So what
is the benefit of this patch?
I guess it’s for style points, which I’m all for. I do think it would be
better to set the URL to git.guix.gnu.org/guix/guix.git and just a DNS
redirect to codeberg to avoid the extra connection.
Have a nice day,
Noé
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Mon, 12 May 2025 11:58:02 GMT)
Message #32 received at 76296 <at> debbugs.gnu.org:
Hi Noé,
Noé Lopez <noelopez <at> free.fr> writes:
> As you said, this adds an extra point of failure. It seems that there is
> no real issue with changing URL right now as shown by GCD 002. So what
> is the benefit of this patch?
This was originally proposed as a way to facilitate Git migration—should
we decide in a year to migrate to, say, github.com :-) (or more
seriously: to self-host.)
But as Chris wrote, it’s also a good way to keep infra under the
project’s control, and provides a way to add redundancy through
mirroring for instance.
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Wed, 14 May 2025 08:49:01 GMT)
Message #35 received at 76296 <at> debbugs.gnu.org:
Noé Lopez <noelopez <at> free.fr> writes:
> I guess it’s for style points, which I’m all for. I do think it
> would be
> better to set the URL to git.guix.gnu.org/guix/guix.git and just
> a DNS
> redirect to codeberg to avoid the extra connection.
I second this.
I think a DNS level redirect would be sufficient. I'd prefer not
to loop in bayfront for every git connection.
--
Ricardo
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Wed, 14 May 2025 10:08:02 GMT)
Message #38 received at 76296 <at> debbugs.gnu.org:
Hi,
Ricardo Wurmus <rekado <at> elephly.net> writes:
> Noé Lopez <noelopez <at> free.fr> writes:
>
>> I guess it’s for style points, which I’m all for. I do think it would
>> be
>> better to set the URL to git.guix.gnu.org/guix/guix.git and just a
>> DNS
>> redirect to codeberg to avoid the extra connection.
>
> I second this.
>
> I think a DNS level redirect would be sufficient. I'd prefer not to
> loop in bayfront for every git connection.
As I suggested in <https://issues.guix.gnu.org/76296>, I don’t think
that’s possible: the X.509 certificate that codeberg.org serves is for
codeberg.org, not for git.guix.gnu.org, so TLS libraries would report a
host name mismatch.
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Wed, 14 May 2025 18:52:02 GMT)
Message #41 received at 76296 <at> debbugs.gnu.org:
Ludovic Courtès <ludo <at> gnu.org> writes:
> Ricardo Wurmus <rekado <at> elephly.net> writes:
>
>> Noé Lopez <noelopez <at> free.fr> writes:
>>
>>> I guess it’s for style points, which I’m all for. I do think it
>>> would
>>> be
>>> better to set the URL to git.guix.gnu.org/guix/guix.git and
>>> just a
>>> DNS
>>> redirect to codeberg to avoid the extra connection.
>>
>> I second this.
>>
>> I think a DNS level redirect would be sufficient. I'd prefer
>> not to
>> loop in bayfront for every git connection.
>
> As I suggested in <https://issues.guix.gnu.org/76296>, I don’t
> think
> that’s possible: the X.509 certificate that codeberg.org serves
> is for
> codeberg.org, not for git.guix.gnu.org, so TLS libraries would
> report a
> host name mismatch.
Ah, true. My bad! I keep forgetting this. We've had the same
discussion back when we wanted to set up bayfront as a fail-over
for the web services on berlin.
--
Ricardo
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Thu, 15 May 2025 11:05:03 GMT)
Message #44 received at 76296 <at> debbugs.gnu.org:
Hello,
On mer, mag 14 2025, Ludovic Courtès wrote:
> Ricardo Wurmus <rekado <at> elephly.net> writes:
>
>> Noé Lopez <noelopez <at> free.fr> writes:
>>
>>> I guess it’s for style points, which I’m all for. I do think it would
>>> be
>>> better to set the URL to git.guix.gnu.org/guix/guix.git and just a
>>> DNS
>>> redirect to codeberg to avoid the extra connection.
>>
>> I second this.
>>
>> I think a DNS level redirect would be sufficient. I'd prefer not to
>> loop in bayfront for every git connection.
>
> As I suggested in <https://issues.guix.gnu.org/76296>, I don’t think
> that’s possible: the X.509 certificate that codeberg.org serves is for
> codeberg.org, not for git.guix.gnu.org, so TLS libraries would report a
> host name mismatch.
I can confirm it's not possible to use a host name that is not part of
the list of hosts in the X.509 certificate, that in this case is the one
provided by the codeberg.org web server [1].
The only way to use git.guix.gnu.org is to set up a proxy server with
proper TLS termination... and yes: it means that the proxy server is
/always/ in the loop.
Currently I use haproxy (on Nix, not on Guix) to achieve this kind of
configuration but I know it's also possible with nginx (but never done
it myself).
IMHO setting up a proxy is worth the effort (correct english?), since I
see a strategic advantage in having git.guix.gnu.org as an official
remote name and the traffic seen by a server under Guix Team control,
also for eventual and future load balancing, if needed.
I can help if needed, but please keep me in Cc since in this (long)
period I seldom follow the mailing lists, sorry.
Just my 2 cents :-)
Thank you for your work! Gio'
[1] unless codeberg.org provides a way to add an alias to a remote _and_
adds that alias to the list of hosts for the certificate... but I doubt
since it could quickly become technically hard to manage (is there a
limit to the number of extra host names for a certificate?).
--
Giovanni Biscuolo
Xelera IT Infrastructures
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Sun, 18 May 2025 16:46:02 GMT)
Message #47 received at 76296 <at> debbugs.gnu.org:
Greetings,
On 5/14/25 13:52, Ludovic Courtès wrote:
> Hi,
>
> Ricardo Wurmus <rekado <at> elephly.net> writes:
>
>> Noé Lopez <noelopez <at> free.fr> writes:
>>
>>> I guess it’s for style points, which I’m all for. I do think it would
>>> be
>>> better to set the URL to git.guix.gnu.org/guix/guix.git and just a
>>> DNS
>>> redirect to codeberg to avoid the extra connection.
>> I second this.
I guess this would make switching, in case of disasters, seamless for
the user, which is probably something we want. The URL doesn't change.
On Guix project's side, it's a relatively quick change. The extra load
is probably negligible also. No need to proxy the connections.
>>
>> I think a DNS level redirect would be sufficient. I'd prefer not to
>> loop in bayfront for every git connection.
> As I suggested in <https://issues.guix.gnu.org/76296>, I don’t think
> that’s possible: the X.509 certificate that codeberg.org serves is for
> codeberg.org, not for git.guix.gnu.org, so TLS libraries would report a
> host name mismatch.
I did some testing on a test domain. I configured both DNS redirect
(git-dns.guix.redscript.org) and HTTP 302 redirect
(git.guix.redscript.org) to codeberg.org. As Ludo mentioned before, DNS
redirect doesn't work. HTTP 302 redirect seems to work well with both
"guix pull" and "git clone".
The configuration is still in place. Feel free to test.
Commands, config and output below.
HTTP 302 redirect tests:
---
user <at> pc ~> guix pull --url=https://git.guix.redscript.org/guix/guix-mirror.git
Updating channel 'nonguix' from Git repository at 'https://gitlab.com/nonguix/nonguix'...
Updating channel 'guix' from Git repository at 'https://git.guix.redscript.org/guix/guix-mirror.git'...
guix pull: warning: pulled channel 'guix' from a mirror of https://git.savannah.gnu.org/git/guix.git, which might be stale
Building from these channels:
nonguix https://gitlab.com/nonguix/nonguix 3f530e5
guix https://git.guix.redscript.org/guix/guix-mirror.git 17c34fe
[...]
---
---
user <at> pc ~> guix describe
[...]
guix 17c34fe
repository URL: https://git.guix.redscript.org/guix/guix-mirror.git
branch: master
commit: 17c34fe73ddef7411ac91ff2e568aa0b8d7761cb
---
---
user <at> pc ~/git> git clone https://git.guix.redscript.org/guix/guix-mirror.git
Cloning into 'guix-mirror'...
warning: redirecting to https://codeberg.org/guix/guix-mirror.git/
remote: Enumerating objects: 898744, done.
[...]
Updating files: 100% (3145/3145), done.
---
DNS redirect tests:
---
user <at> pc ~> guix pull --url=https://git-dns.guix.redscript.org/guix/guix-mirror.git
Updating channel 'nonguix' from Git repository at 'https://gitlab.com/nonguix/nonguix'...
Updating channel 'guix' from Git repository at 'https://git-dns.guix.redscript.org/guix/guix-mirror.git'...
guix pull: error: Git error: SSL error: error:0A000438:SSL routines::tlsv1 alert internal error
---
---
user <at> pc ~/git> git clone https://git-dns.guix.redscript.org/guix/guix-mirror.git
Cloning into 'guix-mirror'...
fatal: unable to access 'https://git-dns.guix.redscript.org/guix/guix-mirror.git/': gnutls_handshake() failed: Internal error
---
The DNS entries I used:
---
git.guix.redscript.org 60 IN A 181.214.58.244
git-dns.guix.redscript.org 60 IN CNAME codeberg.org
---
NGINX config I used (some minor personal stuff removed):
---
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name git.guix.redscript.org;
    ssl_certificate /etc/private/live/git.guix.redscript.org/fullchain.pem;
    ssl_certificate_key /etc/private/live/git.guix.redscript.org/privkey.pem;
    ssl_trusted_certificate /etc/private/live/git.guix.redscript.org/chain.pem;
    location / {
        return 302 https://codeberg.org$request_uri;
    }
}
---
> Ludo’.
>
>
>
Thanks,
Ahmad
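The two setups tested in the message above, modelled offline as an added example (not part of the message, nor of the Guix maintenance code): it checks, hop by hop, whether the certificate a server presents covers the name the client asked for, which is the check Ludo describes as failing for a DNS-level redirect. The host names and the 302 target come from the message; the certificate SAN lists and the server labels ‘own-nginx’ and ‘codeberg’ are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed model of the test setup. The SAN lists are assumptions made for
# illustration; the real certificates are not shown on the page.
RESOLVES_TO = {
    "git.guix.redscript.org": "own-nginx",     # A record to the tester's server
    "git-dns.guix.redscript.org": "codeberg",  # CNAME codeberg.org
    "codeberg.org": "codeberg",
}
SERVER_SANS = {
    "own-nginx": ["git.guix.redscript.org"],
    "codeberg": ["codeberg.org", "*.codeberg.org"],
}
# (server, requested host) -> base URL used by "return 302 <base>$request_uri;"
REDIRECTS = {("own-nginx", "git.guix.redscript.org"): "https://codeberg.org"}


def san_matches(pattern, hostname):
    """Match one subjectAltName DNS entry against the name the client asked for.

    A wildcard is honoured only as the whole leftmost label and stands for
    exactly one label (the usual RFC 6125 interpretation).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def certificate_covers(hostname, sans):
    """True if any SAN entry of the presented certificate covers hostname."""
    return any(san_matches(entry, hostname) for entry in sans)


def fetch(url, max_hops=5):
    """Follow HTTPS redirects, checking the certificate at every hop.

    The name checked is always the host in the URL: a CNAME changes which
    server answers, not the name the client expects in the certificate.
    """
    hops = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme != "https":
            return {"ok": False, "hops": hops,
                    "error": f"refusing non-HTTPS hop {url}"}
        host = parts.hostname
        server = RESOLVES_TO[host]
        covered = certificate_covers(host, SERVER_SANS[server])
        hops.append((host, server, covered))
        if not covered:
            return {"ok": False, "hops": hops,
                    "error": f"certificate served by {server} does not cover {host}"}
        base = REDIRECTS.get((server, host))
        if base is None:
            return {"ok": True, "hops": hops, "final_url": url}
        # nginx's $request_uri is the original path plus query string.
        request_uri = parts.path + (f"?{parts.query}" if parts.query else "")
        url = base + request_uri
    return {"ok": False, "hops": hops, "error": "too many redirects"}


if __name__ == "__main__":
    for name in ("git.guix.redscript.org", "git-dns.guix.redscript.org"):
        result = fetch(f"https://{name}/guix/guix-mirror.git")
        print(name, "->", result.get("final_url") or result["error"])
```

In the logs above the failed handshake surfaces as a TLS alert rather than a client-side mismatch message; the model covers only the name check, which a CNAME cannot satisfy under these assumptions.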
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Sun, 18 May 2025 19:04:02 GMT)
Message #50 received at 76296 <at> debbugs.gnu.org:
Hello,
Ahmad Draidi <a.r.draidi <at> redscript.org> writes:
> I guess this would make switching, in case of disasters, seamless for
> the user, which is probably something we want. The URL doesn't
> change. On Guix project's side, it's a relatively quick change. The
> extra load is probably negligible also. No need to proxy the
> connections.
+1
> I did some testing on a test domain. I configured both DNS redirect
> (git-dns.guix.redscript.org) and HTTP 302 redirect
> (git.guix.redscript.org) to codeberg.org. As Ludo mentioned before,
> DNS redirect doesn't work. HTTP 302 redirect seems to work well with
> both "guix pull" and "git clone".
Thanks for testing. Your config looks close to the one I submitted,
right?
Thanks,
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Sun, 18 May 2025 19:04:02 GMT)
Message #53 received at 76296 <at> debbugs.gnu.org:
I wanted to deploy this patch now so we can start testing it and since
the goal was to migrate guix.git next Sunday (May 25th).
Unfortunately, we seem to be unable to connect to the machine hosting
our DNS service (bayfront) so I’m not sure when we’ll be able to deploy
it. Bad timing. :-/
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Mon, 19 May 2025 02:54:01 GMT)
Message #56 received at 76296 <at> debbugs.gnu.org:
Hello,
On 5/18/25 22:55, Ludovic Courtès wrote:
> Hello,
>
> Ahmad Draidi <a.r.draidi <at> redscript.org> writes:
>
>> I did some testing on a test domain. I configured both DNS redirect
>> (git-dns.guix.redscript.org) and HTTP 302 redirect
>> (git.guix.redscript.org) to codeberg.org. As Ludo mentioned before,
>> DNS redirect doesn't work. HTTP 302 redirect seems to work well with
>> both "guix pull" and "git clone".
> Thanks for testing. Your config looks close to the one I submitted,
> right?
Yeah. I think so. I guess the "/git" at the end of the base-url is
different. I can change the config and test again, if you want.
>
> Thanks,
> Ludo’.
Thanks,
Ahmad
Information forwarded to guix-patches <at> gnu.org: bug#76296; Package guix-patches. (Thu, 22 May 2025 12:14:01 GMT)
Message #59 received at 76296 <at> debbugs.gnu.org:
Hello,
Ludovic Courtès <ludo <at> gnu.org> writes:
> If we choose to install this patch, we should IMO do it as before
> guix.git is migrated to Codeberg (presumably on May 25th). That way, we
> can use git.guix.gnu.org in (guix channels) instead of
> codeberg.org/guix/guix.git.
We had a bunch of issues on the server (bayfront) but this patch is now
committed and deployed:
https://codeberg.org/guix/maintenance/commit/e8a3100bd5e0b2c795e0817878c735982ddf53c4
It’s working as expected:
--8<---------------cut here---------------start------------->8---
$ git ls-remote https://git.guix.gnu.org/guix.git |head
warning: redirecting to https://git.savannah.gnu.org/git/guix.git/
409bbd801428b90701f625c38e6b5840f12a187b HEAD
315aeb0fc3edb7dcd071cf9737ec908666f0d995 refs/heads/c++-team
dcef371e0e6a4f5c5bc511da923bd2708047ae2e refs/heads/core-packages-team
43979b51c06ffa11303e848f800d1dc28693b31c refs/heads/core-packages-team-old
571916871e38ecdefc6d6bc6a0117f50e3f92304 refs/heads/core-packages-team-old2
b4693b9d4e131a96e8491651914d6c47d7eca7af refs/heads/core-packages-team-old3
cbfa13a8595ad8469a1649bd0543923b5407a321 refs/heads/core-updates-glibc-2.39
55b894145ef13c6357bf79bd80de63cd366bcd26 refs/heads/emacs-team
0abd275c41c97e6638133b388e2350b798b4fbac refs/heads/games-updates
5d783ecc9620657656c3e8c2bb7fedae6b274336 refs/heads/gnome-team
--8<---------------cut here---------------end--------------->8---
Please take a look at the followup here:
https://issues.guix.gnu.org/78547
Thanks,
Ludo’.
bug closed, send any further explanations to 76296 <at> debbugs.gnu.org and Ludovic Courtès <ludo <at> gnu.org>. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Thu, 22 May 2025 12:14:02 GMT)
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 20 Jun 2025 11:24:14 GMT)