photoncloud-monorepo/chainfire/baremetal/pxe-server/http/nginx.conf
centra 5c6eb04a46 T036: Add VM cluster deployment configs for nixos-anywhere
- netboot-base.nix with SSH key auth
- Launch scripts for node01/02/03
- Node configuration.nix and disko.nix
- Nix modules for first-boot automation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-11 09:59:19 +09:00


# Nginx Configuration for PXE Boot Server
#
# This configuration serves:
# - iPXE bootloaders (undionly.kpxe, ipxe.efi)
# - iPXE boot scripts (boot.ipxe)
# - NixOS netboot images (kernel, initrd)
#
# Everything below /var/lib/pxe-boot is served unauthenticated over plain
# HTTP to any host that can reach port 80, and /boot/ lists the directory.
# Do not stage secrets there, and treat the images as unverified unless
# boot.ipxe checks signatures (imgverify) or the provisioning network is
# otherwise trusted.
#
# Directory structure:
# /var/lib/pxe-boot/
# ├── ipxe/   - iPXE bootloaders and scripts
# │   ├── undionly.kpxe
# │   ├── ipxe.efi
# │   └── boot.ipxe
# └── nixos/  - NixOS boot images
#     ├── bzImage - Linux kernel
#     └── initrd  - Initial ramdisk
# Worker processes run as this unprivileged account.
user nginx;
# Spawn one worker per available CPU.
worker_processes auto;
# Master PID file and error log (warnings and above only).
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log warn;

events {
    # Linux epoll event method; cap on simultaneous connections per worker.
    use epoll;
    worker_connections 1024;
}
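http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Logging format
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    # Performance tuning. Files are streamed from the kernel via sendfile;
    # nothing here is proxied, so no proxy_* tuning is needed.
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;

    # Gzip compression. Only the listed text types are compressed (of the
    # files served here that is just .ipxe scripts); kernels and initrds are
    # sent as-is.
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript
               application/json application/javascript application/xml+rss;

    # Custom MIME types for PXE boot files
    types {
        application/octet-stream kpxe;
        application/octet-stream efi;
        text/plain ipxe;
    }

    # Cache policy per path, applied by a single add_header in the server
    # block below. nginx's add_header is not additive: a location that
    # declares its own add_header silently drops every add_header inherited
    # from the server block (which would include the security headers).
    # Choosing the value through a map keeps all add_header directives at one
    # level so nothing is lost. An empty value means "no Cache-Control".
    # - iPXE scripts and the ipxe/ listings: never cached (edited often)
    # - iPXE bootloaders (.kpxe, .efi):       1 hour (rarely updated)
    # - NixOS kernel/initrd:                  15 minutes (new per build)
    map $uri $pxe_cache_control {
        default                    "";
        ~^/(boot/)?ipxe/           "no-store, no-cache, must-revalidate";
        ~\.ipxe$                   "no-store, no-cache, must-revalidate";
        ~\.(kpxe|efi)$             "public, max-age=3600";
        ~/nixos/(bzImage|initrd)$  "public, max-age=900";
    }

    # PXE Boot Server
    server {
        # TODO(review): binds every interface; consider listening only on the
        # provisioning network's address if this host is multi-homed.
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;

        # Root directory for boot files. Because root is set here, the
        # artifacts are also reachable without the /boot/ prefix
        # (/ipxe/..., /nixos/...).
        root /var/lib/pxe-boot;

        # This server only sends files and never consumes a request body.
        # client_max_body_size bounds the *request* body, not the images sent
        # back, so "0" (unlimited) only removed a safety limit; keep it small.
        client_max_body_size 1k;
        client_header_buffer_size 1k;
        large_client_header_buffers 4 8k;

        # Response headers. These reach every location below because no
        # location declares its own add_header (see the map above).
        add_header Cache-Control $pxe_cache_control always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "DENY" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Boot assets. Everything in this tree is readable by any host on the
        # network and the listing enumerates it, so keep only boot artifacts
        # here (no keys, passphrases or cloud credentials).
        location /boot/ {
            # Both the location and the alias end in "/", so a request for
            # "/boot../" cannot escape the directory (the alias traversal
            # pattern only bites when the location lacks the trailing slash).
            alias /var/lib/pxe-boot/;
            # Directory listing for debugging.
            # TODO(review): restrict with allow/deny to the provisioning subnet
            # or switch off once deployments are stable.
            autoindex on;
            autoindex_exact_size off;
            autoindex_localtime on;
            # Range requests: nginx emits Accept-Ranges itself for static
            # files, so no add_header is needed (it would only duplicate the
            # header and clobber the inherited ones).
        }

        # Direct access to iPXE scripts (alternative path)
        location /ipxe/ {
            alias /var/lib/pxe-boot/ipxe/;
            autoindex on;
        }

        # Health check endpoint
        location /health {
            access_log off;
            # Generated bodies take their Content-Type from default_type;
            # "add_header Content-Type" would add a second header next to the
            # application/octet-stream default instead of replacing it.
            types { }
            default_type text/plain;
            return 200 "OK\n";
        }

        # Status page (for monitoring)
        location /nginx_status {
            stub_status on;
            access_log off;
            # Restrict access to localhost only
            allow 127.0.0.1;
            allow ::1;
            deny all;
        }

        # Metrics endpoint (Prometheus-compatible)
        location /metrics {
            access_log off;
            # This requires nginx-module-vts or similar
            # Uncomment if you have the module installed
            # vhost_traffic_status_display;
            # vhost_traffic_status_display_format html;
            # For now, return a simple status (note: scrapers will see 200
            # and treat this placeholder as healthy)
            types { }
            default_type text/plain;
            return 200 "# Placeholder for metrics\n";
        }

        # Root path - display welcome page
        location = / {
            types { }
            default_type text/plain;
            return 200 "Centra Cloud PXE Boot Server\n\nAvailable endpoints:\n /boot/ipxe/boot.ipxe - Main boot script\n /boot/nixos/ - NixOS boot images\n /health - Health check\n\nFor more information, see: /boot/\n";
        }

        # Deny access to hidden files. With no nested regex locations under
        # /boot/ or /ipxe/, this server-level regex should also apply to
        # dotfiles below those prefixes.
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }

        # Custom error pages. The empty "types { }" stops the .html extension
        # from selecting text/html, so default_type applies.
        error_page 404 /404.html;
        location = /404.html {
            types { }
            default_type text/plain;
            return 404 "Not Found: The requested boot file does not exist.\nCheck your PXE configuration and ensure boot images are properly deployed.\n";
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            types { }
            default_type text/plain;
            return 500 "Server Error: The PXE boot server encountered an error.\nCheck nginx logs for details: /var/log/nginx/error.log\n";
        }
    }

    # HTTPS server (optional, for enhanced security)
    # Uncomment and configure SSL certificates if needed. Two caveats:
    # - iPXE trusts only the CA certificates built into the binary
    #   (e.g. make ... TRUST=ca.crt), so a private CA must be embedded in
    #   undionly.kpxe / ipxe.efi before they can fetch from this server.
    # - TLS protects the transport, not the artifacts themselves; if the
    #   image pipeline could be tampered with, have boot.ipxe verify detached
    #   signatures (imgverify / imgtrust) rather than relying on TLS alone.
    # - Newer nginx (>= 1.25.1) prefers "http2 on;" over the listen parameter.
    #
    # server {
    #     listen 443 ssl http2;
    #     listen [::]:443 ssl http2;
    #     server_name pxe.centra.local;
    #
    #     ssl_certificate /etc/ssl/certs/pxe-server.crt;
    #     ssl_certificate_key /etc/ssl/private/pxe-server.key;
    #     ssl_protocols TLSv1.2 TLSv1.3;
    #     ssl_ciphers HIGH:!aNULL:!MD5;
    #     ssl_prefer_server_ciphers on;
    #
    #     # Same location blocks as HTTP server above
    #     root /var/lib/pxe-boot;
    #
    #     location /boot/ {
    #         alias /var/lib/pxe-boot/;
    #         autoindex on;
    #     }
    #     # ... (copy other location blocks)
    # }
}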