Self-hosted edge cache on a dedicated Incus container, sits between clients and the MinIO EC:2 cluster. Replaces the need for an external CDN at v1.0 traffic levels — handles thousands of concurrent listeners on the R720, leaks zero logs to a third party. This is the phase-1 alternative documented in the v1.0.9 CDN synthesis: phase-1 = self-hosted Nginx, phase-2 = 2 cache nodes + GeoDNS, phase-3 = Bunny.net via the existing CDN_* config (still inert with CDN_ENABLED=false).

- infra/ansible/roles/nginx_proxy_cache/: install nginx + curl, render nginx.conf with shared zone (128 MiB keys + 20 GiB disk, inactive=7d), render veza-cache site that proxies to the minio_nodes upstream pool with keepalive=32. HLS segments cached 7d via 1 MiB slice; .m3u8 cached 60s; everything else 1h.
- Cache key excludes Authorization / Cookie (presigned URLs only in v1.0). slice_range included for segments so byte-range requests with arbitrary offsets all hit the same cached chunks.
- proxy_cache_use_stale error timeout updating http_500..504 + background_update + lock — survives MinIO partial outages without cold-storming the origin.
- X-Cache-Status surfaced on every response so smoke tests + operators can verify HIT/MISS without parsing access logs.
- stub_status bound to 127.0.0.1:81/__nginx_status for the future prometheus nginx_exporter sidecar.
- infra/ansible/playbooks/nginx_proxy_cache.yml: provisions the Incus container + applies common baseline + role.
- inventory/lab.yml: new nginx_cache group.
- infra/ansible/tests/test_nginx_cache.sh: MISS→HIT roundtrip via X-Cache-Status, on-disk entry verification.

Acceptance: smoke test reports MISS then HIT for the same URL; cache directory carries on-disk entries.

No backend code change — the cache is transparent. To route through it, flip AWS_S3_ENDPOINT=http://nginx-cache.lxd:80 in the API env.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
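The MISS→HIT acceptance check described in the commit message, as an added example that is not the project's own test_nginx_cache.sh: it parses X-Cache-Status out of raw response headers, maps each nginx cache status to what an operator should look for, and passes only when the same URL yields MISS then HIT. The parsing and verdict functions run offline on constructed header dumps; smoke_test needs a live cache and a URL you supply (the only assumptions beyond what the message states).

```shell
#!/usr/bin/env bash
# Added example, not the project's infra/ansible/tests/test_nginx_cache.sh.
# Parse X-Cache-Status from a header dump and verify a MISS -> HIT roundtrip.

# Extract X-Cache-Status from raw response headers on stdin (CRLF-safe,
# header name case-insensitive); prints NONE when the header is missing.
cache_status() {
    tr -d '\r' | awk -F': *' 'tolower($1) == "x-cache-status" {
        sub(/[ \t]+$/, "", $2); print toupper($2); found = 1
    } END { if (!found) print "NONE" }'
}

# Operator meaning of each nginx $upstream_cache_status value.
explain_status() {
    case "$1" in
        HIT)         echo "served from cache" ;;
        MISS)        echo "cold key, fetched from MinIO and stored" ;;
        EXPIRED)     echo "entry past proxy_cache_valid, refetched" ;;
        STALE)       echo "stale entry served, origin failing (proxy_cache_use_stale)" ;;
        UPDATING)    echo "stale entry served while background_update refreshes" ;;
        REVALIDATED) echo "origin answered 304, entry refreshed" ;;
        BYPASS)      echo "proxy_cache_bypass matched, check cache key rules" ;;
        NONE)        echo "header absent, request did not traverse veza-cache" ;;
        *)           echo "unknown status: $1" ;;
    esac
}

# Exit 0 only when the two header dumps (same URL) read MISS then HIT.
check_roundtrip() {
    first=$(printf '%s\n' "$1" | cache_status)
    second=$(printf '%s\n' "$2" | cache_status)
    if [ "$first" = MISS ] && [ "$second" = HIT ]; then
        echo "PASS: $first -> $second"; return 0
    fi
    echo "FAIL: $first ($(explain_status "$first")) -> $second ($(explain_status "$second"))" >&2
    return 1
}

# Constructed sample dumps standing in for `curl -D -` output on a cold and a warm cache.
COLD_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: video/mp2t\r\nX-Cache-Status: MISS\r\n')
WARM_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: video/mp2t\r\nx-cache-status: hit\r\n')

# Live mode: GET the same URL twice, discard the bodies, compare the headers.
smoke_test() {
    first=$(curl -sS -o /dev/null -D - "$1")
    second=$(curl -sS -o /dev/null -D - "$1")
    check_roundtrip "$first" "$second"
}
if [ "${1:-}" = "--live" ]; then smoke_test "$2"; fi
```

Run it as `./check_cache.sh --live http://nginx-cache.lxd:80/<segment-path>` against the container; a BYPASS or NONE verdict points at the site config or routing rather than at MinIO.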
71 lines
1.7 KiB
YAML
# nginx_proxy_cache role — installs nginx, renders the cache config
# pointed at the MinIO cluster, ensures the systemd unit is running.
# Idempotent.
---
- name: Install nginx + curl (curl needed for the smoke test)
  ansible.builtin.apt:
    name:
      - nginx
      - curl
    state: present
    update_cache: true
    cache_valid_time: 3600
  tags: [nginx_cache, packages]

- name: Ensure cache root directory
  ansible.builtin.file:
    path: "{{ nginx_cache_root }}"
    state: directory
    owner: www-data
    group: www-data
    mode: "0755"
  tags: [nginx_cache, config]

- name: Render nginx.conf (top-level)
  ansible.builtin.template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: "0644"
  notify: Reload nginx
  tags: [nginx_cache, config]

- name: Disable the default site
  ansible.builtin.file:
    path: /etc/nginx/sites-enabled/default
    state: absent
  notify: Reload nginx
  tags: [nginx_cache, config]

- name: Render the veza-cache site config
  ansible.builtin.template:
    src: sites/veza-cache.conf.j2
    dest: /etc/nginx/sites-available/veza-cache.conf
    owner: root
    group: root
    mode: "0644"
  notify: Reload nginx
  tags: [nginx_cache, config]

- name: Enable veza-cache site
  ansible.builtin.file:
    src: /etc/nginx/sites-available/veza-cache.conf
    dest: /etc/nginx/sites-enabled/veza-cache.conf
    state: link
    force: true
  notify: Reload nginx
  tags: [nginx_cache, config]

- name: Validate nginx config
  ansible.builtin.command:
    cmd: nginx -t
  changed_when: false
  tags: [nginx_cache, config]

- name: Enable + start nginx
  ansible.builtin.systemd:
    name: nginx
    state: started
    enabled: true
  tags: [nginx_cache, service]