staging: move bottin and guichet to docker, sync with prod config

author: Baptiste Jonglez <git@bitsofnetworks.org> 2024-06-23 22:29:14 +0200
committer: Baptiste Jonglez <git@bitsofnetworks.org> 2024-06-23 22:29:14 +0200
commit: fc83048b0247e222dd94bbf0430f99d58c5be418 (patch)
tree: 294e070ea3fb11dc9880da5596de6d31524f8199
parent: 86026c564230aff1aae53a4acb56d4671b14e023 (diff)
download: nixcfg-fc83048b0247e222dd94bbf0430f99d58c5be418.tar.gz
nixcfg-fc83048b0247e222dd94bbf0430f99d58c5be418.zip
9 files changed, 198 insertions, 161 deletions
diff --git a/cluster/prod/app/core/secrets.toml b/cluster/prod/app/core/secrets.toml
index 736c9dd..8a6a7f2 100644
--- a/cluster/prod/app/core/secrets.toml
+++ b/cluster/prod/app/core/secrets.toml
@@ -3,3 +3,7 @@ type = 'user'
 description = 'LDAP base DN for everything'
 example = 'dc=example,dc=com'
 
+[secrets."d53/gandi_api_key"]
+type = 'user'
+description = 'Gandi API key'
+
diff --git a/cluster/prod/app/guichet/deploy/directory.hcl b/cluster/prod/app/guichet/deploy/guichet.hcl
index 397602f..4b2ff28 100644
--- a/cluster/prod/app/guichet/deploy/directory.hcl
+++ b/cluster/prod/app/guichet/deploy/guichet.hcl
@@ -14,7 +14,7 @@ job "guichet" {
       driver = "docker"
       config {
         image = "dxflrs/guichet:m1gzk1r00xp0kz566fwbpc87z7haq7xj"
-	args = [ "server", "-config", "/etc/config.json" ]
+        args = [ "server", "-config", "/etc/config.json" ]
         readonly_rootfs = true
         ports = [ "web_port" ]
         volumes = [
diff --git a/cluster/staging/app/directory/config/bottin/config.json.tpl b/cluster/staging/app/core/config/bottin/config.json.tpl
index 844f7b7..844f7b7 100644
--- a/cluster/staging/app/directory/config/bottin/config.json.tpl
+++ b/cluster/staging/app/core/config/bottin/config.json.tpl
diff --git a/cluster/staging/app/core/deploy/bottin.hcl b/cluster/staging/app/core/deploy/bottin.hcl
new file mode 100644
index 0000000..1481fa8
--- /dev/null
+++ b/cluster/staging/app/core/deploy/bottin.hcl
@@ -0,0 +1,100 @@
+job "core-bottin" {
+  datacenters = ["neptune", "jupiter", "corrin", "bespin"]
+  type = "system"
+  priority = 90
+
+  update {
+    max_parallel = 1
+    stagger = "1m"
+  }
+
+  group "bottin" {
+    constraint {
+      distinct_property = "${meta.site}"
+      value = "1"
+    }
+
+    network {
+      port "ldap_port" {
+        static = 389
+        to = 389
+      }
+    }
+
+    task "bottin" {
+      driver = "docker"
+      config {
+        image = "dxflrs/bottin:7h18i30cckckaahv87d3c86pn4a7q41z"
+        network_mode = "host"
+        readonly_rootfs = true
+        ports = [ "ldap_port" ]
+        volumes = [
+          "secrets/config.json:/config.json",
+          "secrets:/etc/bottin",
+        ]
+      }
+
+      restart {
+        interval = "5m"
+        attempts = 10
+        delay    = "15s"
+        mode     = "delay"
+      }
+
+      resources {
+        memory = 100
+        memory_max = 200
+      }
+
+      template {
+        data = file("../config/bottin/config.json.tpl")
+        destination = "secrets/config.json"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul.crt\" }}"
+        destination = "secrets/consul.crt"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+        destination = "secrets/consul-client.crt"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul-client.key\" }}"
+        destination = "secrets/consul-client.key"
+      }
+
+      template {
+        data = <<EOH
+CONSUL_HTTP_ADDR=https://consul.service.staging.consul:8501
+CONSUL_HTTP_SSL=true
+CONSUL_CACERT=/etc/bottin/consul.crt
+CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
+CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
+EOH
+        destination = "secrets/env"
+        env = true
+      }
+
+      service {
+        tags = [ "${meta.site}" ]
+        port = "ldap_port"
+        address_mode = "host"
+        name = "bottin"
+        check {
+          type = "tcp"
+          port = "ldap_port"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/cluster/staging/app/core/secrets.toml b/cluster/staging/app/core/secrets.toml
index 8da8561..8a6a7f2 100644
--- a/cluster/staging/app/core/secrets.toml
+++ b/cluster/staging/app/core/secrets.toml
@@ -1,3 +1,8 @@
+[secrets."directory/ldap_base_dn"]
+type = 'user'
+description = 'LDAP base DN for everything'
+example = 'dc=example,dc=com'
+
 [secrets."d53/gandi_api_key"]
 type = 'user'
 description = 'Gandi API key'
diff --git a/cluster/staging/app/directory/deploy/directory.hcl b/cluster/staging/app/directory/deploy/directory.hcl
deleted file mode 100644
index 534bf02..0000000
--- a/cluster/staging/app/directory/deploy/directory.hcl
+++ /dev/null
@@ -1,133 +0,0 @@
-job "directory" {
-  datacenters = ["neptune", "jupiter", "corrin", "bespin"]
-  type = "service"
-  priority = 90
-
-  constraint {
-    attribute = "${attr.cpu.arch}"
-    value     = "amd64"
-  }
-
-  group "bottin" {
-    count = 1
-
-    network {
-      port "ldap_port" {
-        static = 389
-      }
-    }
-
-    task "bottin" {
-      driver = "nix2"
-      config {
-        packages = [
-          "git+https://git.deuxfleurs.fr/Deuxfleurs/bottin.git?ref=main&rev=9cab98d2cee386ece54b000bbdf2346da8b55eed"
-        ]
-        command = "bottin"
-      }
-      user = "root" # needed to bind port 389
-
-      resources {
-        memory = 100
-      }
-
-      template {
-        data = file("../config/bottin/config.json.tpl")
-        destination = "config.json"
-      }
-
-      template {
-        data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
-        destination = "etc/bottin/consul-ca.crt"
-      }
-
-      template {
-        data = "{{ key \"secrets/consul/consul-client.crt\" }}"
-        destination = "etc/bottin/consul-client.crt"
-      }
-
-      template {
-        data = "{{ key \"secrets/consul/consul-client.key\" }}"
-        destination = "etc/bottin/consul-client.key"
-      }
-
-      template {
-        data = <<EOH
-CONSUL_HTTP_ADDR=https://localhost:8501
-CONSUL_HTTP_SSL=true
-CONSUL_CACERT=/etc/bottin/consul-ca.crt
-CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
-CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
-EOH
-        destination = "secrets/env"
-        env = true
-      }
-
-      service {
-        tags = ["bottin"]
-        port = "ldap_port"
-        name = "bottin"
-        check {
-          type = "tcp"
-          port = "ldap_port"
-          interval = "60s"
-          timeout = "5s"
-          check_restart {
-            limit = 3
-            grace = "90s"
-            ignore_warnings = false
-          }
-        }
-      }
-    }
-  }
-
-  group "guichet" {
-    count = 1
-
-    network {
-      port "web_port" { static = 9991 }
-    }
-
-    task "guichet" {
-      driver = "nix2"
-      config {
-        packages = [
-          "git+https://git.deuxfleurs.fr/Deuxfleurs/guichet.git?ref=main&rev=10bdee10cf6947ec6dd0ba5040d7274d6c3316a7"
-        ]
-        command = "guichet"
-      }
-
-      template {
-        data = file("../config/guichet/config.json.tpl")
-        destination = "config.json"
-      }
-
-      resources {
-        memory = 200
-      }
-
-      service {
-        name = "guichet"
-        tags = [
-          "guichet",
-          "tricot guichet.staging.deuxfleurs.org",
-          "d53-cname guichet.staging.deuxfleurs.org",
-        ]
-        port = "web_port"
-        check {
-          type = "tcp"
-          port = "web_port"
-          interval = "60s"
-          timeout = "5s"
-          check_restart {
-            limit = 3
-            grace = "90s"
-            ignore_warnings = false
-          }
-        }
-      }
-    }
-  }
-}
-
diff --git a/cluster/staging/app/directory/config/guichet/config.json.tpl b/cluster/staging/app/guichet/config/guichet/config.json.tpl
index cf01558..ea42c93 100644
--- a/cluster/staging/app/directory/config/guichet/config.json.tpl
+++ b/cluster/staging/app/guichet/config/guichet/config.json.tpl
@@ -1,12 +1,15 @@
 {
   "http_bind_addr": ":9991",
-  "ldap_server_addr": "ldap://bottin.service.staging.consul:389",
+  "ldap_server_addr": "ldap://{{ env "meta.site" }}.bottin.service.staging.consul:389",
 
   "base_dn": "{{ key "secrets/directory/ldap_base_dn" }}",
   "user_base_dn": "ou=users,{{ key "secrets/directory/ldap_base_dn" }}",
   "user_name_attr": "cn",
   "group_base_dn": "ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
   "group_name_attr": "cn",
+  "mailing_list_base_dn": "ou=mailing_lists,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
+  "mailing_list_name_attr": "cn",
+  "mailing_list_guest_user_base_dn": "ou=guests,ou=users,{{ key "secrets/directory/ldap_base_dn" }}",
 
   "invitation_base_dn": "ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}",
   "invitation_name_attr": "cn",
diff --git a/cluster/staging/app/guichet/deploy/guichet.hcl b/cluster/staging/app/guichet/deploy/guichet.hcl
new file mode 100644
index 0000000..27cbb70
--- /dev/null
+++ b/cluster/staging/app/guichet/deploy/guichet.hcl
@@ -0,0 +1,58 @@
+job "guichet" {
+  datacenters = ["neptune", "jupiter", "corrin", "bespin"]
+  type = "service"
+  priority = 90
+
+  group "guichet" {
+    count = 1
+
+    network {
+      port "web_port" { to = 9991 }
+    }
+
+    task "guichet" {
+      driver = "docker"
+      config {
+        image = "dxflrs/guichet:m1gzk1r00xp0kz566fwbpc87z7haq7xj"
+        args = [ "server", "-config", "/etc/config.json" ]
+        readonly_rootfs = true
+        ports = [ "web_port" ]
+        volumes = [
+          "secrets/config.json:/etc/config.json"
+        ]
+      }
+
+      template {
+        data = file("../config/guichet/config.json.tpl")
+        destination = "secrets/config.json"
+      }
+
+      resources {
+        memory = 200
+      }
+
+      service {
+        name = "guichet"
+        tags = [
+          "guichet",
+          "tricot guichet.staging.deuxfleurs.org",
+          "d53-cname guichet.staging.deuxfleurs.org",
+        ]
+        port = "web_port"
+        address_mode = "host"
+        check {
+          type = "tcp"
+          port = "web_port"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+      }
+    }
+  }
+}
+
diff --git a/cluster/staging/app/directory/secrets.toml b/cluster/staging/app/guichet/secrets.toml
index edde6cc..d614b27 100644
--- a/cluster/staging/app/directory/secrets.toml
+++ b/cluster/staging/app/guichet/secrets.toml
@@ -1,51 +1,51 @@
-[secrets."directory/ldap_base_dn"]
+# General configuration 
+
+[secrets."directory/guichet/web_hostname"]
 type = 'user'
-description = 'LDAP base DN for everything'
-example = 'dc=example,dc=com'
+description = 'Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)'
+
+
+# Mailing configuration
 
 [secrets."directory/guichet/smtp_user"]
 type = 'user'
 description = 'SMTP username'
 
-[secrets."directory/guichet/s3_access_key"]
+[secrets."directory/guichet/smtp_pass"]
 type = 'user'
-description = 'Garage access key for Guichet profile pictures'
+description = 'SMTP password'
 
-[secrets."directory/guichet/s3_endpoint"]
+[secrets."directory/guichet/smtp_server"]
 type = 'user'
-description = 'S3 endpoint URL'
+description = 'SMTP server address (hostname:port)'
 
-[secrets."directory/guichet/s3_region"]
+[secrets."directory/guichet/mail_from"]
 type = 'user'
-description = 'S3 region'
+description = 'E-mail address from which to send welcome emails to new users'
 
-[secrets."directory/guichet/smtp_pass"]
+[secrets."directory/guichet/mail_domain"]
 type = 'user'
-description = 'SMTP password'
+description = 'E-mail domain for new users (e.g. example.com)'
 
-[secrets."directory/guichet/web_hostname"]
+
+# S3 configuration
+
+[secrets."directory/guichet/s3_endpoint"]
 type = 'user'
-description = 'Public hostname from which Guichet is accessible via HTTP'
-example = 'guichet.example.com'
+description = 'S3 endpoint URL'
 
 [secrets."directory/guichet/s3_bucket"]
 type = 'user'
 description = 'S3 bucket in which to store data files (such as profile pictures)'
 
-[secrets."directory/guichet/smtp_server"]
-type = 'user'
-description = 'SMTP server address (hostname:port)'
-
-[secrets."directory/guichet/s3_secret_key"]
+[secrets."directory/guichet/s3_region"]
 type = 'user'
-description = 'Garage secret key for Guichet profile pictures'
+description = 'S3 region'
 
-[secrets."directory/guichet/mail_from"]
+[secrets."directory/guichet/s3_access_key"]
 type = 'user'
-description = 'E-mail address from which to send welcome emails to new users'
+description = 'Garage access key for Guichet profile pictures'
 
-[secrets."directory/guichet/mail_domain"]
+[secrets."directory/guichet/s3_secret_key"]
 type = 'user'
-description = 'E-mail domain for new users'
-example = 'example.com'
-
+description = 'Garage secret key for Guichet profile pictures'
author	Baptiste Jonglez <git@bitsofnetworks.org>	2024-06-23 22:29:14 +0200
committer	Baptiste Jonglez <git@bitsofnetworks.org>	2024-06-23 22:29:14 +0200
commit	fc83048b0247e222dd94bbf0430f99d58c5be418 (patch)
tree	294e070ea3fb11dc9880da5596de6d31524f8199
parent	86026c564230aff1aae53a4acb56d4671b14e023 (diff)
download	nixcfg-fc83048b0247e222dd94bbf0430f99d58c5be418.tar.gz nixcfg-fc83048b0247e222dd94bbf0430f99d58c5be418.zip