author | Baptiste Jonglez <git@bitsofnetworks.org> | 2024-06-23 22:29:14 +0200 |
---|---|---|
committer | Baptiste Jonglez <git@bitsofnetworks.org> | 2024-06-23 22:29:14 +0200 |
commit | fc83048b0247e222dd94bbf0430f99d58c5be418 (patch) | |
tree | 294e070ea3fb11dc9880da5596de6d31524f8199 | |
parent | 86026c564230aff1aae53a4acb56d4671b14e023 (diff) | |
download | nixcfg-fc83048b0247e222dd94bbf0430f99d58c5be418.tar.gz nixcfg-fc83048b0247e222dd94bbf0430f99d58c5be418.zip |
staging: move bottin and guichet to docker, sync with prod config
-rw-r--r-- | cluster/prod/app/core/secrets.toml | 4 | ||||
-rw-r--r-- | cluster/prod/app/guichet/deploy/guichet.hcl (renamed from cluster/prod/app/guichet/deploy/directory.hcl) | 2 | ||||
-rw-r--r-- | cluster/staging/app/core/config/bottin/config.json.tpl (renamed from cluster/staging/app/directory/config/bottin/config.json.tpl) | 0 | ||||
-rw-r--r-- | cluster/staging/app/core/deploy/bottin.hcl | 100 | ||||
-rw-r--r-- | cluster/staging/app/core/secrets.toml | 5 | ||||
-rw-r--r-- | cluster/staging/app/directory/deploy/directory.hcl | 133 | ||||
-rw-r--r-- | cluster/staging/app/guichet/config/guichet/config.json.tpl (renamed from cluster/staging/app/directory/config/guichet/config.json.tpl) | 5 | ||||
-rw-r--r-- | cluster/staging/app/guichet/deploy/guichet.hcl | 58 | ||||
-rw-r--r-- | cluster/staging/app/guichet/secrets.toml (renamed from cluster/staging/app/directory/secrets.toml) | 52 |
9 files changed, 198 insertions, 161 deletions
diff --git a/cluster/prod/app/core/secrets.toml b/cluster/prod/app/core/secrets.toml
index 736c9dd..8a6a7f2 100644
--- a/cluster/prod/app/core/secrets.toml
+++ b/cluster/prod/app/core/secrets.toml
@@ -3,3 +3,7 @@ type = 'user'
 description = 'LDAP base DN for everything'
 example = 'dc=example,dc=com'
+[secrets."d53/gandi_api_key"]
+type = 'user'
+description = 'Gandi API key'
+
diff --git a/cluster/prod/app/guichet/deploy/directory.hcl b/cluster/prod/app/guichet/deploy/guichet.hcl
index 397602f..4b2ff28 100644
--- a/cluster/prod/app/guichet/deploy/directory.hcl
+++ b/cluster/prod/app/guichet/deploy/guichet.hcl
@@ -14,7 +14,7 @@ job "guichet" {
 driver = "docker"
 config {
 image = "dxflrs/guichet:m1gzk1r00xp0kz566fwbpc87z7haq7xj"
- args = [ "server", "-config", "/etc/config.json" ]
+ args = [ "server", "-config", "/etc/config.json" ]
 readonly_rootfs = true
 ports = [ "web_port" ]
 volumes = [
diff --git a/cluster/staging/app/directory/config/bottin/config.json.tpl b/cluster/staging/app/core/config/bottin/config.json.tpl
index 844f7b7..844f7b7 100644
--- a/cluster/staging/app/directory/config/bottin/config.json.tpl
+++ b/cluster/staging/app/core/config/bottin/config.json.tpl
diff --git a/cluster/staging/app/core/deploy/bottin.hcl b/cluster/staging/app/core/deploy/bottin.hcl
new file mode 100644
index 0000000..1481fa8
--- /dev/null
+++ b/cluster/staging/app/core/deploy/bottin.hcl
@@ -0,0 +1,100 @@
+job "core-bottin" {
+ datacenters = ["neptune", "jupiter", "corrin", "bespin"]
+ type = "system"
+ priority = 90
+
+ update {
+ max_parallel = 1
+ stagger = "1m"
+ }
+
+ group "bottin" {
+ constraint {
+ distinct_property = "${meta.site}"
+ value = "1"
+ }
+
+ network {
+ port "ldap_port" {
+ static = 389
+ to = 389
+ }
+ }
+
+ task "bottin" {
+ driver = "docker"
+ config {
+ image = "dxflrs/bottin:7h18i30cckckaahv87d3c86pn4a7q41z"
+ network_mode = "host"
+ readonly_rootfs = true
+ ports = [ "ldap_port" ]
+ volumes = [
+ "secrets/config.json:/config.json",
+ "secrets:/etc/bottin",
+ ]
+ }
+
+ restart {
+ interval = "5m"
+ attempts = 10
+ delay = "15s"
+ mode = "delay"
+ }
+
+ resources {
+ memory = 100
+ memory_max = 200
+ }
+
+ template {
+ data = file("../config/bottin/config.json.tpl")
+ destination = "secrets/config.json"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul.crt\" }}"
+ destination = "secrets/consul.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+ destination = "secrets/consul-client.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.key\" }}"
+ destination = "secrets/consul-client.key"
+ }
+
+ template {
+ data = <<EOH
+CONSUL_HTTP_ADDR=https://consul.service.staging.consul:8501
+CONSUL_HTTP_SSL=true
+CONSUL_CACERT=/etc/bottin/consul.crt
+CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
+CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ service {
+ tags = [ "${meta.site}" ]
+ port = "ldap_port"
+ address_mode = "host"
+ name = "bottin"
+ check {
+ type = "tcp"
+ port = "ldap_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/cluster/staging/app/core/secrets.toml b/cluster/staging/app/core/secrets.toml
index 8da8561..8a6a7f2 100644
--- a/cluster/staging/app/core/secrets.toml
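Review bot: The task's secrets directory, which holds the Consul client private key, is bind-mounted read-write (`"secrets:/etc/bottin"`), so `readonly_rootfs = true` does not cover it and a compromised bottin process could rewrite its own config and client certificate; both mounts should be `"secrets/config.json:/config.json:ro",` and `"secrets:/etc/bottin:ro",`. Separately, with `network_mode = "host"` Docker performs no port mapping, so the `to = 389` line and the `ports` list have no effect and the actual listen address comes from config.json.tpl, which this hunk does not show; a comment such as `# host networking: the port block only reserves 389 in the scheduler, the bind address is set in config.json` would spare the next reader that detour. The CA path also changed from the old job's `consul-ca.crt` to `secrets/consul/consul.crt`; presumably that key holds the CA bundle rather than a leaf certificate, but it is worth confirming since `CONSUL_CACERT` is what verifies the Consul servers. The whole `core-bottin` job is within the hunk.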
+++ b/cluster/staging/app/core/secrets.toml
@@ -1,3 +1,8 @@
+[secrets."directory/ldap_base_dn"]
+type = 'user'
+description = 'LDAP base DN for everything'
+example = 'dc=example,dc=com'
+
 [secrets."d53/gandi_api_key"]
 type = 'user'
 description = 'Gandi API key'
diff --git a/cluster/staging/app/directory/deploy/directory.hcl b/cluster/staging/app/directory/deploy/directory.hcl
deleted file mode 100644
index 534bf02..0000000
--- a/cluster/staging/app/directory/deploy/directory.hcl
+++ /dev/null
@@ -1,133 +0,0 @@
-job "directory" {
- datacenters = ["neptune", "jupiter", "corrin", "bespin"]
- type = "service"
- priority = 90
-
- constraint {
- attribute = "${attr.cpu.arch}"
- value = "amd64"
- }
-
- group "bottin" {
- count = 1
-
- network {
- port "ldap_port" {
- static = 389
- }
- }
-
- task "bottin" {
- driver = "nix2"
- config {
- packages = [
- "git+https://git.deuxfleurs.fr/Deuxfleurs/bottin.git?ref=main&rev=9cab98d2cee386ece54b000bbdf2346da8b55eed"
- ]
- command = "bottin"
- }
- user = "root" # needed to bind port 389
-
- resources {
- memory = 100
- }
-
- template {
- data = file("../config/bottin/config.json.tpl")
- destination = "config.json"
- }
-
- template {
- data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
- destination = "etc/bottin/consul-ca.crt"
- }
-
- template {
- data = "{{ key \"secrets/consul/consul-client.crt\" }}"
- destination = "etc/bottin/consul-client.crt"
- }
-
- template {
- data = "{{ key \"secrets/consul/consul-client.key\" }}"
- destination = "etc/bottin/consul-client.key"
- }
-
- template {
- data = <<EOH
-CONSUL_HTTP_ADDR=https://localhost:8501
-CONSUL_HTTP_SSL=true
-CONSUL_CACERT=/etc/bottin/consul-ca.crt
-CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
-CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
-EOH
- destination = "secrets/env"
- env = true
- }
-
- service {
- tags = ["bottin"]
- port = "ldap_port"
- name = "bottin"
- check {
- type = "tcp"
- port = "ldap_port"
- interval = "60s"
- timeout = "5s"
- check_restart {
- limit = 3
- grace = "90s"
- ignore_warnings = false
- }
- }
- }
- }
- }
-
- group "guichet" {
- count = 1
-
- network {
- port "web_port" { static = 9991 }
- }
-
- task "guichet" {
- driver = "nix2"
- config {
- packages = [
- "git+https://git.deuxfleurs.fr/Deuxfleurs/guichet.git?ref=main&rev=10bdee10cf6947ec6dd0ba5040d7274d6c3316a7"
- ]
- command = "guichet"
- }
-
- template {
- data = file("../config/guichet/config.json.tpl")
- destination = "config.json"
- }
-
- resources {
- memory = 200
- }
-
- service {
- name = "guichet"
- tags = [
- "guichet",
- "tricot guichet.staging.deuxfleurs.org",
- "d53-cname guichet.staging.deuxfleurs.org",
- ]
- port = "web_port"
- check {
- type = "tcp"
- port = "web_port"
- interval = "60s"
- timeout = "5s"
- check_restart {
- limit = 3
- grace = "90s"
- ignore_warnings = false
- }
- }
- }
- }
- }
-}
-
diff --git a/cluster/staging/app/directory/config/guichet/config.json.tpl b/cluster/staging/app/guichet/config/guichet/config.json.tpl
index cf01558..ea42c93 100644
--- a/cluster/staging/app/directory/config/guichet/config.json.tpl
+++ b/cluster/staging/app/guichet/config/guichet/config.json.tpl
@@ -1,12 +1,15 @@
 {
 "http_bind_addr": ":9991",
- "ldap_server_addr": "ldap://bottin.service.staging.consul:389",
+ "ldap_server_addr": "ldap://{{ env "meta.site" }}.bottin.service.staging.consul:389",
 "base_dn": "{{ key "secrets/directory/ldap_base_dn" }}",
 "user_base_dn": "ou=users,{{ key "secrets/directory/ldap_base_dn" }}",
 "user_name_attr": "cn",
 "group_base_dn": "ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
 "group_name_attr": "cn",
+ "mailing_list_base_dn": "ou=mailing_lists,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
+ "mailing_list_name_attr": "cn",
+ "mailing_list_guest_user_base_dn": "ou=guests,ou=users,{{ key "secrets/directory/ldap_base_dn" }}",
 "invitation_base_dn": "ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}",
 "invitation_name_attr": "cn",
diff --git a/cluster/staging/app/guichet/deploy/guichet.hcl b/cluster/staging/app/guichet/deploy/guichet.hcl
new file mode 100644
index 0000000..27cbb70
--- /dev/null
+++ b/cluster/staging/app/guichet/deploy/guichet.hcl
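Review bot: `mailing_list_guest_user_base_dn` is set to `ou=guests,ou=users,…`, which sits inside `user_base_dn` (`ou=users,…`), so any subtree search guichet runs under `user_base_dn` will also return guest entries; whether a guest can then authenticate or be listed as an ordinary account depends on guichet's search scope and filters, which are not visible here, so this is worth confirming or, if guests are not meant to be regular users, placing them in a sibling OU. The new `ldap_server_addr` keeps the plain `ldap://` scheme, so simple binds from guichet to the site's bottin carry credentials in clear over the site network; if that is accepted because both tasks run on the same site, a short comment next to the line saying so would document the decision. The JSON object continues past the end of the hunk.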
@@ -0,0 +1,58 @@
+job "guichet" {
+ datacenters = ["neptune", "jupiter", "corrin", "bespin"]
+ type = "service"
+ priority = 90
+
+ group "guichet" {
+ count = 1
+
+ network {
+ port "web_port" { to = 9991 }
+ }
+
+ task "guichet" {
+ driver = "docker"
+ config {
+ image = "dxflrs/guichet:m1gzk1r00xp0kz566fwbpc87z7haq7xj"
+ args = [ "server", "-config", "/etc/config.json" ]
+ readonly_rootfs = true
+ ports = [ "web_port" ]
+ volumes = [
+ "secrets/config.json:/etc/config.json"
+ ]
+ }
+
+ template {
+ data = file("../config/guichet/config.json.tpl")
+ destination = "secrets/config.json"
+ }
+
+ resources {
+ memory = 200
+ }
+
+ service {
+ name = "guichet"
+ tags = [
+ "guichet",
+ "tricot guichet.staging.deuxfleurs.org",
+ "d53-cname guichet.staging.deuxfleurs.org",
+ ]
+ port = "web_port"
+ address_mode = "host"
+ check {
+ type = "tcp"
+ port = "web_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/cluster/staging/app/directory/secrets.toml b/cluster/staging/app/guichet/secrets.toml
index edde6cc..d614b27 100644
--- a/cluster/staging/app/directory/secrets.toml
+++ b/cluster/staging/app/guichet/secrets.toml
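Review bot: The rendered config file is bind-mounted read-write (`"secrets/config.json:/etc/config.json"`), so `readonly_rootfs = true` does not protect it; the guichet secrets.toml in this commit declares SMTP and S3 credentials that presumably end up in that file, so it should be mounted `"secrets/config.json:/etc/config.json:ro"`. The task also has no `user` stanza, so it runs as whatever the image defaults to — fine if the image already drops privileges, but a one-line comment stating that assumption would help. The whole `guichet` job is within the hunk.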
@@ -1,51 +1,51 @@
-[secrets."directory/ldap_base_dn"]
+# General configuration
+
+[secrets."directory/guichet/web_hostname"]
 type = 'user'
-description = 'LDAP base DN for everything'
-example = 'dc=example,dc=com'
+description = 'Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)'
+
+
+# Mailing configuration
 [secrets."directory/guichet/smtp_user"]
 type = 'user'
 description = 'SMTP username'
-[secrets."directory/guichet/s3_access_key"]
+[secrets."directory/guichet/smtp_pass"]
 type = 'user'
-description = 'Garage access key for Guichet profile pictures'
+description = 'SMTP password'
-[secrets."directory/guichet/s3_endpoint"]
+[secrets."directory/guichet/smtp_server"]
 type = 'user'
-description = 'S3 endpoint URL'
+description = 'SMTP server address (hostname:port)'
-[secrets."directory/guichet/s3_region"]
+[secrets."directory/guichet/mail_from"]
 type = 'user'
-description = 'S3 region'
+description = 'E-mail address from which to send welcome emails to new users'
-[secrets."directory/guichet/smtp_pass"]
+[secrets."directory/guichet/mail_domain"]
 type = 'user'
-description = 'SMTP password'
+description = 'E-mail domain for new users (e.g. example.com)'
-[secrets."directory/guichet/web_hostname"]
+
+# S3 configuration
+
+[secrets."directory/guichet/s3_endpoint"]
 type = 'user'
-description = 'Public hostname from which Guichet is accessible via HTTP'
-example = 'guichet.example.com'
+description = 'S3 endpoint URL'
 [secrets."directory/guichet/s3_bucket"]
 type = 'user'
 description = 'S3 bucket in which to store data files (such as profile pictures)'
-[secrets."directory/guichet/smtp_server"]
-type = 'user'
-description = 'SMTP server address (hostname:port)'
-
-[secrets."directory/guichet/s3_secret_key"]
+[secrets."directory/guichet/s3_region"]
 type = 'user'
-description = 'Garage secret key for Guichet profile pictures'
+description = 'S3 region'
-[secrets."directory/guichet/mail_from"]
+[secrets."directory/guichet/s3_access_key"]
 type = 'user'
-description = 'E-mail address from which to send welcome emails to new users'
+description = 'Garage access key for Guichet profile pictures'
-[secrets."directory/guichet/mail_domain"]
+[secrets."directory/guichet/s3_secret_key"]
 type = 'user'
-description = 'E-mail domain for new users'
-example = 'example.com'
-
+description = 'Garage secret key for Guichet profile pictures' |