aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBaptiste Jonglez <git@bitsofnetworks.org>2024-06-23 22:29:14 +0200
committerBaptiste Jonglez <git@bitsofnetworks.org>2024-06-23 22:29:14 +0200
commitfc83048b0247e222dd94bbf0430f99d58c5be418 (patch)
tree294e070ea3fb11dc9880da5596de6d31524f8199
parent86026c564230aff1aae53a4acb56d4671b14e023 (diff)
downloadnixcfg-fc83048b0247e222dd94bbf0430f99d58c5be418.tar.gz
nixcfg-fc83048b0247e222dd94bbf0430f99d58c5be418.zip
staging: move bottin and guichet to docker, sync with prod config
-rw-r--r--cluster/prod/app/core/secrets.toml4
-rw-r--r--cluster/prod/app/guichet/deploy/guichet.hcl (renamed from cluster/prod/app/guichet/deploy/directory.hcl)2
-rw-r--r--cluster/staging/app/core/config/bottin/config.json.tpl (renamed from cluster/staging/app/directory/config/bottin/config.json.tpl)0
-rw-r--r--cluster/staging/app/core/deploy/bottin.hcl100
-rw-r--r--cluster/staging/app/core/secrets.toml5
-rw-r--r--cluster/staging/app/directory/deploy/directory.hcl133
-rw-r--r--cluster/staging/app/guichet/config/guichet/config.json.tpl (renamed from cluster/staging/app/directory/config/guichet/config.json.tpl)5
-rw-r--r--cluster/staging/app/guichet/deploy/guichet.hcl58
-rw-r--r--cluster/staging/app/guichet/secrets.toml (renamed from cluster/staging/app/directory/secrets.toml)52
9 files changed, 198 insertions, 161 deletions
diff --git a/cluster/prod/app/core/secrets.toml b/cluster/prod/app/core/secrets.toml
index 736c9dd..8a6a7f2 100644
--- a/cluster/prod/app/core/secrets.toml
+++ b/cluster/prod/app/core/secrets.toml
@@ -3,3 +3,7 @@ type = 'user'
description = 'LDAP base DN for everything'
example = 'dc=example,dc=com'
+[secrets."d53/gandi_api_key"]
+type = 'user'
+description = 'Gandi API key'
+
diff --git a/cluster/prod/app/guichet/deploy/directory.hcl b/cluster/prod/app/guichet/deploy/guichet.hcl
index 397602f..4b2ff28 100644
--- a/cluster/prod/app/guichet/deploy/directory.hcl
+++ b/cluster/prod/app/guichet/deploy/guichet.hcl
@@ -14,7 +14,7 @@ job "guichet" {
driver = "docker"
config {
image = "dxflrs/guichet:m1gzk1r00xp0kz566fwbpc87z7haq7xj"
- args = [ "server", "-config", "/etc/config.json" ]
+ args = [ "server", "-config", "/etc/config.json" ]
readonly_rootfs = true
ports = [ "web_port" ]
volumes = [
diff --git a/cluster/staging/app/directory/config/bottin/config.json.tpl b/cluster/staging/app/core/config/bottin/config.json.tpl
index 844f7b7..844f7b7 100644
--- a/cluster/staging/app/directory/config/bottin/config.json.tpl
+++ b/cluster/staging/app/core/config/bottin/config.json.tpl
diff --git a/cluster/staging/app/core/deploy/bottin.hcl b/cluster/staging/app/core/deploy/bottin.hcl
new file mode 100644
index 0000000..1481fa8
--- /dev/null
+++ b/cluster/staging/app/core/deploy/bottin.hcl
@@ -0,0 +1,100 @@
+job "core-bottin" {
+ datacenters = ["neptune", "jupiter", "corrin", "bespin"]
+ type = "system"
+ priority = 90
+
+ update {
+ max_parallel = 1
+ stagger = "1m"
+ }
+
+ group "bottin" {
+ constraint {
+ distinct_property = "${meta.site}"
+ value = "1"
+ }
+
+ network {
+ port "ldap_port" {
+ static = 389
+ to = 389
+ }
+ }
+
+ task "bottin" {
+ driver = "docker"
+ config {
+ image = "dxflrs/bottin:7h18i30cckckaahv87d3c86pn4a7q41z"
+ network_mode = "host"
+ readonly_rootfs = true
+ ports = [ "ldap_port" ]
+ volumes = [
+ "secrets/config.json:/config.json",
+ "secrets:/etc/bottin",
+ ]
+ }
+
+ restart {
+ interval = "5m"
+ attempts = 10
+ delay = "15s"
+ mode = "delay"
+ }
+
+ resources {
+ memory = 100
+ memory_max = 200
+ }
+
+ template {
+ data = file("../config/bottin/config.json.tpl")
+ destination = "secrets/config.json"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul.crt\" }}"
+ destination = "secrets/consul.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+ destination = "secrets/consul-client.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.key\" }}"
+ destination = "secrets/consul-client.key"
+ }
+
+ template {
+ data = <<EOH
+CONSUL_HTTP_ADDR=https://consul.service.staging.consul:8501
+CONSUL_HTTP_SSL=true
+CONSUL_CACERT=/etc/bottin/consul.crt
+CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
+CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ service {
+ tags = [ "${meta.site}" ]
+ port = "ldap_port"
+ address_mode = "host"
+ name = "bottin"
+ check {
+ type = "tcp"
+ port = "ldap_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/cluster/staging/app/core/secrets.toml b/cluster/staging/app/core/secrets.toml
index 8da8561..8a6a7f2 100644
--- a/cluster/staging/app/core/secrets.toml
+++ b/cluster/staging/app/core/secrets.toml
@@ -1,3 +1,8 @@
+[secrets."directory/ldap_base_dn"]
+type = 'user'
+description = 'LDAP base DN for everything'
+example = 'dc=example,dc=com'
+
[secrets."d53/gandi_api_key"]
type = 'user'
description = 'Gandi API key'
diff --git a/cluster/staging/app/directory/deploy/directory.hcl b/cluster/staging/app/directory/deploy/directory.hcl
deleted file mode 100644
index 534bf02..0000000
--- a/cluster/staging/app/directory/deploy/directory.hcl
+++ /dev/null
@@ -1,133 +0,0 @@
-job "directory" {
- datacenters = ["neptune", "jupiter", "corrin", "bespin"]
- type = "service"
- priority = 90
-
- constraint {
- attribute = "${attr.cpu.arch}"
- value = "amd64"
- }
-
- group "bottin" {
- count = 1
-
- network {
- port "ldap_port" {
- static = 389
- }
- }
-
- task "bottin" {
- driver = "nix2"
- config {
- packages = [
- "git+https://git.deuxfleurs.fr/Deuxfleurs/bottin.git?ref=main&rev=9cab98d2cee386ece54b000bbdf2346da8b55eed"
- ]
- command = "bottin"
- }
- user = "root" # needed to bind port 389
-
- resources {
- memory = 100
- }
-
- template {
- data = file("../config/bottin/config.json.tpl")
- destination = "config.json"
- }
-
- template {
- data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
- destination = "etc/bottin/consul-ca.crt"
- }
-
- template {
- data = "{{ key \"secrets/consul/consul-client.crt\" }}"
- destination = "etc/bottin/consul-client.crt"
- }
-
- template {
- data = "{{ key \"secrets/consul/consul-client.key\" }}"
- destination = "etc/bottin/consul-client.key"
- }
-
- template {
- data = <<EOH
-CONSUL_HTTP_ADDR=https://localhost:8501
-CONSUL_HTTP_SSL=true
-CONSUL_CACERT=/etc/bottin/consul-ca.crt
-CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
-CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
-EOH
- destination = "secrets/env"
- env = true
- }
-
- service {
- tags = ["bottin"]
- port = "ldap_port"
- name = "bottin"
- check {
- type = "tcp"
- port = "ldap_port"
- interval = "60s"
- timeout = "5s"
- check_restart {
- limit = 3
- grace = "90s"
- ignore_warnings = false
- }
- }
- }
- }
- }
-
- group "guichet" {
- count = 1
-
- network {
- port "web_port" { static = 9991 }
- }
-
- task "guichet" {
- driver = "nix2"
- config {
- packages = [
- "git+https://git.deuxfleurs.fr/Deuxfleurs/guichet.git?ref=main&rev=10bdee10cf6947ec6dd0ba5040d7274d6c3316a7"
- ]
- command = "guichet"
- }
-
- template {
- data = file("../config/guichet/config.json.tpl")
- destination = "config.json"
- }
-
- resources {
- memory = 200
- }
-
- service {
- name = "guichet"
- tags = [
- "guichet",
- "tricot guichet.staging.deuxfleurs.org",
- "d53-cname guichet.staging.deuxfleurs.org",
- ]
- port = "web_port"
- check {
- type = "tcp"
- port = "web_port"
- interval = "60s"
- timeout = "5s"
- check_restart {
- limit = 3
- grace = "90s"
- ignore_warnings = false
- }
- }
- }
- }
- }
-}
-
diff --git a/cluster/staging/app/directory/config/guichet/config.json.tpl b/cluster/staging/app/guichet/config/guichet/config.json.tpl
index cf01558..ea42c93 100644
--- a/cluster/staging/app/directory/config/guichet/config.json.tpl
+++ b/cluster/staging/app/guichet/config/guichet/config.json.tpl
@@ -1,12 +1,15 @@
{
"http_bind_addr": ":9991",
- "ldap_server_addr": "ldap://bottin.service.staging.consul:389",
+ "ldap_server_addr": "ldap://{{ env "meta.site" }}.bottin.service.staging.consul:389",
"base_dn": "{{ key "secrets/directory/ldap_base_dn" }}",
"user_base_dn": "ou=users,{{ key "secrets/directory/ldap_base_dn" }}",
"user_name_attr": "cn",
"group_base_dn": "ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
"group_name_attr": "cn",
+ "mailing_list_base_dn": "ou=mailing_lists,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
+ "mailing_list_name_attr": "cn",
+ "mailing_list_guest_user_base_dn": "ou=guests,ou=users,{{ key "secrets/directory/ldap_base_dn" }}",
"invitation_base_dn": "ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}",
"invitation_name_attr": "cn",
diff --git a/cluster/staging/app/guichet/deploy/guichet.hcl b/cluster/staging/app/guichet/deploy/guichet.hcl
new file mode 100644
index 0000000..27cbb70
--- /dev/null
+++ b/cluster/staging/app/guichet/deploy/guichet.hcl
@@ -0,0 +1,58 @@
+job "guichet" {
+ datacenters = ["neptune", "jupiter", "corrin", "bespin"]
+ type = "service"
+ priority = 90
+
+ group "guichet" {
+ count = 1
+
+ network {
+ port "web_port" { to = 9991 }
+ }
+
+ task "guichet" {
+ driver = "docker"
+ config {
+ image = "dxflrs/guichet:m1gzk1r00xp0kz566fwbpc87z7haq7xj"
+ args = [ "server", "-config", "/etc/config.json" ]
+ readonly_rootfs = true
+ ports = [ "web_port" ]
+ volumes = [
+ "secrets/config.json:/etc/config.json"
+ ]
+ }
+
+ template {
+ data = file("../config/guichet/config.json.tpl")
+ destination = "secrets/config.json"
+ }
+
+ resources {
+ memory = 200
+ }
+
+ service {
+ name = "guichet"
+ tags = [
+ "guichet",
+ "tricot guichet.staging.deuxfleurs.org",
+ "d53-cname guichet.staging.deuxfleurs.org",
+ ]
+ port = "web_port"
+ address_mode = "host"
+ check {
+ type = "tcp"
+ port = "web_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/cluster/staging/app/directory/secrets.toml b/cluster/staging/app/guichet/secrets.toml
index edde6cc..d614b27 100644
--- a/cluster/staging/app/directory/secrets.toml
+++ b/cluster/staging/app/guichet/secrets.toml
@@ -1,51 +1,51 @@
-[secrets."directory/ldap_base_dn"]
+# General configuration
+
+[secrets."directory/guichet/web_hostname"]
type = 'user'
-description = 'LDAP base DN for everything'
-example = 'dc=example,dc=com'
+description = 'Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)'
+
+
+# Mailing configuration
[secrets."directory/guichet/smtp_user"]
type = 'user'
description = 'SMTP username'
-[secrets."directory/guichet/s3_access_key"]
+[secrets."directory/guichet/smtp_pass"]
type = 'user'
-description = 'Garage access key for Guichet profile pictures'
+description = 'SMTP password'
-[secrets."directory/guichet/s3_endpoint"]
+[secrets."directory/guichet/smtp_server"]
type = 'user'
-description = 'S3 endpoint URL'
+description = 'SMTP server address (hostname:port)'
-[secrets."directory/guichet/s3_region"]
+[secrets."directory/guichet/mail_from"]
type = 'user'
-description = 'S3 region'
+description = 'E-mail address from which to send welcome emails to new users'
-[secrets."directory/guichet/smtp_pass"]
+[secrets."directory/guichet/mail_domain"]
type = 'user'
-description = 'SMTP password'
+description = 'E-mail domain for new users (e.g. example.com)'
-[secrets."directory/guichet/web_hostname"]
+
+# S3 configuration
+
+[secrets."directory/guichet/s3_endpoint"]
type = 'user'
-description = 'Public hostname from which Guichet is accessible via HTTP'
-example = 'guichet.example.com'
+description = 'S3 endpoint URL'
[secrets."directory/guichet/s3_bucket"]
type = 'user'
description = 'S3 bucket in which to store data files (such as profile pictures)'
-[secrets."directory/guichet/smtp_server"]
-type = 'user'
-description = 'SMTP server address (hostname:port)'
-
-[secrets."directory/guichet/s3_secret_key"]
+[secrets."directory/guichet/s3_region"]
type = 'user'
-description = 'Garage secret key for Guichet profile pictures'
+description = 'S3 region'
-[secrets."directory/guichet/mail_from"]
+[secrets."directory/guichet/s3_access_key"]
type = 'user'
-description = 'E-mail address from which to send welcome emails to new users'
+description = 'Garage access key for Guichet profile pictures'
-[secrets."directory/guichet/mail_domain"]
+[secrets."directory/guichet/s3_secret_key"]
type = 'user'
-description = 'E-mail domain for new users'
-example = 'example.com'
-
+description = 'Garage secret key for Guichet profile pictures'