authorAlex Auvolat <alex@adnab.me>2021-12-25 19:40:51 +0100
committerAlex Auvolat <alex@adnab.me>2021-12-25 19:40:51 +0100
commit60dc1b21a1fdbebae663790e1e07afe704758d61 (patch)
tree0d96ce82707c6e9caae59deadbdea245f6830e73
parente77254e97f16dfec41277e46ba3ddc7e2bd3d664 (diff)
Add hcl files in here for staging cluster
-rw-r--r--app/core/deploy/core.hcl50
-rw-r--r--app/dummy/deploy/dummy-nginx.hcl41
-rw-r--r--app/dummy/deploy/dummy-synapse.hcl48
-rw-r--r--app/frontend/deploy/frontend-tricot.hcl67
-rw-r--r--app/garage-staging/config/garage.toml23
-rw-r--r--app/garage-staging/deploy/garage.hcl130
-rw-r--r--app/garage-staging/secrets/garage-staging/rpc_secret1
l---------app/secretmgr.py1
-rw-r--r--configuration.nix9
9 files changed, 367 insertions, 3 deletions
diff --git a/app/core/deploy/core.hcl b/app/core/deploy/core.hcl
new file mode 100644
index 0000000..67a3e64
--- /dev/null
+++ b/app/core/deploy/core.hcl
@@ -0,0 +1,50 @@
+job "core" {
+ datacenters = ["dc1", "neptune"]
+ type = "system"
+ priority = 90
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ update {
+ max_parallel = 1
+ stagger = "1m"
+ }
+
+ group "network" {
+ task "diplonat" {
+ driver = "docker"
+
+ config {
+ image = "lxpz/amd64_diplonat:2"
+ network_mode = "host"
+ readonly_rootfs = true
+ privileged = true
+ }
+
+ restart {
+ interval = "30m"
+ attempts = 2
+ delay = "15s"
+ mode = "delay"
+ }
+
+ template {
+ data = <<EOH
+DIPLONAT_REFRESH_TIME=60
+DIPLONAT_EXPIRATION_TIME=300
+DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }}
+RUST_LOG=debug
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ resources {
+ memory = 40
+ }
+ }
+ }
+}
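Review bot: `privileged = true` in the `diplonat` task's `config` block, combined with `network_mode = "host"`, gives the container every capability and device access on each node this `system` job runs on, and `readonly_rootfs = true` does not limit that. If the task only needs to manage port mappings or firewall rules (an assumption; its requirements are not visible here), drop `privileged` and grant the narrowest set instead, e.g. `cap_add = ["net_admin"]`. Otherwise add a comment above the line stating which operation needs full privilege. `RUST_LOG=debug` is also worth lowering once the staging setup is stable.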
diff --git a/app/dummy/deploy/dummy-nginx.hcl b/app/dummy/deploy/dummy-nginx.hcl
new file mode 100644
index 0000000..6415010
--- /dev/null
+++ b/app/dummy/deploy/dummy-nginx.hcl
@@ -0,0 +1,41 @@
+job "dummy-nginx" {
+ datacenters = ["neptune"]
+ type = "service"
+
+ group "nginx" {
+ count = 1
+
+ constraint {
+ attribute = "${attr.unique.hostname}"
+ operator = "="
+ value = "carcajou"
+ }
+
+ network {
+ port "http" {
+ to = 80
+ }
+ }
+
+ task "nginx" {
+ driver = "docker"
+ config {
+ image = "nginx"
+ ports = [ "http" ]
+ }
+ }
+
+ service {
+ port = "http"
+ tags = [
+ "tricot home.adnab.me 100",
+ ]
+ check {
+ type = "http"
+ path = "/"
+ interval = "10s"
+ timeout = "2s"
+ }
+ }
+ }
+}
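Review bot: `image = "nginx"` has no tag, so each placement pulls whatever `latest` points to at that moment, and this container is published through the `tricot home.adnab.me 100` tag. Pin it, e.g. `image = "nginx:<version>@sha256:<digest>"` (placeholders), so that a redeploy is reproducible and an upstream image change cannot reach the host unreviewed. The other jobs in this commit (`core.hcl`, `dummy-synapse.hcl`, `frontend-tricot.hcl`, `garage.hcl`) do use tags, but tags are mutable, so a digest would close the same gap there. The task also has no `resources` block, unlike the other jobs.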
diff --git a/app/dummy/deploy/dummy-synapse.hcl b/app/dummy/deploy/dummy-synapse.hcl
new file mode 100644
index 0000000..2d54960
--- /dev/null
+++ b/app/dummy/deploy/dummy-synapse.hcl
@@ -0,0 +1,48 @@
+job "dummy-synapse" {
+ datacenters = ["neptune"]
+ type = "service"
+
+ group "synapse" {
+ count = 1
+
+ constraint {
+ attribute = "${attr.unique.hostname}"
+ operator = "="
+ value = "cariacou"
+ }
+
+ network {
+ port "http" {
+ to = 8008
+ }
+ }
+
+ task "synapse" {
+ driver = "docker"
+ config {
+ image = "matrixdotorg/synapse:v1.48.0"
+ ports = [ "http" ]
+ volumes = [
+ "/mnt/ssd/dummy-synapse:/data",
+ ]
+ }
+ }
+
+
+ service {
+ port = "http"
+ tags = [
+ "tricot matrix.home.adnab.me 100",
+ "tricot matrix.home.adnab.me:443 100",
+ "tricot matrix.home.adnab.me:8448 100",
+ "tricot-add-header Access-Control-Allow-Origin *",
+ ]
+ check {
+ type = "http"
+ path = "/"
+ interval = "10s"
+ timeout = "2s"
+ }
+ }
+ }
+}
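Review bot: The three `tricot matrix.home.adnab.me…` tags route every path of that host to the single Synapse listener on 8008, which would include the `/_synapse/admin` API unless the homeserver configuration under `/data` (not part of this diff) restricts it. Tricot rules can carry a path, as the `matrix.home.adnab.me/.well-known/matrix/server` tag in `garage.hcl` shows, so the rules could be narrowed to what clients and federation need, e.g. `"tricot matrix.home.adnab.me/_matrix 100"`. The bind mount `/mnt/ssd/dummy-synapse:/data` presumably holds the server's signing key and configuration; a comment saying so, and noting the expected ownership and mode of the host directory, would help the next operator.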
diff --git a/app/frontend/deploy/frontend-tricot.hcl b/app/frontend/deploy/frontend-tricot.hcl
new file mode 100644
index 0000000..d36cce7
--- /dev/null
+++ b/app/frontend/deploy/frontend-tricot.hcl
@@ -0,0 +1,67 @@
+job "frontend" {
+ datacenters = ["neptune"]
+ type = "service"
+ priority = 90
+
+ group "tricot" {
+ constraint {
+ attribute = "${attr.unique.hostname}"
+ operator = "="
+ value = "carcajou"
+ }
+
+ network {
+ port "http_port" { static = 80 }
+ port "https_port" { static = 443 }
+ port "admin_port" { static = 8082 }
+ }
+
+ task "server" {
+ driver = "docker"
+
+ config {
+ image = "lxpz/amd64_tricot:25"
+ network_mode = "host"
+ readonly_rootfs = true
+ ports = [ "http_port", "https_port", "admin_port" ]
+ }
+
+ resources {
+ cpu = 2000
+ memory = 200
+ }
+
+ restart {
+ interval = "30m"
+ attempts = 2
+ delay = "15s"
+ mode = "delay"
+ }
+
+ template {
+ data = <<EOH
+TRICOT_NODE_NAME={{ env "attr.unique.hostname" }}
+TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me
+TRICOT_ENABLE_COMPRESSION=true
+RUST_LOG=tricot=trace
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ service {
+ name = "tricot-http"
+ port = "http_port"
+ tags = [ "(diplonat (tcp_port 80))" ]
+ address_mode = "host"
+ }
+
+ service {
+ name = "tricot-https"
+ port = "https_port"
+ tags = [ "(diplonat (tcp_port 443))" ]
+ address_mode = "host"
+ }
+ }
+ }
+}
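Review bot: `port "admin_port" { static = 8082 }` reserves an admin listener on a task that runs with `network_mode = "host"`, and nothing in this file shows which interface it binds to or what it exposes. Unlike ports 80 and 443 it has no `service` block, so it is presumably meant to be internal; add a comment saying so and confirm it is bound to loopback or filtered by the host firewall. `RUST_LOG=tricot=trace` on the TLS-terminating proxy is likely to write request details to the logs, so `info` is a safer default outside debugging sessions.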
diff --git a/app/garage-staging/config/garage.toml b/app/garage-staging/config/garage.toml
new file mode 100644
index 0000000..fffcf0c
--- /dev/null
+++ b/app/garage-staging/config/garage.toml
@@ -0,0 +1,23 @@
+block_size = 1048576
+
+metadata_dir = "/meta"
+data_dir = "/data"
+
+replication_mode = "3"
+
+rpc_bind_addr = "0.0.0.0:3991"
+rpc_secret = "{{ key "secrets/garage-staging/rpc_secret" | trimSpace }}"
+
+consul_host = "localhost:8500"
+consul_service_name = "garage-staging-rpc-self-advertised"
+
+bootstrap_peers = []
+
+[s3_api]
+s3_region = "garage-staging"
+api_bind_addr = "0.0.0.0:3990"
+
+[s3_web]
+bind_addr = "0.0.0.0:3992"
+root_domain = ".garage-staging-web.home.adnab.me"
+index = "index.html"
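Review bot: `rpc_bind_addr`, `api_bind_addr` and `bind_addr` all listen on `0.0.0.0`, and the job in `garage.hcl` runs the container with `network_mode = "host"`, so the S3 API (3990), RPC (3991) and web (3992) ports are open on every interface of each node. The RPC port is guarded by `rpc_secret`, but the API and web endpoints are then reachable in cleartext without passing through tricot. If only the cluster-internal network needs them, bind to that address or document the firewall rule that restricts them. `replication_mode = "3"` and the empty `bootstrap_peers` would each benefit from a one-line comment.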
diff --git a/app/garage-staging/deploy/garage.hcl b/app/garage-staging/deploy/garage.hcl
new file mode 100644
index 0000000..21faffb
--- /dev/null
+++ b/app/garage-staging/deploy/garage.hcl
@@ -0,0 +1,130 @@
+job "garage-staging" {
+ type = "system"
+ datacenters = [ "neptune", "pluton" ]
+
+ priority = 80
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "garage-staging" {
+ network {
+ port "s3" { static = 3990 }
+ port "rpc" { static = 3991 }
+ port "web" { static = 3992 }
+ }
+
+ update {
+ max_parallel = 1
+ min_healthy_time = "30s"
+ healthy_deadline = "5m"
+ }
+
+ task "server" {
+ driver = "docker"
+
+ config {
+ image = "dxflrs/amd64_garage:v0.5-beta1"
+ command = "/garage"
+ args = [ "server" ]
+ network_mode = "host"
+ volumes = [
+ "/mnt/storage/garage-staging/data:/data",
+ "/mnt/ssd/garage-staging/meta:/meta",
+ "secrets/garage.toml:/etc/garage.toml",
+ ]
+ logging {
+ type = "journald"
+ }
+ }
+
+ template {
+ data = file("../config/garage.toml")
+ destination = "secrets/garage.toml"
+ }
+
+ resources {
+ memory = 1000
+ cpu = 1000
+ }
+
+ kill_signal = "SIGINT"
+ kill_timeout = "20s"
+
+ service {
+ tags = [
+ "garage-staging-api",
+ "tricot garage-staging.home.adnab.me",
+ ]
+ port = 3990
+ address_mode = "driver"
+ name = "garage-staging-api"
+ check {
+ type = "tcp"
+ port = 3990
+ address_mode = "driver"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ tags = ["garage-staging-rpc"]
+ port = 3991
+ address_mode = "driver"
+ name = "garage-staging-rpc"
+ check {
+ type = "tcp"
+ port = 3991
+ address_mode = "driver"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ tags = [
+ "garage-staging-web",
+ "tricot *.garage-staging-web.home.adnab.me",
+ "tricot matrix.home.adnab.me/.well-known/matrix/server",
+ "tricot rust-docs",
+ "tricot-add-header Access-Control-Allow-Origin *",
+ ]
+ port = 3992
+ address_mode = "driver"
+ name = "garage-staging-web"
+ check {
+ type = "tcp"
+ port = 3992
+ address_mode = "driver"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ restart {
+ interval = "30m"
+ attempts = 10
+ delay = "15s"
+ mode = "delay"
+ }
+ }
+ }
+}
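Review bot: The `garage-staging-web` service carries `tricot-add-header Access-Control-Allow-Origin *` next to several unrelated routes, including the wildcard `*.garage-staging-web.home.adnab.me` and `matrix.home.adnab.me/.well-known/matrix/server`. How tricot scopes the header is not visible here, but if it applies to every route of the service then every hosted site becomes readable cross-origin. A comment above the tag naming the route that needs it (presumably the Matrix well-known file) would make the intent checkable. The `network` block also declares the labels `s3`, `rpc` and `web`, while the services use the literal ports 3990–3992; a short comment on why the labels are not used would help.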
diff --git a/app/garage-staging/secrets/garage-staging/rpc_secret b/app/garage-staging/secrets/garage-staging/rpc_secret
new file mode 100644
index 0000000..d831d53
--- /dev/null
+++ b/app/garage-staging/secrets/garage-staging/rpc_secret
@@ -0,0 +1 @@
+CMD_ONCE openssl rand -hex 32
diff --git a/app/secretmgr.py b/app/secretmgr.py
new file mode 120000
index 0000000..3364b32
--- /dev/null
+++ b/app/secretmgr.py
@@ -0,0 +1 @@
+../../infrastructure/app/secretmgr.py
\ No newline at end of file
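Review bot: The symlink target `../../infrastructure/app/secretmgr.py` resolves outside this repository, so the script that handles the cluster's secrets is whatever happens to be checked out in a sibling `infrastructure` directory. That version is not recorded by this commit, and the link dangles on a machine without that checkout. Consider vendoring the script or adding it as a submodule pinned to a commit, and note the expected directory layout in the README.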
diff --git a/configuration.nix b/configuration.nix
index 89b9c2d..67b4ff5 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -87,13 +87,16 @@ in
time.timeZone = "Europe/Paris";
networking.extraHosts = ''
-192.168.1.21 cariacou
-192.168.1.22 carcajou
-192.168.1.23 caribou
+192.168.1.21 cariacou.lan
+192.168.1.22 carcajou.lan
+192.168.1.23 caribou.lan
192.168.1.23 binarycache
192.168.1.23 binarycache.home.adnab.me
10.42.0.1 hammerhead
10.42.0.2 spoutnik
+10.42.0.21 cariacou
+10.42.0.22 carcajou
+10.42.0.23 caribou
10.42.0.66 lindy
10.42.0.206 shiki
'';