author | Alex Auvolat <alex@adnab.me> | 2021-12-25 19:40:51 +0100 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2021-12-25 19:40:51 +0100 |
commit | 60dc1b21a1fdbebae663790e1e07afe704758d61 (patch) | |
tree | 0d96ce82707c6e9caae59deadbdea245f6830e73 | |
parent | e77254e97f16dfec41277e46ba3ddc7e2bd3d664 (diff) | |
download | nixcfg-60dc1b21a1fdbebae663790e1e07afe704758d61.tar.gz nixcfg-60dc1b21a1fdbebae663790e1e07afe704758d61.zip |
Add hcl files in here for staging cluster
-rw-r--r-- | app/core/deploy/core.hcl | 50 | ||||
-rw-r--r-- | app/dummy/deploy/dummy-nginx.hcl | 41 | ||||
-rw-r--r-- | app/dummy/deploy/dummy-synapse.hcl | 48 | ||||
-rw-r--r-- | app/frontend/deploy/frontend-tricot.hcl | 67 | ||||
-rw-r--r-- | app/garage-staging/config/garage.toml | 23 | ||||
-rw-r--r-- | app/garage-staging/deploy/garage.hcl | 130 | ||||
-rw-r--r-- | app/garage-staging/secrets/garage-staging/rpc_secret | 1 | ||||
l--------- | app/secretmgr.py | 1 | ||||
-rw-r--r-- | configuration.nix | 9 |
9 files changed, 367 insertions, 3 deletions
diff --git a/app/core/deploy/core.hcl b/app/core/deploy/core.hcl
new file mode 100644
index 0000000..67a3e64
--- /dev/null
+++ b/app/core/deploy/core.hcl
@@ -0,0 +1,50 @@
+job "core" {
+ datacenters = ["dc1", "neptune"]
+ type = "system"
+ priority = 90
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ update {
+ max_parallel = 1
+ stagger = "1m"
+ }
+
+ group "network" {
+ task "diplonat" {
+ driver = "docker"
+
+ config {
+ image = "lxpz/amd64_diplonat:2"
+ network_mode = "host"
+ readonly_rootfs = true
+ privileged = true
+ }
+
+ restart {
+ interval = "30m"
+ attempts = 2
+ delay = "15s"
+ mode = "delay"
+ }
+
+ template {
+ data = <<EOH
+DIPLONAT_REFRESH_TIME=60
+DIPLONAT_EXPIRATION_TIME=300
+DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }}
+RUST_LOG=debug
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ resources {
+ memory = 40
+ }
+ }
+ }
+}
diff --git a/app/dummy/deploy/dummy-nginx.hcl b/app/dummy/deploy/dummy-nginx.hcl
new file mode 100644
index 0000000..6415010
--- /dev/null
+++ b/app/dummy/deploy/dummy-nginx.hcl
@@ -0,0 +1,41 @@
+job "dummy-nginx" {
+ datacenters = ["neptune"]
+ type = "service"
+
+ group "nginx" {
+ count = 1
+
+ constraint {
+ attribute = "${attr.unique.hostname}"
+ operator = "="
+ value = "carcajou"
+ }
+
+ network {
+ port "http" {
+ to = 80
+ }
+ }
+
+ task "nginx" {
+ driver = "docker"
+ config {
+ image = "nginx"
+ ports = [ "http" ]
+ }
+ }
+
+ service {
+ port = "http"
+ tags = [
+ "tricot home.adnab.me 100",
+ ]
+ check {
+ type = "http"
+ path = "/"
+ interval = "10s"
+ timeout = "2s"
+ }
+ }
+ }
+}
diff --git a/app/dummy/deploy/dummy-synapse.hcl b/app/dummy/deploy/dummy-synapse.hcl
new file mode 100644
index 0000000..2d54960
--- /dev/null
+++ b/app/dummy/deploy/dummy-synapse.hcl
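Review bot: `privileged = true` in the `diplonat` task's `config` block gives the container root-equivalent access to the host on every node this `system` job lands on, in addition to `network_mode = "host"`. If diplonat only needs to manage firewall rules and port mappings, a narrower grant such as `cap_add = ["NET_ADMIN"]` (permitted through the Docker plugin's `allow_caps`) would presumably be enough; that needs confirming against what the binary actually does. A comment above the line saying why the privilege is needed would help whoever audits this later, and `RUST_LOG=debug` could drop to `info` once staging is stable.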
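Review bot: `image = "nginx"` in the `nginx` task carries no tag, so each placement pulls whatever `latest` resolves to at that moment, and the service is published on `home.adnab.me` through its `tricot` tag. Pin it to a fixed tag or, better, a digest, for example `image = "nginx:<tag>@sha256:<digest>"` (placeholders). The other jobs in this commit pin by tag only (`lxpz/amd64_diplonat:2`, `matrixdotorg/synapse:v1.48.0`, `lxpz/amd64_tricot:25`, `dxflrs/amd64_garage:v0.5-beta1`); a digest would also protect those against a re-pushed tag. The task also has no `resources` block, so it runs with the scheduler's defaults.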
@@ -0,0 +1,48 @@
+job "dummy-synapse" {
+ datacenters = ["neptune"]
+ type = "service"
+
+ group "synapse" {
+ count = 1
+
+ constraint {
+ attribute = "${attr.unique.hostname}"
+ operator = "="
+ value = "cariacou"
+ }
+
+ network {
+ port "http" {
+ to = 8008
+ }
+ }
+
+ task "synapse" {
+ driver = "docker"
+ config {
+ image = "matrixdotorg/synapse:v1.48.0"
+ ports = [ "http" ]
+ volumes = [
+ "/mnt/ssd/dummy-synapse:/data",
+ ]
+ }
+ }
+
+
+ service {
+ port = "http"
+ tags = [
+ "tricot matrix.home.adnab.me 100",
+ "tricot matrix.home.adnab.me:443 100",
+ "tricot matrix.home.adnab.me:8448 100",
+ "tricot-add-header Access-Control-Allow-Origin *",
+ ]
+ check {
+ type = "http"
+ path = "/"
+ interval = "10s"
+ timeout = "2s"
+ }
+ }
+ }
+}
diff --git a/app/frontend/deploy/frontend-tricot.hcl b/app/frontend/deploy/frontend-tricot.hcl
new file mode 100644
index 0000000..d36cce7
--- /dev/null
+++ b/app/frontend/deploy/frontend-tricot.hcl
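Review bot: The three `tricot matrix.home.adnab.me…` tags in the `service` block route the whole hostname to Synapse's port 8008, which would also publish `/_synapse/admin` if that listener serves the client resource (the Synapse configuration is not part of this commit). The admin API is token-protected, but Synapse's reverse-proxy guidance is to forward only `/_matrix` and `/_synapse/client`. Tricot tags accept a path, as `tricot matrix.home.adnab.me/.well-known/matrix/server` in garage.hcl shows, so the routes could be narrowed, e.g. `"tricot matrix.home.adnab.me/_matrix 100"`; whether a path can be combined with the `:443` and `:8448` forms needs checking. The check's `path = "/"` could then become Synapse's `/health` endpoint.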
@@ -0,0 +1,67 @@
+job "frontend" {
+ datacenters = ["neptune"]
+ type = "service"
+ priority = 90
+
+ group "tricot" {
+ constraint {
+ attribute = "${attr.unique.hostname}"
+ operator = "="
+ value = "carcajou"
+ }
+
+ network {
+ port "http_port" { static = 80 }
+ port "https_port" { static = 443 }
+ port "admin_port" { static = 8082 }
+ }
+
+ task "server" {
+ driver = "docker"
+
+ config {
+ image = "lxpz/amd64_tricot:25"
+ network_mode = "host"
+ readonly_rootfs = true
+ ports = [ "http_port", "https_port", "admin_port" ]
+ }
+
+ resources {
+ cpu = 2000
+ memory = 200
+ }
+
+ restart {
+ interval = "30m"
+ attempts = 2
+ delay = "15s"
+ mode = "delay"
+ }
+
+ template {
+ data = <<EOH
+TRICOT_NODE_NAME={{ env "attr.unique.hostname" }}
+TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me
+TRICOT_ENABLE_COMPRESSION=true
+RUST_LOG=tricot=trace
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ service {
+ name = "tricot-http"
+ port = "http_port"
+ tags = [ "(diplonat (tcp_port 80))" ]
+ address_mode = "host"
+ }
+
+ service {
+ name = "tricot-https"
+ port = "https_port"
+ tags = [ "(diplonat (tcp_port 443))" ]
+ address_mode = "host"
+ }
+ }
+ }
+}
diff --git a/app/garage-staging/config/garage.toml b/app/garage-staging/config/garage.toml
new file mode 100644
index 0000000..fffcf0c
--- /dev/null
+++ b/app/garage-staging/config/garage.toml
@@ -0,0 +1,23 @@
+block_size = 1048576
+
+metadata_dir = "/meta"
+data_dir = "/data"
+
+replication_mode = "3"
+
+rpc_bind_addr = "0.0.0.0:3991"
+rpc_secret = "{{ key "secrets/garage-staging/rpc_secret" | trimSpace }}"
+
+consul_host = "localhost:8500"
+consul_service_name = "garage-staging-rpc-self-advertised"
+
+bootstrap_peers = []
+
+[s3_api]
+s3_region = "garage-staging"
+api_bind_addr = "0.0.0.0:3990"
+
+[s3_web]
+bind_addr = "0.0.0.0:3992"
+root_domain = ".garage-staging-web.home.adnab.me"
+index = "index.html"
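Review bot: `port "admin_port" { static = 8082 }` in the `network` block, combined with `network_mode = "host"`, puts tricot's admin listener directly on carcajou's interfaces, and nothing in this job limits which address it binds to or who may reach it. Unlike ports 80 and 443 it has no `diplonat` tag, so it is presumably not forwarded from the router, but it stays reachable from the LAN unless tricot binds it to loopback or the host firewall blocks it; that is worth confirming and recording in a comment next to the port. `RUST_LOG=tricot=trace` on the public-facing proxy is likely to log request details, so consider `info` outside debugging sessions.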
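Review bot: `rpc_bind_addr`, `api_bind_addr` and `bind_addr` all use `0.0.0.0`, and garage.hcl runs the task with `network_mode = "host"`, so the RPC, S3 and web listeners are open on every interface of each node. The RPC port is protected by `rpc_secret`, but restricting port 3991 to cluster peers with a host firewall rule, or binding it to the cluster-internal address (the `10.42.0.x` entries in configuration.nix appear to be that network), would reduce what a LAN neighbour can probe. A comment above `rpc_secret` stating that the value is read from the Consul KV path `secrets/garage-staging/rpc_secret`, and that read access to that path should be limited by ACL, would also help.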
diff --git a/app/garage-staging/deploy/garage.hcl b/app/garage-staging/deploy/garage.hcl
new file mode 100644
index 0000000..21faffb
--- /dev/null
+++ b/app/garage-staging/deploy/garage.hcl
@@ -0,0 +1,130 @@
+job "garage-staging" {
+ type = "system"
+ datacenters = [ "neptune", "pluton" ]
+
+ priority = 80
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "garage-staging" {
+ network {
+ port "s3" { static = 3990 }
+ port "rpc" { static = 3991 }
+ port "web" { static = 3992 }
+ }
+
+ update {
+ max_parallel = 1
+ min_healthy_time = "30s"
+ healthy_deadline = "5m"
+ }
+
+ task "server" {
+ driver = "docker"
+
+ config {
+ image = "dxflrs/amd64_garage:v0.5-beta1"
+ command = "/garage"
+ args = [ "server" ]
+ network_mode = "host"
+ volumes = [
+ "/mnt/storage/garage-staging/data:/data",
+ "/mnt/ssd/garage-staging/meta:/meta",
+ "secrets/garage.toml:/etc/garage.toml",
+ ]
+ logging {
+ type = "journald"
+ }
+ }
+
+ template {
+ data = file("../config/garage.toml")
+ destination = "secrets/garage.toml"
+ }
+
+ resources {
+ memory = 1000
+ cpu = 1000
+ }
+
+ kill_signal = "SIGINT"
+ kill_timeout = "20s"
+
+ service {
+ tags = [
+ "garage-staging-api",
+ "tricot garage-staging.home.adnab.me",
+ ]
+ port = 3990
+ address_mode = "driver"
+ name = "garage-staging-api"
+ check {
+ type = "tcp"
+ port = 3990
+ address_mode = "driver"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ tags = ["garage-staging-rpc"]
+ port = 3991
+ address_mode = "driver"
+ name = "garage-staging-rpc"
+ check {
+ type = "tcp"
+ port = 3991
+ address_mode = "driver"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ tags = [
+ "garage-staging-web",
+ "tricot *.garage-staging-web.home.adnab.me",
+ "tricot matrix.home.adnab.me/.well-known/matrix/server",
+ "tricot rust-docs",
+ "tricot-add-header Access-Control-Allow-Origin *",
+ ]
+ port = 3992
+ address_mode = "driver"
+ name = "garage-staging-web"
+ check {
+ type = "tcp"
+ port = 3992
+ address_mode = "driver"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ restart {
+ interval = "30m"
+ attempts = 10
+ delay = "15s"
+ mode = "delay"
+ }
+ }
+ }
+}
diff --git a/app/garage-staging/secrets/garage-staging/rpc_secret b/app/garage-staging/secrets/garage-staging/rpc_secret
new file mode 100644
index 0000000..d831d53
--- /dev/null
+++ b/app/garage-staging/secrets/garage-staging/rpc_secret
@@ -0,0 +1 @@
+CMD_ONCE openssl rand -hex 32
diff --git a/app/secretmgr.py b/app/secretmgr.py
new file mode 120000
index 0000000..3364b32
--- /dev/null
+++ b/app/secretmgr.py
@@ -0,0 +1 @@
+../../infrastructure/app/secretmgr.py
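Review bot: The `server` task's `config` block in garage.hcl omits `readonly_rootfs = true`, which the diplonat and tricot tasks added in this same commit both set. Garage's state goes to the `/data` and `/meta` bind mounts and its configuration is mounted from `secrets/garage.toml`, so a read-only root filesystem looks feasible here and is worth testing: `readonly_rootfs = true` next to `network_mode = "host"`. The web `service` also attaches `tricot-add-header Access-Control-Allow-Origin *` to every route it lists, including `tricot rust-docs`; a short comment saying which of those routes needs the wildcard would make the intent auditable.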
\ No newline at end of file diff --git a/configuration.nix b/configuration.nix index 89b9c2d..67b4ff5 100644 --- a/configuration.nix +++ b/configuration.nix @@ -87,13 +87,16 @@ in time.timeZone = "Europe/Paris"; networking.extraHosts = '' -192.168.1.21 cariacou -192.168.1.22 carcajou -192.168.1.23 caribou +192.168.1.21 cariacou.lan +192.168.1.22 carcajou.lan +192.168.1.23 caribou.lan 192.168.1.23 binarycache 192.168.1.23 binarycache.home.adnab.me 10.42.0.1 hammerhead 10.42.0.2 spoutnik +10.42.0.21 cariacou +10.42.0.22 carcajou +10.42.0.23 caribou 10.42.0.66 lindy 10.42.0.206 shiki ''; |
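Review bot: The symlink added at `app/secretmgr.py` points to `../../infrastructure/app/secretmgr.py`, which resolves outside this repository, so the script that presumably processes entries such as `CMD_ONCE openssl rand -hex 32` is whatever happens to be checked out beside it, and a fresh clone gets a dangling link. Since that tool handles secret material, consider vendoring it or referencing the other repository as a git submodule pinned to a commit, so that the version used with these deploy files is recorded and reviewable.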