author | Quentin Dufour <quentin@deuxfleurs.fr> | 2022-08-24 21:06:48 +0200 |
---|---|---|
committer | Quentin Dufour <quentin@deuxfleurs.fr> | 2022-08-24 21:06:48 +0200 |
commit | 3be2659aa19abfb7e676d33e9e7e1357c790a383 (patch) | |
tree | a1d267a07e86c0be0bdfff92a595ad865105053b /cluster/prod/app/core/deploy | |
parent | 243eee4322b8db098b89a13680b1dba2077498b3 (diff) | |
Make service addressable by zones
Diffstat (limited to 'cluster/prod/app/core/deploy')
-rw-r--r-- | cluster/prod/app/core/deploy/core.hcl | 173 |
1 files changed, 167 insertions, 6 deletions
diff --git a/cluster/prod/app/core/deploy/core.hcl b/cluster/prod/app/core/deploy/core.hcl
index 274cb5b..3625993 100644
--- a/cluster/prod/app/core/deploy/core.hcl
+++ b/cluster/prod/app/core/deploy/core.hcl
@@ -3,13 +3,8 @@ job "core" {
 type = "system"
 priority = 90
- constraint {
- attribute = "${attr.cpu.arch}"
- value = "amd64"
- }
-
 update {
- max_parallel = 1
+ max_parallel = 1
 stagger = "1m"
 }
@@ -69,4 +64,170 @@ EOH
 }
 }
 }
+
+ group "tricot" {
+ constraint {
+ distinct_property = "${meta.site}"
+ value = "1"
+ }
+
+ network {
+ port "http_port" { static = 80 }
+ port "https_port" { static = 443 }
+ }
+
+ task "server" {
+ driver = "docker"
+
+ config {
+ image = "lxpz/amd64_tricot:42"
+ network_mode = "host"
+ readonly_rootfs = true
+ ports = [ "http_port", "https_port" ]
+ volumes = [
+ "secrets:/etc/tricot",
+ ]
+ }
+
+ resources {
+ cpu = 2000
+ memory = 200
+ }
+
+ restart {
+ interval = "30m"
+ attempts = 2
+ delay = "15s"
+ mode = "delay"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
+ destination = "secrets/consul-ca.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+ destination = "secrets/consul-client.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.key\" }}"
+ destination = "secrets/consul-client.key"
+ }
+
+ template {
+ data = <<EOH
+TRICOT_NODE_NAME={{ env "attr.unique.consul.name" }}
+TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me
+TRICOT_ENABLE_COMPRESSION=true
+TRICOT_CONSUL_HOST=https://consul.service.prod.consul:8501
+TRICOT_CONSUL_TLS_SKIP_VERIFY=true
+TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt
+TRICOT_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key
+TRICOT_HTTP_BIND_ADDR=[::]:80
+TRICOT_HTTPS_BIND_ADDR=[::]:443
+RUST_LOG=tricot=debug
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ service {
+ name = "tricot-http"
+ port = "http_port"
+ tags = [ "(diplonat (tcp_port 80))", "${meta.site}" ]
+ address_mode = "host"
+ }
+
+ service {
+ name = "tricot-https"
+ port = "https_port"
+ tags = [ "(diplonat (tcp_port 443))", "${meta.site}" ]
+ address_mode = "host"
+ }
+ }
+ }
+
+ group "bottin" {
+ constraint {
+ distinct_property = "${meta.site}"
+ value = "1"
+ }
+
+ network {
+ port "ldap_port" {
+ static = 389
+ to = 389
+ }
+ }
+
+ task "bottin" {
+ driver = "docker"
+ config {
+ image = "superboum/bottin_amd64:22"
+ network_mode = "host"
+ readonly_rootfs = true
+ ports = [ "ldap_port" ]
+ volumes = [
+ "secrets/config.json:/config.json",
+ "secrets:/etc/bottin",
+ ]
+ }
+
+ resources {
+ memory = 100
+ }
+
+ template {
+ data = file("../config/bottin/config.json.tpl")
+ destination = "secrets/config.json"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul.crt\" }}"
+ destination = "secrets/consul.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+ destination = "secrets/consul-client.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.key\" }}"
+ destination = "secrets/consul-client.key"
+ }
+
+ template {
+ data = <<EOH
+CONSUL_HTTP_ADDR=https://consul.service.prod.consul:8501
+CONSUL_HTTP_SSL=true
+CONSUL_CACERT=/etc/bottin/consul.crt
+CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
+CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ service {
+ tags = [ "${meta.site}" ]
+ port = "ldap_port"
+ address_mode = "host"
+ name = "bottin"
+ check {
+ type = "tcp"
+ port = "ldap_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
 } |
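Review bot: The tricot env template sets `TRICOT_CONSUL_TLS_SKIP_VERIFY=true`, so the task presents `consul-client.crt` and `consul-client.key` to `consul.service.prod.consul:8501` without authenticating the server, even though the first template in the same task already renders the CA to `secrets/consul-ca.crt` (mounted as `/etc/tricot/consul-ca.crt`). The bottin task in this hunk does verify, via `CONSUL_CACERT=/etc/bottin/consul.crt`. I would drop the skip-verify line and point tricot at the rendered CA instead, e.g. `TRICOT_CONSUL_CA_CERT=/etc/tricot/consul-ca.crt` (variable name to be confirmed against the tricot build in `lxpz/amd64_tricot:42`); if verification has to stay off, a comment on that line giving the reason would make the exception deliberate. Separately, `RUST_LOG=tricot=debug` looks like a leftover for a production reverse proxy and is worth lowering to `info`. Both groups sit inside `job "core"`, which opens outside the hunk.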