authorAlex Auvolat <alex@adnab.me>2022-08-24 17:31:08 +0200
committerAlex Auvolat <alex@adnab.me>2022-08-24 17:31:08 +0200
commitcfb1d623d9711156a1195312afa5cebadc8a6697 (patch)
tree78acc1e564d2e0e053f9be21ac5b0ec29f48048e /cluster/prod/app/garage
parenta0c8280c02855fa2731d3f89df1dec0ae9627990 (diff)
Reconfigure services to use correct tricot url, TLS fails
Diffstat (limited to 'cluster/prod/app/garage')
-rw-r--r--cluster/prod/app/garage/config/garage.toml24
-rw-r--r--cluster/prod/app/garage/deploy/garage.hcl131
-rw-r--r--cluster/prod/app/garage/secrets/garage/rpc_secret1
3 files changed, 156 insertions, 0 deletions
diff --git a/cluster/prod/app/garage/config/garage.toml b/cluster/prod/app/garage/config/garage.toml
new file mode 100644
index 0000000..a721886
--- /dev/null
+++ b/cluster/prod/app/garage/config/garage.toml
@@ -0,0 +1,24 @@
+block_size = 1048576
+
+metadata_dir = "/meta"
+data_dir = "/data"
+
+replication_mode = "3"
+
+rpc_bind_addr = "[::]:3901"
+rpc_secret = "{{ key "secrets/garage/rpc_secret" | trimSpace }}"
+
+sled_cache_capacity = 536870912
+sled_sync_interval_ms = 10000
+
+[s3_api]
+s3_region = "garage"
+api_bind_addr = "[::]:3900"
+root_domain = ".garage.deuxfleurs.fr"
+
+[s3_web]
+bind_addr = "[::]:3902"
+root_domain = ".web.deuxfleurs.fr"
+
+[admin]
+api_bind_addr = "[::1]:3903"
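Review bot: The raw byte counts `block_size = 1048576` and `sled_cache_capacity = 536870912` (and `sled_sync_interval_ms = 10000`) are hard to read and carry no unit; write them with digit separators and a trailing unit comment, `block_size = 1_048_576  # bytes (1 MiB)` and `sled_cache_capacity = 536_870_912  # bytes (512 MiB)`. Separately, `rpc_bind_addr = "[::]:3901"` listens on every interface, so access to the inter-node RPC port rests entirely on the templated `rpc_secret`; a comment above that line such as `# RPC listens on all interfaces; rpc_secret (rendered from Consul KV) is the only authentication` would keep that assumption visible to whoever later edits the bind address. The `[admin]` section binds `[::1]:3903` without an `admin_token`; whether Garage v0.7.1 treats an absent token as "no authentication" for that listener I cannot confirm from this diff, so it is worth checking against that version's documentation and stating the outcome in a comment.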
diff --git a/cluster/prod/app/garage/deploy/garage.hcl b/cluster/prod/app/garage/deploy/garage.hcl
new file mode 100644
index 0000000..8d4ee6a
--- /dev/null
+++ b/cluster/prod/app/garage/deploy/garage.hcl
@@ -0,0 +1,131 @@
+job "garage" {
+ datacenters = ["neptune", "orion"]
+ type = "system"
+ priority = 80
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "garage" {
+ network {
+ port "s3" { static = 3900 }
+ port "rpc" { static = 3901 }
+ port "web" { static = 3902 }
+ }
+
+ update {
+ max_parallel = 1
+ min_healthy_time = "30s"
+ healthy_deadline = "5m"
+ }
+
+ task "server" {
+ driver = "docker"
+ config {
+ advertise_ipv6_address = true
+ image = "dxflrs/amd64_garage:v0.7.1"
+ command = "/garage"
+ args = [ "server" ]
+ network_mode = "host"
+ volumes = [
+ "/mnt/storage/garage/data:/data",
+ "/mnt/ssd/garage/meta:/meta",
+ "secrets/garage.toml:/etc/garage.toml",
+ ]
+ logging {
+ type = "journald"
+ }
+ }
+
+ template {
+ data = file("../config/garage.toml")
+ destination = "secrets/garage.toml"
+ }
+
+ resources {
+ memory = 1500
+ cpu = 1000
+ }
+
+ kill_signal = "SIGINT"
+ kill_timeout = "20s"
+
+ service {
+ tags = [
+ "garage_api",
+ "tricot garage.deuxfleurs.fr",
+ "tricot *.garage.deuxfleurs.fr",
+ ]
+ port = 3900
+ address_mode = "driver"
+ name = "garage-api"
+ check {
+ type = "tcp"
+ port = 3900
+ address_mode = "driver"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ tags = ["garage-rpc"]
+ port = 3901
+ address_mode = "driver"
+ name = "garage-rpc"
+ check {
+ type = "tcp"
+ port = 3901
+ address_mode = "driver"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ tags = [
+ "garage-web",
+ "tricot * 1",
+ "tricot-add-header Content-Security-Policy default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://code.jquery.com/; frame-ancestors 'self'",
+ "tricot-add-header Strict-Transport-Security max-age=63072000; includeSubDomains; preload",
+ "tricot-add-header X-Frame-Options SAMEORIGIN",
+ "tricot-add-header X-XSS-Protection 1; mode=block",
+ ]
+ port = 3902
+ address_mode = "driver"
+ name = "garage-web"
+ check {
+ type = "tcp"
+ port = 3902
+ address_mode = "driver"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ restart {
+ interval = "30m"
+ attempts = 10
+ delay = "15s"
+ mode = "delay"
+ }
+ }
+ }
+}
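Review bot: The `tricot-add-header X-XSS-Protection 1; mode=block` tag on the garage-web service enables a legacy browser filter that current browsers have removed and that, where still active, has been a source of content leaks; the usual recommendation now is `tricot-add-header X-XSS-Protection 0` or dropping the tag, since the Content-Security-Policy tag in the same list already covers the same ground. The image is pinned only by tag, `image = "dxflrs/amd64_garage:v0.7.1"`; a tag can be re-pushed, so pinning the digest as well (`dxflrs/amd64_garage:v0.7.1@sha256:<digest-placeholder>`) would make the deployed binary reproducible. `tricot * 1` is a catch-all route and nothing in the file says why it exists; a comment above it such as `# catch-all: any hostname not claimed by a more specific tricot rule (the trailing 1 is presumably the rule priority — confirm)` would help the next editor. The CSP's `'unsafe-inline'` in both default-src and script-src is a deliberate relaxation for arbitrary static sites, I assume; a one-line comment saying so would stop it being "tightened" by mistake.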
diff --git a/cluster/prod/app/garage/secrets/garage/rpc_secret b/cluster/prod/app/garage/secrets/garage/rpc_secret
new file mode 100644
index 0000000..d831d53
--- /dev/null
+++ b/cluster/prod/app/garage/secrets/garage/rpc_secret
@@ -0,0 +1 @@
+CMD_ONCE openssl rand -hex 32