diff options
author | Alex Auvolat <alex@adnab.me> | 2022-08-24 17:31:08 +0200 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2022-08-24 17:31:08 +0200 |
commit | cfb1d623d9711156a1195312afa5cebadc8a6697 (patch) | |
tree | 78acc1e564d2e0e053f9be21ac5b0ec29f48048e /cluster/prod/app/garage | |
parent | a0c8280c02855fa2731d3f89df1dec0ae9627990 (diff) | |
download | nixcfg-cfb1d623d9711156a1195312afa5cebadc8a6697.tar.gz nixcfg-cfb1d623d9711156a1195312afa5cebadc8a6697.zip |
Reconfigure services to use correct tricot url, TLS fails
Diffstat (limited to 'cluster/prod/app/garage')
-rw-r--r-- | cluster/prod/app/garage/config/garage.toml | 24 | ||||
-rw-r--r-- | cluster/prod/app/garage/deploy/garage.hcl | 131 | ||||
-rw-r--r-- | cluster/prod/app/garage/secrets/garage/rpc_secret | 1 |
3 files changed, 156 insertions, 0 deletions
diff --git a/cluster/prod/app/garage/config/garage.toml b/cluster/prod/app/garage/config/garage.toml new file mode 100644 index 0000000..a721886 --- /dev/null +++ b/cluster/prod/app/garage/config/garage.toml @@ -0,0 +1,24 @@ +block_size = 1048576 + +metadata_dir = "/meta" +data_dir = "/data" + +replication_mode = "3" + +rpc_bind_addr = "[::]:3901" +rpc_secret = "{{ key "secrets/garage/rpc_secret" | trimSpace }}" + +sled_cache_capacity = 536870912 +sled_sync_interval_ms = 10000 + +[s3_api] +s3_region = "garage" +api_bind_addr = "[::]:3900" +root_domain = ".garage.deuxfleurs.fr" + +[s3_web] +bind_addr = "[::]:3902" +root_domain = ".web.deuxfleurs.fr" + +[admin] +api_bind_addr = "[::1]:3903" diff --git a/cluster/prod/app/garage/deploy/garage.hcl b/cluster/prod/app/garage/deploy/garage.hcl new file mode 100644 index 0000000..8d4ee6a --- /dev/null +++ b/cluster/prod/app/garage/deploy/garage.hcl @@ -0,0 +1,131 @@ +job "garage" { + datacenters = ["neptune", "orion"] + type = "system" + priority = 80 + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "garage" { + network { + port "s3" { static = 3900 } + port "rpc" { static = 3901 } + port "web" { static = 3902 } + } + + update { + max_parallel = 1 + min_healthy_time = "30s" + healthy_deadline = "5m" + } + + task "server" { + driver = "docker" + config { + advertise_ipv6_address = true + image = "dxflrs/amd64_garage:v0.7.1" + command = "/garage" + args = [ "server" ] + network_mode = "host" + volumes = [ + "/mnt/storage/garage/data:/data", + "/mnt/ssd/garage/meta:/meta", + "secrets/garage.toml:/etc/garage.toml", + ] + logging { + type = "journald" + } + } + + template { + data = file("../config/garage.toml") + destination = "secrets/garage.toml" + } + + resources { + memory = 1500 + cpu = 1000 + } + + kill_signal = "SIGINT" + kill_timeout = "20s" + + service { + tags = [ + "garage_api", + "tricot garage.deuxfleurs.fr", + "tricot *.garage.deuxfleurs.fr", + ] + port = 3900 + address_mode = "driver" + name = "garage-api" + check { + type = "tcp" + port = 3900 + address_mode = "driver" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + tags = ["garage-rpc"] + port = 3901 + address_mode = "driver" + name = "garage-rpc" + check { + type = "tcp" + port = 3901 + address_mode = "driver" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + tags = [ + "garage-web", + "tricot * 1", + "tricot-add-header Content-Security-Policy default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://code.jquery.com/; frame-ancestors 'self'", + "tricot-add-header Strict-Transport-Security max-age=63072000; includeSubDomains; preload", + "tricot-add-header X-Frame-Options SAMEORIGIN", + "tricot-add-header X-XSS-Protection 1; mode=block", + ] + port = 3902 + address_mode = "driver" + name = "garage-web" + check { + type = "tcp" + port = 3902 + address_mode = "driver" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + restart { + interval = "30m" + attempts = 10 + delay = "15s" + mode = "delay" + } + } + } +} diff --git a/cluster/prod/app/garage/secrets/garage/rpc_secret b/cluster/prod/app/garage/secrets/garage/rpc_secret new file mode 100644 index 0000000..d831d53 --- /dev/null +++ b/cluster/prod/app/garage/secrets/garage/rpc_secret @@ -0,0 +1 @@ +CMD_ONCE openssl rand -hex 32 |