prod: garage: Enable on-demand-tls check for *.garage S3 endpoint

We were hitting Let's Encrypt rate limits because we were generating thousands of non-sense certificates like "foo.bar.baz.garage.deuxfleurs.fr" See https://crt.sh Subdomains of garage.deuxfleurs.fr only make sense when accessing buckets through S3 with vhost-style, so let's enable the on-demand-tls check to make sure that the bucket exists in Garage. In the long term, we might want to have a wildcard certificate for this usage, or simply stop supporting vhost-style S3 access.
author: Baptiste Jonglez <git@bitsofnetworks.org> 2024-06-08 17:14:44 +0200
committer: Baptiste Jonglez <git@bitsofnetworks.org> 2024-06-08 17:14:48 +0200
commit: 7e88a88e04db20b0c5552742dae78ae50d3f4318 (patch)
tree: 7d2d9af8e58a8a2195e66fb1973a93ca1d9154f6 /cluster/prod/app
parent: 9fc22d72d44e3c987bb9fa589fde8af1626cb98f (diff)
download: nixcfg-7e88a88e04db20b0c5552742dae78ae50d3f4318.tar.gz
nixcfg-7e88a88e04db20b0c5552742dae78ae50d3f4318.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/cluster/prod/app/garage/deploy/garage.hcl b/cluster/prod/app/garage/deploy/garage.hcl
index aad5c9b..68edc94 100644
--- a/cluster/prod/app/garage/deploy/garage.hcl
+++ b/cluster/prod/app/garage/deploy/garage.hcl
@@ -104,6 +104,7 @@ job "garage" {
           "garage_api",
           "tricot garage.deuxfleurs.fr",
           "tricot *.garage.deuxfleurs.fr",
+          "tricot-on-demand-tls-ask http://garage-admin.service.prod.consul:3903/check",
           "tricot-site-lb",
         ]
         port = "s3"
author	Baptiste Jonglez <git@bitsofnetworks.org>	2024-06-08 17:14:44 +0200
committer	Baptiste Jonglez <git@bitsofnetworks.org>	2024-06-08 17:14:48 +0200
commit	7e88a88e04db20b0c5552742dae78ae50d3f4318 (patch)
tree	7d2d9af8e58a8a2195e66fb1973a93ca1d9154f6 /cluster/prod/app
parent	9fc22d72d44e3c987bb9fa589fde8af1626cb98f (diff)
download	nixcfg-7e88a88e04db20b0c5552742dae78ae50d3f4318.tar.gz nixcfg-7e88a88e04db20b0c5552742dae78ae50d3f4318.zip