author | Quentin Dufour <quentin@deuxfleurs.fr> | 2022-08-24 21:06:48 +0200 |
---|---|---|
committer | Quentin Dufour <quentin@deuxfleurs.fr> | 2022-08-24 21:06:48 +0200 |
commit | 3be2659aa19abfb7e676d33e9e7e1357c790a383 (patch) | |
tree | a1d267a07e86c0be0bdfff92a595ad865105053b /cluster/prod | |
parent | 243eee4322b8db098b89a13680b1dba2077498b3 (diff) | |
Make service addressable by zones
Diffstat (limited to 'cluster/prod')
-rw-r--r-- | cluster/prod/app/core/config/bottin/config.json.tpl (renamed from cluster/prod/app/directory/config/bottin/config.json.tpl) | 0 | ||||
-rw-r--r-- | cluster/prod/app/core/deploy/core.hcl | 173 | ||||
-rw-r--r-- | cluster/prod/app/core/secrets/directory/ldap_base_dn (renamed from cluster/prod/app/directory/secrets/directory/ldap_base_dn) | 0 | ||||
-rw-r--r-- | cluster/prod/app/directory/deploy/directory.hcl | 140 | ||||
-rw-r--r-- | cluster/prod/app/frontend/deploy/frontend-tricot.hcl | 90 | ||||
-rw-r--r-- | cluster/prod/app/guichet/config/guichet/config.json.tpl (renamed from cluster/prod/app/directory/config/guichet/config.json.tpl) | 2 | ||||
-rw-r--r-- | cluster/prod/app/guichet/deploy/directory.hcl | 56 | ||||
-rw-r--r-- | cluster/prod/app/guichet/secrets/directory/guichet/mail_domain (renamed from cluster/prod/app/directory/secrets/directory/guichet/mail_domain) | 0 | ||||
-rw-r--r-- | cluster/prod/app/guichet/secrets/directory/guichet/mail_from (renamed from cluster/prod/app/directory/secrets/directory/guichet/mail_from) | 0 | ||||
-rw-r--r-- | cluster/prod/app/guichet/secrets/directory/guichet/s3_access_key (renamed from cluster/prod/app/directory/secrets/directory/guichet/s3_access_key) | 0 | ||||
-rw-r--r-- | cluster/prod/app/guichet/secrets/directory/guichet/s3_bucket (renamed from cluster/prod/app/directory/secrets/directory/guichet/s3_bucket) | 0 | ||||
-rw-r--r-- | cluster/prod/app/guichet/secrets/directory/guichet/s3_endpoint (renamed from cluster/prod/app/directory/secrets/directory/guichet/s3_endpoint) | 0 | ||||
-rw-r--r-- | cluster/prod/app/guichet/secrets/directory/guichet/s3_region (renamed from cluster/prod/app/directory/secrets/directory/guichet/s3_region) | 0 | ||||
-rw-r--r-- | cluster/prod/app/guichet/secrets/directory/guichet/s3_secret_key (renamed from cluster/prod/app/directory/secrets/directory/guichet/s3_secret_key) | 0 | ||||
-rw-r--r-- | cluster/prod/app/guichet/secrets/directory/guichet/smtp_pass (renamed from cluster/prod/app/directory/secrets/directory/guichet/smtp_pass) | 0 | ||||
-rw-r--r-- | cluster/prod/app/guichet/secrets/directory/guichet/smtp_server (renamed from cluster/prod/app/directory/secrets/directory/guichet/smtp_server) | 0 | ||||
-rw-r--r-- | cluster/prod/app/guichet/secrets/directory/guichet/smtp_user (renamed from cluster/prod/app/directory/secrets/directory/guichet/smtp_user) | 0 | ||||
-rw-r--r-- | cluster/prod/app/guichet/secrets/directory/guichet/web_hostname (renamed from cluster/prod/app/directory/secrets/directory/guichet/web_hostname) | 0 | ||||
-rw-r--r-- | cluster/prod/app/plume/deploy/plume.hcl | 2 | ||||
-rw-r--r-- | cluster/prod/ssh_config | 12 |
20 files changed, 231 insertions, 244 deletions
diff --git a/cluster/prod/app/directory/config/bottin/config.json.tpl b/cluster/prod/app/core/config/bottin/config.json.tpl
index 844f7b7..844f7b7 100644
--- a/cluster/prod/app/directory/config/bottin/config.json.tpl
+++ b/cluster/prod/app/core/config/bottin/config.json.tpl
diff --git a/cluster/prod/app/core/deploy/core.hcl b/cluster/prod/app/core/deploy/core.hcl
index 274cb5b..3625993 100644
--- a/cluster/prod/app/core/deploy/core.hcl
+++ b/cluster/prod/app/core/deploy/core.hcl
@@ -3,13 +3,8 @@ job "core" {
 type = "system"
 priority = 90
- constraint {
- attribute = "${attr.cpu.arch}"
- value = "amd64"
- }
-
 update {
- max_parallel = 1
+ max_parallel = 1
 stagger = "1m"
 }
@@ -69,4 +64,170 @@ EOH
 }
 }
 }
+
+ group "tricot" {
+ constraint {
+ distinct_property = "${meta.site}"
+ value = "1"
+ }
+
+ network {
+ port "http_port" { static = 80 }
+ port "https_port" { static = 443 }
+ }
+
+ task "server" {
+ driver = "docker"
+
+ config {
+ image = "lxpz/amd64_tricot:42"
+ network_mode = "host"
+ readonly_rootfs = true
+ ports = [ "http_port", "https_port" ]
+ volumes = [
+ "secrets:/etc/tricot",
+ ]
+ }
+
+ resources {
+ cpu = 2000
+ memory = 200
+ }
+
+ restart {
+ interval = "30m"
+ attempts = 2
+ delay = "15s"
+ mode = "delay"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
+ destination = "secrets/consul-ca.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+ destination = "secrets/consul-client.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.key\" }}"
+ destination = "secrets/consul-client.key"
+ }
+
+ template {
+ data = <<EOH
+TRICOT_NODE_NAME={{ env "attr.unique.consul.name" }}
+TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me
+TRICOT_ENABLE_COMPRESSION=true
+TRICOT_CONSUL_HOST=https://consul.service.prod.consul:8501
+TRICOT_CONSUL_TLS_SKIP_VERIFY=true
+TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt
+TRICOT_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key
+TRICOT_HTTP_BIND_ADDR=[::]:80
+TRICOT_HTTPS_BIND_ADDR=[::]:443
+RUST_LOG=tricot=debug
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ service {
+ name = "tricot-http"
+ port = "http_port"
+ tags = [ "(diplonat (tcp_port 80))", "${meta.site}" ]
+ address_mode = "host"
+ }
+
+ service {
+ name = "tricot-https"
+ port = "https_port"
+ tags = [ "(diplonat (tcp_port 443))", "${meta.site}" ]
+ address_mode = "host"
+ }
+ }
+ }
+
+ group "bottin" {
+ constraint {
+ distinct_property = "${meta.site}"
+ value = "1"
+ }
+
+ network {
+ port "ldap_port" {
+ static = 389
+ to = 389
+ }
+ }
+
+ task "bottin" {
+ driver = "docker"
+ config {
+ image = "superboum/bottin_amd64:22"
+ network_mode = "host"
+ readonly_rootfs = true
+ ports = [ "ldap_port" ]
+ volumes = [
+ "secrets/config.json:/config.json",
+ "secrets:/etc/bottin",
+ ]
+ }
+
+ resources {
+ memory = 100
+ }
+
+ template {
+ data = file("../config/bottin/config.json.tpl")
+ destination = "secrets/config.json"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul.crt\" }}"
+ destination = "secrets/consul.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+ destination = "secrets/consul-client.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.key\" }}"
+ destination = "secrets/consul-client.key"
+ }
+
+ template {
+ data = <<EOH
+CONSUL_HTTP_ADDR=https://consul.service.prod.consul:8501
+CONSUL_HTTP_SSL=true
+CONSUL_CACERT=/etc/bottin/consul.crt
+CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
+CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ service {
+ tags = [ "${meta.site}" ]
+ port = "ldap_port"
+ address_mode = "host"
+ name = "bottin"
+ check {
+ type = "tcp"
+ port = "ldap_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
 }
diff --git a/cluster/prod/app/directory/secrets/directory/ldap_base_dn b/cluster/prod/app/core/secrets/directory/ldap_base_dn
index ea5c7ae..ea5c7ae 100644
--- a/cluster/prod/app/directory/secrets/directory/ldap_base_dn
+++ b/cluster/prod/app/core/secrets/directory/ldap_base_dn
diff --git a/cluster/prod/app/directory/deploy/directory.hcl b/cluster/prod/app/directory/deploy/directory.hcl
deleted file mode 100644
index cd503fc..0000000
--- a/cluster/prod/app/directory/deploy/directory.hcl
+++ /dev/null
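Review bot: In the tricot task of the second hunk, `secrets/consul/consul-ca.crt` is rendered into /etc/tricot but nothing references it, and the env template then sets `TRICOT_CONSUL_TLS_SKIP_VERIFY=true`, so the connection to consul.service.prod.consul:8501 presents a client certificate yet never verifies the server; the bottin task in the same hunk shows the intended pattern (`CONSUL_HTTP_SSL=true` with `CONSUL_CACERT=/etc/bottin/consul.crt`). Point tricot at the rendered /etc/tricot/consul-ca.crt through whichever CA option it supports and drop the skip-verify line, or remove the unused consul-ca.crt template so the file does not suggest verification that is not happening; this block was moved verbatim from frontend-tricot.hcl, so the setting predates this commit. Separately, the first hunk removes the `${attr.cpu.arch}` = `amd64` constraint from a `type = "system"` job whose images are `lxpz/amd64_tricot:42` and `superboum/bottin_amd64:22`; unless every node in the cluster is amd64, re-adding that constraint on the two new groups avoids system allocations that cannot start.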
@@ -1,140 +0,0 @@ -job "directory" { - datacenters = ["dc1", "neptune"] - type = "service" - priority = 90 - - constraint { - attribute = "${attr.cpu.arch}" - value = "amd64" - } - - group "bottin" { - count = 1 - - network { - port "ldap_port" { - static = 389 - to = 389 - } - } - - task "bottin" { - driver = "docker" - config { - image = "superboum/bottin_amd64:22" - network_mode = "host" - readonly_rootfs = true - ports = [ "ldap_port" ] - volumes = [ - "secrets/config.json:/config.json", - "secrets:/etc/bottin", - ] - } - - resources { - memory = 100 - } - - template { - data = file("../config/bottin/config.json.tpl") - destination = "secrets/config.json" - } - - template { - data = "{{ key \"secrets/consul/consul.crt\" }}" - destination = "secrets/consul.crt" - } - - template { - data = "{{ key \"secrets/consul/consul-client.crt\" }}" - destination = "secrets/consul-client.crt" - } - - template { - data = "{{ key \"secrets/consul/consul-client.key\" }}" - destination = "secrets/consul-client.key" - } - - template { - data = <<EOH -CONSUL_HTTP_ADDR=https://consul.service.prod.consul:8501 -CONSUL_HTTP_SSL=true -CONSUL_CACERT=/etc/bottin/consul.crt -CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt -CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key -EOH - destination = "secrets/env" - env = true - } - - service { - tags = ["bottin"] - port = "ldap_port" - address_mode = "host" - name = "bottin" - check { - type = "tcp" - port = "ldap_port" - interval = "60s" - timeout = "5s" - check_restart { - limit = 3 - grace = "90s" - ignore_warnings = false - } - } - } - } - } - - group "guichet" { - count = 1 - - network { - port "web_port" { to = 9991 } - } - - task "guichet" { - driver = "docker" - config { - image = "superboum/guichet_amd64:15" - readonly_rootfs = true - ports = [ "web_port" ] - volumes = [ - "secrets/config.json:/config.json" - ] - } - - template { - data = file("../config/guichet/config.json.tpl") - destination = "secrets/config.json" - } - - resources { 
- memory = 200 - } - - service { - name = "guichet" - tags = [ - "guichet", - "tricot guichet-new.deuxfleurs.fr", - ] - port = "web_port" - address_mode = "host" - check { - type = "tcp" - port = "web_port" - interval = "60s" - timeout = "5s" - check_restart { - limit = 3 - grace = "90s" - ignore_warnings = false - } - } - } - } - } -} - diff --git a/cluster/prod/app/frontend/deploy/frontend-tricot.hcl b/cluster/prod/app/frontend/deploy/frontend-tricot.hcl deleted file mode 100644 index fcc7c46..0000000 --- a/cluster/prod/app/frontend/deploy/frontend-tricot.hcl +++ /dev/null 
@@ -1,90 +0,0 @@ -job "frontend" { - datacenters = ["neptune"] - type = "service" - priority = 90 - - group "tricot" { - # Temporarily pin to single machine, remove this later - constraint { - attribute = "${attr.unique.hostname}" - value = "courgette" - } - - network { - port "http_port" { static = 80 } - port "https_port" { static = 443 } - } - - task "server" { - driver = "docker" - - config { - image = "lxpz/amd64_tricot:42" - network_mode = "host" - readonly_rootfs = true - ports = [ "http_port", "https_port" ] - volumes = [ - "secrets:/etc/tricot", - ] - } - - resources { - cpu = 2000 - memory = 200 - } - - restart { - interval = "30m" - attempts = 2 - delay = "15s" - mode = "delay" - } - - template { - data = "{{ key \"secrets/consul/consul-ca.crt\" }}" - destination = "secrets/consul-ca.crt" - } - - template { - data = "{{ key \"secrets/consul/consul-client.crt\" }}" - destination = "secrets/consul-client.crt" - } - - template { - data = "{{ key \"secrets/consul/consul-client.key\" }}" - destination = "secrets/consul-client.key" - } - - template { - data = <<EOH -TRICOT_NODE_NAME={{ env "attr.unique.consul.name" }} -TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me -TRICOT_ENABLE_COMPRESSION=true -TRICOT_CONSUL_HOST=https://consul.service.prod.consul:8501 -TRICOT_CONSUL_TLS_SKIP_VERIFY=true -TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt -TRICOT_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key -TRICOT_HTTP_BIND_ADDR=[::]:80 -TRICOT_HTTPS_BIND_ADDR=[::]:443 -RUST_LOG=tricot=debug -EOH - destination = "secrets/env" - env = true - } - - service { - name = "tricot-http" - port = "http_port" - tags = [ "(diplonat (tcp_port 80))" ] - address_mode = "host" - } - - service { - name = "tricot-https" - port = "https_port" - tags = [ "(diplonat (tcp_port 443))" ] - address_mode = "host" - } - } - } -} diff --git a/cluster/prod/app/directory/config/guichet/config.json.tpl b/cluster/prod/app/guichet/config/guichet/config.json.tpl index 1a843a8..ec0c201 100644 
--- a/cluster/prod/app/directory/config/guichet/config.json.tpl
+++ b/cluster/prod/app/guichet/config/guichet/config.json.tpl
@@ -1,6 +1,6 @@
 {
 "http_bind_addr": ":9991",
- "ldap_server_addr": "ldap://bottin.service.staging.consul:389",
+ "ldap_server_addr": "ldap://{{ env "meta.site" }}.bottin.service.prod.consul:389",
 "base_dn": "{{ key "secrets/directory/ldap_base_dn" }}",
 "user_base_dn": "ou=users,{{ key "secrets/directory/ldap_base_dn" }}",
diff --git a/cluster/prod/app/guichet/deploy/directory.hcl b/cluster/prod/app/guichet/deploy/directory.hcl
new file mode 100644
index 0000000..bfd7e6d
--- /dev/null
+++ b/cluster/prod/app/guichet/deploy/directory.hcl
@@ -0,0 +1,56 @@
+job "guichet" {
+ datacenters = [ "neptune" ]
+ type = "service"
+ priority = 90
+
+ group "guichet" {
+ count = 1
+
+ network {
+ port "web_port" { to = 9991 }
+ }
+
+ task "guichet" {
+ driver = "docker"
+ config {
+ image = "superboum/guichet_amd64:15"
+ readonly_rootfs = true
+ ports = [ "web_port" ]
+ volumes = [
+ "secrets/config.json:/config.json"
+ ]
+ }
+
+ template {
+ data = file("../config/guichet/config.json.tpl")
+ destination = "secrets/config.json"
+ }
+
+ resources {
+ memory = 200
+ }
+
+ service {
+ name = "guichet"
+ tags = [
+ "guichet",
+ "tricot guichet-new.deuxfleurs.fr",
+ ]
+ port = "web_port"
+ address_mode = "host"
+ check {
+ type = "tcp"
+ port = "web_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/cluster/prod/app/directory/secrets/directory/guichet/mail_domain b/cluster/prod/app/guichet/secrets/directory/guichet/mail_domain
index 5db1ba3..5db1ba3 100644
--- a/cluster/prod/app/directory/secrets/directory/guichet/mail_domain
+++ b/cluster/prod/app/guichet/secrets/directory/guichet/mail_domain
diff --git a/cluster/prod/app/directory/secrets/directory/guichet/mail_from b/cluster/prod/app/guichet/secrets/directory/guichet/mail_from
index 9075cbf..9075cbf 100644
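Review bot: The new `ldap_server_addr` only resolves if the `bottin` Consul service carries the node's `${meta.site}` value as a tag (it does, in core.hcl of this same commit) and if Nomad exposes node meta to the template through `env "meta.site"`; neither coupling is visible from this file, so a template comment would save the next reader a search: `{{/* <site>.bottin.service.prod.consul is a Consul tag lookup; the site tag is set on the bottin service in app/core/deploy/core.hcl */}}`. The old value pointed the prod guichet at `bottin.service.staging.consul`, so this line is a fix as well as a refactor and deserves a mention in the commit message. The address stays `ldap://` on 389, so user binds (passwords) cross the host network inside the site in cleartext; that predates this commit but is worth tracking now that the LDAP endpoint is selected per site.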
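Review bot: The new file is named `directory.hcl` but defines `job "guichet"`, while the sibling jobs follow `<app>/deploy/<app>.hcl` (`core/deploy/core.hcl`, `plume/deploy/plume.hcl`); naming it `guichet/deploy/guichet.hcl` keeps that convention and avoids confusion with the `directory/deploy/directory.hcl` this commit deletes. The job also pins `datacenters = [ "neptune" ]` while its LDAP backend is now chosen per site through `{{ env "meta.site" }}` in the config template; if running guichet in a single datacenter is intentional, a one-line comment such as `# guichet runs only in neptune; its bottin backend is resolved per site via meta.site` records the choice, and if not, the datacenter list should match wherever bottin is deployed.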
--- a/cluster/prod/app/directory/secrets/directory/guichet/mail_from
+++ b/cluster/prod/app/guichet/secrets/directory/guichet/mail_from
diff --git a/cluster/prod/app/directory/secrets/directory/guichet/s3_access_key b/cluster/prod/app/guichet/secrets/directory/guichet/s3_access_key
index e5b37ff..e5b37ff 100644
--- a/cluster/prod/app/directory/secrets/directory/guichet/s3_access_key
+++ b/cluster/prod/app/guichet/secrets/directory/guichet/s3_access_key
diff --git a/cluster/prod/app/directory/secrets/directory/guichet/s3_bucket b/cluster/prod/app/guichet/secrets/directory/guichet/s3_bucket
index cb059cf..cb059cf 100644
--- a/cluster/prod/app/directory/secrets/directory/guichet/s3_bucket
+++ b/cluster/prod/app/guichet/secrets/directory/guichet/s3_bucket
diff --git a/cluster/prod/app/directory/secrets/directory/guichet/s3_endpoint b/cluster/prod/app/guichet/secrets/directory/guichet/s3_endpoint
index b414269..b414269 100644
--- a/cluster/prod/app/directory/secrets/directory/guichet/s3_endpoint
+++ b/cluster/prod/app/guichet/secrets/directory/guichet/s3_endpoint
diff --git a/cluster/prod/app/directory/secrets/directory/guichet/s3_region b/cluster/prod/app/guichet/secrets/directory/guichet/s3_region
index ef16924..ef16924 100644
--- a/cluster/prod/app/directory/secrets/directory/guichet/s3_region
+++ b/cluster/prod/app/guichet/secrets/directory/guichet/s3_region
diff --git a/cluster/prod/app/directory/secrets/directory/guichet/s3_secret_key b/cluster/prod/app/guichet/secrets/directory/guichet/s3_secret_key
index f3e7f0f..f3e7f0f 100644
--- a/cluster/prod/app/directory/secrets/directory/guichet/s3_secret_key
+++ b/cluster/prod/app/guichet/secrets/directory/guichet/s3_secret_key
diff --git a/cluster/prod/app/directory/secrets/directory/guichet/smtp_pass b/cluster/prod/app/guichet/secrets/directory/guichet/smtp_pass
index fc9d1e3..fc9d1e3 100644
--- a/cluster/prod/app/directory/secrets/directory/guichet/smtp_pass
+++ b/cluster/prod/app/guichet/secrets/directory/guichet/smtp_pass
diff --git a/cluster/prod/app/directory/secrets/directory/guichet/smtp_server b/cluster/prod/app/guichet/secrets/directory/guichet/smtp_server
index c453935..c453935 100644
--- a/cluster/prod/app/directory/secrets/directory/guichet/smtp_server
+++ b/cluster/prod/app/guichet/secrets/directory/guichet/smtp_server
diff --git a/cluster/prod/app/directory/secrets/directory/guichet/smtp_user b/cluster/prod/app/guichet/secrets/directory/guichet/smtp_user
index c9c8bd0..c9c8bd0 100644
--- a/cluster/prod/app/directory/secrets/directory/guichet/smtp_user
+++ b/cluster/prod/app/guichet/secrets/directory/guichet/smtp_user
diff --git a/cluster/prod/app/directory/secrets/directory/guichet/web_hostname b/cluster/prod/app/guichet/secrets/directory/guichet/web_hostname
index afe2512..afe2512 100644
--- a/cluster/prod/app/directory/secrets/directory/guichet/web_hostname
+++ b/cluster/prod/app/guichet/secrets/directory/guichet/web_hostname
diff --git a/cluster/prod/app/plume/deploy/plume.hcl b/cluster/prod/app/plume/deploy/plume.hcl
index 266a665..3e9aa77 100644
--- a/cluster/prod/app/plume/deploy/plume.hcl
+++ b/cluster/prod/app/plume/deploy/plume.hcl
@@ -1,5 +1,5 @@
 job "plume-blog" {
- datacenters = ["dc1"]
+ datacenters = ["orion"]
 type = "service"
 constraint {
diff --git a/cluster/prod/ssh_config b/cluster/prod/ssh_config
index 068f209..afae310 100644
--- a/cluster/prod/ssh_config
+++ b/cluster/prod/ssh_config
@@ -1,16 +1,16 @@
 UserKnownHostsFile ./ssh_known_hosts
 Host concombre
- #HostName 2a06:a004:3025:1::31
- HostName 192.168.1.31
+ HostName 2a06:a004:3025:1::31
+ #HostName 192.168.1.31
 Host courgette
- #HostName 2a06:a004:3025:1::32
- HostName 192.168.1.32
+ HostName 2a06:a004:3025:1::32
+ #HostName 192.168.1.32
 Host celeri
- #HostName 2a06:a004:3025:1::33
- HostName 192.168.1.33
+ HostName 2a06:a004:3025:1::33
+ #HostName 192.168.1.33
 Host dahlia
 HostName dahlia.machine.deuxfleurs.fr |
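Review bot: Switching each `HostName` from the 192.168.1.x address to the 2a06:a004:3025:1::x address changes the name under which `UserKnownHostsFile ./ssh_known_hosts` looks up the host key, and this diff (limited to cluster/prod) shows no change to ssh_known_hosts; unless that file already carries entries keyed by the IPv6 addresses, the next connection to concombre, courgette or celeri will fall back to a first-use host-key prompt instead of matching the pinned key. Either add the IPv6-keyed entries in the same commit, or pin the key to the alias with `HostKeyAlias concombre` (and likewise for the other two hosts) so the known_hosts entry survives future address changes. The commented-out 192.168.1.x lines are fine to keep, but a short comment above the first host, `# IPv6 is the primary address; legacy IPv4 kept commented for fallback`, would explain why both are present.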