diff options
author | Alex Auvolat <alex@adnab.me> | 2022-08-24 17:31:08 +0200 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2022-08-24 17:31:08 +0200 |
commit | cfb1d623d9711156a1195312afa5cebadc8a6697 (patch) | |
tree | 78acc1e564d2e0e053f9be21ac5b0ec29f48048e /cluster/prod | |
parent | a0c8280c02855fa2731d3f89df1dec0ae9627990 (diff) | |
download | nixcfg-cfb1d623d9711156a1195312afa5cebadc8a6697.tar.gz nixcfg-cfb1d623d9711156a1195312afa5cebadc8a6697.zip |
Reconfigure services to use correct tricot url, TLS fails
Diffstat (limited to 'cluster/prod')
-rw-r--r-- | cluster/prod/app/core/deploy/core.hcl | 8 | ||||
-rw-r--r-- | cluster/prod/app/directory/deploy/directory.hcl | 8 | ||||
-rw-r--r-- | cluster/prod/app/frontend/deploy/frontend-tricot.hcl (renamed from cluster/prod/app/frontend/deploy/frontend-tricot-prod.hcl) | 8 | ||||
-rw-r--r-- | cluster/prod/app/garage/config/garage.toml | 24 | ||||
-rw-r--r-- | cluster/prod/app/garage/deploy/garage.hcl | 131 | ||||
-rw-r--r-- | cluster/prod/app/garage/secrets/garage/rpc_secret | 1 |
6 files changed, 168 insertions, 12 deletions
diff --git a/cluster/prod/app/core/deploy/core.hcl b/cluster/prod/app/core/deploy/core.hcl index f57f21d..b87f15d 100644 --- a/cluster/prod/app/core/deploy/core.hcl +++ b/cluster/prod/app/core/deploy/core.hcl @@ -34,8 +34,8 @@ job "core" { } template { - data = "{{ key \"secrets/consul/consul-ca.crt\" }}" - destination = "secrets/consul-ca.crt" + data = "{{ key \"secrets/consul/consul.crt\" }}" + destination = "secrets/consul.crt" } template { @@ -53,8 +53,8 @@ job "core" { DIPLONAT_REFRESH_TIME=60 DIPLONAT_EXPIRATION_TIME=300 DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }} -DIPLONAT_CONSUL_URL=https://localhost:8501 -DIPLONAT_CONSUL_CA_CERT=/etc/diplonat/consul-ca.crt +DIPLONAT_CONSUL_URL=https://consul.service.prod.consul:8501 +DIPLONAT_CONSUL_CA_CERT=/etc/diplonat/consul.crt DIPLONAT_CONSUL_CLIENT_CERT=/etc/diplonat/consul-client.crt DIPLONAT_CONSUL_CLIENT_KEY=/etc/diplonat/consul-client.key RUST_LOG=debug diff --git a/cluster/prod/app/directory/deploy/directory.hcl b/cluster/prod/app/directory/deploy/directory.hcl index 89f5ebc..cd503fc 100644 --- a/cluster/prod/app/directory/deploy/directory.hcl +++ b/cluster/prod/app/directory/deploy/directory.hcl @@ -41,8 +41,8 @@ job "directory" { } template { - data = "{{ key \"secrets/consul/consul-ca.crt\" }}" - destination = "secrets/consul-ca.crt" + data = "{{ key \"secrets/consul/consul.crt\" }}" + destination = "secrets/consul.crt" } template { @@ -57,9 +57,9 @@ job "directory" { template { data = <<EOH -CONSUL_HTTP_ADDR=https://localhost:8501 +CONSUL_HTTP_ADDR=https://consul.service.prod.consul:8501 CONSUL_HTTP_SSL=true -CONSUL_CACERT=/etc/bottin/consul-ca.crt +CONSUL_CACERT=/etc/bottin/consul.crt CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key EOH diff --git a/cluster/prod/app/frontend/deploy/frontend-tricot-prod.hcl b/cluster/prod/app/frontend/deploy/frontend-tricot.hcl index 804345b..904e9fb 100644 --- a/cluster/prod/app/frontend/deploy/frontend-tricot-prod.hcl +++ b/cluster/prod/app/frontend/deploy/frontend-tricot.hcl @@ -41,8 +41,8 @@ job "frontend" { } template { - data = "{{ key \"secrets/consul/consul-ca.crt\" }}" - destination = "secrets/consul-ca.crt" + data = "{{ key \"secrets/consul/consul.crt\" }}" + destination = "secrets/consul.crt" } template { @@ -60,8 +60,8 @@ job "frontend" { TRICOT_NODE_NAME={{ env "attr.unique.consul.name" }} TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me TRICOT_ENABLE_COMPRESSION=true -TRICOT_CONSUL_HOST=https://localhost:8501 -TRICOT_CONSUL_CA_CERT=/etc/tricot/consul-ca.crt +TRICOT_CONSUL_HOST=https://consul.service.prod.consul:8501 +TRICOT_CONSUL_CA_CERT=/etc/tricot/consul.crt TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt TRICOT_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key TRICOT_HTTP_BIND_ADDR=[::]:80 diff --git a/cluster/prod/app/garage/config/garage.toml b/cluster/prod/app/garage/config/garage.toml new file mode 100644 index 0000000..a721886 --- /dev/null +++ b/cluster/prod/app/garage/config/garage.toml @@ -0,0 +1,24 @@ +block_size = 1048576 + +metadata_dir = "/meta" +data_dir = "/data" + +replication_mode = "3" + +rpc_bind_addr = "[::]:3901" +rpc_secret = "{{ key "secrets/garage/rpc_secret" | trimSpace }}" + +sled_cache_capacity = 536870912 +sled_sync_interval_ms = 10000 + +[s3_api] +s3_region = "garage" +api_bind_addr = "[::]:3900" +root_domain = ".garage.deuxfleurs.fr" + +[s3_web] +bind_addr = "[::]:3902" +root_domain = ".web.deuxfleurs.fr" + +[admin] +api_bind_addr = "[::1]:3903" diff --git a/cluster/prod/app/garage/deploy/garage.hcl b/cluster/prod/app/garage/deploy/garage.hcl new file mode 100644 index 0000000..8d4ee6a --- /dev/null +++ b/cluster/prod/app/garage/deploy/garage.hcl @@ -0,0 +1,131 @@ +job "garage" { + datacenters = ["neptune", "orion"] + type = "system" + priority = 80 + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "garage" { + network { + port "s3" { static = 3900 } + port "rpc" { static = 3901 } + port "web" { static = 3902 } + } + + update { + max_parallel = 1 + min_healthy_time = "30s" + healthy_deadline = "5m" + } + + task "server" { + driver = "docker" + config { + advertise_ipv6_address = true + image = "dxflrs/amd64_garage:v0.7.1" + command = "/garage" + args = [ "server" ] + network_mode = "host" + volumes = [ + "/mnt/storage/garage/data:/data", + "/mnt/ssd/garage/meta:/meta", + "secrets/garage.toml:/etc/garage.toml", + ] + logging { + type = "journald" + } + } + + template { + data = file("../config/garage.toml") + destination = "secrets/garage.toml" + } + + resources { + memory = 1500 + cpu = 1000 + } + + kill_signal = "SIGINT" + kill_timeout = "20s" + + service { + tags = [ + "garage_api", + "tricot garage.deuxfleurs.fr", + "tricot *.garage.deuxfleurs.fr", + ] + port = 3900 + address_mode = "driver" + name = "garage-api" + check { + type = "tcp" + port = 3900 + address_mode = "driver" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + tags = ["garage-rpc"] + port = 3901 + address_mode = "driver" + name = "garage-rpc" + check { + type = "tcp" + port = 3901 + address_mode = "driver" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + tags = [ + "garage-web", + "tricot * 1", + "tricot-add-header Content-Security-Policy default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://code.jquery.com/; frame-ancestors 'self'", + "tricot-add-header Strict-Transport-Security max-age=63072000; includeSubDomains; preload", + "tricot-add-header X-Frame-Options SAMEORIGIN", + "tricot-add-header X-XSS-Protection 1; mode=block", + ] + port = 3902 + address_mode = "driver" + name = "garage-web" + check { + type = "tcp" + port = 3902 + address_mode = "driver" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + restart { + interval = "30m" + attempts = 10 + delay = "15s" + mode = "delay" + } + } + } +} diff --git a/cluster/prod/app/garage/secrets/garage/rpc_secret b/cluster/prod/app/garage/secrets/garage/rpc_secret new file mode 100644 index 0000000..d831d53 --- /dev/null +++ b/cluster/prod/app/garage/secrets/garage/rpc_secret @@ -0,0 +1 @@ +CMD_ONCE openssl rand -hex 32 |