-rw-r--r-- | cluster/prod/app/email/config/postfix/main.cf | 7 | ||||
-rw-r--r-- | cluster/prod/app/email/deploy/email.hcl | 23 | ||||
-rw-r--r-- | cluster/prod/app/guichet/deploy/guichet.hcl | 6 |
3 files changed, 33 insertions, 3 deletions
diff --git a/cluster/prod/app/email/config/postfix/main.cf b/cluster/prod/app/email/config/postfix/main.cf
index 5593716..ca9c87d 100644
--- a/cluster/prod/app/email/config/postfix/main.cf
+++ b/cluster/prod/app/email/config/postfix/main.cf
@@ -83,11 +83,14 @@
 smtpd_forbid_unauth_pipelining = yes
 smtpd_discard_ehlo_keywords = chunking
 smtpd_forbid_bare_newline = yes
-smtpd_client_connection_rate_limit = 2
-
 #===
 # Rate limiting
 #===
+smtpd_client_connection_rate_limit = 2
+# do not rate-limit ourselves
+# in particular, useful for forgejo who opens a lot of SMTP connections
+smtpd_client_event_limit_exceptions = $mynetworks /etc/postfix/rate-limit-exceptions
+
 slow_destination_recipient_limit = 20
 slow_destination_concurrency_limit = 2
diff --git a/cluster/prod/app/email/deploy/email.hcl b/cluster/prod/app/email/deploy/email.hcl
index 10e4d50..287cff3 100644
--- a/cluster/prod/app/email/deploy/email.hcl
+++ b/cluster/prod/app/email/deploy/email.hcl
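Review bot: The comment above `smtpd_client_event_limit_exceptions` in the main.cf hunk undersells what the line does: listed clients are exempted from every per-client smtpd count and rate limit (connections, messages, recipients), not only from the `smtpd_client_connection_rate_limit = 2` just above it. `$mynetworks` is already this parameter's default, so the effective change is the file, and every address in it becomes an unthrottled SMTP client if that machine or a service on it is compromised. I would state that in the comment, e.g. `# exempts these clients from ALL smtpd_client_*_limit controls; the file is rendered by the rate-limit-exceptions template in deploy/email.hcl`. The template in email.hcl writes to `secrets/postfix/rate-limit-exceptions`, and how that path maps to `/etc/postfix/rate-limit-exceptions` is not visible in this diff, so it is worth confirming the file is present at that path in the container.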
@@ -382,6 +382,29 @@ job "email" {
 destination = "secrets/postfix/transport"
 }
+ template {
+ # Collect machine IPs from the cluster.
+ # We use intermediate maps to ensure we get a sorted list with no duplicates,
+ # so that it is robust wrt. changes in the order of the output of ls or
+ # addition of new machines in an existing site.
+ # (scratch.MapValues returns the list of *values* in the map, sorted by *key*)
+ data = <<EOH
+ {{- range ls "diplonat/autodiscovery/ipv4" }}
+ {{- with $a := .Value | parseJSON }}
+ {{- scratch.MapSet "ipv4" $a.address $a.address }}
+ {{- end }}
+ {{- end -}}
+ {{- range ls "diplonat/autodiscovery/ipv6" }}
+ {{- with $a := .Value | parseJSON }}
+ {{- scratch.MapSet "ipv6" $a.address $a.address }}
+ {{- end }}
+ {{- end -}}
+ {{- range scratch.MapValues "ipv4" }}{{ . }} {{ end }}
+ {{- range scratch.MapValues "ipv6" }}[{{ . }}] {{ end }}
+ EOH
+ destination = "secrets/postfix/rate-limit-exceptions"
+ }
+
 # --- secrets ---
 template {
 data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
diff --git a/cluster/prod/app/guichet/deploy/guichet.hcl b/cluster/prod/app/guichet/deploy/guichet.hcl
index 17f8134..c1476e2 100644
--- a/cluster/prod/app/guichet/deploy/guichet.hcl
+++ b/cluster/prod/app/guichet/deploy/guichet.hcl
@@ -28,7 +28,11 @@ job "guichet" {
 }
 resources {
- memory = 200
+ # limite de mémoire un peu élevée par précaution.
+ # avec 200M, j'ai observé guichet se faire OOM-killed au moment
+ # où un nouvel utilisateur clique sur un lien d'invitation
+ # fraichement généré.
+ memory = 300
 }
 service {
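Review bot: The new `rate-limit-exceptions` template in email.hcl copies `$a.address` from every entry under `diplonat/autodiscovery/ipv4` and `diplonat/autodiscovery/ipv6` straight into a Postfix exemption list, with no check that the value is a single address. Whoever can write to that KV prefix therefore decides which clients bypass the SMTP per-client limits, and a value containing a space or a network block would add patterns that nobody reviewed. The block comment explains the sorting and de-duplication but not this trust assumption; I would add `# Trust: every address published under diplonat/autodiscovery/* is exempted from smtpd per-client limits; keep write access to that prefix restricted.` The block also sets no `change_mode`, so Nomad's default (restart on re-render) presumably applies and an address change on any machine would restart the mail task; confirm that is intended.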