-rw-r--r--README.md20
-rw-r--r--cluster/prod/app/bagage/deploy/bagage.hcl86
-rw-r--r--cluster/prod/app/bagage/secrets.toml4
-rw-r--r--cluster/prod/app/core/deploy/core-system.hcl6
-rw-r--r--cluster/prod/app/email/config/dkim/signingtable1
-rw-r--r--cluster/prod/app/email/deploy/email.hcl8
-rw-r--r--cluster/prod/app/guichet/config/guichet/config.json.tpl3
-rw-r--r--cluster/prod/app/guichet/deploy/directory.hcl2
-rw-r--r--cluster/prod/app/matrix/deploy/im.hcl3
-rw-r--r--cluster/prod/app/postgres/deploy/postgres.hcl9
-rw-r--r--cluster/prod/app/telemetry/deploy/telemetry-service.hcl9
-rw-r--r--cluster/staging/app/ci/deploy/albatros.hcl2
12 files changed, 131 insertions, 22 deletions
diff --git a/README.md b/README.md
index 3527dbb..bf53a1c 100644
--- a/README.md
+++ b/README.md
@@ -15,18 +15,26 @@ Our first abstraction level is the NixOS level, which installs a bunch of standa
Then, inside our Nomad+Consul orchestrator, we deploy a number of base services:
- * **[Garage](https://git.deuxfleurs.fr/Deuxfleurs/garage/):** S3-compatible lightweight object store for self-hosted geo-distributed deployments (we also have a legacy glusterfs cluster)
- * **[DiploNAT](https://git.deuxfleurs.fr/Deuxfleurs/diplonat):** network automation (firewalling, upnp igd)
- * **[Bottin](https://git.deuxfleurs.fr/Deuxfleurs/bottin):** authentication and authorization (LDAP protocol, consul backend)
- * **[Guichet](https://git.deuxfleurs.fr/Deuxfleurs/guichet):** a dashboard for our users and administrators
- * **Stolon + PostgreSQL:** distributed relational database
- * **Prometheus + Grafana:** monitoring
+ * Data management
+ * **[Garage](https://git.deuxfleurs.fr/Deuxfleurs/garage/):** S3-compatible lightweight object store for self-hosted geo-distributed deployments
+ * **Stolon + PostgreSQL:** distributed relational database
+ * Network Control Plane
+ * **[DiploNAT](https://git.deuxfleurs.fr/Deuxfleurs/diplonat):** - network automation (firewalling, upnp igd)
+ * **[D53](https://git.deuxfleurs.fr/lx/d53)** - update DNS entries (A and AAAA) dynamically based on Nomad service scheduling and local node info
+ * **[Tricot](https://git.deuxfleurs.fr/Deuxfleurs/tricot)** - a dynamic reverse proxy for nomad+consul inspired by traefik
+ * **[wgautomesh](https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh)** - a dynamic wireguard mesh configurator
+ * User Management
+ * **[Bottin](https://git.deuxfleurs.fr/Deuxfleurs/bottin):** authentication and authorization (LDAP protocol, consul backend)
+ * **[Guichet](https://git.deuxfleurs.fr/Deuxfleurs/guichet):** a dashboard for our users and administrators7
+ * Observability
+ * **Prometheus + Grafana:** monitoring
Some services we provide based on this abstraction:
* **Websites:** Garage (static) + fediverse blog (Plume)
* **Chat:** Synapse + Element Web (Matrix protocol)
* **Email:** Postfix SMTP + Dovecot IMAP + opendkim DKIM + Sogo webmail | Alps webmail (experimental)
+ - **[Aerogramme](https://git.deuxfleurs.fr/Deuxfleurs/aerogramme/):** an encrypted IMAP server
* **Visioconference:** Jitsi
* **Collaboration:** CryptPad
diff --git a/cluster/prod/app/bagage/deploy/bagage.hcl b/cluster/prod/app/bagage/deploy/bagage.hcl
new file mode 100644
index 0000000..c9b7781
--- /dev/null
+++ b/cluster/prod/app/bagage/deploy/bagage.hcl
@@ -0,0 +1,86 @@
+job "bagage" {
+ datacenters = ["orion", "neptune"]
+ type = "service"
+ priority = 90
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "main" {
+ count = 1
+
+ network {
+ port "web_port" {
+ static = 8080
+ to = 8080
+ }
+ port "ssh_port" {
+ static = 2222
+ to = 2222
+ }
+ }
+
+ task "server" {
+ driver = "docker"
+ config {
+ image = "superboum/amd64_bagage:v11"
+ readonly_rootfs = false
+ network_mode = "host"
+ volumes = [
+ "secrets/id_rsa:/id_rsa"
+ ]
+ ports = [ "web_port", "ssh_port" ]
+ }
+
+ env {
+ BAGAGE_LDAP_ENDPOINT = "bottin.service.prod.consul:389"
+ }
+
+ resources {
+ memory = 200
+ cpu = 100
+ }
+
+ template {
+ data = "{{ key \"secrets/bagage/id_rsa\" }}"
+ destination = "secrets/id_rsa"
+ }
+
+ service {
+ name = "bagage-ssh"
+ port = "ssh_port"
+ address_mode = "host"
+ tags = [
+ "bagage",
+ "(diplonat (tcp_port 2222))"
+ ]
+ }
+
+ service {
+ name = "bagage-webdav"
+ tags = [
+ "bagage",
+ "tricot bagage.deuxfleurs.fr",
+ "d53-cname bagage.deuxfleurs.fr",
+ ]
+ port = "web_port"
+ address_mode = "host"
+ check {
+ type = "tcp"
+ port = "web_port"
+ address_mode = "host"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
+
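Review bot: `readonly_rootfs = false` on the `server` task is the only writable root filesystem among the tasks this commit touches (core-system.hcl and directory.hcl keep `readonly_rootfs = true`) and the job gives no reason for it; if bagage needs a writable path, a comment such as `# bagage writes to <path> at runtime — TODO confirm` or a scoped mount would document that. The `template` stanza that renders `secrets/id_rsa` sets no `perms`, so the private key is written with Nomad's default file mode; `perms = "0600"` keeps it readable by the task user only. The `bagage-ssh` service, whose diplonat tag requests TCP 2222, has no `check` block while `bagage-webdav` has one, so a hung SSH listener would keep being advertised.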
diff --git a/cluster/prod/app/bagage/secrets.toml b/cluster/prod/app/bagage/secrets.toml
new file mode 100644
index 0000000..71b760a
--- /dev/null
+++ b/cluster/prod/app/bagage/secrets.toml
@@ -0,0 +1,4 @@
+[secrets."bagage/id_rsa"]
+type = 'command'
+rotate = true
+command = 'ssh-keygen -q -f >(cat) -N "" <<< y 2>/dev/null 1>&2 ; true'
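Review bot: The trailing `; true` in `command` makes the generator report success even when `ssh-keygen` is missing or fails, so an empty value would be stored under `bagage/id_rsa` with no error surfacing, since both output streams are discarded; presumably it is there because `ssh-keygen` also tries to write a `.pub` file next to `>(cat)` and fails, but it hides real failures too. Generating into a temporary directory avoids both, e.g. `command = 'd=$(mktemp -d) && ssh-keygen -q -f "$d/key" -N "" >/dev/null 2>&1 && cat "$d/key" && rm -rf "$d"'` (process substitution and `<<<` are bash-only, which is worth stating beside the entry if the original form is kept). With `rotate = true`, if this is the SSH host key that bagage.hcl mounts as `/id_rsa`, every rotation changes the host key clients have pinned in known_hosts — confirm that is intended.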
diff --git a/cluster/prod/app/core/deploy/core-system.hcl b/cluster/prod/app/core/deploy/core-system.hcl
index 03886b4..004a2ef 100644
--- a/cluster/prod/app/core/deploy/core-system.hcl
+++ b/cluster/prod/app/core/deploy/core-system.hcl
@@ -1,5 +1,5 @@
job "core" {
- datacenters = ["orion", "neptune", "bespin", "scorpio"]
+ datacenters = ["orion", "neptune", "scorpio"]
type = "system"
priority = 90
@@ -13,7 +13,7 @@ job "core" {
driver = "docker"
config {
- image = "lxpz/amd64_diplonat:4"
+ image = "lxpz/amd64_diplonat:5"
network_mode = "host"
readonly_rootfs = true
privileged = true
@@ -181,7 +181,7 @@ EOH
task "bottin" {
driver = "docker"
config {
- image = "superboum/bottin_amd64:22"
+ image = "dxflrs/bottin:7h18i30cckckaahv87d3c86pn4a7q41z"
network_mode = "host"
readonly_rootfs = true
ports = [ "ldap_port" ]
diff --git a/cluster/prod/app/email/config/dkim/signingtable b/cluster/prod/app/email/config/dkim/signingtable
index 60d66ff..8ed56d4 100644
--- a/cluster/prod/app/email/config/dkim/signingtable
+++ b/cluster/prod/app/email/config/dkim/signingtable
@@ -1,2 +1,3 @@
*@deuxfleurs.fr smtp._domainkey.deuxfleurs.fr
*@dufour.io smtp._domainkey.deuxfleurs.fr
+*@luxeylab.net smtp._domainkey.deuxfleurs.fr
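Review bot: The new `*@luxeylab.net` entry signs with `smtp._domainkey.deuxfleurs.fr`, so mail from that domain carries a DKIM signature whose `d=` is deuxfleurs.fr (assuming the KeyTable entry uses that domain, as the existing `dufour.io` line already does), which is not DMARC-aligned with a luxeylab.net From: header. If luxeylab.net publishes a DMARC policy, such messages can pass DMARC only through SPF; a per-domain entry such as `*@luxeylab.net smtp._domainkey.luxeylab.net`, with a matching KeyTable entry and DNS record, yields aligned signatures. A one-line comment in this file noting which domains are deliberately signed cross-domain would make the trade-off explicit.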
diff --git a/cluster/prod/app/email/deploy/email.hcl b/cluster/prod/app/email/deploy/email.hcl
index 9fb249a..f4539ae 100644
--- a/cluster/prod/app/email/deploy/email.hcl
+++ b/cluster/prod/app/email/deploy/email.hcl
@@ -63,7 +63,6 @@ job "email" {
port = "imap_port"
tags = [
"dovecot",
- "d53-a imap.deuxfleurs.fr",
]
check {
type = "tcp"
@@ -83,7 +82,9 @@ job "email" {
port = "imaps_port"
tags = [
"dovecot",
- "(diplonat (tcp_port 993))"
+ "(diplonat (tcp_port 993))",
+ "d53-a imap.deuxfleurs.fr",
+ "d53-aaaa imap.deuxfleurs.fr",
]
check {
@@ -283,8 +284,7 @@ job "email" {
"postfix",
"(diplonat (tcp_port 25 465 587))",
"d53-a smtp.deuxfleurs.fr",
- # ipv6 is commented for now as port is not open in firewall (TODO)
- # "d53-aaaa smtp.deuxfleurs.fr"
+ "d53-aaaa smtp.deuxfleurs.fr"
]
check {
type = "tcp"
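Review bot: Uncommenting `"d53-aaaa smtp.deuxfleurs.fr"` removes the note that IPv6 was held back because the ports were not open in the firewall, but nothing in the hunk shows that TODO was resolved; if the v6 ports are still closed, IPv6-capable senders will try the AAAA record first and fall back to A only after a connect timeout. Confirm that the `(diplonat (tcp_port 25 465 587))` tag above actually covers IPv6 (not visible here — TODO confirm) before publishing the record, or keep a short comment such as `# AAAA published once v6 ports 25/465/587 were opened (<date placeholder>)` so the reasoning survives. The tags list also loses its trailing comma here while the imaps hunk above keeps one, a minor style inconsistency.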
diff --git a/cluster/prod/app/guichet/config/guichet/config.json.tpl b/cluster/prod/app/guichet/config/guichet/config.json.tpl
index 467c92d..51c119c 100644
--- a/cluster/prod/app/guichet/config/guichet/config.json.tpl
+++ b/cluster/prod/app/guichet/config/guichet/config.json.tpl
@@ -28,6 +28,9 @@
"group_can_admin": "cn=admin,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
"group_can_invite": "cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
+ "s3_admin_endpoint": "garage-admin.service.prod.consul:3903",
+ "s3_admin_token": "{{ key "secrets/garage/admin_token" | trimSpace }}",
+
"s3_endpoint": "{{ key "secrets/directory/guichet/s3_endpoint" }}",
"s3_access_key": "{{ key "secrets/directory/guichet/s3_access_key" | trimSpace }}",
"s3_secret_key": "{{ key "secrets/directory/guichet/s3_secret_key" | trimSpace }}",
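Review bot: `s3_admin_token` hands Guichet the Garage admin API token from `secrets/garage/admin_token`, a cluster-wide credential, so a compromise of the user-facing dashboard now extends to full administrative control of the object store instead of the single access key it held before. If Guichet only needs it to provision keys and buckets for new users (presumably the motivation — confirm), record that scope on the secret's definition and restrict which tasks can reach `garage-admin.service.prod.consul:3903`; this file is JSON, so the note cannot live here. Whether the admin endpoint is served over TLS is not visible in the hunk; a bare `host:port` suggests plain HTTP, in which case the token crosses the cluster network in clear.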
diff --git a/cluster/prod/app/guichet/deploy/directory.hcl b/cluster/prod/app/guichet/deploy/directory.hcl
index 7e445ae..a64b7e6 100644
--- a/cluster/prod/app/guichet/deploy/directory.hcl
+++ b/cluster/prod/app/guichet/deploy/directory.hcl
@@ -13,7 +13,7 @@ job "guichet" {
task "guichet" {
driver = "docker"
config {
- image = "dxflrs/guichet:17"
+ image = "dxflrs/guichet:18"
readonly_rootfs = true
ports = [ "web_port" ]
volumes = [
diff --git a/cluster/prod/app/matrix/deploy/im.hcl b/cluster/prod/app/matrix/deploy/im.hcl
index 0d5387e..ed05ffc 100644
--- a/cluster/prod/app/matrix/deploy/im.hcl
+++ b/cluster/prod/app/matrix/deploy/im.hcl
@@ -65,7 +65,8 @@ job "matrix" {
resources {
cpu = 1000
- memory = 1000
+ memory = 500
+ memory_max = 1000
}
service {
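Review bot: Lowering `memory` to 500 while adding `memory_max = 1000` preserves the previous 1000 MB ceiling only if memory oversubscription is enabled in the Nomad scheduler configuration; when it is not, `memory_max` is ignored and Synapse is hard-limited at 500 MB, half of what it had. The same applies to the three postgres.hcl hunks (reservations dropped to 20/20/400 with max 100/100/600) and the three telemetry-service.hcl hunks. Stating the prerequisite once, e.g. `# memory_max takes effect only with scheduler memory_oversubscription_enabled = true`, or referencing where that is set, would make the intent clear.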
diff --git a/cluster/prod/app/postgres/deploy/postgres.hcl b/cluster/prod/app/postgres/deploy/postgres.hcl
index 749731d..9bad079 100644
--- a/cluster/prod/app/postgres/deploy/postgres.hcl
+++ b/cluster/prod/app/postgres/deploy/postgres.hcl
@@ -37,7 +37,8 @@ job "postgres14" {
]
}
resources {
- memory = 100
+ memory = 20
+ memory_max = 100
}
template {
@@ -80,7 +81,8 @@ job "postgres14" {
}
resources {
- memory = 100
+ memory = 20
+ memory_max = 100
}
template {
@@ -172,7 +174,8 @@ job "postgres14" {
}
resources {
- memory = 600
+ memory = 400
+ memory_max = 600
}
service {
diff --git a/cluster/prod/app/telemetry/deploy/telemetry-service.hcl b/cluster/prod/app/telemetry/deploy/telemetry-service.hcl
index 9955872..afa8a8d 100644
--- a/cluster/prod/app/telemetry/deploy/telemetry-service.hcl
+++ b/cluster/prod/app/telemetry/deploy/telemetry-service.hcl
@@ -36,7 +36,8 @@ job "telemetry-service" {
}
resources {
- memory = 200
+ memory = 50
+ memory_max = 200
cpu = 100
}
}
@@ -75,7 +76,8 @@ EOH
}
resources {
- memory = 500
+ memory = 100
+ memory_max = 400
cpu = 500
}
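Review bot: This task's `memory_max = 400` is below its previous `memory = 500`, unlike every other hunk in this commit where `memory_max` keeps the old reservation, so its ceiling shrinks by 100 MB even with oversubscription enabled. If that is deliberate, a comment such as `# lowered from 500 — TODO confirm observed peak` documents it; otherwise `memory_max = 500` keeps parity with the rest of the change.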
@@ -123,7 +125,8 @@ EOH
}
resources {
- memory = 200
+ memory = 50
+ memory_max = 200
cpu = 100
}
}
diff --git a/cluster/staging/app/ci/deploy/albatros.hcl b/cluster/staging/app/ci/deploy/albatros.hcl
index f044b32..6e8d7b5 100644
--- a/cluster/staging/app/ci/deploy/albatros.hcl
+++ b/cluster/staging/app/ci/deploy/albatros.hcl
@@ -22,7 +22,7 @@ job "albatros" {
task "controller" {
driver = "docker"
config {
- image = "dxflrs/albatros:750015b3fff91af8b9b86869411216a06bd13614"
+ image = "dxflrs/albatros:76c59221d171eb56a2ce2bfa630502ff78eeae74"
ports = [ "http" ]
volumes = [
"secrets/certs:/var/run/secrets/albatros"