Diffstat (limited to 'cluster/prod')
-rw-r--r--cluster/prod/app/backup/deploy/backup-daily.hcl4
-rw-r--r--cluster/prod/app/bagage/deploy/bagage.hcl2
-rw-r--r--cluster/prod/app/cms/deploy/cms.hcl2
-rw-r--r--cluster/prod/app/core/deploy/bottin.hcl2
-rw-r--r--cluster/prod/app/core/deploy/tricot.hcl2
-rw-r--r--cluster/prod/app/coturn/deploy/coturn.hcl2
-rw-r--r--cluster/prod/app/cryptpad/build/README.md20
-rw-r--r--cluster/prod/app/cryptpad/build/default.nix6
-rw-r--r--cluster/prod/app/cryptpad/build/npins/sources.json4
-rw-r--r--cluster/prod/app/cryptpad/build_docker/README.md4
-rw-r--r--cluster/prod/app/cryptpad/deploy/cryptpad-debug.hcl80
-rw-r--r--cluster/prod/app/cryptpad/deploy/cryptpad.hcl6
-rw-r--r--cluster/prod/app/email/config/dkim/signingtable2
-rw-r--r--cluster/prod/app/email/config/postfix/main.cf7
-rw-r--r--cluster/prod/app/email/deploy/email.hcl27
-rw-r--r--cluster/prod/app/garage/deploy/garage.hcl2
-rw-r--r--cluster/prod/app/guichet/deploy/guichet.hcl2
-rw-r--r--cluster/prod/app/matrix/build/docker-compose.yml13
-rw-r--r--cluster/prod/app/matrix/build/riotweb/Dockerfile2
-rw-r--r--cluster/prod/app/matrix/config/synapse/homeserver.yaml3
-rw-r--r--cluster/prod/app/matrix/deploy/im.hcl73
-rw-r--r--cluster/prod/app/plume/config/app.env2
-rw-r--r--cluster/prod/app/plume/deploy/plume.hcl60
-rw-r--r--cluster/prod/app/postgres/deploy/postgres.hcl5
-rw-r--r--cluster/prod/app/telemetry/deploy/telemetry-service.hcl8
-rw-r--r--cluster/prod/app/telemetry/deploy/telemetry-storage.hcl6
-rw-r--r--cluster/prod/app/telemetry/deploy/telemetry-system.hcl4
-rw-r--r--cluster/prod/app/woodpecker-ci/deploy/server.hcl16
-rw-r--r--cluster/prod/app/woodpecker-ci/integration/docker-compose.yml2
-rw-r--r--cluster/prod/cluster.nix53
-rw-r--r--cluster/prod/known_hosts1
-rw-r--r--cluster/prod/node/concombre.nix1
l---------cluster/prod/node/dahlia.site.nix1
-rw-r--r--cluster/prod/node/diplotaxis.nix14
l---------cluster/prod/node/diplotaxis.site.nix1
-rw-r--r--cluster/prod/node/doradille.nix14
l---------cluster/prod/node/doradille.site.nix1
-rw-r--r--cluster/prod/node/pamplemousse.nix1
-rw-r--r--cluster/prod/node/pasteque.nix (renamed from cluster/prod/node/dahlia.nix)7
l---------cluster/prod/node/pasteque.site.nix1
-rw-r--r--cluster/prod/site/orion.nix8
-rw-r--r--cluster/prod/ssh_config5
42 files changed, 180 insertions, 296 deletions
diff --git a/cluster/prod/app/backup/deploy/backup-daily.hcl b/cluster/prod/app/backup/deploy/backup-daily.hcl
index d9d9f2a..9650735 100644
--- a/cluster/prod/app/backup/deploy/backup-daily.hcl
+++ b/cluster/prod/app/backup/deploy/backup-daily.hcl
@@ -14,7 +14,7 @@ job "backup_daily" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
- value = "celeri"
+ value = "ananas"
}
task "main" {
@@ -152,7 +152,7 @@ EOH
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
- value = "courgette"
+ value = "abricot"
}
task "main" {
diff --git a/cluster/prod/app/bagage/deploy/bagage.hcl b/cluster/prod/app/bagage/deploy/bagage.hcl
index fbb571d..51af59e 100644
--- a/cluster/prod/app/bagage/deploy/bagage.hcl
+++ b/cluster/prod/app/bagage/deploy/bagage.hcl
@@ -1,5 +1,5 @@
job "bagage" {
- datacenters = ["scorpio", "neptune"]
+ datacenters = ["corrin", "neptune", "scorpio"]
type = "service"
priority = 90
diff --git a/cluster/prod/app/cms/deploy/cms.hcl b/cluster/prod/app/cms/deploy/cms.hcl
index 71192d2..ce1a0a3 100644
--- a/cluster/prod/app/cms/deploy/cms.hcl
+++ b/cluster/prod/app/cms/deploy/cms.hcl
@@ -1,5 +1,5 @@
job "cms" {
- datacenters = ["neptune", "scorpio"]
+ datacenters = ["corrin", "neptune", "scorpio"]
type = "service"
priority = 100
diff --git a/cluster/prod/app/core/deploy/bottin.hcl b/cluster/prod/app/core/deploy/bottin.hcl
index e21eb72..9cae97e 100644
--- a/cluster/prod/app/core/deploy/bottin.hcl
+++ b/cluster/prod/app/core/deploy/bottin.hcl
@@ -1,5 +1,5 @@
job "core-bottin" {
- datacenters = ["neptune", "scorpio"]
+ datacenters = ["corrin", "neptune", "scorpio", "bespin"]
type = "system"
priority = 90
diff --git a/cluster/prod/app/core/deploy/tricot.hcl b/cluster/prod/app/core/deploy/tricot.hcl
index 2131b11..f54657f 100644
--- a/cluster/prod/app/core/deploy/tricot.hcl
+++ b/cluster/prod/app/core/deploy/tricot.hcl
@@ -28,7 +28,7 @@ job "core-tricot" {
driver = "docker"
config {
- image = "armael/tricot:n6dk1b5xrdww12zf12jbcmihqs6g1brz"
+ image = "armael/tricot:40g7jpp915jkfszlczfh1yw2x6syjkxs-redir-headers"
network_mode = "host"
readonly_rootfs = true
ports = [ "http_port", "https_port" ]
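Review bot: The image on the added line is still referenced by a mutable tag (`armael/tricot:40g7…-redir-headers`) from a personal Docker Hub namespace, so what Nomad pulls can change without any change to this file; the tag looks derived from a nix build hash, but that does not make it immutable on the registry. Pinning by digest, `image = "armael/tricot@sha256:<digest of the pushed image>"`, makes the deployed bytes reviewable in the commit itself. The same applies to the image bump in cryptpad.hcl (which also moves from the `kokakiwi/` to the `armael/` namespace) and to the `superboum/amd64_synapse:v61` and `superboum/amd64_elementweb:v37` lines in im.hcl.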
diff --git a/cluster/prod/app/coturn/deploy/coturn.hcl b/cluster/prod/app/coturn/deploy/coturn.hcl
index 8923b2b..8b29d8f 100644
--- a/cluster/prod/app/coturn/deploy/coturn.hcl
+++ b/cluster/prod/app/coturn/deploy/coturn.hcl
@@ -1,5 +1,5 @@
job "coturn" {
- datacenters = ["neptune", "scorpio"]
+ datacenters = ["corrin", "neptune", "scorpio"]
type = "service"
priority = 100
diff --git a/cluster/prod/app/cryptpad/build/README.md b/cluster/prod/app/cryptpad/build/README.md
index 13c6ea2..f97fce4 100644
--- a/cluster/prod/app/cryptpad/build/README.md
+++ b/cluster/prod/app/cryptpad/build/README.md
@@ -1,6 +1,24 @@
# CryptPad for NixOS with Deuxfleurs flavour
-## Building
+## Basic Usage
+
+### Building
+
+To build and load the Docker image used in our Deuxfleurs deployment, run:
+
+``` shell
+docker load -i $(nix-build deuxfleurs.nix -A docker)
+```
+
+### Updating Cryptpad to a newer version
+
+- Check whether the cryptpad build instructions and the `install-onlyoffice.sh`
+ script has changed. If yes, then update `default.nix` accordingly.
+- In `default.nix`, update the `version` field for cryptpad
+- In `default.nix`, change the hash (any change works) of the release and `npmDepsHash` to trigger a rebuild
+- Run `nix-build deuxfleurs.nix`. This will fail because the hashes have changed, but tell you the correct hash to insert in `default.nix`.
+
+## More info
The `default.nix` file follows the nixpkgs `callPackage` convention for fetching dependencies, so you need to either:
diff --git a/cluster/prod/app/cryptpad/build/default.nix b/cluster/prod/app/cryptpad/build/default.nix
index 458253a..fffbd91 100644
--- a/cluster/prod/app/cryptpad/build/default.nix
+++ b/cluster/prod/app/cryptpad/build/default.nix
@@ -71,16 +71,16 @@
});
in buildNpmPackage rec {
pname = "cryptpad";
- version = "2024.9.0";
+ version = "2024.12.0";
src = fetchFromGitHub {
owner = "cryptpad";
repo = "cryptpad";
rev = version;
- hash = "sha256-OUtWaDVLRUbKS0apwY0aNq4MalGFv+fH9VA7LvWWYRs=";
+ hash = "sha256-oSrDajaCEc7I2AsDzKoO34ffd4OeXDwFDGm45yQDSvE=";
};
- npmDepsHash = "sha256-pK0b7q1kJja9l8ANwudbfo3jpldwuO56kuulS8X9A5s=";
+ npmDepsHash = "sha256-1EwxAe+8FOrngZx5+FEeu9uHKWZNBpsECEGrsyiZ2GU=";
inherit nodejs;
diff --git a/cluster/prod/app/cryptpad/build/npins/sources.json b/cluster/prod/app/cryptpad/build/npins/sources.json
index 3372fd0..1f513ad 100644
--- a/cluster/prod/app/cryptpad/build/npins/sources.json
+++ b/cluster/prod/app/cryptpad/build/npins/sources.json
@@ -3,8 +3,8 @@
"nixpkgs": {
"type": "Channel",
"name": "nixos-24.05",
- "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.5385.1719f27dd95f/nixexprs.tar.xz",
- "hash": "0f7i315g1z8kjh10hvj2zv7y2vfqxmwvd96hwlcrr8aig6qq5gzm"
+ "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.7376.b134951a4c9f/nixexprs.tar.xz",
+ "hash": "1f8j7fh0nl4qmqlxn6lis8zf7dnckm6jri4rwmj0qm1qivhr58lv"
}
},
"version": 3
diff --git a/cluster/prod/app/cryptpad/build_docker/README.md b/cluster/prod/app/cryptpad/build_docker/README.md
new file mode 100644
index 0000000..03e11bb
--- /dev/null
+++ b/cluster/prod/app/cryptpad/build_docker/README.md
@@ -0,0 +1,4 @@
+# Dockerfile for Cryptpad
+
+This was an experiment but is not used or maintained currently.
+The docker image we use is the one build using nix; see the `build/` directory.
diff --git a/cluster/prod/app/cryptpad/deploy/cryptpad-debug.hcl b/cluster/prod/app/cryptpad/deploy/cryptpad-debug.hcl
deleted file mode 100644
index 7788273..0000000
--- a/cluster/prod/app/cryptpad/deploy/cryptpad-debug.hcl
+++ /dev/null
@@ -1,80 +0,0 @@
-job "cryptpad-debug" {
- datacenters = ["neptune"]
- type = "service"
-
- group "cryptpad" {
- count = 1
-
- network {
- port "http" {
- to = 3000
- }
- }
-
- restart {
- attempts = 10
- delay = "30s"
- }
-
- task "main" {
- driver = "docker"
-
- constraint {
- attribute = "${attr.unique.hostname}"
- operator = "="
- value = "courgette"
- }
-
- config {
- image = "armael/cryptpad:2024.9.0"
- ports = [ "http" ]
-
- volumes = [
- "/mnt/ssd/cryptpad-debug:/mnt",
- "secrets/config-debug.js:/cryptpad/config.js",
- ]
- }
- env {
- CRYPTPAD_CONFIG = "/cryptpad/config.js"
- }
-
- template {
- data = file("../config/config-debug.js")
- destination = "secrets/config-debug.js"
- }
-
- /* Disabled because it requires modifications to the docker image and I do not want to invest the time yet
- template {
- data = file("../config/application_config-debug.js")
- destination = "secrets/config-debug.js"
- }
- */
-
- resources {
- memory = 1000
- cpu = 500
- }
-
- service {
- name = "cryptpad-debug"
- port = "http"
- tags = [
- "tricot pad-debug.deuxfleurs.fr",
- "tricot pad-sandbox-debug.deuxfleurs.fr",
- "tricot-add-header Cross-Origin-Resource-Policy cross-origin",
- "tricot-add-header Cross-Origin-Embedder-Policy require-corp",
- "tricot-add-header Access-Control-Allow-Origin *",
- "tricot-add-header Access-Control-Allow-Credentials true",
- "d53-cname pad-debug.deuxfleurs.fr",
- "d53-cname pad-sandbox-debug.deuxfleurs.fr",
- ]
- check {
- type = "http"
- path = "/"
- interval = "10s"
- timeout = "2s"
- }
- }
- }
- }
-}
diff --git a/cluster/prod/app/cryptpad/deploy/cryptpad.hcl b/cluster/prod/app/cryptpad/deploy/cryptpad.hcl
index 76737a6..5e19919 100644
--- a/cluster/prod/app/cryptpad/deploy/cryptpad.hcl
+++ b/cluster/prod/app/cryptpad/deploy/cryptpad.hcl
@@ -1,5 +1,5 @@
job "cryptpad" {
- datacenters = ["neptune"]
+ datacenters = ["scorpio"]
type = "service"
group "cryptpad" {
@@ -22,11 +22,11 @@ job "cryptpad" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
- value = "courgette"
+ value = "abricot"
}
config {
- image = "kokakiwi/cryptpad:2024.9.0"
+ image = "armael/cryptpad:2024.12.0"
ports = [ "http" ]
volumes = [
diff --git a/cluster/prod/app/email/config/dkim/signingtable b/cluster/prod/app/email/config/dkim/signingtable
index 102f6db..2c74b4d 100644
--- a/cluster/prod/app/email/config/dkim/signingtable
+++ b/cluster/prod/app/email/config/dkim/signingtable
@@ -7,3 +7,5 @@
*@e-x-t-r-a-c-t.me smtp._domainkey.deuxfleurs.fr
*@courderec.re smtp._domainkey.deuxfleurs.fr
*@trinity.fr.eu.org smtp._domainkey.deuxfleurs.fr
+*@scrutin.app smtp._domainkey.deuxfleurs.fr
+*@lalis.se smtp._domainkey.deuxfleurs.fr
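Review bot: The two added lines sign mail from `scrutin.app` and `lalis.se` with the `smtp._domainkey.deuxfleurs.fr` key, following the existing entries; if the keytable maps that name to `d=deuxfleurs.fr` (not visible here), the resulting signatures verify but do not align with the From domain, so DMARC for those two domains can only pass through aligned SPF. Worth confirming that SPF for both domains includes this relay, or publishing per-domain keys if a stricter DMARC policy is intended, and recording that trade-off in a comment at the top of the table, e.g. `# Domains signed with the deuxfleurs.fr key get a non-aligned DKIM signature; DMARC relies on SPF.`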
diff --git a/cluster/prod/app/email/config/postfix/main.cf b/cluster/prod/app/email/config/postfix/main.cf
index 5593716..ca9c87d 100644
--- a/cluster/prod/app/email/config/postfix/main.cf
+++ b/cluster/prod/app/email/config/postfix/main.cf
@@ -83,11 +83,14 @@ smtpd_forbid_unauth_pipelining = yes
smtpd_discard_ehlo_keywords = chunking
smtpd_forbid_bare_newline = yes
-smtpd_client_connection_rate_limit = 2
-
#===
# Rate limiting
#===
+smtpd_client_connection_rate_limit = 2
+# do not rate-limit ourselves
+# in particular, useful for forgejo who opens a lot of SMTP connections
+smtpd_client_event_limit_exceptions = $mynetworks /etc/postfix/rate-limit-exceptions
+
slow_destination_recipient_limit = 20
slow_destination_concurrency_limit = 2
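Review bot: The new `smtpd_client_event_limit_exceptions` line points at `/etc/postfix/rate-limit-exceptions`, while the deploy job in this same commit writes the generated list to `secrets/postfix/rate-limit-exceptions`; the mapping between those two paths is not in this hunk, so confirm the file really lands at that location in the container. Postfix reads a `/path` entry in this parameter as a file, and as far as I recall it fails hard when it cannot open it, which would keep smtpd from starting rather than merely losing the exception. A one-line comment would spare the next reader the lookup: `# generated by the email.hcl template from diplonat/autodiscovery/*; mounted from secrets/postfix/`.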
diff --git a/cluster/prod/app/email/deploy/email.hcl b/cluster/prod/app/email/deploy/email.hcl
index 10e4d50..fc8f7e4 100644
--- a/cluster/prod/app/email/deploy/email.hcl
+++ b/cluster/prod/app/email/deploy/email.hcl
@@ -1,6 +1,6 @@
job "email" {
# Should not run on the same site as email-android7.hcl (port conflict in diplonat)
- datacenters = ["neptune"]
+ datacenters = ["scorpio"]
type = "service"
priority = 65
@@ -32,7 +32,7 @@ job "email" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
- value = "celeri"
+ value = "ananas"
}
config {
@@ -382,6 +382,29 @@ job "email" {
destination = "secrets/postfix/transport"
}
+ template {
+ # Collect machine IPs from the cluster.
+ # We use intermediate maps to ensure we get a sorted list with no duplicates,
+ # so that it is robust wrt. changes in the order of the output of ls or
+ # addition of new machines in an existing site.
+ # (scratch.MapValues returns the list of *values* in the map, sorted by *key*)
+ data = <<EOH
+ {{- range ls "diplonat/autodiscovery/ipv4" }}
+ {{- with $a := .Value | parseJSON }}
+ {{- scratch.MapSet "ipv4" $a.address $a.address }}
+ {{- end }}
+ {{- end -}}
+ {{- range ls "diplonat/autodiscovery/ipv6" }}
+ {{- with $a := .Value | parseJSON }}
+ {{- scratch.MapSet "ipv6" $a.address $a.address }}
+ {{- end }}
+ {{- end -}}
+ {{- range scratch.MapValues "ipv4" }}{{ . }} {{ end }}
+ {{- range scratch.MapValues "ipv6" }}[{{ . }}] {{ end }}
+ EOH
+ destination = "secrets/postfix/rate-limit-exceptions"
+ }
+
# --- secrets ---
template {
data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
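Review bot: The rate-limit exception list in the new template is built from every entry under `diplonat/autodiscovery/ipv4` and `ipv6` in Consul, so whoever can write to that KV prefix can add any address to the set exempt from SMTP connection rate limiting; worth checking that the Consul ACL for that prefix is limited to diplonat and saying so in the comment, e.g. `# Trust boundary: anything writable under diplonat/autodiscovery/ ends up exempt from rate limiting.` Also, `.Value | parseJSON` aborts the whole render on a single malformed value, which would keep the email task from starting; if that is the intended fail-closed behaviour a line stating it would help. The enclosing `task` block starts and ends outside this hunk.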
diff --git a/cluster/prod/app/garage/deploy/garage.hcl b/cluster/prod/app/garage/deploy/garage.hcl
index 68edc94..81a22c3 100644
--- a/cluster/prod/app/garage/deploy/garage.hcl
+++ b/cluster/prod/app/garage/deploy/garage.hcl
@@ -1,5 +1,5 @@
job "garage" {
- datacenters = [ "neptune", "bespin", "scorpio" ]
+ datacenters = ["neptune", "bespin", "scorpio", "corrin"]
type = "system"
priority = 80
diff --git a/cluster/prod/app/guichet/deploy/guichet.hcl b/cluster/prod/app/guichet/deploy/guichet.hcl
index c1476e2..aca811f 100644
--- a/cluster/prod/app/guichet/deploy/guichet.hcl
+++ b/cluster/prod/app/guichet/deploy/guichet.hcl
@@ -1,5 +1,5 @@
job "guichet" {
- datacenters = [ "neptune", "scorpio" ]
+ datacenters = ["corrin", "neptune", "scorpio"]
type = "service"
priority = 90
diff --git a/cluster/prod/app/matrix/build/docker-compose.yml b/cluster/prod/app/matrix/build/docker-compose.yml
index b61fb39..4f2c573 100644
--- a/cluster/prod/app/matrix/build/docker-compose.yml
+++ b/cluster/prod/app/matrix/build/docker-compose.yml
@@ -1,4 +1,3 @@
-version: '3.4'
services:
# Instant Messaging
riot:
@@ -6,18 +5,18 @@ services:
context: ./riotweb
args:
# https://github.com/vector-im/element-web/releases
- VERSION: v1.11.78
- image: particallydone/amd64_elementweb:v36
+ VERSION: v1.11.90
+ image: superboum/amd64_elementweb:v37
synapse:
build:
context: ./matrix-synapse
args:
- # https://github.com/matrix-org/synapse/releases
- VERSION: v1.104.0
+ # https://github.com/element-hq/synapse/releases
+ VERSION: v1.122.0
# https://github.com/matrix-org/synapse-s3-storage-provider/commits/main
# Update with the latest commit on main each time you update the synapse version
# otherwise synapse may fail to launch due to incompatibility issues
# see this issue for an example: https://github.com/matrix-org/synapse-s3-storage-provider/issues/64
- S3_VERSION: 2c46a764f700e6439afa11c00db827ddf21a9e89
- image: particallydone/amd64_synapse:v60
+ S3_VERSION: bdc46a71aa16bcbcf8ed1b157ca6756ddb0131ef
+ image: superboum/amd64_synapse:v61
diff --git a/cluster/prod/app/matrix/build/riotweb/Dockerfile b/cluster/prod/app/matrix/build/riotweb/Dockerfile
index ec4f5dd..0bb408a 100644
--- a/cluster/prod/app/matrix/build/riotweb/Dockerfile
+++ b/cluster/prod/app/matrix/build/riotweb/Dockerfile
@@ -1,4 +1,4 @@
-FROM amd64/debian:trixie as builder
+FROM amd64/debian:trixie AS builder
ARG VERSION
WORKDIR /root
diff --git a/cluster/prod/app/matrix/config/synapse/homeserver.yaml b/cluster/prod/app/matrix/config/synapse/homeserver.yaml
index fb223eb..41241f0 100644
--- a/cluster/prod/app/matrix/config/synapse/homeserver.yaml
+++ b/cluster/prod/app/matrix/config/synapse/homeserver.yaml
@@ -110,6 +110,7 @@ federation_rc_concurrent: 3
# Directory where uploaded images and attachments are stored.
media_store_path: "/var/lib/matrix-synapse/media"
uploads_path: "/var/lib/matrix-synapse/uploads"
+enable_authenticated_media: False
media_storage_providers:
- module: s3_storage_provider.S3StorageProviderBackend
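Review bot: `enable_authenticated_media: False` on the added line opts out of the authenticated-media default that recent Synapse releases ship with, so media keeps being served on the legacy unauthenticated endpoints; the hunk gives no reason, and since this is a deliberate relaxation it should carry one, e.g. `# Kept False until clients and federation peers handle authenticated media; re-evaluate after the v1.122 rollout.` The second hunk switches `endpoint_url` to plain `http://localhost:3900`, which presumably relies on the synapse task running with `network_mode = "host"` and a Garage instance listening locally on every node the job can land on — a comment stating that assumption next to the line would help whoever moves the job later.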
@@ -121,7 +122,7 @@ media_storage_providers:
# All of the below options are optional, for use with non-AWS S3-like
# services, or to specify access tokens here instead of some external method.
region_name: garage
- endpoint_url: https://garage.deuxfleurs.fr
+ endpoint_url: http://localhost:3900
access_key_id: {{ key "secrets/chat/synapse/s3_access_key" | trimSpace }}
secret_access_key: {{ key "secrets/chat/synapse/s3_secret_key" | trimSpace }}
diff --git a/cluster/prod/app/matrix/deploy/im.hcl b/cluster/prod/app/matrix/deploy/im.hcl
index c348131..c0f3a1a 100644
--- a/cluster/prod/app/matrix/deploy/im.hcl
+++ b/cluster/prod/app/matrix/deploy/im.hcl
@@ -15,7 +15,7 @@ job "matrix" {
driver = "docker"
config {
- image = "particallydone/amd64_synapse:v60"
+ image = "superboum/amd64_synapse:v61"
network_mode = "host"
readonly_rootfs = true
ports = [ "api_port" ]
@@ -101,7 +101,7 @@ job "matrix" {
driver = "docker"
config {
- image = "particallydone/amd64_synapse:v60"
+ image = "superboum/amd64_synapse:v61"
readonly_rootfs = true
command = "/usr/local/bin/matrix-s3-async"
work_dir = "/tmp"
@@ -126,7 +126,7 @@ AWS_DEFAULT_REGION=garage
PG_USER={{ key "secrets/chat/synapse/postgres_user" | trimSpace }}
PG_PASS={{ key "secrets/chat/synapse/postgres_pwd" | trimSpace }}
PG_DB={{ key "secrets/chat/synapse/postgres_db" | trimSpace }}
-PG_HOST={{ env "meta.site" }}.psql-proxy.service.2.cluster.deuxfleurs.fr
+PG_HOST={{ env "meta.site" }}.psql-proxy.service.prod.consul
PG_PORT=5432
EOH
destination = "secrets/env"
@@ -137,7 +137,7 @@ EOH
task "riotweb" {
driver = "docker"
config {
- image = "particallydone/amd64_elementweb:v36"
+ image = "superboum/amd64_elementweb:v37"
ports = [ "web_port" ]
volumes = [
"secrets/config.json:/srv/http/config.json"
@@ -177,70 +177,5 @@ EOH
}
}
}
-
- group "syncv3" {
- count = 1
-
- network {
- port "syncv3_api" { to = 8009 }
- port "syncv3_metrics" { to = 2112 }
- }
-
- task "syncv3" {
- driver = "docker"
-
- config {
- image = "ghcr.io/matrix-org/sliding-sync:v0.99.16"
- ports = [ "syncv3_api", "syncv3_metrics" ]
- }
-
- resources {
- cpu = 1000
- memory = 500
- memory_max = 1000
- }
-
- template {
- data = <<EOH
-SYNCV3_SERVER=http://synapse.service.prod.consul:8008
-SYNCV3_DB=postgresql://{{ key "secrets/chat/syncv3/postgres_user"|trimSpace }}:{{ key "secrets/chat/syncv3/postgres_pwd"|trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul/{{ key "secrets/chat/syncv3/postgres_db"|trimSpace }}?sslmode=disable
-SYNCV3_SECRET={{ key "secrets/chat/syncv3/secret"|trimSpace }}
-SYNCV3_BINDADDR=0.0.0.0:8009
-SYNCV3_PROM=0.0.0.0:2112
-EOH
- destination = "secrets/env"
- env = true
- }
-
- service {
- name = "matrix-syncv3"
- port = "syncv3_api"
- address_mode = "host"
- tags = [
- "matrix",
- "tricot im-syncv3.deuxfleurs.fr 100",
- "tricot-add-header Access-Control-Allow-Origin *",
- "d53-cname im-syncv3.deuxfleurs.fr",
- ]
- check {
- type = "tcp"
- port = "syncv3_api"
- interval = "60s"
- timeout = "5s"
- check_restart {
- limit = 3
- grace = "90s"
- ignore_warnings = false
- }
- }
- }
-
- service {
- name = "matrix-syncv3-metrics"
- port = "syncv3_metrics"
- address_mode = "host"
- }
- }
- }
}
diff --git a/cluster/prod/app/plume/config/app.env b/cluster/prod/app/plume/config/app.env
index b663d81..36000c2 100644
--- a/cluster/prod/app/plume/config/app.env
+++ b/cluster/prod/app/plume/config/app.env
@@ -28,7 +28,7 @@ MIGRATION_DIRECTORY=migrations/postgres
USE_HTTPS=0
ROCKET_ADDRESS=::
-ROCKET_PORT={{ env "NOMAD_PORT_web_port" }}
+ROCKET_PORT={{ env "NOMAD_PORT_back_port" }}
MEDIA_UPLOAD_DIRECTORY=/app/static/media
SEARCH_INDEX=/app/search_index
diff --git a/cluster/prod/app/plume/deploy/plume.hcl b/cluster/prod/app/plume/deploy/plume.hcl
index 5d10339..c759a02 100644
--- a/cluster/prod/app/plume/deploy/plume.hcl
+++ b/cluster/prod/app/plume/deploy/plume.hcl
@@ -1,12 +1,50 @@
job "plume-blog" {
- datacenters = ["scorpio", "neptune"]
+ datacenters = ["corrin", "neptune", "scorpio"]
type = "service"
group "plume" {
count = 1
network {
- port "web_port" { }
+ port "back_port" { }
+ port "cache_port" { }
+ }
+
+ task "varnish" {
+ driver = "docker"
+ config {
+ image = "varnish:7.6.1"
+ network_mode = "host"
+ ports = [ "cache_port" ]
+
+ # cache
+ mount {
+ type = "tmpfs"
+ target = "/var/lib/varnish/varnishd:exec"
+ readonly = false
+ tmpfs_options {
+ size = 2684354559 # 2.5GB in bytes
+ }
+ }
+ }
+
+ env {
+ VARNISH_SIZE = "2G"
+ VARNISH_BACKEND_HOST = "localhost"
+ VARNISH_BACKEND_PORT = "${NOMAD_PORT_back_port}"
+ VARNISH_HTTP_PORT = "${NOMAD_PORT_cache_port}"
+ }
+
+ service {
+ name = "plume-cache"
+ tags = [
+ "plume",
+ "tricot plume.deuxfleurs.fr",
+ "d53-cname plume.deuxfleurs.fr",
+ ]
+ port = "cache_port"
+ address_mode = "host"
+ }
}
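Review bot: The new `plume-cache` service, which now carries the `tricot` and `d53-cname` tags, has no `check` block, while the backend service it fronts keeps its HTTP check; tricot will keep routing plume.deuxfleurs.fr to a Varnish that may be down or not yet listening. Adding the same HTTP check on `cache_port` closes that gap (rewritten service block below). Separately, the tmpfs mount's `target = "/var/lib/varnish/varnishd:exec"` looks like the `--tmpfs path:exec` CLI shorthand, but Nomad's `mount` target is passed on as a literal path, so this presumably creates a tmpfs at a directory named `varnishd:exec` rather than an exec-enabled tmpfs at `/var/lib/varnish/varnishd` — verify inside the running container. The `group "plume"` block continues past the end of the hunk.
```hcl
    service {
      name = "plume-cache"
      # … unchanged: tags, port, address_mode …
      check {
        type = "http"
        protocol = "http"
        port = "cache_port"
        path = "/"
        interval = "60s"
        timeout = "5s"
      }
    }
```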
task "plume" {
@@ -14,9 +52,9 @@ job "plume-blog" {
config {
image = "lxpz/plume_s3:v1"
network_mode = "host"
- ports = [ "web_port" ]
+ ports = [ "back_port" ]
command = "sh"
- args = [ "-c", "plm search init; plm search refill; plume" ]
+ args = [ "-c", "plm search init; plume" ]
}
template {
@@ -26,24 +64,22 @@ job "plume-blog" {
}
resources {
- memory = 200
- memory_max = 800
+ memory = 512
+ memory_max = 512
cpu = 100
}
service {
- name = "plume"
+ name = "plume-back"
tags = [
"plume",
- "tricot plume.deuxfleurs.fr",
- "d53-cname plume.deuxfleurs.fr",
]
- port = "web_port"
+ port = "back_port"
address_mode = "host"
check {
type = "http"
protocol = "http"
- port = "web_port"
+ port = "back_port"
path = "/"
interval = "60s"
timeout = "5s"
@@ -55,7 +91,7 @@ job "plume-blog" {
}
}
restart {
- interval = "30m"
+ interval = "20m"
attempts = 20
delay = "15s"
mode = "delay"
diff --git a/cluster/prod/app/postgres/deploy/postgres.hcl b/cluster/prod/app/postgres/deploy/postgres.hcl
index a42d57e..424a993 100644
--- a/cluster/prod/app/postgres/deploy/postgres.hcl
+++ b/cluster/prod/app/postgres/deploy/postgres.hcl
@@ -1,5 +1,5 @@
job "postgres14" {
- datacenters = ["neptune", "bespin", "scorpio"]
+ datacenters = ["neptune", "bespin", "scorpio", "corrin"]
type = "system"
priority = 90
@@ -19,8 +19,7 @@ job "postgres14" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "set_contains_any"
- value = "courgette,df-ymf,abricot"
- # old (orion) = diplotaxis
+ value = "courgette,df-ymf,abricot,pasteque"
}
restart {
diff --git a/cluster/prod/app/telemetry/deploy/telemetry-service.hcl b/cluster/prod/app/telemetry/deploy/telemetry-service.hcl
index 13efddb..0744abc 100644
--- a/cluster/prod/app/telemetry/deploy/telemetry-service.hcl
+++ b/cluster/prod/app/telemetry/deploy/telemetry-service.hcl
@@ -1,5 +1,5 @@
job "telemetry-service" {
- datacenters = ["neptune", "scorpio"]
+ datacenters = ["corrin", "scorpio", "dathormir"]
type = "service"
group "grafana" {
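Review bot: The datacenter name `dathormir` on the added line does not match `dathomir` used in telemetry-system.hcl's new datacenters list in this same commit; Nomad does not reject an unknown datacenter, the job simply never gets placed there, so the typo would fail silently. Assuming telemetry-system has the intended spelling, change the line to `datacenters = ["corrin", "scorpio", "dathomir"]`.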
@@ -45,7 +45,7 @@ job "telemetry-service" {
task "grafana" {
driver = "docker"
config {
- image = "grafana/grafana:10.3.4"
+ image = "grafana/grafana:11.4.1"
network_mode = "host"
ports = [ "grafana" ]
volumes = [
@@ -76,9 +76,9 @@ EOH
}
resources {
- memory = 100
+ memory = 200
memory_max = 400
- cpu = 500
+ cpu = 300
}
service {
diff --git a/cluster/prod/app/telemetry/deploy/telemetry-storage.hcl b/cluster/prod/app/telemetry/deploy/telemetry-storage.hcl
index d87f3c6..1fe0d38 100644
--- a/cluster/prod/app/telemetry/deploy/telemetry-storage.hcl
+++ b/cluster/prod/app/telemetry/deploy/telemetry-storage.hcl
@@ -1,5 +1,5 @@
job "telemetry-storage" {
- datacenters = ["neptune", "bespin"]
+ datacenters = ["scorpio", "bespin"]
type = "service"
group "prometheus" {
@@ -14,13 +14,13 @@ job "telemetry-storage" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "set_contains_any"
- value = "celeri,df-ymk"
+ value = "ananas,df-ymk"
}
task "prometheus" {
driver = "docker"
config {
- image = "prom/prometheus:v2.50.1"
+ image = "prom/prometheus:v3.1.0"
network_mode = "host"
ports = [ "prometheus" ]
args = [
diff --git a/cluster/prod/app/telemetry/deploy/telemetry-system.hcl b/cluster/prod/app/telemetry/deploy/telemetry-system.hcl
index 76fad83..b80153f 100644
--- a/cluster/prod/app/telemetry/deploy/telemetry-system.hcl
+++ b/cluster/prod/app/telemetry/deploy/telemetry-system.hcl
@@ -1,5 +1,5 @@
job "telemetry-system" {
- datacenters = ["neptune", "scorpio", "bespin", "corrin"]
+ datacenters = ["neptune", "scorpio", "bespin", "corrin", "dathomir"]
type = "system"
priority = "100"
@@ -12,7 +12,7 @@ job "telemetry-system" {
driver = "docker"
config {
- image = "quay.io/prometheus/node-exporter:v1.7.0"
+ image = "quay.io/prometheus/node-exporter:v1.8.1"
network_mode = "host"
volumes = [
"/:/host:ro,rslave"
diff --git a/cluster/prod/app/woodpecker-ci/deploy/server.hcl b/cluster/prod/app/woodpecker-ci/deploy/server.hcl
index c974e3f..60806b9 100644
--- a/cluster/prod/app/woodpecker-ci/deploy/server.hcl
+++ b/cluster/prod/app/woodpecker-ci/deploy/server.hcl
@@ -23,7 +23,7 @@ job "woodpecker-ci" {
task "server" {
driver = "docker"
config {
- image = "woodpeckerci/woodpecker-server:v2.7.1"
+ image = "woodpeckerci/woodpecker-server:v3.0.1"
ports = [ "web_port", "grpc_port" ]
network_mode = "host"
}
@@ -31,7 +31,7 @@ job "woodpecker-ci" {
template {
data = <<EOH
WOODPECKER_OPEN=true
-WOODPECKER_ORGS=Deuxfleurs
+WOODPECKER_ORGS=Deuxfleurs,distorsion
WOODPECKER_ADMIN=lx
WOODPECKER_HOST=https://woodpecker.deuxfleurs.fr
@@ -93,6 +93,10 @@ EOH
name = "woodpecker-grpc"
tags = [
"woodpecker-grpc",
+ # The tricot tag is necessary for tricot to get us a tls certificate,
+ # but it will not make the grpc endpoint work as tricot cannot
+ # proxy grpc traffic by itself.
+ "tricot woodpecker-grpc.deuxfleurs.fr",
]
port = "grpc_port"
address_mode = "host"
@@ -120,7 +124,7 @@ http {
listen 0.0.0.0:14453 ssl;
listen [::]:14453 ssl;
http2 on;
- server_name woodpecker.deuxfleurs.fr;
+ server_name woodpecker-grpc.deuxfleurs.fr;
resolver 127.0.0.1 valid=30s;
ssl_certificate "/etc/ssl/certs/woodpecker.cert";
@@ -128,6 +132,8 @@ http {
location / {
grpc_pass grpc://woodpecker-grpc.service.prod.consul:14090;
+ grpc_read_timeout 1800s;
+ grpc_send_timeout 1800s;
}
}
}
@@ -136,11 +142,11 @@ EOH
}
template {
- data = "{{ with $d := key \"tricot/certs/woodpecker.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
+ data = "{{ with $d := key \"tricot/certs/woodpecker-grpc.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
destination = "secrets/ssl/certs/woodpecker.key"
}
template {
- data = "{{ with $d := key \"tricot/certs/woodpecker.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
+ data = "{{ with $d := key \"tricot/certs/woodpecker-grpc.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
destination = "secrets/ssl/certs/woodpecker.cert"
}
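Review bot: The two templates now fetch the certificate and key for `woodpecker-grpc.deuxfleurs.fr` but still write them to `secrets/ssl/certs/woodpecker.cert` and `woodpecker.key`, which nginx loads as `ssl_certificate "/etc/ssl/certs/woodpecker.cert"`; the file names read as the web UI's certificate and will mislead whoever debugs a TLS name mismatch on port 14453. Either rename both destinations (and the matching `ssl_certificate*` lines in the nginx template) to `woodpecker-grpc.*`, or add `# this is the woodpecker-grpc.deuxfleurs.fr cert, not the web UI one` next to each destination.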
diff --git a/cluster/prod/app/woodpecker-ci/integration/docker-compose.yml b/cluster/prod/app/woodpecker-ci/integration/docker-compose.yml
index 7b825df..5756b25 100644
--- a/cluster/prod/app/woodpecker-ci/integration/docker-compose.yml
+++ b/cluster/prod/app/woodpecker-ci/integration/docker-compose.yml
@@ -10,7 +10,7 @@ services:
- "./nix.conf:/etc/nix/nix.conf:ro"
woodpecker-runner:
- image: woodpeckerci/woodpecker-agent:v2.4.1
+ image: woodpeckerci/woodpecker-agent:v3.0.1
restart: always
environment:
# -- change these for each agent
diff --git a/cluster/prod/cluster.nix b/cluster/prod/cluster.nix
index ff4e4b5..66da48d 100644
--- a/cluster/prod/cluster.nix
+++ b/cluster/prod/cluster.nix
@@ -7,44 +7,6 @@
deuxfleurs.clusterPrefix = "10.83.0.0/16";
deuxfleurs.clusterNodes = {
- "concombre" = {
- siteName = "neptune";
- publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34=";
- address = "10.83.1.1";
- endpoint = "82.67.87.112:33731";
- };
- "courgette" = {
- siteName = "neptune";
- publicKey = "goTkBJGmzrGDOAjUcdH9G0JekipqSMoaYQdB6IHnzi0=";
- address = "10.83.1.2";
- endpoint = "82.67.87.112:33732";
- };
- "celeri" = {
- siteName = "neptune";
- publicKey = "oZDAb8LoLW87ktUHyFFec0VaIar97bqq47mGbdVqJ0U=";
- address = "10.83.1.3";
- endpoint = "82.67.87.112:33733";
- };
- /*
- "dahlia" = {
- siteName = "orion";
- publicKey = "EtRoWBYCdjqgXX0L+uWLg8KxNfIK8k9OTh30tL19bXU=";
- address = "10.83.2.1";
- endpoint = "82.66.80.201:33731";
- };
- "diplotaxis" = {
- siteName = "orion";
- publicKey = "HbLC938mysadMSOxWgq8+qrv+dBKzPP/43OMJp/3phA=";
- address = "10.83.2.2";
- endpoint = "82.66.80.201:33732";
- };
- "doradille" = {
- siteName = "orion";
- publicKey = "e1C8jgTj9eD20ywG08G1FQZ+Js3wMK/msDUE1wO3l1Y=";
- address = "10.83.2.3";
- endpoint = "82.66.80.201:33733";
- };
- */
"df-ykl" = {
siteName = "bespin";
publicKey = "bIjxey/VhBgVrLa0FxN/KISOt2XFmQeSh1MPivUq9gg=";
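Review bot: The `concombre`, `courgette` and `celeri` entries are dropped from `clusterNodes`, but the same commit keeps `node/concombre.nix` (only `isRaftServer` is removed there) and the `Host concombre` stanza in `ssh_config`; if the neptune nodes are decommissioned those leftovers should go too, and if they are only temporarily out of the overlay a comment here saying so would stop the next reader from re-adding them. The later `retry_join` hunk also introduces `10.83.4.2 # ananas`, and no `ananas` entry is visible in this diff, so presumably it exists in the unchanged part of `clusterNodes` — worth a quick check that the address matches. The `clusterNodes` attribute set continues outside this hunk.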
@@ -105,6 +67,12 @@
address = "10.83.6.1";
endpoint = "45.81.62.36:33731";
};
+ "pasteque" = {
+ siteName = "corrin";
+ publicKey = "7vPq0z6JVxTLEebasUlR5Uu4dAFZxfddhjWtIYhCoXw=";
+ address = "10.83.6.2";
+ endpoint = "45.81.62.36:33732";
+ };
};
# Pin Nomad version
@@ -114,15 +82,13 @@
# Bootstrap IPs for Consul cluster,
# these are IPs on the Wireguard overlay
services.consul.extraConfig.retry_join = [
- "10.83.1.1" # concombre
- "10.83.2.1" # dahlia
"10.83.3.1" # df-ykl
+ "10.83.4.2" # ananas
+ "10.83.6.1" # pamplemousse
];
deuxfleurs.adminAccounts = {
lx = [
- # Keys for accessing nodes from outside
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIw+IIX8+lZX9RrHAbwi/bncLYStXpI4EmK3AUcqPY2O lx@kusanagi "
];
quentin = [
@@ -167,6 +133,9 @@
kokakiwi = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPTsEgcOtb2bij+Ih8eg8ZqO7d3IMiWykv6deMzlSSS kokakiwi@kira"
];
+ stitch = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdT28Emp9yJqTPrxz+oDP08KZaN1kbsNyVqt9p9IMED"
+ ];
};
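Review bot: The new `stitch` key is the only admin key in the visible list without a trailing comment identifying the device it belongs to (compare `kokakiwi@kira` and `lx@kusanagi` above); for later rotation and for matching a key against `sshd` logs it helps to append one, e.g. `"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdT28Emp9yJqTPrxz+oDP08KZaN1kbsNyVqt9p9IMED stitch@<device>"`.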
# For Garage external communication
diff --git a/cluster/prod/known_hosts b/cluster/prod/known_hosts
index 2bce50f..938b7b8 100644
--- a/cluster/prod/known_hosts
+++ b/cluster/prod/known_hosts
@@ -15,3 +15,4 @@ io.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvgCJ7Jew7ou1RZuaT
ortie.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqtfIPLk8a5tM6Upj7GQwlIS16nBPrZYVXE2FVlO2Yn
pamplemousse.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAI0M5qny9yQ6LNzWqPfSlOWwTYpvxQtuSpFiOb6aVtA
2001:912:1ac0:2200::201 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAI0M5qny9yQ6LNzWqPfSlOWwTYpvxQtuSpFiOb6aVtA
+2001:912:1ac0:2200::202 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmngRvteIMEcy9UcRX6hcSsO7Pq+gY2dfLvhcUUciEZ
diff --git a/cluster/prod/node/concombre.nix b/cluster/prod/node/concombre.nix
index 9a9e456..acd2598 100644
--- a/cluster/prod/node/concombre.nix
+++ b/cluster/prod/node/concombre.nix
@@ -11,5 +11,4 @@
deuxfleurs.hostName = "concombre";
deuxfleurs.staticIPv4.address = "192.168.1.31";
deuxfleurs.staticIPv6.address = "2001:910:1204:1::31";
- deuxfleurs.isRaftServer = true;
}
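Review bot: `deuxfleurs.isRaftServer` is removed here and added to pamplemousse in the same commit; if, as the name suggests, this controls Consul/Nomad server membership, rebuilding both nodes at once removes one server and adds another in a single step, which can cost quorum when the server set is small. Presumably this is applied in stages (concombre is also dropped from `clusterNodes` and `retry_join`), but a comment on the pamplemousse line giving the intended order — promote pamplemousse and wait for it to join, then demote concombre — would make that explicit.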
diff --git a/cluster/prod/node/dahlia.site.nix b/cluster/prod/node/dahlia.site.nix
deleted file mode 120000
index 3af56c7..0000000
--- a/cluster/prod/node/dahlia.site.nix
+++ /dev/null
@@ -1 +0,0 @@
-../site/orion.nix \ No newline at end of file
diff --git a/cluster/prod/node/diplotaxis.nix b/cluster/prod/node/diplotaxis.nix
deleted file mode 100644
index f9c7faf..0000000
--- a/cluster/prod/node/diplotaxis.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-# Configuration file local to this node
-
-{ config, pkgs, ... }:
-
-{
- # Use the GRUB 2 boot loader.
- boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
- boot.loader.grub.device = "/dev/nvme0n1"; # or "nodev" for efi only
-
- deuxfleurs.hostName = "diplotaxis";
- deuxfleurs.staticIPv4.address = "192.168.1.12";
- deuxfleurs.staticIPv6.address = "2a01:e0a:28f:5e60::12";
-}
diff --git a/cluster/prod/node/diplotaxis.site.nix b/cluster/prod/node/diplotaxis.site.nix
deleted file mode 120000
index 3af56c7..0000000
--- a/cluster/prod/node/diplotaxis.site.nix
+++ /dev/null
@@ -1 +0,0 @@
-../site/orion.nix \ No newline at end of file
diff --git a/cluster/prod/node/doradille.nix b/cluster/prod/node/doradille.nix
deleted file mode 100644
index a4dc691..0000000
--- a/cluster/prod/node/doradille.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-# Configuration file local to this node
-
-{ config, pkgs, ... }:
-
-{
- # Use the GRUB 2 boot loader.
- boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
- boot.loader.grub.device = "/dev/nvme0n1"; # or "nodev" for efi only
-
- deuxfleurs.hostName = "doradille";
- deuxfleurs.staticIPv4.address = "192.168.1.13";
- deuxfleurs.staticIPv6.address = "2a01:e0a:28f:5e60::13";
-}
diff --git a/cluster/prod/node/doradille.site.nix b/cluster/prod/node/doradille.site.nix
deleted file mode 120000
index 3af56c7..0000000
--- a/cluster/prod/node/doradille.site.nix
+++ /dev/null
@@ -1 +0,0 @@
-../site/orion.nix \ No newline at end of file
diff --git a/cluster/prod/node/pamplemousse.nix b/cluster/prod/node/pamplemousse.nix
index 00ab784..61463c8 100644
--- a/cluster/prod/node/pamplemousse.nix
+++ b/cluster/prod/node/pamplemousse.nix
@@ -11,4 +11,5 @@
deuxfleurs.hostName = "pamplemousse";
deuxfleurs.staticIPv4.address = "192.168.5.201";
deuxfleurs.staticIPv6.address = "2001:912:1ac0:2200::201";
+ deuxfleurs.isRaftServer = true;
}
diff --git a/cluster/prod/node/dahlia.nix b/cluster/prod/node/pasteque.nix
index 121a34d..98cd2e6 100644
--- a/cluster/prod/node/dahlia.nix
+++ b/cluster/prod/node/pasteque.nix
@@ -5,9 +5,10 @@
{
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
+ boot.loader.timeout = 5;
boot.loader.efi.canTouchEfiVariables = true;
- deuxfleurs.hostName = "dahlia";
- deuxfleurs.staticIPv4.address = "192.168.1.11";
- deuxfleurs.staticIPv6.address = "2a01:e0a:28f:5e60::11";
+ deuxfleurs.hostName = "pasteque";
+ deuxfleurs.staticIPv4.address = "192.168.5.202";
+ deuxfleurs.staticIPv6.address = "2001:912:1ac0:2200::202";
}
diff --git a/cluster/prod/node/pasteque.site.nix b/cluster/prod/node/pasteque.site.nix
new file mode 120000
index 0000000..0a97c41
--- /dev/null
+++ b/cluster/prod/node/pasteque.site.nix
@@ -0,0 +1 @@
+../site/corrin.nix \ No newline at end of file
diff --git a/cluster/prod/site/orion.nix b/cluster/prod/site/orion.nix
deleted file mode 100644
index dd8e208..0000000
--- a/cluster/prod/site/orion.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- deuxfleurs.siteName = "orion";
- deuxfleurs.staticIPv4.defaultGateway = "192.168.1.254";
- deuxfleurs.cnameTarget = "orion.site.deuxfleurs.fr.";
- deuxfleurs.publicIPv4 = "82.66.80.201";
-}
diff --git a/cluster/prod/ssh_config b/cluster/prod/ssh_config
index c8abb42..f63a335 100644
--- a/cluster/prod/ssh_config
+++ b/cluster/prod/ssh_config
@@ -1,4 +1,6 @@
UserKnownHostsFile ./cluster/prod/known_hosts
+Host *
+ Port 110
Host concombre
HostName concombre.machine.deuxfleurs.fr
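Review bot: The new `Host *` block with `Port 110` is placed at the top of the file, and ssh_config takes the first value obtained for each option, so no later per-host stanza can override the port; if every host really listens on 110 that is harmless today, but the conventional placement for a `Host *` block is at the end of the file, after the specific hosts. Moving `Host *` / `    Port 110` to the bottom keeps per-host overrides possible without changing current behaviour.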
@@ -47,3 +49,6 @@ Host ortie
Host pamplemousse
HostName 2001:912:1ac0:2200::201
+
+Host pasteque
+ HostName 2001:912:1ac0:2200::202