diff --git a/README.md b/README.md
index 3527dbb..bf53a1c 100644
--- a/README.md
+++ b/README.md
@@ -15,18 +15,26 @@ Our first abstraction level is the NixOS level, which installs a bunch of standa Then, inside our Nomad+Consul orchestrator, we deploy a number of base services: - * **[Garage](https://git.deuxfleurs.fr/Deuxfleurs/garage/):** S3-compatible lightweight object store for self-hosted geo-distributed deployments (we also have a legacy glusterfs cluster) - * **[DiploNAT](https://git.deuxfleurs.fr/Deuxfleurs/diplonat):** network automation (firewalling, upnp igd) - * **[Bottin](https://git.deuxfleurs.fr/Deuxfleurs/bottin):** authentication and authorization (LDAP protocol, consul backend) - * **[Guichet](https://git.deuxfleurs.fr/Deuxfleurs/guichet):** a dashboard for our users and administrators - * **Stolon + PostgreSQL:** distributed relational database - * **Prometheus + Grafana:** monitoring + * Data management + * **[Garage](https://git.deuxfleurs.fr/Deuxfleurs/garage/):** S3-compatible lightweight object store for self-hosted geo-distributed deployments + * **Stolon + PostgreSQL:** distributed relational database + * Network Control Plane + * **[DiploNAT](https://git.deuxfleurs.fr/Deuxfleurs/diplonat):** - network automation (firewalling, upnp igd) + * **[D53](https://git.deuxfleurs.fr/lx/d53)** - update DNS entries (A and AAAA) dynamically based on Nomad service scheduling and local node info + * **[Tricot](https://git.deuxfleurs.fr/Deuxfleurs/tricot)** - a dynamic reverse proxy for nomad+consul inspired by traefik + * **[wgautomesh](https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh)** - a dynamic wireguard mesh configurator + * User Management + * **[Bottin](https://git.deuxfleurs.fr/Deuxfleurs/bottin):** authentication and authorization (LDAP protocol, consul backend) + * **[Guichet](https://git.deuxfleurs.fr/Deuxfleurs/guichet):** a dashboard for our users and administrators7 + * Observability + * **Prometheus + Grafana:** monitoring Some services we provide based on this abstraction: * **Websites:** Garage (static) + fediverse blog (Plume) * 
**Chat:** Synapse + Element Web (Matrix protocol) * **Email:** Postfix SMTP + Dovecot IMAP + opendkim DKIM + Sogo webmail | Alps webmail (experimental) + - **[Aerogramme](https://git.deuxfleurs.fr/Deuxfleurs/aerogramme/):** an encrypted IMAP server * **Visioconference:** Jitsi * **Collaboration:** CryptPad diff --git a/cluster/prod/app/bagage/deploy/bagage.hcl b/cluster/prod/app/bagage/deploy/bagage.hcl new file mode 100644 index 0000000..c9b7781 --- /dev/null +++ b/cluster/prod/app/bagage/deploy/bagage.hcl @@ -0,0 +1,86 @@ +job "bagage" { + datacenters = ["orion", "neptune"] + type = "service" + priority = 90 + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "main" { + count = 1 + + network { + port "web_port" { + static = 8080 + to = 8080 + } + port "ssh_port" { + static = 2222 + to = 2222 + } + } + + task "server" { + driver = "docker" + config { + image = "superboum/amd64_bagage:v11" + readonly_rootfs = false + network_mode = "host" + volumes = [ + "secrets/id_rsa:/id_rsa" + ] + ports = [ "web_port", "ssh_port" ] + } + + env { + BAGAGE_LDAP_ENDPOINT = "bottin.service.prod.consul:389" + } + + resources { + memory = 200 + cpu = 100 + } + + template { + data = "{{ key \"secrets/bagage/id_rsa\" }}" + destination = "secrets/id_rsa" + } + + service { + name = "bagage-ssh" + port = "ssh_port" + address_mode = "host" + tags = [ + "bagage", + "(diplonat (tcp_port 2222))" + ] + } + + service { + name = "bagage-webdav" + tags = [ + "bagage", + "tricot bagage.deuxfleurs.fr", + "d53-cname bagage.deuxfleurs.fr", + ] + port = "web_port" + address_mode = "host" + check { + type = "tcp" + port = "web_port" + address_mode = "host" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } +} + diff --git a/cluster/prod/app/bagage/secrets.toml b/cluster/prod/app/bagage/secrets.toml new file mode 100644 index 0000000..71b760a --- /dev/null +++ b/cluster/prod/app/bagage/secrets.toml 
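Review bot: The `server` task runs with `readonly_rootfs = false` and `network_mode = "host"`, while every other Docker task touched by this commit (diplonat, bottin, guichet) keeps `readonly_rootfs = true`; unless the image genuinely needs a writable root, `readonly_rootfs = true` plus an explicit writable mount for whatever it writes would match the rest of the cluster. The private key rendered from `secrets/bagage/id_rsa` into `secrets/id_rsa` relies on the template stanza's default file mode; adding `perms = "0600"` to that `template` block keeps the key readable only by the process owner once it is bind-mounted at `/id_rsa`. Finally, `bagage-ssh` is registered and exposed to the outside through the `(diplonat (tcp_port 2222))` tag but has no `check` block, unlike `bagage-webdav`; a tcp check on `ssh_port` with the same `check_restart` settings would let Consul stop advertising the port when the listener is down.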
@@ -0,0 +1,4 @@
+[secrets."bagage/id_rsa"]
+type = 'command'
+rotate = true
+command = 'ssh-keygen -q -f >(cat) -N "" <<< y 2>/dev/null 1>&2 ; true'
diff --git a/cluster/prod/app/core/deploy/core-system.hcl b/cluster/prod/app/core/deploy/core-system.hcl
index 03886b4..004a2ef 100644
--- a/cluster/prod/app/core/deploy/core-system.hcl
+++ b/cluster/prod/app/core/deploy/core-system.hcl
@@ -1,5 +1,5 @@
 job "core" {
- datacenters = ["orion", "neptune", "bespin", "scorpio"]
+ datacenters = ["orion", "neptune", "scorpio"]
 type = "system"
 priority = 90
@@ -13,7 +13,7 @@ job "core" {
 driver = "docker"
 config {
- image = "lxpz/amd64_diplonat:4"
+ image = "lxpz/amd64_diplonat:5"
 network_mode = "host"
 readonly_rootfs = true
 privileged = true
@@ -181,7 +181,7 @@ EOH
 task "bottin" {
 driver = "docker"
 config {
- image = "superboum/bottin_amd64:22"
+ image = "dxflrs/bottin:7h18i30cckckaahv87d3c86pn4a7q41z"
 network_mode = "host"
 readonly_rootfs = true
 ports = [ "ldap_port" ]
diff --git a/cluster/prod/app/email/config/dkim/signingtable b/cluster/prod/app/email/config/dkim/signingtable
index 60d66ff..8ed56d4 100644
--- a/cluster/prod/app/email/config/dkim/signingtable
+++ b/cluster/prod/app/email/config/dkim/signingtable
@@ -1,2 +1,3 @@
 *@deuxfleurs.fr smtp._domainkey.deuxfleurs.fr
 *@dufour.io smtp._domainkey.deuxfleurs.fr
+*@luxeylab.net smtp._domainkey.deuxfleurs.fr
diff --git a/cluster/prod/app/email/deploy/email.hcl b/cluster/prod/app/email/deploy/email.hcl
index 9fb249a..f4539ae 100644
--- a/cluster/prod/app/email/deploy/email.hcl
+++ b/cluster/prod/app/email/deploy/email.hcl
@@ -63,7 +63,6 @@ job "email" {
 port = "imap_port"
 tags = [
 "dovecot",
- "d53-a imap.deuxfleurs.fr",
 ]
 check {
 type = "tcp"
@@ -83,7 +82,9 @@ job "email" {
 port = "imaps_port"
 tags = [
 "dovecot",
- "(diplonat (tcp_port 993))"
+ "(diplonat (tcp_port 993))",
+ "d53-a imap.deuxfleurs.fr",
+ "d53-aaaa imap.deuxfleurs.fr",
 ]
 check {
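Review bot: The trailing `; true` in `command` makes the generator succeed unconditionally, so if `ssh-keygen` is absent or fails before the private key reaches `>(cat)`, an empty value is stored under `secrets/bagage/id_rsa` with no error. Presumably `; true` is there because writing the `.pub` companion next to the process-substitution path always fails, so capturing the output and refusing an empty result, e.g. `command = 'k=$(ssh-keygen -q -f >(cat) -N "" <<< y 2>/dev/null 1>&2); [ -n "$k" ] && printf "%s\n" "$k"'`, would keep that tolerance while still failing on a missing key. No `-t` is given, so the key type falls back to ssh-keygen's default (RSA); if bagage accepts it, `-t ed25519` gives a smaller, modern host key. Since this key appears to be the SSH host key mounted at `/id_rsa` in bagage.hcl, `rotate = true` means every rotation changes the host key that clients have pinned for port 2222, which deserves a one-line comment above the entry.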
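Review bot: The new `bottin` image is referenced by a mutable tag, `dxflrs/bottin:7h18i30cckckaahv87d3c86pn4a7q41z`, which a registry push can silently repoint even though the tag looks content-derived; pinning by digest (`image = "dxflrs/bottin@sha256:<digest>"`, digest to be filled in) would make the deployment reproducible and tamper-evident. The same applies to the other image references changed in this commit: `lxpz/amd64_diplonat:5` in the previous hunk, `superboum/amd64_bagage:v11` in bagage.hcl, `dxflrs/guichet:18` in directory.hcl and the albatros tag in albatros.hcl.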
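Review bot: The new `*@luxeylab.net` entry maps to the `smtp._domainkey.deuxfleurs.fr` key, so mail from luxeylab.net will be DKIM-signed with `d=deuxfleurs.fr`; the signature verifies, but it is not aligned with the From: domain, so a DMARC policy on luxeylab.net can only pass through SPF alignment. This mirrors the existing `*@dufour.io` line and may be intentional, but a separate KeyTable entry whose signing domain is luxeylab.net (with that selector's public key published in luxeylab.net's DNS) would give aligned signatures. A one-line comment in this file noting the shared-key trade-off would help whoever adds the next domain.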
@@ -283,8 +284,7 @@ job "email" {
 "postfix",
 "(diplonat (tcp_port 25 465 587))",
 "d53-a smtp.deuxfleurs.fr",
- # ipv6 is commented for now as port is not open in firewall (TODO)
- # "d53-aaaa smtp.deuxfleurs.fr"
+ "d53-aaaa smtp.deuxfleurs.fr"
 ]
 check {
 type = "tcp"
diff --git a/cluster/prod/app/guichet/config/guichet/config.json.tpl b/cluster/prod/app/guichet/config/guichet/config.json.tpl
index 467c92d..51c119c 100644
--- a/cluster/prod/app/guichet/config/guichet/config.json.tpl
+++ b/cluster/prod/app/guichet/config/guichet/config.json.tpl
@@ -28,6 +28,9 @@
 "group_can_admin": "cn=admin,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
 "group_can_invite": "cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
+ "s3_admin_endpoint": "garage-admin.service.prod.consul:3903",
+ "s3_admin_token": "{{ key "secrets/garage/admin_token" | trimSpace }}",
+ "s3_endpoint": "{{ key "secrets/directory/guichet/s3_endpoint" }}",
 "s3_access_key": "{{ key "secrets/directory/guichet/s3_access_key" | trimSpace }}",
 "s3_secret_key": "{{ key "secrets/directory/guichet/s3_secret_key" | trimSpace }}",
diff --git a/cluster/prod/app/guichet/deploy/directory.hcl b/cluster/prod/app/guichet/deploy/directory.hcl
index 7e445ae..a64b7e6 100644
--- a/cluster/prod/app/guichet/deploy/directory.hcl
+++ b/cluster/prod/app/guichet/deploy/directory.hcl
@@ -13,7 +13,7 @@ job "guichet" {
 task "guichet" {
 driver = "docker"
 config {
- image = "dxflrs/guichet:17"
+ image = "dxflrs/guichet:18"
 readonly_rootfs = true
 ports = [ "web_port" ]
 volumes = [
diff --git a/cluster/prod/app/matrix/deploy/im.hcl b/cluster/prod/app/matrix/deploy/im.hcl
index 0d5387e..ed05ffc 100644
--- a/cluster/prod/app/matrix/deploy/im.hcl
+++ b/cluster/prod/app/matrix/deploy/im.hcl
@@ -65,7 +65,8 @@ job "matrix" {
 resources {
 cpu = 1000
- memory = 1000
+ memory = 500
+ memory_max = 1000
 }
 service {
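Review bot: Publishing `d53-aaaa smtp.deuxfleurs.fr` is only safe if TCP 25/465/587 are now actually reachable over IPv6, and nothing in this hunk shows what closed the gap the removed comment described (the diplonat image bump elsewhere in the commit may be what enables it, but that is inferred). If the AAAA record goes live while those ports are still filtered on v6, remote MTAs that prefer AAAA will wait for a connection timeout before falling back to the A record, which delays inbound mail rather than failing cleanly; confirming that the `(diplonat (tcp_port 25 465 587))` rule now also applies to v6 before rollout is worth the minute it takes. Outbound delivery over v6 additionally tends to require a matching PTR record and the v6 address in SPF, which lives outside this file.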
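Review bot: `s3_admin_token` pulls `secrets/garage/admin_token`, a cluster-wide Garage administrative credential, into the Guichet config, which is a far broader capability than the per-application `s3_access_key`/`s3_secret_key` already present; a `{{/* ... */}}` template comment explaining why the dashboard needs the admin API (and that a Guichet compromise now means admin on Garage) would document that trade-off. The admin endpoint `garage-admin.service.prod.consul:3903` carries no scheme, so if Guichet speaks plain HTTP to it the token crosses the node network in clear, which is acceptable only if that network is already encrypted (the README mentions a wireguard mesh, but that is inferred). It is also worth confirming in directory.hcl that this template's `destination` is under `secrets/` rather than `local/`, since the rendered file now holds the admin token.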
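Review bot: `memory = 500` with `memory_max = 1000` only behaves as a soft reservation if memory oversubscription is enabled in the Nomad scheduler configuration; as I read the Nomad docs, when it is not, `memory_max` is ignored and `memory` becomes the hard cgroup limit, which for the postgres.hcl hunks in this commit would mean a 20 MB ceiling and OOM kills for tasks that previously had 100 MB. The same pattern is applied in postgres.hcl (three hunks) and telemetry-service.hcl (three hunks); note that the `@@ -75` telemetry hunk also lowers the ceiling from the old `memory = 500` to `memory_max = 400`, unlike every other hunk where `memory_max` equals the previous reservation, so that one may be unintended. A comment at the first such stanza, or in the commit message, stating that `memory_oversubscription_enabled` is set on the scheduler would make the dependency explicit.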
diff --git a/cluster/prod/app/postgres/deploy/postgres.hcl b/cluster/prod/app/postgres/deploy/postgres.hcl
index 749731d..9bad079 100644
--- a/cluster/prod/app/postgres/deploy/postgres.hcl
+++ b/cluster/prod/app/postgres/deploy/postgres.hcl
@@ -37,7 +37,8 @@ job "postgres14" {
 ]
 }
 resources {
- memory = 100
+ memory = 20
+ memory_max = 100
 }
 template {
@@ -80,7 +81,8 @@ job "postgres14" {
 }
 resources {
- memory = 100
+ memory = 20
+ memory_max = 100
 }
 template {
@@ -172,7 +174,8 @@ job "postgres14" {
 }
 resources {
- memory = 600
+ memory = 400
+ memory_max = 600
 }
 service {
diff --git a/cluster/prod/app/telemetry/deploy/telemetry-service.hcl b/cluster/prod/app/telemetry/deploy/telemetry-service.hcl
index 9955872..afa8a8d 100644
--- a/cluster/prod/app/telemetry/deploy/telemetry-service.hcl
+++ b/cluster/prod/app/telemetry/deploy/telemetry-service.hcl
@@ -36,7 +36,8 @@ job "telemetry-service" {
 }
 resources {
- memory = 200
+ memory = 50
+ memory_max = 200
 cpu = 100
 }
 }
@@ -75,7 +76,8 @@ EOH
 }
 resources {
- memory = 500
+ memory = 100
+ memory_max = 400
 cpu = 500
 }
@@ -123,7 +125,8 @@ EOH
 }
 resources {
- memory = 200
+ memory = 50
+ memory_max = 200
 cpu = 100
 }
 }
diff --git a/cluster/staging/app/ci/deploy/albatros.hcl b/cluster/staging/app/ci/deploy/albatros.hcl
index f044b32..6e8d7b5 100644
--- a/cluster/staging/app/ci/deploy/albatros.hcl
+++ b/cluster/staging/app/ci/deploy/albatros.hcl
@@ -22,7 +22,7 @@ job "albatros" {
 task "controller" {
 driver = "docker"
 config {
- image = "dxflrs/albatros:750015b3fff91af8b9b86869411216a06bd13614"
+ image = "dxflrs/albatros:76c59221d171eb56a2ce2bfa630502ff78eeae74"
 ports = [ "http" ]
 volumes = [
 "secrets/certs:/var/run/secrets/albatros"