From 2de291e9b7059ad7d3c06b7ef930f9e470d65c70 Mon Sep 17 00:00:00 2001
From: Quentin Dufour
Date: Sun, 26 Mar 2023 10:13:51 +0200
Subject: [PATCH 1/9] upgrade bottin + remove bespin
---
 cluster/prod/app/core/deploy/core-system.hcl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cluster/prod/app/core/deploy/core-system.hcl b/cluster/prod/app/core/deploy/core-system.hcl
index 03886b4..6ece3d6 100644
--- a/cluster/prod/app/core/deploy/core-system.hcl
+++ b/cluster/prod/app/core/deploy/core-system.hcl
@@ -1,5 +1,5 @@
 job "core" {
- datacenters = ["orion", "neptune", "bespin", "scorpio"]
+ datacenters = ["orion", "neptune", "scorpio"]
 type = "system"
 priority = 90
@@ -181,7 +181,7 @@ EOH
 task "bottin" {
 driver = "docker"
 config {
- image = "superboum/bottin_amd64:22"
+ image = "dxflrs/bottin:7h18i30cckckaahv87d3c86pn4a7q41z"
 network_mode = "host"
 readonly_rootfs = true
 ports = [ "ldap_port" ]
From 4c903a24472d6966835ac6737d0dbd3b23b6da68 Mon Sep 17 00:00:00 2001
From: Quentin Dufour
Date: Mon, 27 Mar 2023 12:22:00 +0200
Subject: [PATCH 2/9] update readme
---
 README.md | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 3527dbb..3d427cb 100644
--- a/README.md
+++ b/README.md
@@ -16,9 +16,14 @@ Our first abstraction level is the NixOS level, which installs a bunch of standa
 Then, inside our Nomad+Consul orchestrator, we deploy a number of base services:
 * **[Garage](https://git.deuxfleurs.fr/Deuxfleurs/garage/):** S3-compatible lightweight object store for self-hosted geo-distributed deployments (we also have a legacy glusterfs cluster)
- * **[DiploNAT](https://git.deuxfleurs.fr/Deuxfleurs/diplonat):** network automation (firewalling, upnp igd)
- * **[Bottin](https://git.deuxfleurs.fr/Deuxfleurs/bottin):** authentication and authorization (LDAP protocol, consul backend)
- * **[Guichet](https://git.deuxfleurs.fr/Deuxfleurs/guichet):** a dashboard for our users and administrators
+ * Network Control Plane
+ * **[DiploNAT](https://git.deuxfleurs.fr/Deuxfleurs/diplonat):** network automation (firewalling, upnp igd)
+ * **[D53](https://git.deuxfleurs.fr/lx/d53)**
+ * **[Tricot](https://git.deuxfleurs.fr/Deuxfleurs/tricot)**
+ * **[wgautomesh](https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh)**
+ * User Management
+ * **[Bottin](https://git.deuxfleurs.fr/Deuxfleurs/bottin):** authentication and authorization (LDAP protocol, consul backend)
+ * **[Guichet](https://git.deuxfleurs.fr/Deuxfleurs/guichet):** a dashboard for our users and administrators
 * **Stolon + PostgreSQL:** distributed relational database
 * **Prometheus + Grafana:** monitoring
From 3ce25b880a0698ff7d48d4cd58acb4e6cddadc47 Mon Sep 17 00:00:00 2001
From: Quentin Dufour
Date: Mon, 27 Mar 2023 12:24:12 +0200
Subject: [PATCH 3/9] update descriptios
---
 README.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 3d427cb..c7e381b 100644
--- a/README.md
+++ b/README.md
@@ -17,10 +17,10 @@ Then, inside our Nomad+Consul orchestrator, we deploy a number of base services:
 * **[Garage](https://git.deuxfleurs.fr/Deuxfleurs/garage/):** S3-compatible lightweight object store for self-hosted geo-distributed deployments (we also have a legacy glusterfs cluster)
 * Network Control Plane
- * **[DiploNAT](https://git.deuxfleurs.fr/Deuxfleurs/diplonat):** network automation (firewalling, upnp igd)
- * **[D53](https://git.deuxfleurs.fr/lx/d53)**
- * **[Tricot](https://git.deuxfleurs.fr/Deuxfleurs/tricot)**
- * **[wgautomesh](https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh)**
+ * **[DiploNAT](https://git.deuxfleurs.fr/Deuxfleurs/diplonat):** - network automation (firewalling, upnp igd)
+ * **[D53](https://git.deuxfleurs.fr/lx/d53)** - update DNS entries (A and AAAA) dynamically based on Nomad service scheduling and local node info
+ * **[Tricot](https://git.deuxfleurs.fr/Deuxfleurs/tricot)** - a dynamic reverse proxy for nomad+consul inspired by traefik
+ * **[wgautomesh](https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh)** - a dynamic wireguard mesh configurator
 * User Management
 * **[Bottin](https://git.deuxfleurs.fr/Deuxfleurs/bottin):** authentication and authorization (LDAP protocol, consul backend)
 * **[Guichet](https://git.deuxfleurs.fr/Deuxfleurs/guichet):** a dashboard for our users and administrators
@@ -32,6 +32,7 @@ Some services we provide based on this abstraction:
 * **Websites:** Garage (static) + fediverse blog (Plume)
 * **Chat:** Synapse + Element Web (Matrix protocol)
 * **Email:** Postfix SMTP + Dovecot IMAP + opendkim DKIM + Sogo webmail | Alps webmail (experimental)
+ - **[Aerogramme](https://git.deuxfleurs.fr/Deuxfleurs/aerogramme/):** an encrypted IMAP server
 * **Visioconference:** Jitsi
 * **Collaboration:** CryptPad
From 3a883b51dfd46f64fade7684c41632c3940cafd2 Mon Sep 17 00:00:00 2001
From: Quentin Dufour
Date: Mon, 27 Mar 2023 12:26:01 +0200
Subject: [PATCH 4/9] better classification
---
 README.md | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index c7e381b..bf53a1c 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,9 @@ Our first abstraction level is the NixOS level, which installs a bunch of standa
 Then, inside our Nomad+Consul orchestrator, we deploy a number of base services:
- * **[Garage](https://git.deuxfleurs.fr/Deuxfleurs/garage/):** S3-compatible lightweight object store for self-hosted geo-distributed deployments (we also have a legacy glusterfs cluster)
+ * Data management
+ * **[Garage](https://git.deuxfleurs.fr/Deuxfleurs/garage/):** S3-compatible lightweight object store for self-hosted geo-distributed deployments
+ * **Stolon + PostgreSQL:** distributed relational database
 * Network Control Plane
 * **[DiploNAT](https://git.deuxfleurs.fr/Deuxfleurs/diplonat):** - network automation (firewalling, upnp igd)
 * **[D53](https://git.deuxfleurs.fr/lx/d53)** - update DNS entries (A and AAAA) dynamically based on Nomad service scheduling and local node info
@@ -23,9 +25,9 @@ Then, inside our Nomad+Consul orchestrator, we deploy a number of base services:
 * **[wgautomesh](https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh)** - a dynamic wireguard mesh configurator
 * User Management
 * **[Bottin](https://git.deuxfleurs.fr/Deuxfleurs/bottin):** authentication and authorization (LDAP protocol, consul backend)
- * **[Guichet](https://git.deuxfleurs.fr/Deuxfleurs/guichet):** a dashboard for our users and administrators
- * **Stolon + PostgreSQL:** distributed relational database
- * **Prometheus + Grafana:** monitoring
+ * **[Guichet](https://git.deuxfleurs.fr/Deuxfleurs/guichet):** a dashboard for our users and administrators7
+ * Observability
+ * **Prometheus + Grafana:** monitoring
 Some services we provide based on this abstraction:
From d83d230aeef0261bde13ea910b25bf4f667b147c Mon Sep 17 00:00:00 2001
From: Adrien
Date: Thu, 30 Mar 2023 18:09:07 +0200
Subject: [PATCH 5/9] added luxeylab to dkim signingtable
---
 cluster/prod/app/email/config/dkim/signingtable | 1 +
 1 file changed, 1 insertion(+)
diff --git a/cluster/prod/app/email/config/dkim/signingtable b/cluster/prod/app/email/config/dkim/signingtable
index 60d66ff..8ed56d4 100644
--- a/cluster/prod/app/email/config/dkim/signingtable
+++ b/cluster/prod/app/email/config/dkim/signingtable
@@ -1,2 +1,3 @@
 *@deuxfleurs.fr smtp._domainkey.deuxfleurs.fr
 *@dufour.io smtp._domainkey.deuxfleurs.fr
+*@luxeylab.net smtp._domainkey.deuxfleurs.fr
From c9f122bcd38b0f7d775dbd197aac7dd192f0e653 Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Tue, 4 Apr 2023 14:13:57 +0200
Subject: [PATCH 6/9] diplonat with ipv6 firewall support; email ipv6 addresses in dns
---
 cluster/prod/app/core/deploy/core-system.hcl | 2 +-
 cluster/prod/app/email/deploy/email.hcl | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/cluster/prod/app/core/deploy/core-system.hcl b/cluster/prod/app/core/deploy/core-system.hcl
index 6ece3d6..004a2ef 100644
--- a/cluster/prod/app/core/deploy/core-system.hcl
+++ b/cluster/prod/app/core/deploy/core-system.hcl
@@ -13,7 +13,7 @@ job "core" {
 driver = "docker"
 config {
- image = "lxpz/amd64_diplonat:4"
+ image = "lxpz/amd64_diplonat:5"
 network_mode = "host"
 readonly_rootfs = true
 privileged = true
diff --git a/cluster/prod/app/email/deploy/email.hcl b/cluster/prod/app/email/deploy/email.hcl
index 9fb249a..f4539ae 100644
--- a/cluster/prod/app/email/deploy/email.hcl
+++ b/cluster/prod/app/email/deploy/email.hcl
@@ -63,7 +63,6 @@ job "email" {
 port = "imap_port"
 tags = [
 "dovecot",
- "d53-a imap.deuxfleurs.fr",
 ]
 check {
 type = "tcp"
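Review bot: The new `*@luxeylab.net smtp._domainkey.deuxfleurs.fr` line signs luxeylab.net mail with the deuxfleurs.fr key, so the resulting DKIM signature will presumably carry `d=deuxfleurs.fr` and will not be aligned with a `From: …@luxeylab.net` header under DMARC; a receiver enforcing a DMARC policy for luxeylab.net would then treat the message as having no aligned DKIM and fall back to SPF alone. The existing `*@dufour.io` entry follows the same pattern, so this may be deliberate, but if luxeylab.net publishes (or plans to publish) a DMARC record it needs its own KeyTable entry with `d=luxeylab.net` and a matching TXT record under that domain rather than reusing the deuxfleurs.fr selector. A one-line comment at the top of the file stating which domains get aligned signatures and which are only opportunistically signed would save the next person the same check.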
@@ -83,7 +82,9 @@ job "email" {
 port = "imaps_port"
 tags = [
 "dovecot",
- "(diplonat (tcp_port 993))"
+ "(diplonat (tcp_port 993))",
+ "d53-a imap.deuxfleurs.fr",
+ "d53-aaaa imap.deuxfleurs.fr",
 ]
 check {
@@ -283,8 +284,7 @@ job "email" {
 "postfix",
 "(diplonat (tcp_port 25 465 587))",
 "d53-a smtp.deuxfleurs.fr",
- # ipv6 is commented for now as port is not open in firewall (TODO)
- # "d53-aaaa smtp.deuxfleurs.fr"
+ "d53-aaaa smtp.deuxfleurs.fr"
 ]
 check {
 type = "tcp"
From 0e4c641db741c91dd95934b61e70a2f5268b3c7e Mon Sep 17 00:00:00 2001
From: Quentin Dufour
Date: Wed, 5 Apr 2023 15:50:46 +0200
Subject: [PATCH 7/9] redeploy bagage
---
 cluster/prod/app/bagage/deploy/bagage.hcl | 86 ++++++++++++++++++++++
 cluster/prod/app/bagage/secrets.toml | 4 +
 cluster/staging/app/ci/deploy/albatros.hcl | 2 +-
 3 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100644 cluster/prod/app/bagage/deploy/bagage.hcl
 create mode 100644 cluster/prod/app/bagage/secrets.toml
diff --git a/cluster/prod/app/bagage/deploy/bagage.hcl b/cluster/prod/app/bagage/deploy/bagage.hcl
new file mode 100644
index 0000000..c9b7781
--- /dev/null
+++ b/cluster/prod/app/bagage/deploy/bagage.hcl
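Review bot: The new `"d53-aaaa smtp.deuxfleurs.fr"` tag in the `@@ -283,8 +284,7 @@` hunk publishes an AAAA record for the MX host, which makes IPv6 the preferred path for many remote MTAs; besides the firewall opening that the commit message attributes to diplonat 5, the SPF record (an `ip6:` mechanism) and a reverse PTR for the node's IPv6 address presumably have to exist as well, or v6 deliveries will be rejected or scored down by receivers that check them — neither is visible here, so worth confirming before the record goes live. The removed comment carried the reason the line was disabled; a short replacement such as `# ipv6 port 25/465/587 opened by diplonat >= 5` would keep that context for the next reader. Style: the added line drops the trailing comma that the surrounding entries keep, so `"d53-aaaa smtp.deuxfleurs.fr",` would keep the list uniform and avoid touching this line on the next addition. The enclosing `service` block starts outside the hunk.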
@@ -0,0 +1,86 @@
+job "bagage" {
+ datacenters = ["orion", "neptune"]
+ type = "service"
+ priority = 90
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "main" {
+ count = 1
+
+ network {
+ port "web_port" {
+ static = 8080
+ to = 8080
+ }
+ port "ssh_port" {
+ static = 2222
+ to = 2222
+ }
+ }
+
+ task "server" {
+ driver = "docker"
+ config {
+ image = "superboum/amd64_bagage:v11"
+ readonly_rootfs = false
+ network_mode = "host"
+ volumes = [
+ "secrets/id_rsa:/id_rsa"
+ ]
+ ports = [ "web_port", "ssh_port" ]
+ }
+
+ env {
+ BAGAGE_LDAP_ENDPOINT = "bottin.service.prod.consul:389"
+ }
+
+ resources {
+ memory = 200
+ cpu = 100
+ }
+
+ template {
+ data = "{{ key \"secrets/bagage/id_rsa\" }}"
+ destination = "secrets/id_rsa"
+ }
+
+ service {
+ name = "bagage-ssh"
+ port = "ssh_port"
+ address_mode = "host"
+ tags = [
+ "bagage",
+ "(diplonat (tcp_port 2222))"
+ ]
+ }
+
+ service {
+ name = "bagage-webdav"
+ tags = [
+ "bagage",
+ "tricot bagage.deuxfleurs.fr",
+ "d53-cname bagage.deuxfleurs.fr",
+ ]
+ port = "web_port"
+ address_mode = "host"
+ check {
+ type = "tcp"
+ port = "web_port"
+ address_mode = "host"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/cluster/prod/app/bagage/secrets.toml b/cluster/prod/app/bagage/secrets.toml
new file mode 100644
index 0000000..71b760a
--- /dev/null
+++ b/cluster/prod/app/bagage/secrets.toml
@@ -0,0 +1,4 @@
+[secrets."bagage/id_rsa"]
+type = 'command'
+rotate = true
+command = 'ssh-keygen -q -f >(cat) -N "" <<< y 2>/dev/null 1>&2 ; true'
diff --git a/cluster/staging/app/ci/deploy/albatros.hcl b/cluster/staging/app/ci/deploy/albatros.hcl
index f044b32..6e8d7b5 100644
--- a/cluster/staging/app/ci/deploy/albatros.hcl
+++ b/cluster/staging/app/ci/deploy/albatros.hcl
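Review bot: `readonly_rootfs = false` in the `server` task breaks with the `readonly_rootfs = true` that every other task in this series uses (bottin, diplonat, guichet), and this is the task whose sshd is reachable from outside through `(diplonat (tcp_port 2222))`; if bagage only needs to write under a known path, keeping the rootfs read-only and mounting a tmpfs or volume there would match the rest of the cluster, and if the writable rootfs is unavoidable a comment saying why (`# bagage writes <path>; rootfs must stay writable`) would stop someone from flipping it back. The host key is rendered from the Consul value `secrets/bagage/id_rsa` into `secrets/id_rsa`, so the fingerprint users pin stays stable only as long as that value does — worth stating in a comment next to the `template` block. `BAGAGE_LDAP_ENDPOINT` points at plain LDAP on port 389; presumably that traffic stays on the internal mesh, but nothing in this file says so.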
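Review bot: The trailing `; true` on the `command` line masks any failure of `ssh-keygen`, so a broken invocation would presumably store an empty or partial private key as the bagage SSH host key and the job would start with it; dropping `; true`, or otherwise failing when nothing was captured, lets the problem surface at secret-generation time instead. `rotate = true` together with a freshly generated key on each rotation changes the host-key fingerprint that SSH clients have recorded, producing host-key-changed warnings and teaching users to accept them — if rotation is really intended for a host key, a comment explaining that and how users learn the new fingerprint would help. The key type is left at the tool's default; `-t ed25519` would make it explicit, though the secret name `id_rsa` suggests RSA is expected and the command should say so either way.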
@@ -22,7 +22,7 @@ job "albatros" {
 task "controller" {
 driver = "docker"
 config {
- image = "dxflrs/albatros:750015b3fff91af8b9b86869411216a06bd13614"
+ image = "dxflrs/albatros:76c59221d171eb56a2ce2bfa630502ff78eeae74"
 ports = [ "http" ]
 volumes = [
 "secrets/certs:/var/run/secrets/albatros"
From a614f495ad25adc180a30c8cdc5dadc4f11aa3a6 Mon Sep 17 00:00:00 2001
From: Quentin Dufour
Date: Sat, 8 Apr 2023 10:41:50 +0200
Subject: [PATCH 8/9] allow memory overprovisionning
---
 cluster/prod/app/matrix/deploy/im.hcl | 3 ++-
 cluster/prod/app/postgres/deploy/postgres.hcl | 9 ++++++---
 cluster/prod/app/telemetry/deploy/telemetry-service.hcl | 9 ++++++---
 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/cluster/prod/app/matrix/deploy/im.hcl b/cluster/prod/app/matrix/deploy/im.hcl
index 0d5387e..ed05ffc 100644
--- a/cluster/prod/app/matrix/deploy/im.hcl
+++ b/cluster/prod/app/matrix/deploy/im.hcl
@@ -65,7 +65,8 @@ job "matrix" {
 resources {
 cpu = 1000
- memory = 1000
+ memory = 500
+ memory_max = 1000
 }
 service {
diff --git a/cluster/prod/app/postgres/deploy/postgres.hcl b/cluster/prod/app/postgres/deploy/postgres.hcl
index 749731d..9bad079 100644
--- a/cluster/prod/app/postgres/deploy/postgres.hcl
+++ b/cluster/prod/app/postgres/deploy/postgres.hcl
@@ -37,7 +37,8 @@ job "postgres14" {
 ]
 }
 resources {
- memory = 100
+ memory = 20
+ memory_max = 100
 }
 template {
@@ -80,7 +81,8 @@ job "postgres14" {
 }
 resources {
- memory = 100
+ memory = 20
+ memory_max = 100
 }
 template {
@@ -172,7 +174,8 @@ job "postgres14" {
 }
 resources {
- memory = 600
+ memory = 400
+ memory_max = 600
 }
 service {
diff --git a/cluster/prod/app/telemetry/deploy/telemetry-service.hcl b/cluster/prod/app/telemetry/deploy/telemetry-service.hcl
index 9955872..afa8a8d 100644
--- a/cluster/prod/app/telemetry/deploy/telemetry-service.hcl
+++ b/cluster/prod/app/telemetry/deploy/telemetry-service.hcl
@@ -36,7 +36,8 @@ job "telemetry-service" {
 }
 resources {
- memory = 200
+ memory = 50
+ memory_max = 200
 cpu = 100
 }
 }
@@ -75,7 +76,8 @@ EOH
 }
 resources {
- memory = 500
+ memory = 100
+ memory_max = 400
 cpu = 500
 }
@@ -123,7 +125,8 @@ EOH
 }
 resources {
- memory = 200
+ memory = 50
+ memory_max = 200
 cpu = 100
 }
 }
From 57aa2ce1d22dfe7963afdfc1908ae2ba60184dcb Mon Sep 17 00:00:00 2001
From: Quentin Dufour
Date: Wed, 19 Apr 2023 15:20:49 +0200
Subject: [PATCH 9/9] interface gestion site web guichet
---
 cluster/prod/app/guichet/config/guichet/config.json.tpl | 3 +++
 cluster/prod/app/guichet/deploy/directory.hcl | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/cluster/prod/app/guichet/config/guichet/config.json.tpl b/cluster/prod/app/guichet/config/guichet/config.json.tpl
index 467c92d..51c119c 100644
--- a/cluster/prod/app/guichet/config/guichet/config.json.tpl
+++ b/cluster/prod/app/guichet/config/guichet/config.json.tpl
@@ -28,6 +28,9 @@
 "group_can_admin": "cn=admin,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
 "group_can_invite": "cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
+ "s3_admin_endpoint": "garage-admin.service.prod.consul:3903",
+ "s3_admin_token": "{{ key "secrets/garage/admin_token" | trimSpace }}",
+
 "s3_endpoint": "{{ key "secrets/directory/guichet/s3_endpoint" }}",
 "s3_access_key": "{{ key "secrets/directory/guichet/s3_access_key" | trimSpace }}",
 "s3_secret_key": "{{ key "secrets/directory/guichet/s3_secret_key" | trimSpace }}",
diff --git a/cluster/prod/app/guichet/deploy/directory.hcl b/cluster/prod/app/guichet/deploy/directory.hcl
index 7e445ae..a64b7e6 100644
--- a/cluster/prod/app/guichet/deploy/directory.hcl
+++ b/cluster/prod/app/guichet/deploy/directory.hcl
@@ -13,7 +13,7 @@ job "guichet" {
 task "guichet" {
 driver = "docker"
 config {
- image = "dxflrs/guichet:17"
+ image = "dxflrs/guichet:18"
 readonly_rootfs = true
 ports = [ "web_port" ]
 volumes = [
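Review bot: In the `@@ -75,7 +76,8 @@` hunk the hard limit becomes `memory_max = 400` where the task previously had 500, while every other hunk in this commit (im.hcl, the three postgres14 tasks in postgres.hcl, and the two other telemetry tasks) sets `memory_max` to exactly the old `memory` value; if the reduction is intentional, a comment such as `# memory_max lowered from 500: <reason>` would stop it reading as a typo, and if not it should be `memory_max = 500`. With `memory` now only the scheduler reservation and `memory_max` the kill threshold, a task that routinely runs above its reservation is presumably the first to be OOM-killed when a node is under pressure, so the 20 MB reservations given to two postgres14 tasks in postgres.hcl deserve a check against their real usage before this lands.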
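Review bot: `s3_admin_token` hands Guichet the Garage admin API token, which presumably authorises every admin operation (keys, buckets and, as far as I can tell, cluster layout), not only the bucket management a user dashboard needs; since Guichet is a user-facing web application, a compromise of it now extends to the whole object store, which makes this token a candidate for a dedicated, rotatable secret and for a comment in the template listing the admin endpoints Guichet actually calls. `s3_admin_endpoint` carries no scheme, so the client will use whatever it defaults to — presumably plain HTTP to a Consul service address inside the mesh; that path should be confirmed to be encrypted or node-local, because the token is sent with every request. `trimSpace` is applied to the token but not to `s3_admin_endpoint`, which is a literal here so it does not matter, but a trailing-newline Consul value would silently break `s3_endpoint` on the next line just as it would have the token. The enclosing JSON object starts outside the hunk.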