Merge branch 'main' into simplify-network-config

This commit is contained in:
Alex 2023-04-19 20:15:03 +02:00
commit 9737c661a4
12 changed files with 131 additions and 22 deletions


@ -15,11 +15,18 @@ Our first abstraction level is the NixOS level, which installs a bunch of standa
Then, inside our Nomad+Consul orchestrator, we deploy a number of base services: Then, inside our Nomad+Consul orchestrator, we deploy a number of base services:
* **[Garage](https://git.deuxfleurs.fr/Deuxfleurs/garage/):** S3-compatible lightweight object store for self-hosted geo-distributed deployments (we also have a legacy glusterfs cluster) * Data management
* **[DiploNAT](https://git.deuxfleurs.fr/Deuxfleurs/diplonat):** network automation (firewalling, upnp igd) * **[Garage](https://git.deuxfleurs.fr/Deuxfleurs/garage/):** S3-compatible lightweight object store for self-hosted geo-distributed deployments
* **[Bottin](https://git.deuxfleurs.fr/Deuxfleurs/bottin):** authentication and authorization (LDAP protocol, consul backend)
* **[Guichet](https://git.deuxfleurs.fr/Deuxfleurs/guichet):** a dashboard for our users and administrators
* **Stolon + PostgreSQL:** distributed relational database * **Stolon + PostgreSQL:** distributed relational database
* Network Control Plane
* **[DiploNAT](https://git.deuxfleurs.fr/Deuxfleurs/diplonat):** - network automation (firewalling, upnp igd)
* **[D53](https://git.deuxfleurs.fr/lx/d53)** - update DNS entries (A and AAAA) dynamically based on Nomad service scheduling and local node info
* **[Tricot](https://git.deuxfleurs.fr/Deuxfleurs/tricot)** - a dynamic reverse proxy for nomad+consul inspired by traefik
* **[wgautomesh](https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh)** - a dynamic wireguard mesh configurator
* User Management
* **[Bottin](https://git.deuxfleurs.fr/Deuxfleurs/bottin):** authentication and authorization (LDAP protocol, consul backend)
* **[Guichet](https://git.deuxfleurs.fr/Deuxfleurs/guichet):** a dashboard for our users and administrators7
* Observability
* **Prometheus + Grafana:** monitoring * **Prometheus + Grafana:** monitoring
Some services we provide based on this abstraction: Some services we provide based on this abstraction:
@ -27,6 +34,7 @@ Some services we provide based on this abstraction:
* **Websites:** Garage (static) + fediverse blog (Plume) * **Websites:** Garage (static) + fediverse blog (Plume)
* **Chat:** Synapse + Element Web (Matrix protocol) * **Chat:** Synapse + Element Web (Matrix protocol)
* **Email:** Postfix SMTP + Dovecot IMAP + opendkim DKIM + Sogo webmail | Alps webmail (experimental) * **Email:** Postfix SMTP + Dovecot IMAP + opendkim DKIM + Sogo webmail | Alps webmail (experimental)
- **[Aerogramme](https://git.deuxfleurs.fr/Deuxfleurs/aerogramme/):** an encrypted IMAP server
* **Visioconference:** Jitsi * **Visioconference:** Jitsi
* **Collaboration:** CryptPad * **Collaboration:** CryptPad


@ -0,0 +1,86 @@
job "bagage" {
datacenters = ["orion", "neptune"]
type = "service"
priority = 90
constraint {
attribute = "${attr.cpu.arch}"
value = "amd64"
}
group "main" {
count = 1
network {
port "web_port" {
static = 8080
to = 8080
}
port "ssh_port" {
static = 2222
to = 2222
}
}
task "server" {
driver = "docker"
config {
image = "superboum/amd64_bagage:v11"
readonly_rootfs = false
network_mode = "host"
volumes = [
"secrets/id_rsa:/id_rsa"
]
ports = [ "web_port", "ssh_port" ]
}
env {
BAGAGE_LDAP_ENDPOINT = "bottin.service.prod.consul:389"
}
resources {
memory = 200
cpu = 100
}
template {
data = "{{ key \"secrets/bagage/id_rsa\" }}"
destination = "secrets/id_rsa"
}
service {
name = "bagage-ssh"
port = "ssh_port"
address_mode = "host"
tags = [
"bagage",
"(diplonat (tcp_port 2222))"
]
}
service {
name = "bagage-webdav"
tags = [
"bagage",
"tricot bagage.deuxfleurs.fr",
"d53-cname bagage.deuxfleurs.fr",
]
port = "web_port"
address_mode = "host"
check {
type = "tcp"
port = "web_port"
address_mode = "host"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
}
}
}
}
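Review bot: `readonly_rootfs = false` makes the bagage task the only one in this commit with a writable root filesystem (the diplonat, bottin and guichet tasks all set `readonly_rootfs = true`), and nothing in the job shows why it needs one; if it only needs scratch space, set `readonly_rootfs = true` and give it a dedicated writable mount, so a compromised process cannot persist changes into the image. Separately, the `template` that renders `secrets/bagage/id_rsa` into `secrets/id_rsa` uses Nomad's default file mode (0644), so the private key mounted at `/id_rsa` is world-readable inside the container; add `perms = "600"` to that template block. The key is presumably the SSH host key for `bagage-ssh`, which `(diplonat (tcp_port 2222))` publishes to the internet, and `BAGAGE_LDAP_ENDPOINT` is plain LDAP on 389 — confirm both are intended and that the LDAP hop only travels over the node mesh, and say so in a comment on the `env` block.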


@ -0,0 +1,4 @@
[secrets."bagage/id_rsa"]
type = 'command'
rotate = true
command = 'ssh-keygen -q -f >(cat) -N "" <<< y 2>/dev/null 1>&2 ; true'
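Review bot: The generator command masks every failure: `2>/dev/null 1>&2` discards ssh-keygen's output and the trailing `; true` discards its exit status (it is there to hide the expected failure of writing the `.pub` file next to `/dev/fd/N`), so a missing `ssh-keygen`, an unsupported option or an early abort stores an empty or truncated `secrets/bagage/id_rsa` as a successful rotation. The key type and size are also left to whatever the local ssh-keygen defaults to (RSA with a version-dependent bit count); pin them, e.g. `command = 'ssh-keygen -q -t ed25519 -f >(cat) -N "" <<< y 2>/dev/null 1>&2 ; true'` (or `-t rsa -b 4096` if the `id_rsa` name must stay accurate), and add a comment above the entry naming what consumes the key. If it is the SSH host key of the `bagage-ssh` service, as the job's `/id_rsa` mount suggests, `rotate = true` means every rotation invalidates the host key users have pinned in `known_hosts` — confirm that is intended.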


@ -1,5 +1,5 @@
job "core" { job "core" {
datacenters = ["orion", "neptune", "bespin", "scorpio"] datacenters = ["orion", "neptune", "scorpio"]
type = "system" type = "system"
priority = 90 priority = 90
@ -13,7 +13,7 @@ job "core" {
driver = "docker" driver = "docker"
config { config {
image = "lxpz/amd64_diplonat:4" image = "lxpz/amd64_diplonat:5"
network_mode = "host" network_mode = "host"
readonly_rootfs = true readonly_rootfs = true
privileged = true privileged = true
@ -181,7 +181,7 @@ EOH
task "bottin" { task "bottin" {
driver = "docker" driver = "docker"
config { config {
image = "superboum/bottin_amd64:22" image = "dxflrs/bottin:7h18i30cckckaahv87d3c86pn4a7q41z"
network_mode = "host" network_mode = "host"
readonly_rootfs = true readonly_rootfs = true
ports = [ "ldap_port" ] ports = [ "ldap_port" ]


@ -1,2 +1,3 @@
*@deuxfleurs.fr smtp._domainkey.deuxfleurs.fr *@deuxfleurs.fr smtp._domainkey.deuxfleurs.fr
*@dufour.io smtp._domainkey.deuxfleurs.fr *@dufour.io smtp._domainkey.deuxfleurs.fr
*@luxeylab.net smtp._domainkey.deuxfleurs.fr
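Review bot: The new entry signs mail from `*@luxeylab.net` with the `smtp._domainkey.deuxfleurs.fr` KeyTable entry, which — if that entry carries `d=deuxfleurs.fr` as its name suggests (the KeyTable is not in this diff) — yields signatures whose `d=` domain does not align with the `luxeylab.net` From: domain, so a DMARC policy for luxeylab.net could never pass on DKIM and would rely on SPF alone. If luxeylab.net publishes or plans DMARC, add a KeyTable entry with domain `luxeylab.net` and selector `smtp` (reusing the key file if desired), point this line at it, and publish the matching `smtp._domainkey.luxeylab.net` TXT record. Otherwise a trailing comment such as `# signed with the deuxfleurs.fr key: DKIM will not be DMARC-aligned` documents the trade-off for the next reader.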


@ -63,7 +63,6 @@ job "email" {
port = "imap_port" port = "imap_port"
tags = [ tags = [
"dovecot", "dovecot",
"d53-a imap.deuxfleurs.fr",
] ]
check { check {
type = "tcp" type = "tcp"
@ -83,7 +82,9 @@ job "email" {
port = "imaps_port" port = "imaps_port"
tags = [ tags = [
"dovecot", "dovecot",
"(diplonat (tcp_port 993))" "(diplonat (tcp_port 993))",
"d53-a imap.deuxfleurs.fr",
"d53-aaaa imap.deuxfleurs.fr",
] ]
check { check {
@ -283,8 +284,7 @@ job "email" {
"postfix", "postfix",
"(diplonat (tcp_port 25 465 587))", "(diplonat (tcp_port 25 465 587))",
"d53-a smtp.deuxfleurs.fr", "d53-a smtp.deuxfleurs.fr",
# ipv6 is commented for now as port is not open in firewall (TODO) "d53-aaaa smtp.deuxfleurs.fr"
# "d53-aaaa smtp.deuxfleurs.fr"
] ]
check { check {
type = "tcp" type = "tcp"
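Review bot: The removed comment on the postfix service said the AAAA record was disabled because the port was not open in the firewall, and this commit publishes `d53-aaaa smtp.deuxfleurs.fr` without anything in the diff showing that IPv6 ingress on 25/465/587 is now opened — the `(diplonat (tcp_port 25 465 587))` tag is unchanged, and whether the diplonat `:5` bump in core.hcl adds v6 handling is not visible here. If it is not open, dual-stack MTAs and clients will try the AAAA address first and time out before falling back to IPv4, which shows up as slow or intermittently failed delivery rather than a clear error. Confirm the v6 path (diplonat or the NixOS firewall) before merging, or keep the record commented with its TODO until it is; the same applies to the `d53-aaaa imap.deuxfleurs.fr` record added on the imaps service. The enclosing service blocks start outside these hunks.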


@ -28,6 +28,9 @@
"group_can_admin": "cn=admin,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}", "group_can_admin": "cn=admin,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
"group_can_invite": "cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}", "group_can_invite": "cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
"s3_admin_endpoint": "garage-admin.service.prod.consul:3903",
"s3_admin_token": "{{ key "secrets/garage/admin_token" | trimSpace }}",
"s3_endpoint": "{{ key "secrets/directory/guichet/s3_endpoint" }}", "s3_endpoint": "{{ key "secrets/directory/guichet/s3_endpoint" }}",
"s3_access_key": "{{ key "secrets/directory/guichet/s3_access_key" | trimSpace }}", "s3_access_key": "{{ key "secrets/directory/guichet/s3_access_key" | trimSpace }}",
"s3_secret_key": "{{ key "secrets/directory/guichet/s3_secret_key" | trimSpace }}", "s3_secret_key": "{{ key "secrets/directory/guichet/s3_secret_key" | trimSpace }}",


@ -13,7 +13,7 @@ job "guichet" {
task "guichet" { task "guichet" {
driver = "docker" driver = "docker"
config { config {
image = "dxflrs/guichet:17" image = "dxflrs/guichet:18"
readonly_rootfs = true readonly_rootfs = true
ports = [ "web_port" ] ports = [ "web_port" ]
volumes = [ volumes = [


@ -65,7 +65,8 @@ job "matrix" {
resources { resources {
cpu = 1000 cpu = 1000
memory = 1000 memory = 500
memory_max = 1000
} }
service { service {
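Review bot: `memory_max = 1000` only takes effect when memory oversubscription is enabled in the Nomad scheduler configuration (`nomad operator scheduler set-config -memory-oversubscription=true`); otherwise the value is ignored and Synapse's hard limit silently drops from 1000 MB to the new `memory = 500`, which for a Synapse instance is an OOM-kill waiting to happen. If oversubscription is enabled, the 500 MB reservation lets the scheduler pack more onto the node, so the burst range is only available while neighbours leave it free. A comment on the block, e.g. `# 500 MB reserved, bursts to 1000 MB — requires scheduler memory oversubscription`, would keep the next reader from reverting the split. The same pattern is applied to the postgres14 and telemetry-service jobs in this commit; the enclosing task block starts outside the hunk.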


@ -37,7 +37,8 @@ job "postgres14" {
] ]
} }
resources { resources {
memory = 100 memory = 20
memory_max = 100
} }
template { template {
@ -80,7 +81,8 @@ job "postgres14" {
} }
resources { resources {
memory = 100 memory = 20
memory_max = 100
} }
template { template {
@ -172,7 +174,8 @@ job "postgres14" {
} }
resources { resources {
memory = 600 memory = 400
memory_max = 600
} }
service { service {


@ -36,7 +36,8 @@ job "telemetry-service" {
} }
resources { resources {
memory = 200 memory = 50
memory_max = 200
cpu = 100 cpu = 100
} }
} }
@ -75,7 +76,8 @@ EOH
} }
resources { resources {
memory = 500 memory = 100
memory_max = 400
cpu = 500 cpu = 500
} }
@ -123,7 +125,8 @@ EOH
} }
resources { resources {
memory = 200 memory = 50
memory_max = 200
cpu = 100 cpu = 100
} }
} }
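Review bot: In the second resources block, `memory_max = 400` is lower than the `memory = 500` it replaces, while every other task in this commit keeps its previous limit as `memory_max` (200/200, 1000/1000, 100/100, 600/600); this reads as a typo rather than an intended 20% cut of that task's ceiling, and if it is intended a comment should say why. Suggest `memory_max = 500`. Which task this is cannot be seen from the hunk, since the enclosing task block starts outside it.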


@ -22,7 +22,7 @@ job "albatros" {
task "controller" { task "controller" {
driver = "docker" driver = "docker"
config { config {
image = "dxflrs/albatros:750015b3fff91af8b9b86869411216a06bd13614" image = "dxflrs/albatros:76c59221d171eb56a2ce2bfa630502ff78eeae74"
ports = [ "http" ] ports = [ "http" ]
volumes = [ volumes = [
"secrets/certs:/var/run/secrets/albatros" "secrets/certs:/var/run/secrets/albatros"