From cfb1d623d9711156a1195312afa5cebadc8a6697 Mon Sep 17 00:00:00 2001
From: Alex Auvolat <alex@adnab.me>
Date: Wed, 24 Aug 2022 17:31:08 +0200
Subject: [PATCH] Reconfigure services to use correct tricot url, TLS fails

---
 cluster/prod/app/core/deploy/core.hcl         |   8 +-
 .../prod/app/directory/deploy/directory.hcl   |   8 +-
 ...nd-tricot-prod.hcl => frontend-tricot.hcl} |   8 +-
 cluster/prod/app/garage/config/garage.toml    |  24 ++++
 cluster/prod/app/garage/deploy/garage.hcl     | 131 ++++++++++++++++++
 .../prod/app/garage/secrets/garage/rpc_secret |   1 +
 deploy_pki                                    |   1 +
 7 files changed, 169 insertions(+), 12 deletions(-)
 rename cluster/prod/app/frontend/deploy/{frontend-tricot-prod.hcl => frontend-tricot.hcl} (90%)
 create mode 100644 cluster/prod/app/garage/config/garage.toml
 create mode 100644 cluster/prod/app/garage/deploy/garage.hcl
 create mode 100644 cluster/prod/app/garage/secrets/garage/rpc_secret

diff --git a/cluster/prod/app/core/deploy/core.hcl b/cluster/prod/app/core/deploy/core.hcl
index f57f21d..b87f15d 100644
--- a/cluster/prod/app/core/deploy/core.hcl
+++ b/cluster/prod/app/core/deploy/core.hcl
@@ -34,8 +34,8 @@ job "core" {
       }
 
       template {
-        data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
-        destination = "secrets/consul-ca.crt"
+        data = "{{ key \"secrets/consul/consul.crt\" }}"
+        destination = "secrets/consul.crt"
       }
 
       template {
@@ -53,8 +53,8 @@ job "core" {
 DIPLONAT_REFRESH_TIME=60
 DIPLONAT_EXPIRATION_TIME=300
 DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }}
-DIPLONAT_CONSUL_URL=https://localhost:8501
-DIPLONAT_CONSUL_CA_CERT=/etc/diplonat/consul-ca.crt
+DIPLONAT_CONSUL_URL=https://consul.service.prod.consul:8501
+DIPLONAT_CONSUL_CA_CERT=/etc/diplonat/consul.crt
 DIPLONAT_CONSUL_CLIENT_CERT=/etc/diplonat/consul-client.crt
 DIPLONAT_CONSUL_CLIENT_KEY=/etc/diplonat/consul-client.key
 RUST_LOG=debug
diff --git a/cluster/prod/app/directory/deploy/directory.hcl b/cluster/prod/app/directory/deploy/directory.hcl
index 89f5ebc..cd503fc 100644
--- a/cluster/prod/app/directory/deploy/directory.hcl
+++ b/cluster/prod/app/directory/deploy/directory.hcl
@@ -41,8 +41,8 @@ job "directory" {
       }
 
       template {
-        data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
-        destination = "secrets/consul-ca.crt"
+        data = "{{ key \"secrets/consul/consul.crt\" }}"
+        destination = "secrets/consul.crt"
       }
 
       template {
@@ -57,9 +57,9 @@ job "directory" {
 
       template {
         data = <<EOH
-CONSUL_HTTP_ADDR=https://localhost:8501
+CONSUL_HTTP_ADDR=https://consul.service.prod.consul:8501
 CONSUL_HTTP_SSL=true
-CONSUL_CACERT=/etc/bottin/consul-ca.crt
+CONSUL_CACERT=/etc/bottin/consul.crt
 CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
 CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
 EOH
diff --git a/cluster/prod/app/frontend/deploy/frontend-tricot-prod.hcl b/cluster/prod/app/frontend/deploy/frontend-tricot.hcl
similarity index 90%
rename from cluster/prod/app/frontend/deploy/frontend-tricot-prod.hcl
rename to cluster/prod/app/frontend/deploy/frontend-tricot.hcl
index 804345b..904e9fb 100644
--- a/cluster/prod/app/frontend/deploy/frontend-tricot-prod.hcl
+++ b/cluster/prod/app/frontend/deploy/frontend-tricot.hcl
@@ -41,8 +41,8 @@ job "frontend" {
       }
 
       template {
-        data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
-        destination = "secrets/consul-ca.crt"
+        data = "{{ key \"secrets/consul/consul.crt\" }}"
+        destination = "secrets/consul.crt"
       }
 
       template {
@@ -60,8 +60,8 @@ job "frontend" {
 TRICOT_NODE_NAME={{ env "attr.unique.consul.name" }}
 TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me
 TRICOT_ENABLE_COMPRESSION=true
-TRICOT_CONSUL_HOST=https://localhost:8501
-TRICOT_CONSUL_CA_CERT=/etc/tricot/consul-ca.crt
+TRICOT_CONSUL_HOST=https://consul.service.prod.consul:8501
+TRICOT_CONSUL_CA_CERT=/etc/tricot/consul.crt
 TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt
 TRICOT_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key
 TRICOT_HTTP_BIND_ADDR=[::]:80
diff --git a/cluster/prod/app/garage/config/garage.toml b/cluster/prod/app/garage/config/garage.toml
new file mode 100644
index 0000000..a721886
--- /dev/null
+++ b/cluster/prod/app/garage/config/garage.toml
@@ -0,0 +1,24 @@
+block_size = 1048576
+
+metadata_dir = "/meta"
+data_dir = "/data"
+
+replication_mode = "3"
+
+rpc_bind_addr = "[::]:3901"
+rpc_secret = "{{ key "secrets/garage/rpc_secret" | trimSpace }}"
+
+sled_cache_capacity = 536870912
+sled_sync_interval_ms = 10000
+
+[s3_api]
+s3_region = "garage"
+api_bind_addr = "[::]:3900"
+root_domain = ".garage.deuxfleurs.fr"
+
+[s3_web]
+bind_addr = "[::]:3902"
+root_domain = ".web.deuxfleurs.fr"
+
+[admin]
+api_bind_addr = "[::1]:3903"
diff --git a/cluster/prod/app/garage/deploy/garage.hcl b/cluster/prod/app/garage/deploy/garage.hcl
new file mode 100644
index 0000000..8d4ee6a
--- /dev/null
+++ b/cluster/prod/app/garage/deploy/garage.hcl
@@ -0,0 +1,131 @@
+job "garage" {
+  datacenters = ["neptune", "orion"]
+  type = "system"
+  priority = 80
+
+  constraint {
+    attribute = "${attr.cpu.arch}"
+    value     = "amd64"
+  }
+
+  group "garage" {
+    network {
+      port "s3" { static = 3900 }
+      port "rpc" { static = 3901 }
+      port "web" { static = 3902 }
+    }
+
+	update {
+		max_parallel = 1
+		min_healthy_time = "30s"
+		healthy_deadline = "5m"
+	}
+
+    task "server" {
+      driver = "docker"
+      config {
+        advertise_ipv6_address = true
+        image = "dxflrs/amd64_garage:v0.7.1"
+        command = "/garage"
+        args = [ "server" ]
+        network_mode = "host"
+        volumes = [
+          "/mnt/storage/garage/data:/data",
+          "/mnt/ssd/garage/meta:/meta",
+          "secrets/garage.toml:/etc/garage.toml",
+        ]
+        logging {
+          type = "journald"
+        }
+      }
+
+      template {
+        data = file("../config/garage.toml")
+        destination = "secrets/garage.toml"
+      }
+
+      resources {
+        memory = 1500
+        cpu = 1000
+      }
+
+      kill_signal = "SIGINT"
+      kill_timeout = "20s"
+
+      service {
+        tags = [
+          "garage_api",
+          "tricot garage.deuxfleurs.fr",
+          "tricot *.garage.deuxfleurs.fr",
+        ]
+        port = 3900
+        address_mode = "driver"
+        name = "garage-api"
+        check {
+          type = "tcp"
+          port = 3900
+          address_mode = "driver"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+      }
+
+      service {
+        tags = ["garage-rpc"]
+        port = 3901
+        address_mode = "driver"
+        name = "garage-rpc"
+        check {
+          type = "tcp"
+          port = 3901
+          address_mode = "driver"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+      }
+
+      service {
+        tags = [
+            "garage-web",
+            "tricot * 1",
+            "tricot-add-header Content-Security-Policy default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://code.jquery.com/; frame-ancestors 'self'",
+            "tricot-add-header Strict-Transport-Security max-age=63072000; includeSubDomains; preload",
+            "tricot-add-header X-Frame-Options SAMEORIGIN",
+            "tricot-add-header X-XSS-Protection 1; mode=block",
+        ]
+        port = 3902
+        address_mode = "driver"
+        name = "garage-web"
+        check {
+          type = "tcp"
+          port = 3902
+          address_mode = "driver"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+      }
+
+      restart { 
+        interval = "30m"  
+        attempts = 10  
+        delay    = "15s"  
+        mode     = "delay"
+      }
+    }
+  }
+}
diff --git a/cluster/prod/app/garage/secrets/garage/rpc_secret b/cluster/prod/app/garage/secrets/garage/rpc_secret
new file mode 100644
index 0000000..d831d53
--- /dev/null
+++ b/cluster/prod/app/garage/secrets/garage/rpc_secret
@@ -0,0 +1 @@
+CMD_ONCE openssl rand -hex 32
diff --git a/deploy_pki b/deploy_pki
index 167ac50..cb39bec 100755
--- a/deploy_pki
+++ b/deploy_pki
@@ -34,5 +34,6 @@ set_env CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul$YEAR-client.crt
 set_env CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key
 
 cmd "consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt"
+cmd "consul kv put secrets/consul/consul.crt - < /var/lib/consul/pki/consul$YEAR.crt"
 cmd "consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt"
 cmd "consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key"