Compare commits

...

36 commits

Author SHA1 Message Date
Armaël Guéneau
344b586ad0 {prod,staging}: upgrade tricot (use PR #17) 2024-12-01 16:32:01 +01:00
Armaël Guéneau
90f56a45a7 Revert "staging: test de Deuxfleurs/tricot#16"
This reverts commit 1c224fcece.
2024-12-01 15:03:32 +01:00
Armaël Guéneau
d1de8cb2b4 staging: déploiement de test de cryptpad 2024-12-01 12:00:39 +01:00
e87942dad3 Merge pull request 'Deploy new postgres replica on pasteque@corrin' (#46) from migration-neptune into main
Reviewed-on: #46
2024-12-01 10:21:49 +00:00
a162754fb1
Deploy new postgres replica on pasteque@corrin 2024-12-01 11:21:04 +01:00
Baptiste Jonglez
0b911436ad prod: allow all stateless services on corrin 2024-11-30 01:52:51 +01:00
Baptiste Jonglez
2e99ca2c52 prod: migrate prometheus storage from neptune to scorpio 2024-11-30 01:30:12 +01:00
Baptiste Jonglez
3bff7075b3 prod: add pasteque IP to ssh config 2024-11-28 23:27:02 +01:00
Baptiste Jonglez
7ae8f05510 prod: Move Raft server from neptune to corrin 2024-11-28 21:51:38 +01:00
Baptiste Jonglez
070c7281c8 prod: Remove dahlia, doradille, diplotaxis (very old nodes) 2024-11-28 21:51:30 +01:00
Baptiste Jonglez
177265b4f1 Ajout noeud pasteque 2024-11-28 21:50:19 +01:00
Armaël Guéneau
412f4018f9 suppression de cryptpad-debug 2024-11-28 21:28:48 +01:00
Armaël Guéneau
83060bab27 migration cryptpad courgette (neptune) -> abricot (scorpio) 2024-11-28 21:26:59 +01:00
Armaël Guéneau
1c61d0c9c8 email: migration celeri (site neptune) -> ananas (site scorpio) 2024-11-28 20:41:52 +01:00
Baptiste Jonglez
ea270e30db garage: Ajout datacenter corrin 2024-11-28 19:51:56 +01:00
Armaël Guéneau
1c224fcece staging: test de Deuxfleurs/tricot#16
(fonctionnalité de tricot permettant de blocker certains user-agent)
2024-11-24 16:05:34 +01:00
90f861e1e1 Merge pull request 'postfix: add rate-limiting exceptions for our own nodes' (#39) from postfix-rate-limit-exceptions into main
Reviewed-on: #39
2024-11-21 17:49:15 +00:00
Armaël Guéneau
e0385b0456 make the list of IPs sorted and without duplicates for robustness 2024-11-20 13:04:41 +01:00
Armaël Guéneau
c66bff55f4 postfix: add rate-limiting exceptions for our own nodes 2024-11-19 20:24:09 +01:00
Armaël Guéneau
3f51534e03 guichet: augmentation de la limite de mémoire
Guichet s'est fait OOM-killed par Nomad en utilisation normale (nouvel
utilisateur qui clique sur un lien d'invitation).
2024-11-19 20:21:44 +01:00
ff5178bcdc added personal notes folder to gitignore 2024-11-12 14:22:08 +01:00
Armaël Guéneau
e5cc0db639 staging: enable telemetry for nomad allocations 2024-11-10 15:45:35 +01:00
Armaël Guéneau
fe7725b49e prod: tricot (build musl) 2024-11-09 23:28:57 +01:00
Armaël Guéneau
b279f1e0db staging: tricot compilé avec musl, dans une image docker
Correspond à: Deuxfleurs/tricot#15
2024-11-09 18:49:11 +01:00
Armaël Guéneau
d0341caf77 cryptpad: repassage en 2024.9.0, pour tester l'ajout des headers 2024-11-08 19:11:10 +01:00
Armaël Guéneau
1a739636ca cryptpad: relax the CORS headers further to allow for onlyoffice fonts 2024-11-07 23:45:49 +01:00
Armaël Guéneau
f32c0c34f3 cryptpad-debug: essai avec un Dockerfile basique plutôt que construit par nix 2024-11-07 23:26:12 +01:00
Armaël Guéneau
bc49f33d65 cryptpad: ajout de headers CORS manquants pour le domaine de sandbox 2024-11-07 23:19:37 +01:00
Armaël Guéneau
00c56a4dda cryptpad-debug: rollback to 2024.6.1 + add some admins 2024-11-07 20:37:31 +01:00
Baptiste Jonglez
3053f7998f cryptpad: add admin 2024-11-07 20:33:41 +01:00
Baptiste Jonglez
bbfd630d58 cryptpad: revert prod to known working version 2024-11-07 20:33:27 +01:00
Baptiste Jonglez
1477417aa8 d53: allow to schedule on corrin 2024-11-07 00:34:15 +01:00
Baptiste Jonglez
0288aefda4 jitsi: allow to schedule on corrin 2024-11-07 00:29:55 +01:00
Baptiste Jonglez
ba27b2f2c2 prod: Schedule some basic services on corrin 2024-11-07 00:17:30 +01:00
Baptiste Jonglez
9c712b0d78 telemetry: update node-exporter (somebody forgot to commit) 2024-11-06 23:50:45 +01:00
d1e979d3ae Merge pull request 'cryptpad: add armael to admins' (#38) from armael-cryptpad-admin into main
Reviewed-on: #38
2024-11-06 21:18:28 +00:00
40 changed files with 546 additions and 90 deletions

1
.gitignore vendored
View file

@ -4,3 +4,4 @@ secrets/*
cluster/*/secrets/*
!cluster/*/secrets/*.sample
adrn-notes/

View file

@ -14,7 +14,7 @@ job "backup_daily" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
value = "celeri"
value = "ananas"
}
task "main" {
@ -152,7 +152,7 @@ EOH
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
value = "courgette"
value = "abricot"
}
task "main" {

View file

@ -1,5 +1,5 @@
job "bagage" {
datacenters = ["scorpio", "neptune"]
datacenters = ["corrin", "neptune", "scorpio"]
type = "service"
priority = 90

View file

@ -1,5 +1,5 @@
job "cms" {
datacenters = ["neptune", "scorpio"]
datacenters = ["corrin", "neptune", "scorpio"]
type = "service"
priority = 100

View file

@ -1,5 +1,5 @@
job "core-bottin" {
datacenters = ["neptune", "scorpio"]
datacenters = ["corrin", "neptune", "scorpio", "bespin"]
type = "system"
priority = 90

View file

@ -1,5 +1,5 @@
job "core-d53" {
datacenters = ["neptune", "scorpio", "bespin"]
datacenters = ["neptune", "scorpio", "bespin", "corrin"]
type = "service"
priority = 90

View file

@ -1,5 +1,5 @@
job "core-diplonat" {
datacenters = ["neptune", "scorpio", "bespin"]
datacenters = ["neptune", "scorpio", "bespin", "corrin"]
type = "system"
priority = 90

View file

@ -3,7 +3,7 @@ job "core-tricot" {
# on pourra mettre bespin quand on aura migré gitea de la vm vers le cluster
# en attendant, les deux ne sont pas capables de partager les certificats SSL
# donc on laisse la VM gitea gérer les certifs et prendre tout le trafic http(s)
datacenters = ["neptune", "scorpio"]
datacenters = ["corrin", "neptune", "scorpio"]
type = "system"
priority = 90
@ -28,7 +28,7 @@ job "core-tricot" {
driver = "docker"
config {
image = "superboum/amd64_tricot:54"
image = "armael/tricot:40g7jpp915jkfszlczfh1yw2x6syjkxs-redir-headers"
network_mode = "host"
readonly_rootfs = true
ports = [ "http_port", "https_port" ]

View file

@ -1,5 +1,5 @@
job "coturn" {
datacenters = ["neptune", "scorpio"]
datacenters = ["corrin", "neptune", "scorpio"]
type = "service"
priority = 100

View file

@ -0,0 +1,59 @@
# SPDX-FileCopyrightText: 2023 XWiki CryptPad Team <contact@cryptpad.org> and contributors
#
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Tweaks by Deuxfleurs
# Multistage build to reduce image size and increase security
FROM node:lts-slim AS build
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install --no-install-recommends -y \
ca-certificates tar wget
# Download the release tarball
RUN wget https://github.com/cryptpad/cryptpad/archive/refs/tags/2024.9.0.tar.gz -O cryptpad.tar.gz
# Create folder for CryptPad
RUN mkdir /cryptpad
# Extract the release into /cryptpad
RUN tar xvzf cryptpad.tar.gz -C /cryptpad --strip-components 1
# Go to /cryptpad
WORKDIR /cryptpad
# Install dependencies
RUN npm install --production && npm run install:components
# Create the actual CryptPad image
FROM node:lts-slim
ENV DEBIAN_FRONTEND=noninteractive
# Install curl for healthcheck
# Install git, rdfind and unzip for install-onlyoffice.sh
RUN apt-get update && apt-get install --no-install-recommends -y \
curl ca-certificates git rdfind unzip && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
# Copy cryptpad with installed modules
COPY --from=build /cryptpad /cryptpad
# Set workdir to cryptpad
WORKDIR /cryptpad
# Install onlyoffice
RUN ./install-onlyoffice.sh --accept-license --trust-repository
# Build static pages (?) unsure we need this
RUN npm run build
# Healthcheck
HEALTHCHECK --interval=1m CMD curl -f http://localhost:3000/ || exit 1
# Ports
EXPOSE 3000 3003
# Run cryptpad on startup
CMD ["npm", "start"]

View file

@ -119,7 +119,9 @@ module.exports = {
"[Jill@pad.deuxfleurs.fr/tLW7W8EVNB2KYETXEaOYR+HmNiBQtZj7u+SOxS3hGmg=]",
"[vincent@pad.deuxfleurs.fr/07FQiE8w1iztRWwzbRJzEy3xIqnNR31mUFjLNiGXjwU=]",
"[boris@pad.deuxfleurs.fr/kHo5LIhSxDFk39GuhGRp+XKlMjNe+lWfFWM75cINoTQ=]",
"[maximilien@pad.deuxfleurs.fr/UoXHLejYRUjvX6t55hAQKpjMdU-3ecg4eDhAeckZmyE=]"
"[maximilien@pad.deuxfleurs.fr/UoXHLejYRUjvX6t55hAQKpjMdU-3ecg4eDhAeckZmyE=]",
"[armael@pad-debug.deuxfleurs.fr/CIKMvNdFxGavwTmni0TnR3x9GM0ypgx3DMcFyzppplU=]",
"[bjonglez@pad-debug.deuxfleurs.fr/+RRzwcLPj5ZCWELUXMjmt3u+-lvYnyhpDt4cqAn9nh8=]"
],
/* =====================

View file

@ -120,7 +120,8 @@ module.exports = {
"[vincent@pad.deuxfleurs.fr/07FQiE8w1iztRWwzbRJzEy3xIqnNR31mUFjLNiGXjwU=]",
"[boris@pad.deuxfleurs.fr/kHo5LIhSxDFk39GuhGRp+XKlMjNe+lWfFWM75cINoTQ=]",
"[maximilien@pad.deuxfleurs.fr/UoXHLejYRUjvX6t55hAQKpjMdU-3ecg4eDhAeckZmyE=]",
"[armael@pad.deuxfleurs.fr/CIKMvNdFxGavwTmni0TnR3x9GM0ypgx3DMcFyzppplU=]"
"[armael@pad.deuxfleurs.fr/CIKMvNdFxGavwTmni0TnR3x9GM0ypgx3DMcFyzppplU=]",
"[bjonglez@pad.deuxfleurs.fr/+RRzwcLPj5ZCWELUXMjmt3u+-lvYnyhpDt4cqAn9nh8=]"
],
/* =====================

View file

@ -1,5 +1,5 @@
job "cryptpad" {
datacenters = ["neptune"]
datacenters = ["scorpio"]
type = "service"
group "cryptpad" {
@ -22,7 +22,7 @@ job "cryptpad" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
value = "courgette"
value = "abricot"
}
config {
@ -63,6 +63,8 @@ job "cryptpad" {
"tricot pad-sandbox.deuxfleurs.fr",
"tricot-add-header Cross-Origin-Resource-Policy cross-origin",
"tricot-add-header Cross-Origin-Embedder-Policy require-corp",
"tricot-add-header Access-Control-Allow-Origin *",
"tricot-add-header Access-Control-Allow-Credentials true",
"d53-cname pad.deuxfleurs.fr",
"d53-cname pad-sandbox.deuxfleurs.fr",
]

View file

@ -83,11 +83,14 @@ smtpd_forbid_unauth_pipelining = yes
smtpd_discard_ehlo_keywords = chunking
smtpd_forbid_bare_newline = yes
smtpd_client_connection_rate_limit = 2
#===
# Rate limiting
#===
smtpd_client_connection_rate_limit = 2
# do not rate-limit ourselves
# in particular, useful for forgejo who opens a lot of SMTP connections
smtpd_client_event_limit_exceptions = $mynetworks /etc/postfix/rate-limit-exceptions
slow_destination_recipient_limit = 20
slow_destination_concurrency_limit = 2

View file

@ -1,6 +1,6 @@
job "email" {
# Should not run on the same site as email-android7.hcl (port conflict in diplonat)
datacenters = ["neptune"]
datacenters = ["scorpio"]
type = "service"
priority = 65
@ -32,7 +32,7 @@ job "email" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
value = "celeri"
value = "ananas"
}
config {
@ -382,6 +382,29 @@ job "email" {
destination = "secrets/postfix/transport"
}
template {
# Collect machine IPs from the cluster.
# We use intermediate maps to ensure we get a sorted list with no duplicates,
# so that it is robust wrt. changes in the order of the output of ls or
# addition of new machines in an existing site.
# (scratch.MapValues returns the list of *values* in the map, sorted by *key*)
data = <<EOH
{{- range ls "diplonat/autodiscovery/ipv4" }}
{{- with $a := .Value | parseJSON }}
{{- scratch.MapSet "ipv4" $a.address $a.address }}
{{- end }}
{{- end -}}
{{- range ls "diplonat/autodiscovery/ipv6" }}
{{- with $a := .Value | parseJSON }}
{{- scratch.MapSet "ipv6" $a.address $a.address }}
{{- end }}
{{- end -}}
{{- range scratch.MapValues "ipv4" }}{{ . }} {{ end }}
{{- range scratch.MapValues "ipv6" }}[{{ . }}] {{ end }}
EOH
destination = "secrets/postfix/rate-limit-exceptions"
}
# --- secrets ---
template {
data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"

View file

@ -1,5 +1,5 @@
job "garage" {
datacenters = [ "neptune", "bespin", "scorpio" ]
datacenters = ["neptune", "bespin", "scorpio", "corrin"]
type = "system"
priority = 80

View file

@ -1,5 +1,5 @@
job "guichet" {
datacenters = [ "neptune", "scorpio" ]
datacenters = ["corrin", "neptune", "scorpio"]
type = "service"
priority = 90
@ -28,7 +28,11 @@ job "guichet" {
}
resources {
memory = 200
# limite de mémoire un peu élevée par précaution.
# avec 200M, j'ai observé guichet se faire OOM-killed au moment
# un nouvel utilisateur clique sur un lien d'invitation
# fraichement généré.
memory = 300
}
service {

View file

@ -1,5 +1,5 @@
job "jitsi" {
datacenters = ["neptune", "scorpio"]
datacenters = ["neptune", "scorpio", "corrin"]
type = "service"
priority = 50

View file

@ -1,5 +1,5 @@
job "plume-blog" {
datacenters = ["scorpio", "neptune"]
datacenters = ["corrin", "neptune", "scorpio"]
type = "service"
group "plume" {

View file

@ -1,5 +1,5 @@
job "postgres14" {
datacenters = ["neptune", "bespin", "scorpio"]
datacenters = ["neptune", "bespin", "scorpio", "corrin"]
type = "system"
priority = 90
@ -19,8 +19,7 @@ job "postgres14" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "set_contains_any"
value = "courgette,df-ymf,abricot"
# old (orion) = diplotaxis
value = "courgette,df-ymf,abricot,pasteque"
}
restart {

View file

@ -1,5 +1,5 @@
job "telemetry-service" {
datacenters = ["neptune", "scorpio"]
datacenters = ["corrin", "scorpio"]
type = "service"
group "grafana" {

View file

@ -1,5 +1,5 @@
job "telemetry-storage" {
datacenters = ["neptune", "bespin"]
datacenters = ["scorpio", "bespin"]
type = "service"
group "prometheus" {
@ -14,7 +14,7 @@ job "telemetry-storage" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "set_contains_any"
value = "celeri,df-ymk"
value = "ananas,df-ymk"
}
task "prometheus" {

View file

@ -1,5 +1,5 @@
job "telemetry-system" {
datacenters = ["neptune", "scorpio", "bespin"]
datacenters = ["neptune", "scorpio", "bespin", "corrin"]
type = "system"
priority = "100"
@ -12,7 +12,7 @@ job "telemetry-system" {
driver = "docker"
config {
image = "quay.io/prometheus/node-exporter:v1.6.1"
image = "quay.io/prometheus/node-exporter:v1.7.0"
network_mode = "host"
volumes = [
"/:/host:ro,rslave"

View file

@ -105,6 +105,12 @@
address = "10.83.6.1";
endpoint = "45.81.62.36:33731";
};
"pasteque" = {
siteName = "corrin";
publicKey = "7vPq0z6JVxTLEebasUlR5Uu4dAFZxfddhjWtIYhCoXw=";
address = "10.83.6.2";
endpoint = "45.81.62.36:33732";
};
};
# Pin Nomad version
@ -114,9 +120,9 @@
# Bootstrap IPs for Consul cluster,
# these are IPs on the Wireguard overlay
services.consul.extraConfig.retry_join = [
"10.83.1.1" # concombre
"10.83.2.1" # dahlia
"10.83.3.1" # df-ykl
"10.83.4.2" # ananas
"10.83.6.1" # pamplemousse
];
deuxfleurs.adminAccounts = {

View file

@ -11,5 +11,4 @@
deuxfleurs.hostName = "concombre";
deuxfleurs.staticIPv4.address = "192.168.1.31";
deuxfleurs.staticIPv6.address = "2001:910:1204:1::31";
deuxfleurs.isRaftServer = true;
}

View file

@ -1 +0,0 @@
../site/orion.nix

View file

@ -1,14 +0,0 @@
# Configuration file local to this node
{ config, pkgs, ... }:
{
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/nvme0n1"; # or "nodev" for efi only
deuxfleurs.hostName = "diplotaxis";
deuxfleurs.staticIPv4.address = "192.168.1.12";
deuxfleurs.staticIPv6.address = "2a01:e0a:28f:5e60::12";
}

View file

@ -1 +0,0 @@
../site/orion.nix

View file

@ -1,14 +0,0 @@
# Configuration file local to this node
{ config, pkgs, ... }:
{
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/nvme0n1"; # or "nodev" for efi only
deuxfleurs.hostName = "doradille";
deuxfleurs.staticIPv4.address = "192.168.1.13";
deuxfleurs.staticIPv6.address = "2a01:e0a:28f:5e60::13";
}

View file

@ -1 +0,0 @@
../site/orion.nix

View file

@ -11,4 +11,5 @@
deuxfleurs.hostName = "pamplemousse";
deuxfleurs.staticIPv4.address = "192.168.5.201";
deuxfleurs.staticIPv6.address = "2001:912:1ac0:2200::201";
deuxfleurs.isRaftServer = true;
}

View file

@ -5,9 +5,10 @@
{
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.timeout = 5;
boot.loader.efi.canTouchEfiVariables = true;
deuxfleurs.hostName = "dahlia";
deuxfleurs.staticIPv4.address = "192.168.1.11";
deuxfleurs.staticIPv6.address = "2a01:e0a:28f:5e60::11";
deuxfleurs.hostName = "pasteque";
deuxfleurs.staticIPv4.address = "192.168.5.202";
deuxfleurs.staticIPv6.address = "2001:912:1ac0:2200::202";
}

View file

@ -0,0 +1 @@
../site/corrin.nix

View file

@ -47,3 +47,6 @@ Host ortie
Host pamplemousse
HostName 2001:912:1ac0:2200::201
Host pasteque
HostName 2001:912:1ac0:2200::202

View file

@ -21,20 +21,25 @@ job "core-tricot" {
}
task "server" {
driver = "nix2"
driver = "docker"
config {
packages = [
"git+https://git.deuxfleurs.fr/Deuxfleurs/tricot.git?ref=main&rev=9bb505d977cb8bafd8039159241788ff25510d69"
image = "armael/tricot:40g7jpp915jkfszlczfh1yw2x6syjkxs-redir-headers"
network_mode = "host"
readonly_rootfs = true
ports = [ "http_port", "https_port" ]
volumes = [
"secrets:/etc/tricot",
]
command = "tricot"
# cap_add = [ "net_bind_service" ] # this doesn't work for whatever reason, so we need to put user = "root" instead
ulimit {
nofile = "65535:65535"
}
}
user = "root"
resources {
cpu = 500
memory = 200
memory_max = 500
}
restart {
@ -46,17 +51,17 @@ job "core-tricot" {
template {
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
destination = "etc/tricot/consul-ca.crt"
destination = "secrets/consul-ca.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
destination = "etc/tricot/consul-client.crt"
destination = "secrets/consul-client.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.key\" }}"
destination = "etc/tricot/consul-client.key"
destination = "secrets/consul-client.key"
}
template {
@ -72,7 +77,7 @@ TRICOT_HTTP_BIND_ADDR=[::]:80
TRICOT_HTTPS_BIND_ADDR=[::]:443
TRICOT_METRICS_BIND_ADDR=[::]:9334
TRICOT_WARMUP_CERT_MEMORY_STORE=true
RUST_LOG=tricot=debug
RUST_LOG=tricot=trace
RUST_BACKTRACE=1
EOH
destination = "secrets/env"

View file

@ -0,0 +1,40 @@
/*
* You can override the configurable values from this file.
* The recommended method is to make a copy of this file (/customize.dist/application_config.js)
in a 'customize' directory (/customize/application_config.js).
* If you want to check all the configurable values, you can open the internal configuration file
but you should not change it directly (/common/application_config_internal.js)
*/
define(['/common/application_config_internal.js'], function (AppConfig) {
// To inform users of the support ticket panel which languages your admins speak:
AppConfig.supportLanguages = [ 'en', 'fr' ];
/* Select the buttons displayed on the main page to create new collaborative sessions.
* Removing apps from the list will prevent users from accessing them. They will instead be
* redirected to the drive.
* You should never remove the drive from this list.
*/
AppConfig.availablePadTypes = ['drive', 'teams', 'doc', 'presentation', 'pad', 'kanban', 'code', 'form', 'poll', 'whiteboard',
'file', 'contacts', 'slide', 'convert'];
// disabled: sheet
/* You can display a link to your own privacy policy in the static pages footer.
* Since this is different for each individual or organization there is no default value.
* See the comments above for a description of possible configurations.
*/
AppConfig.privacy = {
"default": "https://deuxfleurs.fr/CGU.html",
};
/* You can display a link to your instances's terms of service in the static pages footer.
* A default is included for backwards compatibility, but we recommend replacing this
* with your own terms.
*
* See the comments above for a description of possible configurations.
*/
AppConfig.terms = {
"default": "https://deuxfleurs.fr/CGU.html",
};
return AppConfig;
});

View file

@ -0,0 +1,296 @@
/* globals module */
/* DISCLAIMER:
There are two recommended methods of running a CryptPad instance:
1. Using a standalone nodejs server without HTTPS (suitable for local development)
2. Using NGINX to serve static assets and to handle HTTPS for API server's websocket traffic
We do not officially recommend or support Apache, Docker, Kubernetes, Traefik, or any other configuration.
Support requests for such setups should be directed to their authors.
If you're having difficulty difficulty configuring your instance
we suggest that you join the project's IRC/Matrix channel.
If you don't have any difficulty configuring your instance and you'd like to
support us for the work that went into making it pain-free we are quite happy
to accept donations via our opencollective page: https://opencollective.com/cryptpad
*/
module.exports = {
/* CryptPad is designed to serve its content over two domains.
* Account passwords and cryptographic content is handled on the 'main' domain,
* while the user interface is loaded on a 'sandbox' domain
* which can only access information which the main domain willingly shares.
*
* In the event of an XSS vulnerability in the UI (that's bad)
* this system prevents attackers from gaining access to your account (that's good).
*
* Most problems with new instances are related to this system blocking access
* because of incorrectly configured sandboxes. If you only see a white screen
* when you try to load CryptPad, this is probably the cause.
*
* PLEASE READ THE FOLLOWING COMMENTS CAREFULLY.
*
*/
/* httpUnsafeOrigin is the URL that clients will enter to load your instance.
* Any other URL that somehow points to your instance is supposed to be blocked.
* The default provided below assumes you are loading CryptPad from a server
* which is running on the same machine, using port 3000.
*
* In a production instance this should be available ONLY over HTTPS
* using the default port for HTTPS (443) ie. https://cryptpad.fr
* In such a case this should be also handled by NGINX, as documented in
* cryptpad/docs/example.nginx.conf (see the $main_domain variable)
*
*/
httpUnsafeOrigin: 'https://pad.staging.deuxfleurs.org',
/* httpSafeOrigin is the URL that is used for the 'sandbox' described above.
* If you're testing or developing with CryptPad on your local machine then
* it is appropriate to leave this blank. The default behaviour is to serve
* the main domain over port 3000 and to serve the sandbox content over port 3001.
*
* This is not appropriate in a production environment where invasive networks
* may filter traffic going over abnormal ports.
* To correctly configure your production instance you must provide a URL
* with a different domain (a subdomain is sufficient).
* It will be used to load the UI in our 'sandbox' system.
*
* This value corresponds to the $sandbox_domain variable
* in the example nginx file.
*
* Note that in order for the sandboxing system to be effective
* httpSafeOrigin must be different from httpUnsafeOrigin.
*
* CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
*/
httpSafeOrigin: "https://pad-sandbox.staging.deuxfleurs.org",
/* httpAddress specifies the address on which the nodejs server
* should be accessible. By default it will listen on 127.0.0.1
* (IPv4 localhost on most systems). If you want it to listen on
* all addresses, including IPv6, set this to '::'.
*
*/
httpAddress: '::',
/* httpPort specifies on which port the nodejs server should listen.
* By default it will serve content over port 3000, which is suitable
* for both local development and for use with the provided nginx example,
* which will proxy websocket traffic to your node server.
*
*/
httpPort: 3000,
/* httpSafePort allows you to specify an alternative port from which
* the node process should serve sandboxed assets. The default value is
* that of your httpPort + 1. You probably don't need to change this.
*
*/
// httpSafePort: 3001,
/* CryptPad will launch a child process for every core available
* in order to perform CPU-intensive tasks in parallel.
* Some host environments may have a very large number of cores available
* or you may want to limit how much computing power CryptPad can take.
* If so, set 'maxWorkers' to a positive integer.
*/
// maxWorkers: 4,
/* =====================
* Admin
* ===================== */
/*
* CryptPad contains an administration panel. Its access is restricted to specific
* users using the following list.
* To give access to the admin panel to a user account, just add their public signing
* key, which can be found on the settings page for registered users.
* Entries should be strings separated by a comma.
*/
adminKeys: [
"[quentin@pad.deuxfleurs.fr/EWtzm-CiqJnM9RZL9mj-YyTgAtX-Zh76sru1K5bFpN8=]",
"[adrn@pad.deuxfleurs.fr/PxDpkPwd-jDJWkfWdAzFX7wtnLpnPlBeYZ4MmoEYS6E=]",
"[lx@pad.deuxfleurs.fr/FwQzcXywx1FIb83z6COB7c3sHnz8rNSDX1xhjPuH3Fg=]",
"[trinity-1686a@pad.deuxfleurs.fr/Pu6Ef03jEsAGBbZI6IOdKd6+5pORD5N51QIYt4-Ys1c=]",
"[Jill@pad.deuxfleurs.fr/tLW7W8EVNB2KYETXEaOYR+HmNiBQtZj7u+SOxS3hGmg=]",
"[vincent@pad.deuxfleurs.fr/07FQiE8w1iztRWwzbRJzEy3xIqnNR31mUFjLNiGXjwU=]",
"[boris@pad.deuxfleurs.fr/kHo5LIhSxDFk39GuhGRp+XKlMjNe+lWfFWM75cINoTQ=]",
"[maximilien@pad.deuxfleurs.fr/UoXHLejYRUjvX6t55hAQKpjMdU-3ecg4eDhAeckZmyE=]",
"[armael@pad.deuxfleurs.fr/CIKMvNdFxGavwTmni0TnR3x9GM0ypgx3DMcFyzppplU=]",
"[bjonglez@pad.deuxfleurs.fr/+RRzwcLPj5ZCWELUXMjmt3u+-lvYnyhpDt4cqAn9nh8=]"
],
/* =====================
* STORAGE
* ===================== */
/* Pads that are not 'pinned' by any registered user can be set to expire
* after a configurable number of days of inactivity (default 90 days).
* The value can be changed or set to false to remove expiration.
* Expired pads can then be removed using a cron job calling the
* `evict-inactive.js` script with node
*
* defaults to 90 days if nothing is provided
*/
//inactiveTime: 90, // days
/* CryptPad archives some data instead of deleting it outright.
* This archived data still takes up space and so you'll probably still want to
* remove these files after a brief period.
*
* cryptpad/scripts/evict-inactive.js is intended to be run daily
* from a crontab or similar scheduling service.
*
* The intent with this feature is to provide a safety net in case of accidental
* deletion. Set this value to the number of days you'd like to retain
* archived data before it's removed permanently.
*
* defaults to 15 days if nothing is provided
*/
//archiveRetentionTime: 15,
/* It's possible to configure your instance to remove data
* stored on behalf of inactive accounts. Set 'accountRetentionTime'
* to the number of days an account can remain idle before its
* documents and other account data is removed.
*
* Leave this value commented out to preserve all data stored
* by user accounts regardless of inactivity.
*/
//accountRetentionTime: 365,
/* Starting with CryptPad 3.23.0, the server automatically runs
* the script responsible for removing inactive data according to
* your configured definition of inactivity. Set this value to `true`
* if you prefer not to remove inactive data, or if you prefer to
* do so manually using `scripts/evict-inactive.js`.
*/
//disableIntegratedEviction: true,
/* Max Upload Size (bytes)
* this sets the maximum size of any one file uploaded to the server.
* anything larger than this size will be rejected
* defaults to 20MB if no value is provided
*/
//maxUploadSize: 20 * 1024 * 1024,
/* Users with premium accounts (those with a plan included in their customLimit)
* can benefit from an increased upload size limit. By default they are restricted to the same
* upload size as any other registered user.
*
*/
//premiumUploadSize: 100 * 1024 * 1024,
/* =====================
* DATABASE VOLUMES
* ===================== */
/*
* We need this config entry, else CryptPad will try to mkdir
* some stuff into Nix store apparently...
*/
base: '/mnt/data',
/*
* CryptPad stores each document in an individual file on your hard drive.
* Specify a directory where files should be stored.
* It will be created automatically if it does not already exist.
*/
filePath: '/mnt/datastore/',
/* CryptPad offers the ability to archive data for a configurable period
* before deleting it, allowing a means of recovering data in the event
* that it was deleted accidentally.
*
* To set the location of this archive directory to a custom value, change
* the path below:
*/
archivePath: '/mnt/data/archive',
/* CryptPad allows logged in users to request that particular documents be
* stored by the server indefinitely. This is called 'pinning'.
* Pin requests are stored in a pin-store. The location of this store is
* defined here.
*/
pinPath: '/mnt/data/pins',
/* if you would like the list of scheduled tasks to be stored in
a custom location, change the path below:
*/
taskPath: '/mnt/data/tasks',
/* if you would like users' authenticated blocks to be stored in
a custom location, change the path below:
*/
blockPath: '/mnt/block',
/* CryptPad allows logged in users to upload encrypted files. Files/blobs
* are stored in a 'blob-store'. Set its location here.
*/
blobPath: '/mnt/blob',
/* CryptPad stores incomplete blobs in a 'staging' area until they are
* fully uploaded. Set its location here.
*/
blobStagingPath: '/mnt/data/blobstage',
decreePath: '/mnt/data/decrees',
/* CryptPad supports logging events directly to the disk in a 'logs' directory
* Set its location here, or set it to false (or nothing) if you'd rather not log
*/
logPath: false,
/* =====================
* Debugging
* ===================== */
/* CryptPad can log activity to stdout
* This may be useful for debugging
*/
logToStdout: true,
/* CryptPad can be configured to log more or less
* the various settings are listed below by order of importance
*
* silly, verbose, debug, feedback, info, warn, error
*
* Choose the least important level of logging you wish to see.
* For example, a 'silly' logLevel will display everything,
* while 'info' will display 'info', 'warn', and 'error' logs
*
* This will affect both logging to the console and the disk.
*/
logLevel: 'silly',
/* clients can use the /settings/ app to opt out of usage feedback
* which informs the server of things like how much each app is being
* used, and whether certain clientside features are supported by
* the client's browser. The intent is to provide feedback to the admin
* such that the service can be improved. Enable this with `true`
* and ignore feedback with `false` or by commenting the attribute
*
* You will need to set your logLevel to include 'feedback'. Set this
* to false if you'd like to exclude feedback from your logs.
*/
logFeedback: false,
/* CryptPad supports verbose logging
* (false by default)
*/
verbose: true,
/* Surplus information:
*
* 'installMethod' is included in server telemetry to voluntarily
* indicate how many instances are using unofficial installation methods
* such as Docker.
*
*/
installMethod: 'deuxfleurs.fr',
};

View file

@ -1,4 +1,4 @@
job "cryptpad-debug" {
job "cryptpad" {
datacenters = ["neptune"]
type = "service"
@ -22,7 +22,7 @@ job "cryptpad-debug" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
value = "courgette"
value = "caribou"
}
config {
@ -30,8 +30,8 @@ job "cryptpad-debug" {
ports = [ "http" ]
volumes = [
"/mnt/ssd/cryptpad-debug:/mnt",
"secrets/config-debug.js:/cryptpad/config.js",
"/mnt/ssd/cryptpad:/mnt",
"secrets/config.js:/cryptpad/config.js",
]
}
env {
@ -39,14 +39,14 @@ job "cryptpad-debug" {
}
template {
data = file("../config/config-debug.js")
destination = "secrets/config-debug.js"
data = file("../config/config.js")
destination = "secrets/config.js"
}
/* Disabled because it requires modifications to the docker image and I do not want to invest the time yet
template {
data = file("../config/application_config-debug.js")
destination = "secrets/config-debug.js"
data = file("../config/application_config.js")
destination = "secrets/config.js"
}
*/
@ -59,12 +59,14 @@ job "cryptpad-debug" {
name = "cryptpad"
port = "http"
tags = [
"tricot pad-debug.deuxfleurs.fr",
"tricot pad-sandbox-debug.deuxfleurs.fr",
"tricot pad.staging.deuxfleurs.org",
"tricot pad-sandbox.staging.deuxfleurs.org",
"tricot-add-header Cross-Origin-Resource-Policy cross-origin",
"tricot-add-header Cross-Origin-Embedder-Policy require-corp",
"d53-cname pad-debug.deuxfleurs.fr",
"d53-cname pad-sandbox-debug.deuxfleurs.fr",
"tricot-add-header Access-Control-Allow-Origin *",
"tricot-add-header Access-Control-Allow-Credentials true",
"d53-cname pad.staging.deuxfleurs.org",
"d53-cname pad-sandbox.staging.deuxfleurs.org",
]
check {
type = "http"

View file

@ -38,3 +38,27 @@ scrape_configs:
ca_file: /etc/prom/consul.crt
cert_file: /etc/prom/consul-client.crt
key_file: /etc/prom/consul-client.key
# see https://prometheus.io/docs/prometheus/latest/configuration/configuration/#static_config
# and https://www.nomadproject.io/api-docs/metrics
# and https://learn.hashicorp.com/tutorials/nomad/prometheus-metrics
# dashboard at https://grafana.com/grafana/dashboards/3800
- job_name: 'nomad'
scrape_interval: 10s
metrics_path: "/v1/metrics"
params:
format: ['prometheus']
scheme: 'https'
tls_config:
ca_file: /etc/prom/nomad-ca.crt
cert_file: /etc/prom/nomad-client.crt
key_file: /etc/prom/nomad-client.key
insecure_skip_verify: true
consul_sd_configs:
- server: 'https://localhost:8501'
services:
- 'nomad-client'
tls_config:
ca_file: /etc/prom/consul.crt
cert_file: /etc/prom/consul-client.crt
key_file: /etc/prom/consul-client.key

View file

@ -53,6 +53,21 @@ job "telemetry-service" {
destination = "etc/prom/consul-client.key"
}
template {
data = "{{ key \"secrets/nomad/nomad-ca.crt\" }}"
destination = "etc/prom/nomad-ca.crt"
}
template {
data = "{{ key \"secrets/nomad/nomad-client.crt\" }}"
destination = "etc/prom/nomad-client.crt"
}
template {
data = "{{ key \"secrets/nomad/nomad-client.key\" }}"
destination = "etc/prom/nomad-client.key"
}
resources {
memory = 500
cpu = 200