cluster(prod/cryptpad): Update cryptpad image on Nomad cluster

2024-06-23 11:54:12 +02:00
10 changed files with 189 additions and 228 deletions
--- a/cluster/prod/app/core/secrets.toml
+++ b/cluster/prod/app/core/secrets.toml
@ -3,7 +3,3 @@ type = 'user'
 description = 'LDAP base DN for everything'
 example = 'dc=example,dc=com'

-[secrets."d53/gandi_api_key"]
-type = 'user'
-description = 'Gandi API key'
-
--- a/cluster/prod/app/guichet/deploy/directory.hcl
+++ b/cluster/prod/app/guichet/deploy/directory.hcl
@ -13,8 +13,8 @@ job "guichet" {
    task "guichet" {
      driver = "docker"
      config {
-        image = "dxflrs/guichet:0x4y7bj1qb8w8hckvpbzlgyxh63j66ij"
-        args = [ "server", "-config", "/etc/config.json" ]
+        image = "dxflrs/guichet:m1gzk1r00xp0kz566fwbpc87z7haq7xj"
+	args = [ "server", "-config", "/etc/config.json" ]
        readonly_rootfs = true
        ports = [ "web_port" ]
        volumes = [
--- a/cluster/staging/app/core/deploy/bottin.hcl
+++ b/cluster/staging/app/core/deploy/bottin.hcl
@ -1,100 +0,0 @@
-job "core-bottin" {
-  datacenters = ["neptune", "jupiter", "corrin", "bespin"]
-  type = "system"
-  priority = 90
-
-  update {
-    max_parallel = 1
-    stagger = "1m"
-  }
-
-  group "bottin" {
-    constraint {
-      distinct_property = "${meta.site}"
-      value = "1"
-    }
-
-    network {
-      port "ldap_port" {
-        static = 389
-        to = 389
-      }
-    }
-
-    task "bottin" {
-      driver = "docker"
-      config {
-        image = "dxflrs/bottin:7h18i30cckckaahv87d3c86pn4a7q41z"
-        network_mode = "host"
-        readonly_rootfs = true
-        ports = [ "ldap_port" ]
-        volumes = [
-          "secrets/config.json:/config.json",
-          "secrets:/etc/bottin",
-        ]
-      }
-
-      restart {
-        interval = "5m"
-        attempts = 10
-        delay    = "15s"
-        mode     = "delay"
-      }
-
-      resources {
-        memory = 100
-        memory_max = 200
-      }
-
-      template {
-        data = file("../config/bottin/config.json.tpl")
-        destination = "secrets/config.json"
-      }
-
-      template {
-        data = "{{ key \"secrets/consul/consul.crt\" }}"
-        destination = "secrets/consul.crt"
-      }
-
-      template {
-        data = "{{ key \"secrets/consul/consul-client.crt\" }}"
-        destination = "secrets/consul-client.crt"
-      }
-
-      template {
-        data = "{{ key \"secrets/consul/consul-client.key\" }}"
-        destination = "secrets/consul-client.key"
-      }
-
-      template {
-        data = <<EOH
-CONSUL_HTTP_ADDR=https://consul.service.staging.consul:8501
-CONSUL_HTTP_SSL=true
-CONSUL_CACERT=/etc/bottin/consul.crt
-CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
-CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
-EOH
-        destination = "secrets/env"
-        env = true
-      }
-
-      service {
-        tags = [ "${meta.site}" ]
-        port = "ldap_port"
-        address_mode = "host"
-        name = "bottin"
-        check {
-          type = "tcp"
-          port = "ldap_port"
-          interval = "60s"
-          timeout = "5s"
-          check_restart {
-            limit = 3
-            grace = "90s"
-            ignore_warnings = false
-          }
-        }
-      }
-    }
-  }
-}
--- a/cluster/staging/app/core/secrets.toml
+++ b/cluster/staging/app/core/secrets.toml
@ -1,8 +1,3 @@
-[secrets."directory/ldap_base_dn"]
-type = 'user'
-description = 'LDAP base DN for everything'
-example = 'dc=example,dc=com'
-
 [secrets."d53/gandi_api_key"]
 type = 'user'
 description = 'Gandi API key'
--- a/cluster/staging/app/directory/config/bottin/config.json.tpl
+++ b/cluster/staging/app/directory/config/bottin/config.json.tpl
--- a/cluster/staging/app/directory/config/guichet/config.json.tpl
+++ b/cluster/staging/app/directory/config/guichet/config.json.tpl
@ -1,15 +1,12 @@
 {
  "http_bind_addr": ":9991",
-  "ldap_server_addr": "ldap://{{ env "meta.site" }}.bottin.service.staging.consul:389",
+  "ldap_server_addr": "ldap://bottin.service.staging.consul:389",

  "base_dn": "{{ key "secrets/directory/ldap_base_dn" }}",
  "user_base_dn": "ou=users,{{ key "secrets/directory/ldap_base_dn" }}",
  "user_name_attr": "cn",
  "group_base_dn": "ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
  "group_name_attr": "cn",
-  "mailing_list_base_dn": "ou=mailing_lists,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
-  "mailing_list_name_attr": "cn",
-  "mailing_list_guest_user_base_dn": "ou=guests,ou=users,{{ key "secrets/directory/ldap_base_dn" }}",

  "invitation_base_dn": "ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}",
  "invitation_name_attr": "cn",
--- a/cluster/staging/app/directory/deploy/directory.hcl
+++ b/cluster/staging/app/directory/deploy/directory.hcl
@ -0,0 +1,133 @@
+job "directory" {
+  datacenters = ["neptune", "jupiter", "corrin", "bespin"]
+  type = "service"
+  priority = 90
+
+  constraint {
+    attribute = "${attr.cpu.arch}"
+    value     = "amd64"
+  }
+
+  group "bottin" {
+    count = 1
+
+    network {
+      port "ldap_port" {
+        static = 389
+      }
+    }
+
+    task "bottin" {
+      driver = "nix2"
+      config {
+        packages = [
+          "git+https://git.deuxfleurs.fr/Deuxfleurs/bottin.git?ref=main&rev=9cab98d2cee386ece54b000bbdf2346da8b55eed"
+        ]
+        command = "bottin"
+      }
+      user = "root" # needed to bind port 389
+
+      resources {
+        memory = 100
+      }
+
+      template {
+        data = file("../config/bottin/config.json.tpl")
+        destination = "config.json"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
+        destination = "etc/bottin/consul-ca.crt"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+        destination = "etc/bottin/consul-client.crt"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul-client.key\" }}"
+        destination = "etc/bottin/consul-client.key"
+      }
+
+      template {
+        data = <<EOH
+CONSUL_HTTP_ADDR=https://localhost:8501
+CONSUL_HTTP_SSL=true
+CONSUL_CACERT=/etc/bottin/consul-ca.crt
+CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
+CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
+EOH
+        destination = "secrets/env"
+        env = true
+      }
+
+      service {
+        tags = ["bottin"]
+        port = "ldap_port"
+        name = "bottin"
+        check {
+          type = "tcp"
+          port = "ldap_port"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+      }
+    }
+  }
+
+  group "guichet" {
+    count = 1
+
+    network {
+      port "web_port" { static = 9991 }
+    }
+
+    task "guichet" {
+      driver = "nix2"
+      config {
+        packages = [
+          "git+https://git.deuxfleurs.fr/Deuxfleurs/guichet.git?ref=main&rev=10bdee10cf6947ec6dd0ba5040d7274d6c3316a7"
+        ]
+        command = "guichet"
+      }
+
+      template {
+        data = file("../config/guichet/config.json.tpl")
+        destination = "config.json"
+      }
+
+      resources {
+        memory = 200
+      }
+
+      service {
+        name = "guichet"
+        tags = [
+          "guichet",
+          "tricot guichet.staging.deuxfleurs.org",
+          "d53-cname guichet.staging.deuxfleurs.org",
+        ]
+        port = "web_port"
+        check {
+          type = "tcp"
+          port = "web_port"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+      }
+    }
+  }
+}
+
--- a/cluster/staging/app/directory/secrets.toml
+++ b/cluster/staging/app/directory/secrets.toml
@ -1,51 +1,51 @@
-# General configuration 
-
-[secrets."directory/guichet/web_hostname"]
+[secrets."directory/ldap_base_dn"]
 type = 'user'
-description = 'Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)'
-
-
-# Mailing configuration
+description = 'LDAP base DN for everything'
+example = 'dc=example,dc=com'

 [secrets."directory/guichet/smtp_user"]
 type = 'user'
 description = 'SMTP username'

+[secrets."directory/guichet/s3_access_key"]
+type = 'user'
+description = 'Garage access key for Guichet profile pictures'
+
+[secrets."directory/guichet/s3_endpoint"]
+type = 'user'
+description = 'S3 endpoint URL'
+
+[secrets."directory/guichet/s3_region"]
+type = 'user'
+description = 'S3 region'
+
 [secrets."directory/guichet/smtp_pass"]
 type = 'user'
 description = 'SMTP password'

+[secrets."directory/guichet/web_hostname"]
+type = 'user'
+description = 'Public hostname from which Guichet is accessible via HTTP'
+example = 'guichet.example.com'
+
+[secrets."directory/guichet/s3_bucket"]
+type = 'user'
+description = 'S3 bucket in which to store data files (such as profile pictures)'
+
 [secrets."directory/guichet/smtp_server"]
 type = 'user'
 description = 'SMTP server address (hostname:port)'

+[secrets."directory/guichet/s3_secret_key"]
+type = 'user'
+description = 'Garage secret key for Guichet profile pictures'
+
 [secrets."directory/guichet/mail_from"]
 type = 'user'
 description = 'E-mail address from which to send welcome emails to new users'

 [secrets."directory/guichet/mail_domain"]
 type = 'user'
-description = 'E-mail domain for new users (e.g. example.com)'
+description = 'E-mail domain for new users'
+example = 'example.com'

-
-# S3 configuration
-
-[secrets."directory/guichet/s3_endpoint"]
-type = 'user'
-description = 'S3 endpoint URL'
-
-[secrets."directory/guichet/s3_bucket"]
-type = 'user'
-description = 'S3 bucket in which to store data files (such as profile pictures)'
-
-[secrets."directory/guichet/s3_region"]
-type = 'user'
-description = 'S3 region'
-
-[secrets."directory/guichet/s3_access_key"]
-type = 'user'
-description = 'Garage access key for Guichet profile pictures'
-
-[secrets."directory/guichet/s3_secret_key"]
-type = 'user'
-description = 'Garage secret key for Guichet profile pictures'
--- a/cluster/staging/app/garage/deploy/garage.hcl
+++ b/cluster/staging/app/garage/deploy/garage.hcl
@ -1,12 +1,13 @@
 job "garage-staging" {
-  datacenters = [ "neptune", "jupiter", "corrin", "bespin" ]
  type = "system"
  priority = 90

+  datacenters = [ "neptune", "jupiter", "corrin", "bespin" ]

  update {
-    max_parallel = 2
-    min_healthy_time  = "60s"
+    max_parallel = 1
+    stagger = "1m"
+    min_healthy_time = "10s"
  }

  group "garage-staging" {
@ -18,27 +19,21 @@ job "garage-staging" {
      port "admin" { static = 3909 }
    }

-    update {
-      max_parallel = 10
-      min_healthy_time = "30s"
-      healthy_deadline = "5m"
-    }
-
    task "server" {
-      driver = "docker"
+      driver = "nix2"
+
      config {
-        image = "superboum/garage:v1.0.0-rc1-hotfix-red-ftr-wquorum"
-        command = "/garage"
-        args = [ "server" ]
-        network_mode = "host"
-        volumes = [
-          "/mnt/storage/garage-staging/data:/data",
-          "/mnt/ssd/garage-staging/meta:/meta",
-          "secrets/garage.toml:/etc/garage.toml",
-          "secrets:/etc/garage",
+        packages = [
+          "#bash", # so that we can enter a shell inside container
+          "#coreutils",
+          # garage v1.0.0-rc1 as of 2024-03-28
+          "git+https://git.deuxfleurs.fr/Deuxfleurs/garage.git?ref=next-0.10&rev=afad62939e071621666ca7255f7164f92c4475bb"
        ]
-        logging {
-          type = "journald"
+        command = "garage"
+        args = [ "server" ]
+        bind = {
+          "/mnt/storage/garage-staging/data" = "/data",
+          "/mnt/ssd/garage-staging/meta" = "/meta",
        }
      }

@ -46,24 +41,27 @@ job "garage-staging" {
        RUST_LOG = "garage=info,garage_api=debug",
      }

+      # files currently owned by root, we don't want to chown everything
+      user = "root"
+
      template {
        data = file("../config/garage.toml")
-        destination = "secrets/garage.toml"
+        destination = "etc/garage.toml"
      }

      template {
        data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
-        destination = "secrets/consul-ca.crt"
+        destination = "etc/garage/consul-ca.crt"
      }

      template {
        data = "{{ key \"secrets/consul/consul-client.crt\" }}"
-        destination = "secrets/consul-client.crt"
+        destination = "etc/garage/consul-client.crt"
      }

      template {
        data = "{{ key \"secrets/consul/consul-client.key\" }}"
-        destination = "secrets/consul-client.key"
+        destination = "etc/garage/consul-client.key"
      }

      resources {
--- a/cluster/staging/app/guichet/deploy/guichet.hcl
+++ b/cluster/staging/app/guichet/deploy/guichet.hcl
@ -1,58 +0,0 @@
-job "guichet" {
-  datacenters = ["neptune", "jupiter", "corrin", "bespin"]
-  type = "service"
-  priority = 90
-
-  group "guichet" {
-    count = 1
-
-    network {
-      port "web_port" { to = 9991 }
-    }
-
-    task "guichet" {
-      driver = "docker"
-      config {
-        image = "dxflrs/guichet:m1gzk1r00xp0kz566fwbpc87z7haq7xj"
-        args = [ "server", "-config", "/etc/config.json" ]
-        readonly_rootfs = true
-        ports = [ "web_port" ]
-        volumes = [
-          "secrets/config.json:/etc/config.json"
-        ]
-      }
-
-      template {
-        data = file("../config/guichet/config.json.tpl")
-        destination = "secrets/config.json"
-      }
-
-      resources {
-        memory = 200
-      }
-
-      service {
-        name = "guichet"
-        tags = [
-          "guichet",
-          "tricot guichet.staging.deuxfleurs.org",
-          "d53-cname guichet.staging.deuxfleurs.org",
-        ]
-        port = "web_port"
-        address_mode = "host"
-        check {
-          type = "tcp"
-          port = "web_port"
-          interval = "60s"
-          timeout = "5s"
-          check_restart {
-            limit = 3
-            grace = "90s"
-            ignore_warnings = false
-          }
-        }
-      }
-    }
-  }
-}
-