email: ensure email and email-android7 run on different sites to avoid port conflicts

.gitignore

@@ -4,4 +4,3 @@ secrets/*
 cluster/*/secrets/*
 !cluster/*/secrets/*.sample
 
-adrn-notes/

cluster/prod/app/bagage/deploy/bagage.hcl

@@ -13,8 +13,8 @@ job "bagage" {
 
     network {
       port "web_port" { 
-        static = 8080
+        static = 8015
-        to = 8080 
+        to = 8015
       }
       port "ssh_port" { 
         static = 2222

cluster/prod/app/core/deploy/d53.hcl

@@ -1,5 +1,5 @@
 job "core-d53" {
-  datacenters = ["neptune", "scorpio", "bespin", "corrin"]
+  datacenters = ["neptune", "scorpio", "bespin"]
   type = "service"
   priority = 90
 

cluster/prod/app/core/deploy/diplonat.hcl

@@ -1,5 +1,5 @@
 job "core-diplonat" {
-  datacenters = ["neptune", "scorpio", "bespin", "corrin"]
+  datacenters = ["neptune", "scorpio", "bespin"]
   type = "system"
   priority = 90
 

cluster/prod/app/core/deploy/tricot.hcl

@@ -3,7 +3,7 @@ job "core-tricot" {
   # on pourra mettre bespin quand on aura migré gitea de la vm vers le cluster
   # en attendant, les deux  ne sont pas capables de partager les certificats SSL
   # donc on laisse la VM gitea gérer les certifs et prendre tout le trafic http(s)
-  datacenters = ["corrin", "neptune", "scorpio"]
+  datacenters = ["neptune", "scorpio"]
   type = "system"
   priority = 90
 
@@ -28,7 +28,7 @@ job "core-tricot" {
       driver = "docker"
 
       config {
-        image = "armael/tricot:n6dk1b5xrdww12zf12jbcmihqs6g1brz"
+        image = "superboum/amd64_tricot:54"
         network_mode = "host"
         readonly_rootfs = true
         ports = [ "http_port", "https_port" ]

cluster/prod/app/cryptpad/build_docker/Dockerfile

@@ -1,59 +0,0 @@
-# SPDX-FileCopyrightText: 2023 XWiki CryptPad Team <contact@cryptpad.org> and contributors
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-#
-# Tweaks by Deuxfleurs
-
-# Multistage build to reduce image size and increase security
-FROM node:lts-slim AS build
-ENV DEBIAN_FRONTEND=noninteractive
-
-RUN apt-get update && apt-get install --no-install-recommends -y \
-    ca-certificates tar wget
-
-# Download the release tarball
-RUN wget https://github.com/cryptpad/cryptpad/archive/refs/tags/2024.9.0.tar.gz -O cryptpad.tar.gz
-
-# Create folder for CryptPad
-RUN mkdir /cryptpad
-
-# Extract the release into /cryptpad
-RUN tar xvzf cryptpad.tar.gz -C /cryptpad --strip-components 1
-
-# Go to /cryptpad
-WORKDIR /cryptpad
-
-# Install dependencies
-RUN npm install --production && npm run install:components
-
-# Create the actual CryptPad image
-FROM node:lts-slim
-ENV DEBIAN_FRONTEND=noninteractive
-
-# Install curl for healthcheck
-# Install git, rdfind and unzip for install-onlyoffice.sh
-RUN apt-get update && apt-get install --no-install-recommends -y \
-    curl ca-certificates git rdfind unzip && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
-
-# Copy cryptpad with installed modules
-COPY --from=build /cryptpad /cryptpad
-
-# Set workdir to cryptpad
-WORKDIR /cryptpad
-
-# Install onlyoffice
-RUN ./install-onlyoffice.sh --accept-license --trust-repository
-
-# Build static pages (?) unsure we need this
-RUN npm run build
-
-# Healthcheck
-HEALTHCHECK --interval=1m CMD curl -f http://localhost:3000/ || exit 1
-
-# Ports
-EXPOSE 3000 3003
-
-# Run cryptpad on startup
-CMD ["npm", "start"]

cluster/prod/app/cryptpad/config/config-debug.js

@@ -119,9 +119,7 @@ module.exports = {
       "[Jill@pad.deuxfleurs.fr/tLW7W8EVNB2KYETXEaOYR+HmNiBQtZj7u+SOxS3hGmg=]",
       "[vincent@pad.deuxfleurs.fr/07FQiE8w1iztRWwzbRJzEy3xIqnNR31mUFjLNiGXjwU=]",
       "[boris@pad.deuxfleurs.fr/kHo5LIhSxDFk39GuhGRp+XKlMjNe+lWfFWM75cINoTQ=]",
-      "[maximilien@pad.deuxfleurs.fr/UoXHLejYRUjvX6t55hAQKpjMdU-3ecg4eDhAeckZmyE=]",
+      "[maximilien@pad.deuxfleurs.fr/UoXHLejYRUjvX6t55hAQKpjMdU-3ecg4eDhAeckZmyE=]"
-      "[armael@pad-debug.deuxfleurs.fr/CIKMvNdFxGavwTmni0TnR3x9GM0ypgx3DMcFyzppplU=]",
-      "[bjonglez@pad-debug.deuxfleurs.fr/+RRzwcLPj5ZCWELUXMjmt3u+-lvYnyhpDt4cqAn9nh8=]"
     ],
 
     /* =====================

cluster/prod/app/cryptpad/config/config.js

@@ -119,9 +119,7 @@ module.exports = {
       "[Jill@pad.deuxfleurs.fr/tLW7W8EVNB2KYETXEaOYR+HmNiBQtZj7u+SOxS3hGmg=]",
       "[vincent@pad.deuxfleurs.fr/07FQiE8w1iztRWwzbRJzEy3xIqnNR31mUFjLNiGXjwU=]",
       "[boris@pad.deuxfleurs.fr/kHo5LIhSxDFk39GuhGRp+XKlMjNe+lWfFWM75cINoTQ=]",
-      "[maximilien@pad.deuxfleurs.fr/UoXHLejYRUjvX6t55hAQKpjMdU-3ecg4eDhAeckZmyE=]",
+      "[maximilien@pad.deuxfleurs.fr/UoXHLejYRUjvX6t55hAQKpjMdU-3ecg4eDhAeckZmyE=]"
-      "[armael@pad.deuxfleurs.fr/CIKMvNdFxGavwTmni0TnR3x9GM0ypgx3DMcFyzppplU=]",
-      "[bjonglez@pad.deuxfleurs.fr/+RRzwcLPj5ZCWELUXMjmt3u+-lvYnyhpDt4cqAn9nh8=]"
     ],
 
     /* =====================

cluster/prod/app/cryptpad/deploy/cryptpad-debug.hcl

@@ -26,7 +26,7 @@ job "cryptpad-debug" {
       }
 
       config {
-        image = "armael/cryptpad:2024.9.0"
+        image = "kokakiwi/cryptpad:2024.9.0"
         ports = [ "http" ]
 
         volumes = [
@@ -56,15 +56,13 @@ job "cryptpad-debug" {
       }
 
       service {
-        name = "cryptpad-debug"
+        name = "cryptpad"
         port = "http"
         tags = [
           "tricot pad-debug.deuxfleurs.fr",
           "tricot pad-sandbox-debug.deuxfleurs.fr",
           "tricot-add-header Cross-Origin-Resource-Policy cross-origin",
           "tricot-add-header Cross-Origin-Embedder-Policy require-corp",
-          "tricot-add-header Access-Control-Allow-Origin *",
-          "tricot-add-header Access-Control-Allow-Credentials true",
           "d53-cname pad-debug.deuxfleurs.fr",
           "d53-cname pad-sandbox-debug.deuxfleurs.fr",
         ]

cluster/prod/app/cryptpad/deploy/cryptpad.hcl

@@ -63,8 +63,6 @@ job "cryptpad" {
           "tricot pad-sandbox.deuxfleurs.fr",
           "tricot-add-header Cross-Origin-Resource-Policy cross-origin",
           "tricot-add-header Cross-Origin-Embedder-Policy require-corp",
-          "tricot-add-header Access-Control-Allow-Origin *",
-          "tricot-add-header Access-Control-Allow-Credentials true",
           "d53-cname pad.deuxfleurs.fr",
           "d53-cname pad-sandbox.deuxfleurs.fr",
         ]

cluster/prod/app/email/config/postfix/main.cf

@@ -83,14 +83,11 @@ smtpd_forbid_unauth_pipelining = yes
 smtpd_discard_ehlo_keywords = chunking
 smtpd_forbid_bare_newline = yes
 
+smtpd_client_connection_rate_limit = 2
+
 #===
 # Rate limiting
 #===
-smtpd_client_connection_rate_limit = 2
-# do not rate-limit ourselves
-# in particular, useful for forgejo who opens a lot of SMTP connections
-smtpd_client_event_limit_exceptions = $mynetworks /etc/postfix/rate-limit-exceptions
-
 slow_destination_recipient_limit = 20
 slow_destination_concurrency_limit = 2
 

cluster/prod/app/email/deploy/email.hcl

@@ -382,29 +382,6 @@ job "email" {
         destination = "secrets/postfix/transport"
       }
 
-      template {
-        # Collect machine IPs from the cluster.
-        # We use intermediate maps to ensure we get a sorted list with no duplicates,
-        # so that it is robust wrt. changes in the order of the output of ls or
-        # addition of new machines in an existing site.
-        # (scratch.MapValues returns the list of *values* in the map, sorted by *key*)
-        data = <<EOH
-        {{- range ls "diplonat/autodiscovery/ipv4" }}
-          {{- with $a := .Value | parseJSON }}
-            {{- scratch.MapSet "ipv4" $a.address $a.address }}
-          {{- end }}
-        {{- end -}}
-        {{- range ls "diplonat/autodiscovery/ipv6" }}
-          {{- with $a := .Value | parseJSON }}
-            {{- scratch.MapSet "ipv6" $a.address $a.address }}
-          {{- end }}
-        {{- end -}}
-        {{- range scratch.MapValues "ipv4" }}{{ . }} {{ end }}
-        {{- range scratch.MapValues "ipv6" }}[{{ . }}] {{ end }}
-        EOH
-        destination = "secrets/postfix/rate-limit-exceptions"
-      }
-
       # --- secrets ---
       template {
         data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"

cluster/prod/app/guichet/deploy/guichet.hcl

@@ -28,11 +28,7 @@ job "guichet" {
       }
 
       resources {
-        # limite de mémoire un peu élevée par précaution.
+        memory = 200
-        # avec 200M, j'ai observé guichet se faire OOM-killed au moment
-        # où un nouvel utilisateur clique sur un lien d'invitation
-        # fraichement généré.
-        memory = 300
       }
 
       service {

cluster/prod/app/jitsi/deploy/jitsi.hcl

@@ -1,5 +1,5 @@
 job "jitsi" {
-  datacenters = ["neptune", "scorpio", "corrin"]
+  datacenters = ["neptune", "scorpio"]
   type = "service"
 
   priority = 50

cluster/prod/app/telemetry/deploy/telemetry-system.hcl

@@ -1,5 +1,5 @@
 job "telemetry-system" {
-	datacenters = ["neptune", "scorpio", "bespin", "corrin"]
+	datacenters = ["neptune", "scorpio", "bespin"]
 	type = "system"
 	priority = "100"
 
@@ -12,7 +12,7 @@ job "telemetry-system" {
 			driver = "docker"
 
 			config {
-				image = "quay.io/prometheus/node-exporter:v1.7.0"
+				image = "quay.io/prometheus/node-exporter:v1.6.1"
 				network_mode = "host"
 				volumes = [
 					"/:/host:ro,rslave"

cluster/staging/app/core/deploy/tricot.hcl

@@ -21,25 +21,20 @@ job "core-tricot" {
     }
 
     task "server" {
-      driver = "docker"
+      driver = "nix2"
 
       config {
-        image = "armael/tricot:n6dk1b5xrdww12zf12jbcmihqs6g1brz"
+        packages = [
-        network_mode = "host"
+          "git+https://git.deuxfleurs.fr/Deuxfleurs/tricot.git?ref=main&rev=9bb505d977cb8bafd8039159241788ff25510d69"
-        readonly_rootfs = true
-        ports = [ "http_port", "https_port" ]
-        volumes = [
-          "secrets:/etc/tricot",
         ]
-        ulimit {
+        command = "tricot"
-          nofile = "65535:65535"
+        # cap_add = [ "net_bind_service" ]  # this doesn't work for whatever reason, so we need to put user = "root" instead
-        }
       }
+      user = "root"
 
       resources {
         cpu = 500
         memory = 200
-        memory_max = 500
       }
 
       restart {
@@ -51,17 +46,17 @@ job "core-tricot" {
 
       template {
         data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
-        destination = "secrets/consul-ca.crt"
+        destination = "etc/tricot/consul-ca.crt"
       }
 
       template {
         data = "{{ key \"secrets/consul/consul-client.crt\" }}"
-        destination = "secrets/consul-client.crt"
+        destination = "etc/tricot/consul-client.crt"
       }
 
       template {
         data = "{{ key \"secrets/consul/consul-client.key\" }}"
-        destination = "secrets/consul-client.key"
+        destination = "etc/tricot/consul-client.key"
       }
 
       template {

cluster/staging/app/telemetry/config/prometheus.yml

@@ -38,27 +38,3 @@ scrape_configs:
         ca_file: /etc/prom/consul.crt
         cert_file: /etc/prom/consul-client.crt
         key_file: /etc/prom/consul-client.key
-
-  # see https://prometheus.io/docs/prometheus/latest/configuration/configuration/#static_config
-  # and https://www.nomadproject.io/api-docs/metrics
-  # and https://learn.hashicorp.com/tutorials/nomad/prometheus-metrics
-  # dashboard at https://grafana.com/grafana/dashboards/3800
-  - job_name: 'nomad'
-    scrape_interval: 10s
-    metrics_path: "/v1/metrics"
-    params:
-      format: ['prometheus']
-    scheme: 'https'
-    tls_config:
-      ca_file: /etc/prom/nomad-ca.crt
-      cert_file: /etc/prom/nomad-client.crt
-      key_file: /etc/prom/nomad-client.key
-      insecure_skip_verify: true
-    consul_sd_configs:
-    - server: 'https://localhost:8501'
-      services:
-        - 'nomad-client'
-      tls_config:
-        ca_file: /etc/prom/consul.crt
-        cert_file: /etc/prom/consul-client.crt
-        key_file: /etc/prom/consul-client.key

cluster/staging/app/telemetry/deploy/telemetry-service.hcl

@@ -53,21 +53,6 @@ job "telemetry-service" {
         destination = "etc/prom/consul-client.key"
       }
 
-      template {
-        data = "{{ key \"secrets/nomad/nomad-ca.crt\" }}"
-        destination = "etc/prom/nomad-ca.crt"
-      }
-
-      template {
-        data = "{{ key \"secrets/nomad/nomad-client.crt\" }}"
-        destination = "etc/prom/nomad-client.crt"
-      }
-
-      template {
-        data = "{{ key \"secrets/nomad/nomad-client.key\" }}"
-        destination = "etc/prom/nomad-client.key"
-      }
-
       resources {
         memory = 500
         cpu = 200

doc/ports

@@ -37,6 +37,7 @@ ports so that we can avoid conflicts when adding services.
 5432    psql_proxy
 5433    postgresql
 8008    synapse
+8015    bagage
 8080    jitsi video bridge (prod) / reserved (staging)
 8300    consul
 8301    consul