Compare commits
2 commits
main
...
fix_ports_
Author | SHA1 | Date | |
---|---|---|---|
|
0c7e85f117 | ||
|
d2584fbf1d |
20 changed files with 26 additions and 170 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -4,4 +4,3 @@ secrets/*
|
|||
cluster/*/secrets/*
|
||||
!cluster/*/secrets/*.sample
|
||||
|
||||
adrn-notes/
|
||||
|
|
|
@ -13,8 +13,8 @@ job "bagage" {
|
|||
|
||||
network {
|
||||
port "web_port" {
|
||||
static = 8080
|
||||
to = 8080
|
||||
static = 8015
|
||||
to = 8015
|
||||
}
|
||||
port "ssh_port" {
|
||||
static = 2222
|
||||
|
|
|
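Review bot: Both `static` and `to` move from 8080 to 8015 in the `web_port` block, so the bagage container is now expected to listen on 8015 itself, not merely to be reachable on host port 8015; if the image's listener is fixed at 8080, changing only `static = 8015` and keeping `to = 8080` would free the host port without touching the in-container port. The port-registry hunk at the end of the page lists `8015 bagage` next to `8080 jitsi video bridge (prod)`, which reads as the motivation, although with the +/- markers lost on this page the assignment of sides is inferred from the hunk counts. A short comment on the block, e.g. `# 8080 is taken by the jitsi video bridge (see the port registry in the docs)`, would record why 8015 was chosen. The `network` block continues past the hunk (`port "ssh_port"` is cut off).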
@ -1,5 +1,5 @@
|
|||
job "core-d53" {
|
||||
datacenters = ["neptune", "scorpio", "bespin", "corrin"]
|
||||
datacenters = ["neptune", "scorpio", "bespin"]
|
||||
type = "service"
|
||||
priority = 90
|
||||
|
||||
|
|
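Review bot: The `corrin` datacenter drops out of `datacenters` on the new side here, and the same happens in the core-diplonat, core-tricot, jitsi and telemetry-system sections, with nothing in a port fix that explains it. Read together with the other new-side removals on this page — the cryptpad Dockerfile, the `smtpd_client_event_limit_exceptions` line and its rate-limit-exceptions template in the email job, the nomad scrape job in prometheus.yml with its nomad cert templates, the `tricot-block-user-agent` tags in garage-staging, the admin-key entries in the two config.js hunks, and node-exporter going from v1.7.0 to v1.6.1 — this looks like a branch that predates those changes on main rather than a set of intended reverts. If so, rebasing fix_ports_ onto main before comparing would leave only the bagage port change and the port-registry line to review; merged as shown, the compare would among other things apply `smtpd_client_connection_rate_limit = 2` to the cluster's own hosts again and drop the nomad metrics scrape. Sides are inferred from the hunk line counts, since the page lost its +/- markers.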
|
@ -1,5 +1,5 @@
|
|||
job "core-diplonat" {
|
||||
datacenters = ["neptune", "scorpio", "bespin", "corrin"]
|
||||
datacenters = ["neptune", "scorpio", "bespin"]
|
||||
type = "system"
|
||||
priority = 90
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@ job "core-tricot" {
|
|||
# on pourra mettre bespin quand on aura migré gitea de la vm vers le cluster
|
||||
# en attendant, les deux ne sont pas capables de partager les certificats SSL
|
||||
# donc on laisse la VM gitea gérer les certifs et prendre tout le trafic http(s)
|
||||
datacenters = ["corrin", "neptune", "scorpio"]
|
||||
datacenters = ["neptune", "scorpio"]
|
||||
type = "system"
|
||||
priority = 90
|
||||
|
||||
|
@ -28,7 +28,7 @@ job "core-tricot" {
|
|||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "armael/tricot:n6dk1b5xrdww12zf12jbcmihqs6g1brz"
|
||||
image = "superboum/amd64_tricot:54"
|
||||
network_mode = "host"
|
||||
readonly_rootfs = true
|
||||
ports = [ "http_port", "https_port" ]
|
||||
|
|
|
@ -1,59 +0,0 @@
|
|||
# SPDX-FileCopyrightText: 2023 XWiki CryptPad Team <contact@cryptpad.org> and contributors
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
#
|
||||
# Tweaks by Deuxfleurs
|
||||
|
||||
# Multistage build to reduce image size and increase security
|
||||
FROM node:lts-slim AS build
|
||||
ENV DEBIAN_FRONTEND=noninteractive
|
||||
|
||||
RUN apt-get update && apt-get install --no-install-recommends -y \
|
||||
ca-certificates tar wget
|
||||
|
||||
# Download the release tarball
|
||||
RUN wget https://github.com/cryptpad/cryptpad/archive/refs/tags/2024.9.0.tar.gz -O cryptpad.tar.gz
|
||||
|
||||
# Create folder for CryptPad
|
||||
RUN mkdir /cryptpad
|
||||
|
||||
# Extract the release into /cryptpad
|
||||
RUN tar xvzf cryptpad.tar.gz -C /cryptpad --strip-components 1
|
||||
|
||||
# Go to /cryptpad
|
||||
WORKDIR /cryptpad
|
||||
|
||||
# Install dependencies
|
||||
RUN npm install --production && npm run install:components
|
||||
|
||||
# Create the actual CryptPad image
|
||||
FROM node:lts-slim
|
||||
ENV DEBIAN_FRONTEND=noninteractive
|
||||
|
||||
# Install curl for healthcheck
|
||||
# Install git, rdfind and unzip for install-onlyoffice.sh
|
||||
RUN apt-get update && apt-get install --no-install-recommends -y \
|
||||
curl ca-certificates git rdfind unzip && \
|
||||
apt-get clean && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# Copy cryptpad with installed modules
|
||||
COPY --from=build /cryptpad /cryptpad
|
||||
|
||||
# Set workdir to cryptpad
|
||||
WORKDIR /cryptpad
|
||||
|
||||
# Install onlyoffice
|
||||
RUN ./install-onlyoffice.sh --accept-license --trust-repository
|
||||
|
||||
# Build static pages (?) unsure we need this
|
||||
RUN npm run build
|
||||
|
||||
# Healthcheck
|
||||
HEALTHCHECK --interval=1m CMD curl -f http://localhost:3000/ || exit 1
|
||||
|
||||
# Ports
|
||||
EXPOSE 3000 3003
|
||||
|
||||
# Run cryptpad on startup
|
||||
CMD ["npm", "start"]
|
|
@ -119,9 +119,7 @@ module.exports = {
|
|||
"[Jill@pad.deuxfleurs.fr/tLW7W8EVNB2KYETXEaOYR+HmNiBQtZj7u+SOxS3hGmg=]",
|
||||
"[vincent@pad.deuxfleurs.fr/07FQiE8w1iztRWwzbRJzEy3xIqnNR31mUFjLNiGXjwU=]",
|
||||
"[boris@pad.deuxfleurs.fr/kHo5LIhSxDFk39GuhGRp+XKlMjNe+lWfFWM75cINoTQ=]",
|
||||
"[maximilien@pad.deuxfleurs.fr/UoXHLejYRUjvX6t55hAQKpjMdU-3ecg4eDhAeckZmyE=]",
|
||||
"[armael@pad-debug.deuxfleurs.fr/CIKMvNdFxGavwTmni0TnR3x9GM0ypgx3DMcFyzppplU=]",
|
||||
"[bjonglez@pad-debug.deuxfleurs.fr/+RRzwcLPj5ZCWELUXMjmt3u+-lvYnyhpDt4cqAn9nh8=]"
|
||||
"[maximilien@pad.deuxfleurs.fr/UoXHLejYRUjvX6t55hAQKpjMdU-3ecg4eDhAeckZmyE=]"
|
||||
],
|
||||
|
||||
/* =====================
|
||||
|
|
|
@ -119,9 +119,7 @@ module.exports = {
|
|||
"[Jill@pad.deuxfleurs.fr/tLW7W8EVNB2KYETXEaOYR+HmNiBQtZj7u+SOxS3hGmg=]",
|
||||
"[vincent@pad.deuxfleurs.fr/07FQiE8w1iztRWwzbRJzEy3xIqnNR31mUFjLNiGXjwU=]",
|
||||
"[boris@pad.deuxfleurs.fr/kHo5LIhSxDFk39GuhGRp+XKlMjNe+lWfFWM75cINoTQ=]",
|
||||
"[maximilien@pad.deuxfleurs.fr/UoXHLejYRUjvX6t55hAQKpjMdU-3ecg4eDhAeckZmyE=]",
|
||||
"[armael@pad.deuxfleurs.fr/CIKMvNdFxGavwTmni0TnR3x9GM0ypgx3DMcFyzppplU=]",
|
||||
"[bjonglez@pad.deuxfleurs.fr/+RRzwcLPj5ZCWELUXMjmt3u+-lvYnyhpDt4cqAn9nh8=]"
|
||||
"[maximilien@pad.deuxfleurs.fr/UoXHLejYRUjvX6t55hAQKpjMdU-3ecg4eDhAeckZmyE=]"
|
||||
],
|
||||
|
||||
/* =====================
|
||||
|
|
|
@ -26,7 +26,7 @@ job "cryptpad-debug" {
|
|||
}
|
||||
|
||||
config {
|
||||
image = "armael/cryptpad:2024.9.0"
|
||||
image = "kokakiwi/cryptpad:2024.9.0"
|
||||
ports = [ "http" ]
|
||||
|
||||
volumes = [
|
||||
|
@ -56,15 +56,13 @@ job "cryptpad-debug" {
|
|||
}
|
||||
|
||||
service {
|
||||
name = "cryptpad-debug"
|
||||
name = "cryptpad"
|
||||
port = "http"
|
||||
tags = [
|
||||
"tricot pad-debug.deuxfleurs.fr",
|
||||
"tricot pad-sandbox-debug.deuxfleurs.fr",
|
||||
"tricot-add-header Cross-Origin-Resource-Policy cross-origin",
|
||||
"tricot-add-header Cross-Origin-Embedder-Policy require-corp",
|
||||
"tricot-add-header Access-Control-Allow-Origin *",
|
||||
"tricot-add-header Access-Control-Allow-Credentials true",
|
||||
"d53-cname pad-debug.deuxfleurs.fr",
|
||||
"d53-cname pad-sandbox-debug.deuxfleurs.fr",
|
||||
]
|
||||
|
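Review bot: On the new side the `service` block of `job "cryptpad-debug"` registers `name = "cryptpad"` while its tags still route `pad-debug.deuxfleurs.fr` and `pad-sandbox-debug.deuxfleurs.fr`; if the production job in the next section registers the same service name, the debug instance becomes discoverable under the production name and anything resolving `cryptpad` by service name rather than by tricot tag could land on either. Keeping `name = "cryptpad-debug"`, the name shown on the other side of this hunk, avoids the overlap. The first hunk of this section also switches the image from `armael/cryptpad:2024.9.0` to `kokakiwi/cryptpad:2024.9.0` without saying where that build comes from; a one-line comment above `image = ...` naming its source would help whoever audits what runs on the debug host. Which lines are old and which are new is inferred from the hunk counts, as this page lost its +/- markers.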
|
|
@ -63,8 +63,6 @@ job "cryptpad" {
|
|||
"tricot pad-sandbox.deuxfleurs.fr",
|
||||
"tricot-add-header Cross-Origin-Resource-Policy cross-origin",
|
||||
"tricot-add-header Cross-Origin-Embedder-Policy require-corp",
|
||||
"tricot-add-header Access-Control-Allow-Origin *",
|
||||
"tricot-add-header Access-Control-Allow-Credentials true",
|
||||
"d53-cname pad.deuxfleurs.fr",
|
||||
"d53-cname pad-sandbox.deuxfleurs.fr",
|
||||
]
|
||||
|
|
|
@ -83,14 +83,11 @@ smtpd_forbid_unauth_pipelining = yes
|
|||
smtpd_discard_ehlo_keywords = chunking
|
||||
smtpd_forbid_bare_newline = yes
|
||||
|
||||
smtpd_client_connection_rate_limit = 2
|
||||
|
||||
#===
|
||||
# Rate limiting
|
||||
#===
|
||||
smtpd_client_connection_rate_limit = 2
|
||||
# do not rate-limit ourselves
|
||||
# in particular, useful for forgejo who opens a lot of SMTP connections
|
||||
smtpd_client_event_limit_exceptions = $mynetworks /etc/postfix/rate-limit-exceptions
|
||||
|
||||
slow_destination_recipient_limit = 20
|
||||
slow_destination_concurrency_limit = 2
|
||||
|
||||
|
|
|
@ -382,29 +382,6 @@ job "email" {
|
|||
destination = "secrets/postfix/transport"
|
||||
}
|
||||
|
||||
template {
|
||||
# Collect machine IPs from the cluster.
|
||||
# We use intermediate maps to ensure we get a sorted list with no duplicates,
|
||||
# so that it is robust wrt. changes in the order of the output of ls or
|
||||
# addition of new machines in an existing site.
|
||||
# (scratch.MapValues returns the list of *values* in the map, sorted by *key*)
|
||||
data = <<EOH
|
||||
{{- range ls "diplonat/autodiscovery/ipv4" }}
|
||||
{{- with $a := .Value | parseJSON }}
|
||||
{{- scratch.MapSet "ipv4" $a.address $a.address }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
{{- range ls "diplonat/autodiscovery/ipv6" }}
|
||||
{{- with $a := .Value | parseJSON }}
|
||||
{{- scratch.MapSet "ipv6" $a.address $a.address }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
{{- range scratch.MapValues "ipv4" }}{{ . }} {{ end }}
|
||||
{{- range scratch.MapValues "ipv6" }}[{{ . }}] {{ end }}
|
||||
EOH
|
||||
destination = "secrets/postfix/rate-limit-exceptions"
|
||||
}
|
||||
|
||||
# --- secrets ---
|
||||
template {
|
||||
data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
|
||||
|
|
|
@ -28,11 +28,7 @@ job "guichet" {
|
|||
}
|
||||
|
||||
resources {
|
||||
# limite de mémoire un peu élevée par précaution.
|
||||
# avec 200M, j'ai observé guichet se faire OOM-killed au moment
|
||||
# où un nouvel utilisateur clique sur un lien d'invitation
|
||||
# fraichement généré.
|
||||
memory = 300
|
||||
memory = 200
|
||||
}
|
||||
|
||||
service {
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
job "jitsi" {
|
||||
datacenters = ["neptune", "scorpio", "corrin"]
|
||||
datacenters = ["neptune", "scorpio"]
|
||||
type = "service"
|
||||
|
||||
priority = 50
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
job "telemetry-system" {
|
||||
datacenters = ["neptune", "scorpio", "bespin", "corrin"]
|
||||
datacenters = ["neptune", "scorpio", "bespin"]
|
||||
type = "system"
|
||||
priority = "100"
|
||||
|
||||
|
@ -12,7 +12,7 @@ job "telemetry-system" {
|
|||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "quay.io/prometheus/node-exporter:v1.7.0"
|
||||
image = "quay.io/prometheus/node-exporter:v1.6.1"
|
||||
network_mode = "host"
|
||||
volumes = [
|
||||
"/:/host:ro,rslave"
|
||||
|
|
|
@ -21,25 +21,20 @@ job "core-tricot" {
|
|||
}
|
||||
|
||||
task "server" {
|
||||
driver = "docker"
|
||||
driver = "nix2"
|
||||
|
||||
config {
|
||||
image = "armael/tricot:8sa24l6pxdppb5gq0nnj9kvcl9mijliy-block_user_agent"
|
||||
network_mode = "host"
|
||||
readonly_rootfs = true
|
||||
ports = [ "http_port", "https_port" ]
|
||||
volumes = [
|
||||
"secrets:/etc/tricot",
|
||||
packages = [
|
||||
"git+https://git.deuxfleurs.fr/Deuxfleurs/tricot.git?ref=main&rev=9bb505d977cb8bafd8039159241788ff25510d69"
|
||||
]
|
||||
ulimit {
|
||||
nofile = "65535:65535"
|
||||
}
|
||||
command = "tricot"
|
||||
# cap_add = [ "net_bind_service" ] # this doesn't work for whatever reason, so we need to put user = "root" instead
|
||||
}
|
||||
user = "root"
|
||||
|
||||
resources {
|
||||
cpu = 500
|
||||
memory = 200
|
||||
memory_max = 500
|
||||
}
|
||||
|
||||
restart {
|
||||
|
@ -51,17 +46,17 @@ job "core-tricot" {
|
|||
|
||||
template {
|
||||
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
|
||||
destination = "secrets/consul-ca.crt"
|
||||
destination = "etc/tricot/consul-ca.crt"
|
||||
}
|
||||
|
||||
template {
|
||||
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
|
||||
destination = "secrets/consul-client.crt"
|
||||
destination = "etc/tricot/consul-client.crt"
|
||||
}
|
||||
|
||||
template {
|
||||
data = "{{ key \"secrets/consul/consul-client.key\" }}"
|
||||
destination = "secrets/consul-client.key"
|
||||
destination = "etc/tricot/consul-client.key"
|
||||
}
|
||||
|
||||
template {
|
||||
|
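Review bot: The new side sets `user = "root"` on the tricot task and the only explanation is the commented-out `cap_add = [ "net_bind_service" ]` line inside `config`, which is easy to lose in a later cleanup; putting the reason on the line that grants the privilege, `user = "root" # cap_add net_bind_service did not work with this driver, so tricot binds its ports as root`, keeps it visible where it matters. The `packages` entry pins `ref=main&rev=9bb505d977cb8bafd8039159241788ff25510d69`, so the rev is the effective pin and `ref=main` only names the branch; a short comment stating that the rev must be bumped deliberately would make that intent explicit. Whether root is actually required under the nix2 driver is not visible on this page, so the comment wording should be confirmed with whoever hit the cap_add problem. The hunk cuts the `restart` block at its end, and the second hunk of this section only moves the consul cert destinations from `secrets/` to `etc/tricot/`, consistent with the dropped `secrets:/etc/tricot` volume.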
|
|
@ -192,9 +192,6 @@ job "garage-staging" {
|
|||
"tricot-add-header Access-Control-Allow-Origin *",
|
||||
"tricot-on-demand-tls-ask http://garage-staging-admin.service.staging.consul:3909/check",
|
||||
"tricot-site-lb",
|
||||
"tricot-block-user-agent Claude-Web",
|
||||
"tricot-block-user-agent ClaudeBot",
|
||||
"tricot-block-user-agent anthropic-ai",
|
||||
]
|
||||
port = "web"
|
||||
# Check 1: Garage is alive and answering TCP connections
|
||||
|
|
|
@ -38,27 +38,3 @@ scrape_configs:
|
|||
ca_file: /etc/prom/consul.crt
|
||||
cert_file: /etc/prom/consul-client.crt
|
||||
key_file: /etc/prom/consul-client.key
|
||||
|
||||
# see https://prometheus.io/docs/prometheus/latest/configuration/configuration/#static_config
|
||||
# and https://www.nomadproject.io/api-docs/metrics
|
||||
# and https://learn.hashicorp.com/tutorials/nomad/prometheus-metrics
|
||||
# dashboard at https://grafana.com/grafana/dashboards/3800
|
||||
- job_name: 'nomad'
|
||||
scrape_interval: 10s
|
||||
metrics_path: "/v1/metrics"
|
||||
params:
|
||||
format: ['prometheus']
|
||||
scheme: 'https'
|
||||
tls_config:
|
||||
ca_file: /etc/prom/nomad-ca.crt
|
||||
cert_file: /etc/prom/nomad-client.crt
|
||||
key_file: /etc/prom/nomad-client.key
|
||||
insecure_skip_verify: true
|
||||
consul_sd_configs:
|
||||
- server: 'https://localhost:8501'
|
||||
services:
|
||||
- 'nomad-client'
|
||||
tls_config:
|
||||
ca_file: /etc/prom/consul.crt
|
||||
cert_file: /etc/prom/consul-client.crt
|
||||
key_file: /etc/prom/consul-client.key
|
||||
|
|
|
@ -53,21 +53,6 @@ job "telemetry-service" {
|
|||
destination = "etc/prom/consul-client.key"
|
||||
}
|
||||
|
||||
template {
|
||||
data = "{{ key \"secrets/nomad/nomad-ca.crt\" }}"
|
||||
destination = "etc/prom/nomad-ca.crt"
|
||||
}
|
||||
|
||||
template {
|
||||
data = "{{ key \"secrets/nomad/nomad-client.crt\" }}"
|
||||
destination = "etc/prom/nomad-client.crt"
|
||||
}
|
||||
|
||||
template {
|
||||
data = "{{ key \"secrets/nomad/nomad-client.key\" }}"
|
||||
destination = "etc/prom/nomad-client.key"
|
||||
}
|
||||
|
||||
resources {
|
||||
memory = 500
|
||||
cpu = 200
|
||||
|
|
|
@ -37,6 +37,7 @@ ports so that we can avoid conflicts when adding services.
|
|||
5432 psql_proxy
|
||||
5433 postgresql
|
||||
8008 synapse
|
||||
8015 bagage
|
||||
8080 jitsi video bridge (prod) / reserved (staging)
|
||||
8300 consul
|
||||
8301 consul
|
||||
|
|