Simplify network configuration #11
12 changed files with 131 additions and 22 deletions
20
README.md
20
README.md
|
@ -15,18 +15,26 @@ Our first abstraction level is the NixOS level, which installs a bunch of standa
|
|||
|
||||
Then, inside our Nomad+Consul orchestrator, we deploy a number of base services:
|
||||
|
||||
* **[Garage](https://git.deuxfleurs.fr/Deuxfleurs/garage/):** S3-compatible lightweight object store for self-hosted geo-distributed deployments (we also have a legacy glusterfs cluster)
|
||||
* **[DiploNAT](https://git.deuxfleurs.fr/Deuxfleurs/diplonat):** network automation (firewalling, upnp igd)
|
||||
* **[Bottin](https://git.deuxfleurs.fr/Deuxfleurs/bottin):** authentication and authorization (LDAP protocol, consul backend)
|
||||
* **[Guichet](https://git.deuxfleurs.fr/Deuxfleurs/guichet):** a dashboard for our users and administrators
|
||||
* **Stolon + PostgreSQL:** distributed relational database
|
||||
* **Prometheus + Grafana:** monitoring
|
||||
* Data management
|
||||
* **[Garage](https://git.deuxfleurs.fr/Deuxfleurs/garage/):** S3-compatible lightweight object store for self-hosted geo-distributed deployments
|
||||
* **Stolon + PostgreSQL:** distributed relational database
|
||||
* Network Control Plane
|
||||
* **[DiploNAT](https://git.deuxfleurs.fr/Deuxfleurs/diplonat):** - network automation (firewalling, upnp igd)
|
||||
* **[D53](https://git.deuxfleurs.fr/lx/d53)** - update DNS entries (A and AAAA) dynamically based on Nomad service scheduling and local node info
|
||||
* **[Tricot](https://git.deuxfleurs.fr/Deuxfleurs/tricot)** - a dynamic reverse proxy for nomad+consul inspired by traefik
|
||||
* **[wgautomesh](https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh)** - a dynamic wireguard mesh configurator
|
||||
* User Management
|
||||
* **[Bottin](https://git.deuxfleurs.fr/Deuxfleurs/bottin):** authentication and authorization (LDAP protocol, consul backend)
|
||||
* **[Guichet](https://git.deuxfleurs.fr/Deuxfleurs/guichet):** a dashboard for our users and administrators7
|
||||
* Observability
|
||||
* **Prometheus + Grafana:** monitoring
|
||||
|
||||
Some services we provide based on this abstraction:
|
||||
|
||||
* **Websites:** Garage (static) + fediverse blog (Plume)
|
||||
* **Chat:** Synapse + Element Web (Matrix protocol)
|
||||
* **Email:** Postfix SMTP + Dovecot IMAP + opendkim DKIM + Sogo webmail | Alps webmail (experimental)
|
||||
- **[Aerogramme](https://git.deuxfleurs.fr/Deuxfleurs/aerogramme/):** an encrypted IMAP server
|
||||
* **Visioconference:** Jitsi
|
||||
* **Collaboration:** CryptPad
|
||||
|
||||
|
|
86
cluster/prod/app/bagage/deploy/bagage.hcl
Normal file
86
cluster/prod/app/bagage/deploy/bagage.hcl
Normal file
|
@ -0,0 +1,86 @@
|
|||
job "bagage" {
|
||||
datacenters = ["orion", "neptune"]
|
||||
type = "service"
|
||||
priority = 90
|
||||
|
||||
constraint {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
}
|
||||
|
||||
group "main" {
|
||||
count = 1
|
||||
|
||||
network {
|
||||
port "web_port" {
|
||||
static = 8080
|
||||
to = 8080
|
||||
}
|
||||
port "ssh_port" {
|
||||
static = 2222
|
||||
to = 2222
|
||||
}
|
||||
}
|
||||
|
||||
task "server" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "superboum/amd64_bagage:v11"
|
||||
readonly_rootfs = false
|
||||
network_mode = "host"
|
||||
volumes = [
|
||||
"secrets/id_rsa:/id_rsa"
|
||||
]
|
||||
ports = [ "web_port", "ssh_port" ]
|
||||
}
|
||||
|
||||
env {
|
||||
BAGAGE_LDAP_ENDPOINT = "bottin.service.prod.consul:389"
|
||||
}
|
||||
|
||||
resources {
|
||||
memory = 200
|
||||
cpu = 100
|
||||
}
|
||||
|
||||
template {
|
||||
data = "{{ key \"secrets/bagage/id_rsa\" }}"
|
||||
destination = "secrets/id_rsa"
|
||||
}
|
||||
|
||||
service {
|
||||
name = "bagage-ssh"
|
||||
port = "ssh_port"
|
||||
address_mode = "host"
|
||||
tags = [
|
||||
"bagage",
|
||||
"(diplonat (tcp_port 2222))"
|
||||
]
|
||||
}
|
||||
|
||||
service {
|
||||
name = "bagage-webdav"
|
||||
tags = [
|
||||
"bagage",
|
||||
"tricot bagage.deuxfleurs.fr",
|
||||
"d53-cname bagage.deuxfleurs.fr",
|
||||
]
|
||||
port = "web_port"
|
||||
address_mode = "host"
|
||||
check {
|
||||
type = "tcp"
|
||||
port = "web_port"
|
||||
address_mode = "host"
|
||||
interval = "60s"
|
||||
timeout = "5s"
|
||||
check_restart {
|
||||
limit = 3
|
||||
grace = "90s"
|
||||
ignore_warnings = false
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
4
cluster/prod/app/bagage/secrets.toml
Normal file
4
cluster/prod/app/bagage/secrets.toml
Normal file
|
@ -0,0 +1,4 @@
|
|||
[secrets."bagage/id_rsa"]
|
||||
type = 'command'
|
||||
rotate = true
|
||||
command = 'ssh-keygen -q -f >(cat) -N "" <<< y 2>/dev/null 1>&2 ; true'
|
|
@ -1,5 +1,5 @@
|
|||
job "core" {
|
||||
datacenters = ["orion", "neptune", "bespin", "scorpio"]
|
||||
datacenters = ["orion", "neptune", "scorpio"]
|
||||
type = "system"
|
||||
priority = 90
|
||||
|
||||
|
@ -13,7 +13,7 @@ job "core" {
|
|||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "lxpz/amd64_diplonat:4"
|
||||
image = "lxpz/amd64_diplonat:5"
|
||||
network_mode = "host"
|
||||
readonly_rootfs = true
|
||||
privileged = true
|
||||
|
@ -181,7 +181,7 @@ EOH
|
|||
task "bottin" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "superboum/bottin_amd64:22"
|
||||
image = "dxflrs/bottin:7h18i30cckckaahv87d3c86pn4a7q41z"
|
||||
network_mode = "host"
|
||||
readonly_rootfs = true
|
||||
ports = [ "ldap_port" ]
|
||||
|
|
|
@ -1,2 +1,3 @@
|
|||
*@deuxfleurs.fr smtp._domainkey.deuxfleurs.fr
|
||||
*@dufour.io smtp._domainkey.deuxfleurs.fr
|
||||
*@luxeylab.net smtp._domainkey.deuxfleurs.fr
|
||||
|
|
|
@ -63,7 +63,6 @@ job "email" {
|
|||
port = "imap_port"
|
||||
tags = [
|
||||
"dovecot",
|
||||
"d53-a imap.deuxfleurs.fr",
|
||||
]
|
||||
check {
|
||||
type = "tcp"
|
||||
|
@ -83,7 +82,9 @@ job "email" {
|
|||
port = "imaps_port"
|
||||
tags = [
|
||||
"dovecot",
|
||||
"(diplonat (tcp_port 993))"
|
||||
"(diplonat (tcp_port 993))",
|
||||
"d53-a imap.deuxfleurs.fr",
|
||||
"d53-aaaa imap.deuxfleurs.fr",
|
||||
]
|
||||
|
||||
check {
|
||||
|
@ -283,8 +284,7 @@ job "email" {
|
|||
"postfix",
|
||||
"(diplonat (tcp_port 25 465 587))",
|
||||
"d53-a smtp.deuxfleurs.fr",
|
||||
# ipv6 is commented for now as port is not open in firewall (TODO)
|
||||
# "d53-aaaa smtp.deuxfleurs.fr"
|
||||
"d53-aaaa smtp.deuxfleurs.fr"
|
||||
]
|
||||
check {
|
||||
type = "tcp"
|
||||
|
|
|
@ -28,6 +28,9 @@
|
|||
"group_can_admin": "cn=admin,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
|
||||
"group_can_invite": "cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
|
||||
|
||||
"s3_admin_endpoint": "garage-admin.service.prod.consul:3903",
|
||||
"s3_admin_token": "{{ key "secrets/garage/admin_token" | trimSpace }}",
|
||||
|
||||
"s3_endpoint": "{{ key "secrets/directory/guichet/s3_endpoint" }}",
|
||||
"s3_access_key": "{{ key "secrets/directory/guichet/s3_access_key" | trimSpace }}",
|
||||
"s3_secret_key": "{{ key "secrets/directory/guichet/s3_secret_key" | trimSpace }}",
|
||||
|
|
|
@ -13,7 +13,7 @@ job "guichet" {
|
|||
task "guichet" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "dxflrs/guichet:17"
|
||||
image = "dxflrs/guichet:18"
|
||||
readonly_rootfs = true
|
||||
ports = [ "web_port" ]
|
||||
volumes = [
|
||||
|
|
|
@ -65,7 +65,8 @@ job "matrix" {
|
|||
|
||||
resources {
|
||||
cpu = 1000
|
||||
memory = 1000
|
||||
memory = 500
|
||||
memory_max = 1000
|
||||
}
|
||||
|
||||
service {
|
||||
|
|
|
@ -37,7 +37,8 @@ job "postgres14" {
|
|||
]
|
||||
}
|
||||
resources {
|
||||
memory = 100
|
||||
memory = 20
|
||||
memory_max = 100
|
||||
}
|
||||
|
||||
template {
|
||||
|
@ -80,7 +81,8 @@ job "postgres14" {
|
|||
}
|
||||
|
||||
resources {
|
||||
memory = 100
|
||||
memory = 20
|
||||
memory_max = 100
|
||||
}
|
||||
|
||||
template {
|
||||
|
@ -172,7 +174,8 @@ job "postgres14" {
|
|||
}
|
||||
|
||||
resources {
|
||||
memory = 600
|
||||
memory = 400
|
||||
memory_max = 600
|
||||
}
|
||||
|
||||
service {
|
||||
|
|
|
@ -36,7 +36,8 @@ job "telemetry-service" {
|
|||
}
|
||||
|
||||
resources {
|
||||
memory = 200
|
||||
memory = 50
|
||||
memory_max = 200
|
||||
cpu = 100
|
||||
}
|
||||
}
|
||||
|
@ -75,7 +76,8 @@ EOH
|
|||
}
|
||||
|
||||
resources {
|
||||
memory = 500
|
||||
memory = 100
|
||||
memory_max = 400
|
||||
cpu = 500
|
||||
}
|
||||
|
||||
|
@ -123,7 +125,8 @@ EOH
|
|||
}
|
||||
|
||||
resources {
|
||||
memory = 200
|
||||
memory = 50
|
||||
memory_max = 200
|
||||
cpu = 100
|
||||
}
|
||||
}
|
||||
|
|
|
@ -22,7 +22,7 @@ job "albatros" {
|
|||
task "controller" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "dxflrs/albatros:750015b3fff91af8b9b86869411216a06bd13614"
|
||||
image = "dxflrs/albatros:76c59221d171eb56a2ce2bfa630502ff78eeae74"
|
||||
ports = [ "http" ]
|
||||
volumes = [
|
||||
"secrets/certs:/var/run/secrets/albatros"
|
||||
|
|
Loading…
Reference in a new issue