From abce598e6c7933e9f902a768c974fbbd695258ad Mon Sep 17 00:00:00 2001
From: ADRN
Date: Sat, 13 Jan 2024 17:58:33 +0100
Subject: [PATCH 1/3] WIP: im.deuxfleurs.fr porte de service pour Android 7. TODO : mettre le certificat dans Consul et tester. Testeeeeeer.
---
 .../prod/app/matrix/deploy/im-android7.hcl | 74 +++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 cluster/prod/app/matrix/deploy/im-android7.hcl
diff --git a/cluster/prod/app/matrix/deploy/im-android7.hcl b/cluster/prod/app/matrix/deploy/im-android7.hcl
new file mode 100644
index 0000000..1daa4e9
--- /dev/null
+++ b/cluster/prod/app/matrix/deploy/im-android7.hcl
@@ -0,0 +1,74 @@
+// Fichier de configuration pour exposer le service Matrix
+// avec une version TLS compatible avec Android 7
+// Voir https://git.deuxfleurs.fr/Deuxfleurs/nixcfg/src/branch/main/cluster/prod/app/email/integration
+
+
+
+job "im-android7" {
+ datacenters = ["scorpio", "neptune"]
+ type = "service"
+ priority = 100
+
+ group "rsa-ecc-proxy" {
+ network {
+ port "api_port" { static = 8008 }
+ // port "web_port" { to = 8043 }
+ }
+
+ task "api-proxy" {
+ driver = "docker"
+ config {
+ image = "alpine/socat:1.8.0.0"
+ readonly_rootfs = true
+ ports = [ "api_port" ]
+ network_mode = "host"
+ args = [
+ "openssl-listen:8008,reuseaddr,fork,verify=0,bind=0.0.0.0,cert=/var/secrets/rsa.crt,key=/var/secrets/rsa.key",
+ "openssl:im.deuxfleurs.fr:8008,verify=0",
+ ]
+ volumes = [
+ "secrets/certs:/var/secrets"
+ ]
+ }
+
+ // TODO : ajouter un certificat TLS self-signed à Consul à l'adresse ci-dessous
+ template {
+ data = "{{ key \"secrets/matrix/tls-tls-proxy/rsa.crt\" }}"
+ destination = "secrets/certs/rsa.crt"
+ }
+ template {
+ data = "{{ key \"secrets/matrix/tls-tls-proxy/rsa.key\" }}"
+ destination = "secrets/certs/rsa.key"
+ }
+
+ resources {
+ cpu = 50
+ memory = 50
+ }
+
+ service {
+ name = "im-android7"
+ port = "api_port"
+ address_mode = "host"
+ tags = [
+ "rsa-ecc-proxy",
+ "(diplonat (tcp_port 8008))",
+ "d53-a im-android7.deuxfleurs.fr",
+ # ipv6 is commented for now as socat does not listen on ipv6 now
+ # "d53-aaaa im-android7.deuxfleurs.fr"
+ ]
+ check {
+ type = "tcp"
+ port = "api_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
-- 2.45.2
From df7301e97a03a73c87c0f5be62793121a2e38245 Mon Sep 17 00:00:00 2001
From: ADRN
Date: Mon, 22 Jan 2024 18:31:09 +0100
Subject: [PATCH 2/3] im-android7 avant lancement
---
 cluster/prod/app/matrix/deploy/im-android7.hcl | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
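Review bot: The backend leg `"openssl:im.deuxfleurs.fr:8008,verify=0"` in `args` turns certificate verification off, so the proxy completes a TLS handshake with whatever host answers for that name and relays every client's Matrix traffic, access tokens included, to it; because this leg resolves a public name and leaves the node, tampering with DNS or routing on that path would go unnoticed. Keep verification on, e.g. `"openssl:im.deuxfleurs.fr:8008,verify=1,cafile=/etc/ssl/certs/ca-certificates.crt"` (the CA bundle path inside the alpine/socat image needs confirming), or reach the backend over the cluster's internal network instead. The `check` block is a bare TCP connect, which proves socat accepts connections but says nothing about whether the RSA certificate and key rendered from Consul are actually being served; a check that negotiates TLS would catch a broken certificate before clients do. The header comment should also name the incompatibility being worked around — the group name `rsa-ecc-proxy` and the `rsa.crt` file suggest Android 7 chokes on the ECDSA certificate of the stock endpoint, but that is inferred, and the `args` set no cipher or protocol constraints, so socat's OpenSSL defaults are what is relied on.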
diff --git a/cluster/prod/app/matrix/deploy/im-android7.hcl b/cluster/prod/app/matrix/deploy/im-android7.hcl
index 1daa4e9..d78e2db 100644
--- a/cluster/prod/app/matrix/deploy/im-android7.hcl
+++ b/cluster/prod/app/matrix/deploy/im-android7.hcl
@@ -31,13 +31,12 @@ job "im-android7" {
 ]
 }
 
- // TODO : ajouter un certificat TLS self-signed à Consul à l'adresse ci-dessous
 template {
- data = "{{ key \"secrets/matrix/tls-tls-proxy/rsa.crt\" }}"
+ data = "{{ key \"secrets/chat/tls-tls-proxy/rsa.crt\" }}"
 destination = "secrets/certs/rsa.crt"
 }
 template {
- data = "{{ key \"secrets/matrix/tls-tls-proxy/rsa.key\" }}"
+ data = "{{ key \"secrets/chat/tls-tls-proxy/rsa.key\" }}"
 destination = "secrets/certs/rsa.key"
 }
 
-- 2.45.2
From 3e93d193476d3f87d0a9d6208766380d324331e4 Mon Sep 17 00:00:00 2001
From: ADRN
Date: Mon, 22 Jan 2024 20:24:46 +0100
Subject: [PATCH 3/3] the android bridge to android7 works, but Element does not. Solution is to use FluffyChat that embarks its own crypto. We will not merge
---
 .gitignore | 1 +
 cluster/prod/app/matrix/deploy/im-android7.hcl | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 98ba037..f8a6632 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ secrets/* cluster/*/secrets/* !cluster/*/secrets/*.sample
+bugs/
diff --git a/cluster/prod/app/matrix/deploy/im-android7.hcl b/cluster/prod/app/matrix/deploy/im-android7.hcl
index d78e2db..fecaaae 100644
--- a/cluster/prod/app/matrix/deploy/im-android7.hcl
+++ b/cluster/prod/app/matrix/deploy/im-android7.hcl
@@ -11,7 +11,7 @@ job "im-android7" {
 
 group "rsa-ecc-proxy" {
 network {
- port "api_port" { static = 8008 }
+ port "api_port" { static = 18008 }
 // port "web_port" { to = 8043 }
 }
 
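Review bot: The template that renders `rsa.key` has no `perms` attribute, so the private key lands in `secrets/certs/rsa.key` with the template stanza's default file mode (0644 in Nomad, as far as I recall) although only the socat process needs to read it; add `perms = "0600"` to that template block, and an explicit `perms = "0644"` on the certificate template so the difference is deliberate. The key is fetched from the Consul KV path `secrets/chat/tls-tls-proxy/rsa.key`, which follows the repo's convention, but it means any Consul token with read access to that prefix can recover the private key, so the ACL on the prefix should be no wider than this job. The enclosing `task "api-proxy"` block starts and ends outside the hunk.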
@@ -23,8 +23,8 @@ job "im-android7" {
 ports = [ "api_port" ]
 network_mode = "host"
 args = [
- "openssl-listen:8008,reuseaddr,fork,verify=0,bind=0.0.0.0,cert=/var/secrets/rsa.crt,key=/var/secrets/rsa.key",
- "openssl:im.deuxfleurs.fr:8008,verify=0",
+ "openssl-listen:18008,reuseaddr,fork,verify=0,bind=0.0.0.0,cert=/var/secrets/rsa.crt,key=/var/secrets/rsa.key",
+ "tcp:synapse.service.prod.consul:8008",
 ]
 volumes = [
 "secrets/certs:/var/secrets"
@@ -51,7 +51,7 @@ job "im-android7" {
 address_mode = "host"
 tags = [
 "rsa-ecc-proxy",
- "(diplonat (tcp_port 8008))",
+ "(diplonat (tcp_port 18008))",
 "d53-a im-android7.deuxfleurs.fr",
 # ipv6 is commented for now as socat does not listen on ipv6 now
 # "d53-aaaa im-android7.deuxfleurs.fr"
-- 2.45.2
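Review bot: The new backend leg `"tcp:synapse.service.prod.consul:8008"` makes the proxy terminate TLS and forward the clients' traffic, bearer tokens included, in cleartext to whatever address Consul DNS returns for that service; that is only safe if the network between cluster nodes is itself private or encrypted, which nothing in this job establishes, so the assumption deserves a comment on that line such as `// cleartext hop to synapse: relies on the cluster network being private/encrypted`. Since socat relays at TCP level, Synapse will see every Android 7 client as coming from this node's own address, so any per-IP rate limiting or audit logging on the Synapse side lumps them together and cannot tell them apart; the file header comment should mention this. The `openssl-listen` side still carries `verify=0`, which is fine here (no client certificate is expected) but is worth a short comment so it is not mistaken for the upstream-verification flag this change removes.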