Merge pull request 'Reorganize app/ and add script for secret management' (#29) from test_reorganize into master
Reviewed-on: Deuxfleurs/infrastructure#29
ad6017eea0
238 changed files with 525 additions and 134 deletions
|
@ -82,6 +82,7 @@ alias bind_df="ssh \
|
||||||
-L 8500:127.0.0.1:8500 \
|
-L 8500:127.0.0.1:8500 \
|
||||||
-L 8082:traefik-admin.service.2.cluster.deuxfleurs.fr:8082 \
|
-L 8082:traefik-admin.service.2.cluster.deuxfleurs.fr:8082 \
|
||||||
-L 5432:psql-proxy.service.2.cluster.deuxfleurs.fr:5432 \
|
-L 5432:psql-proxy.service.2.cluster.deuxfleurs.fr:5432 \
|
||||||
|
-L 1389:bottin2.service.2.cluster.deuxfleurs.fr:389 \
|
||||||
<a server from the cluster>"
|
<a server from the cluster>"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
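--- /dev/null
+++ b/app/.gitignore
@@ -0,0 +1 @@
+__pycache__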
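Review bot: The new `app/.gitignore` only ignores `__pycache__`, while the deny-all `app/config/secrets/.gitignore` deleted in this same commit (which allowed only `*.sample`, `*.gen`, `*.sh` and `.gitignore`) is not replaced for the new `<module>/secrets/` directories the README introduces. The old layout generated secret values into files beside the samples (the removed `openssl rand -base64 32 > pgsql_pw` scripts), which is what that allow-list kept out of version control. Whether `secretmgr.py gen` writes anything to disk is not visible here; if it does, generated values under `app/*/secrets/` would now be tracked by default. Either carry the allow-list pattern over to the new layout (ignore everything under `*/secrets/`, then re-allow the descriptor files) or state in the README that generated values are stored only in Consul.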
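--- /dev/null
+++ b/app/README.md
@@ -0,0 +1,52 @@
+## Understand this folder hierarchy
+
+This folder contains the following hierarchy:
+
+- `<module>/build/<image_name>/`: folders with dockerfiles and other necessary resources for building container images
+- `<module>/config/`: folder containing configuration files, referenced by deployment file
+- `<module>/secrets/`: folder containing secrets, which can be synchronized with Consul using `secretmgr.py`
+- `<module>/deploy/`: folder containing the HCL file(s) necessary for deploying the module
+- `<module>/integration/`: folder containing files for integration testing using docker-compose
+
+## How to install `secretmgr.py` dependencies
+
+How to install its dependencies:
+
+```bash
+# on fedora:
+dnf install -y openldap-devel
+# on ubuntu:
+apt-get install -y libldap2-dev
+
+# for eveyrone:
+pip3 install --user --requirement requirements.txt
+```
+
+## How to use `secretmgr.py`
+
+Check that all secrets are correctly deployed for app `dummy`:
+
+```bash
+./secretmgr.py check dummy
+```
+
+Generate secrets for app `dummy` if they don't already exist:
+
+```bash
+./secretmgr.py gen dummy
+```
+
+Rotate secrets for app `dummy`, overwriting existing ones (be careful, this is dangerous!):
+
+```bash
+./secretmgr.py regen dummy
+```
+
+## How to upgrade our packaged apps to a new version?
+
+1. Edit `docker-compose.yml`
+2. Change the `VERSION` variable to the desired version
+3. Increment the docker image tag by 1 (eg: superboum/riot:v13 -> superboum/riot:v14)
+4. Run `docker-compose build`
+5. Run `docker-compose push`
+6. Done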
@ -1,8 +0,0 @@
|
||||||
## How to upgrade our packaged apps to a new version?
|
|
||||||
|
|
||||||
1. Edit `docker-compose.yml`
|
|
||||||
2. Change the `VERSION` variable to the desired version
|
|
||||||
3. Increment the docker image tag by 1 (eg: superboum/riot:v13 -> superboum/riot:v14)
|
|
||||||
4. Run `docker-compose build`
|
|
||||||
5. Run `docker-compose push`
|
|
||||||
6. Done
|
|
|
@ -1,16 +0,0 @@
|
||||||
FROM amd64/debian:stretch as builder
|
|
||||||
|
|
||||||
COPY ./quentin.dufour.io/Gemfile /root/quentin.dufour.io/Gemfile
|
|
||||||
|
|
||||||
WORKDIR /root/quentin.dufour.io
|
|
||||||
|
|
||||||
RUN apt-get update && \
|
|
||||||
apt-get install -y ruby-dev gem build-essential bundler zlib1g-dev libxml2-dev && \
|
|
||||||
bundle install
|
|
||||||
|
|
||||||
COPY ./quentin.dufour.io/ /root/quentin.dufour.io/
|
|
||||||
RUN bundle exec jekyll build
|
|
||||||
|
|
||||||
FROM superboum/amd64_webserver:v2
|
|
||||||
COPY --from=builder /root/quentin.dufour.io/_site /srv/http
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
sudo docker build -t superboum/amd64_blog:v19 .
|
|
|
@ -1,8 +0,0 @@
|
||||||
FROM amd64/debian:buster
|
|
||||||
|
|
||||||
RUN apt-get update && \
|
|
||||||
apt-get dist-upgrade -y && \
|
|
||||||
apt-get install -y \
|
|
||||||
coturn
|
|
||||||
|
|
||||||
CMD ["/usr/bin/turnserver"]
|
|
|
@ -1,17 +0,0 @@
|
||||||
|
|
||||||
## Génère l'image
|
|
||||||
```
|
|
||||||
sudo docker build -t registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 .
|
|
||||||
```
|
|
||||||
|
|
||||||
## Run bash dans le container
|
|
||||||
```
|
|
||||||
sudo docker run --rm -t -i registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 bash
|
|
||||||
sudo docker run --rm -t -i -p 3478:3478/udp -p 3479:3479/udp -p 3478:3478/tcp -p 3479:3479/tcp registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1
|
|
||||||
```
|
|
||||||
|
|
||||||
## Used ports
|
|
||||||
- udp/tcp 3478 3479
|
|
||||||
|
|
||||||
## Publish
|
|
||||||
sudo docker push registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1
|
|
|
@ -1,3 +0,0 @@
|
||||||
```
|
|
||||||
docker build -t superboum/amd64_landing:v8 .
|
|
||||||
```
|
|
|
@ -1,9 +0,0 @@
|
||||||
FROM golang:1.11.1-stretch as builder
|
|
||||||
|
|
||||||
COPY ./goStatic /goStatic
|
|
||||||
WORKDIR /goStatic
|
|
||||||
RUN CGO_ENABLED=0 go build -a -o web-server .
|
|
||||||
|
|
||||||
FROM scratch
|
|
||||||
COPY --from=builder /goStatic/web-server /
|
|
||||||
ENTRYPOINT ["/web-server"]
|
|
|
@ -1,5 +0,0 @@
|
||||||
|
|
||||||
```
|
|
||||||
sudo docker build -t superboum/amd64_webserver:v3 .
|
|
||||||
sudo docker push superboum/amd64_webserver:v3
|
|
||||||
```
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit 3f97f57aaee09a142afe3ca0f1a5d51acd856436
|
|
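--- a/app/config/secrets/.gitignore
+++ /dev/null
@@ -1,11 +0,0 @@
-# Blacklist everything cleverly
-*
-!*/
-
-# Whitelist some patterns
-!*.sample
-!*.gen
-!*.sh
-!.gitignore
-
-# Whitelist specific files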
@ -1 +0,0 @@
|
||||||
postgres://username:password@hostname/dbname
|
|
|
@ -1,2 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
openssl rand -base64 32 > pgsql_pw
|
|
|
@ -1,2 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
openssl rand -base64 32 > secret_key
|
|
|
@ -35,7 +35,7 @@ job "directory" {
|
||||||
}
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = file("../config/configuration/directory/bottin/config.json")
|
data = file("../config/bottin/config.json")
|
||||||
destination = "secrets/config.json"
|
destination = "secrets/config.json"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -78,7 +78,7 @@ job "directory" {
|
||||||
}
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = file("../config/configuration/directory/guichet/config.json.tpl")
|
data = file("../config/guichet/config.json.tpl")
|
||||||
destination = "secrets/config.json"
|
destination = "secrets/config.json"
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,7 +3,7 @@ services:
|
||||||
|
|
||||||
mariadb:
|
mariadb:
|
||||||
build:
|
build:
|
||||||
context: ./mariadb
|
context: ./seafile/build/mariadb
|
||||||
args:
|
args:
|
||||||
VERSION: 4 # fake for now
|
VERSION: 4 # fake for now
|
||||||
image: superboum/amd64_mariadb:v4
|
image: superboum/amd64_mariadb:v4
|
||||||
|
@ -11,7 +11,7 @@ services:
|
||||||
# Instant Messaging
|
# Instant Messaging
|
||||||
riot:
|
riot:
|
||||||
build:
|
build:
|
||||||
context: ./riotweb
|
context: ./im/build/riotweb
|
||||||
args:
|
args:
|
||||||
# https://github.com/vector-im/riot-web/releases
|
# https://github.com/vector-im/riot-web/releases
|
||||||
VERSION: 1.7.16
|
VERSION: 1.7.16
|
||||||
|
@ -19,7 +19,7 @@ services:
|
||||||
|
|
||||||
synapse:
|
synapse:
|
||||||
build:
|
build:
|
||||||
context: ./matrix-synapse
|
context: ./im/build/matrix-synapse
|
||||||
args:
|
args:
|
||||||
# https://github.com/matrix-org/synapse/releases
|
# https://github.com/matrix-org/synapse/releases
|
||||||
VERSION: 1.25.0
|
VERSION: 1.25.0
|
||||||
|
@ -28,7 +28,7 @@ services:
|
||||||
# Email
|
# Email
|
||||||
sogo:
|
sogo:
|
||||||
build:
|
build:
|
||||||
context: ./sogo
|
context: ./email/build/sogo
|
||||||
args:
|
args:
|
||||||
# fake for now
|
# fake for now
|
||||||
VERSION: 5.0.0
|
VERSION: 5.0.0
|
||||||
|
@ -36,7 +36,7 @@ services:
|
||||||
|
|
||||||
alps:
|
alps:
|
||||||
build:
|
build:
|
||||||
context: ./alps
|
context: ./email/build/alps
|
||||||
args:
|
args:
|
||||||
VERSION: 5cef0aaff2b8b6ee3e00b566123517e241d8cfb8
|
VERSION: 5cef0aaff2b8b6ee3e00b566123517e241d8cfb8
|
||||||
image: superboum/amd64_alps:v1
|
image: superboum/amd64_alps:v1
|
||||||
|
@ -44,7 +44,7 @@ services:
|
||||||
# VoIP
|
# VoIP
|
||||||
jitsi-meet:
|
jitsi-meet:
|
||||||
build:
|
build:
|
||||||
context: ./jitsi-meet
|
context: ./jitsi/build/jitsi-meet
|
||||||
args:
|
args:
|
||||||
# https://github.com/jitsi/jitsi-meet
|
# https://github.com/jitsi/jitsi-meet
|
||||||
PREFIXV: stable/jitsi-meet_
|
PREFIXV: stable/jitsi-meet_
|
||||||
|
@ -53,7 +53,7 @@ services:
|
||||||
|
|
||||||
jitsi-conference-focus:
|
jitsi-conference-focus:
|
||||||
build:
|
build:
|
||||||
context: ./jitsi-conference-focus
|
context: ./jitsi/build/jitsi-conference-focus
|
||||||
args:
|
args:
|
||||||
# https://github.com/jitsi/jicofo
|
# https://github.com/jitsi/jicofo
|
||||||
PREFIXV: stable/jitsi-meet_
|
PREFIXV: stable/jitsi-meet_
|
||||||
|
@ -62,7 +62,7 @@ services:
|
||||||
|
|
||||||
jitsi-videobridge:
|
jitsi-videobridge:
|
||||||
build:
|
build:
|
||||||
context: ./jitsi-videobridge
|
context: ./jitsi/build/jitsi-videobridge
|
||||||
args:
|
args:
|
||||||
# https://github.com/jitsi/jitsi-videobridge
|
# https://github.com/jitsi/jitsi-videobridge
|
||||||
PREFIXV: stable/jitsi-meet_
|
PREFIXV: stable/jitsi-meet_
|
||||||
|
@ -71,21 +71,21 @@ services:
|
||||||
|
|
||||||
jitsi-xmpp:
|
jitsi-xmpp:
|
||||||
build:
|
build:
|
||||||
context: ./jitsi-xmpp
|
context: ./jitsi/build/jitsi-xmpp
|
||||||
args:
|
args:
|
||||||
VERSION: 0.11.2-1
|
VERSION: 0.11.2-1
|
||||||
image: superboum/amd64_jitsi_xmpp:v8
|
image: superboum/amd64_jitsi_xmpp:v8
|
||||||
|
|
||||||
plume:
|
plume:
|
||||||
build:
|
build:
|
||||||
context: ./plume
|
context: ./plume/build/plume
|
||||||
args:
|
args:
|
||||||
VERSION: 0.6.0
|
VERSION: 0.6.0
|
||||||
image: superboum/plume:v2
|
image: superboum/plume:v2
|
||||||
|
|
||||||
postfix:
|
postfix:
|
||||||
build:
|
build:
|
||||||
context: ./postfix
|
context: ./email/build/postfix
|
||||||
args:
|
args:
|
||||||
# https://packages.debian.org/fr/buster/postfix
|
# https://packages.debian.org/fr/buster/postfix
|
||||||
VERSION: 3.4.14-0+deb10u1
|
VERSION: 3.4.14-0+deb10u1
|
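--- /dev/null
+++ b/app/dummy/secrets/dummy/test_cmd
@@ -0,0 +1 @@
+CMD head -c 10 /dev/urandom | base64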
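Review bot: `head -c 10 /dev/urandom | base64` in `test_cmd` yields only 80 bits of entropy, well below the `openssl rand -base64 32` (256 bits) that the generator scripts removed in this commit produced. Even though `dummy` is a test app, it is the only worked example of a `CMD` descriptor and is likely to be copied for real services, so it should model the expected strength: `CMD head -c 32 /dev/urandom | base64`. The descriptor keywords introduced here (`CMD`, `CONST`, `CONST_LONG`, `SERVICE_DN`, `SERVICE_PASSWORD`, `USER`) are also not described in the README added by this commit; a short list stating what each keyword means, and that a `CMD` line is run as a shell command by `secretmgr.py` (presumably so, since the script itself is not shown here), would make the format reviewable.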
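--- /dev/null
+++ b/app/dummy/secrets/dummy/test_const
@@ -0,0 +1 @@
+CONST this is a constant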
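--- /dev/null
+++ b/app/dummy/secrets/dummy/test_const_long
@@ -0,0 +1,5 @@
+CONST_LONG
+this is a
+constant
+on several
+lines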
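--- /dev/null
+++ b/app/dummy/secrets/dummy/test_service_dn
@@ -0,0 +1 @@
+SERVICE_DN dummy Dummy service for testing secretmgr.py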
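--- /dev/null
+++ b/app/dummy/secrets/dummy/test_service_password
@@ -0,0 +1 @@
+SERVICE_PASSWORD dummy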
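--- /dev/null
+++ b/app/dummy/secrets/dummy/test_user
@@ -0,0 +1 @@
+USER Test user value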