Reconfigure services to use correct tricot url, TLS fails
parent
a0c8280c02
commit
cfb1d623d9
7 changed files with 169 additions and 12 deletions
|
@ -34,8 +34,8 @@ job "core" {
|
||||||
}
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
|
data = "{{ key \"secrets/consul/consul.crt\" }}"
|
||||||
destination = "secrets/consul-ca.crt"
|
destination = "secrets/consul.crt"
|
||||||
}
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
|
@ -53,8 +53,8 @@ job "core" {
|
||||||
DIPLONAT_REFRESH_TIME=60
|
DIPLONAT_REFRESH_TIME=60
|
||||||
DIPLONAT_EXPIRATION_TIME=300
|
DIPLONAT_EXPIRATION_TIME=300
|
||||||
DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }}
|
DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }}
|
||||||
DIPLONAT_CONSUL_URL=https://localhost:8501
|
DIPLONAT_CONSUL_URL=https://consul.service.prod.consul:8501
|
||||||
DIPLONAT_CONSUL_CA_CERT=/etc/diplonat/consul-ca.crt
|
DIPLONAT_CONSUL_CA_CERT=/etc/diplonat/consul.crt
|
||||||
DIPLONAT_CONSUL_CLIENT_CERT=/etc/diplonat/consul-client.crt
|
DIPLONAT_CONSUL_CLIENT_CERT=/etc/diplonat/consul-client.crt
|
||||||
DIPLONAT_CONSUL_CLIENT_KEY=/etc/diplonat/consul-client.key
|
DIPLONAT_CONSUL_CLIENT_KEY=/etc/diplonat/consul-client.key
|
||||||
RUST_LOG=debug
|
RUST_LOG=debug
|
||||||
|
|
|
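Review bot: `DIPLONAT_CONSUL_CA_CERT=/etc/diplonat/consul.crt` now points the trust anchor at the yearly server leaf certificate (the secrets script in this commit publishes `secrets/consul/consul.crt` from `consul$YEAR.crt`) instead of the CA, which is not what a CA-cert option is for and ties the job's trust to a certificate that changes on every rotation. It also does not address the failure the title mentions: verifying `https://consul.service.prod.consul:8501` requires that DNS name in the server certificate's SAN list, which a cert issued for the local agent address will not carry — confirm with `openssl x509 -noout -ext subjectAltName -in consul$YEAR.crt`. I would keep `DIPLONAT_CONSUL_CA_CERT=/etc/diplonat/consul-ca.crt` together with the `secrets/consul/consul-ca.crt` template and either reissue the server certificate with the new SAN or keep talking to the local agent on `localhost:8501`. The task block continues outside the hunk.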
@ -41,8 +41,8 @@ job "directory" {
|
||||||
}
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
|
data = "{{ key \"secrets/consul/consul.crt\" }}"
|
||||||
destination = "secrets/consul-ca.crt"
|
destination = "secrets/consul.crt"
|
||||||
}
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
|
@ -57,9 +57,9 @@ job "directory" {
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = <<EOH
|
data = <<EOH
|
||||||
CONSUL_HTTP_ADDR=https://localhost:8501
|
CONSUL_HTTP_ADDR=https://consul.service.prod.consul:8501
|
||||||
CONSUL_HTTP_SSL=true
|
CONSUL_HTTP_SSL=true
|
||||||
CONSUL_CACERT=/etc/bottin/consul-ca.crt
|
CONSUL_CACERT=/etc/bottin/consul.crt
|
||||||
CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
|
CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
|
||||||
CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
|
CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
|
||||||
EOH
|
EOH
|
||||||
|
|
|
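Review bot: `CONSUL_CACERT=/etc/bottin/consul.crt` hands the Consul client a server leaf certificate where it expects a CA bundle; per the secrets script in this commit that file is `consul$YEAR.crt`, so bottin's trust anchor silently changes at the yearly rotation and the KV value must be re-published in the same window as the servers switch certificates or the directory loses its Consul connection. Hostname verification of `consul.service.prod.consul` is unaffected by this swap — it depends on the SAN list of the server certificate — so if that is why TLS fails, the change will not help. Prefer keeping `CONSUL_CACERT=/etc/bottin/consul-ca.crt` with the CA-cert template and fixing the server certificate's SAN instead. `CONSUL_HTTP_SSL=true` is redundant with the `https://` scheme but harmless.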
@ -41,8 +41,8 @@ job "frontend" {
|
||||||
}
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
|
data = "{{ key \"secrets/consul/consul.crt\" }}"
|
||||||
destination = "secrets/consul-ca.crt"
|
destination = "secrets/consul.crt"
|
||||||
}
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
|
@ -60,8 +60,8 @@ job "frontend" {
|
||||||
TRICOT_NODE_NAME={{ env "attr.unique.consul.name" }}
|
TRICOT_NODE_NAME={{ env "attr.unique.consul.name" }}
|
||||||
TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me
|
TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me
|
||||||
TRICOT_ENABLE_COMPRESSION=true
|
TRICOT_ENABLE_COMPRESSION=true
|
||||||
TRICOT_CONSUL_HOST=https://localhost:8501
|
TRICOT_CONSUL_HOST=https://consul.service.prod.consul:8501
|
||||||
TRICOT_CONSUL_CA_CERT=/etc/tricot/consul-ca.crt
|
TRICOT_CONSUL_CA_CERT=/etc/tricot/consul.crt
|
||||||
TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt
|
TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt
|
||||||
TRICOT_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key
|
TRICOT_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key
|
||||||
TRICOT_HTTP_BIND_ADDR=[::]:80
|
TRICOT_HTTP_BIND_ADDR=[::]:80
|
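Review bot: `TRICOT_CONSUL_CA_CERT=/etc/tricot/consul.crt` should stay pointed at the CA (`consul-ca.crt`): the file it now names is rendered from `secrets/consul/consul.crt`, which this commit's secrets script fills with the server's yearly leaf certificate (presumably bind-mounted into `/etc/tricot`, the mount is not in the hunk), and the cluster's edge proxy should not have its Consul trust anchor rotate with an end-entity certificate. If the goal is to make `https://consul.service.prod.consul:8501` verify, the fix is that name in the server certificate's SAN, not which certificate the client trusts. Separately, `TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me` is a personal address in a production template — consider a role mailbox so ACME expiry and revocation notices survive staff changes.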
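--- a/cluster/prod/app/garage/config/garage.toml
+++ b/cluster/prod/app/garage/config/garage.toml
@@ -0,0 +1,24 @@
+block_size = 1048576
+
+metadata_dir = "/meta"
+data_dir = "/data"
+
+replication_mode = "3"
+
+rpc_bind_addr = "[::]:3901"
+rpc_secret = "{{ key "secrets/garage/rpc_secret" | trimSpace }}"
+
+sled_cache_capacity = 536870912
+sled_sync_interval_ms = 10000
+
+[s3_api]
+s3_region = "garage"
+api_bind_addr = "[::]:3900"
+root_domain = ".garage.deuxfleurs.fr"
+
+[s3_web]
+bind_addr = "[::]:3902"
+root_domain = ".web.deuxfleurs.fr"
+
+[admin]
+api_bind_addr = "[::1]:3903"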
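Review bot: The `[admin]` section sets only `api_bind_addr = "[::1]:3903"` and no `admin_token` / `metrics_token`; depending on how 0.7.1 treats an absent token the endpoint is either disabled or answers unauthenticated requests from anything that can reach loopback on the host — and with the task running in `network_mode = "host"` that is every other workload on the node. Consider adding `admin_token = "{{ key "secrets/garage/admin_token" | trimSpace }}"` with a matching `CMD_ONCE` secret spec, after checking the exact key names and defaults in the Garage 0.7.1 configuration reference. Rendering `rpc_secret` from Consul KV into the task's `secrets/` directory rather than committing it is the right pattern.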
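--- a/cluster/prod/app/garage/deploy/garage.hcl
+++ b/cluster/prod/app/garage/deploy/garage.hcl
@@ -0,0 +1,131 @@
+job "garage" {
+datacenters = ["neptune", "orion"]
+type = "system"
+priority = 80
+
+constraint {
+attribute = "${attr.cpu.arch}"
+value = "amd64"
+}
+
+group "garage" {
+network {
+port "s3" { static = 3900 }
+port "rpc" { static = 3901 }
+port "web" { static = 3902 }
+}
+
+update {
+max_parallel = 1
+min_healthy_time = "30s"
+healthy_deadline = "5m"
+}
+
+task "server" {
+driver = "docker"
+config {
+advertise_ipv6_address = true
+image = "dxflrs/amd64_garage:v0.7.1"
+command = "/garage"
+args = [ "server" ]
+network_mode = "host"
+volumes = [
+"/mnt/storage/garage/data:/data",
+"/mnt/ssd/garage/meta:/meta",
+"secrets/garage.toml:/etc/garage.toml",
+]
+logging {
+type = "journald"
+}
+}
+
+template {
+data = file("../config/garage.toml")
+destination = "secrets/garage.toml"
+}
+
+resources {
+memory = 1500
+cpu = 1000
+}
+
+kill_signal = "SIGINT"
+kill_timeout = "20s"
+
+service {
+tags = [
+"garage_api",
+"tricot garage.deuxfleurs.fr",
+"tricot *.garage.deuxfleurs.fr",
+]
+port = 3900
+address_mode = "driver"
+name = "garage-api"
+check {
+type = "tcp"
+port = 3900
+address_mode = "driver"
+interval = "60s"
+timeout = "5s"
+check_restart {
+limit = 3
+grace = "90s"
+ignore_warnings = false
+}
+}
+}
+
+service {
+tags = ["garage-rpc"]
+port = 3901
+address_mode = "driver"
+name = "garage-rpc"
+check {
+type = "tcp"
+port = 3901
+address_mode = "driver"
+interval = "60s"
+timeout = "5s"
+check_restart {
+limit = 3
+grace = "90s"
+ignore_warnings = false
+}
+}
+}
+
+service {
+tags = [
+"garage-web",
+"tricot * 1",
+"tricot-add-header Content-Security-Policy default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://code.jquery.com/; frame-ancestors 'self'",
+"tricot-add-header Strict-Transport-Security max-age=63072000; includeSubDomains; preload",
+"tricot-add-header X-Frame-Options SAMEORIGIN",
+"tricot-add-header X-XSS-Protection 1; mode=block",
+]
+port = 3902
+address_mode = "driver"
+name = "garage-web"
+check {
+type = "tcp"
+port = 3902
+address_mode = "driver"
+interval = "60s"
+timeout = "5s"
+check_restart {
+limit = 3
+grace = "90s"
+ignore_warnings = false
+}
+}
+}
+
+restart {
+interval = "30m"
+attempts = 10
+delay = "15s"
+mode = "delay"
+}
+}
+}
+}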
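Review bot: The `garage-web` service's `tricot-add-header Content-Security-Policy` allows `'unsafe-inline'` in both `default-src` and `script-src`, which removes most of the XSS protection CSP provides for the hosted sites, and `X-XSS-Protection 1; mode=block` is a deprecated header that current browsers ignore. Because these headers are stamped onto every site served through the `tricot * 1` route, consider dropping `'unsafe-inline'` from `script-src` (or recording why static tenant sites need it) and removing the `X-XSS-Protection` tag. That same `tricot * 1` catch-all makes garage-web the default backend for any Host name reaching the proxy; if tricot obtains certificates on demand for matched routes, verify it will not request Let's Encrypt certificates for arbitrary hostnames an outsider points at the cluster. Minor: the config bind mount can be read-only, `"secrets/garage.toml:/etc/garage.toml:ro"`, since the process only reads it.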
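--- a/cluster/prod/app/garage/secrets/garage/rpc_secret
+++ b/cluster/prod/app/garage/secrets/garage/rpc_secret
@@ -0,0 +1 @@
+CMD_ONCE openssl rand -hex 32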
@ -34,5 +34,6 @@ set_env CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul$YEAR-client.crt
|
||||||
set_env CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key
|
set_env CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key
|
||||||
|
|
||||||
cmd "consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt"
|
cmd "consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt"
|
||||||
|
cmd "consul kv put secrets/consul/consul.crt - < /var/lib/consul/pki/consul$YEAR.crt"
|
||||||
cmd "consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt"
|
cmd "consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt"
|
||||||
cmd "consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key"
|
cmd "consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key"
|
||||||
|
|
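Review bot: The added `cmd "consul kv put secrets/consul/consul.crt - < /var/lib/consul/pki/consul$YEAR.crt"` publishes the server's leaf certificate under a key that the job files in this commit then consume as their CA certificate; because the source is year-scoped, that KV value has to be refreshed in lock-step with the server certificate rollover or every consumer loses TLS trust at once. The CA is already published one line above as `secrets/consul/consul-ca.crt`, so the jobs can keep it as their trust anchor and the leaf certificate does not need to be in KV at all. If the intent is to make the `consul.service.prod.consul` name verify, that is a SAN entry on the server certificate, not a change to what clients trust. The enclosing script starts before the hunk.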