From 8c565aac6ffbe42aadbc0610fe47c339fcbf83a6 Mon Sep 17 00:00:00 2001
From: LUXEY Adrien <adrien.luxey@inria.fr>
Date: Sat, 5 Jun 2021 08:58:36 +0200
Subject: [PATCH] added Postgres and gitea, WIP

---
 hammerhead/README.md                        | 19 +++--
 hammerhead/app/gitea/deploy/gitea.hcl       | 89 +++++++++++++++++++++
 hammerhead/app/nginx/config/gitea.tpl       | 17 ++++
 hammerhead/app/nginx/deploy/nginx.hcl       |  7 ++
 hammerhead/app/postgres/deploy/postgres.hcl | 78 ++++++++++++++++++
 hammerhead/os/config/consul.json            | 29 +++++++
 hammerhead/os/config/nomad.hcl              | 57 +++++++++++++
 7 files changed, 291 insertions(+), 5 deletions(-)
 create mode 100644 hammerhead/app/gitea/deploy/gitea.hcl
 create mode 100644 hammerhead/app/nginx/config/gitea.tpl
 create mode 100644 hammerhead/app/postgres/deploy/postgres.hcl
 create mode 100644 hammerhead/os/config/consul.json
 create mode 100644 hammerhead/os/config/nomad.hcl

diff --git a/hammerhead/README.md b/hammerhead/README.md
index 6601c11..c6834c7 100644
--- a/hammerhead/README.md
+++ b/hammerhead/README.md
@@ -5,7 +5,7 @@
 0. Prior
 
 	* The OS is fully installed and configured using the `os/config` Ansible scripts. 
-	* Since Hammerhead is its own one-node cluster, Consul and Nomad have been reconfigured wth `bootstrap_expect == 1` manually.
+	* Nomad and Consul on HammerHead have custom configurations compared to the rest of the cluster. The configuration files `os/config/nomad.hcl` and `os/config/consul.json` need to be in sync on the server at `/etc/nomad/nomad.hcl` and `/etc/consul/consul.json` respectively.
 
 1. Base components: things that need to be installed before services
 
@@ -15,27 +15,36 @@
 
 		Can't do because of *separation of concerns*: files needed by nginx need to be defined in the nginx job specification.
 
-		Solution: each new service needs to add its nginx configuration to `app/nginx/config`.
+		Solution: each new service needs to add its nginx configuration to `app/nginx/config`, plus a template stanza in `app/nginx/deploy/nginx.hcl`. Lame.
 
 	* The services URL should be accessible from Consul using tags, instead of being hard-coded in configuration files.
 	* The dummy HTTP server replicas must not be accessible through the Internet.
 	* TLS: Let's Encrypt will probably be part of the same job definition as nginx.
 
+2. Wiki installation
 
-2. Gitea migration
+	* Postgres database
+
+		* [x] Persistent data volume - using `host_volume` in the `client` config of Nomad (requires a restart, and it's not so fun to add volumes there).
+
+		* [ ] How can Postgres be its own job, while letting it talk to other jobs? With Consul Connect apparently.
+
+
+
+3. Gitea migration
 
 	* Postgres database: needs to be its own Nomad job.
 	* Gitea: setting it up on Nomad.
 	* Migrating data from Serenity, where the DB is MySQL. Expect fun times.
 	* Database & files periodic backups
 
-3. Synapse migration 
+4. Synapse migration 
 
 	* Postgres already setup 
 	* Migrating from a Postgres on Serenity (easier)
 	* Backups
 
-4. [Own/Next]cloud: Adrien needs it for himself.
+5. [Own/Next]cloud: Adrien needs it for himself.
 
 	* Compare distribution capabilities / S3-compatibility between the two solutions. The assumption is that Owncloud's Go rewrite is the better fit.
 	* Do the things.
diff --git a/hammerhead/app/gitea/deploy/gitea.hcl b/hammerhead/app/gitea/deploy/gitea.hcl
new file mode 100644
index 0000000..f2af71e
--- /dev/null
+++ b/hammerhead/app/gitea/deploy/gitea.hcl
@@ -0,0 +1,89 @@
+job "gitea" {
+  datacenters = ["dc1"]
+
+  group "gitea" {
+    count = 1
+
+    volume "gitea-data" {
+      type      = "host"
+      read_only = false
+      source    = "gitea-data"
+    }
+
+    network {
+      port "http" { to = 3000 }
+      port "ssh" { to = 22 }
+    }
+
+    service {
+      name = "gitea-frontend"
+      port = "http"
+
+      # check {
+      #   name     = "alive"
+      #   type     = "tcp"
+      #   interval = "10s"
+      #   timeout  = "2s"
+      # }
+    }
+    service {
+      name = "gitea-ssh"
+      port = "ssh"
+
+      # check {
+      #   name     = "alive"
+      #   type     = "tcp"
+      #   interval = "10s"
+      #   timeout  = "2s"
+      # }
+    }
+
+    task "gitea" {
+      driver = "docker"
+
+      config {
+        # Exposes the http & ssh ports from the container to the host.
+        # Lame because anyone can access gitea bypassing nginx from :3000
+        # Necessary because without further mesh-net config, 
+        # nginx can't access the container's port.
+        ports = ["http", "ssh"]
+        image = "gitea/gitea:1.14.2"
+
+        volumes = [
+          "/etc/timezone:/etc/timezone:ro",
+          "/etc/localtime:/etc/localtime:ro"
+        ]
+      }
+
+      volume_mount {
+        volume      = "gitea-data"
+        destination = "/data"
+        read_only   = false
+      }
+
+      template {
+        # Consul Template only works in template stanza.
+        # We need it to fetch secret values from Consul.
+        # The "env = true" parameter sets the environment with the data.
+        # "destination" key is required but its value doesn't matter.
+        data = <<EOH
+DB_TYPE   = "postgres"
+DB_USER   = "{{ key "secrets/postgres/gitea/user" }}"
+DB_PASSWD = "{{ key "secrets/postgres/gitea/password" }}"
+DB_NAME   = "{{ key "secrets/postgres/gitea/db_name" }}"
+DB_HOST   = "{{ with service "postgres" }}{{ with index . 0 }}{{ .Address }}:{{ .Port }}{{ end }}{{ end }}"
+EOH
+
+        destination = "secrets/env"
+        env         = true
+        change_mode = "restart"
+      }
+
+      env {
+        APP_NAME = "Gitea: git with a cup of coffee"
+        DOMAIN = "gitea.hammerhead.luxeylab.net"
+        SSH_DOMAIN = "gitea.hammerhead.luxeylab.net"
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/hammerhead/app/nginx/config/gitea.tpl b/hammerhead/app/nginx/config/gitea.tpl
new file mode 100644
index 0000000..c18e9e1
--- /dev/null
+++ b/hammerhead/app/nginx/config/gitea.tpl
@@ -0,0 +1,17 @@
+upstream gitea-backend {
+{{ range service "gitea" }}
+  server {{ .Address }}:{{ .Port }};
+{{ else }}
+  server 127.0.0.1:65535; # force a 502
+{{ end }}
+}
+
+server {
+   listen 80;
+   listen [::]:80;
+   server_name gitea.hammerhead.luxeylab.net;
+
+   location / {
+      proxy_pass http://gitea-backend;
+   }
+}
\ No newline at end of file
diff --git a/hammerhead/app/nginx/deploy/nginx.hcl b/hammerhead/app/nginx/deploy/nginx.hcl
index 1699347..d120752 100644
--- a/hammerhead/app/nginx/deploy/nginx.hcl
+++ b/hammerhead/app/nginx/deploy/nginx.hcl
@@ -42,6 +42,13 @@ job "nginx" {
         change_mode   = "signal"
         change_signal = "SIGHUP"
       }
+
+      template {
+        data = file("../config/gitea.tpl")
+        destination   = "local/gitea.conf"
+        change_mode   = "signal"
+        change_signal = "SIGHUP"
+      }
     }
   }
 }
\ No newline at end of file
diff --git a/hammerhead/app/postgres/deploy/postgres.hcl b/hammerhead/app/postgres/deploy/postgres.hcl
new file mode 100644
index 0000000..19e0e0a
--- /dev/null
+++ b/hammerhead/app/postgres/deploy/postgres.hcl
@@ -0,0 +1,78 @@
+# Example PostgreSQL job file: https://github.com/GuyBarros/nomad_jobs/blob/master/postgresSQL.nomad
+
+job "postgres" {
+  datacenters = ["dc1"]
+  type        = "service"
+
+  group "postgres" {
+    count = 1
+
+    volume "postgres-data" {
+      type      = "host"
+      read_only = false
+      source    = "postgres-data"
+    }
+
+    network {
+      port "db" { static = 5432 }
+    }
+
+    service {
+      name = "postgres"
+      port = "db"
+
+      check {
+        name     = "alive"
+        type     = "tcp"
+        interval = "10s"
+        timeout  = "2s"
+      }
+    }
+
+    task "postgres" {
+      driver = "docker"
+
+      config {
+        ports = ["db"]
+        image = "postgres"
+      }
+
+      volume_mount {
+        volume      = "postgres-data"
+        destination = "/var/lib/postgresql/data"
+        read_only   = false
+      }
+
+      template {
+        # Consul Template only works in template stanza.
+        # We need it to fetch secret values from Consul.
+        # The "env = true" parameter sets the environment with the data.
+        # "destination" key is required but its value doesn't matter.
+        data = <<EOH
+POSTGRES_USER     = "{{ key "secrets/postgres/user" }}"
+POSTGRES_PASSWORD = "{{ key "secrets/postgres/password" }}"
+EOH
+
+        destination = "secrets/env"
+        env         = true
+        change_mode = "restart"
+      }
+
+      env {
+        PGDATA = "/var/lib/postgresql/data"
+      }
+    }
+
+      # resources {
+      #   # cpu = 1000
+      #   # memory = 1024
+      #   network {
+      #     # mbits = 10
+      #     port "db"  {
+      #       static = 5432
+      #     }
+      #   }
+      # }
+
+  }
+}
\ No newline at end of file
diff --git a/hammerhead/os/config/consul.json b/hammerhead/os/config/consul.json
new file mode 100644
index 0000000..aab2c2b
--- /dev/null
+++ b/hammerhead/os/config/consul.json
@@ -0,0 +1,29 @@
+{
+  "data_dir": "/var/lib/consul",
+  "bind_addr": "[::]",
+  "advertise_addr": "2001:41d0:8:ba0b::1",
+  "addresses": {
+    "dns": "[::]",
+    "http": "[::]"
+  },
+  "retry_join": [
+        "2001:41d0:8:ba0b::1" 
+     ],
+  "bootstrap_expect": 1,
+  "server": true,
+  "ui": true,
+  "ports": {
+     "dns": 53
+  },
+  "recursors": [
+    "213.186.33.99",
+    "172.104.136.243"
+  ],
+  "encrypt": "2B2vxbfCRzu3Q29LEJAZBg==",
+  "domain": "2.cluster.deuxfleurs.fr",
+  "performance": {
+    "raft_multiplier": 10,
+    "rpc_hold_timeout": "30s",
+    "leave_drain_time": "30s"
+  }
+}
diff --git a/hammerhead/os/config/nomad.hcl b/hammerhead/os/config/nomad.hcl
new file mode 100644
index 0000000..d7107b8
--- /dev/null
+++ b/hammerhead/os/config/nomad.hcl
@@ -0,0 +1,57 @@
+addresses {
+  http = "::"
+  rpc = "::"
+  serf = "::"
+}
+
+advertise {
+  http = "2001:41d0:8:ba0b::1"
+  rpc = "2001:41d0:8:ba0b::1"
+  serf = "2001:41d0:8:ba0b::1"
+}
+
+data_dir = "/var/lib/nomad"
+
+server {
+  enabled          = true
+  bootstrap_expect = 1
+}
+
+consul {
+  address = "[::1]:8500"
+}
+
+client {
+  enabled = true
+  #cpu_total_compute = 4000
+  servers = ["[::1]:4648"]
+  network_interface = "eno1"
+  options {
+    docker.privileged.enabled = "true"
+    docker.volumes.enabled = "true"
+  }
+
+  host_volume "postgres-data" {
+    path      = "/opt/postgres/data"
+    read_only = false
+  }
+
+  host_volume "gitea-data" {
+    path      = "/opt/gitea/data"
+    read_only = false
+  }
+}
+
+plugin "raw_exec" {
+  config {
+    enabled = true
+  }
+}
+
+telemetry {
+  collection_interval = "1s"
+  disable_hostname = false
+  prometheus_metrics = true
+  publish_allocation_metrics = true
+  publish_node_metrics = true
+}