adrien/infrastructure
1
0
Fork 0
forked from Deuxfleurs/infrastructure
Code Issues Pull requests Releases Wiki Activity

added Postgres and gitea, WIP

Browse source
This commit is contained in:
LUXEY Adrien 2021-06-05 08:58:36 +02:00
parent 7275c5b156
commit 8c565aac6f
7 changed files with 291 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
hammerhead/README.md
View file

@ -5,7 +5,7 @@
0. Prior 0. Prior
* The OS is fully installed and configured using the `os/config` Ansible scripts. * The OS is fully installed and configured using the `os/config` Ansible scripts.
* Since Hammerhead is its own one-node cluster, Consul and Nomad have been reconfigured wth `bootstrap_expect == 1` manually. * Nomad and Consul on HammerHead have custom configurations compared to the rest of the cluster. The configuration files `os/config/nomad.hcl` and `os/config/consul.json` need to be in sync on the server at `/etc/nomad/nomad.hcl` and `/etc/consul/consul.json` respectively.
1. Base components: things that need to be installed before services 1. Base components: things that need to be installed before services
@ -15,27 +15,36 @@
Can't do because of *separation of concerns*: files needed by nginx need to be defined in the nginx job specification. Can't do because of *separation of concerns*: files needed by nginx need to be defined in the nginx job specification.
Solution: each new service needs to add its nginx configuration to `app/nginx/config`. Solution: each new service needs to add its nginx configuration to `app/nginx/config`, plus a template stanza in `app/nginx/deploy/nginx.hcl`. Lame.
* The services URL should be accessible from Consul using tags, instead of being hard-coded in configuration files. * The services URL should be accessible from Consul using tags, instead of being hard-coded in configuration files.
* The dummy HTTP server replicas must not be accessible through the Internet. * The dummy HTTP server replicas must not be accessible through the Internet.
* TLS: Let's Encrypt will probably be part of the same job definition as nginx. * TLS: Let's Encrypt will probably be part of the same job definition as nginx.
2. Wiki installation
2. Gitea migration * Postgres database
* [x] Persistent data volume - using `host_volume` in the `client` config of Nomad (requires a restart, and it's not so fun to add volumes there).
* [ ] How can Postgres be its own job, while letting it talk to other jobs? With Consul Connect apparently.
3. Gitea migration
* Postgres database: needs to be its own Nomad job. * Postgres database: needs to be its own Nomad job.
* Gitea: setting it up on Nomad. * Gitea: setting it up on Nomad.
* Migrating data from Serenity, where the DB is MySQL. Expect fun times. * Migrating data from Serenity, where the DB is MySQL. Expect fun times.
* Database & files periodic backups * Database & files periodic backups
3. Synapse migration 4. Synapse migration
* Postgres already setup * Postgres already setup
* Migrating from a Postgres on Serenity (easier) * Migrating from a Postgres on Serenity (easier)
* Backups * Backups
4. [Own/Next]cloud: Adrien needs it for himself. 5. [Own/Next]cloud: Adrien needs it for himself.
* Compare distribution capabilities / S3-compatibility between the two solutions. The assumption is that Owncloud's Go rewrite is the better fit. * Compare distribution capabilities / S3-compatibility between the two solutions. The assumption is that Owncloud's Go rewrite is the better fit.
* Do the things. * Do the things.

89
hammerhead/app/gitea/deploy/gitea.hcl Normal file
View file

@ -0,0 +1,89 @@
job "gitea" {
datacenters = ["dc1"]
group "gitea" {
count = 1
volume "gitea-data" {
type = "host"
read_only = false
source = "gitea-data"
}
network {
port "http" { to = 3000 }
port "ssh" { to = 22 }
}
service {
name = "gitea-frontend"
port = "http"
# check {
# name = "alive"
# type = "tcp"
# interval = "10s"
# timeout = "2s"
# }
}
service {
name = "gitea-ssh"
port = "ssh"
# check {
# name = "alive"
# type = "tcp"
# interval = "10s"
# timeout = "2s"
# }
}
task "gitea" {
driver = "docker"
config {
# Exposes the http & ssh ports from the container to the host.
# Lame because anyone can access gitea bypassing nginx from :3000
# Necessary because without further mesh-net config,
# nginx can't access the container's port.
ports = ["http", "ssh"]
image = "gitea/gitea:1.14.2"
volumes = [
"/etc/timezone:/etc/timezone:ro",
"/etc/localtime:/etc/localtime:ro"
]
}
volume_mount {
volume = "gitea-data"
destination = "/data"
read_only = false
}
template {
# Consul Template only works in template stanza.
# We need it to fetch secret values from Consul.
# The "env = true" parameter sets the environment with the data.
# "destination" key is required but its value doesn't matter.
data = <<EOH
DB_TYPE = "postgres"
DB_USER = "{{ key "secrets/postgres/gitea/user" }}"
DB_PASSWD = "{{ key "secrets/postgres/gitea/password" }}"
DB_NAME = "{{ key "secrets/postgres/gitea/db_name" }}"
DB_HOST = "{{ with service "postgres" }}{{ with index . 0 }}{{ .Address }}:{{ .Port }}{{ end }}{{ end }}"
EOH
destination = "secrets/env"
env = true
change_mode = "restart"
}
env {
APP_NAME = "Gitea: git with a cup of coffee"
DOMAIN = "gitea.hammerhead.luxeylab.net"
SSH_DOMAIN = "gitea.hammerhead.luxeylab.net"
}
}
}
}

17
hammerhead/app/nginx/config/gitea.tpl Normal file
View file

@ -0,0 +1,17 @@
upstream gitea-backend {
{{ range service "gitea" }}
server {{ .Address }}:{{ .Port }};
{{ else }}
server 127.0.0.1:65535; # force a 502
{{ end }}
}
server {
listen 80;
listen [::]:80;
server_name gitea.hammerhead.luxeylab.net;
location / {
proxy_pass http://gitea-backend;
}
}

7
hammerhead/app/nginx/deploy/nginx.hcl
View file

@ -42,6 +42,13 @@ job "nginx" {
change_mode = "signal" change_mode = "signal"
change_signal = "SIGHUP" change_signal = "SIGHUP"
} }
template {
data = file("../config/gitea.tpl")
destination = "local/gitea.conf"
change_mode = "signal"
change_signal = "SIGHUP"
}
} }
} }
} }

78
hammerhead/app/postgres/deploy/postgres.hcl Normal file
View file

@ -0,0 +1,78 @@
# Example PostgreSQL job file: https://github.com/GuyBarros/nomad_jobs/blob/master/postgresSQL.nomad
job "postgres" {
datacenters = ["dc1"]
type = "service"
group "postgres" {
count = 1
volume "postgres-data" {
type = "host"
read_only = false
source = "postgres-data"
}
network {
port "db" { static = 5432 }
}
service {
name = "postgres"
port = "db"
check {
name = "alive"
type = "tcp"
interval = "10s"
timeout = "2s"
}
}
task "postgres" {
driver = "docker"
config {
ports = ["db"]
image = "postgres"
}
volume_mount {
volume = "postgres-data"
destination = "/var/lib/postgresql/data"
read_only = false
}
template {
# Consul Template only works in template stanza.
# We need it to fetch secret values from Consul.
# The "env = true" parameter sets the environment with the data.
# "destination" key is required but its value doesn't matter.
data = <<EOH
POSTGRES_USER = "{{ key "secrets/postgres/user" }}"
POSTGRES_PASSWORD = "{{ key "secrets/postgres/password" }}"
EOH
destination = "secrets/env"
env = true
change_mode = "restart"
}
env {
PGDATA = "/var/lib/postgresql/data"
}
}
# resources {
# # cpu = 1000
# # memory = 1024
# network {
# # mbits = 10
# port "db" {
# static = 5432
# }
# }
# }
}
}

29
hammerhead/os/config/consul.json Normal file
View file

@ -0,0 +1,29 @@
{
"data_dir": "/var/lib/consul",
"bind_addr": "[::]",
"advertise_addr": "2001:41d0:8:ba0b::1",
"addresses": {
"dns": "[::]",
"http": "[::]"
},
"retry_join": [
"2001:41d0:8:ba0b::1"
],
"bootstrap_expect": 1,
"server": true,
"ui": true,
"ports": {
"dns": 53
},
"recursors": [
"213.186.33.99",
"172.104.136.243"
],
"encrypt": "2B2vxbfCRzu3Q29LEJAZBg==",
"domain": "2.cluster.deuxfleurs.fr",
"performance": {
"raft_multiplier": 10,
"rpc_hold_timeout": "30s",
"leave_drain_time": "30s"
}
}

57
hammerhead/os/config/nomad.hcl Normal file
View file

@ -0,0 +1,57 @@
addresses {
http = "::"
rpc = "::"
serf = "::"
}
advertise {
http = "2001:41d0:8:ba0b::1"
rpc = "2001:41d0:8:ba0b::1"
serf = "2001:41d0:8:ba0b::1"
}
data_dir = "/var/lib/nomad"
server {
enabled = true
bootstrap_expect = 1
}
consul {
address = "[::1]:8500"
}
client {
enabled = true
#cpu_total_compute = 4000
servers = ["[::1]:4648"]
network_interface = "eno1"
options {
docker.privileged.enabled = "true"
docker.volumes.enabled = "true"
}
host_volume "postgres-data" {
path = "/opt/postgres/data"
read_only = false
}
host_volume "gitea-data" {
path = "/opt/gitea/data"
read_only = false
}
}
plugin "raw_exec" {
config {
enabled = true
}
}
telemetry {
collection_interval = "1s"
disable_hostname = false
prometheus_metrics = true
publish_allocation_metrics = true
publish_node_metrics = true
}