tixie/nixcfg
1
0
Fork 0
forked from Deuxfleurs/nixcfg
Code Pull requests Activity

Merge branch 'main' into simplify-network-config

Browse source
This commit is contained in:
Alex 2023-05-09 12:20:35 +02:00
commit 24cf7ddd91
10 changed files with 41 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
cluster/prod/app/backup/deploy/backup-weekly.hcl
View file

@ -1,5 +1,5 @@
job "backup_weekly" { job "backup_weekly" {
datacenters = ["orion"] datacenters = ["orion", "neptune", "bespin"]
type = "batch" type = "batch"
priority = "60" priority = "60"
@ -30,7 +30,7 @@ AWS_ENDPOINT=s3.deuxfleurs.shirokumo.net
AWS_ACCESS_KEY_ID={{ key "secrets/postgres/backup/aws_access_key_id" }} AWS_ACCESS_KEY_ID={{ key "secrets/postgres/backup/aws_access_key_id" }}
AWS_SECRET_ACCESS_KEY={{ key "secrets/postgres/backup/aws_secret_access_key" }} AWS_SECRET_ACCESS_KEY={{ key "secrets/postgres/backup/aws_secret_access_key" }}
CRYPT_PUBLIC_KEY={{ key "secrets/postgres/backup/crypt_public_key" }} CRYPT_PUBLIC_KEY={{ key "secrets/postgres/backup/crypt_public_key" }}
PSQL_HOST=psql-proxy.service.prod.consul PSQL_HOST={{ env "meta.site" }}.psql-proxy.service.prod.consul
PSQL_USER={{ key "secrets/postgres/keeper/pg_repl_username" }} PSQL_USER={{ key "secrets/postgres/keeper/pg_repl_username" }}
PGPASSWORD={{ key "secrets/postgres/keeper/pg_repl_pwd" }} PGPASSWORD={{ key "secrets/postgres/keeper/pg_repl_pwd" }}
EOH EOH

14
cluster/prod/app/email/config/sogo/sogo.conf.tpl
View file

@ -3,13 +3,13 @@
WOWorkersCount = 3; WOWorkersCount = 3;
SxVMemLimit = 300; SxVMemLimit = 300;
WOPort = "127.0.0.1:20000"; WOPort = "127.0.0.1:20000";
SOGoProfileURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_user_profile"; SOGoProfileURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/sogo/sogo_user_profile";
OCSFolderInfoURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_folder_info"; OCSFolderInfoURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/sogo/sogo_folder_info";
OCSSessionsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_sessions_folder"; OCSSessionsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/sogo/sogo_sessions_folder";
OCSEMailAlarmsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_alarms_folder"; OCSEMailAlarmsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/sogo/sogo_alarms_folder";
OCSStoreURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_store"; OCSStoreURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/sogo/sogo_store";
OCSAclURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_acl"; OCSAclURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/sogo/sogo_acl";
OCSCacheFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_cache_folder"; OCSCacheFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/sogo/sogo_cache_folder";
SOGoTimeZone = "Europe/Paris"; SOGoTimeZone = "Europe/Paris";
SOGoMailDomain = "deuxfleurs.fr"; SOGoMailDomain = "deuxfleurs.fr";
SOGoLanguage = French; SOGoLanguage = French;

2
cluster/prod/app/matrix/config/synapse/homeserver.yaml
View file

@ -61,7 +61,7 @@ database:
user: {{ key "secrets/chat/synapse/postgres_user" | trimSpace }} user: {{ key "secrets/chat/synapse/postgres_user" | trimSpace }}
password: {{ key "secrets/chat/synapse/postgres_pwd" | trimSpace }} password: {{ key "secrets/chat/synapse/postgres_pwd" | trimSpace }}
database: {{ key "secrets/chat/synapse/postgres_db" | trimSpace }} database: {{ key "secrets/chat/synapse/postgres_db" | trimSpace }}
host: psql-proxy.service.prod.consul host: {{ env "meta.site" }}.psql-proxy.service.prod.consul
port: 5432 port: 5432
cp_min: 5 cp_min: 5
cp_max: 10 cp_max: 10

18
cluster/prod/app/matrix/deploy/im.hcl
View file

@ -1,5 +1,5 @@
job "matrix" { job "matrix" {
datacenters = ["orion"] datacenters = ["orion", "neptune"]
type = "service" type = "service"
priority = 40 priority = 40
@ -8,6 +8,7 @@ job "matrix" {
network { network {
port "api_port" { static = 8008 } port "api_port" { static = 8008 }
port "web_port" { to = 8043 }
} }
task "synapse" { task "synapse" {
@ -79,6 +80,7 @@ job "matrix" {
"tricot im.deuxfleurs.fr:443/_matrix 100", "tricot im.deuxfleurs.fr:443/_matrix 100",
"tricot im.deuxfleurs.fr/_synapse 100", "tricot im.deuxfleurs.fr/_synapse 100",
"tricot-add-header Access-Control-Allow-Origin *", "tricot-add-header Access-Control-Allow-Origin *",
"d53-cname im.deuxfleurs.fr",
] ]
check { check {
type = "tcp" type = "tcp"
@ -123,24 +125,15 @@ AWS_DEFAULT_REGION=garage
PG_USER={{ key "secrets/chat/synapse/postgres_user" | trimSpace }} PG_USER={{ key "secrets/chat/synapse/postgres_user" | trimSpace }}
PG_PASS={{ key "secrets/chat/synapse/postgres_pwd" | trimSpace }} PG_PASS={{ key "secrets/chat/synapse/postgres_pwd" | trimSpace }}
PG_DB={{ key "secrets/chat/synapse/postgres_db" | trimSpace }} PG_DB={{ key "secrets/chat/synapse/postgres_db" | trimSpace }}
PG_HOST=psql-proxy.service.2.cluster.deuxfleurs.fr PG_HOST={{ env "meta.site" }}.psql-proxy.service.2.cluster.deuxfleurs.fr
PG_PORT=5432 PG_PORT=5432
EOH EOH
destination = "secrets/env" destination = "secrets/env"
env = true env = true
} }
} }
}
task "riotweb" {
group "riotweb" {
count = 1
network {
port "web_port" { to = 8043 }
}
task "server" {
driver = "docker" driver = "docker"
config { config {
image = "superboum/amd64_riotweb:v33" image = "superboum/amd64_riotweb:v33"
@ -164,6 +157,7 @@ EOH
"webstatic", "webstatic",
"tricot im.deuxfleurs.fr 10", "tricot im.deuxfleurs.fr 10",
"tricot riot.deuxfleurs.fr 10", "tricot riot.deuxfleurs.fr 10",
"d53-cname riot.deuxfleurs.fr",
] ]
port = "web_port" port = "web_port"
address_mode = "host" address_mode = "host"

2
cluster/prod/app/plume/config/app.env
View file

@ -12,7 +12,7 @@ ROCKET_SECRET_KEY={{ key "secrets/plume/secret_key" | trimSpace }}
POSTGRES_PASSWORD={{ key "secrets/plume/pgsql_pw" | trimSpace }} POSTGRES_PASSWORD={{ key "secrets/plume/pgsql_pw" | trimSpace }}
POSTGRES_USER=plume POSTGRES_USER=plume
POSTGRES_DB=plume POSTGRES_DB=plume
DATABASE_URL=postgres://plume:{{ key "secrets/plume/pgsql_pw" | trimSpace }}@psql-proxy.service.prod.consul:5432/plume DATABASE_URL=postgres://plume:{{ key "secrets/plume/pgsql_pw" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/plume
MIGRATION_DIRECTORY=migrations/postgres MIGRATION_DIRECTORY=migrations/postgres
USE_HTTPS=0 USE_HTTPS=0

20
cluster/prod/app/postgres/deploy/postgres.hcl
View file

@ -1,5 +1,5 @@
job "postgres14" { job "postgres14" {
datacenters = ["orion"] datacenters = ["orion", "neptune", "bespin"]
type = "system" type = "system"
priority = 90 priority = 90
@ -16,6 +16,20 @@ job "postgres14" {
port "psql_port" { static = 5433 } port "psql_port" { static = 5433 }
} }
constraint {
attribute = "${attr.unique.hostname}"
operator = "set_contains_any"
# target: courgette,df-ymf,abricot (or ananas)
value = "diplotaxis,courgette,concombre,df-ymf"
}
restart {
interval = "10m"
attempts = 10
delay = "15s"
mode = "delay"
}
task "sentinel" { task "sentinel" {
driver = "docker" driver = "docker"
@ -99,7 +113,7 @@ job "postgres14" {
} }
service { service {
tags = ["sql"] tags = ["sql", "${meta.site}"]
port = "psql_proxy_port" port = "psql_proxy_port"
address_mode = "host" address_mode = "host"
name = "psql-proxy" name = "psql-proxy"
@ -179,7 +193,7 @@ job "postgres14" {
} }
service { service {
tags = ["sql"] tags = ["sql", "${meta.site}"]
port = "psql_port" port = "psql_port"
address_mode = "host" address_mode = "host"
name = "psql-keeper" name = "psql-keeper"

2
cluster/prod/app/telemetry/deploy/telemetry-service.hcl
View file

@ -45,7 +45,7 @@ job "telemetry-service" {
task "grafana" { task "grafana" {
driver = "docker" driver = "docker"
config { config {
image = "grafana/grafana:9.3.2" image = "grafana/grafana:9.5.1"
network_mode = "host" network_mode = "host"
ports = [ "grafana" ] ports = [ "grafana" ]
volumes = [ volumes = [

2
cluster/prod/app/telemetry/deploy/telemetry-storage.hcl
View file

@ -20,7 +20,7 @@ job "telemetry-storage" {
task "prometheus" { task "prometheus" {
driver = "docker" driver = "docker"
config { config {
image = "prom/prometheus:v2.41.0" image = "prom/prometheus:v2.43.1"
network_mode = "host" network_mode = "host"
ports = [ "prometheus" ] ports = [ "prometheus" ]
args = [ args = [

2
cluster/prod/app/telemetry/deploy/telemetry-system.hcl
View file

@ -12,7 +12,7 @@ job "telemetry-system" {
driver = "docker" driver = "docker"
config { config {
image = "quay.io/prometheus/node-exporter:v1.4.0" image = "quay.io/prometheus/node-exporter:v1.5.0"
network_mode = "host" network_mode = "host"
volumes = [ volumes = [
"/:/host:ro,rslave" "/:/host:ro,rslave"

4
nix/deuxfleurs.nix
View file

@ -218,6 +218,10 @@ in
domain-insecure = [ "consul." ]; domain-insecure = [ "consul." ];
local-zone = [ "consul. nodefault" ]; local-zone = [ "consul. nodefault" ];
log-servfail = true; log-servfail = true;
verbosity = 1;
log-queries = true;
use-syslog = false;
logfile = "/dev/stdout";
access-control = [ access-control = [
"127.0.0.0/8 allow" "127.0.0.0/8 allow"
"172.17.0.0/16 allow" "172.17.0.0/16 allow"