commit 495e6fe0ad61e5484eb7c9471b6c1d94a0d29a2f parent 4955730ac57f033a8c313fcd8b3fd861cd4729a2 Author: Andreas Gruhler <agruhl@gmx.ch> Date: Sun, 16 Mar 2025 21:16:20 +0100 feat(todo): add nomad files Diffstat:
| A | hcl/default/todo/README.md | | | 34 | ++++++++++++++++++++++++++++++++++ |
| A | hcl/default/todo/templates/config.ini.tmpl | | | 134 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| A | hcl/default/todo/templates/nginx.conf.tmpl | | | 25 | +++++++++++++++++++++++++ |
| A | hcl/default/todo/templates/uwsgi.ini.tmpl | | | 9 | +++++++++ |
| A | hcl/default/todo/todo.nomad | | | 178 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
5 files changed, 380 insertions(+), 0 deletions(-)
diff --git a/hcl/default/todo/README.md b/hcl/default/todo/README.md @@ -0,0 +1,34 @@ +# todo.sr.ht deployment + +Deployment for todo.sr.ht: +* https://man.sr.ht/hacking.md + +## Components +* Redict (https://redict.io/docs/install/containers) bundled in this deployment +* PostgreSQL database for `todo` service +* `meta` neighbor service + +## Configuration files + +Copy sections from services into meta config.ini. + +## Database schema and super user + +``` +# https://git.sr.ht/~sircmpwn/todo.sr.ht/blob/master/schema.sql +psql -h postgres.lan -U meta -f todo-schema.sql + +# https://git.sr.ht/~sircmpwn/meta.sr.ht/blob/master/schema.sql +psql -h postgres.lan -U meta -f meta-schema.sql +meta.sr.ht-manageuser -e root@root.root -p -t ADMIN admin +``` + +## Key generation + +Generate keys once and store them in Vault: +``` +sr.ht-keygen service +sr.ht-keygen network +sr.ht-keygen webhook +``` + diff --git a/hcl/default/todo/templates/config.ini.tmpl b/hcl/default/todo/templates/config.ini.tmpl @@ -0,0 +1,134 @@ +# https://git.sr.ht/~sircmpwn/todo.sr.ht/tree/master/item/config.example.ini + +[sr.ht] +# +# The name of your network of sr.ht-based sites +site-name=p0c +# +# The top-level info page for your site +site-info=https://p0c.ch +# +# site-name, site-blurb +site-blurb=proof of concepts for fun and profit +# +# If this != production, we add a banner to each page +environment=production +# +# Contact information for the site owners +owner-name=Andreas Gruhler +owner-email=contact@p0c.ch +# +# The source code for your fork of sr.ht +source-url=https://git.sr.ht/~sircmpwn/srht +# +# A key used for encrypting session cookies. Use `srht-keygen service` to +# generate the service key. This must be shared between each node of the same +# service (e.g. git1.sr.ht and git2.sr.ht), but different services may use +# different keys. If you configure all of your services with the same +# config.ini, you may use the same service-key for all of them. +service-key={{with secret "kv/todo"}}{{index .Data.data.service_key}}{{end}} +# +# A secret key to encrypt internal messages with. Use `srht-keygen network` to +# generate this key. It must be consistent between all services and nodes. +network-key={{with secret "kv/todo"}}{{index .Data.data.service_key}}{{end}} +# +# The redis host URL. This is used for caching and temporary storage, and must +# be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be +# shared between services. It may be shared between services, however, with no +# ill effect, if this better suits your infrastructure. +redis-host=redis://{{ env "NOMAD_ADDR_redis" }} +# +# Path to static asses (default PREFIX from make installation) +# https://git.sr.ht/~sircmpwn/core.sr.ht/tree/master/item/Makefile +assets=/usr/local/share/sourcehut + +[mail] +# +# Outgoing SMTP settings +smtp-host={{with secret "kv/todo"}}{{index .Data.data.smtp_host}}{{end}} +smtp-port={{with secret "kv/todo"}}{{index .Data.data.smtp_port}}{{end}} +smtp-from={{with secret "kv/todo"}}{{index .Data.data.smtp_from}}{{end}} +# +# Default: starttls +# Options: starttls, tls, insecure +smtp-encryption=starttls +# +# Default: plain +# Options: plain, none +smtp-auth=plain +# user is required as it is used in Sender e-mail header +smtp-user={{with secret "kv/todo"}}{{index .Data.data.smtp_user}}{{end}} +# password is required if smtp-auth is plain +smtp-password={{with secret "kv/todo"}}{{index .Data.data.smtp_password}}{{end}} +# +# Application exceptions are emailed to this address +error-to=contact@p0c.ch +error-from=contact@p0c.ch +# +# You should generate a PGP key to allow users to authenticate emails received +# from your services. Use `gpg --edit-key [key id]` to remove the password from +# your private key, then export it to a file and set pgp-privkey to the path to +# that file. pgp-pubkey should be set to the path to your public key, and +# pgp-key-id should be set to the key ID string. Outgoing emails are signed with +# this PGP key. +pgp-privkey={{ env "NOMAD_SECRETS_DIR" }}/pgp_privkey.pem +pgp-pubkey={{ env "NOMAD_SECRETS_DIR" }}/pgp_pubkey.pem +pgp-key-id={{with secret "kv/todo"}}{{index .Data.data.pgp_key_id}}{{end}} + +[webhooks] +# +# base64-encoded Ed25519 key for signing webhook payloads. This should be +# consistent between all services. +# +# Use the `srht-keygen webhook` command to generate this key. Put the private +# key here and distribute the public key to anyone who would want to verify +# webhook payloads from your service. +private-key={{with secret "kv/todo"}}{{index .Data.data.webhook_private_key}}{{end}} + +[todo.sr.ht] +# +# URL todo.sr.ht is being served at (protocol://domain) +origin=https://todo.p0c.ch +# +# Address and port to bind the debug server to +#debug-host=0.0.0.0 +#debug-port={{ env "NOMAD_PORT_web" }} +# +# Configures the SQLAlchemy connection string for the database. +connection-string=postgresql://todo:{{with secret "kv/todo"}}{{index .Data.data.postgresql_password}}{{end}}@postgres.lan/todo +# +# Set to "yes" to automatically run migrations on package upgrade. +migrate-on-upgrade=yes +# +# todo.sr.ht's OAuth client ID and secret for meta.sr.ht +# Register your client at meta.example.org/oauth +oauth-client-id={{with secret "kv/todo"}}{{index .Data.data.oauth_client_id}}{{end}} +oauth-client-secret={{with secret "kv/todo"}}{{index .Data.data.oauth_client_secret}}{{end}} +# +# Outgoing email for notifications generated by users +notify-from=no-reply@p0c.ch +# +# The redis connection used for the webhooks worker +webhooks=redis://{{ env "NOMAD_ADDR_redis" }}/1 +# +# Origin URL for the API +# Only needed if not run behind a reverse proxy, e.g. for local development. +# By default, the API port is 100 more than the web port +api-origin=http://{{ env "NOMAD_ADDR_api" }} + +[todo.sr.ht::mail] +# +# Path for the lmtp daemon's unix socket. Direct incoming mail to this socket. +# Alternatively, specify IP:PORT and an SMTP server will be run instead. +sock=/tmp/todo.sr.ht-lmtp.sock +# +# The lmtp daemon will make the unix socket group-read/write for users in this +# group. +sock-group=postfix +# +# Fill this in with the name of the domain to which emails should be sent. +# Leave blank to disable email submission. +posting-domain= + +[meta.sr.ht] +origin=https://meta.p0c.ch diff --git a/hcl/default/todo/templates/nginx.conf.tmpl b/hcl/default/todo/templates/nginx.conf.tmpl @@ -0,0 +1,25 @@ +# https://man.sr.ht/configuration.md +# https://git.sr.ht/~sircmpwn/sr.ht-nginx/tree/master/item/todo.sr.ht.conf + +server { + listen {{ env "NOMAD_PORT_https" }} ssl; + + ssl_certificate /etc/letsencrypt/live/todo.p0c.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/todo.p0c.ch/privkey.pem; + + location / { + # https://uwsgi-docs.readthedocs.io/en/latest/WSGIquickstart.html#putting-behind-a-full-webserver + include uwsgi_params; + uwsgi_pass {{ env "NOMAD_ADDR_web" }}; + } + + location /query { + # the API is a binary, no uwsgi app + proxy_pass http://{{ env "NOMAD_ADDR_api" }}; + } + + location /static { + # static assets are served from the allocations ephemeral disk + root /alloc/data; + } +} diff --git a/hcl/default/todo/templates/uwsgi.ini.tmpl b/hcl/default/todo/templates/uwsgi.ini.tmpl @@ -0,0 +1,9 @@ +[uwsgi] +# https://uwsgi-docs.readthedocs.io/en/latest/WSGIquickstart.html#putting-behind-a-full-webserver +plugins = python3 +socket = :{{ env "NOMAD_PORT_web" }} +wsgi-file = /todo/metasrht/app.py +callable = app +master = true +processes = 2 +threads = 1 diff --git a/hcl/default/todo/todo.nomad b/hcl/default/todo/todo.nomad @@ -0,0 +1,178 @@ +# https://man.sr.ht/configuration.md + +job "todo" { + datacenters = ["dc1"] + + vault {} + + group "server" { + count = 1 + + # /alloc/data for static assets + ephemeral_disk { + size = 500 + } + + volume "tls" { + type = "csi" + source = "certbot" + access_mode = "multi-node-multi-writer" + attachment_mode = "file-system" + } + + network { + port "web" {} + port "api" { + # todo: api-origin config.ini not working? + #to = 5103 + } + port "redis" { + to = 6379 + } + port "https" { + static = 44408 + } + } + + # Prepare static assets + task "prepare_static_assets" { + driver = "podman" + + config { + image = "127.0.0.1:5000/todo:0.77.4" + command = "/bin/sh" + args = [ "-c", <<EOT + cp -r /usr/local/share/sourcehut/static /alloc/data/ + EOT + ] + } + + lifecycle { + hook = "prestart" + } + } + + task "redict" { + driver = "podman" + + config { + image = "registry.redict.io/redict:alpine" + ports = ["redis"] + } + + resources { + memory = 50 + memory_max = 128 + cpu = 100 + } + + lifecycle { + hook = "prestart" + sidecar = true + } + } + + task "todo_web" { + driver = "podman" + + config { + image = "127.0.0.1:5000/todo:0.77.4" + command = "uwsgi" + args = ["${NOMAD_TASK_DIR}/uwsgi.ini"] + force_pull = true + ports = ["web"] + volumes = [ + # mount the templated config from the task directory to the container + "local/config.ini:/etc/sr.ht/config.ini", + ] + } + + template { + destination = "${NOMAD_TASK_DIR}/uwsgi.ini" + data = file("./templates/uwsgi.ini.tmpl") + } + template { + destination = "${NOMAD_TASK_DIR}/config.ini" + data = file("./templates/config.ini.tmpl") + } + + resources { + memory = 50 + memory_max = 256 + cpu = 200 + } + } + + task "todo_api" { + driver = "podman" + + config { + image = "127.0.0.1:5000/todo:0.77.4" + command = "/todo/todo.sr.ht-api" + force_pull = true + ports = ["api"] + volumes = [ + # mount the templated config from the task directory to the container + "local/config.ini:/etc/sr.ht/config.ini", + ] + } + + # template config file + template { + destination = "${NOMAD_TASK_DIR}/config.ini" + data = file("./templates/config.ini.tmpl") + } + + # template pgp data + template { + destination = "${NOMAD_SECRETS_DIR}/pgp_privkey.pem" + data = <<EOT + {{with secret "kv/todo"}}{{index .Data.data.pgp_privkey}}{{end}} + EOT + } + template { + destination = "${NOMAD_SECRETS_DIR}/pgp_pubkey.pem" + data = <<EOT + {{with secret "kv/todo"}}{{index .Data.data.pgp_pubkey}}{{end}} + EOT + } + + resources { + memory = 50 + memory_max = 256 + cpu = 200 + } + } + + + task "nginx" { + driver = "podman" + + config { + image = "docker.io/library/nginx:stable-alpine" + ports = ["https"] + volumes = [ + # mount the templated config from the task directory to the container + "local/todo.conf:/etc/nginx/conf.d/todo.conf", + ] + } + + volume_mount { + volume = "tls" + destination = "/etc/letsencrypt" + } + + template { + destination = "${NOMAD_TASK_DIR}/todo.conf" + data = file("./templates/nginx.conf.tmpl") + } + + resources { + memory = 50 + memory_max = 256 + cpu = 200 + } + } + + } +}