nomad

HCL and Docker files for Nomad deployments

commit 594d0c70404e0f21b5555c3bee8b036923bfe442
parent a71a59e5d723bde5da73758c9c8f6c16a6ed7cea
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date:   Sun,  3 Nov 2024 14:58:47 +0100

feat: remove mastodon

Diffstat:
Dhcl/default/mastodon/data-volume.hcl | 31-------------------------------
Dhcl/default/mastodon/mastodon.nomad | 202-------------------------------------------------------------------------------
Dhcl/default/mastodon/templates/env.production.tmpl | 61-------------------------------------------------------------
Dhcl/default/mastodon/templates/nginx.conf.tmpl | 109-------------------------------------------------------------------------------
4 files changed, 0 insertions(+), 403 deletions(-)

diff --git a/hcl/default/mastodon/data-volume.hcl b/hcl/default/mastodon/data-volume.hcl
@@ -1,31 +0,0 @@
-# Register external nfs volume with Nomad CSI
-# https://www.nomadproject.io/docs/commands/volume/register
-type = "csi"
-# Unique ID of the volume, volume.source field in a job
-id = "mastodon"
-# Display name of the volume.
-name = "mastodon"
-# ID of the physical volume from the storage provider
-external_id = "csi-mastodon"
-plugin_id = "nfs"
-
-# You must provide at least one capability block
-# You must provide a block for each capability
-# youintend to use in a job's volume block
-# https://www.nomadproject.io/docs/commands/volume/register
-capability {
- access_mode = "multi-node-multi-writer"
- attachment_mode = "file-system"
-}
-
-# https://github.com/kubernetes-csi/csi-driver-nfs/blob/master/docs/driver-parameters.md
-context {
- server = "turris"
- share = "csi-mastodon"
-}
-
-mount_options {
- # mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
- mount_flags = ["nolock"]
-}
-
diff --git a/hcl/default/mastodon/mastodon.nomad b/hcl/default/mastodon/mastodon.nomad
@@ -1,202 +0,0 @@
-# https://github.com/mastodon/mastodon/blob/main/docker-compose.yml
-
-job "mastodon" {
- datacenters = ["dc1"]
-
- vault {}
-
- group "server" {
- count = 1
-
- volume "tls" {
- type = "csi"
- source = "certbot"
- access_mode = "multi-node-multi-writer"
- attachment_mode = "file-system"
- }
- volume "mastodon" {
- type = "csi"
- source = "mastodon"
- access_mode = "multi-node-multi-writer"
- attachment_mode = "file-system"
- }
-
- network {
- port "redis" {
- to = 6379
- }
- port "https" {
- static = 44393
- }
- port "mastodon_web" {}
- port "mastodon_streaming" {
- to = 4000
- }
- }
-
- # Prepare database migrations
- task "db-upgrade" {
- driver = "podman"
-
- volume_mount {
- volume = "mastodon"
- destination = "/mastodon/public/system"
- }
-
- template {
- destination = "${NOMAD_TASK_DIR}/env.production"
- data = file("./templates/env.production.tmpl")
- env = true
- }
-
- config {
- image = "docker.io/tootsuite/mastodon:latest"
- force_pull = true
- command = "bundle"
- args = ["exec", "rake", "db:migrate"]
- }
-
- resources {
- memory = 50
- memory_max = 256
- cpu = 200
- }
-
- lifecycle {
- hook = "prestart"
- sidecar = false
- }
- }
-
- task "nginx" {
- driver = "podman"
-
- config {
- image = "docker.io/library/nginx:stable-alpine"
- ports = ["https"]
- volumes = [
- # mount the templated config from the task directory to the container
- "local/mastodon.conf:/etc/nginx/conf.d/mastodon.conf",
- ]
- }
-
- volume_mount {
- volume = "tls"
- destination = "/etc/letsencrypt"
- }
-
- template {
- destination = "${NOMAD_TASK_DIR}/mastodon.conf"
- data = file("./templates/nginx.conf.tmpl")
- }
-
- resources {
- memory = 50
- memory_max = 256
- cpu = 200
- }
- }
-
- task "mastodon-web" {
- driver = "podman"
-
- config {
- image = "docker.io/tootsuite/mastodon:latest"
- force_pull = true
- ports = ["mastodon_web"]
- command = "bash"
- args = ["-c", "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p ${NOMAD_PORT_mastodon_web}"]
- }
-
- volume_mount {
- volume = "mastodon"
- destination = "/mastodon/public/system"
- }
-
- template {
- destination = "${NOMAD_TASK_DIR}/env.production"
- data = file("./templates/env.production.tmpl")
- env = true
- }
-
- resources {
- memory = 50
- memory_max = 512
- cpu = 300
- }
- }
-
- task "mastodon-streaming" {
- driver = "podman"
-
- config {
- image = "ghcr.io/mastodon/mastodon-streaming:latest"
- force_pull = true
- ports = ["mastodon_streaming"]
- command = "node"
- args = ["./streaming"]
- }
-
- template {
- destination = "${NOMAD_TASK_DIR}/env.production"
- data = file("./templates/env.production.tmpl")
- env = true
- }
-
- resources {
- memory = 50
- memory_max = 300
- cpu = 200
- }
- }
-
- task "mastodon-sidekiq" {
- driver = "podman"
-
- config {
- image = "docker.io/tootsuite/mastodon:latest"
- force_pull = true
- command = "bundle"
- args = ["exec", "sidekiq"]
- }
-
- volume_mount {
- volume = "mastodon"
- destination = "/mastodon/public/system"
- }
-
- template {
- destination = "${NOMAD_TASK_DIR}/env.production"
- data = file("./templates/env.production.tmpl")
- env = true
- }
-
- resources {
- memory = 50
- memory_max = 500
- cpu = 200
- }
- }
-
- task "redis" {
- driver = "podman"
-
- config {
- image = "docker.io/library/redis:7-alpine"
- ports = ["redis"]
- }
-
- resources {
- memory = 32
- memory_max = 128
- cpu = 100
- }
-
- lifecycle {
- hook = "prestart"
- sidecar = true
- }
- }
-
- }
-}
diff --git a/hcl/default/mastodon/templates/env.production.tmpl b/hcl/default/mastodon/templates/env.production.tmpl
@@ -1,61 +0,0 @@
-# https://raw.githubusercontent.com/mastodon/mastodon/main/.env.production.sample
-
-# Federation
-# ----------
-# This identifies your server and cannot be changed safely later
-# ----------
-LOCAL_DOMAIN=m.in0rdr.ch
-
-# Redis
-# -----
-REDIS_HOST={{ env "NOMAD_IP_redis" }}
-REDIS_PORT={{ env "NOMAD_HOST_PORT_redis" }}
-
-# PostgreSQL
-# ----------
-DB_HOST=postgres.lan
-DB_USER=mastodon
-DB_NAME=mastodon
-DB_PASS="{{with secret "kv/mastodon"}}{{index .Data.data.db_password}}{{end}}"
-DB_PORT=5432
-
-# Secrets
-# -------
-# Make sure to use `rake secret` to generate secrets
-# -------
-SECRET_KEY_BASE={{with secret "kv/mastodon"}}{{index .Data.data.secret_key_base}}{{end}}
-OTP_SECRET={{with secret "kv/mastodon"}}{{index .Data.data.otp_secret}}{{end}}
-
-# Web Push
-# --------
-# Generate with `rake mastodon:webpush:generate_vapid_key`
-# --------
-VAPID_PRIVATE_KEY={{with secret "kv/mastodon"}}{{index .Data.data.vapid_private_key}}{{end}}
-VAPID_PUBLIC_KEY={{with secret "kv/mastodon"}}{{index .Data.data.vapid_public_key}}{{end}}
-
-# Sending mail
-# ------------
-SMTP_SERVER=smtp.mailgun.org
-SMTP_PORT=587
-SMTP_LOGIN=postmaster@sandboxbba7fd32d470463d8a79b76645b9575c.mailgun.org
-SMTP_PASSWORD={{with secret "kv/mastodon"}}{{index .Data.data.smtp_password}}{{end}}
-SMTP_FROM_ADDRESS=no-reply@m.in0rdr.ch
-
-# IP and session retention
-# -----------------------
-# Make sure to modify the scheduling of ip_cleanup_scheduler in config/sidekiq.yml
-# to be less than daily if you lower IP_RETENTION_PERIOD below two days (172800).
-# -----------------------
-IP_RETENTION_PERIOD=31556952
-SESSION_RETENTION_PERIOD=31556952
-
-# Encryption secrets
-# ------------------
-# Must be available (and set to same values) for all server processes
-# These are private/secret values, do not share outside hosting environment
-# Use `bin/rails db:encryption:init` to generate fresh secrets
-# Do not change these secrets once in use, as this would cause data loss and other issues
-# ------------------
-ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY={{with secret "kv/mastodon"}}{{index .Data.data.ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY}}{{end}}
-ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{with secret "kv/mastodon"}}{{index .Data.data.ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT}}{{end}}
-ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{with secret "kv/mastodon"}}{{index .Data.data.ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY}}{{end}}
diff --git a/hcl/default/mastodon/templates/nginx.conf.tmpl b/hcl/default/mastodon/templates/nginx.conf.tmpl
@@ -1,109 +0,0 @@
-# https://github.com/mastodon/mastodon/blob/main/dist/nginx.conf
-
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-upstream backend {
- server {{ env "NOMAD_ADDR_mastodon_web" }} fail_timeout=0;
-}
-
-upstream streaming {
- server {{ env "NOMAD_ADDR_mastodon_streaming" }} fail_timeout=0;
-}
-
-proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
-
-server {
- listen {{ env "NOMAD_PORT_https" }} ssl http2;
- listen [::]:{{ env "NOMAD_PORT_https" }} ssl http2;
- server_name m.in0rdr.ch;
-
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
-
- ssl_certificate /etc/letsencrypt/live/m.in0rdr.ch/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/m.in0rdr.ch/privkey.pem;
-
- keepalive_timeout 70;
- sendfile on;
- client_max_body_size 80m;
-
- root /mastodon/public;
-
- gzip on;
- gzip_disable "msie6";
- gzip_vary on;
- gzip_proxied any;
- gzip_comp_level 6;
- gzip_buffers 16 8k;
- gzip_http_version 1.1;
- gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;
-
- add_header Strict-Transport-Security "max-age=31536000" always;
-
- location / {
- try_files $uri @proxy;
- }
-
- location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
- add_header Cache-Control "public, max-age=31536000, immutable";
- add_header Strict-Transport-Security "max-age=31536000" always;
- try_files $uri @proxy;
- }
-
- location /sw.js {
- add_header Cache-Control "public, max-age=0";
- add_header Strict-Transport-Security "max-age=31536000" always;
- try_files $uri @proxy;
- }
-
- location @proxy {
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Proxy "";
- proxy_pass_header Server;
-
- proxy_pass http://backend;
- proxy_buffering on;
- proxy_redirect off;
- proxy_http_version 1.1;
- proxy_force_ranges on; # for iOS clients
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- proxy_cache CACHE;
- proxy_cache_valid 200 7d;
- proxy_cache_valid 410 24h;
- proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
- add_header X-Cached $upstream_cache_status;
- add_header Strict-Transport-Security "max-age=31536000" always;
-
- tcp_nodelay on;
- }
-
- location /api/v1/streaming {
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Proxy "";
-
- proxy_pass http://streaming;
- proxy_buffering off;
- proxy_redirect off;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- tcp_nodelay on;
- }
-
- error_page 500 501 502 503 504 /500.html;
-}