nomad

HCL and Docker files for Nomad deployments
git clone https://git.in0rdr.ch/nomad.git

commit 6417dc1977389921a0300044dee948b8bf979417
parent a7eba5dee10712e7fee0c2eb7e99d200967a99d2
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date:   Sat, 28 Sep 2024 14:47:33 +0200

feat(myheats): use one image

Diffstat:
Dhcl/default/myheats-demo/data-volume.hcl | 31-------------------------------
Mhcl/default/myheats-demo/myheats-demo.nomad | 68++++++++++++++++++++++++++++++++++++++++++++++++--------------------
Mhcl/default/myheats-demo/templates/env.local.tmpl | 17+++++++++--------
Mhcl/default/myheats-demo/templates/nginx.conf.tmpl | 23++++++++++-------------
4 files changed, 67 insertions(+), 72 deletions(-)

diff --git a/hcl/default/myheats-demo/data-volume.hcl b/hcl/default/myheats-demo/data-volume.hcl
@@ -1,31 +0,0 @@
-# Register external nfs volume with Nomad CSI
-# https://www.nomadproject.io/docs/commands/volume/register
-type = "csi"
-# Unique ID of the volume, volume.source field in a job
-id = "myheats-demo"
-# Display name of the volume.
-name = "myheats-demo"
-# ID of the physical volume from the storage provider
-external_id = "csi-myheats-demo"
-plugin_id = "nfs"
-
-# You must provide at least one capability block
-# You must provide a block for each capability
-# youintend to use in a job's volume block
-# https://www.nomadproject.io/docs/commands/volume/register
-capability {
- access_mode = "multi-node-multi-writer"
- attachment_mode = "file-system"
-}
-
-# https://github.com/kubernetes-csi/csi-driver-nfs/blob/master/docs/driver-parameters.md
-context {
- server = "turris"
- share = "csi-myheats-demo"
-}
-
-mount_options {
- # mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
- mount_flags = ["nolock"]
-}
-
diff --git a/hcl/default/myheats-demo/myheats-demo.nomad b/hcl/default/myheats-demo/myheats-demo.nomad
@@ -14,36 +14,64 @@ job "myheats-demo" { access_mode = "multi-node-multi-writer" attachment_mode = "file-system" } - volume "myheats-demo" { - type = "csi" - source = "myheats-demo" - access_mode = "multi-node-multi-writer" - attachment_mode = "file-system" - } network { - port "https" { + port "frontent_https" { static = 44396 } - port "api" {} - port "wss" {} + port "fontend_http" { + to = 5173 + } + port "api_http" { + to = 8000 + } + port "api_https" { + static = 44407 + } + } + + task "nginx" { + driver = "podman" + + config { + image = "docker.io/library/nginx:stable-alpine" + ports = ["frontend_https", "api_https"] + volumes = [ + # mount the templated config from the task directory to the container + "local/myheats-demo.conf:/etc/nginx/conf.d/myheats-demo.conf", + ] + } + + volume_mount { + volume = "tls" + destination = "/etc/letsencrypt" + } + + template { + destination = "${NOMAD_TASK_DIR}/myheats-demo.conf" + data = file("./templates/nginx.conf.tmpl") + } + + resources { + memory = 50 + memory_max = 256 + cpu = 200 + } } task "frontend" { driver = "podman" config { - image = "127.0.0.1:5000/myheats-nginx:latest" + image = "127.0.0.1:5000/myheats:latest" command = "/bin/sh" - # prod build with .env.production and move to Nginx serve dir - args = ["-c", "npm run build && cp -r dist /srv/app && nginx -g 'daemon off;'"] + # run dev build + args = ["-c", "npm run dev"] force_pull = true - ports = ["https"] + ports = ["frontend_http"] volumes = [ - # mount the templated config from the task directory to the container - "local/myheats-demo.conf:/etc/nginx/conf.d/myheats-demo.conf", - # mount prod variables to app build dir - "secrets/env:/app/.env.production", + # mount variables to app dir + "secrets/env:/app/.env.local", ] } 
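Review bot: The port labels declared in the network block are misspelled relative to every place that uses them: `port "frontent_https"` and `port "fontend_http"` are declared, while the new nginx task has `ports = ["frontend_https", "api_https"]`, the frontend task has `ports = ["frontend_http"]`, and the nginx template reads `NOMAD_PORT_frontend_https` / `NOMAD_ADDR_frontend_http`. Nomad's job validation will most likely reject the job because those labels do not exist, and even if it were accepted the templated `listen` and `proxy_pass` values would render empty; the fix is `port "frontend_https" {` and `port "frontend_http" {`. Separately, `args = ["-c", "npm run dev"]` places the Vite dev server (the `to = 5173` port) behind the public TLS vhost; the dev server is not hardened for internet exposure (it serves unbuilt sources and an HMR endpoint), so for anything beyond a short-lived demo the previous build-and-serve-static shape is the safer one. The enclosing `job "myheats-demo"` block starts before and continues after this hunk.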
@@ -74,12 +102,12 @@ job "myheats-demo" { driver = "podman" config { - image = "127.0.0.1:5000/myheats-backend:latest" + image = "127.0.0.1:5000/myheats:latest" force_pull = true - ports = ["api", "wss"] + ports = ["api_http"] volumes = [ # mount the templated config from the task directory to the container - "secrets/env:/app/.env.production", + "secrets/env:/app/.env.local", ] } diff --git a/hcl/default/myheats-demo/templates/env.local.tmpl b/hcl/default/myheats-demo/templates/env.local.tmpl @@ -5,28 +5,29 @@ # Application window title VITE_APP_DOC_TITLE='MyHeats Demo' # Cookie TTL in seconds (session ttl in the admin/judges frontend), 60m -VITE_SESSION_TTL=259200 #27h +VITE_SESSION_TTL=259200 #72h # Full URI to backend http API -VITE_API_URI=http://{{ env "NOMAD_IP_api" }} +VITE_API_URI=http://{{ env "NOMAD_IP_api_http" }} # Backend API port -VITE_API_PORT={{ env "NOMAD_PORT_api" }} +VITE_API_PORT={{ env "NOMAD_PORT_api_http" }} # Full URI to backend websocket API -VITE_WS_URI=wss://{{ env "NOMAD_ADDR_api" }} +VITE_WS_URI=wss://{{ env "NOMAD_IP_api_https" }} # Backend API websocket port -VITE_WS_PORT={{ env "NOMAD_PORT_api" }} +VITE_WS_PORT={{ env "NOMAD_PORT_api_https" }} # Locale for frontend date formatting VITE_LOCALE=de-CH ########### # Backend # ########### + API_REDIRECT_URI=https://myheats-demo.p0c.ch/authverify # Backend API CORS allowed origins -API_CORS_ALLOW_ORIGIN=http://{{ env "NOMAD_ADDR_https" }} +API_CORS_ALLOW_ORIGIN=https://myheats-demo.p0c.ch # JWT secret for magic links (`openssl rand -base64 48`) API_JWT_SECRET={{with secret "kv/myheats-demo"}}{{index .Data.data.api_jwt_secret}}{{end}} -# JWT TTL in seconds (validity of the magic link), 5m -API_JWT_TTL=3600 #60m +# JWT TTL in seconds, make it biger than VITE_SESSION_TTL, 60m +API_JWT_TTL=259200 #72h # SMTP settings for sending magic links SMTP_HOST={{with secret "kv/myheats-demo"}}{{index .Data.data.smtp_host}}{{end}} 
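Review bot: Both tasks now pull `127.0.0.1:5000/myheats:latest` with `force_pull = true`, so every allocation restart silently takes whatever was last pushed under the mutable tag, and there is no record of which build is actually running; for a reproducible and auditable deployment reference the image by digest or an immutable tag, e.g. `image = "127.0.0.1:5000/myheats@sha256:<DIGEST-PLACEHOLDER>"` (constructed placeholder). The context comment above the changed `"secrets/env:/app/.env.local"` line still says "mount the templated config from the task directory to the container" although the mount is the rendered secrets env file; `# mount the rendered secrets/env template into the app dir as .env.local` would describe it. The backend task block starts before and continues after this hunk.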
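Review bot: `VITE_WS_URI=wss://{{ env "NOMAD_IP_api_https" }}` points the browser at the node's IP address, but the nginx server block for that port in this same commit serves a certificate issued for `api.myheats-demo.p0c.ch`, so the WebSocket TLS handshake will fail on a name mismatch. `VITE_API_URI=http://{{ env "NOMAD_IP_api_http" }}` with `VITE_API_PORT={{ env "NOMAD_PORT_api_http" }}` bypasses the TLS proxy entirely and sends API traffic, including the JWT, in cleartext to the dynamically mapped host port, which a browser on the https origin will typically also refuse as mixed content. Both should go through the proxy, i.e. `VITE_API_URI=https://api.myheats-demo.p0c.ch` and `VITE_WS_URI=wss://api.myheats-demo.p0c.ch` with `VITE_API_PORT`/`VITE_WS_PORT` set to the `api_https` port. Raising `API_JWT_TTL` to 259200 also makes each magic link usable for 72 h; if the same secret and TTL back both session tokens and links, a separate short link TTL would keep a forwarded or logged link from staying valid for three days. The comment typo `biger` should read `bigger`.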
diff --git a/hcl/default/myheats-demo/templates/nginx.conf.tmpl b/hcl/default/myheats-demo/templates/nginx.conf.tmpl @@ -1,32 +1,29 @@ server { - listen {{ env "NOMAD_PORT_https" }} ssl; + listen {{ env "NOMAD_PORT_frontend_https" }} ssl; ssl_certificate /etc/letsencrypt/live/myheats-demo.p0c.ch/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/myheats-demo.p0c.ch/privkey.pem; - root /srv/app; - location / { - try_files $uri /index.html; + proxy_pass http://{{ env "NOMAD_ADDR_frontend_http" }}; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; } } server { - listen {{ env "NOMAD_PORT_wss" }} ssl; + listen {{ env "NOMAD_PORT_api_https" }} ssl; - ssl_certificate /etc/letsencrypt/live/myheats-demo.p0c.ch/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/myheats-demo.p0c.ch/privkey.pem; + ssl_certificate /etc/letsencrypt/live/api.myheats-demo.p0c.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/api.myheats-demo.p0c.ch/privkey.pem; location / { - proxy_pass http://{{ env "NOMAD_ADDR_api" }}; + proxy_pass http://{{ env "NOMAD_ADDR_api_http" }}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - - # WebSocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; } }
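Review bot: The `api_https` server block drops `proxy_http_version 1.1` and the `Upgrade`/`Connection "upgrade"` headers, yet the env template in this same commit still points `VITE_WS_URI` at `wss://` on exactly this port; without those three directives nginx will not forward the WebSocket handshake, so the backend socket will fail. The new `frontend_https` server that proxies to the Vite dev server has the same need, since the dev server's HMR channel is also a WebSocket. Restore `proxy_http_version 1.1;`, `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection "upgrade";` inside both `location /` blocks.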