nomad

HCL and Docker files for Nomad deployments

commit 76ac1efce1999959ac915530aa5a5ee2e7b98c24
parent a7585733aa4cbce436ee9c4f778e41ad2ae0384d
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date:   Mon, 18 Nov 2024 22:11:56 +0100

feat(snikket): add proxy

Diffstat:
Mhcl/default/snikket/snikket.nomad | 42+++++++++++++++++++++++++++++-------------
Ahcl/default/snikket/templates/nginx-snippets.conf.tmpl | 88+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Mhcl/default/snikket/templates/nginx.conf.tmpl | 115+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------
Mhcl/default/snikket/templates/snikket.env.tmpl | 7+++++++
4 files changed, 231 insertions(+), 21 deletions(-)

diff --git a/hcl/default/snikket/snikket.nomad b/hcl/default/snikket/snikket.nomad
@@ -22,38 +22,55 @@ job "snikket" {
 }
 network {
- port "prosody" {}
 port "portal" {}
- port "https" {
+ port "prosody" {
+ static = 44409
+ }
+ port "proxy" {
 static = 44408
 }
 }
- task "nginx" {
+ task "proxy" {
 driver = "podman"
 config {
 image = "docker.io/library/nginx:stable-alpine"
- ports = ["https"]
+ ports = ["proxy"]
 volumes = [
 # mount the templated config from the task directory to the container
 "local/snikket.conf:/etc/nginx/conf.d/snikket.conf",
+ "local/snikket-common.conf:/etc/nginx/snippets/snikket-common.conf",
 ]
 }
- volume_mount {
- volume = "tls"
- destination = "/etc/letsencrypt"
- }
-
 template {
 destination = "${NOMAD_TASK_DIR}/snikket.conf"
 data = file("./templates/nginx.conf.tmpl")
 }
+ template {
+ destination = "${NOMAD_TASK_DIR}/snikket-common.conf"
+ data = file("./templates/nginx-snippets.conf.tmpl")
+ }
+
+ template {
+ destination = "${NOMAD_TASK_DIR}/snikket.env"
+ data = file("./templates/snikket.env.tmpl")
+ env = true
+ }
+
+ volume_mount {
+ volume = "snikket"
+ destination = "/snikket"
+ }
+ volume_mount {
+ volume = "tls"
+ destination = "/snikket/letsencrypt"
+ }
 resources {
- memory = 128
- memory_max = 256
+ memory = 256
+ memory_max = 512
 cpu = 250
 }
 }
@@ -111,9 +128,8 @@ job "snikket" {
 resources {
 memory = 256
 memory_max = 512
- cpu = 250
+ cpu = 200
 }
 }
- }
 }
diff --git a/hcl/default/snikket/templates/nginx-snippets.conf.tmpl b/hcl/default/snikket/templates/nginx-snippets.conf.tmpl
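Review bot: The new `task "proxy"` mounts the whole `snikket` data volume at `/snikket` read-write, although the nginx templates added in this commit only read certificate files under `/snikket/letsencrypt/`; unless that mount exists solely to provide the parent directory for the nested `tls` mount, dropping it, or at least adding `read_only = true` to both `volume_mount` blocks, keeps the proxy from being able to write into the XMPP server's data. In the same way, `snikket.env` is rendered into the proxy task with `env = true`, yet `nginx.conf.tmpl` and `nginx-snippets.conf.tmpl` read only Nomad-provided `NOMAD_PORT_*`/`NOMAD_ADDR_*` values, so the nginx container appears to receive every Snikket setting without using any of them. `port "prosody"` is also pinned to `static = 44409` without a stated reason; the proxy reaches it through `NOMAD_ADDR_prosody`, which works with a dynamic port as well, and a static host port widens where the plaintext HTTP listener behind it can be reached, so a comment such as `# static: <reason>; must stay reachable only from the proxy task` would document the intent. The enclosing `group` block starts before this hunk.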
@@ -0,0 +1,88 @@
+root /var/www/html;
+
+location / {
+ try_files $uri /static/$uri @portal;
+}
+
+location /admin_api {
+ try_files none @prosody;
+}
+
+location /invites_api {
+ try_files none @prosody;
+}
+
+location /invites_bootstrap {
+ try_files none @prosody;
+}
+
+location /share {
+ alias /usr/share/javascript;
+}
+
+location /upload {
+ client_max_body_size 104857616; # 100MB + 16 bytes (see Prosody config)
+ proxy_request_buffering off;
+ proxy_http_version 1.1;
+ try_files none @prosody;
+}
+
+location /http-bind {
+ try_files none @prosodyws;
+}
+
+location /xmpp-websocket {
+ try_files none @prosodyws;
+}
+
+location = /.well-known/host-meta {
+ try_files none @prosody;
+}
+
+location = /.well-known/host-meta.json {
+ try_files none @prosody;
+}
+
+location @portal {
+ proxy_pass http://{{ env "NOMAD_ADDR_portal" }};
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+}
+
+location @prosody {
+ proxy_pass http://{{ env "NOMAD_ADDR_prosody" }};
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+}
+
+location @prosodyws {
+ proxy_pass http://{{ env "NOMAD_ADDR_prosody" }};
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+
+ proxy_read_timeout 900s;
+}
+
+location /_health/portal {
+ proxy_pass http://{{ env "NOMAD_ADDR_portal" }}/_health;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+}
+
+location /_health/xmpp {
+ proxy_pass http://{{ env "NOMAD_ADDR_prosody" }}/host_status_check;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+}
+
+error_page 502 /_errors/502.html;
+error_page 503 /_errors/503.html;
+error_page 504 /_errors/504.html;
diff --git a/hcl/default/snikket/templates/nginx.conf.tmpl b/hcl/default/snikket/templates/nginx.conf.tmpl
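Review bot: `root /var/www/html;`, `alias /usr/share/javascript;` and the `error_page 50x /_errors/*.html` targets all assume files that live inside the proxy container, but the task in snikket.nomad mounts only the two rendered config files into `nginx:stable-alpine`, so unless the image itself ships those paths they resolve to nothing; for the error pages that means the internal redirect runs through `try_files` back to `@portal`, the upstream that just failed, and the custom page is never shown. A comment naming where `/var/www/html` and `/usr/share/javascript` are expected to come from, or a mount that provides them, would make this checkable. `$proxy_add_x_forwarded_for` appends the connecting address to whatever `X-Forwarded-For` a client already sent, so the Prosody and portal side must trust only the proxy's own address when reading that header; `X-Forwarded-Proto` is hard-coded to `https`, which is consistent with the ssl-only listeners in nginx.conf.tmpl.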
@@ -1,14 +1,113 @@
 server {
- listen {{ env "NOMAD_PORT_https" }} ssl;
+ listen {{ env "NOMAD_PORT_proxy" }} ssl;
+ listen [::]:{{ env "NOMAD_PORT_proxy" }} ssl;
- ssl_certificate /etc/letsencrypt/live/chat.in0rdr.ch/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/chat.in0rdr.ch/privkey.pem;
+ ssl_certificate /snikket/letsencrypt/live/chat.in0rdr.ch-0001/fullchain.pem;
+ ssl_certificate_key /snikket/letsencrypt/live/chat.in0rdr.ch-0001/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:1m;
+ ssl_session_timeout 1440m;
+ ssl_prefer_server_ciphers off;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /snikket/letsencrypt/live/chat.in0rdr.ch-0001/fullchain.pem;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ server_name chat.in0rdr.ch;
+
+ include "/etc/nginx/snippets/snikket-common.conf";
+}
+
+server {
+ listen {{ env "NOMAD_PORT_proxy" }} ssl;
+ listen [::]:{{ env "NOMAD_PORT_proxy" }} ssl;
+
+ ssl_certificate /snikket/letsencrypt/live/chat.in0rdr.ch-0001/fullchain.pem;
+ ssl_certificate_key /snikket/letsencrypt/live/chat.in0rdr.ch-0001/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:1m;
+ ssl_session_timeout 1440m;
+ ssl_prefer_server_ciphers off;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /snikket/letsencrypt/live/chat.in0rdr.ch-0001/fullchain.pem;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ server_name share.chat.in0rdr.ch;
+
+ root /var/www/html;
+
+ location / {
+ return 301 https://chat.in0rdr.ch/;
+ }
+
+ location /upload/ {
+ client_max_body_size 104857616; # 100MB + 16 bytes (see Prosody config)
+ proxy_request_buffering off;
+ proxy_http_version 1.1;
+ proxy_pass http://{{ env "NOMAD_ADDR_prosody" }};
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+}
+
+server {
+ listen {{ env "NOMAD_PORT_proxy" }} ssl;
+ listen [::]:{{ env "NOMAD_PORT_proxy" }} ssl;
+
+ ssl_certificate /snikket/letsencrypt/live/chat.in0rdr.ch-0001/fullchain.pem;
+ ssl_certificate_key /snikket/letsencrypt/live/chat.in0rdr.ch-0001/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:1m;
+ ssl_session_timeout 1440m;
+ ssl_prefer_server_ciphers off;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /snikket/letsencrypt/live/chat.in0rdr.ch-0001/fullchain.pem;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ server_name groups.chat.in0rdr.ch;
+
+ root /var/www/html;
+
+ location / {
+ return 301 https://chat.in0rdr.ch/;
+ }
+}
+
+# Fail requests to unknown domains
+server {
+ listen {{ env "NOMAD_PORT_proxy" }} ssl default_server;
+ listen [::]:{{ env "NOMAD_PORT_proxy" }} ssl default_server;
+
+ ssl_certificate /snikket/letsencrypt/live/chat.in0rdr.ch-0001/fullchain.pem;
+ ssl_certificate_key /snikket/letsencrypt/live/chat.in0rdr.ch-0001/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:1m;
+ ssl_session_timeout 1440m;
+ ssl_prefer_server_ciphers off;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /snikket/letsencrypt/live/chat.in0rdr.ch-0001/fullchain.pem;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ error_page 404 /_errors/404_site.html;
+
+ location = /_errors/404_site.html {
+ root /var/www/html;
+ internal;
+ }
 location / {
- proxy_pass http://{{ env "NOMAD_ADDR_portal" }};
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ try_files none =404;
 }
 }
diff --git a/hcl/default/snikket/templates/snikket.env.tmpl b/hcl/default/snikket/templates/snikket.env.tmpl
@@ -14,3 +14,10 @@ SNIKKET_TWEAK_INTERNAL_HTTP_PORT={{ env "NOMAD_PORT_prosody" }}
 SNIKKET_TWEAK_PORTAL_INTERNAL_HTTP_INTERFACE=0.0.0.0
 SNIKKET_TWEAK_PORTAL_INTERNAL_HTTP_PORT={{ env "NOMAD_PORT_portal" }}
 SNIKKET_WEB_PROSODY_ENDPOINT=http://{{ env "NOMAD_ADDR_prosody" }}
+
+# Proxy ports
+# https://github.com/snikket-im/snikket-server/blob/master/docs/advanced/reverse_proxy.md
+#SNIKKET_TWEAK_HTTP_PORT={{ env "NOMAD_PORT_prosody" }}
+#SNIKKET_TWEAK_HTTPS_PORT={{ env "NOMAD_PORT_proxy" }}
+
+SNIKKET_LOGLEVEL=debug
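Review bot: `SNIKKET_LOGLEVEL=debug` is committed as a permanent setting, and debug output from the XMPP server may include stanza contents and session details that do not belong in long-lived logs; if it is only there to bring up the proxy, mark it `# temporary, revert after proxy rollout` or leave the level at its default. The two commented-out `SNIKKET_TWEAK_*_PORT` lines would benefit from one sentence on why they are disabled, since a reader cannot tell whether they were tried and rejected or are simply not needed with the proxy configured as it is.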