commit 76ac1efce1999959ac915530aa5a5ee2e7b98c24
parent a7585733aa4cbce436ee9c4f778e41ad2ae0384d
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date: Mon, 18 Nov 2024 22:11:56 +0100
feat(snikket): add proxy
Diffstat:
4 files changed, 231 insertions(+), 21 deletions(-)
diff --git a/hcl/default/snikket/snikket.nomad b/hcl/default/snikket/snikket.nomad
@@ -22,38 +22,55 @@ job "snikket" {
}
network {
- port "prosody" {}
port "portal" {}
- port "https" {
+ port "prosody" {
+ static = 44409
+ }
+ port "proxy" {
static = 44408
}
}
- task "nginx" {
+ task "proxy" {
driver = "podman"
config {
image = "docker.io/library/nginx:stable-alpine"
- ports = ["https"]
+ ports = ["proxy"]
volumes = [
# mount the templated config from the task directory to the container
"local/snikket.conf:/etc/nginx/conf.d/snikket.conf",
+ "local/snikket-common.conf:/etc/nginx/snippets/snikket-common.conf",
]
}
- volume_mount {
- volume = "tls"
- destination = "/etc/letsencrypt"
- }
-
template {
destination = "${NOMAD_TASK_DIR}/snikket.conf"
data = file("./templates/nginx.conf.tmpl")
}
+ template {
+ destination = "${NOMAD_TASK_DIR}/snikket-common.conf"
+ data = file("./templates/nginx-snippets.conf.tmpl")
+ }
+
+ template {
+ destination = "${NOMAD_TASK_DIR}/snikket.env"
+ data = file("./templates/snikket.env.tmpl")
+ env = true
+ }
+
+ volume_mount {
+ volume = "snikket"
+ destination = "/snikket"
+ }
+ volume_mount {
+ volume = "tls"
+ destination = "/snikket/letsencrypt"
+ }
resources {
- memory = 128
- memory_max = 256
+ memory = 256
+ memory_max = 512
cpu = 250
}
}
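Review bot: The proxy task now mounts the whole `snikket` data volume at `/snikket` read-write, although the nginx templates in this commit only read certificates from `/snikket/letsencrypt/...`; nginx has no reason to write to either volume, so both `volume_mount` stanzas in the proxy task should carry `read_only = true` (e.g. `volume_mount { volume = "snikket" destination = "/snikket" read_only = true }`). Separately, `port "prosody"` is changed from a dynamic port to `static = 44409`, which pins prosody's plaintext HTTP listener to a fixed host port; if that port is reachable beyond the node, a client can bypass the TLS proxy and present its own `X-Forwarded-*` headers, so confirm it is firewalled or bound to a non-public interface. The `snikket` volume definition and the group's other tasks lie outside this hunk.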
@@ -111,9 +128,8 @@ job "snikket" {
resources {
memory = 256
memory_max = 512
- cpu = 250
+ cpu = 200
}
}
-
}
}
diff --git a/hcl/default/snikket/templates/nginx-snippets.conf.tmpl b/hcl/default/snikket/templates/nginx-snippets.conf.tmpl
@@ -0,0 +1,88 @@
+root /var/www/html;
+
+location / {
+ try_files $uri /static/$uri @portal;
+}
+
+location /admin_api {
+ try_files none @prosody;
+}
+
+location /invites_api {
+ try_files none @prosody;
+}
+
+location /invites_bootstrap {
+ try_files none @prosody;
+}
+
+location /share {
+ alias /usr/share/javascript;
+}
+
+location /upload {
+ client_max_body_size 104857616; # 100MB + 16 bytes (see Prosody config)
+ proxy_request_buffering off;
+ proxy_http_version 1.1;
+ try_files none @prosody;
+}
+
+location /http-bind {
+ try_files none @prosodyws;
+}
+
+location /xmpp-websocket {
+ try_files none @prosodyws;
+}
+
+location = /.well-known/host-meta {
+ try_files none @prosody;
+}
+
+location = /.well-known/host-meta.json {
+ try_files none @prosody;
+}
+
+location @portal {
+ proxy_pass http://{{ env "NOMAD_ADDR_portal" }};
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+}
+
+location @prosody {
+ proxy_pass http://{{ env "NOMAD_ADDR_prosody" }};
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+}
+
+location @prosodyws {
+ proxy_pass http://{{ env "NOMAD_ADDR_prosody" }};
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+
+ proxy_read_timeout 900s;
+}
+
+location /_health/portal {
+ proxy_pass http://{{ env "NOMAD_ADDR_portal" }}/_health;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+}
+
+location /_health/xmpp {
+ proxy_pass http://{{ env "NOMAD_ADDR_prosody" }}/host_status_check;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+}
+
+error_page 502 /_errors/502.html;
+error_page 503 /_errors/503.html;
+error_page 504 /_errors/504.html;
diff --git a/hcl/default/snikket/templates/nginx.conf.tmpl b/hcl/default/snikket/templates/nginx.conf.tmpl
@@ -1,14 +1,113 @@
server {
- listen {{ env "NOMAD_PORT_https" }} ssl;
+ listen {{ env "NOMAD_PORT_proxy" }} ssl;
+ listen [::]:{{ env "NOMAD_PORT_proxy" }} ssl;
- ssl_certificate /etc/letsencrypt/live/chat.in0rdr.ch/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/chat.in0rdr.ch/privkey.pem;
+ ssl_certificate /snikket/letsencrypt/live/chat.in0rdr.ch-0001/fullchain.pem;
+ ssl_certificate_key /snikket/letsencrypt/live/chat.in0rdr.ch-0001/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:1m;
+ ssl_session_timeout 1440m;
+ ssl_prefer_server_ciphers off;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /snikket/letsencrypt/live/chat.in0rdr.ch-0001/fullchain.pem;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ server_name chat.in0rdr.ch;
+
+ include "/etc/nginx/snippets/snikket-common.conf";
+}
+
+server {
+ listen {{ env "NOMAD_PORT_proxy" }} ssl;
+ listen [::]:{{ env "NOMAD_PORT_proxy" }} ssl;
+
+ ssl_certificate /snikket/letsencrypt/live/chat.in0rdr.ch-0001/fullchain.pem;
+ ssl_certificate_key /snikket/letsencrypt/live/chat.in0rdr.ch-0001/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:1m;
+ ssl_session_timeout 1440m;
+ ssl_prefer_server_ciphers off;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /snikket/letsencrypt/live/chat.in0rdr.ch-0001/fullchain.pem;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ server_name share.chat.in0rdr.ch;
+
+ root /var/www/html;
+
+ location / {
+ return 301 https://chat.in0rdr.ch/;
+ }
+
+ location /upload/ {
+ client_max_body_size 104857616; # 100MB + 16 bytes (see Prosody config)
+ proxy_request_buffering off;
+ proxy_http_version 1.1;
+ proxy_pass http://{{ env "NOMAD_ADDR_prosody" }};
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+}
+
+server {
+ listen {{ env "NOMAD_PORT_proxy" }} ssl;
+ listen [::]:{{ env "NOMAD_PORT_proxy" }} ssl;
+
+ ssl_certificate /snikket/letsencrypt/live/chat.in0rdr.ch-0001/fullchain.pem;
+ ssl_certificate_key /snikket/letsencrypt/live/chat.in0rdr.ch-0001/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:1m;
+ ssl_session_timeout 1440m;
+ ssl_prefer_server_ciphers off;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /snikket/letsencrypt/live/chat.in0rdr.ch-0001/fullchain.pem;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ server_name groups.chat.in0rdr.ch;
+
+ root /var/www/html;
+
+ location / {
+ return 301 https://chat.in0rdr.ch/;
+ }
+}
+
+# Fail requests to unknown domains
+server {
+ listen {{ env "NOMAD_PORT_proxy" }} ssl default_server;
+ listen [::]:{{ env "NOMAD_PORT_proxy" }} ssl default_server;
+
+ ssl_certificate /snikket/letsencrypt/live/chat.in0rdr.ch-0001/fullchain.pem;
+ ssl_certificate_key /snikket/letsencrypt/live/chat.in0rdr.ch-0001/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:1m;
+ ssl_session_timeout 1440m;
+ ssl_prefer_server_ciphers off;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /snikket/letsencrypt/live/chat.in0rdr.ch-0001/fullchain.pem;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ error_page 404 /_errors/404_site.html;
+
+ location = /_errors/404_site.html {
+ root /var/www/html;
+ internal;
+ }
location / {
- proxy_pass http://{{ env "NOMAD_ADDR_portal" }};
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ try_files none =404;
}
}
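Review bot: None of the four `server` blocks sets `ssl_protocols` or `ssl_ciphers`, so the accepted TLS versions depend on the nginx build's compiled defaults (older releases still enable TLSv1 and TLSv1.1); add `ssl_protocols TLSv1.2 TLSv1.3;` next to `ssl_prefer_server_ciphers off;` so the policy is explicit and survives image upgrades. The certificate, session, stapling and HSTS lines are repeated verbatim in all four blocks, which invites drift; since the task already mounts a snippets directory, moving them into a `snikket-tls.conf` snippet and `include`-ing it in each server gives one place to change. The certificate path hard-codes the certbot lineage `chat.in0rdr.ch-0001`; that suffix is what certbot produces when a second lineage is created for the same name, so a future re-issue may land in a different directory, which is worth a comment or a template variable. The default server's `error_page 404 /_errors/404_site.html` also assumes `/var/www/html/_errors/404_site.html` exists in the container, which the nomad task does not appear to provide.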
diff --git a/hcl/default/snikket/templates/snikket.env.tmpl b/hcl/default/snikket/templates/snikket.env.tmpl
@@ -14,3 +14,10 @@ SNIKKET_TWEAK_INTERNAL_HTTP_PORT={{ env "NOMAD_PORT_prosody" }}
SNIKKET_TWEAK_PORTAL_INTERNAL_HTTP_INTERFACE=0.0.0.0
SNIKKET_TWEAK_PORTAL_INTERNAL_HTTP_PORT={{ env "NOMAD_PORT_portal" }}
SNIKKET_WEB_PROSODY_ENDPOINT=http://{{ env "NOMAD_ADDR_prosody" }}
+
+# Proxy ports
+# https://github.com/snikket-im/snikket-server/blob/master/docs/advanced/reverse_proxy.md
+#SNIKKET_TWEAK_HTTP_PORT={{ env "NOMAD_PORT_prosody" }}
+#SNIKKET_TWEAK_HTTPS_PORT={{ env "NOMAD_PORT_proxy" }}
+
+SNIKKET_LOGLEVEL=debug
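Review bot: `SNIKKET_LOGLEVEL=debug` is committed as a permanent setting; Prosody's debug level is very verbose and can include stanza traffic and connection details in the logs, so it should not be the steady-state value — use `SNIKKET_LOGLEVEL=info` here and raise it temporarily while troubleshooting. The two commented `SNIKKET_TWEAK_HTTP_PORT`/`SNIKKET_TWEAK_HTTPS_PORT` lines deserve a one-line note on why they stay commented out, otherwise the next reader cannot tell whether they were tried and rejected or are still to be enabled. The rest of the env file is outside this hunk.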