commit a7585733aa4cbce436ee9c4f778e41ad2ae0384d
parent b0fd6ede14a1a7f8f5242651543e5ed1ed2a9a61
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date: Sun, 10 Nov 2024 16:53:29 +0100
feat: add snikket
Diffstat:
4 files changed, 180 insertions(+), 0 deletions(-)
diff --git a/hcl/default/snikket/data-volume.hcl b/hcl/default/snikket/data-volume.hcl
@@ -0,0 +1,31 @@
+# Register external nfs volume with Nomad CSI
+# https://www.nomadproject.io/docs/commands/volume/register
+type = "csi"
+# Unique ID of the volume, volume.source field in a job
+id = "snikket"
+# Display name of the volume.
+name = "snikket"
+# ID of the physical volume from the storage provider
+external_id = "csi-snikket"
+plugin_id = "nfs"
+
+# You must provide at least one capability block
+# You must provide a block for each capability
+# youintend to use in a job's volume block
+# https://www.nomadproject.io/docs/commands/volume/register
+capability {
+ access_mode = "multi-node-multi-writer"
+ attachment_mode = "file-system"
+}
+
+# https://github.com/kubernetes-csi/csi-driver-nfs/blob/master/docs/driver-parameters.md
+context {
+ server = "turris"
+ share = "csi-snikket"
+}
+
+mount_options {
+ # mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
+ mount_flags = ["nolock"]
+}
+
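Review bot: `mount_flags = ["nolock"]` keeps NFS locks local to each client, while the capability block declares `access_mode = "multi-node-multi-writer"`. Two allocations on different nodes could therefore write the same Snikket data files with no lock coordination between them. The job in this commit runs `count = 1`, but this capability would still permit an overlapping reschedule or a second job claiming the volume. If only one node ever needs to write, `access_mode = "single-node-writer"` here and in the job's `volume "snikket"` block would let Nomad enforce that, provided the NFS plugin accepts that mode. Otherwise a comment such as `# nolock: locks are node-local, never run more than one writer allocation` next to `mount_flags` would record the constraint.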
diff --git a/hcl/default/snikket/snikket.nomad b/hcl/default/snikket/snikket.nomad
@@ -0,0 +1,119 @@
+# https://snikket.org/service/resources/docker-compose.yml
+
+job "snikket" {
+ datacenters = ["dc1"]
+
+ vault {}
+
+ group "server" {
+ count = 1
+
+ volume "tls" {
+ type = "csi"
+ source = "certbot"
+ access_mode = "multi-node-multi-writer"
+ attachment_mode = "file-system"
+ }
+ volume "snikket" {
+ type = "csi"
+ source = "snikket"
+ access_mode = "multi-node-multi-writer"
+ attachment_mode = "file-system"
+ }
+
+ network {
+ port "prosody" {}
+ port "portal" {}
+ port "https" {
+ static = 44408
+ }
+ }
+
+ task "nginx" {
+ driver = "podman"
+
+ config {
+ image = "docker.io/library/nginx:stable-alpine"
+ ports = ["https"]
+ volumes = [
+ # mount the templated config from the task directory to the container
+ "local/snikket.conf:/etc/nginx/conf.d/snikket.conf",
+ ]
+ }
+
+ volume_mount {
+ volume = "tls"
+ destination = "/etc/letsencrypt"
+ }
+
+ template {
+ destination = "${NOMAD_TASK_DIR}/snikket.conf"
+ data = file("./templates/nginx.conf.tmpl")
+ }
+
+ resources {
+ memory = 128
+ memory_max = 256
+ cpu = 250
+ }
+ }
+
+ task "portal" {
+ driver = "podman"
+
+ config {
+ image = "docker.io/snikket/snikket-web-portal:stable"
+ ports = ["portal"]
+ }
+
+ volume_mount {
+ volume = "snikket"
+ destination = "/snikket"
+ }
+
+ template {
+ destination = "${NOMAD_TASK_DIR}/snikket.env"
+ data = file("./templates/snikket.env.tmpl")
+ env = true
+ }
+
+ resources {
+ memory = 256
+ memory_max = 512
+ cpu = 250
+ }
+ }
+
+ task "snikket" {
+ driver = "podman"
+
+ config {
+ image = "docker.io/snikket/snikket-server:stable"
+ ports = ["prosody"]
+ }
+
+ volume_mount {
+ volume = "snikket"
+ destination = "/snikket"
+ }
+ # Snikket prosody service waits for certificates
+ volume_mount {
+ volume = "tls"
+ destination = "/snikket/letsencrypt"
+ }
+
+ template {
+ destination = "${NOMAD_TASK_DIR}/snikket.env"
+ data = file("./templates/snikket.env.tmpl")
+ env = true
+ }
+
+ resources {
+ memory = 256
+ memory_max = 512
+ cpu = 250
+ }
+ }
+
+ }
+}
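Review bot: The `nginx` task is given more privilege than its template uses. The `tls` volume, which judging by its source `certbot` holds the certificate private keys, is mounted writable into both `nginx` and `snikket`. The job-level `vault {}` also appears to apply to every task, although only the tasks rendering `snikket.env.tmpl` read a secret. Adding `read_only = true` to the `volume_mount` blocks for `tls` would narrow this for nginx, and for snikket too if Prosody only reads the certificates. Moving `vault {}` into the `portal` and `snikket` tasks would limit what a compromised proxy container can reach.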
diff --git a/hcl/default/snikket/templates/nginx.conf.tmpl b/hcl/default/snikket/templates/nginx.conf.tmpl
@@ -0,0 +1,14 @@
+server {
+ listen {{ env "NOMAD_PORT_https" }} ssl;
+
+ ssl_certificate /etc/letsencrypt/live/chat.in0rdr.ch/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/chat.in0rdr.ch/privkey.pem;
+
+ location / {
+ proxy_pass http://{{ env "NOMAD_ADDR_portal" }};
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
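Review bot: nginx reads `ssl_certificate` and `ssl_certificate_key` only at start or reload. A certificate renewed inside the mounted `/etc/letsencrypt` volume therefore keeps being served in its old, eventually expired form until the task restarts. Nothing visible in this commit reloads nginx after a renewal, though that may be handled outside the repository. A comment above the two directives, e.g. `# read at start/reload only: restart or signal this task after certbot renews`, would record the dependency.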
diff --git a/hcl/default/snikket/templates/snikket.env.tmpl b/hcl/default/snikket/templates/snikket.env.tmpl
@@ -0,0 +1,16 @@
+# The domain of your Snikket instance
+SNIKKET_DOMAIN=chat.in0rdr.ch
+
+# The email address of the primary admin
+SNIKKET_ADMIN_EMAIL={{with secret "kv/snikket"}}{{index .Data.data.admin_email}}{{end}}
+
+# Server bind settings
+# https://github.com/snikket-im/snikket-server/blob/master/Dockerfile
+SNIKKET_TWEAK_INTERNAL_HTTP_INTERFACE=0.0.0.0
+SNIKKET_TWEAK_INTERNAL_HTTP_PORT={{ env "NOMAD_PORT_prosody" }}
+
+# Web portal bind settings
+# https://github.com/snikket-im/snikket-web-portal/blob/master/Dockerfile
+SNIKKET_TWEAK_PORTAL_INTERNAL_HTTP_INTERFACE=0.0.0.0
+SNIKKET_TWEAK_PORTAL_INTERNAL_HTTP_PORT={{ env "NOMAD_PORT_portal" }}
+SNIKKET_WEB_PROSODY_ENDPOINT=http://{{ env "NOMAD_ADDR_prosody" }}
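Review bot: Both internal HTTP listeners bind `0.0.0.0` and are addressed through `NOMAD_ADDR_*`. Assuming the podman driver publishes the dynamic `prosody` and `portal` ports on the host address, the portal and Prosody's internal HTTP interface answer in cleartext to anything that can reach the node, bypassing the nginx TLS listener. `SNIKKET_WEB_PROSODY_ENDPOINT=http://…` likewise carries portal-to-Prosody traffic unencrypted over that address. If the tasks can share a network namespace (for example group-level bridge networking), binding both interfaces to `127.0.0.1` and publishing only `https` would close this. Failing that, a comment above these lines such as `# plain HTTP on dynamic host ports: node firewall must restrict access` would document the requirement.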