commit beb0cca096b82fc1a134fc91d88d6ca79f8bf703
parent b788658b9c61d2ac0f25d79879edf579cd67e294
Author: Andreas Gruhler <agruhl@gmx.ch>
Date: Sun, 16 Mar 2025 12:47:25 +0100
feat(meta): add meta deployment
Diffstat:
3 files changed, 430 insertions(+), 0 deletions(-)
diff --git a/hcl/default/meta/meta.nomad b/hcl/default/meta/meta.nomad
@@ -0,0 +1,173 @@
+# https://man.sr.ht/configuration.md
+
+job "meta" {
+ datacenters = ["dc1"]
+
+ vault {}
+
+ group "server" {
+ count = 1
+
+ # /alloc/data for static assets
+ ephemeral_disk {
+ size = 500
+ }
+
+ volume "tls" {
+ type = "csi"
+ source = "certbot"
+ access_mode = "multi-node-multi-writer"
+ attachment_mode = "file-system"
+ }
+
+ network {
+ port "web" {}
+ port "api" {
+ # todo: api-origin config.ini not working?
+ to = 5100
+ }
+ port "redis" {
+ to = 6379
+ }
+ port "https" {
+ static = 44409
+ }
+ }
+
+ # Prepare static assets
+ task "prepare_static_assets" {
+ driver = "podman"
+
+ config {
+ image = "127.0.0.1:5000/meta:0.72.1"
+ command = "/bin/sh"
+ args = [ "-c", <<EOT
+ cp -r /usr/local/share/sourcehut/static /alloc/data/
+ EOT
+ ]
+ }
+
+ lifecycle {
+ hook = "prestart"
+ }
+ }
+
+ task "redict" {
+ driver = "podman"
+
+ config {
+ image = "registry.redict.io/redict:alpine"
+ ports = ["redis"]
+ }
+
+ resources {
+ memory = 50
+ memory_max = 128
+ cpu = 100
+ }
+
+ lifecycle {
+ hook = "prestart"
+ sidecar = true
+ }
+ }
+
+ task "meta_web" {
+ driver = "podman"
+
+ config {
+ image = "127.0.0.1:5000/meta:0.72.1"
+ command = "python3"
+ args = ["/meta/run.py"]
+ force_pull = true
+ ports = ["web"]
+ volumes = [
+ # mount the templated config from the task directory to the container
+ "local/config.ini:/etc/sr.ht/config.ini",
+ ]
+ }
+
+ template {
+ destination = "${NOMAD_TASK_DIR}/config.ini"
+ data = file("./templates/config.ini.tmpl")
+ }
+
+ resources {
+ memory = 50
+ memory_max = 256
+ cpu = 200
+ }
+ }
+
+ task "meta_api" {
+ driver = "podman"
+
+ config {
+ image = "127.0.0.1:5000/meta:0.72.1"
+ command = "/meta/meta.sr.ht-api"
+ force_pull = true
+ ports = ["api"]
+ volumes = [
+ # mount the templated config from the task directory to the container
+ "local/config.ini:/etc/sr.ht/config.ini",
+ ]
+ }
+
+ # template config file
+ template {
+ destination = "${NOMAD_TASK_DIR}/config.ini"
+ data = file("./templates/config.ini.tmpl")
+ }
+
+ # template pgp data
+ template {
+ destination = "${NOMAD_SECRETS_DIR}/pgp_privkey.pem"
+ data = <<EOT
+ {{with secret "kv/meta"}}{{index .Data.data.pgp_privkey}}{{end}}
+ EOT
+ }
+ template {
+ destination = "${NOMAD_SECRETS_DIR}/pgp_pubkey.pem"
+ data = <<EOT
+ {{with secret "kv/meta"}}{{index .Data.data.pgp_pubkey}}{{end}}
+ EOT
+ }
+
+ resources {
+ memory = 50
+ memory_max = 256
+ cpu = 200
+ }
+ }
+
+ task "nginx" {
+ driver = "podman"
+
+ config {
+ image = "docker.io/library/nginx:stable-alpine"
+ ports = ["https"]
+ volumes = [
+ # mount the templated config from the task directory to the container
+ "local/meta.conf:/etc/nginx/conf.d/meta.conf",
+ ]
+ }
+
+ volume_mount {
+ volume = "tls"
+ destination = "/etc/letsencrypt"
+ }
+
+ template {
+ destination = "${NOMAD_TASK_DIR}/meta.conf"
+ data = file("./templates/nginx.conf.tmpl")
+ }
+
+ resources {
+ memory = 50
+ memory_max = 256
+ cpu = 200
+ }
+ }
+
+ }
+}
diff --git a/hcl/default/meta/templates/config.ini.tmpl b/hcl/default/meta/templates/config.ini.tmpl
@@ -0,0 +1,236 @@
+# https://git.sr.ht/~sircmpwn/meta.sr.ht/tree/master/item/config.example.ini
+
+[sr.ht]
+#
+# The name of your network of sr.ht-based sites
+site-name=p0c
+#
+# The top-level info page for your site
+site-info=https://p0c.ch
+#
+# site-name, site-blurb
+site-blurb=proof of concepts for fun and profit
+#
+# If this != production, we add a banner to each page
+environment=development
+#
+# Contact information for the site owners
+owner-name=Andreas Gruhler
+owner-email=contact@p0c.ch
+#
+# The source code for your fork of sr.ht
+source-url=https://git.sr.ht/~sircmpwn/srht
+#
+# Link to your instance's privacy policy. Uses the sr.ht privacy policy as the
+# default, which describes the information collected by the upstream SourceHut
+# code.
+privacy-policy=
+#
+# A key used for encrypting session cookies. Use `srht-keygen service` to
+# generate the service key. This must be shared between each node of the same
+# service (e.g. git1.sr.ht and git2.sr.ht), but different services may use
+# different keys. If you configure all of your services with the same
+# config.ini, you may use the same service-key for all of them.
+service-key={{with secret "kv/meta"}}{{index .Data.data.service_key}}{{end}}
+#
+# A secret key to encrypt internal messages with. Use `srht-keygen network` to
+# generate this key. It must be consistent between all services and nodes.
+network-key={{with secret "kv/meta"}}{{index .Data.data.network_key}}{{end}}
+#
+# The redis host URL. This is used for caching and temporary storage, and must
+# be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be
+# shared between services. It may be shared between services, however, with no
+# ill effect, if this better suits your infrastructure.
+redis-host=redis://{{ env "NOMAD_ADDR_redis" }}
+#
+# Optional email address for reporting security-related issues.
+security-address=contact@p0c.ch
+#
+# The global domain of the site. If unset, the global domain will be determined
+# from the service URL: each service is assumed to be a sub-domain of the global
+# domain, i.e. of the form `meta.globaldomain.com`.
+global-domain=
+
+[abused]
+#
+# Optional abused configuration for mitigating abusive traffic & usage
+#
+# See https://sr.ht/~sircmpwn/abused/
+endpoint=
+token=
+
+[objects]
+#
+# Configure S3-compatible object storage for services. Optional.
+#
+# Minio is recommended as a FOSS solution over AWS: https://min.io
+s3-upstream=
+s3-access-key=
+s3-secret-key=
+
+[mail]
+#
+# Outgoing SMTP settings
+smtp-host={{with secret "kv/meta"}}{{index .Data.data.smtp_host}}{{end}}
+smtp-port={{with secret "kv/meta"}}{{index .Data.data.smtp_port}}{{end}}
+smtp-from={{with secret "kv/meta"}}{{index .Data.data.smtp_from}}{{end}}
+#
+# Default: starttls
+# Options: starttls, tls, insecure
+smtp-encryption=starttls
+#
+# Default: plain
+# Options: plain, none
+smtp-auth=plain
+# user / password are required if smtp-auth is plain
+smtp-user=
+smtp-password=
+#
+# Application exceptions are emailed to this address
+error-to={{with secret "kv/meta"}}{{index .Data.data.smtp_user}}{{end}}
+error-from={{with secret "kv/meta"}}{{index .Data.data.smtp_password}}{{end}}
+#
+# You should generate a PGP key to allow users to authenticate emails received
+# from your services. Use `gpg --edit-key [key id]` to remove the password from
+# your private key, then export it to a file and set pgp-privkey to the path to
+# that file. pgp-pubkey should be set to the path to your public key, and
+# pgp-key-id should be set to the key ID string. Outgoing emails are signed with
+# this PGP key.
+pgp-privkey={{ env "NOMAD_SECRETS_DIR" }}/pgp_privkey.pem
+pgp-pubkey={{ env "NOMAD_SECRETS_DIR" }}/pgp_pubkey.pem
+pgp-key-id={{with secret "kv/meta"}}{{index .Data.data.pgp_key_id}}{{end}}
+
+[webhooks]
+#
+# base64-encoded Ed25519 key for signing webhook payloads. This should be
+# consistent between all services.
+#
+# Use the `srht-keygen webhook` command to generate this key. Put the private
+# key here and distribute the public key to anyone who would want to verify
+# webhook payloads from your service.
+private-key={{with secret "kv/meta"}}{{index .Data.data.webhook_private_key}}{{end}}
+
+[meta.sr.ht]
+#
+# URL meta.sr.ht is being served at (protocol://domain)
+origin=https://meta.p0c.ch
+#
+# Address and port to bind the debug server to
+debug-host=0.0.0.0
+debug-port={{ env "NOMAD_PORT_web" }}
+#
+# Configures the SQLAlchemy connection string for the database.
+connection-string=postgresql://meta:{{with secret "kv/meta"}}{{index .Data.data.postgresql_password}}{{end}}:@turris/meta
+#
+# Set to "yes" to automatically run migrations on package upgrade.
+migrate-on-upgrade=yes
+#
+# The redis connection used for the webhooks worker
+webhooks=redis://{{ env "NOMAD_ADDR_redis" }}/1
+
+#
+# Origin URL for the API
+# By default, the API port is 100 more than the web port
+api-origin=http://{{ env "NOMAD_ADDR_api" }}
+
+[meta.sr.ht::api]
+#
+# Maximum complexity of GraphQL queries. The higher this number, the more work
+# that API clients can burden the API backend with. Complexity is equal to the
+# number of discrete fields which would be returned to the user. 200 is a good
+# default.
+max-complexity=200
+
+#
+# The maximum time the API backend will spend processing a single API request.
+#
+# See https://golang.org/pkg/time/#ParseDuration
+max-duration=3s
+
+#
+# Set of IP subnets which are permitted to utilize internal API
+# authentication. This should be limited to the subnets from which your
+# *.sr.ht services are running.
+#
+# Comma-separated, CIDR notation.
+internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8
+
+#
+# Queue size for account deletion operations.
+#
+# Default: 512
+#account-del-queue-size=512
+
+[meta.sr.ht::settings]
+#
+# If "no", public registration will not be permitted.
+registration=no
+#
+# Where to redirect new users upon registration
+onboarding-redirect=https://todo.p0c.ch
+#
+# If "yes", the user will be sent the stock sourcehut welcome emails after
+# signup (requires cron to be configured properly). These are specific to the
+# sr.ht instance so you probably want to patch these before enabling this.
+welcome-emails=no
+#
+# If "yes", the user will be sent an email reminder if their registered PGP key
+# will expire soon (requires cron to be configured properly).
+key-expiration-emails=no
+
+[meta.sr.ht::aliases]
+#
+# You can add aliases for the client IDs of commonly used OAuth clients here.
+#
+# Example:
+# git.sr.ht=12345
+
+[meta.sr.ht::billing]
+#
+# "yes" to enable the billing system
+enabled=no
+
+#
+# Get your keys at https://dashboard.stripe.com/account/apikeys
+stripe-public-key=
+stripe-secret-key=
+
+# List of countries to refuse paid service to (for reasons of e.g. sanctions
+# compliance). Space-separated list of ISO 3166 two-letter codes.
+prohibited-countries=
+
+[meta.sr.ht::auth]
+#
+# What authentication method to use.
+# builtin: use sr.ht builtin authentication
+# unix-pam: use Unix PAM authentication
+#auth-method=builtin
+
+[meta.sr.ht::auth::unix-pam]
+#
+# The default email domain to assign to newly created users when they first log
+# in.
+# User's email will be set to <username>@<email-default-domain>
+email-default-domain=p0c.ch
+#
+# The PAM service to use for logging in.
+#service=sshd
+#
+# Whether to automatically create new users when authentication succeeds but the
+# user is not in the database.
+create-users=yes
+#
+# The UNIX group users need to belong to to have access to sourcehut.
+# If set,
+# only users belonging to this group will be able to log into the site.
+# If unset, any user on the system is able to log in if PAM authentication
+# succeeds.
+user-group=
+#
+# The UNIX group users need to belong to to have administrator permissions.
+# If set, administrator status on the site will be synced with group
+# association. Additionally, any user of this group will also be able to access
+# sourcehut even if they are not in the group specified in user-group.
+# If unset, administrator status can be manually assigned from the web
+# interface.
+admin-group=wheel
diff --git a/hcl/default/meta/templates/nginx.conf.tmpl b/hcl/default/meta/templates/nginx.conf.tmpl
@@ -0,0 +1,21 @@
+# https://man.sr.ht/configuration.md
+# https://git.sr.ht/~sircmpwn/sr.ht-nginx/tree/master/item/meta.sr.ht.conf
+
+server {
+ listen {{ env "NOMAD_PORT_https" }} ssl;
+
+ ssl_certificate /etc/letsencrypt/live/meta.p0c.ch/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/meta.p0c.ch/privkey.pem;
+
+ location / {
+ proxy_pass http://{{ env "NOMAD_ADDR_web" }};
+ }
+
+ location /query {
+ proxy_pass http://{{ env "NOMAD_ADDR_api" }};
+ }
+
+ location /static {
+ root /alloc/data;
+ }
+}
