

# Nomad job definition for BounCA. The "bounca" group uses bridge networking
# and registers the "bounca" service on port 8749 with a Consul Connect
# sidecar; the sidecar proxy exposes the "postgres" upstream on local port
# 5432, so the tasks below reach the database via localhost rather than a
# routable address.
# NOTE(review): closing braces are not shown in this listing, so nesting is
# inferred from the opening blocks only.
job "bounca" {
datacenters = ["dc1"]
group "bounca" {
network {
mode = "bridge"
service {
name = "bounca"
port = 8749
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "postgres"
local_bind_port = 5432
# Overrides for the Connect sidecar proxy task itself (args, resources).
sidecar_task {
config {
args = [
# Reservation for the sidecar proxy task (Nomad units: cpu in MHz, memory in MB).
resources {
cpu = 50
memory = 64
# Service tags consumed by Traefik: routers and middlewares for this service.
tags = [
"traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.routers.bounca-public.rule=Host(``) && PathPrefix(`/public`)",
# Second copy of the bounca-csp middleware definition from earlier in this
# list. Traefik keys middlewares by name, so the duplicate is redundant
# unless the two lines belong to different tag lists (nesting is not
# visible in this listing).
"traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
# wait for required services to be ready before starting the main task
task "wait-for" {
driver = "docker"
# NOTE(review): this task runs as uid 1053 while the other tasks in the
# group use 8749; confirm the difference is intended.
user = 1053
config {
# Version-pinned image (the bounca tasks below track :latest instead).
image = "danielberteaud/wait-for:24.1-1"
readonly_rootfs = true
pids_limit = 20
# prestart without sidecar: must finish before the "bounca" task starts.
lifecycle {
hook = "prestart"
# Service the task waits for, resolved through Consul DNS.
env {
SERVICE_0 = "master.postgres.service.consul"
resources {
cpu = 10
memory = 10
memory_max = 30
# Main application task (Django app reached over a unix socket by the nginx
# task of this group).
task "bounca" {
driver = "docker"
user = 8749
config {
# Mutable tag: the image content can change between deployments without
# any change to this job. Pinning a version or digest (as done for wait-for
# above) keeps deployments reproducible and makes image updates explicit.
image = "danielberteaud/bounca:latest"
pids_limit = 50
# Read-only root filesystem; /tmp is provided as a size-capped tmpfs below.
readonly_rootfs = true
mount {
type = "tmpfs"
target = "/tmp"
tmpfs_options {
size = 1000000
# NOTE(review): the volume spec looks truncated in this view ("local/"
# only); confirm the source maps the rendered settings file into the
# container.
volumes = ["local/"]
# The Vault token is neither exported to the environment nor written to
# the secrets dir; secrets reach the task only through rendered templates.
vault {
policies = ["bounca"]
env = false
disable_file = true
env {
BOUNCA_MODE = "server"
# Socket under /alloc/data, which is shared with the nginx and
# public-exporter tasks of this group.
BOUNCA_UNIX_SOCKET = "/alloc/data/bounca.sock"
# Use a template block instead of env {} so we can fetch values from vault
# Django secret rendered to secrets/.env (mode 400) and loaded as task env.
# NOTE(review): the inner {{ }} expression is empty as shown, which would
# render an empty BOUNCA_DJANGO_SECRET; likely a placeholder stripped in
# this view -- verify the field path in the source file.
template {
data = <<_EOT
BOUNCA_DJANGO_SECRET={{ with secret "/kv/service/bounca" }}{{ }}{{ end }}
destination = "secrets/.env"
perms = 400
env = true
# Django settings override: re-exports bounca.settings and replaces LOGGING.
# The root logger is at DEBUG with the console handler, so task logs may
# carry verbose library output; check nothing sensitive lands there. The
# "null" and "mail_admins" handlers are defined but not attached to any
# logger in the visible lines. TIME_ZONE relies on `os` being re-exported
# by the star import -- presumably it is; verify against bounca.settings.
template {
data = <<_EOT
from bounca.settings import *
LOGGING: dict = {
"version": 1,
"disable_existing_loggers": False,
"formatters": {
"verbose": {
"format": "%(levelname)s [%(asctime)s] %(name)s %(message)s",
"simple": {"format": "[%(asctime)s] %(message)s"},
"handlers": {
"null": {
"class": "logging.NullHandler",
"console": {
"class": "logging.StreamHandler",
"formatter": "simple",
"mail_admins": {"level": "ERROR", "class": "django.utils.log.AdminEmailHandler"},
"root": {
"level": "DEBUG",
"handlers": ["console"],
"loggers": {},
TIME_ZONE = os.environ.get('TZ')
destination = "local/"
# Database credentials fetched from Vault (/database/creds/bounca).
# NOTE(review): no perms line is visible for this template, unlike
# secrets/.env above; if it is really absent the file gets Nomad's default
# mode, so consider adding `perms = 400` here as well.
template {
data = <<_EOT
BOUNCA_DB_USER={{ with secret "/database/creds/bounca" }}{{ .Data.username }}{{ end }}
BOUNCA_DB_PASSWORD={{ with secret "/database/creds/bounca" }}{{ .Data.password }}{{ end }}
destination = "secrets/.db.env"
resources {
cpu = 200
memory = 192
# Poststart sidecar running the same image in "public-exporter" mode;
# presumably it populates BOUNCA_PUBLIC_DIR (/alloc/data/public), which the
# nginx task below also references. Same hardening as the main task:
# read-only rootfs, pids limit, size-capped tmpfs on /tmp.
task "public-exporter" {
driver = "docker"
user = 8749
lifecycle {
hook = "poststart"
sidecar = true
config {
# Mutable :latest tag; pin a version or digest so image changes are explicit.
image = "danielberteaud/bounca:latest"
pids_limit = 50
readonly_rootfs = true
mount {
type = "tmpfs"
target = "/tmp"
tmpfs_options {
size = 1000000
# Vault token kept out of the task env and secrets dir; only the rendered
# template carries secret material.
vault {
policies = ["bounca"]
env = false
disable_file = true
env {
BOUNCA_MODE = "public-exporter"
BOUNCA_PUBLIC_DIR = "/alloc/data/public"
# Use a template block instead of env {} so we can fetch values from vault
# NOTE(review): the inner {{ }} expression is empty as shown, which would
# render an empty BOUNCA_DJANGO_SECRET; likely a placeholder stripped in
# this view -- verify the field path in the source file.
template {
data = <<_EOT
BOUNCA_DJANGO_SECRET={{ with secret "/kv/service/bounca" }}{{ }}{{ end }}
destination = "secrets/.env"
perms = 400
env = true
resources {
cpu = 10
memory = 10
memory_max = 20
# Poststart sidecar serving the frontend: the same image in "front" mode,
# given the shared unix socket and public dir paths. No vault block is
# visible for this task.
task "nginx" {
driver = "docker"
user = 8749
lifecycle {
hook = "poststart"
sidecar = true
config {
# Mutable :latest tag; pin a version or digest so image changes are explicit.
image = "danielberteaud/bounca:latest"
pids_limit = 30
readonly_rootfs = true
mount {
type = "tmpfs"
target = "/tmp"
tmpfs_options {
size = 1000000
env {
BOUNCA_MODE = "front"
BOUNCA_UNIX_SOCKET = "/alloc/data/bounca.sock"
BOUNCA_PUBLIC_DIR = "/alloc/data/public"
resources {
cpu = 20
memory = 20