job "bounca" {

  datacenters = ["dc1"]

  group "bounca" {

    # Bridge networking: all tasks of this group share one network namespace.
    # That is what lets the front task reach the app over a unix socket under
    # /alloc/data and lets the app reach postgres via the Connect sidecar on
    # localhost instead of a host-exposed port.
    network {
      mode = "bridge"
    }

    service {
      name = "bounca"
      port = 8749

      # Consul Connect: postgres is reached through the sidecar proxy, bound to
      # 127.0.0.1:5432 inside the allocation (matches BOUNCA_DB_PORT below).
      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "postgres"
              local_bind_port  = 5432
            }
          }
        }

        sidecar_task {
          resources {
            cpu    = 50
            memory = 64
          }
        }
      }

      # Traefik routing. The "bounca-public" router (priority 200) matches the
      # /public/ prefix ahead of the catch-all "bounca" router (priority 100).
      # Both routers use the same middleware chain, so rate limiting, in-flight
      # limits, security headers, HSTS, compression and the relaxed CSP apply to
      # every path served by this service.
      # NOTE(review): /public/ presumably serves what the public-exporter task
      # writes to BOUNCA_PUBLIC_DIR — confirm against the image's nginx config.
      tags = [
        "traefik.enable=true",

        "traefik.http.routers.bounca-public.rule=Host(`pki.example.org`) && PathPrefix(`/public/`)",
        "traefik.http.routers.bounca-public.priority=200",
        "traefik.http.routers.bounca-public.entrypoints=https",
        "traefik.http.routers.bounca-public.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file,compression@file,csp-relaxed@file",

        "traefik.http.routers.bounca.rule=Host(`pki.example.org`)",
        "traefik.http.routers.bounca.priority=100",
        "traefik.http.routers.bounca.entrypoints=https",
        "traefik.http.routers.bounca.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file,compression@file,csp-relaxed@file",
      ]
    }

    # Wait for required services to be ready before starting the main task.
    task "wait-for" {

      driver = "docker"
      user   = 1053

      # Minimal prestart helper: read-only root filesystem and a tight pid limit.
      config {
        image           = "danielberteaud/wait-for:24.1-1"
        readonly_rootfs = true
        pids_limit      = 20
      }

      lifecycle {
        hook = "prestart"
      }

      # Service to wait for, given as the Consul DNS name of the postgres
      # master. How the image probes it is defined by the image, not here.
      env {
        SERVICE_0 = "master.postgres.service.consul"
      }

      resources {
        cpu        = 10
        memory     = 10
        memory_max = 30
      }
    }

    # Main application task: runs the Django app in "server" mode, listening on
    # a unix socket in /alloc/data that the front task connects to.
    task "bounca" {
      driver = "docker"
      user   = 8749

      # Hardened container: read-only root filesystem, pid limit, and a small
      # tmpfs for /tmp (size is ~1 MB assuming the Docker driver counts bytes;
      # confirm).
      config {
        image           = "danielberteaud/bounca:latest"
        pids_limit      = 50
        readonly_rootfs = true
        mount {
          type   = "tmpfs"
          target = "/tmp"
          tmpfs_options {
            size = 1000000
          }
        }

        # Django settings override rendered by the template below, mounted read-only.
        volumes = ["local/docker_settings.py:/opt/bounca/bounca/docker_settings.py:ro"]
      }

      # Vault integration: secrets reach the task only through the template
      # blocks below. env = false keeps VAULT_TOKEN out of the task environment
      # and disable_file = true keeps it out of secrets/vault_token, so the
      # application never holds the token itself.
      vault {
        policies     = ["bounca"]
        env          = false
        disable_file = true
      }

      env {
        BOUNCA_MODE        = "server"
        BOUNCA_UNIX_SOCKET = "/alloc/data/bounca.sock"
        BOUNCA_HOST        = "pki.example.org"
      }

      # Use a template block instead of env {} so we can fetch values from vault.
      # The Django secret key comes from the KV path below; the rendered file is
      # mode 0400 and injected into the task environment (env = true).
      template {
        data = <<_EOT
BOUNCA_DB_NAME=bounca
BOUNCA_DJANGO_SECRET={{ with secret "/kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
LANG=fr_FR.utf8
TZ=Europe/Paris
_EOT
        destination = "secrets/.env"
        perms       = 400
        env         = true
      }

      # Django settings override for the container. Points worth knowing:
      # - the root logger is set to DEBUG, which is verbose for a production
      #   PKI service and can put request details into the console logs;
      # - TIME_ZONE relies on the star import bringing `os` into scope, since
      #   `os` is not imported here explicitly — confirm bounca.settings does;
      # - CSRF_TRUSTED_ORIGINS is pinned to the single public hostname.
      template {
        data = <<_EOT
from bounca.settings import *

LOGGING: dict = {
    "version": 1,
    "disable_existing_loggers": False,
    "formatters": {
        "verbose": {
            "format": "%(levelname)s [%(asctime)s] %(name)s %(message)s",
        },
        "simple": {"format": "[%(asctime)s] %(message)s"},
    },
    "handlers": {
        "null": {
            "class": "logging.NullHandler",
        },
        "console": {
            "class": "logging.StreamHandler",
            "formatter": "simple",
        },
        "mail_admins": {"level": "ERROR", "class": "django.utils.log.AdminEmailHandler"},
    },
    "root": {
        "level": "DEBUG",
        "handlers": ["console"],
    },
    "loggers": {},
}

TIME_ZONE = os.environ.get('TZ')

CSRF_TRUSTED_ORIGINS = [
    "https://pki.example.org"
]




_EOT
        destination = "local/docker_settings.py"
      }

      # Database credentials from Vault's /database/creds/ path (looks like
      # dynamic, leased credentials). Unlike secrets/.env this template sets
      # neither perms (Nomad's default file mode applies) nor env = true, so
      # the application presumably reads the file itself — confirm. No
      # change_mode is set either, so a credential rotation triggers Nomad's
      # default change behaviour for templates.
      template {
        data = <<_EOT
BOUNCA_DB_USER={{ with secret "/database/creds/bounca" }}{{ .Data.username }}{{ end }}
BOUNCA_DB_PASSWORD={{ with secret "/database/creds/bounca" }}{{ .Data.password }}{{ end }}
BOUNCA_DB_PORT=5432
_EOT
        destination = "secrets/.db.env"
      }

      resources {
        cpu    = 200
        memory = 192
      }
    }

    # Poststart sidecar running the same image in "public-exporter" mode;
    # presumably publishes material into BOUNCA_PUBLIC_DIR under /alloc/data
    # for the front task to serve.
    task "public-exporter" {
      driver = "docker"
      user   = 8749

      lifecycle {
        hook    = "poststart"
        sidecar = true
      }

      # Same hardening as the main task: read-only rootfs, pid limit, tmpfs /tmp.
      config {
        image           = "danielberteaud/bounca:latest"
        pids_limit      = 50
        readonly_rootfs = true
        mount {
          type   = "tmpfs"
          target = "/tmp"
          tmpfs_options {
            size = 1000000
          }
        }
      }

      # Same Vault posture as the main task: no token in env or on disk.
      vault {
        policies     = ["bounca"]
        env          = false
        disable_file = true
      }

      env {
        BOUNCA_MODE       = "public-exporter"
        BOUNCA_PUBLIC_DIR = "/alloc/data/public"
      }

      # Use a template block instead of env {} so we can fetch values from vault.
      # Duplicates the main task's secrets/.env (same KV secret, 0400, env = true).
      template {
        data = <<_EOT
BOUNCA_DB_NAME=bounca
BOUNCA_DJANGO_SECRET={{ with secret "/kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
LANG=fr_FR.utf8
TZ=Europe/Paris
_EOT
        destination = "secrets/.env"
        perms       = 400
        env         = true
      }

      resources {
        cpu        = 10
        memory     = 10
        memory_max = 20
      }
    }

    # Poststart sidecar running the same image in "front" mode: listens on
    # 127.0.0.1:8749 inside the allocation (the service port above). It has no
    # vault block, so it never sees the Django secret or database credentials.
    task "nginx" {
      driver = "docker"
      user   = 8749

      lifecycle {
        hook    = "poststart"
        sidecar = true
      }

      # Same hardening as the other tasks, with a smaller pid limit.
      config {
        image           = "danielberteaud/bounca:latest"
        pids_limit      = 30
        readonly_rootfs = true
        mount {
          type   = "tmpfs"
          target = "/tmp"
          tmpfs_options {
            size = 1000000
          }
        }
      }

      # BOUNCA_UNIX_SOCKET and BOUNCA_PUBLIC_DIR match the paths the "bounca"
      # and "public-exporter" tasks use, so the front presumably proxies to the
      # socket and serves the public dir — confirm against the image.
      env {
        BOUNCA_MODE        = "front"
        BOUNCA_BIND_ADDR   = "127.0.0.1:8749"
        BOUNCA_UNIX_SOCKET = "/alloc/data/bounca.sock"
        BOUNCA_PUBLIC_DIR  = "/alloc/data/public"
        BOUNCA_HOST        = "pki.example.org"
      }

      resources {
        cpu    = 20
        memory = 20
      }
    }
  }
}