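job "bounca" {
  datacenters = ["dc1"]

  group "bounca" {
    # Bridge mode gives the allocation one network namespace shared by every
    # task and by the Connect sidecar, so tasks talk to each other on 127.0.0.1.
    network {
      mode = "bridge"
    }

    service {
      name = "bounca"
      port = 8749

      connect {
        sidecar_service {
          proxy {
            # Postgres is consumed only through the service mesh: the sidecar
            # exposes the "postgres" upstream on localhost:5432 inside the
            # allocation namespace (BOUNCA_DB_PORT in the task templates).
            upstreams {
              destination_name = "postgres"
              local_bind_port  = 5432
            }
          }
        }

        # Envoy is launched from the bootstrap Nomad renders into the secrets
        # dir; log level and worker count come from node meta. Hot restart is
        # disabled since a single sidecar instance never hands over to another.
        sidecar_task {
          config {
            args = [
              "-c",
              "${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
              "-l",
              "${meta.connect.log_level}",
              "--concurrency",
              "${meta.connect.proxy_concurrency}",
              "--disable-hot-restart"
            ]
          }
          resources {
            cpu    = 50
            memory = 64
          }
        }
      }

      # Two Traefik routers on the same host name: "bounca-public" matches
      # /public (the exported public material), "bounca" matches the rest.
      # Both reuse the middleware chain from Traefik's file provider
      # (security-headers, rate-limit-std, forward-proto, inflight-std, hsts,
      # compression must be defined there) plus a router-specific CSP.
      # NOTE(review): the CSP permits 'unsafe-inline' and 'unsafe-eval' for
      # scripts, which largely defeats its XSS protection; keep it only if the
      # frontend really needs it, and prefer nonces/hashes otherwise.
      # "traefik.enable=true" is listed once: a second copy was redundant
      # (Traefik reads the tags into a key/value map).
      tags = [
        "traefik.enable=true",
        "traefik.http.routers.bounca-public.entrypoints=https",
        "traefik.http.middlewares.csp-bounca-public.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
        "traefik.http.routers.bounca-public.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-bounca-public",
        "traefik.http.routers.bounca-public.rule=Host(`pki.example.org`) && PathPrefix(`/public`)",
        "traefik.http.routers.bounca.entrypoints=https",
        "traefik.http.routers.bounca.rule=Host(`pki.example.org`)",
        "traefik.http.middlewares.csp-bounca.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
        "traefik.http.routers.bounca.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-bounca",
      ]
    }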
# Prestart gate: wait until the service named in SERVICE_0 is ready before the
# main task starts, so bounca does not crash-loop while postgres comes up.
task "wait-for" {
  driver = "docker"
  # Dedicated unprivileged uid; the helper needs nothing beyond a read-only
  # image and a few processes.
  user = 1053

  lifecycle {
    hook = "prestart"
  }

  config {
    image           = "danielberteaud/wait-for:24.2-1"
    readonly_rootfs = true
    pids_limit      = 20
  }

  env {
    # presumably resolved via Consul DNS from inside the bridge namespace — verify
    SERVICE_0 = "master.postgres.service.consul"
  }

  resources {
    cpu        = 10
    memory     = 10
    memory_max = 30
  }
}
# Main application server. It listens on a unix socket in the shared alloc
# dir; the "nginx" task in this group fronts that socket.
task "bounca" {
  driver = "docker"
  # Same unprivileged uid as the other bounca tasks so files in /alloc/data
  # are readable across them.
  user = 8749

  # The task gets a Vault token scoped to the "bounca" policy for template
  # rendering only: it is neither exported as VAULT_TOKEN (env = false) nor
  # written to secrets/vault_token (disable_file = true).
  vault {
    policies     = ["bounca"]
    env          = false
    disable_file = true
  }

  config {
    image           = "danielberteaud/bounca:latest"
    pids_limit      = 50
    readonly_rootfs = true
    # Read-only root, with a 1000000-byte tmpfs as the only writable scratch
    # space.
    mount {
      type   = "tmpfs"
      target = "/tmp"
      tmpfs_options {
        size = 1000000
      }
    }
    # Rendered Django settings override, bind-mounted read-only.
    volumes = ["local/docker_settings.py:/opt/bounca/bounca/docker_settings.py:ro"]
  }

  env {
    BOUNCA_MODE        = "server"
    BOUNCA_UNIX_SOCKET = "/alloc/data/bounca.sock"
    BOUNCA_HOST        = "pki.example.org"
  }

  resources {
    cpu    = 200
    memory = 192
  }

  # Secrets are delivered through templates rather than env {} so the values
  # can be pulled from Vault. Rendered into the secrets dir with mode 400 and
  # injected into the task environment (env = true).
  # NOTE(review): the secret path starts with "//"; this looks like an empty
  # mount-prefix left by the generating template — confirm it matches the real
  # KV mount. Nomad documents perms as a string ("0400"); verify the bare
  # integer is accepted by the Nomad version in use.
  template {
    data = <<_EOT
BOUNCA_DB_NAME=bounca
BOUNCA_DJANGO_SECRET={{ with secret "//kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
LANG=fr_FR.utf8
TZ=Europe/Paris
_EOT
    destination = "secrets/.env"
    perms       = 400
    env         = true
  }

  # Dynamic database credentials: each render obtains a fresh username and
  # password lease from Vault's database secrets engine.
  template {
    data = <<_EOT
BOUNCA_DB_USER={{ with secret "//database/creds/bounca" }}{{ .Data.username }}{{ end }}
BOUNCA_DB_PASSWORD={{ with secret "//database/creds/bounca" }}{{ .Data.password }}{{ end }}
BOUNCA_DB_PORT=5432
_EOT
    destination = "secrets/.db.env"
    env         = true
    perms       = 400
  }

  # Django settings override: console logging only, time zone from TZ, and
  # CSRF_TRUSTED_ORIGINS pinned to the public host name used by the Traefik
  # routers.
  # NOTE(review): `os` is not imported here; it relies on being re-exported by
  # `bounca.settings` through the star import — confirm that module does not
  # restrict exports with __all__. Root logger at DEBUG is verbose; consider
  # INFO if logs are shipped off-host.
  template {
    data = <<_EOT
from bounca.settings import *
LOGGING: dict = {
"version": 1,
"disable_existing_loggers": False,
"formatters": {
"verbose": {
"format": "%(levelname)s [%(asctime)s] %(name)s %(message)s",
},
"simple": {"format": "[%(asctime)s] %(message)s"},
},
"handlers": {
"null": {
"class": "logging.NullHandler",
},
"console": {
"class": "logging.StreamHandler",
"formatter": "simple",
},
"mail_admins": {"level": "ERROR", "class": "django.utils.log.AdminEmailHandler"},
},
"root": {
"level": "DEBUG",
"handlers": ["console"],
},
"loggers": {},
}
TIME_ZONE = os.environ.get('TZ')
CSRF_TRUSTED_ORIGINS = [
"https://pki.example.org"
]
_EOT
    destination = "local/docker_settings.py"
  }
}
# Poststart sidecar that writes the public export into /alloc/data/public;
# the "nginx" task serves that directory from the same alloc dir.
task "public-exporter" {
  driver = "docker"
  user   = 8749

  lifecycle {
    hook    = "poststart"
    sidecar = true
  }

  # Token scoped to the "bounca" policy, used for template rendering only
  # (not exported as VAULT_TOKEN, not written to a file).
  vault {
    policies     = ["bounca"]
    env          = false
    disable_file = true
  }

  config {
    image           = "danielberteaud/bounca:latest"
    pids_limit      = 50
    readonly_rootfs = true
    # Read-only root; /tmp is a 1000000-byte tmpfs.
    mount {
      type   = "tmpfs"
      target = "/tmp"
      tmpfs_options {
        size = 1000000
      }
    }
  }

  env {
    BOUNCA_MODE       = "public-exporter"
    BOUNCA_PUBLIC_DIR = "/alloc/data/public"
  }

  resources {
    cpu        = 10
    memory     = 10
    memory_max = 20
  }

  # Same secrets as the "bounca" task, rendered into this task's own secrets
  # dir (mode 400, injected as environment). The exporter therefore holds its
  # own database credential lease.
  # NOTE(review): the "//" prefix on the Vault paths looks like an empty
  # mount-prefix placeholder — confirm against the actual mounts.
  template {
    data = <<_EOT
BOUNCA_DB_NAME=bounca
BOUNCA_DJANGO_SECRET={{ with secret "//kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
LANG=fr_FR.utf8
TZ=Europe/Paris
_EOT
    destination = "secrets/.env"
    perms       = 400
    env         = true
  }

  template {
    data = <<_EOT
BOUNCA_DB_USER={{ with secret "//database/creds/bounca" }}{{ .Data.username }}{{ end }}
BOUNCA_DB_PASSWORD={{ with secret "//database/creds/bounca" }}{{ .Data.password }}{{ end }}
BOUNCA_DB_PORT=5432
_EOT
    destination = "secrets/.db.env"
    env         = true
    perms       = 400
  }
}
# Poststart sidecar running the bounca image in "front" mode: it binds
# 127.0.0.1:8749 (the service port the Connect sidecar forwards to), proxies
# to the server's unix socket and serves the exporter's public directory.
# No Vault access is needed here, so no vault block.
task "nginx" {
  driver = "docker"
  user   = 8749

  lifecycle {
    hook    = "poststart"
    sidecar = true
  }

  config {
    image           = "danielberteaud/bounca:latest"
    pids_limit      = 30
    readonly_rootfs = true
    # Read-only root; /tmp is a 1000000-byte tmpfs.
    mount {
      type   = "tmpfs"
      target = "/tmp"
      tmpfs_options {
        size = 1000000
      }
    }
  }

  env {
    BOUNCA_MODE        = "front"
    # Loopback only: reachable solely inside the allocation namespace, i.e.
    # through the Connect sidecar, never directly from the host network.
    BOUNCA_BIND_ADDR   = "127.0.0.1:8749"
    BOUNCA_UNIX_SOCKET = "/alloc/data/bounca.sock"
    BOUNCA_PUBLIC_DIR  = "/alloc/data/public"
    BOUNCA_HOST        = "pki.example.org"
  }

  resources {
    cpu    = 20
    memory = 20
  }
}
} # end group "bounca"
} # end job "bounca"