Add example job

example/LICENSE

@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) 2023 nomad
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

example/README.md

@@ -0,0 +1,3 @@
+# matrix
+
+Matrix stack (Synaspe, Element, Synapse-Admin)

example/consul/config/service-defaults/matrix.hcl

@@ -0,0 +1,3 @@
+Kind = "service-defaults"
+Name = "matrix"
+Protocol = "http"

example/consul/config/service-intentions/matrix.hcl

@@ -0,0 +1,22 @@
+Kind = "service-intentions"
+Name = "matrix"
+Sources = [
+  {
+    Name = "traefik"
+    Permissions = [
+      {
+        Action = "allow"
+        HTTP {
+          PathRegex = "^/_(matrix|synapse)/.*"
+          Methods = ["GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE"]
+        }
+      },
+      {
+        Action = "allow"
+        HTTP {
+          Methods = ["GET", "HEAD"]
+        }
+      }
+    ]
+  }
+]

example/images/matrix-element/Dockerfile

@@ -0,0 +1,23 @@
+FROM nginxinc/nginx-unprivileged:alpine
+MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
+
+ARG ELEMENT_VERSION=1.11.53 \
+    SYNAPSE_ADMIN_VERSION=0.8.7
+
+ENV ELEMENT_NGINX_BIND_ADDR=0.0.0.0 \
+    ELEMENT_NGINX_BIND_PORT=8710
+
+USER root
+
+RUN set -eux &&\
+    mkdir -p /opt/element &&\
+    mkdir -p /opt/synapse-admin &&\
+    curl -sSL https://github.com/element-hq/element-web/releases/download/v${ELEMENT_VERSION}/element-v${ELEMENT_VERSION}.tar.gz |\
+      tar xvz -C /opt/element/ --strip-components 1 &&\
+    curl -sSL https://github.com/Awesome-Technologies/synapse-admin/releases/download/${SYNAPSE_ADMIN_VERSION}/synapse-admin-${SYNAPSE_ADMIN_VERSION}-dirty.tar.gz |\
+      tar xvz -C /opt/synapse-admin --strip-components 1 &&\
+    rm -rf /opt/synapse-admin/data/* &&\
+    chown -R root: /opt/element /opt/synapse-admin
+
+USER nginx
+EXPOSE ${ELEMENT_BIND_PORT}

example/images/matrix-element/root/etc/nginx/conf.d/default.conf.template

@@ -0,0 +1,15 @@
+server {
+  listen ${ELEMENT_NGINX_BIND_ADDR}:${ELEMENT_NGINX_BIND_PORT} default_server;
+
+  location / {
+    root   /opt/element;
+    index  index.html index.htm;
+  }
+
+  # redirect server error pages to the static page /50x.html
+  error_page 500 502 503 504 /50x.html;
+  location = /50x.html {
+      root   /usr/share/nginx/html;
+  }
+}
+

example/images/matrix-synapse/Dockerfile

@@ -0,0 +1,65 @@
+# syntax=docker/dockerfile:labs
+
+FROM python:3.11-alpine AS builder
+
+ARG SYNAPSE_VERSION=1.98.0
+
+RUN set -euxo pipefail &&\
+    apk --no-cache add \
+      curl \
+      ca-certificates \
+      postgresql15-dev \
+      build-base \
+    &&\
+    mkdir /opt/synapse &&\
+    cd /opt/synapse &&\
+    python3 -m venv venv &&\
+    source venv/bin/activate &&\
+    pip --no-cache install \
+      bleach \
+      matrix-synapse-ldap3 \
+      psycopg2 \
+      authlib \
+      lxml \
+      twisted \
+      txacme \
+      Jinja2 \
+      pysaml2 \
+    &&\
+    pip --no-cache install matrix-synapse==${SYNAPSE_VERSION}
+
+FROM python:3.11-alpine
+MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
+
+ENV PATH=/opt/synapse/venv/bin:${PATH} \
+    LANG=fr_FR.utf8 \
+    TZ=Europe/Paris \
+    SYNAPSE_LISTEN_ADDR=0.0.0.0 \
+    SYNAPSE_CONFIG=/data/conf/homeserver.yml \
+    SYNAPSE_PG_DB=synapse \
+    SYNAPSE_PG_HOST=127.0.0.1 \
+    SYNAPSE_PG_PORT=5432 \
+    SYNAPSE_PG_USER=synapse \
+    SYNAPSE_PG_PASSWORD=synapse
+
+ADD https://git.lapiole.org/nomad/base_tools.git#master /
+COPY --from=builder /opt /opt
+
+RUN set -euxo pipefail &&\
+    apk --no-cache add \
+      tini \
+      libpq \
+    &&\
+    addgroup --gid 8008 synapse &&\
+    adduser --system --ingroup synapse --disabled-password --uid 8008 --home /opt/synapse --shell /sbin/nologin synapse &&\
+    mkdir /data &&\
+    chown synapse:synapse /data &&\
+    chmod 700 /data
+
+COPY root/ /
+
+EXPOSE 8008
+USER synapse
+ENTRYPOINT ["tini", "--", "/entrypoint.sh"]
+CMD ["matrix-synapse"]
+

example/images/matrix-synapse/root/entrypoint.d/40-mkdir.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -euo pipefail
+
+mkdir -p /data/uploads /data/media_store /data/conf /data/tmp

example/images/matrix-synapse/root/entrypoint.d/45-synapse.env

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+export SYNAPSE_PUBLIC_URL=${SYNAPSE_PUBLIC_URL:-https://${SYNAPSE_SERVER_NAME}}

example/images/matrix-synapse/root/entrypoint.d/50-synapse-conf.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -euo pipefail
+
+source /opt/synapse/venv/bin/activate
+
+umask 007
+
+if [ ! -e "${SYNAPSE_CONFIG}" ]; then
+  echo "Generating a default ${SYNAPSE_CONFIG}"
+  if [ -z "${SYNAPSE_SERVER_NAME}" ]; then
+    echo "You must set SYNAPSE_SERVER_NAME environment variable"
+    exit 1
+  fi
+  envsubst < /opt/synapse/templates/homeserver.yml > ${SYNAPSE_CONFIG}
+fi
+
+echo "Generate missing keys if needed"
+python3 -m synapse.app.homeserver \
+  --config-path ${SYNAPSE_CONFIG} \
+  --generate-missing-configs \
+  --report-stats=no \
+  --config-directory=/data/conf \
+  --keys-directory=/data/conf \
+  --data-directory=/data

example/images/matrix-synapse/root/opt/synapse/templates/homeserver.yml

@@ -0,0 +1,41 @@
+server_name: "${SYNAPSE_SERVER_NAME}"
+public_baseurl: '${SYNAPSE_PUBLIC_URL}'
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    bind_addresses: [${SYNAPSE_LISTEN_ADDR}]
+    resources:
+      - names: [client, federation]
+        compress: false
+
+database:
+  name: psycopg2
+  args:
+    database: '${SYNAPSE_PG_DB}'
+    host: '${SYNAPSE_PG_HOST}'
+    port: ${SYNAPSE_PG_PORT}
+    user: '${SYNAPSE_PG_USER}'
+    password: '${SYNAPSE_PG_PASSWORD}'
+
+web_client: False
+soft_file_limit: 0
+filter_timeline_limit: 5000
+log_config: /opt/synapse/templates/logging.conf
+media_store_path: /data/media_store
+uploads_path: /data/uploads
+registration_shared_secret: "${SYNAPSE_SHARED_SECRET}"
+macaroon_secret_key: "${SYNAPSE_MACAROON_SECRET}"
+form_secret: "${SYNAPSE_FORM_SECERT}"
+
+signing_key_path: "/data/conf/signing.key"
+
+report_stats: false
+
+trusted_key_servers:
+  - server_name: "matrix.org"
+suppress_key_server_warning: true
+
+serve_server_wellknown: true
+

example/images/matrix-synapse/root/opt/synapse/templates/logging.conf

@@ -0,0 +1,30 @@
+version: 1
+
+formatters:
+  precise:
+   format: '%(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
+
+filters:
+  context:
+    (): synapse.util.logcontext.LoggingContextFilter
+    request: ""
+
+handlers:
+  console:
+    class: logging.StreamHandler
+    formatter: precise
+    filters: [context]
+
+loggers:
+    synapse:
+        level: ERROR
+
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: ERROR
+
+root:
+    level: ERROR
+    handlers: [console]
+

example/images/matrix-synapse/root/usr/local/bin/matrix-synapse

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -euo pipefail
+
+source /opt/synapse/venv/bin/activate
+exec python3 -m synapse.app.homeserver \
+  --config-path ${SYNAPSE_CONFIG} \
+  --config-directory=/data/conf \
+  --keys-directory=/data/conf \
+  --data-directory=/data

example/init/vault-database

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -euo pipefail
+
+vault write database/roles/matrix-synapse \
+    db_name="postgres" \
+    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
+        GRANT \"matrix-synapse\" TO \"{{name}}\"; \
+        ALTER ROLE \"{{name}}\" SET role = \"matrix-synapse\"" \
+    default_ttl="12h" \
+    max_ttl="720h"
+

example/matrix.nomad.hcl

@@ -0,0 +1,436 @@
+job "matrix" {
+
+
+  datacenters = ["dc1"]
+
+
+  group "matrix" {
+
+    network {
+      mode = "bridge"
+    }
+
+
+    volume "data" {
+      source          = "matrix-synapse-data"
+      type            = "csi"
+      access_mode     = "single-node-writer"
+      attachment_mode = "file-system"
+    }
+
+
+    service {
+      name = "matrix"
+      port = 8008
+
+      check {
+        type     = "http"
+        path     = "/health"
+        expose   = true
+        interval = "10s"
+        timeout  = "5s"
+        task     = "synapse"
+
+        check_restart {
+          limit = 12
+          grace = "10m"
+        }
+      }
+
+      tags = [
+        "traefik.enable=true",
+
+        "traefik.http.middlewares.matrix-headers.headers.contentsecuritypolicy=connect-src 'self' https://scalar.vector.im https://api.maptiler.com;frame-src 'self' blob: https://scalar.vector.im/ https://meet.element.io;img-src 'self' data: blob: https://img.youtube.com https://*.ytimg.com;script-src 'self' https://usercontent.riot.im https://scalar.vector.im;worker-src 'self' blob:;",
+
+        "traefik.http.routers.matrix-admin.rule=Host(`matrix.consul`) && (PathPrefix(`/_admin/`) || PathPrefix(`/_synapse/admin`))",
+        "traefik.http.routers.matrix-admin.entrypoints=https",
+        "traefik.http.routers.matrix-admin.middlewares=rate-limit-high@file,inflight-high@file,security-headers@file,hsts@file,compression@file",
+
+        "traefik.http.routers.matrix.rule=Host(`matrix.consul`) || (Host(`matrix.consul`) && PathRegexp(`^/(_(synapse|matrix)|\\.well-known/matrix)/.*`))",
+        "traefik.http.routers.matrix.entrypoints=https",
+        "traefik.http.routers.matrix.middlewares=rate-limit-high@file,inflight-high@file,security-headers@file,hsts@file",
+      ]
+
+      connect {
+        sidecar_service {
+          proxy {
+            upstreams {
+              destination_name = "postgres"
+              local_bind_port  = 5432
+            }
+          }
+        }
+        sidecar_task {
+          resources {
+            cpu    = 50
+            memory = 64
+          }
+
+        }
+      }
+
+    }
+
+    # wait for required services tp be ready before starting the main task
+    task "wait-for" {
+
+      driver = "docker"
+      user   = 1053
+
+      config {
+        image           = "danielberteaud/wait-for:24.1-1"
+        readonly_rootfs = true
+        pids_limit      = 20
+      }
+
+      lifecycle {
+        hook = "prestart"
+      }
+
+      env {
+        SERVICE_0 = "postgres.service.consul"
+      }
+
+      resources {
+        cpu        = 10
+        memory     = 10
+        memory_max = 30
+      }
+    }
+
+
+
+    task "synapse" {
+      driver = "docker"
+      leader = true
+
+      config {
+        image           = "danielberteaud/matrix-synapse:1.98.0-2"
+        pids_limit      = 200
+        readonly_rootfs = true
+      }
+
+      vault {
+        policies     = ["matrix-synapse"]
+        env          = false
+        disable_file = true
+      }
+
+      env {
+        SYNAPSE_CONFIG = "/secrets/homeserver.yml"
+
+
+      }
+
+
+      # Use a template block instead of env {} so we can fetch values from vault
+      template {
+        data        = <<_EOT
+LANG=fr_FR.utf8
+TMPDIR=/data/tmp
+TZ=Europe/Paris
+_EOT
+        destination = "secrets/.env"
+        perms       = 400
+        env         = true
+      }
+
+
+      template {
+        data        = <<_EOT
+alias_creation_rules:
+  - action: allow
+    alias: '*'
+    user_id: '*'
+allow_guest_access: false
+allowed_avatar_mimetypes:
+  - image/png
+  - image/jpeg
+  - image/gif
+database:
+  args:
+    database: matrix-synapse
+    host: 127.0.0.1
+    password: '{{ with secret "database/creds/matrix-synapse" }}{{ .Data.password }}{{ end }}'
+    port: "5432"
+    user: '{{ with secret "database/creds/matrix-synapse" }}{{ .Data.username }}{{ end }}'
+  name: psycopg2
+default_identity_server: https://matrix.org
+delete_stale_devices_after: 180d
+email:
+  client_base_url: https://matrix.consul
+  enable_notifs: true
+  notif_for_new_users: true
+  notif_from: '%(app)s <no-reply@consul>'
+  require_transport_security: false
+  smtp_host: 127.0.0.1
+  smtp_port: 25
+forgotten_room_retention_period: 15d
+form_secret: '{{ with secret "kv/service/matrix" }}{{ .Data.data.form_secret }}{{ end }}'
+listeners:
+  - path: /alloc/tmp/synapse.sock
+    resources:
+      - compress: false
+        names:
+          - client
+          - federation
+    type: http
+log_config: /secrets/logging.conf
+macaroon_secret_key: '{{ with secret "kv/service/matrix" }}{{ .Data.data.macaroon_secret_key }}{{ end }}'
+max_avatar_size: 4M
+media_retention:
+  local_media_lifetime: 730d
+  remote_media_lifetime: 14d
+media_store_path: /data/media_store
+password_config:
+  enabled: false
+public_baseurl: https://matrix.consul
+push:
+  include_content: event_id_only
+report_stats: false
+request_token_inhibit_3pid_errors: true
+server_name: matrix.consul
+server_notices:
+  system_mxid_display_name: Notification bot
+  system_mxid_localpart: server
+signing_key_path: /data/conf/matrix.consul.signing.key
+sso:
+  client_whitelist:
+    - https://matrix.consul
+  update_profile_information: true
+suppress_key_server_warning: true
+trusted_key_servers:
+  - server_name: matrix.org
+url_preview_enabled: true
+url_preview_ip_range_blacklist:
+  - 127.0.0.0/8
+  - 10.0.0.0/8
+  - 172.16.0.0/12
+  - 192.168.0.0/16
+  - 100.64.0.0/10
+  - 192.0.0.0/24
+  - 169.254.0.0/16
+  - 192.88.99.0/24
+  - 198.18.0.0/15
+  - 192.0.2.0/24
+  - 198.51.100.0/24
+  - 203.0.113.0/24
+  - 224.0.0.0/4
+url_preview_url_blacklist:
+  - username: '*'
+  - netloc: ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
+web_client: false
+
+_EOT
+        destination = "secrets/homeserver.yml"
+        uid         = 100000
+        gid         = 108008
+        perms       = 0640
+      }
+
+      template {
+        data        = <<_EOT
+version: 1
+
+formatters:
+  precise:
+   format: '%(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
+
+filters:
+  context:
+    (): synapse.util.logcontext.LoggingContextFilter
+    request: ""
+
+handlers:
+  console:
+    class: logging.StreamHandler
+    formatter: precise
+    filters: [context]
+
+loggers:
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+
+root:
+    level: DEBUG
+    handlers: [console]
+
+
+_EOT
+        destination = "secrets/logging.conf"
+      }
+
+      volume_mount {
+        volume      = "data"
+        destination = "/data"
+      }
+
+      resources {
+        cpu    = 500
+        memory = 384
+      }
+
+    }
+
+
+    task "nginx" {
+      driver = "docker"
+
+      config {
+        image           = "danielberteaud/matrix-element:1.11.53-1"
+        readonly_rootfs = true
+        pids_limit      = 100
+        volumes = [
+          "local/nginx.conf:/etc/nginx/conf.d/default.conf:ro",
+        ]
+
+        mount {
+          type   = "tmpfs"
+          target = "/tmp"
+          tmpfs_options {
+            size = 5000000
+          }
+        }
+
+
+      }
+
+      template {
+        data        = <<_EOT
+upstream synapse {
+  server unix:/alloc/tmp/synapse.sock;
+}
+
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+server {
+  listen 127.0.0.1:8008 default_server;
+  server_tokens off;
+  root /opt/element;
+  index index.html;
+  include /etc/nginx/mime.types;
+  default_type application/octet-stream;
+
+  proxy_http_version 1.1;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection $connection_upgrade;
+  proxy_set_header Host $host;
+  proxy_socket_keepalive on;
+  proxy_buffering off;
+  proxy_request_buffering off;
+  client_max_body_size 100m;
+  set_real_ip_from 127.0.0.1;
+  real_ip_header X-Forwarded-For;
+  real_ip_recursive on;
+
+  location /_matrix {
+   proxy_pass http://synapse;
+   proxy_read_timeout 600;
+  }
+
+  location /_synapse {
+    proxy_pass http://synapse;
+    proxy_read_timeout 600;
+  }
+
+  location = /health {
+    access_log off;
+    proxy_pass http://synapse;
+  }
+
+  location /index.html {
+    add_header Cache-Control "no-cache";
+  }
+
+  location /version {
+    add_header Cache-Control "no-cache";
+  }
+
+  location /config.json {
+    add_header Cache-Control "no-cache";
+    alias /local/element.json;
+  }
+
+  location /.well-known/matrix/server {
+    add_header Access-Control-Allow-Origin *;
+    default_type application/json;
+    expires 6h;
+    return 200 '{"m.server": "matrix.consul:443"}';
+  }
+  location /.well-known/matrix/client {
+    add_header Access-Control-Allow-Origin *;
+    default_type application/json;
+    expires 6h;
+    return 200 '{"m.homeserver": {"base_url": "https://matrix.consul"}}';
+  }
+
+  # Expose synapse admin
+  location /_admin/ {
+    alias /opt/synapse-admin/;
+    expires 30d;
+  }
+  # default files
+  location / {
+    expires 30d;
+  }
+}
+
+_EOT
+        destination = "local/nginx.conf"
+      }
+
+      template {
+        data        = <<_EOT
+{
+    "default_server_config": {
+      "m.homeserver": {
+        "base_url": "https://matrix.consul",
+        "server_name": "matrix.consul"
+      },
+      "m.identity_server": {
+        "base_url": "https://vector.im"
+      }
+    },
+    "brand": "Element",
+    "integrations_ui_url": "https://scalar.vector.im/",
+    "integrations_rest_url": "https://scalar.vector.im/api",
+    "integrations_widgets_urls": [
+        "https://scalar.vector.im/_matrix/integrations/v1",
+        "https://scalar.vector.im/api",
+        "https://scalar-staging.vector.im/_matrix/integrations/v1",
+        "https://scalar-staging.vector.im/api",
+        "https://scalar-staging.element.im/scalar/api"
+    ],
+    "show_labs_settings": true,
+    "roomDirectory": {
+        "servers": [
+            "matrix.org"
+        ]
+    },
+    "disable_guests": true,
+
+   "settingDefaults": {
+      "UIFeature.feedback": false,
+      "UIFeature.thirdPartyId": false
+   },
+   "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx",
+   "happyJson": true
+}
+
+_EOT
+        destination = "local/element.json"
+      }
+
+      resources {
+        cpu    = 20
+        memory = 16
+      }
+
+    }
+  }
+}

example/prep.d/10-mv-conf.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -eu
+
+
+
+if [ "matrix" != "matrix" ]; then
+  for DIR in vault consul nomad; do
+    if [ -d output/${DIR} ]; then
+      for FILE in $(find output/${DIR} -name "*matrix*.hcl" -type f); do
+        NEW_FILE=$(echo "${FILE}" | sed -E "s/matrix/matrix/g")
+        mv "${FILE}" "${NEW_FILE}"
+      done
+    fi
+  done
+fi
+
+
+

example/prep.d/20-rand-pwd.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -euo pipefail
+
+# Initialize random passwords if needed
+
+if ! vault kv list kv/service 2>/dev/null | grep -q -E '^matrix$'; then
+  vault kv put kv/service/matrix \
+    macaroon_secret_key=$(pwgen -s -n 50 1) \
+    form_secret=$(pwgen -s -n 50 1)
+fi
+
+for PWD in macaroon_secret_key form_secret; do
+  if ! vault kv get -field ${PWD} kv/service/matrix >/dev/null 2>&1; then
+    vault kv patch kv/service/matrix \
+      ${PWD}=$(pwgen -s -n 50 1)
+  fi
+done

example/vault/policies/matrix-synapse.hcl

@@ -0,0 +1,7 @@
+path "kv/data/service/matrix" {
+  capabilities = ["read"]
+}
+
+path "database/creds/matrix-synapse" {
+  capabilities = ["read"]
+}