Add rendered example

2024-01-05 14:32:35 +01:00 · 2024-01-05 14:32:35 +01:00 · 8a0de8df6a
parent 8fb6686d37
commit 8a0de8df6a
7 changed files with 219 additions and 0 deletions
--- a/example/consul/config/service-defaults/miniflux.hcl
+++ b/example/consul/config/service-defaults/miniflux.hcl
@ -0,0 +1,3 @@
+Kind = "service-defaults"
+Name = "miniflux"
+Protocol = "http"
--- a/example/consul/config/service-intentions/miniflux.hcl
+++ b/example/consul/config/service-intentions/miniflux.hcl
@ -0,0 +1,15 @@
+Kind = "service-intentions"
+Name = "miniflux"
+Sources = [
+  {
+    Name = "traefik"
+    Permissions = [
+      {
+        Action = "allow"
+        HTTP {
+          Methods = ["GET", "HEAD", "POST", "PUT", "DELETE"]
+        }
+      }
+    ]
+  }
+]
--- a/example/images/miniflux/Dockerfile
+++ b/example/images/miniflux/Dockerfile
@ -0,0 +1,26 @@
+FROM danielberteaud/alpine:24.1-1
+MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
+
+ARG MINIFLUX_VERSION=2.0.51
+
+ENV LISTEN_ADDR=0.0.0.0:8085 \
+    RUN_MIGRATIONS=1 \
+    CREATE_ADMIN=1 \
+    ADMIN_USERNAME=admin \
+    ADMIN_PASSWORD=miniflux \
+    PROXY_IMAGES=all \
+    POLLING_FREQUENCY=15 \
+    POLLING_PARSING_ERROR_LIMIT=8
+
+RUN set -eux &&\
+    apk --no-cache upgrade &&\
+    apk --no-cache add curl ca-certificates &&\
+    curl -sSLo /usr/local/bin/miniflux https://github.com/miniflux/v2/releases/download/${MINIFLUX_VERSION}/miniflux-linux-amd64 &&\
+    chown root:root /usr/local/bin/miniflux &&\
+    chmod 755 /usr/local/bin/miniflux &&\
+    addgroup -g 8085 miniflux &&\
+    adduser --system --ingroup miniflux --disabled-password --uid 8085 --shell /sbin/nologin miniflux
+
+EXPOSE 8085
+USER miniflux
+CMD ["miniflux"]
--- a/example/init/vault-miniflux
+++ b/example/init/vault-miniflux
@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -euo pipefail
+
+vault write database/roles/miniflux \
+    db_name="postgres" \
+    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
+        GRANT \"miniflux\" TO \"{{name}}\"; \
+        ALTER ROLE \"{{name}}\" SET role = \"miniflux\"" \
+    default_ttl="12h" \
+    max_ttl="720h"
+
--- a/example/miniflux.nomad.hcl
+++ b/example/miniflux.nomad.hcl
@ -0,0 +1,138 @@
+job "miniflux" {
+
+
+  datacenters = ["dc1"]
+
+
+  group "miniflux" {
+
+    count = 1
+
+    network {
+      mode = "bridge"
+    }
+
+    ephemeral_disk {
+      size = 101
+    }
+
+    service {
+      name = "miniflux"
+      port = 8085
+
+
+
+
+      connect {
+        sidecar_service {
+          proxy {
+            upstreams {
+              destination_name = "postgres"
+              local_bind_port  = 5432
+            }
+          }
+        }
+        sidecar_task {
+          resources {
+            cpu    = 50
+            memory = 64
+          }
+
+        }
+      }
+
+
+      check {
+        type     = "http"
+        path     = "/healthcheck"
+        expose   = true
+        interval = "10s"
+        timeout  = "3s"
+
+        check_restart {
+          limit = 20
+          grace = "20s"
+        }
+      }
+
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.miniflux.rule=Host(`flux.example.org`)",
+        "traefik.http.routers.miniflux.entrypoints=https",
+        "traefik.http.routers.miniflux.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file,compression@file,csp-relaxed@file",
+      ]
+    }
+
+    # wait for required services tp be ready before starting the main task
+    task "wait-for" {
+
+      driver = "docker"
+      user   = 1053
+
+      config {
+        image           = "danielberteaud/wait-for:24.1-1"
+        readonly_rootfs = true
+        pids_limit      = 20
+      }
+
+      lifecycle {
+        hook = "prestart"
+      }
+
+      env {
+        SERVICE_0 = "master.postgres.service.consul"
+      }
+
+      resources {
+        cpu        = 10
+        memory     = 10
+        memory_max = 30
+      }
+    }
+
+
+
+    task "miniflux" {
+      driver = "docker"
+
+      config {
+        image           = "danielberteaud/miniflux:2.0.51-1"
+        pids_limit      = 100
+        readonly_rootfs = true
+      }
+
+      vault {
+        policies     = ["miniflux"]
+        env          = false
+        disable_file = true
+      }
+
+      env {
+        LISTEN_ADDR = "127.0.0.1:8085"
+        BASE_URL    = "https://flux.example.org"
+
+
+      }
+
+
+      # Use a template block instead of env {} so we can fetch values from vault
+      template {
+        data        = <<_EOT
+DATABASE_URL=postgresql://{{ with secret "database/creds/miniflux" }}{{ .Data.username }}:{{ urlquery .Data.password }}{{ end }}@localhost:5432/miniflux?sslmode=disable
+LANG=fr_FR.utf8
+TZ=Europe/Paris
+_EOT
+        destination = "secrets/.env"
+        perms       = 400
+        env         = true
+      }
+
+
+      resources {
+        cpu    = 50
+        memory = 192
+      }
+
+    }
+  }
+}
--- a/example/prep.d/mv_conf.sh
+++ b/example/prep.d/mv_conf.sh
@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -eu
+
+
+
+if [ "miniflux" != "miniflux" ]; then
+  for DIR in vault consul nomad; do
+    if [ -d output/${DIR} ]; then
+      for FILE in $(find output/${DIR} -name "*miniflux*.hcl" -type f); do
+        NEW_FILE=$(echo "${FILE}" | sed -E "s/miniflux/miniflux/g")
+        mv "${FILE}" "${NEW_FILE}"
+      done
+    fi
+  done
+fi
+
+
+
--- a/example/vault/policies/miniflux.hcl
+++ b/example/vault/policies/miniflux.hcl
@ -0,0 +1,6 @@
+path "kv/data/service/miniflux" {
+  capabilities = ["read"]
+}
+path "database/creds/miniflux" {
+  capabilities = ["read"]
+}