diff --git a/consul/config/service-defaults/onlyoffice.hcl b/consul/config/service-defaults/onlyoffice.hcl
index e977b34..f3ad32f 100644
--- a/consul/config/service-defaults/onlyoffice.hcl
+++ b/consul/config/service-defaults/onlyoffice.hcl
@@ -1,3 +1,3 @@
 Kind = "service-defaults"
-Name = "[[ .oo.instance ]][[ .consul.suffix ]]"
+Name = "[[ .instance ]][[ .consul.suffix ]]"
 Protocol = "http"
diff --git a/consul/config/service-intentions/onlyoffice.hcl b/consul/config/service-intentions/onlyoffice.hcl
index a7bb8e7..c3265e9 100644
--- a/consul/config/service-intentions/onlyoffice.hcl
+++ b/consul/config/service-intentions/onlyoffice.hcl
@@ -1,8 +1,8 @@
 Kind = "service-intentions"
-Name = "[[ .oo.instance ]][[ .consul.suffix ]]"
+Name = "[[ .instance ]][[ .consul.suffix ]]"
 Sources = [
 {
- Name = "[[ .traefik.instance ]]"
+ Name = "[[ (merge .oo .).traefik.instance ]]"
 Permissions = [
 {
 Action = "deny"
diff --git a/init/vault-onlyoffice-docserver b/init/vault-onlyoffice-docserver
index 7cc8ba7..a44f309 100755
--- a/init/vault-onlyoffice-docserver
+++ b/init/vault-onlyoffice-docserver
@@ -2,7 +2,7 @@ set -euo pipefail
-[[- template "common/vault.mkpgrole.sh.tpl"
+[[- template "common/vault.mkpgrole.sh"
 dict "ctx" .
- "config" (dict "role" .oo.instance "database" "postgres")
+ "config" (dict "role" .instance "database" "postgres")
 ]]
diff --git a/onlyoffice-docserver.nomad.hcl b/onlyoffice-docserver.nomad.hcl
index 78d707e..85b7d70 100644
--- a/onlyoffice-docserver.nomad.hcl
+++ b/onlyoffice-docserver.nomad.hcl
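Review bot: The intention's source is now resolved as `(merge .oo .).traefik.instance`, while the Traefik tags in onlyoffice-docserver.nomad.hcl (hunk @@ -53,16) resolve the same setting through `$c := merge .oo.ds .`, i.e. `$c.traefik.instance`; if an operator overrides the Traefik instance under `oo.ds.traefik` as the job expects, the intention names a different source than the proxy that actually routes the traffic, and the allow is granted to the wrong service identity while the real proxy is left to the default policy. Assuming the variables layout matches what the job uses, `Name = "[[ (merge .oo.ds .).traefik.instance ]]"` keeps both in step. This is inferred from the job's `$c` definition; confirm where `traefik` lives in variables.yml before changing it.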
@@ -1,40 +1,24 @@
 [[ $c := merge .oo.ds . -]]
-job [[ .oo.instance | toJSON ]] {
+job [[ .instance | toJSON ]] {
-[[ template "common/job_start.tpl" $c ]]
+[[ template "common/job_start" $c ]]
 group "onlyoffice" {
 network {
 mode = "bridge"
 # This can be used to ensure rabbitmq has a stable hostname
 # Even if for now, we do not persist rabbitmq data
- hostname = "[[ .oo.instance ]][[ $c.consul.suffix ]]"
+ hostname = "[[ .instance ]][[ $c.consul.suffix ]]"
 }
- volume "data" {
- type = [[ .oo.volumes.data.type | toJSON ]]
- source = [[ .oo.volumes.data.source | toJSON ]]
-[[- if ne .oo.volumes.data.type "host" ]]
- access_mode = "single-node-writer"
- attachment_mode = "file-system"
-[[- end ]]
- }
-
- volume "rabbitmq" {
- type = [[ .oo.volumes.rabbitmq.type | toJSON ]]
- source = [[ .oo.volumes.rabbitmq.source | toJSON ]]
-[[- if ne .oo.volumes.rabbitmq.type "host" ]]
- access_mode = "single-node-writer"
- attachment_mode = "file-system"
-[[- end ]]
- }
+[[ template "common/volumes" .oo.volumes ]]
 service {
- name = "[[ .oo.instance ]][[ $c.consul.suffix ]]"
+ name = "[[ .instance ]][[ $c.consul.suffix ]]"
 port = 8819
-[[ template "common/connect.tpl" $c ]]
+[[ template "common/connect" $c ]]
 check {
 name = "health"
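Review bot: The inline volume stanzas replaced by `[[ template "common/volumes" .oo.volumes ]]` set `access_mode = "single-node-writer"` and `attachment_mode = "file-system"` for every non-host volume type, and the shared template is not part of this diff, so whether it still renders those attributes for the `data` and `rabbitmq` volumes cannot be checked here. The old stanzas should be compared against `common/volumes` before merge, and a short comment on the new line such as `# common/volumes renders one volume stanza per entry, including the CSI access/attachment modes` would record that expectation for the next reader. The `job` block opened in this hunk continues well past it.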
@@ -53,16 +37,16 @@ job [[ .oo.instance | toJSON ]] {
 tags = [
 [[- if $c.traefik.enabled ]]
 "[[ $c.traefik.instance ]].enable=true",
- "[[ $c.traefik.instance ]].http.routers.[[ .oo.instance ]][[ $c.consul.suffix ]].rule=Host(`[[ (urlParse .oo.ds.public_url).Hostname ]]`)
+ "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ $c.consul.suffix ]].rule=Host(`[[ (urlParse .oo.ds.public_url).Hostname ]]`)
 [[- if not (regexp.Match "^/?$" (urlParse .oo.ds.public_url).Path) ]] && PathPrefix(`[[ (urlParse .oo.ds.public_url).Path ]]`)[[ end ]]",
- "[[ $c.traefik.instance ]].http.routers.[[ .oo.instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
- "[[ $c.traefik.instance ]].http.middlewares.[[ .oo.instance ]]-headers[[ $c.consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $c.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
- "[[ $c.traefik.instance ]].http.middlewares.[[ .oo.instance ]]-headers[[ $c.consul.suffix ]].headers.customrequestheaders.X-Forwarded-Proto=https",
+ "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
+ "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ $c.consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $c.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
+ "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ $c.consul.suffix ]].headers.customrequestheaders.X-Forwarded-Proto=https",
 [[- if not (regexp.Match "^/?$" (urlParse .oo.ds.public_url).Path) ]]
- "[[ $c.traefik.instance ]].http.middlewares.[[ .oo.instance ]][[ $c.consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse .oo.ds.public_url).Path ]]",
- "[[ $c.traefik.instance ]].http.routers.[[ .oo.instance ]][[ $c.consul.suffix ]].middlewares=[[ .oo.instance ]]-headers[[ $c.consul.suffix ]],[[ .oo.instance ]][[ $c.consul.suffix ]]-prefix,[[ template "common/traefik_middlewares.tpl" $c.traefik ]]",
+ "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]][[ $c.consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse .oo.ds.public_url).Path ]]",
+ "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ $c.consul.suffix ]].middlewares=[[ .instance ]]-headers[[ $c.consul.suffix ]],[[ .instance ]][[ $c.consul.suffix ]]-prefix,[[ template "common/traefik_middlewares" $c.traefik ]]",
 [[- else ]]
- "[[ $c.traefik.instance ]].http.routers.[[ .oo.instance ]][[ $c.consul.suffix ]].middlewares=[[ .oo.instance ]]-headers[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares.tpl" $c.traefik ]]",
+ "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ $c.consul.suffix ]].middlewares=[[ .instance ]]-headers[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]]",
 [[- end ]]
 [[- end ]]
 ]
@@ -84,18 +68,18 @@ job [[ .oo.instance | toJSON ]] {
 }
 vault {
- policies = ["[[ .oo.instance ]][[ $c.consul.suffix ]]"]
+ policies = ["[[ .instance ]][[ $c.consul.suffix ]]"]
 disable_file = true
 env = false
 }
 env {
 NGINX_LISTEN_IP = "127.0.0.1"
- APPLICATION_NAME = "[[ .oo.instance ]][[ .consul.suffix ]]"
-[[ template "common/proxy_env.tpl" $c ]]
+ APPLICATION_NAME = "[[ .instance ]][[ .consul.suffix ]]"
+[[ template "common/proxy_env" $c ]]
 }
-[[ template "common/file_env.tpl" $c.env ]]
+[[ template "common/file_env" $c.env ]]
 template {
 data =<<_EOT
@@ -109,11 +93,11 @@ _EOT
 destination = "/var/lib/onlyoffice/documentserver/App_Data/"
 }
-[[ template "common/resources.tpl" $c.resources ]]
+[[ template "common/resources" $c.resources ]]
 }
-[[ template "common/task.wait_for.tpl" $c ]]
+[[ template "common/task.wait_for" $c ]]
 task "redis" {
 driver = [[ $c.nomad.driver | toJSON ]]
@@ -168,7 +152,7 @@ _EOT
 ]
 }
-[[ template "common/file_env.tpl" $c.env ]]
+[[ template "common/file_env" $c.env ]]
 template {
 data = <<_EOT
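Review bot: `APPLICATION_NAME = "[[ .instance ]][[ .consul.suffix ]]"` in the @@ -84,18 hunk takes the suffix from the root context, whereas the `hostname`, service `name` and Vault `policies` lines of this same file take it from `$c.consul.suffix`; since `$c` is `merge .oo.ds .`, a per-instance override of `consul.suffix` would rename the Consul service but leave `APPLICATION_NAME` on the old value. Reading it through the merged context keeps every rendered name identical: `APPLICATION_NAME = "[[ .instance ]][[ $c.consul.suffix ]]"`. Whether `consul.suffix` is ever overridden per instance is not visible in this diff, so treat this as a consistency fix rather than a confirmed breakage.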
@@ -185,7 +169,7 @@ _EOT
 destination = "/var/lib/rabbitmq"
 }
-[[ template "common/resources.tpl" $c.resources ]]
+[[ template "common/resources" $c.resources ]]
 }
 }
 }
diff --git a/prep.d/10-mv_conf.sh b/prep.d/10-mv_conf.sh
index 4a39091..5ca6941 100755
--- a/prep.d/10-mv_conf.sh
+++ b/prep.d/10-mv_conf.sh
@@ -1 +1 @@
-[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "onlyoffice" .oo.instance) ]]
+[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "onlyoffice" .instance) ]]
diff --git a/prep.d/20-rand-keys.sh b/prep.d/20-rand-keys.sh
index f01ddcc..eb6c6f7 100755
--- a/prep.d/20-rand-keys.sh
+++ b/prep.d/20-rand-keys.sh
@@ -4,15 +4,15 @@ set -euo pipefail
 # Initialize random passwords if needed
-if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .oo.instance ]]$'; then
- vault kv put [[ .vault.prefix ]]kv/service/[[ .oo.instance ]] \
+if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
+ vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
 jwt_token=$(pwgen -s -n 50 1) \
 storage_secret=$(pwgen -s -n 50 1)
 fi
 for PWD in jwt_token storage_secret; do
- if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .oo.instance ]] >/dev/null 2>&1; then
- vault kv patch [[ .vault.prefix ]]kv/service/[[ .oo.instance ]] \
+ if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
+ vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
 ${PWD}=$(pwgen -s -n 50 1)
 fi
 done
diff --git a/variables.yml b/variables.yml
index b5229f6..d98faac 100644
--- a/variables.yml
+++ b/variables.yml
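Review bot: In the prep.d/20-rand-keys.sh hunk, the rewritten `vault kv put` and `vault kv patch` lines still hand the freshly generated secrets to Vault as `key=value` arguments, so each value is briefly readable by any other local process through the command line of the `vault` process; the Vault CLI accepts `key=-` to take a value from stdin, which for the single-key patch is `vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] "${PWD}=-" <<<"$(pwgen -s -n 50 1)"`. The existence check on the new `if` line also interpolates `.instance` unescaped into an ERE; `grep -qxF '[[ .instance ]]'` matches the whole line literally and removes the dependence on the instance name containing no regex metacharacters. The loop variable `PWD` shadows the shell's working-directory variable for the rest of the script, which is harmless here but worth renaming (e.g. `KEY`) while the lines are being touched.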
@@ -1,15 +1,15 @@
 ---
-oo:
+# Name of this instance. Will control the name of the service and of various default settings (like DB name etc.)
+# You must use different instance names if you want to run several copies on the same cluster
+instance: onlyoffice
- # Name of this instance. Will control the name of the service and of various default settings (like DB name etc.)
- # You must use different instance names if you want to run several copies on the same cluster
- instance: onlyoffice
+oo:
 # Document Services
 ds:
 # Docker image to use
- image: danielberteaud/onlyoffice-docserver:7.5.1-5
+ image: '[[ .docker.repo ]]onlyoffice-docserver:7.5.1-5'
 # Resource allocation for OnlyOffice itself
 resources:
@@ -21,13 +21,13 @@ oo:
 # Additional env vars to set in the container
 env:
- OO_STORAGE_SECRET: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .oo.instance ]]" }}{{ .Data.data.storage_secret }}{{ end }}'
- OO_JWT_TOKEN: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .oo.instance ]]" }}{{ .Data.data.jwt_token }}{{ end }}'
+ OO_STORAGE_SECRET: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.storage_secret }}{{ end }}'
+ OO_JWT_TOKEN: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.jwt_token }}{{ end }}'
 OO_DB_HOST: 127.0.0.1
 OO_DB_PORT: 5432
- OO_DB_NAME: '[[ .oo.instance ]]'
- OO_DB_USER: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .oo.instance ]]" }}{{ .Data.username }}{{ end }}'
- OO_DB_PASS: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .oo.instance ]]" }}{{ .Data.password }}{{ end }}'
+ OO_DB_NAME: '[[ .instance ]]'
+ OO_DB_USER: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
+ OO_DB_PASS: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
 # Controls how the service will be exposed with Traefik
 traefik:
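Review bot: The new `image: '[[ .docker.repo ]]onlyoffice-docserver:7.5.1-5'` line still selects the image by a mutable tag, and the registry it is pulled from now comes from `.docker.repo`, a value defined outside this file, so what actually runs depends on a variable a reader of this file cannot see. Pinning the reference by digest (`onlyoffice-docserver:7.5.1-5@sha256:DIGEST_PLACEHOLDER`, placeholder) or documenting that `.docker.repo` points at a mirror holding verified images would make the deployment reproducible. At minimum a comment above the line such as `# Image tag is mutable; .docker.repo selects the registry (see the global variables)` would make the choice explicit.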
@@ -81,9 +81,9 @@ oo:
 # This is for DocumentServer Data
 data:
 type: csi
- source: '[[ .oo.instance ]]-data'
+ source: '[[ .instance ]]-data'
 # This is for RabbitMQ
 rabbitmq:
 type: csi
- source: '[[ .oo.instance ]]-rabbitmq'
+ source: '[[ .instance ]]-rabbitmq'
diff --git a/vault/policies/onlyoffice.hcl b/vault/policies/onlyoffice.hcl
index f1f9108..5a74329 100644
--- a/vault/policies/onlyoffice.hcl
+++ b/vault/policies/onlyoffice.hcl
@@ -1,8 +1,8 @@
-path "[[ .vault.prefix ]]kv/data/service/[[ .oo.instance ]]" {
+path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
 capabilities = ["read"]
 }
-path "[[ .vault.prefix ]]database/creds/[[ .oo.instance ]]" {
+path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
 capabilities = ["read"]
 }