Cleanup
This commit is contained in:
parent
53b5ede01d
commit
4d53b13d4a
|
@ -1,3 +1,3 @@
|
||||||
Kind = "service-defaults"
|
Kind = "service-defaults"
|
||||||
Name = "[[ .oo.instance ]][[ .consul.suffix ]]"
|
Name = "[[ .instance ]][[ .consul.suffix ]]"
|
||||||
Protocol = "http"
|
Protocol = "http"
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
Kind = "service-intentions"
|
Kind = "service-intentions"
|
||||||
Name = "[[ .oo.instance ]][[ .consul.suffix ]]"
|
Name = "[[ .instance ]][[ .consul.suffix ]]"
|
||||||
Sources = [
|
Sources = [
|
||||||
{
|
{
|
||||||
Name = "[[ .traefik.instance ]]"
|
Name = "[[ (merge .oo .).traefik.instance ]]"
|
||||||
Permissions = [
|
Permissions = [
|
||||||
{
|
{
|
||||||
Action = "deny"
|
Action = "deny"
|
||||||
|
|
|
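Review bot: The merge base in `Name = "[[ (merge .oo .).traefik.instance ]]"` differs from the job template, which resolves the same setting through `$c := merge .oo.ds .` (visible in the later hunk). If the `traefik` section of the defaults lives under `oo.ds` rather than directly under `oo`, this expression falls through to the top-level `.traefik.instance` and silently ignores a per-instance override, so the intention and the job could name different Traefik instances; this cannot be confirmed from the hunk, so it is worth checking against the vars file or using the same merge base in both templates. Because this entry controls which source may reach the service, a mismatch would surface as a denied route rather than as a template error.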
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
[[- template "common/vault.mkpgrole.sh.tpl"
|
[[- template "common/vault.mkpgrole.sh"
|
||||||
dict "ctx" .
|
dict "ctx" .
|
||||||
"config" (dict "role" .oo.instance "database" "postgres")
|
"config" (dict "role" .instance "database" "postgres")
|
||||||
]]
|
]]
|
||||||
|
|
|
@ -1,40 +1,24 @@
|
||||||
[[ $c := merge .oo.ds . -]]
|
[[ $c := merge .oo.ds . -]]
|
||||||
|
|
||||||
job [[ .oo.instance | toJSON ]] {
|
job [[ .instance | toJSON ]] {
|
||||||
|
|
||||||
[[ template "common/job_start.tpl" $c ]]
|
[[ template "common/job_start" $c ]]
|
||||||
|
|
||||||
group "onlyoffice" {
|
group "onlyoffice" {
|
||||||
network {
|
network {
|
||||||
mode = "bridge"
|
mode = "bridge"
|
||||||
# This can be used to ensure rabbitmq has a stable hostname
|
# This can be used to ensure rabbitmq has a stable hostname
|
||||||
# Even if for now, we do not persist rabbitmq data
|
# Even if for now, we do not persist rabbitmq data
|
||||||
hostname = "[[ .oo.instance ]][[ $c.consul.suffix ]]"
|
hostname = "[[ .instance ]][[ $c.consul.suffix ]]"
|
||||||
}
|
}
|
||||||
|
|
||||||
volume "data" {
|
[[ template "common/volumes" .oo.volumes ]]
|
||||||
type = [[ .oo.volumes.data.type | toJSON ]]
|
|
||||||
source = [[ .oo.volumes.data.source | toJSON ]]
|
|
||||||
[[- if ne .oo.volumes.data.type "host" ]]
|
|
||||||
access_mode = "single-node-writer"
|
|
||||||
attachment_mode = "file-system"
|
|
||||||
[[- end ]]
|
|
||||||
}
|
|
||||||
|
|
||||||
volume "rabbitmq" {
|
|
||||||
type = [[ .oo.volumes.rabbitmq.type | toJSON ]]
|
|
||||||
source = [[ .oo.volumes.rabbitmq.source | toJSON ]]
|
|
||||||
[[- if ne .oo.volumes.rabbitmq.type "host" ]]
|
|
||||||
access_mode = "single-node-writer"
|
|
||||||
attachment_mode = "file-system"
|
|
||||||
[[- end ]]
|
|
||||||
}
|
|
||||||
|
|
||||||
service {
|
service {
|
||||||
name = "[[ .oo.instance ]][[ $c.consul.suffix ]]"
|
name = "[[ .instance ]][[ $c.consul.suffix ]]"
|
||||||
port = 8819
|
port = 8819
|
||||||
|
|
||||||
[[ template "common/connect.tpl" $c ]]
|
[[ template "common/connect" $c ]]
|
||||||
|
|
||||||
check {
|
check {
|
||||||
name = "health"
|
name = "health"
|
||||||
|
@ -53,16 +37,16 @@ job [[ .oo.instance | toJSON ]] {
|
||||||
tags = [
|
tags = [
|
||||||
[[- if $c.traefik.enabled ]]
|
[[- if $c.traefik.enabled ]]
|
||||||
"[[ $c.traefik.instance ]].enable=true",
|
"[[ $c.traefik.instance ]].enable=true",
|
||||||
"[[ $c.traefik.instance ]].http.routers.[[ .oo.instance ]][[ $c.consul.suffix ]].rule=Host(`[[ (urlParse .oo.ds.public_url).Hostname ]]`)
|
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ $c.consul.suffix ]].rule=Host(`[[ (urlParse .oo.ds.public_url).Hostname ]]`)
|
||||||
[[- if not (regexp.Match "^/?$" (urlParse .oo.ds.public_url).Path) ]] && PathPrefix(`[[ (urlParse .oo.ds.public_url).Path ]]`)[[ end ]]",
|
[[- if not (regexp.Match "^/?$" (urlParse .oo.ds.public_url).Path) ]] && PathPrefix(`[[ (urlParse .oo.ds.public_url).Path ]]`)[[ end ]]",
|
||||||
"[[ $c.traefik.instance ]].http.routers.[[ .oo.instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
|
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
|
||||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .oo.instance ]]-headers[[ $c.consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $c.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
|
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ $c.consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $c.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
|
||||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .oo.instance ]]-headers[[ $c.consul.suffix ]].headers.customrequestheaders.X-Forwarded-Proto=https",
|
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ $c.consul.suffix ]].headers.customrequestheaders.X-Forwarded-Proto=https",
|
||||||
[[- if not (regexp.Match "^/?$" (urlParse .oo.ds.public_url).Path) ]]
|
[[- if not (regexp.Match "^/?$" (urlParse .oo.ds.public_url).Path) ]]
|
||||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .oo.instance ]][[ $c.consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse .oo.ds.public_url).Path ]]",
|
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]][[ $c.consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse .oo.ds.public_url).Path ]]",
|
||||||
"[[ $c.traefik.instance ]].http.routers.[[ .oo.instance ]][[ $c.consul.suffix ]].middlewares=[[ .oo.instance ]]-headers[[ $c.consul.suffix ]],[[ .oo.instance ]][[ $c.consul.suffix ]]-prefix,[[ template "common/traefik_middlewares.tpl" $c.traefik ]]",
|
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ $c.consul.suffix ]].middlewares=[[ .instance ]]-headers[[ $c.consul.suffix ]],[[ .instance ]][[ $c.consul.suffix ]]-prefix,[[ template "common/traefik_middlewares" $c.traefik ]]",
|
||||||
[[- else ]]
|
[[- else ]]
|
||||||
"[[ $c.traefik.instance ]].http.routers.[[ .oo.instance ]][[ $c.consul.suffix ]].middlewares=[[ .oo.instance ]]-headers[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares.tpl" $c.traefik ]]",
|
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ $c.consul.suffix ]].middlewares=[[ .instance ]]-headers[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]]",
|
||||||
[[- end ]]
|
[[- end ]]
|
||||||
[[- end ]]
|
[[- end ]]
|
||||||
]
|
]
|
||||||
|
@ -84,18 +68,18 @@ job [[ .oo.instance | toJSON ]] {
|
||||||
}
|
}
|
||||||
|
|
||||||
vault {
|
vault {
|
||||||
policies = ["[[ .oo.instance ]][[ $c.consul.suffix ]]"]
|
policies = ["[[ .instance ]][[ $c.consul.suffix ]]"]
|
||||||
disable_file = true
|
disable_file = true
|
||||||
env = false
|
env = false
|
||||||
}
|
}
|
||||||
|
|
||||||
env {
|
env {
|
||||||
NGINX_LISTEN_IP = "127.0.0.1"
|
NGINX_LISTEN_IP = "127.0.0.1"
|
||||||
APPLICATION_NAME = "[[ .oo.instance ]][[ .consul.suffix ]]"
|
APPLICATION_NAME = "[[ .instance ]][[ .consul.suffix ]]"
|
||||||
[[ template "common/proxy_env.tpl" $c ]]
|
[[ template "common/proxy_env" $c ]]
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ template "common/file_env.tpl" $c.env ]]
|
[[ template "common/file_env" $c.env ]]
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data =<<_EOT
|
data =<<_EOT
|
||||||
|
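Review bot: `APPLICATION_NAME = "[[ .instance ]][[ .consul.suffix ]]"` reads the suffix from the root context, while the `policies` line in this hunk and the `hostname`/`name` lines in the earlier hunk use `$c.consul.suffix`. With `$c := merge .oo.ds .` the two resolve identically only as long as no `consul` key is ever set under `oo.ds`; changing this line to `[[ $c.consul.suffix ]]` keeps the service name, the Vault policy name and APPLICATION_NAME derived from a single source. The enclosing task block starts and ends outside this hunk.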
@ -109,11 +93,11 @@ _EOT
|
||||||
destination = "/var/lib/onlyoffice/documentserver/App_Data/"
|
destination = "/var/lib/onlyoffice/documentserver/App_Data/"
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ template "common/resources.tpl" $c.resources ]]
|
[[ template "common/resources" $c.resources ]]
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ template "common/task.wait_for.tpl" $c ]]
|
[[ template "common/task.wait_for" $c ]]
|
||||||
|
|
||||||
task "redis" {
|
task "redis" {
|
||||||
driver = [[ $c.nomad.driver | toJSON ]]
|
driver = [[ $c.nomad.driver | toJSON ]]
|
||||||
|
@ -168,7 +152,7 @@ _EOT
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ template "common/file_env.tpl" $c.env ]]
|
[[ template "common/file_env" $c.env ]]
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
|
@ -185,7 +169,7 @@ _EOT
|
||||||
destination = "/var/lib/rabbitmq"
|
destination = "/var/lib/rabbitmq"
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ template "common/resources.tpl" $c.resources ]]
|
[[ template "common/resources" $c.resources ]]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "onlyoffice" .oo.instance) ]]
|
[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "onlyoffice" .instance) ]]
|
||||||
|
|
|
@ -4,15 +4,15 @@ set -euo pipefail
|
||||||
|
|
||||||
# Initialize random passwords if needed
|
# Initialize random passwords if needed
|
||||||
|
|
||||||
if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .oo.instance ]]$'; then
|
if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
|
||||||
vault kv put [[ .vault.prefix ]]kv/service/[[ .oo.instance ]] \
|
vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
|
||||||
jwt_token=$(pwgen -s -n 50 1) \
|
jwt_token=$(pwgen -s -n 50 1) \
|
||||||
storage_secret=$(pwgen -s -n 50 1)
|
storage_secret=$(pwgen -s -n 50 1)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
for PWD in jwt_token storage_secret; do
|
for PWD in jwt_token storage_secret; do
|
||||||
if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .oo.instance ]] >/dev/null 2>&1; then
|
if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
|
||||||
vault kv patch [[ .vault.prefix ]]kv/service/[[ .oo.instance ]] \
|
vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
|
||||||
${PWD}=$(pwgen -s -n 50 1)
|
${PWD}=$(pwgen -s -n 50 1)
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
|
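Review bot: `grep -q -E '^[[ .instance ]]$'` interpolates the instance name into an extended regex, so a name containing `.`, `+` or other metacharacters matches more entries than intended and the script may skip creating the secret; a fixed-string whole-line match, `grep -qxF -- '[[ .instance ]]'`, expresses the check exactly. Separately, `for PWD in jwt_token storage_secret` reuses bash's `PWD` variable as the loop variable; renaming it (e.g. `for secret in jwt_token storage_secret; do` with `${secret}` below) avoids clobbering the working-directory variable for the rest of the script. Both lines are unchanged context from before the rename and fall entirely inside the hunk.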
@ -1,15 +1,15 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
oo:
|
# Name of this instance. Will control the name of the service and of various default settings (like DB name etc.)
|
||||||
|
# You must use different instance names if you want to run several copies on the same cluster
|
||||||
|
instance: onlyoffice
|
||||||
|
|
||||||
# Name of this instance. Will control the name of the service and of various default settings (like DB name etc.)
|
oo:
|
||||||
# You must use different instance names if you want to run several copies on the same cluster
|
|
||||||
instance: onlyoffice
|
|
||||||
|
|
||||||
# Document Services
|
# Document Services
|
||||||
ds:
|
ds:
|
||||||
# Docker image to use
|
# Docker image to use
|
||||||
image: danielberteaud/onlyoffice-docserver:7.5.1-5
|
image: '[[ .docker.repo ]]onlyoffice-docserver:7.5.1-5'
|
||||||
|
|
||||||
# Resource allocation for OnlyOffice itself
|
# Resource allocation for OnlyOffice itself
|
||||||
resources:
|
resources:
|
||||||
|
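Review bot: `image: '[[ .docker.repo ]]onlyoffice-docserver:7.5.1-5'` concatenates `.docker.repo` with no separator, so the value must be empty or end with `/` for the reference to be valid; the comment above it could state that, e.g. `# Docker image to use (.docker.repo must be empty or end with a trailing slash)`. The tag is pinned but tags are mutable, and now that the registry is configurable the pulled content depends on whatever the configured repo serves under that tag; pinning by digest as well (`onlyoffice-docserver:7.5.1-5@sha256:<digest placeholder>`) would make the deployment independent of that.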
@ -21,13 +21,13 @@ oo:
|
||||||
|
|
||||||
# Additional env vars to set in the container
|
# Additional env vars to set in the container
|
||||||
env:
|
env:
|
||||||
OO_STORAGE_SECRET: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .oo.instance ]]" }}{{ .Data.data.storage_secret }}{{ end }}'
|
OO_STORAGE_SECRET: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.storage_secret }}{{ end }}'
|
||||||
OO_JWT_TOKEN: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .oo.instance ]]" }}{{ .Data.data.jwt_token }}{{ end }}'
|
OO_JWT_TOKEN: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.jwt_token }}{{ end }}'
|
||||||
OO_DB_HOST: 127.0.0.1
|
OO_DB_HOST: 127.0.0.1
|
||||||
OO_DB_PORT: 5432
|
OO_DB_PORT: 5432
|
||||||
OO_DB_NAME: '[[ .oo.instance ]]'
|
OO_DB_NAME: '[[ .instance ]]'
|
||||||
OO_DB_USER: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .oo.instance ]]" }}{{ .Data.username }}{{ end }}'
|
OO_DB_USER: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
|
||||||
OO_DB_PASS: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .oo.instance ]]" }}{{ .Data.password }}{{ end }}'
|
OO_DB_PASS: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
|
||||||
|
|
||||||
# Controls how the service will be exposed with Traefik
|
# Controls how the service will be exposed with Traefik
|
||||||
traefik:
|
traefik:
|
||||||
|
@ -81,9 +81,9 @@ oo:
|
||||||
# This is for DocumentServer Data
|
# This is for DocumentServer Data
|
||||||
data:
|
data:
|
||||||
type: csi
|
type: csi
|
||||||
source: '[[ .oo.instance ]]-data'
|
source: '[[ .instance ]]-data'
|
||||||
|
|
||||||
# This is for RabbitMQ
|
# This is for RabbitMQ
|
||||||
rabbitmq:
|
rabbitmq:
|
||||||
type: csi
|
type: csi
|
||||||
source: '[[ .oo.instance ]]-rabbitmq'
|
source: '[[ .instance ]]-rabbitmq'
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
path "[[ .vault.prefix ]]kv/data/service/[[ .oo.instance ]]" {
|
path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
||||||
path "[[ .vault.prefix ]]database/creds/[[ .oo.instance ]]" {
|
path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|