Daniel Berteaud 2023-12-21 23:06:48 +01:00
parent 53b5ede01d
commit 4d53b13d4a
8 changed files with 45 additions and 61 deletions


@ -1,3 +1,3 @@
Kind = "service-defaults" Kind = "service-defaults"
Name = "[[ .oo.instance ]][[ .consul.suffix ]]" Name = "[[ .instance ]][[ .consul.suffix ]]"
Protocol = "http" Protocol = "http"


@ -1,8 +1,8 @@
Kind = "service-intentions" Kind = "service-intentions"
Name = "[[ .oo.instance ]][[ .consul.suffix ]]" Name = "[[ .instance ]][[ .consul.suffix ]]"
Sources = [ Sources = [
{ {
Name = "[[ .traefik.instance ]]" Name = "[[ (merge .oo .).traefik.instance ]]"
Permissions = [ Permissions = [
{ {
Action = "deny" Action = "deny"
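Review bot: The upstream source name on `Name = "[[ (merge .oo .).traefik.instance ]]"` is resolved differently from the job template in this same commit, which builds `$c := merge .oo.ds .` and emits the Traefik router tags with `$c.traefik.instance`. If the Traefik settings live under `oo.ds` (as the job template's lookup suggests; the defaults file does not show the nesting), a per-instance override of `traefik.instance` would change the router tags but not this intention, so the intention would name a Traefik service other than the one actually routing to OnlyOffice. Using the same lookup in both places, e.g. `Name = "[[ (merge .oo.ds .).traefik.instance ]]"`, keeps the intention in step with the service it is meant to gate. The `Sources` block continues past the end of the hunk.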


@ -2,7 +2,7 @@
set -euo pipefail set -euo pipefail
[[- template "common/vault.mkpgrole.sh.tpl" [[- template "common/vault.mkpgrole.sh"
dict "ctx" . dict "ctx" .
"config" (dict "role" .oo.instance "database" "postgres") "config" (dict "role" .instance "database" "postgres")
]] ]]


@ -1,40 +1,24 @@
[[ $c := merge .oo.ds . -]] [[ $c := merge .oo.ds . -]]
job [[ .oo.instance | toJSON ]] { job [[ .instance | toJSON ]] {
[[ template "common/job_start.tpl" $c ]] [[ template "common/job_start" $c ]]
group "onlyoffice" { group "onlyoffice" {
network { network {
mode = "bridge" mode = "bridge"
# This can be used to ensure rabbitmq has a stable hostname # This can be used to ensure rabbitmq has a stable hostname
# Even if for now, we do not persist rabbitmq data # Even if for now, we do not persist rabbitmq data
hostname = "[[ .oo.instance ]][[ $c.consul.suffix ]]" hostname = "[[ .instance ]][[ $c.consul.suffix ]]"
} }
volume "data" { [[ template "common/volumes" .oo.volumes ]]
type = [[ .oo.volumes.data.type | toJSON ]]
source = [[ .oo.volumes.data.source | toJSON ]]
[[- if ne .oo.volumes.data.type "host" ]]
access_mode = "single-node-writer"
attachment_mode = "file-system"
[[- end ]]
}
volume "rabbitmq" {
type = [[ .oo.volumes.rabbitmq.type | toJSON ]]
source = [[ .oo.volumes.rabbitmq.source | toJSON ]]
[[- if ne .oo.volumes.rabbitmq.type "host" ]]
access_mode = "single-node-writer"
attachment_mode = "file-system"
[[- end ]]
}
service { service {
name = "[[ .oo.instance ]][[ $c.consul.suffix ]]" name = "[[ .instance ]][[ $c.consul.suffix ]]"
port = 8819 port = 8819
[[ template "common/connect.tpl" $c ]] [[ template "common/connect" $c ]]
check { check {
name = "health" name = "health"
@ -53,16 +37,16 @@ job [[ .oo.instance | toJSON ]] {
tags = [ tags = [
[[- if $c.traefik.enabled ]] [[- if $c.traefik.enabled ]]
"[[ $c.traefik.instance ]].enable=true", "[[ $c.traefik.instance ]].enable=true",
"[[ $c.traefik.instance ]].http.routers.[[ .oo.instance ]][[ $c.consul.suffix ]].rule=Host(`[[ (urlParse .oo.ds.public_url).Hostname ]]`) "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ $c.consul.suffix ]].rule=Host(`[[ (urlParse .oo.ds.public_url).Hostname ]]`)
[[- if not (regexp.Match "^/?$" (urlParse .oo.ds.public_url).Path) ]] && PathPrefix(`[[ (urlParse .oo.ds.public_url).Path ]]`)[[ end ]]", [[- if not (regexp.Match "^/?$" (urlParse .oo.ds.public_url).Path) ]] && PathPrefix(`[[ (urlParse .oo.ds.public_url).Path ]]`)[[ end ]]",
"[[ $c.traefik.instance ]].http.routers.[[ .oo.instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]", "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
"[[ $c.traefik.instance ]].http.middlewares.[[ .oo.instance ]]-headers[[ $c.consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $c.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]", "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ $c.consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $c.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
"[[ $c.traefik.instance ]].http.middlewares.[[ .oo.instance ]]-headers[[ $c.consul.suffix ]].headers.customrequestheaders.X-Forwarded-Proto=https", "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ $c.consul.suffix ]].headers.customrequestheaders.X-Forwarded-Proto=https",
[[- if not (regexp.Match "^/?$" (urlParse .oo.ds.public_url).Path) ]] [[- if not (regexp.Match "^/?$" (urlParse .oo.ds.public_url).Path) ]]
"[[ $c.traefik.instance ]].http.middlewares.[[ .oo.instance ]][[ $c.consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse .oo.ds.public_url).Path ]]", "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]][[ $c.consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse .oo.ds.public_url).Path ]]",
"[[ $c.traefik.instance ]].http.routers.[[ .oo.instance ]][[ $c.consul.suffix ]].middlewares=[[ .oo.instance ]]-headers[[ $c.consul.suffix ]],[[ .oo.instance ]][[ $c.consul.suffix ]]-prefix,[[ template "common/traefik_middlewares.tpl" $c.traefik ]]", "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ $c.consul.suffix ]].middlewares=[[ .instance ]]-headers[[ $c.consul.suffix ]],[[ .instance ]][[ $c.consul.suffix ]]-prefix,[[ template "common/traefik_middlewares" $c.traefik ]]",
[[- else ]] [[- else ]]
"[[ $c.traefik.instance ]].http.routers.[[ .oo.instance ]][[ $c.consul.suffix ]].middlewares=[[ .oo.instance ]]-headers[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares.tpl" $c.traefik ]]", "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ $c.consul.suffix ]].middlewares=[[ .instance ]]-headers[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]]",
[[- end ]] [[- end ]]
[[- end ]] [[- end ]]
] ]
@ -84,18 +68,18 @@ job [[ .oo.instance | toJSON ]] {
} }
vault { vault {
policies = ["[[ .oo.instance ]][[ $c.consul.suffix ]]"] policies = ["[[ .instance ]][[ $c.consul.suffix ]]"]
disable_file = true disable_file = true
env = false env = false
} }
env { env {
NGINX_LISTEN_IP = "127.0.0.1" NGINX_LISTEN_IP = "127.0.0.1"
APPLICATION_NAME = "[[ .oo.instance ]][[ .consul.suffix ]]" APPLICATION_NAME = "[[ .instance ]][[ .consul.suffix ]]"
[[ template "common/proxy_env.tpl" $c ]] [[ template "common/proxy_env" $c ]]
} }
[[ template "common/file_env.tpl" $c.env ]] [[ template "common/file_env" $c.env ]]
template { template {
data =<<_EOT data =<<_EOT
@ -109,11 +93,11 @@ _EOT
destination = "/var/lib/onlyoffice/documentserver/App_Data/" destination = "/var/lib/onlyoffice/documentserver/App_Data/"
} }
[[ template "common/resources.tpl" $c.resources ]] [[ template "common/resources" $c.resources ]]
} }
[[ template "common/task.wait_for.tpl" $c ]] [[ template "common/task.wait_for" $c ]]
task "redis" { task "redis" {
driver = [[ $c.nomad.driver | toJSON ]] driver = [[ $c.nomad.driver | toJSON ]]
@ -168,7 +152,7 @@ _EOT
] ]
} }
[[ template "common/file_env.tpl" $c.env ]] [[ template "common/file_env" $c.env ]]
template { template {
data = <<_EOT data = <<_EOT
@ -185,7 +169,7 @@ _EOT
destination = "/var/lib/rabbitmq" destination = "/var/lib/rabbitmq"
} }
[[ template "common/resources.tpl" $c.resources ]] [[ template "common/resources" $c.resources ]]
} }
} }
} }
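Review bot: `APPLICATION_NAME = "[[ .instance ]][[ .consul.suffix ]]"` in the `env` block reads the suffix from the root context, while `hostname`, the `service` name and the Vault `policies` entry in the same file use `$c.consul.suffix` from `$c := merge .oo.ds .`. If an instance overrides `consul.suffix` under `oo.ds`, the application name would no longer match the registered service and the policy it is granted; `APPLICATION_NAME = "[[ .instance ]][[ $c.consul.suffix ]]"` removes the divergence. Separately, the removed per-volume blocks set `access_mode = "single-node-writer"` and `attachment_mode = "file-system"` for non-host volumes; whether `[[ template "common/volumes" .oo.volumes ]]` reproduces that for the CSI `data` and `rabbitmq` volumes is not visible here and is worth confirming before the shared template replaces the explicit definitions.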


@ -1 +1 @@
[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "onlyoffice" .oo.instance) ]] [[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "onlyoffice" .instance) ]]


@ -4,15 +4,15 @@ set -euo pipefail
# Initialize random passwords if needed # Initialize random passwords if needed
if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .oo.instance ]]$'; then if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
vault kv put [[ .vault.prefix ]]kv/service/[[ .oo.instance ]] \ vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
jwt_token=$(pwgen -s -n 50 1) \ jwt_token=$(pwgen -s -n 50 1) \
storage_secret=$(pwgen -s -n 50 1) storage_secret=$(pwgen -s -n 50 1)
fi fi
for PWD in jwt_token storage_secret; do for PWD in jwt_token storage_secret; do
if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .oo.instance ]] >/dev/null 2>&1; then if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
vault kv patch [[ .vault.prefix ]]kv/service/[[ .oo.instance ]] \ vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
${PWD}=$(pwgen -s -n 50 1) ${PWD}=$(pwgen -s -n 50 1)
fi fi
done done
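Review bot: The loop variable in `for PWD in jwt_token storage_secret; do` shadows the shell's own `PWD` variable, which the shell maintains as the current working directory; it is harmless in this short script but confusing, and a name like `SECRET` avoids any interaction with later `cd`/`pwd` use. Both `vault kv put` and `vault kv patch` receive the generated values as command-line arguments, so they are briefly visible in the process list of the host running the init script; that is a common trade-off for a one-shot bootstrap and deserves a one-line comment, e.g. `# Secrets are passed on the command line: run this only from a trusted operator host`. The existence check `grep -q -E '^[[ .instance ]]$'` treats the instance name as a regular expression; `grep -qxF '[[ .instance ]]'` states the intended exact-line match and does not depend on the name being free of metacharacters.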


@ -1,15 +1,15 @@
--- ---
oo: # Name of this instance. Will control the name of the service and of various default settings (like DB name etc.)
# You must use different instance names if you want to run several copies on the same cluster
instance: onlyoffice
# Name of this instance. Will control the name of the service and of various default settings (like DB name etc.) oo:
# You must use different instance names if you want to run several copies on the same cluster
instance: onlyoffice
# Document Services # Document Services
ds: ds:
# Docker image to use # Docker image to use
image: danielberteaud/onlyoffice-docserver:7.5.1-5 image: '[[ .docker.repo ]]onlyoffice-docserver:7.5.1-5'
# Resource allocation for OnlyOffice itself # Resource allocation for OnlyOffice itself
resources: resources:
@ -21,13 +21,13 @@ oo:
# Additional env vars to set in the container # Additional env vars to set in the container
env: env:
OO_STORAGE_SECRET: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .oo.instance ]]" }}{{ .Data.data.storage_secret }}{{ end }}' OO_STORAGE_SECRET: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.storage_secret }}{{ end }}'
OO_JWT_TOKEN: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .oo.instance ]]" }}{{ .Data.data.jwt_token }}{{ end }}' OO_JWT_TOKEN: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.jwt_token }}{{ end }}'
OO_DB_HOST: 127.0.0.1 OO_DB_HOST: 127.0.0.1
OO_DB_PORT: 5432 OO_DB_PORT: 5432
OO_DB_NAME: '[[ .oo.instance ]]' OO_DB_NAME: '[[ .instance ]]'
OO_DB_USER: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .oo.instance ]]" }}{{ .Data.username }}{{ end }}' OO_DB_USER: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
OO_DB_PASS: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .oo.instance ]]" }}{{ .Data.password }}{{ end }}' OO_DB_PASS: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
# Controls how the service will be exposed with Traefik # Controls how the service will be exposed with Traefik
traefik: traefik:
@ -81,9 +81,9 @@ oo:
# This is for DocumentServer Data # This is for DocumentServer Data
data: data:
type: csi type: csi
source: '[[ .oo.instance ]]-data' source: '[[ .instance ]]-data'
# This is for RabbitMQ # This is for RabbitMQ
rabbitmq: rabbitmq:
type: csi type: csi
source: '[[ .oo.instance ]]-rabbitmq' source: '[[ .instance ]]-rabbitmq'
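Review bot: `image: '[[ .docker.repo ]]onlyoffice-docserver:7.5.1-5'` now takes its registry from `.docker.repo`, but still selects the image by a mutable tag, so the deployment is only as reproducible as whatever registry `.docker.repo` points at. If supply-chain integrity matters for this service, pin the image by digest in addition to the tag (e.g. `image: '[[ .docker.repo ]]onlyoffice-docserver:7.5.1-5@sha256:<digest>'`), or extend the `# Docker image to use` comment to state that `.docker.repo` is expected to be a controlled mirror. The rest of the section is a rename of `.oo.instance` to `.instance` and needs no change.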


@ -1,8 +1,8 @@
path "[[ .vault.prefix ]]kv/data/service/[[ .oo.instance ]]" { path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
capabilities = ["read"] capabilities = ["read"]
} }
path "[[ .vault.prefix ]]database/creds/[[ .oo.instance ]]" { path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
capabilities = ["read"] capabilities = ["read"]
} }