Small adjustments

onlyoffice-docserver.nomad.hcl

@@ -41,7 +41,7 @@ job [[ .oo.instance | toJSON ]] {
         timeout  = "8s"
 
         check_restart {
-          limit = 90
+          limit = 30
           grace = "2m"
         }
       }
@@ -74,10 +74,9 @@ job [[ .oo.instance | toJSON ]] {
         pids_limit      = 200
         readonly_rootfs = true
         volumes         = [
+          "local/:/tmp",
           "local/metrics.js:/var/www/onlyoffice/documentserver/server/Metrics/config/config.js:ro"
         ]
-[[ template "common/tmpfs.tpl" dict "target" "/tmp" "size" 3000000 ]]
-
       }
 
       vault {

variables.yml

@@ -1,14 +1,25 @@
 ---
 
 oo:
+
+  # Name of this instance. Will control the name of the service and of various default settings (like DB name etc.)
+  # You must use different instance names if you want to run several copies on the same cluster
   instance: onlyoffice
 
+  # Document Services
   ds:
+    # Docker image to use
     image: danielberteaud/onlyoffice-docserver:latest
+
+    # Resource allocation for OnlyOffice itself
     resources:
       cpu: 200
       memory: 512
+
+    # The URL where OnlyOffice is available
     public_url: https://oods.example.org
+
+    # Additional env vars to set in the container
     env:
       OO_STORAGE_SECRET: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .oo.instance ]]" }}{{ .Data.data.storage_secret }}{{ end }}'
       OO_JWT_TOKEN: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .oo.instance ]]" }}{{ .Data.data.jwt_token }}{{ end }}'
@@ -17,42 +28,62 @@ oo:
       OO_DB_NAME: '[[ .oo.instance ]]'
       OO_DB_USER: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .oo.instance ]]" }}{{ .Data.username }}{{ end }}'
       OO_DB_PASS: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .oo.instance ]]" }}{{ .Data.password }}{{ end }}'
+
+    # Controls how the service will be exposed with Traefik
     traefik:
       enabled: true
+
+      # OnlyOffice needs some specific CSP rules
       csp:
         default-src: "'self'"
         img-src: "'self' data: https://*"
-        script-src: "'self' 'wasm-unsafe-eval' 'unsafe-inline' 'unsafe-eval' blob: https://ajax.googleapis.com https://www.youtube.com/ https://*.cloudfront.net https://cdn.rawgit.com https://code.jquery.com https://translate.googleapis.com https://code.responsivevoice.org https://cdn.jsdelivr.net"
-        style-src: "'self' 'unsafe-inline' data: https://fonts.googleapis.com https://translate.googleapis.com"
+        script-src: "'self' 'wasm-unsafe-eval' 'unsafe-inline' 'unsafe-eval' blob: https://ajax.googleapis.com https://www.youtube.com/ https://*.cloudfront.net https://cdn.rawgit.com https://code.jquery.com https://translate.googleapis.com https://code.responsivevoice.org https://cdn.jsdelivr.net https://onlyoffice.github.io"
+        style-src: "'self' 'unsafe-inline' data: https://fonts.googleapis.com https://translate.googleapis.com https://onlyoffice.github.io"
         font-src: "'self' data: https://fonts.googleapis.com https://fonts.gstatic.com"
         connect-src: "'self' https://www.zotero.org https://cdn.jsdelivr.net https://cdn.rawgit.com https://translate.googleapis.com https://code.responsivevoice.org https://onlyoffice.github.io"
         media-src: "'self' https://code.responsivevoice.org"
         frame-src: "'self' https://www.youtube.com https://onlyoffice.github.io"
+
+      # Override base_middlewares to remove csp-relaxed@file
       base_middlewares:
-        - rate-limit-std@file
-        - inflight-std@file
+        - rate-limit-high@file
+        - inflight-high@file
         - security-headers@file
         - hsts@file
         - compression@file
+
+    # Wait for the database server to be ready before starting
     wait_for:
       - service: 'master.postgres[[ .consul.suffix ]]'
+
+    # Connect to the database server with the mesh
     consul:
       connect:
         upstreams:
           - destination_name: 'postgres[[ .consul.suffix ]]'
             local_bind_port: 5432
 
+  # Rabbitmq service
   rabbitmq:
+    # Docker image to use
     image: rabbitmq:alpine
+
+    # Additional env vars to set in the container
     env: {}
+
+    # Resource allocation
     resources:
       cpu: 80
       memory: 156
 
+  # Volume used
   volumes:
+    # This is for DocumentServer Data
     data:
       type: csi
       source: '[[ .oo.instance ]]-data'
+
+    # This is for RabbitMQ
     rabbitmq:
       type: csi
       source: '[[ .oo.instance ]]-rabbitmq'