nomad
/
onlyoffice-docserver
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
onlyoffice-docserver/example/onlyoffice-docserver.nomad.hcl

313 lines
7.3 KiB
HCL
Raw Blame History

job "onlyoffice" {
datacenters = ["dc1"]
region = "global"
group "onlyoffice" {
network {
mode = "bridge"
# This can be used to ensure rabbitmq has a stable hostname
# Even if for now, we do not persist rabbitmq data
hostname = "onlyoffice"
}
volume "data" {
source = "onlyoffice-data"
type = "csi"
access_mode = "single-node-writer"
attachment_mode = "file-system"
}
volume "rabbitmq" {
source = "onlyoffice-rabbitmq"
type = "csi"
access_mode = "single-node-writer"
attachment_mode = "file-system"
}
service {
name = "onlyoffice"
port = 8819
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "postgres"
local_bind_port = 5432
# Work arround, see https://github.com/hashicorp/nomad/issues/18538
destination_type = "service"
}
}
}
sidecar_task {
config {
args = [
"-c",
"${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
"-l",
"${meta.connect.log_level}",
"--concurrency",
"${meta.connect.proxy_concurrency}",
"--disable-hot-restart"
]
}
resources {
cpu = 50
memory = 64
}
}
}
check {
name = "health"
type = "http"
path = "/healthcheck"
expose = true
interval = "10s"
timeout = "8s"
check_restart {
limit = 30
grace = "2m"
}
}
tags = [
"traefik.enable=true",
"traefik.http.routers.onlyoffice.entrypoints=https",
"traefik.http.routers.onlyoffice.rule=Host(`oods.example.org`)",
"traefik.http.middlewares.csp-onlyoffice.headers.contentsecuritypolicy=connect-src 'self' https://www.zotero.org https://cdn.jsdelivr.net https://cdn.rawgit.com https://translate.googleapis.com https://code.responsivevoice.org https://onlyoffice.github.io;default-src 'self';font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com;frame-src 'self' https://www.youtube.com https://onlyoffice.github.io;img-src 'self' data: https://*;media-src 'self' https://code.responsivevoice.org;script-src 'self' 'wasm-unsafe-eval' 'unsafe-inline' 'unsafe-eval' blob: https://ajax.googleapis.com https://www.youtube.com/ https://*.cloudfront.net https://cdn.rawgit.com https://code.jquery.com https://translate.googleapis.com https://code.responsivevoice.org https://cdn.jsdelivr.net https://onlyoffice.github.io;style-src 'self' 'unsafe-inline' data: https://fonts.googleapis.com https://translate.googleapis.com https://onlyoffice.github.io;",
"traefik.http.routers.onlyoffice.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-onlyoffice",
]
}
task "docserver" {
driver = "docker"
leader = true
config {
image = "danielberteaud/onlyoffice-docserver:8.0.1-2"
pids_limit = 200
readonly_rootfs = true
volumes = [
"local/:/tmp",
"local/metrics.js:/var/www/onlyoffice/documentserver/server/Metrics/config/config.js:ro"
]
}
vault {
policies = ["onlyoffice"]
env = false
disable_file = true
change_mode = "noop"
}
env {
NGINX_LISTEN_IP = "127.0.0.1"
APPLICATION_NAME = "onlyoffice"
WAIT_FOR_TARGETS = "127.0.0.1:5672"
}
# Use a template block instead of env {} so we can fetch values from vault
template {
data = <<_EOT
LANG=fr_FR.utf8
OO_JWT_TOKEN={{ with secret "kv/service/onlyoffice" }}{{ .Data.data.jwt_token }}{{ end }}
OO_STORAGE_SECRET={{ with secret "kv/service/onlyoffice" }}{{ .Data.data.storage_secret }}{{ end }}
TZ=Europe/Paris
_EOT
destination = "secrets/.env"
perms = 400
env = true
}
# Database settings
template {
data = <<_EOT
OO_DB_NAME='onlyoffice'
OO_DB_HOST=127.0.0.1
OO_DB_PORT=5432
OO_DB_USER={{ with secret "database/creds/onlyoffice" }}{{ .Data.username }}{{ end }}
OO_DB_PASS={{ with secret "database/creds/onlyoffice" }}{{ .Data.password }}{{ end }}
_EOT
destination = "secrets/.db.env"
uid = 100000
gid = 100000
perms = 400
env = true
}
template {
data = <<_EOT
{
port: 8125,
address: "127.0.0.1",
mgmt_address: "127.0.0.1",
mgmt_port: 8126,
flushInterval: 600000,
backends: [ "./backends/console" ]
}
_EOT
destination = "local/metrics.js"
}
volume_mount {
volume = "data"
destination = "/var/lib/onlyoffice/documentserver/App_Data/"
}
resources {
cpu = 300
memory = 512
}
}
# wait for required services tp be ready before starting the main task
task "wait-for" {
driver = "docker"
user = 1053
config {
image = "danielberteaud/wait-for:24.3-1"
readonly_rootfs = true
pids_limit = 20
}
lifecycle {
hook = "prestart"
}
env {
SERVICE_0 = "master.postgres.service.consul"
}
resources {
cpu = 10
memory = 10
memory_max = 30
}
}
# Local redis instance
task "redis" {
driver = "docker"
user = 6379
lifecycle {
hook = "prestart"
sidecar = true
}
config {
image = "redis:alpine"
readonly_rootfs = true
force_pull = true
args = ["/local/redis.conf"]
}
template {
data = <<_EOT
bind 127.0.0.1
maxmemory {{ env "NOMAD_MEMORY_LIMIT" | parseInt | subtract 5 }}mb
databases 1
save ""
appendonly no
_EOT
destination = "local/redis.conf"
}
resources {
cpu = 300
memory = 512
}
}
task "rabbitmq" {
driver = "docker"
#user = 100
lifecycle {
hook = "prestart"
sidecar = true
}
config {
image = "rabbitmq:alpine"
pids_limit = 100
readonly_rootfs = true
volumes = [
"local/rabbitmq.conf:/etc/rabbitmq/conf.d/30-oods.conf"
]
}
# Use a template block instead of env {} so we can fetch values from vault
template {
data = <<_EOT
LANG=fr_FR.utf8
TZ=Europe/Paris
_EOT
destination = "secrets/.env"
perms = 400
env = true
}
template {
data = <<_EOT
listeners.tcp.1 = 127.0.0.1:5672
# Set watermark to 95% of the mem allocated to the container
#vm_memory_high_watermark.absolute = 155398932
vm_memory_high_watermark.relative = 0.999
_EOT
destination = "local/rabbitmq.conf"
}
volume_mount {
volume = "rabbitmq"
destination = "/var/lib/rabbitmq"
}
resources {
cpu = 200
memory = 156
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink