Rename to repo and allow custom job name

2023-09-03 21:55:34 +02:00 · 2023-09-03 21:55:34 +02:00 · a4c1a8dd13
parent 211c5d74ec
commit a4c1a8dd13
11 changed files with 38 additions and 23 deletions
--- a/README.md
+++ b/README.md
@ -5,7 +5,7 @@ This job is made to expose an RPMS (or anything else) repository. It's composed

 To use it, you just need to push the SSH public keys (comma separated) to access the SSH service on vault
 ```
-vault kv put kv/service/rpms-repo ssh_keys="ssh-rsa AAAA.....,ssh-rsa AAAAA"
+vault kv put kv/service/repo ssh_keys="ssh-rsa AAAA.....,ssh-rsa AAAAA"
 ```

 Then just adjust variables.yml to your need
--- a/consul/config/service-intentions/repo-rsync.hcl
+++ b/consul/config/service-intentions/repo-rsync.hcl
@ -0,0 +1,8 @@
+Kind = "service-intentions"
+Name = "repo-rsync[[ .env.suffix ]]"
+Sources = [
+  {
+    Name = [[ .traefik.instance | toJSON ]]
+    Action = "allow"
+  }
+]
--- a/deps/common
+++ b/deps/common
@ -1 +1 @@
-Subproject commit 8cfe263f274b066e8021e5f821ef6fd465f645f9
+Subproject commit a1738a81645748892a34d990c6df07cd1b4815ad
--- a/prep.d/mv_conf.sh
+++ b/prep.d/mv_conf.sh
@ -0,0 +1 @@
+[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "repo-web" printf "%s%s" .repo.job_name "-web" "repo-rsync" .repo.job_name "-rsync" ]]
--- a/rpms-repo.nomad.hcl
+++ b/rpms-repo.nomad.hcl
@ -1,4 +1,4 @@
-job "rpms-repo" {
+job [[ .repo.job_name | toJSON ]]{

 [[- template "common/job_start.tpl" . ]]

@ -11,8 +11,8 @@ job "rpms-repo" {
    }

    volume "repo" {
-      type            = [[ .repo.volumes.rpms.type | toJSON ]]
-      source          = [[ .repo.volumes.rpms.source | toJSON ]]
+      type            = [[ .repo.volumes.repo.type | toJSON ]]
+      source          = [[ .repo.volumes.repo.source | toJSON ]]
      attachment_mode = "file-system"
      access_mode     = "multi-node-single-writer"
      read_only       = true
@ -50,7 +50,7 @@ job "rpms-repo" {

      template {
        data        = <<_EOF
-[[ template "rpms-repo/nginx.conf.tpl" ]]
+[[ template "repo/nginx.conf.tpl" ]]
 _EOF
        destination = "local/nginx.conf"
      }
@ -61,7 +61,7 @@ _EOF
        read_only   = true
      }

-      [[ template "common/resources.tpl" .repo.nginx.resources ]]
+[[ template "common/resources.tpl" .repo.nginx.resources ]]
    }
  }

@ -73,8 +73,8 @@ _EOF
    }

    volume "repo" {
-      type            = [[ .repo.volumes.rpms.type | toJSON ]]
-      source          = [[ .repo.volumes.rpms.source | toJSON ]]
+      type            = [[ .repo.volumes.repo.type | toJSON ]]
+      source          = [[ .repo.volumes.repo.source | toJSON ]]
      attachment_mode = "file-system"
      access_mode     = "multi-node-single-writer"
    }
@ -115,14 +115,14 @@ _EOF
      }

      vault {
-        policies     = ["rpms-repo[[ .env.suffix ]]"]
+        policies     = ["repo[[ .env.suffix ]]"]
        env          = false
        disable_file = true
      }

      template {
        data        = <<-_EOF
-          {{ with secret "[[ .vault.prefix ]]kv/service/rpms-repo" }}
+          {{ with secret "[[ .vault.prefix ]]kv/service/repo" }}
          {{- range $idx, $key := .Data.data.ssh_keys | split "," -}}
          SSH_AUTH_KEY_{{ $idx }}={{ $key }}
          {{ end }}{{ end }}
@ -141,7 +141,7 @@ _EOF
        destination = "/config"
      }

-      [[ template "common/resources.tpl" .repo.rsync.resources ]]
+[[ template "common/resources.tpl" .repo.rsync.resources ]]
    }
  }
 }
--- a/templates/nginx.conf.tpl
+++ b/templates/nginx.conf.tpl
@ -3,6 +3,9 @@ server {
  listen 127.0.0.1:8080;
  server_name _;
  server_tokens off;
+  set_real_ip_from 127.0.0.1;
+  real_ip_header X-Forwarded-For;
+  real_ip_recursive on;
  root /data/repo;
  autoindex on;
  autoindex_localtime on;
--- a/variables.yml
+++ b/variables.yml
@ -1,6 +1,9 @@
 ---

 repo:
+  # Name of the Noamd job
+  job_name: repo
+
  nginx:
    # Image to use
    image: nginxinc/nginx-unprivileged:alpine
@ -14,7 +17,7 @@ repo:
      memory: 40

    # Public URL of the repo
-    public_url: https://rpms.example.org
+    public_url: https://repo.example.org

    # Driver to use for the task (docker or podman)
    driver: docker
@ -53,11 +56,11 @@ repo:
  # Volumes used
  volumes:
    # This on holds the repo itself
-    rpms:
+    repo:
      type: csi
-      source: rpms-repo
+      source: repo

    # This one is a very small volume, just to persist SSH host keys
    ssh:
      type: csi
-      source: rpms-ssh
+      source: repo-ssh
--- a/vault/policies/repo.hcl
+++ b/vault/policies/repo.hcl
@ -0,0 +1,3 @@
+path "[[ .vault.prefix ]]kv/data/service/repo" {
+  capabilities = ["read"]
+}
--- a/vault/policies/rpms-repo.hcl
+++ b/vault/policies/rpms-repo.hcl
@ -1,3 +0,0 @@
-path "[[ .vault.prefix ]]kv/data/service/rpms-repo" {
-  capabilities = ["read"]
-}
--- a/volumes/nfs-repo-ssh.hcl
+++ b/volumes/nfs-repo-ssh.hcl
@ -1,5 +1,5 @@
-id           = "rpms-ssh"
-name         = "rpms-ssh[[ .env.suffix ]]"
+id           = "repo-ssh"
+name         = "repo-ssh[[ .env.suffix ]]"
 type         = "csi"
 plugin_id    = "org.democratic-csi.nfs"
 min_capacity = "1M"
--- a/volumes/nfs-rpms-repo.hcl
+++ b/volumes/nfs-rpms-repo.hcl
@ -1,5 +1,5 @@
-id           = "rpms-repo"
-name         = "rpms-repo[[ .env.suffix ]]"
+id           = "repo"
+name         = "repo[[ .env.suffix ]]"
 type         = "csi"
 plugin_id    = "org.democratic-csi.nfs"
 min_capacity = "15G"
				`@ -0,0 +1 @@`
				`[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "repo-web" printf "%s%s" .repo.job_name "-web" "repo-rsync" .repo.job_name "-rsync" ]]`