marco
/
zivildienst
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add notice to README, cleanup

poc-integration
Marco Streich 2022-11-18 12:46:04 +01:00
parent 3b2652a3df
commit 1ddcddf097
5 changed files with 19 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
README.md
View File

@ -1,3 +1,17 @@
>Between November 2020 and January 2021, I served the remainder of my mandatory national duty as a civil servant, employed by the Kantonsspital St. Gallen (KSSG) at the department of infectious diseases and hospital epidemiology.
>One of the two teams responsible for developing and operating the IT services tasked me to work on a proof of concept for replacing Heroku as the hosting platform with a single virtual machine and an open source infrastructure stack, to serve the web application https://guidelines.ch based on Golang, Express.js, PostgreSQL and Elasticsearch.
>As non-functional requirements, the IT team predetermined that all infrastructure must be provisioned as code and that NixOS must be used as the operating system, while running on Hetzner Cloud.
>
>The primary challenge has been to replace the functionalities built into Heroku, such as
>- Heroku Platform API for deployments -> Instead of manually deploying or polling Docker registry tags for their latest changes, the IT wanted to keep the existing deployment pipelines in Gitlab to schedule replacements of Docker containers via an API call (see `deploymentagent/`)
>- Automated certificates for HTTP/TLS -> At the time, Hetzner Cloud load balancers had no built-in support for Let's Encrypt and Certbot had no support or plugin for Hetzner Cloud either. Instead of trying to write a plugin, a simple wrapper around Certbot has been created (see `infrastructure/modules/compute/certbot.sh`)
>- Secrets management -> Introduction of Hashicorp Vault
>
>I appreciated a lot that I was given time to dig into Go and NixOS, as I had used neither technology before.
>In retrospect and based on the impression I had at the end of my service, I don't think that replacing Heroku in this way would be worth it.
>From a software lifecycle perspective, the web application https://guidelines.ch had already entered the maintenance stage and Heroku did prove itself as a reliable service.
>The only gripe the IT team had with Heroku was the high cost, which in case of self managing a solution based on NixOS simply would have been transferred to the operations side of things.
---
# Hetzner Cloud Environment
## Project Structure
```

8
config.json
View File

@ -1,6 +1,8 @@
{
"terraform_packer_environment": "production",
"nixos_snapshot_id": "27588749",
"domain_name_production": "test.guidelines.ch",
"domain_alternative_names_production": "*.glv5.guidelines.ch *.test-glv5.guidelines.ch *.test.guidelines.ch"
"nixos_snapshot_id": "12345678",
"domain_name_production": "guidelines.ch",
"domain_alternative_names_production": "www.guidelines.ch glv5.guidelines.ch *.glv5.guidelines.ch",
"domain_name_test": "test.poc.guidelines.ch",
"domain_alternative_names_test": "*.test.poc.guidelines.ch"
}

1
deploymentagent/src/deploymentagent/server.go
View File

@ -34,7 +34,6 @@ func init() {
inputQueue = new(DeploymentQueue)
processQueue = new(DeploymentQueue)
}
type DeploymentAgentServer struct {

29
infrastructure/modules/compute/nix/#elasticsearch.nix#
View File

@ -1,29 +0,0 @@
{ pkgs, ... }:
{
nixpkgs.config.allowUnfree = true;
services.elasticsearch.enable = true;
services.elasticsearch.package = pkgs.elasticsearch7;
services.elasticsearch.dataDir = "/mnt/data/elasticsearch";
services.elasticsearch.listenAddress = "10.0.1.51";
services.elasticsearch.extraConf = ''
discovery.type: single-node
xpack.security.enabled: true
'';
services.kibana.enable = true;
services.kibana.package = pkgs.kibana7;
services.kibana.dataDir = "/mnt/data/kibana";
services.kibana.listenAddress = "10.0.1.51";
services.kibana.elasticsearch.hosts = [ "http://10.0.1.51:9200" ];
services.kibana.elasticsearch.username = "kibana";
services.kibana.elasticsearch.password = (builtins.readFile /mnt/data/kibana-elasticsearch-password);
system.activationScripts = {
mnt = {
text = "mkdir -p /mnt/data/{elasticsearch,kibana} && chown -R elasticsearch:elasticsearch /mnt/data/elasticsearch && chown -R kibana:root /mnt/data/kibana";
deps = [];
};
};
networking.firewall.allowedTCPPorts = [ 9200 9300 5601 ];
}

1
infrastructure/modules/compute/nix/.#elasticsearch.nix
View File

@ -1 +0,0 @@
marco@furiosa.local.77847