diff --git a/README.md b/README.md
index 57e5c19..a107f16 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,17 @@
+>Between November 2020 and January 2021, I served the remainder of my mandatory national duty as a civil servant, employed by the Kantonsspital St. Gallen (KSSG) at the department of infectious diseases and hospital epidemiology.
+>One of the two teams responsible for developing and operating the IT services tasked me to work on a proof of concept for replacing Heroku as the hosting platform with a single virtual machine and an open source infrastructure stack, to serve the web application https://guidelines.ch based on Golang, Express.js, PostgreSQL and Elasticsearch.
+>As non-functional requirements, the IT team predetermined that all infrastructure must be provisioned as code and that NixOS must be used as the operating system, while running on Hetzner Cloud.
+>
+>The primary challenge has been to replace the functionalities built into Heroku, such as
+>- Heroku Platform API for deployments -> Instead of manually deploying or polling Docker registry tags for their latest changes, the IT wanted to keep the existing deployment pipelines in Gitlab to schedule replacements of Docker containers via an API call (see `deploymentagent/`)
+>- Automated certificates for HTTP/TLS -> At the time, Hetzner Cloud load balancers had no built-in support for Let's Encrypt and Certbot had no support or plugin for Hetzner Cloud either. Instead of trying to write a plugin, a simple wrapper around Certbot has been created (see `infrastructure/modules/compute/certbot.sh`)
+>- Secrets management -> Introduction of Hashicorp Vault
+>
+>I appreciated a lot that I was given time to dig into Go and NixOS, as I had used neither technology before.
+>In retrospect and based on the impression I had at the end of my service, I don't think that replacing Heroku in this way would be worth it.
+>From a software lifecycle perspective, the web application https://guidelines.ch had already entered the maintenance stage and Heroku did prove itself as a reliable service.
+>The only gripe the IT team had with Heroku was the high cost, which in case of self managing a solution based on NixOS simply would have been transferred to the operations side of things.
+---
 # Hetzner Cloud Environment
 ## Project Structure
 ```
diff --git a/config.json b/config.json
index b96536c..b9d9611 100644
--- a/config.json
+++ b/config.json
@@ -1,6 +1,8 @@
 {
 "terraform_packer_environment": "production",
- "nixos_snapshot_id": "27588749",
- "domain_name_production": "test.guidelines.ch",
- "domain_alternative_names_production": "*.glv5.guidelines.ch *.test-glv5.guidelines.ch *.test.guidelines.ch"
+ "nixos_snapshot_id": "12345678",
+ "domain_name_production": "guidelines.ch",
+ "domain_alternative_names_production": "www.guidelines.ch glv5.guidelines.ch *.glv5.guidelines.ch",
+ "domain_name_test": "test.poc.guidelines.ch",
+ "domain_alternative_names_test": "*.test.poc.guidelines.ch"
 }
diff --git a/deploymentagent/src/deploymentagent/server.go b/deploymentagent/src/deploymentagent/server.go
index d47a970..c404f0e 100644
--- a/deploymentagent/src/deploymentagent/server.go
+++ b/deploymentagent/src/deploymentagent/server.go
@@ -34,7 +34,6 @@ func init() { inputQueue = new(DeploymentQueue) processQueue = new(DeploymentQueue) - } type DeploymentAgentServer struct {
diff --git a/infrastructure/modules/compute/nix/#elasticsearch.nix# b/infrastructure/modules/compute/nix/#elasticsearch.nix#
deleted file mode 100644
index c52bd67..0000000
--- a/infrastructure/modules/compute/nix/#elasticsearch.nix#
+++ /dev/null
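Review bot: The new value `"nixos_snapshot_id": "12345678"` in the config.json hunk looks like a placeholder rather than the id of a snapshot actually built by Packer, yet `"terraform_packer_environment"` on the line above still says `"production"`. If it is a placeholder, a production apply will either fail or provision whatever image that id happens to resolve to, so it should be confirmed against the real snapshot before this is merged. Since the file now carries both the production and the test domain lists side by side, consider documenting in the README which key set each environment reads, so the two cannot be swapped silently.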
@@ -1,29 +0,0 @@
-{ pkgs, ... }:
-{
- nixpkgs.config.allowUnfree = true;
- services.elasticsearch.enable = true;
- services.elasticsearch.package = pkgs.elasticsearch7;
- services.elasticsearch.dataDir = "/mnt/data/elasticsearch";
- services.elasticsearch.listenAddress = "10.0.1.51";
- services.elasticsearch.extraConf = ''
- discovery.type: single-node
- xpack.security.enabled: true
- '';
-
- services.kibana.enable = true;
- services.kibana.package = pkgs.kibana7;
- services.kibana.dataDir = "/mnt/data/kibana";
- services.kibana.listenAddress = "10.0.1.51";
- services.kibana.elasticsearch.hosts = [ "http://10.0.1.51:9200" ];
- services.kibana.elasticsearch.username = "kibana";
- services.kibana.elasticsearch.password = (builtins.readFile /mnt/data/kibana-elasticsearch-password);
-
- system.activationScripts = {
- mnt = {
- text = "mkdir -p /mnt/data/{elasticsearch,kibana} && chown -R elasticsearch:elasticsearch /mnt/data/elasticsearch && chown -R kibana:root /mnt/data/kibana";
- deps = [];
- };
- };
-
- networking.firewall.allowedTCPPorts = [ 9200 9300 5601 ];
-}
diff --git a/infrastructure/modules/compute/nix/.#elasticsearch.nix b/infrastructure/modules/compute/nix/.#elasticsearch.nix
deleted file mode 120000
index 330c640..0000000
--- a/infrastructure/modules/compute/nix/.#elasticsearch.nix
+++ /dev/null
@@ -1 +0,0 @@
-marco@furiosa.local.77847
\ No newline at end of file