Merge branch 'trigger-nixos-rebuild-from-deploymentagent' into poc-integration
commit
dfd7567445
12
README.md
12
README.md
|
@ -71,7 +71,6 @@ id\_rsa\_operator_pub is baked into the image generated by Packer (see `nixos/ni
|
||||||
|
|
||||||
### NixOS
|
### NixOS
|
||||||
#### Building NixOS Images (Snapshots) with Packer
|
#### Building NixOS Images (Snapshots) with Packer
|
||||||
The `nixos` target in the `Makefile` wraps around the execution of Packer to build a NixOS image from the default Ubuntu 20.04 image provider by Hetzner Cloud.
|
|
||||||
The `nixos` target in the `Makefile` wraps around the execution of Packer to build a NixOS image from the default Ubuntu 20.04 image provided by Hetzner Cloud.
|
The `nixos` target in the `Makefile` wraps around the execution of Packer to build a NixOS image from the default Ubuntu 20.04 image provided by Hetzner Cloud.
|
||||||
Two arguments may be supplied, `VERSION=` to specify the desired NixOS release (see [NixOS Release Notes](https://nixos.org/manual/nixos/stable/release-notes.html)) and `BUILD=` with which you can track versions of the images that have been created.
|
Two arguments may be supplied, `VERSION=` to specify the desired NixOS release (see [NixOS Release Notes](https://nixos.org/manual/nixos/stable/release-notes.html)) and `BUILD=` with which you can track versions of the images that have been created.
|
||||||
|
|
||||||
|
@ -159,12 +158,13 @@ $ make infra-destroy MODULE=compute
|
||||||
The following sections assume the environment to be called 'production'.
|
The following sections assume the environment to be called 'production'.
|
||||||
|
|
||||||
#### Configure Environment in `config.json` and `secrets.json`
|
#### Configure Environment in `config.json` and `secrets.json`
|
||||||
Set the environment name and desired NixOS image/snapshot ID in `config.json`:
|
|
||||||
Set the environment name, domain names and desired NixOS image/snapshot ID in `config.json`:
|
Set the environment name, domain names and desired NixOS image/snapshot ID in `config.json`:
|
||||||
```json
|
```json
|
||||||
{
|
{
|
||||||
"terraform_packer_environment": "production"
|
"terraform_packer_environment": "production",
|
||||||
tbd
|
"nixos_snapshot_id": "1234567",
|
||||||
|
"domain_name_production": "guidelines.ch",
|
||||||
|
"domain_alternative_names_production": "*.guidelines.ch"
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
Use your personal Gitlab deployment- and Hetzner Cloud tokens.
|
Use your personal Gitlab deployment- and Hetzner Cloud tokens.
|
||||||
|
@ -178,7 +178,7 @@ Use your personal Gitlab deployment- and Hetzner Cloud tokens.
|
||||||
"gitlab_deploy_token_password": "",
|
"gitlab_deploy_token_password": "",
|
||||||
"aws_access_key_id": "",
|
"aws_access_key_id": "",
|
||||||
"aws_secret_access_key": "",
|
"aws_secret_access_key": "",
|
||||||
"kibana_elasticsearch_password_production": "",
|
"elasticsearch_password_production": "",
|
||||||
"hcloud_token_production": "",
|
"hcloud_token_production": "",
|
||||||
"vault_db_password_production": ""
|
"vault_db_password_production": ""
|
||||||
}
|
}
|
||||||
|
@ -263,7 +263,7 @@ If this file exists and contains a valid master key, Vault will be unsealed auto
|
||||||
|
|
||||||
#### Configuring Elasticsearch
|
#### Configuring Elasticsearch
|
||||||
Kibana can be accessed on port 8443 via any hostname behind the load balancer [https://guidelines.ch:8443/](https://guidelines.ch:9443/).
|
Kibana can be accessed on port 8443 via any hostname behind the load balancer [https://guidelines.ch:8443/](https://guidelines.ch:9443/).
|
||||||
Sign in with the user 'elastic' and password 'changeme' and go change the password in 'Management' -> 'Security' -> 'Users'.
|
The password is derieved from the `elasticsearch_password_<env>` key in `secrets.json`
|
||||||
|
|
||||||
#### Configuring Guidelines
|
#### Configuring Guidelines
|
||||||
```
|
```
|
||||||
|
|
|
@ -42,7 +42,6 @@ update_load_balancer() {
|
||||||
case "$1" in
|
case "$1" in
|
||||||
*[0-9]*)
|
*[0-9]*)
|
||||||
_proto=https
|
_proto=https
|
||||||
_redirect_http="true"
|
|
||||||
_certs="[$1]"
|
_certs="[$1]"
|
||||||
;;
|
;;
|
||||||
"")
|
"")
|
||||||
|
@ -58,6 +57,14 @@ update_load_balancer() {
|
||||||
esac
|
esac
|
||||||
|
|
||||||
for sp in $service_ports; do
|
for sp in $service_ports; do
|
||||||
|
case "$sp" in
|
||||||
|
"443")
|
||||||
|
_redirect_http="true"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
_redirect_http="false"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
error=$($curl -s -XPOST -H "Authorization: Bearer $API_TOKEN" -H "Content-Type: application/json" -d "{\"listen_port\": $sp, \"protocol\": \"$_proto\", \"http\":{\"redirect_http\": $_redirect_http, \"certificates\": $_certs}}" "https://api.hetzner.cloud/v1/load_balancers/$lb_id/actions/update_service" | $jq -r '.error')
|
error=$($curl -s -XPOST -H "Authorization: Bearer $API_TOKEN" -H "Content-Type: application/json" -d "{\"listen_port\": $sp, \"protocol\": \"$_proto\", \"http\":{\"redirect_http\": $_redirect_http, \"certificates\": $_certs}}" "https://api.hetzner.cloud/v1/load_balancers/$lb_id/actions/update_service" | $jq -r '.error')
|
||||||
case "$(printf "%s" "$error" | $jq -r '.code')" in
|
case "$(printf "%s" "$error" | $jq -r '.code')" in
|
||||||
"null")
|
"null")
|
||||||
|
|
|
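Review bot: `_redirect_http` is now chosen by the listen port alone, so a service on port 443 is sent `"redirect_http": true` even when `$_proto` is not `https`; whether that combination can occur depends on what the `""` branch sets, which the hunk does not show, and it is likely to be rejected by the API, so the new `"443")` arm should also look at the protocol, e.g. `"443") if [ "$_proto" = "https" ]; then _redirect_http="true"; else _redirect_http="false"; fi ;;`. The body of update_load_balancer begins before this hunk. The request line that follows still splices `$sp`, `$_redirect_http` and `$_certs` unquoted into hand-built JSON; that is pre-existing, but building the payload with `$jq -n --arg`/`--argjson` would remove the quoting risk.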
@ -48,6 +48,28 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
oci-containers.containers."deploymentagent" = {
|
||||||
|
image = "registry.gitlab.com/infektweb/glv5/hetzner-cloud-environment/deploymentagent:poc-integration";
|
||||||
|
ports = [
|
||||||
|
"5000:5000"
|
||||||
|
];
|
||||||
|
extraOptions = [
|
||||||
|
"--add-host=host:10.0.1.51"
|
||||||
|
];
|
||||||
|
environment = {
|
||||||
|
"VAULT_SECRET_PATH" = "kv/data/guidelines/${(builtins.readFile /opt/cloud-init-misc-data/environment)}/deploymentagent";
|
||||||
|
"VAULT_URL" = "http://host:8200";
|
||||||
|
"NIXOS_REBUILD_SOCKET_URL" = "host:4444";
|
||||||
|
"DEPLOYMENT_STATE_FILE" = "/guidelines.json";
|
||||||
|
};
|
||||||
|
volumes = [
|
||||||
|
"/mnt/data/vault-deploymentagent-api-token:/vault-token"
|
||||||
|
"/run/podman-containers.sock:/tmp/podman/podman.sock"
|
||||||
|
"/mnt/data/guidelines.json:/guidelines.json"
|
||||||
|
];
|
||||||
|
#extraDockerOptions = [ "--network=foo" ];
|
||||||
|
};
|
||||||
|
|
||||||
#oci-containers.containers."containerapi" = {
|
#oci-containers.containers."containerapi" = {
|
||||||
# image = "alpine";
|
# image = "alpine";
|
||||||
# volumes = [
|
# volumes = [
|
||||||
|
@ -69,5 +91,6 @@ in
|
||||||
|
|
||||||
services.redis.enable = true;
|
services.redis.enable = true;
|
||||||
services.redis.requirePass = "p15c4e6538de2061edd65a52ab216ba071d78b1532a937c1c3d5821d5c571c0cf";
|
services.redis.requirePass = "p15c4e6538de2061edd65a52ab216ba071d78b1532a937c1c3d5821d5c571c0cf";
|
||||||
networking.firewall.allowedTCPPorts = [ 6379 ];
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ 6379 5000 4444 ];
|
||||||
}
|
}
|
||||||
|
|
|
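Review bot: The new container is published as `"5000:5000"` and the rewritten firewall line opens 5000 and 4444 on every interface, while the same commit binds Vault and the rebuild socket to 10.0.1.51 only, so the deploymentagent (and, as far as the firewall is concerned, the rebuild trigger) stays reachable from any network the host is attached to. Binding the mapping to the private address, `"10.0.1.51:5000:5000"`, and scoping the rule with `networking.firewall.interfaces.<iface>.allowedTCPPorts` would match the intent of the rest of the change. The volume `"/run/podman-containers.sock:/tmp/podman/podman.sock"` hands the container control of the host's container runtime, which is effectively root on the host; a comment stating why the agent needs it and what limits who can reach port 5000 would help the next reader. `builtins.readFile /opt/cloud-init-misc-data/environment` keeps a trailing newline if the file has one, which would end up inside `VAULT_SECRET_PATH`; worth confirming how that file is written. The `services.redis.requirePass` literal in the context lines is pre-existing, but it is a committed credential and should be rotated and loaded at runtime like the Vault token.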
@ -2,7 +2,7 @@
|
||||||
{
|
{
|
||||||
services.vault.enable = true;
|
services.vault.enable = true;
|
||||||
services.vault.package = pkgs.vault-bin;
|
services.vault.package = pkgs.vault-bin;
|
||||||
services.vault.address = "0.0.0.0:8200";
|
services.vault.address = "10.0.1.51:8200";
|
||||||
services.vault.storageBackend = "postgresql";
|
services.vault.storageBackend = "postgresql";
|
||||||
services.vault.storageConfig = "
|
services.vault.storageConfig = "
|
||||||
connection_url = \"postgres://vault:" + (builtins.readFile /opt/cloud-init-misc-data/vault_db_password) + "@localhost:5432/vault?sslmode=disable\"
|
connection_url = \"postgres://vault:" + (builtins.readFile /opt/cloud-init-misc-data/vault_db_password) + "@localhost:5432/vault?sslmode=disable\"
|
||||||
|
|
|
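Review bot: The address `10.0.1.51` is now written literally here, in the `--add-host=host:10.0.1.51` option of the container hunk and in the `listenStreams` entry of the systemd socket hunk, so a change of the private IP has to be repeated in three places that must stay in agreement. Reading it once (a shared `let` binding, or a file under `/opt/cloud-init-misc-data` in the same way `vault_db_password` is read on the context line below) would keep the three bindings consistent. That context line also interpolates the database password into the Nix expression; if the module writes its config into the Nix store, the secret becomes world-readable on the host — pre-existing, but worth a comment or a runtime-loaded config.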
@ -35,7 +35,7 @@ resource "hcloud_load_balancer_service" "guidelines-http-to-https-with-terminati
|
||||||
// TODO: Add health check
|
// TODO: Add health check
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "hcloud_load_balancer_service" "guidelines-kibana-http-to-https-with-termination" {
|
resource "hcloud_load_balancer_service" "guidelines-kibana-https-with-termination" {
|
||||||
load_balancer_id = hcloud_load_balancer.guidelines.id
|
load_balancer_id = hcloud_load_balancer.guidelines.id
|
||||||
protocol = "http"
|
protocol = "http"
|
||||||
listen_port = 8443
|
listen_port = 8443
|
||||||
|
@ -49,16 +49,28 @@ resource "hcloud_load_balancer_service" "guidelines-kibana-http-to-https-with-te
|
||||||
// TODO: Add health check
|
// TODO: Add health check
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "hcloud_load_balancer_service" "vault-http-to-https-with-termination" {
|
resource "hcloud_load_balancer_service" "guidelines-deploymentagent-https-with-termination" {
|
||||||
load_balancer_id = hcloud_load_balancer.guidelines.id
|
load_balancer_id = hcloud_load_balancer.guidelines.id
|
||||||
protocol = "http"
|
protocol = "http"
|
||||||
listen_port = 9443
|
listen_port = 9443
|
||||||
destination_port = 8200
|
destination_port = 5000
|
||||||
|
|
||||||
http {
|
http {
|
||||||
sticky_sessions = false
|
sticky_sessions = false
|
||||||
#certificates = []
|
#certificates = []
|
||||||
#redirect_http = true
|
#redirect_http = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
health_check {
|
||||||
|
protocol = "http"
|
||||||
|
port = 5000
|
||||||
|
interval = 15
|
||||||
|
timeout = 10
|
||||||
|
http {
|
||||||
|
path = "/status"
|
||||||
|
status_codes = [ 401 ]
|
||||||
|
tls = false
|
||||||
|
}
|
||||||
|
}
|
||||||
// TODO: Add health check
|
// TODO: Add health check
|
||||||
}
|
}
|
||||||
|
|
|
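Review bot: The `// TODO: Add health check` comment on the last context lines of the hunk now sits directly after the new `health_check` block and is stale; it should be deleted. The resource keeps `protocol = "http"` with `#certificates = []` commented out while its new name ends in `-https-with-termination`; if TLS is meant to be switched on later by the update_load_balancer script, a comment to that effect would stop a reader from assuming 9443 is encrypted as declared. Renaming `vault-http-to-https-with-termination` (and the Kibana resource in the previous hunk) makes Terraform destroy and recreate the load balancer services rather than update them in place; a `moved` block, if the Terraform version in use supports it, would turn the rename into a state move.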
@ -43,7 +43,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.sockets.socket-nixos-rebuild-trigger = {
|
systemd.sockets.socket-nixos-rebuild-trigger = {
|
||||||
listenStreams = [ "0.0.0.0:4444" ];
|
listenStreams = [ "10.0.1.51:4444" ];
|
||||||
partOf = [ "socket-nixos-rebuild-trigger.service" ];
|
partOf = [ "socket-nixos-rebuild-trigger.service" ];
|
||||||
wantedBy = [ "sockets.target" ];
|
wantedBy = [ "sockets.target" ];
|
||||||
};
|
};
|
||||||
|
|