various: nomad managed mirrors

Author: the-maldridge

services/nomad/build/buildsync-dist.nomad

@@ -4,15 +4,10 @@ job "buildsync-dist" {
   namespace = "build"
 
   group "rsync" {
-    count = 2
+    count = 1
 
     network { mode = "bridge" }
 
-    constraint {
-      operator  = "distinct_hosts"
-      value     = "true"
-    }
-
     volume "dist-pkgs" {
       type = "host"
       source = "dist_pkgs"

services/nomad/infrastructure/traefik.nomad

@@ -1,5 +1,5 @@
 job "traefik" {
-  datacenters = ["VOID-PROXY", "VOID"]
+  datacenters = ["VOID-PROXY", "VOID-MIRROR"]
   namespace = "infrastructure"
   type = "system"
   group "lb" {
@@ -20,11 +20,12 @@ job "traefik" {
     }
 
     service {
+      name = "traefik-${node.unique.name}"
       port = "http"
       tags = [
         "traefik.enable=true",
-        "traefik.http.routers.proxy-lb.service=api@internal",
-        "traefik.http.routers.proxy-lb.tls=true",
+        "traefik.http.routers.traefik-${node.unique.name}.service=api@internal",
+        "traefik.http.routers.traefik-${node.unique.name}.tls=true",
       ]
     }
 

services/nomad/mirror/mirror.nomad

@@ -0,0 +1,41 @@
+job "mirror" {
+  type = "system"
+  datacenters = ["VOID-MIRROR"]
+  namespace = "mirror"
+
+  group "http" {
+    network {
+      mode = "bridge"
+      port "http" { to = 80 }
+    }
+
+    volume "root-mirror" {
+      type = "host"
+      source = "root_mirror"
+      read_only = true
+    }
+
+    service {
+      name = "mirror-${node.unique.name}"
+      port = "http"
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.mirror-${node.unique.name}.tls=true",
+        "traefik.http.routers.mirror-${node.unique.name}.rule=HostRegexp(`repo.voidlinux.org`, `{subdomain:repo-[a-z]{2}}.voidlinux.org`)",
+      ]
+    }
+
+    task "nginx" {
+      driver = "docker"
+
+      config {
+        image = "ghcr.io/void-linux/infra-nginx:v20210926rc01"
+      }
+
+      volume_mount {
+        volume = "root-mirror"
+        destination = "/srv/www"
+      }
+    }
+  }
+}

services/nomad/mirror/sync.nomad

@@ -0,0 +1,61 @@
+job "sync" {
+  type = "system"
+  datacenters = ["VOID-MIRROR"]
+  namespace = "mirror"
+
+  group "rsync" {
+    count = 1
+
+    network { mode = "bridge" }
+
+    volume "root-mirror" {
+      type = "host"
+      source = "root_mirror"
+      read_only = false
+    }
+
+    task "rsync" {
+      leader = true
+      driver = "docker"
+
+      vault {
+        policies = ["void-secrets-buildsync"]
+      }
+
+      config {
+        image = "eeacms/rsync"
+        args = ["client"]
+      }
+
+      env {
+        CRON_TASK_1="* * * * * flock -n /run/sync.lock rsync -vurk --filter '- .*' --delete-after -e 'ssh -i /secrets/id_rsa -o UserKnownHostsFile=/local/known_hosts' void-buildsync@a-hel-fi.node.consul:/srv/www/void-repo/ /mirror/"
+      }
+
+      resources {
+        memory = 1000
+      }
+
+      volume_mount {
+        volume = "root-mirror"
+        destination = "/mirror"
+      }
+
+      template {
+        data = <<EOF
+{{- with secret "secret/buildsync/ssh" -}}
+{{.Data.private_key}}
+{{- end -}}
+EOF
+        destination = "secrets/id_rsa"
+        perms = "0400"
+      }
+
+      template {
+        data = <<EOF
+a-hel-fi.node.consul ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIW8voCZh9nQpdx3fAsvfZO4mCYv0/OUVNPF9A/GsHtX
+EOF
+        destination = "local/known_hosts"
+      }
+    }
+  }
+}

terraform/do/.terraform.lock.hcl

@@ -236,6 +236,20 @@ resource "digitalocean_record" "catchall" {
 # We have a few mirrors that get special names, those go here. #
 ################################################################
 
+resource "digitalocean_record" "repo_fi" {
+  domain = digitalocean_domain.voidlinux_org.name
+  type = "CNAME"
+  name = "repo-fi.${digitalocean_domain.voidlinux_org.name}."
+  value = "b-hel-fi.m.${digitalocean_domain.voidlinux_org.name}."
+}
+
+resource "digitalocean_record" "repo_us" {
+  domain = digitalocean_domain.voidlinux_org.name
+  type = "CNAME"
+  name = "repo-us.${digitalocean_domain.voidlinux_org.name}."
+  value = "a-mci-us.m.${digitalocean_domain.voidlinux_org.name}."
+}
+
 resource "digitalocean_record" "repo_alpha_de" {
   domain = digitalocean_domain.voidlinux_org.name
   type   = "CNAME"

terraform/do/dns.tf

@@ -2,6 +2,7 @@ terraform {
   required_providers {
     digitalocean = {
       source = "digitalocean/digitalocean"
+      version = ">= 2.12.0"
     }
   }
   required_version = ">= 0.13"

terraform/do/versions.tf

@@ -22,3 +22,8 @@ resource "nomad_namespace" "build" {
   name        = "build"
   description = "Home of build related tasks"
 }
+
+resource "nomad_namespace" "mirror" {
+  name        = "mirror"
+  description = "Home of mirror related tasks"
+}