Asara/infra
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

add radicale, update readme with some todos

Browse source
This commit is contained in:
Amarpreet Minhas 2021-01-08 23:59:03 -05:00
parent 8e8362cf0b
commit 4e292cc6fa
4 changed files with 188 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
README.md
View file

@ -1,3 +1,12 @@
# infra # infra
Mah Infra Mah Infra
## Todo
1. get a working wallabag instance
https://github.com/wallabag/docker/issues/242
2. fix up freshrss once this is addressed
https://github.com/FreshRSS/FreshRSS/issues/3349
3. Proper networking so i'm not manually updating nginx like a chump
4. Fix up the user permissions and work towards rootless

16
docker/radicale/Dockerfile Normal file
View file

@ -0,0 +1,16 @@
FROM alpine:edge
RUN adduser --uid 1009 --system radicale && \
addgroup --gid 1011 --system radicale && \
apk update && \
apk add --update --no-cache ca-certificates radicale
# Copy masked.name root cert
COPY files/MaskedName_Root_CA.crt /usr/local/share/ca-certificates/MaskedName_Root_CA.crt
COPY files/logging /etc/radicale/logging
# update ca certs
RUN update-ca-certificates 2>/dev/null
EXPOSE 5232
CMD ["radicale"]

43
docker/radicale/files/MaskedName_Root_CA.crt Executable file
View file

@ -0,0 +1,43 @@
-----BEGIN CERTIFICATE-----
MIIDNTCCAh2gAwIBAgIUYp8xo5t2lJFP3SiD1fJirgGUQJ0wDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAxMLbWFza2VkLm5hbWUwHhcNMjAwODI5MTkyMzEyWhcNMzAw
ODI3MTkyMzQyWjAWMRQwEgYDVQQDEwttYXNrZWQubmFtZTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAMI7oR+KHvvznfnaAXDMO5qpSTCAYCyfjFEohYJf
lOcnLONXb3f6sP5d1eltL+UTq0RVU5UP0aNW7hqDTa41MRw0JCDtB68yKdYq2hZf
97gA+lj3MEJU6RTAKLrg75GRh/AbNEIgwvPuHKW6hMbtwOyM9DFU//W3xpusalXy
RMFzAHfSDj9ci+UygUt9HINWd/SmMGG/8PghaRhfE44wRFMqYezeliIt2JIs43BV
7HqG0Oev9WPeXmiaZUYKQetHiQqR14Mxiv1IGzCmwwN+9b4tZtZTa58oM5dPXfbb
lrELQE5OsPaNtMtER3MgxovDN3VSCGH/O/GyaEWVanY5UF8CAwEAAaN7MHkwDgYD
VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBY8jW3fDVUp
URt1prhmDMjkVikgMB8GA1UdIwQYMBaAFBY8jW3fDVUpURt1prhmDMjkVikgMBYG
A1UdEQQPMA2CC21hc2tlZC5uYW1lMA0GCSqGSIb3DQEBCwUAA4IBAQAWQz4d3QzE
W8NGA16ZPamlVubOLB5DtZz2qrSrn3DeObLIDShInV3qtRlDx9HYJLTCA75Ket0J
NTsyMcTy2txd4I8hgdF30XJeEciN9wZ0mKEeP/YKDwe8V2XwWq4XYkDechlWHpZo
PfWcoLprKwVUI4HzaqkNmwcmMUI4xAsC+SLe1mrebseKm49oOwdQs/oPVLK+0nEp
RvD0aOvohILIa/2ZtKczvhB/L3fo5pg9Ex/0JDBdDHIedMabD3qn8Idse+P5Dfwa
Ju2Ctyb+n1TTPxRDMxs2cFbA5irr+2ARJd8jtGS+1fyxogjOWS1RR523F+qIS3su
KibGel+gFPpq
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIID0zCCArugAwIBAgIUM52uhXSeTCim1pmzucm/cnIgNp8wDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAxMLbWFza2VkLm5hbWUwHhcNMjAwODI5MTkyNzAwWhcNMjUw
ODI4MTkyNzMwWjAtMSswKQYDVQQDEyJtYXNrZWQubmFtZSBJbnRlcm1lZGlhdGUg
QXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8LuGo+As
ICYWdJjBCY0snF/X+jF1tdcrQzNiRKESEb5dsDiy979bugCblPQDQ+g5WGqXX4pj
UyZZE3ZwhOufISlGK0ow1aMjqS+pFlQ85KRD/jUtLPRUJuQF+m2YwId/Mg6/B7Qk
d166uJkNxS+MGZCi2OYXeoivnOY7Q0Kj/0vIbc5Vt3kCRVg2ljLSQhoBd+85AHMR
jeRjZMeYEYF2HTVwrg4DrC/r00MVtDcNqs6+M7YZ/rzny73GvfJWfWoB1C4piZlg
fvUcSDL5HAhjiu5cSeIR7DTuVx7t4PoK6AqUkPygDtq1ZaLybXT7X6d072dR5AXO
nWFLPaaGJ979iwIDAQABo4IBADCB/TAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
BAUwAwEB/zAdBgNVHQ4EFgQUIkhVYBaK9CcvXG8FM2jKVZ16oZAwHwYDVR0jBBgw
FoAUFjyNbd8NVSlRG3WmuGYMyORWKSAwUQYIKwYBBQUHAQEERTBDMEEGCCsGAQUF
BzAChjVodHRwOi8vdmF1bHQuY29sdW1iaWEubWFza2VkLm5hbWU6ODIwMC92MS9w
a2lfcm9vdC9jYTBHBgNVHR8EQDA+MDygOqA4hjZodHRwOi8vdmF1bHQuY29sdW1i
aWEubWFza2VkLm5hbWU6ODIwMC92MS9wa2lfcm9vdC9jcmwwDQYJKoZIhvcNAQEL
BQADggEBAK6HMgR+hpwjZCmf5NszDSHr7dYKZXP4LrcHPWs94nLM33UZ572ubGHs
dKjRw8YD0cncrsypsYmEgR57U+DHkys394wkb7UOwy1Zvd5IIRXdP0cDylz0QzqM
APnQYN+ismkoljhk9ey0Qbo3CmPjM+UQcAxuZQtA4M+riC1+jkude1uYL0szC6Y9
4KetfvbNkedSaV5yJaRKCBhRcC4/GjpBG/odQ/5AfBPAFjZqhcIJWBrVYbTQVC79
hMA1iwWJPmT9LsjMSUfxFTPzxRnNXQiKFz5kT2OiS1nqh8aOcyU9YC928pkifNJV
KokuDezJFM7ie3d+EcBk1V9lHwOWdto=
-----END CERTIFICATE-----

119
nomad/radicale/radicale.nomad Normal file
View file

@ -0,0 +1,119 @@
job "radicale" {
datacenters = ["columbia"]
region = "global"
type = "service"
update {
stagger = "30s"
max_parallel = 1
}
group "radicale" {
count = 1
task "radicale" {
vault {
policies = ["default", "ansible"]
change_mode = "restart"
}
driver = "docker"
config {
image = "docker.service.masked.name:8082/radicale"
ports = ["http"]
volumes = [
"/mnt/raid/radicale/collections:/collections"
]
}
service {
name = "radicale"
port = "http"
check {
name = "radicale"
type = "tcp"
interval = "10s"
timeout = "2s"
address_mode = "driver"
}
}
template {
data = <<EOH
{{- with secret "pki_int/issue/masked-dot-name" "common_name=radicale.service.masked.name" "alt_names=radicale.service.columbia.masked.name" -}}
{{- .Data.certificate -}}
{{- end -}}
EOH
destination = "${NOMAD_SECRETS_DIR}/radicale.crt"
change_mode = "restart"
}
template {
data = <<EOH
{{- with secret "pki_int/issue/masked-dot-name" "common_name=radicale.service.masked.name" "alt_names=radicale.service.columbia.masked.name" -}}
{{- .Data.private_key -}}
{{- end -}}
EOH
destination = "${NOMAD_SECRETS_DIR}/radicale.key"
change_mode = "restart"
}
template {
data = <<EOH
[server]
hosts = 0.0.0.0:5232
max_connections = 20
max_content_length = 10000000
timeout = 60
ssl = False
[encoding]
request = utf-8
stock = utf-8
[auth]
type = htpasswd
htpasswd_filename = /secrets/users
htpasswd_encryption = bcrypt
delay = 1
realm = Radicale - Password Required
[storage]
type = multifilesystem
filesystem_folder = /collections
[logging]
mask_passwords = True
[headers]
Access-Control-Allow-Origin = *
EOH
destination = "local/config"
}
template {
data = <<EOH
amarpreet:{{ with secret "kv/data/radicale" }}{{ .Data.data.amarpreet }}{{ end }}
EOH
destination = "secrets/users"
}
env {
RADICALE_CONFIG = "/local/config"
}
resources {
cpu = 2000
memory = 2560
}
}
network {
port "http" {
to = 5232
}
}
}
}