Move sudosci to nomad

README.md

@@ -6,5 +6,4 @@ Mah Infra
 ## Todo
 1. get a working wallabag instance
     https://github.com/wallabag/docker/issues/242
-2. Proper networking so i'm not manually updating nginx like a chump
+2. Fix up the user permissions and work towards rootless
-3. Fix up the user permissions and work towards rootless

ansible/host_vars/ivyking.minhas.io/haproxy.yml

@@ -5,5 +5,5 @@ haproxy_domains:
     - { name: "radicale", url: "dav.minhas.io" }
     - { name: "wallabag", url: "wallabag.minhas.io" }
     - { name: "kanban", url: "kanban.minhas.io" }
-    - { name: "api", url: "api.sudoscientist.com" }
+    - { name: "sudoscientist-go-backend", url: "api.sudoscientist.com" }
 ...

ansible/roles/haproxy/templates/haproxy.cfg.j2

@@ -46,17 +46,11 @@ frontend fe_default
 {% endfor %}
 
 {% for domain in haproxy_domains %}
-{% if domain.name != 'api' %}
 backend be_{{ domain.name }}
     balance leastconn
     server-template {{ domain.name }} 1 _{{ domain.name }}._tcp.service.masked.name resolvers consul resolve-opts allow-dup-ip resolve-prefer ipv4 check
 
-{% endif %}
 {% endfor %}
-backend be_api
-    balance leastconn
-    server server1 192.168.122.77:8080
-
 resolvers consul
     nameserver consul 127.0.0.1:8600
     accepted_payload_size 8192

docker/sudoscientist-go-backend/Dockerfile

@@ -0,0 +1,21 @@
+FROM golang:alpine
+
+# add ca-certificates package
+RUN apk add --no-cache ca-certificates git && \
+    go get -u -d github.com/mattes/migrate/cli github.com/lib/pq && \
+    go build -tags 'postgres' -o ${GOPATH}/bin/migrate github.com/mattes/migrate/cli && \
+    mkdir -p ${GOPATH}/src/git.minhas.io/asara && \
+    cd ${GOPATH}/src/git.minhas.io/asara && \
+    git clone https://git.minhas.io/asara/sudoscientist-go-backend && \
+    cd ${GOPATH}/src/git.minhas.io/asara/sudoscientist-go-backend && \
+    go get && go build main.go && \
+    mv /go/bin/* /usr/local/bin/ && \
+    rm -rf /go/src && \
+    apk del git
+
+# Copy masked.name root cert
+COPY files/MaskedName_Root_CA.crt /usr/local/share/ca-certificates/MaskedName_Root_CA.crt
+
+# update ca certs
+RUN update-ca-certificates 2>/dev/null
+CMD ["/usr/local/bin/sudoscientist-go-backend"]

docker/sudoscientist-go-backend/files/MaskedName_Root_CA.crt

@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUYp8xo5t2lJFP3SiD1fJirgGUQJ0wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbWFza2VkLm5hbWUwHhcNMjAwODI5MTkyMzEyWhcNMzAw
+ODI3MTkyMzQyWjAWMRQwEgYDVQQDEwttYXNrZWQubmFtZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMI7oR+KHvvznfnaAXDMO5qpSTCAYCyfjFEohYJf
+lOcnLONXb3f6sP5d1eltL+UTq0RVU5UP0aNW7hqDTa41MRw0JCDtB68yKdYq2hZf
+97gA+lj3MEJU6RTAKLrg75GRh/AbNEIgwvPuHKW6hMbtwOyM9DFU//W3xpusalXy
+RMFzAHfSDj9ci+UygUt9HINWd/SmMGG/8PghaRhfE44wRFMqYezeliIt2JIs43BV
+7HqG0Oev9WPeXmiaZUYKQetHiQqR14Mxiv1IGzCmwwN+9b4tZtZTa58oM5dPXfbb
+lrELQE5OsPaNtMtER3MgxovDN3VSCGH/O/GyaEWVanY5UF8CAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBY8jW3fDVUp
+URt1prhmDMjkVikgMB8GA1UdIwQYMBaAFBY8jW3fDVUpURt1prhmDMjkVikgMBYG
+A1UdEQQPMA2CC21hc2tlZC5uYW1lMA0GCSqGSIb3DQEBCwUAA4IBAQAWQz4d3QzE
+W8NGA16ZPamlVubOLB5DtZz2qrSrn3DeObLIDShInV3qtRlDx9HYJLTCA75Ket0J
+NTsyMcTy2txd4I8hgdF30XJeEciN9wZ0mKEeP/YKDwe8V2XwWq4XYkDechlWHpZo
+PfWcoLprKwVUI4HzaqkNmwcmMUI4xAsC+SLe1mrebseKm49oOwdQs/oPVLK+0nEp
+RvD0aOvohILIa/2ZtKczvhB/L3fo5pg9Ex/0JDBdDHIedMabD3qn8Idse+P5Dfwa
+Ju2Ctyb+n1TTPxRDMxs2cFbA5irr+2ARJd8jtGS+1fyxogjOWS1RR523F+qIS3su
+KibGel+gFPpq
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID0zCCArugAwIBAgIUM52uhXSeTCim1pmzucm/cnIgNp8wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbWFza2VkLm5hbWUwHhcNMjAwODI5MTkyNzAwWhcNMjUw
+ODI4MTkyNzMwWjAtMSswKQYDVQQDEyJtYXNrZWQubmFtZSBJbnRlcm1lZGlhdGUg
+QXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8LuGo+As
+ICYWdJjBCY0snF/X+jF1tdcrQzNiRKESEb5dsDiy979bugCblPQDQ+g5WGqXX4pj
+UyZZE3ZwhOufISlGK0ow1aMjqS+pFlQ85KRD/jUtLPRUJuQF+m2YwId/Mg6/B7Qk
+d166uJkNxS+MGZCi2OYXeoivnOY7Q0Kj/0vIbc5Vt3kCRVg2ljLSQhoBd+85AHMR
+jeRjZMeYEYF2HTVwrg4DrC/r00MVtDcNqs6+M7YZ/rzny73GvfJWfWoB1C4piZlg
+fvUcSDL5HAhjiu5cSeIR7DTuVx7t4PoK6AqUkPygDtq1ZaLybXT7X6d072dR5AXO
+nWFLPaaGJ979iwIDAQABo4IBADCB/TAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQUIkhVYBaK9CcvXG8FM2jKVZ16oZAwHwYDVR0jBBgw
+FoAUFjyNbd8NVSlRG3WmuGYMyORWKSAwUQYIKwYBBQUHAQEERTBDMEEGCCsGAQUF
+BzAChjVodHRwOi8vdmF1bHQuY29sdW1iaWEubWFza2VkLm5hbWU6ODIwMC92MS9w
+a2lfcm9vdC9jYTBHBgNVHR8EQDA+MDygOqA4hjZodHRwOi8vdmF1bHQuY29sdW1i
+aWEubWFza2VkLm5hbWU6ODIwMC92MS9wa2lfcm9vdC9jcmwwDQYJKoZIhvcNAQEL
+BQADggEBAK6HMgR+hpwjZCmf5NszDSHr7dYKZXP4LrcHPWs94nLM33UZ572ubGHs
+dKjRw8YD0cncrsypsYmEgR57U+DHkys394wkb7UOwy1Zvd5IIRXdP0cDylz0QzqM
+APnQYN+ismkoljhk9ey0Qbo3CmPjM+UQcAxuZQtA4M+riC1+jkude1uYL0szC6Y9
+4KetfvbNkedSaV5yJaRKCBhRcC4/GjpBG/odQ/5AfBPAFjZqhcIJWBrVYbTQVC79
+hMA1iwWJPmT9LsjMSUfxFTPzxRnNXQiKFz5kT2OiS1nqh8aOcyU9YC928pkifNJV
+KokuDezJFM7ie3d+EcBk1V9lHwOWdto=
+-----END CERTIFICATE-----

nomad/sudoscientist-go-backend.nomad

@@ -0,0 +1,93 @@
+job "sudoscientist-go-backend" {
+  datacenters = ["columbia"]
+  region      = "global"
+  type        = "service"
+
+  update {
+    stagger      = "30s"
+    max_parallel = 1
+  }
+
+  group "sudoscientist-go-backend" {
+    count = 1
+
+    task "sudoscientist-go-backend" {
+      vault {
+        policies    = ["default", "ansible"]
+        change_mode = "restart"
+      }
+      driver = "docker"
+      config {
+        image   = "docker.service.masked.name:8082/sudoscientist-go-backend"
+        ports   = ["http"]
+      }
+
+      service {
+        name = "sudoscientist-go-backend"
+        port = "http"
+
+        check {
+          name     = "sudoscientist-go-backend"
+          type     = "tcp"
+          interval = "10s"
+          timeout  = "2s"
+          address_mode = "driver"
+        }
+      }
+
+      template {
+        data = <<EOH
+            {{- with secret "pki_int/issue/masked-dot-name" "common_name=sudoscientist-go-backend.service.masked.name" "alt_names=sudoscientist-go-backend.service.columbia.masked.name" -}}
+            {{- .Data.certificate -}}
+            {{- end -}}
+        EOH
+        destination   = "${NOMAD_SECRETS_DIR}/sudoscientist-go-backend.crt"
+        change_mode   = "restart"
+      }
+
+      template {
+        data = <<EOH
+            {{- with secret "pki_int/issue/masked-dot-name" "common_name=sudoscientist-go-backend.service.masked.name" "alt_names=sudoscientist-go-backend.service.columbia.masked.name" -}}
+            {{- .Data.private_key -}}
+            {{- end -}}
+        EOH
+        destination   = "${NOMAD_SECRETS_DIR}/sudoscientist-go-backend.key"
+        change_mode   = "restart"
+      }
+
+      template {
+        data = <<EOH
+API_ADDR            = https://api.sudoscientist.com
+API_PORT            = 8080
+DB_HOST             = ivyking.node.masked.name
+DB_NAME             = sudosci
+DB_PORT             = 5432
+DB_PW               = "{{ with secret "kv/data/sudoscientist/go-backend" }}{{ .Data.data.db_pw }}{{ end }}"
+DB_SSL              = disable
+DB_USER             = sudosci
+EMAIL_SECRET        = "{{ with secret "kv/data/sudoscientist/go-backend" }}{{ .Data.data.email_secret }}{{ end }}"
+JWT_SECRET          = "{{ with secret "kv/data/sudoscientist/go-backend" }}{{ .Data.data.jwt_secret }}{{ end }}"
+POSTAL_API          = https://postal.sudoscientist.com
+POSTAL_KEY          = "{{ with secret "kv/data/sudoscientist/go-backend" }}{{ .Data.data.jwt_secret }}{{ end }}"
+POSTAL_SRC_EMAIL    = send-mail@postal.sudoscientist.com
+UI_ADDR             = sudoscientist.com
+UI_PROTO            = https://
+        EOH
+        destination = "secrets/sudoscientist-go-backend.env"
+        env         = true
+      }
+
+      resources {
+        cpu    = 2000
+        memory = 2560
+      }
+    }
+
+    network {
+      port "http" {
+        to = 8080
+       }
+    }
+
+  }
+}