From 18d28f17413485e2366ce194521a67ed8b29f5e3 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Mon, 21 Aug 2023 16:20:30 +0100
Subject: [PATCH] Add a replds2 role and container

---
 roles/float-infra-replds/tasks/main.yml    | 14 +++++++++++
 roles/float-infra-replds/templates/acls.j2 |  2 ++
 services.core.yml                          | 29 ++++++++++++++++++++--
 3 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 roles/float-infra-replds/tasks/main.yml
 create mode 100644 roles/float-infra-replds/templates/acls.j2

diff --git a/roles/float-infra-replds/tasks/main.yml b/roles/float-infra-replds/tasks/main.yml
new file mode 100644
index 00000000..490b984d
--- /dev/null
+++ b/roles/float-infra-replds/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+
+- file:
+    path: "/var/lib/replds"
+    state: directory
+    owner: docker-frontend
+    group: root
+    mode: "0750"
+
+- name: Configure replds ACLs
+  template:
+    src: "acls.j2"
+    dest: "/etc/replds.acls"
+  notify: restart replds
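Review bot: The `file` task at the top of the hunk has no `name`, unlike the `template` task below it, so it appears in play output only as "file" and ansible-lint reports name[missing]; add `- name: Create replds data directory` above `file:`. The `template` task leaves owner and mode of `/etc/replds.acls` to the module defaults; since this file is what the container reads for its ACLs, an explicit `mode: "0644"` (the template content shown in this patch holds no secrets) makes the intended permissions reviewable rather than umask-dependent. The `restart replds` handler is not part of this patch; confirm it exists in the role's handlers and that it restarts the unit that actually runs the replds container.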
diff --git a/roles/float-infra-replds/templates/acls.j2 b/roles/float-infra-replds/templates/acls.j2
new file mode 100644
index 00000000..e8410b5a
--- /dev/null
+++ b/roles/float-infra-replds/templates/acls.j2
@@ -0,0 +1,2 @@
+replds peer
+nginx credentials/public write
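Review bot: The template contains no Jinja expressions, so the role could ship it via `copy` from `files/` instead of `template`; if it stays a template, a one-line header comment explaining the format (principal, path prefix, permission) would help, provided replds2's ACL parser accepts comments — that is not visible here. The principals `replds` and `nginx` presumably correspond to x509 client identities (the container is configured with an mTLS CA and client certificate in services.core.yml); confirm that `nginx` is the identity the ACME client presents, since this line is what grants it write access under credentials/public.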
diff --git a/services.core.yml b/services.core.yml
index 74fd7061..1615fe22 100644
--- a/services.core.yml
+++ b/services.core.yml
@@ -7,13 +7,36 @@ frontend:
       enable_server: false
     - name: ssoproxy
       enable_server: false
-    - name: replds-acme
+    - name: replds
   systemd_services:
     - nginx.service
     - haproxy.service
     - sso-proxy.service
-    - replds@acme.service
+    - replds2@frontend.service
+  containers:
+    - name: replds
+      image: registry.git.autistici.org/ai3/tools/replds2:master
+      env:
+        REPLDS_GRPC_ADDR: ":3636"
+        REPLDS_HTTP_ADDR: ":3638"
+        REPLDS_SSL_CERT: "/etc/credentials/x509/replds/server/cert.pem"
+        REPLDS_SSL_KEY: "/etc/credentials/x509/replds/server/private_key.pem"
+        REPLDS_SSL_CLIENT_CERT: "/etc/credentials/x509/replds/client/cert.pem"
+        REPLDS_SSL_CLIENT_KEY: "/etc/credentials/x509/replds/client/private_key.pem"
+        REPLDS_SSL_CA: "/etc/credentials/x509/replds/ca.pem"
+        REPLDS_STORE: "/var/lib/replds"
+        REPLDS_ACLS: "/etc/replds.acls"
+        REPLDS_PEERS: "{{ services['frontend'].hosts | sort | map('regex_replace', '$', '.frontend.' + domain + ':3636') | join(',') }}"
+      volumes:
+        /var/lib/replds: /var/lib/replds
+        /etc/replds/acls: /etc/replds.acls
+      args: "server"
+      ports:
+        - 3636
+        - 3638
   ports:
+    - 3636
+    - 3638
     - 5005
   volumes:
     - name: cache
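Review bot: The volume entry `/etc/replds/acls: /etc/replds.acls` does not agree with the file the role writes: the template task in roles/float-infra-replds/tasks/main.yml has `dest: "/etc/replds.acls"`, and nothing in this patch creates `/etc/replds/acls`, so one side of the bind mount names a path that will not exist (a bind of a missing host path is typically auto-created as an empty directory, which would shadow the ACL file the container expects). Presumably the intended line is `/etc/replds.acls: /etc/replds.acls`. Separately, `systemd_services` lists `replds2@frontend.service` while the new container is named `replds`; confirm which unit actually runs the container so that the service list and the role's restart handler target the same unit. The `frontend` service definition continues outside this hunk.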
@@ -22,6 +45,8 @@ frontend:
   monitoring_endpoints:
     - port: 8404
       scheme: http
+    - port: 3638
+      scheme: https
 
 dns:
   scheduling_group: frontend
-- 
GitLab