infra:hscloud

Differences

This shows you the differences between two versions of the page.

infra:hscloud [2023/10/06 17:21] – [Deploy docker image to hscloud] palidinfra:hscloud [2023/11/11 16:12] (current) informatic
Line 5: Line 5:
 Our new internal highly-available Infrastructure/Platform-as-a-Service. Our new internal highly-available Infrastructure/Platform-as-a-Service.
  
-This runs in out datacenter (dcr01 on [[infra:netbox]]). This is different from our [[infra:bgpwtf|ISP services]] or [[infra:machines|internal machines]].+This runs in our datacenter (dcr01 on [[infra:netbox]]). This is different from our [[infra:bgpwtf|ISP services]] or [[infra:machines|internal machines]].
  
 ===== Components ===== ===== Components =====
Line 15: Line 15:
 We are moving services from our old [[infra:machines]] into Kubernetes. Amongst other, currently running on the cluster is: We are moving services from our old [[infra:machines]] into Kubernetes. Amongst other, currently running on the cluster is:
  
-  * https://matrix.hackerspace.pl +  * [[https://matrix.hackerspace.pl]] 
-  * https://gerrit.hackerspace.pl +  * [[https://gerrit.hackerspace.pl]] 
-  * https://profile.hackerspace.pl +  * [[https://profile.hackerspace.pl]] 
-  * https://cfp.cebula.camp+  * [[https://cfp.cebula.camp]]
  
 With more to come. With more to come.
  
 You are also free to host your own personal stuff there within reason. See below for access. You are also free to host your own personal stuff there within reason. See below for access.
 +
 +===== Boston Evacuation Aktion =====
 +
 +Here's a list of services that currently live on Boston Packets, but we'd like to migrate to hscloud. Ask on #infra on how to contribute.
 +
 +  * [[https://kasownik.hackerspace.pl]]
 +  * [[https://owncloud.hackerspace.pl]]
 +  * [[https://wiki.hackerspace.pl]] - dokuwiki, as of 2023-10, on [[user>noisersup]]'s todo list
 +  * [[https://blog.hackerspace.pl]] - wordpress, not actively maintained
 +  * [[https://gallery.hackerspace.pl]] - unmaintained for ages
 +  * [[https://webchat.hackerspace.pl]] - just a redirect?
 +  * [[https://piwik.hackerspace.pl]] - kill?
 +  * [[https://static.hackerspace.pl]] - ???
 +  * [[https://api.hackerspace.pl]] - dead? kill?
 +  * [[https://tickers.hackerspace.pl]] - dead? kill?
 +  * [[https://mail.hackerspace.pl]] - roundcube, fairly easy, but boston nginx would still serve as proxy (analogous to hackerspace.pl site)
 +  * mailman ([[https://lists.hackerspace.pl]]) - the web service is already on k8s, but also proxied via boston. Mailman-core and the database (used by both web and core, postgres) are still on boston.
 +  * ldap/kerberos - (hard)
 +  * email services (exim, dovecot) - (hard)
  
 ===== Monitoring ===== ===== Monitoring =====
-https://monitoring-global-dashboard.k0.hswaw.net/+ 
 +[[https://monitoring-global-dashboard.k0.hswaw.net/]]
  
 ===== Documentation, Getting Access and Usage ===== ===== Documentation, Getting Access and Usage =====
  
-Self-documenting in hackdoc (hscloud documentation stored within hscloud): https://hackdoc.hackerspace.pl/doc/codelabs/index.md+Self-documenting in hackdoc (hscloud documentation stored within hscloud): [[https://hackdoc.hackerspace.pl/doc/codelabs/index.md]]
  
 ===== Deploy docker image to hscloud ===== ===== Deploy docker image to hscloud =====
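Review bot: the new "Boston Evacuation Aktion" list queues `blog.hackerspace.pl` ("wordpress, not actively maintained") and `gallery.hackerspace.pl` ("unmaintained for ages") for migration without saying who will maintain them afterwards, and several entries ("???", "dead? kill?") carry no decision at all. Only the wiki entry names an owner. Suggest adding an owner or a retire/keep decision per entry before anything unmaintained is moved onto the shared cluster. For roundcube and mailman, where the text says boston still serves as proxy, state that boston remains in the request path after the move.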
Line 36: Line 56:
  
 Build your docker image by running following command: Build your docker image by running following command:
 +
      
   docker build --tag registry.k0.hswaw.net/$YOUR_USERNAME/$APP_NAME-$APP_VERSION   docker build --tag registry.k0.hswaw.net/$YOUR_USERNAME/$APP_NAME-$APP_VERSION
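Review bot: the `docker build --tag ...` line carried as context in this hunk has no build context argument (a path, URL or `-`), so it fails as written. Append ` .` or name the directory that holds the Dockerfile while this section is being touched.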
Line 44: Line 65:
  
   docker push registry.k0.hswaw.net/$YOUR_USERNAME/$YOUR_IMAGE_TAG   docker push registry.k0.hswaw.net/$YOUR_USERNAME/$YOUR_IMAGE_TAG
-   +
-  +
 ===== Commands with example data ===== ===== Commands with example data =====
  
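Review bot: the push line in this hunk uses `$YOUR_IMAGE_TAG`, while the build step tags the image as `$APP_NAME-$APP_VERSION` and the example data uses the `name:version` form (`walne-generator:1.0-alpha`). Use one placeholder form in both commands, for instance `$APP_NAME:$APP_VERSION`, so the reference that is pushed is the one that was built.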
Line 51: Line 71:
   docker push registry.k0.hswaw.net/palid/walne-generator:1.0-alpha   docker push registry.k0.hswaw.net/palid/walne-generator:1.0-alpha
  
 +===== Resources/Services =====
 +
 +Here is a list of common external/internal services used by apps hosted in hscloud, with guidelines on how to get access to those:
 +
 +  * **Persistent storage/Block storage**
 +    * Use ''PersistentVolumeClaim'' in ''waw-hdd-redundant-3'' storage class
 +  * **S3/Object storage**
 +    * Add user object in ''%%//cluster/kube/k0.libsonnet:k0.ceph.clients%%''
 +    * Ask hscloud ops to update
 +  * **CockroachDB**
 +    * Add user object in ''%%//cluster/kube/k0.libsonnet:k0.cockroach.clients%%''
 +    * Ask hscloud ops to update
 +  * **Docker Container Registry**
 +    * Use https://registry.k0.hswaw.net to authenticate
 +    * ''registry.k0.hswaw.net/USERNAME/...'' is your personal container namespace
 +  * **DNS**
 +    * ''*.hackerspace.pl'', ''*.hswaw.net'': Ask hscloud ops to create/update relevant DNS entries in ''ns{1,2}.bytesexual.net'', adjust admitomatic config (see below)
 +    * ''*'': create your own DNS CNAME record pointing at ''ingress.k0.hswaw.net''
 +    * Adjust ''%%//cluster/kube/k0.libsonnet:k0.admitomatic.cfg.proto.allow_domain%%'' if you want your domain to be secured against hijacking by other cluster users (''*.hackerspace.pl'' is one such domain)
 +  * **Postgres**
 +    * Use ''%%//kube/postgres.libsonnet%%'' to create local deployment in app namespace
 +    * **Alternative:** ask hscloud ops for a database on blessed high-performance ssd node
 +  * **Redis**
 +    * Use ''%%//kube/redis.libsonnet%%'' to create local deployment in app namespace
 +  * **SSO** (OAuth2/OpenID Connect for HSWAW members authentication)
 +    * Self-service - create your own app on https://sso.hackerspace.pl
 +  * **LDAP** (only very specific cases, when user/group listing is required - otherwise use SSO)
 +    * Ask ops to create an LDAP service account
 +      * Create ''cn=...,ou=Services,dc=hackerspace,dc=pl'' in LDAP
 +      * Add relevant ACL in /etc/openldap/slapd.conf on ''boston-packets.hackerspace.pl''
 +  * **Beyondspace** (access to *.waw.hackerspace.pl services from WAN/hscloud)
 +    * Ask ops to add specific internal domain to beyondspace (''%%//hswaw/machines/customs.hackerspace.pl/beyondspace.nix%%'') and create a service authentication token on customs
 +  * **Mailing (SMTP/IMAP)**
 +    * Ask ops to create local mailing user account
 +      * Create local service user on ''boston-packets.hackerspace.pl'': ''useradd -rm SERVICE; passwd SERVICE''
 +      * Create mailbox on ''boston-packets.hackerspace.pl'': ''mkdir /var/spool/mail/SERVICE; chown SERVICE:mail /var/spool/mail/SERVICE''
 +      * **Optionally:** add aliases (and/or incoming exec hook) in ''/etc/mail/aliases''
  
infra/hscloud.1696612908.txt.gz · Last modified: 2023/10/06 17:21 by palid
