Migrations infra & working instance-control + commands

all-apps/instance-control/docker-compose.yaml

@@ -0,0 +1,22 @@
+version: '3'
+
+secrets:
+  instance_control_webhooks_secret:
+    file: ./instance-control/webhook_secret
+
+services:
+  instance_control:
+    image: almir/webhook
+    volumes:
+      - ./instance-control/hooks/:/etc/webhook
+      - /tmp/restic:/tmp/restic
+    secrets:
+      - instance_control_webhooks_secret
+    command:
+      - "-hooks=/etc/webhook/hooks.json"
+      - -verbose
+    networks:
+      - lb
+    restart: unless-stopped
+networks:
+  lb:

all-apps/instance-control/hooks/hooks.json.tmpl

@@ -0,0 +1,43 @@
+[
+    {
+        "id": "queue-restic-snapshot",
+        "pass-environment-to-command": [
+            {"source": "payload", "name": "version"},
+            {"source": "payload", "name": "path"},
+            {"source": "payload", "name": "tag"},
+            {"source": "payload", "name": "request_id"}
+        ],
+        "trigger-rule":
+            {
+                "match": {
+                    "type": "payload-hmac-sha256",
+                    "secret": "$INSTANCE_CONTROL_WEBHOOKS_SECRET",
+                    "parameter": {
+                        "source": "header",
+                        "name": "X-Nassella-Signature"
+                    }
+                }
+            },
+        "execute-command": "/etc/webhook/queue-restic-snapshot.sh"
+    },
+    {
+        "id": "restic-snapshot-status",
+        "include-command-output-in-response": true,
+        "pass-environment-to-command": [
+            {"source": "payload", "name": "version"},
+            {"source": "payload", "name": "request_id"}
+        ],
+        "trigger-rule":
+            {
+                "match": {
+                    "type": "payload-hmac-sha256",
+                    "secret": "$INSTANCE_CONTROL_WEBHOOKS_SECRET",
+                    "parameter": {
+                        "source": "header",
+                        "name": "X-Nassella-Signature"
+                    }
+                }
+            },
+        "execute-command": "/etc/webhook/restic-snapshot-status.sh"
+    }
+]

all-apps/instance-control/hooks/queue-restic-snapshot.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# TODO the systemd unit should actually do this
+# touch /maintenance/maintenance.on
+# rm /maintenance/maintenance.on
+
+# for instance-control docker compose setup:
+# make a directory in /tmp for these pipes and mount that as a volume
+# into the container
+
+# TODO read 'version' arg from request and make sure it
+# matches the version of this script
+
+# use a named pipe
+printf "%s\t%s\t%s\n" "$HOOK_tag" "$HOOK_request_id" "$HOOK_path" > /tmp/restic/snapshot_trigger_pipe

all-apps/instance-control/hooks/restic-snapshot-status.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+# TODO read 'version' arg from request and make sure it
+# matches the version of this script
+
+status=`cat /tmp/restic/snapshot_status_$HOOK_request_id`
+
+echo "{\"status\":\"$status\"}"