Initial version of instance control and snapshot triggering

all-apps/docker-compose.yaml

@@ -7,6 +7,7 @@ services:
       - ./lb/:/etc/caddy
       - /nassella/lb/config:/config
       - /nassella/lb/data:/data
+      - /app/maintenance:/maintenance
     networks:
       - lb
     restart: unless-stopped

all-apps/instance-control-webhooks/docker-compose.yaml

@@ -0,0 +1,25 @@
+version: '3'
+
+secrets:
+  instance_control_webhooks_secret:
+    file: ./instance-control-webhooks/webhook_secret
+
+services:
+  node_webhooks:
+    image: almir/webhook
+    volumes:
+      - ./instance-control-webhooks/hooks/:/etc/webhook
+      - /tmp/restic:/tmp/restic
+    secrets:
+      - instance_control_webhooks_secret
+    command:
+      - -template
+      - "-hooks=/etc/webhook/hooks.yaml"
+      - -verbose
+    networks:
+      - lb
+    restart: unless-stopped
+    ports:
+      - 9000:9000
+networks:
+  lb:

all-apps/instance-control-webhooks/hooks/hooks.yaml

@@ -0,0 +1,33 @@
+- id: queue-restic-snapshot
+  pass-environment-to-command:
+    - source: payload
+      name: version
+    - source: payload
+      name: path
+    - source: payload
+      name: tag
+    - source: payload
+      name: request_id
+  trigger-rule:
+    # - match:
+    #     type: payload-hmac-sha256
+    #     secret: '{{ cat "/run/secrets/instance_control_webhooks_secret" }}'
+    #     parameter:
+    #       source: header
+    #       name: X-Nassella-Signature
+  execute-command: "/etc/webhook/queue-restic-snapshot.sh"
+- id: restic-snapshot-status
+  include-command-output-in-response: true
+  pass-environment-to-command:
+    - source: payload
+      name: version
+    - source: payload
+      name: request_id
+  # trigger-rule:
+  #   - match:
+  #       type: payload-hmac-sha256
+  #       secret: '{{ cat "/run/secrets/instance_control_webhooks_secret" }}'
+  #       parameter:
+  #         source: header
+  #         name: X-Nassella-Signature
+  execute-command: "/etc/webhook/restic-snapshot-status.sh"

all-apps/instance-control-webhooks/hooks/queue-restic-snapshot.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# TODO the systemd unit should actually do this
+# touch /maintenance/maintenance.on
+# rm /maintenance/maintenance.on
+
+# for instance-control-webhooks docker compose setup:
+# make a directory in /tmp for these pipes and mount that as a volume
+# into the container
+
+# TODO read 'version' arg from request and make sure it
+# matches the version of this script
+
+# use a named pipe
+printf "%s\t%s\t%s\n" "$HOOK_tag" "$HOOK_request_id" "$HOOK_path" > /tmp/restic/snapshot_trigger_pipe

all-apps/instance-control-webhooks/hooks/restic-snapshot-status.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+# TODO read 'version' arg from request and make sure it
+# matches the version of this script
+
+status=`cat /tmp/restic/snapshot_status_$HOOK_request_id`
+
+echo "{\"status\":\"$status\"}"

all-apps/restic-snapshot.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Restic Snapshotter
+After=app.service
+Requires=docker.service app.service
+[Service]
+EnvironmentFile=/restic-env
+TimeoutStartSec=0
+ExecStart=/restic-snapshot.sh
+Restart=always
+RestartSec=5s
+[Install]
+WantedBy=multi-user.target