From b48d04d02a7ad7191e95ea4b7c17ac6060522858 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Wed, 7 Aug 2024 12:53:05 +0200
Subject: [PATCH] rome: move compute to a dedicated server
---
 .github/workflows/fly.yml | 19 --------------
 README.md | 9 -------
 rome/Dockerfile | 36 -------------------------
 rome/fly.toml | 55 ---------------------------------------
 rome/litestream.yml | 19 --------------
 rome/run.sh | 7 -----
 rome/sunlight.service | 13 +++++++++
 rome/sunlight.yaml | 46 ++++++++++++++++----------------
 8 files changed, 36 insertions(+), 168 deletions(-)
 delete mode 100644 .github/workflows/fly.yml
 delete mode 100644 rome/Dockerfile
 delete mode 100644 rome/fly.toml
 delete mode 100644 rome/litestream.yml
 delete mode 100644 rome/run.sh
 create mode 100644 rome/sunlight.service
diff --git a/.github/workflows/fly.yml b/.github/workflows/fly.yml
deleted file mode 100644
index 28e0064..0000000
--- a/.github/workflows/fly.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: Fly Deploy
-on:
- workflow_dispatch:
- push:
- branches:
- - main
-permissions:
- contents: read
-jobs:
- deploy:
- name: Deploy app
- runs-on: ubuntu-latest
- concurrency: deploy-group
- steps:
- - uses: actions/checkout@v4
- - uses: superfly/flyctl-actions/setup-flyctl@master
- - run: flyctl deploy --remote-only -c rome/fly.toml
- env:
- FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
diff --git a/README.md b/README.md
index 2a4a9d0..df25bac 100644
--- a/README.md
+++ b/README.md
@@ -76,12 +76,3 @@ stderr in human-readable format, and to stdout in JSON format. A private HTTP debug server is also started on a random port on localhost. It serves the net/http/pprof endpoints, as well as `/debug/logson` and `/debug/logsoff` which enable and disable debug logging, respectively.
-
-## The Rome prototype logs
-
-The `rome/` folder contains the configuration for the Rome prototype logs,
-deployed on Fly.io and Tigris from the main branch by GitHub Actions.
-
-To deploy manually, run
-
- fly -c rome/fly.toml deploy
diff --git a/rome/Dockerfile b/rome/Dockerfile
deleted file mode 100644
index 2ef4e1d..0000000
--- a/rome/Dockerfile
+++ /dev/null
@@ -1,36 +0,0 @@
-FROM golang:1.22.0-alpine3.19 as build
-
-WORKDIR /src
-
-RUN apk add build-base
-
-COPY go.mod go.sum ./
-RUN go mod download
-
-COPY cmd ./cmd
-COPY internal ./internal
-COPY *.go ./
-RUN CGO_ENABLED=1 go install -trimpath ./cmd/sunlight
-
-FROM alpine:3.19 as download
-
-ADD https://github.com/benbjohnson/litestream/releases/download/v0.3.13/litestream-v0.3.13-linux-amd64.tar.gz /tmp/litestream.tar.gz
-RUN tar -C /usr/local/bin -xzf /tmp/litestream.tar.gz
-
-FROM alpine:3.19.1
-
-RUN apk add bash curl sqlite
-
-COPY rome/run.sh /usr/local/bin/sunlight.sh
-COPY rome/litestream.yml /etc/litestream.yml
-
-WORKDIR /etc/sunlight
-COPY rome/roots.pem ./
-COPY rome/sunlight.yaml ./
-
-COPY --from=build /go/bin/sunlight /usr/local/bin/sunlight
-COPY --from=download /usr/local/bin/litestream /usr/local/bin/litestream
-
-VOLUME /var/db/sunlight
-
-CMD ["bash", "/usr/local/bin/sunlight.sh"]
diff --git a/rome/fly.toml b/rome/fly.toml
deleted file mode 100644
index fe8ffbd..0000000
--- a/rome/fly.toml
+++ /dev/null
@@ -1,55 +0,0 @@
-app = "sunlight-rome"
-primary_region = "sjc"
-
-[build]
-dockerfile = "Dockerfile"
-
-[http_service]
-internal_port = 8080
-force_https = true
-auto_stop_machines = false
-auto_start_machines = false
-
-[http_service.http_options]
-# Disabled because it causes HTTP/2 client requests to fail.
-# Looks like a Fly proxy issue.
-#h2_backend = true
-
-[http_service.concurrency]
-type = "requests"
-hard_limit = 1000
-
-[[http_service.checks]]
-grace_period = "15m" # high to enable Litestream restores
-interval = "30s"
-method = "GET"
-timeout = "5s"
-path = "/health"
-
-[[mounts]]
-source = "sunlight_rome"
-destination = "/var/db/sunlight"
-initial_size = "5GB"
-auto_extend_size_threshold = 95
-auto_extend_size_increment = "5GB"
-
-[metrics]
-port = 8080
-path = "/metrics"
-
-[[vm]]
-memory = "1gb"
-cpu_kind = "shared"
-cpus = 4
-
-[[files]]
-guest_path = "/etc/sunlight/rome2024h1.pem"
-secret_name = "ROME2024H1_KEY"
-
-[[files]]
-guest_path = "/etc/sunlight/rome2024h2.pem"
-secret_name = "ROME2024H2_KEY"
-
-[[files]]
-guest_path = "/etc/sunlight/rome2025h1.pem"
-secret_name = "ROME2025H1_KEY"
diff --git a/rome/litestream.yml b/rome/litestream.yml
deleted file mode 100644
index ba4b2c9..0000000
--- a/rome/litestream.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-addr: ":9090"
-logging:
- stderr: true
-dbs:
- - path: /var/db/sunlight/rome2024h1.db
- replicas:
- - url: s3://rome2024h1/cache
- region: auto
- endpoint: https://fly.storage.tigris.dev
- - path: /var/db/sunlight/rome2024h2.db
- replicas:
- - url: s3://rome2024h2/cache
- region: auto
- endpoint: https://fly.storage.tigris.dev
- - path: /var/db/sunlight/rome2025h1.db
- replicas:
- - url: s3://rome2025h1/cache
- region: auto
- endpoint: https://fly.storage.tigris.dev
diff --git a/rome/run.sh b/rome/run.sh
deleted file mode 100644
index 0e7f4f9..0000000
--- a/rome/run.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-set -xeuo pipefail
-
-litestream restore -if-replica-exists -if-db-not-exists /var/db/sunlight/rome2024h1.db
-litestream restore -if-replica-exists -if-db-not-exists /var/db/sunlight/rome2024h2.db
-litestream restore -if-replica-exists -if-db-not-exists /var/db/sunlight/rome2025h1.db
-exec litestream replicate -exec /usr/local/bin/sunlight >> /var/db/sunlight/sunlight.log
diff --git a/rome/sunlight.service b/rome/sunlight.service
new file mode 100644
index 0000000..4d43c97
--- /dev/null
+++ b/rome/sunlight.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Sunlight Certificate Transparency Log
+After=network.target
+
+[Service]
+EnvironmentFile=/etc/sunlight/credentials.env
+ExecStart=/usr/local/bin/sunlight -c /etc/sunlight/sunlight.yaml
+StandardOutput=append:/var/log/sunlight.jsonl
+StandardError=journal
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/rome/sunlight.yaml b/rome/sunlight.yaml
index 0b0498e..ee5b325 100644
--- a/rome/sunlight.yaml
+++ b/rome/sunlight.yaml
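Review bot: The new unit sets no `User=`/`Group=`, so sunlight runs as root while holding the per-log `seed:` files, the ACME state under `/var/db/sunlight/autocert/` and the S3 credentials loaded from `EnvironmentFile=/etc/sunlight/credentials.env`. Adding `User=sunlight` and `NoNewPrivileges=true` confines a compromise of the network-facing process; systemd reads `EnvironmentFile=` before switching user, so credentials.env can stay root-owned and mode 0600, while `/var/db/sunlight` (and, if systemd does not open the `append:` target as root, `/var/log/sunlight.jsonl`) must be writable by that user. If the ACME listener binds 80/443, the unprivileged user additionally needs `AmbientCapabilities=CAP_NET_BIND_SERVICE`. A process that must reach the ACME CA and S3 at start is better ordered with `Wants=network-online.target` and `After=network-online.target` than `After=network.target`, which does not wait for connectivity.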
@@ -1,31 +1,17 @@
-listen: ":8080"
+acme:
+ email: sunlight-acme@filippo.io
+ host: rome.ct.filippo.io
+ cache: /var/db/sunlight/autocert/
-etags3:
- region: auto
- bucket: filippo-sunlight-logs
- endpoint: https://fly.storage.tigris.dev
+checkpoints: /var/db/sunlight/checkpoints.db
 logs:
- - name: rome.ct.filippo.io/2024h1
- shortname: rome2024h1
- inception: 2024-03-01
- httpprefix: /2024h1
- roots: /etc/sunlight/roots.pem
- key: /etc/sunlight/rome2024h1.pem
- cache: /var/db/sunlight/rome2024h1.db
- poolsize: 750
- s3region: auto
- s3bucket: rome2024h1
- s3endpoint: https://fly.storage.tigris.dev
- notafterstart: 2024-01-01T00:00:00Z
- notafterlimit: 2024-07-01T00:00:00Z
-
 - name: rome.ct.filippo.io/2024h2
 shortname: rome2024h2
- inception: 2024-03-01
+ inception: 2024-08-07
 httpprefix: /2024h2
 roots: /etc/sunlight/roots.pem
- key: /etc/sunlight/rome2024h2.pem
+ seed: /etc/sunlight/rome2024h2.key
 cache: /var/db/sunlight/rome2024h2.db
 poolsize: 750
 s3region: auto
@@ -36,10 +22,10 @@ logs:
 - name: rome.ct.filippo.io/2025h1
 shortname: rome2025h1
- inception: 2024-03-01
+ inception: 2024-08-07
 httpprefix: /2025h1
 roots: /etc/sunlight/roots.pem
- key: /etc/sunlight/rome2025h1.pem
+ seed: /etc/sunlight/rome2025h1.key
 cache: /var/db/sunlight/rome2025h1.db
 poolsize: 750
 s3region: auto
@@ -47,3 +33,17 @@ logs:
 s3endpoint: https://fly.storage.tigris.dev
 notafterstart: 2025-01-01T00:00:00Z
 notafterlimit: 2025-07-01T00:00:00Z
+
+ - name: rome.ct.filippo.io/2025h2
+ shortname: rome2025h2
+ inception: 2024-08-07
+ httpprefix: /2025h2
+ roots: /etc/sunlight/roots.pem
+ seed: /etc/sunlight/rome2025h2.key
+ cache: /var/db/sunlight/rome2025h2.db
+ poolsize: 750
+ s3region: auto
+ s3bucket: rome2025h2
+ s3endpoint: https://fly.storage.tigris.dev
+ notafterstart: 2025-07-01T00:00:00Z
+ notafterlimit: 2026-01-01T00:00:00Z
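Review bot: In the first hunk the 2024h2 entry keeps its `shortname`, `cache` path and `s3bucket` while `inception` moves from 2024-03-01 to 2024-08-07 and `key: /etc/sunlight/rome2024h2.pem` becomes `seed: /etc/sunlight/rome2024h2.key`, so a fresh tree under new key material is started with the same log name and storage as the previous one; the second hunk does the same for 2025h1. If `/var/db/sunlight/rome2024h2.db` or the `rome2024h2` bucket still hold tiles or checkpoints produced under the old key, the new instance would presumably resume on another log's state, so confirm both are empty before first start and record that in the file, e.g. `# re-seeded 2024-08-07: cache DB and bucket must be empty on first start`. `checkpoints: /var/db/sunlight/checkpoints.db` replaces the S3-backed `etags3` block and now lives only on the server's local disk, and with run.sh and litestream.yml deleted nothing visible in this commit backs up or restores it, so a comment stating the backup expectation for that file (and for the per-log cache DBs) would help the next operator. The `seed:` files and `/var/db/sunlight/autocert/` hold the logs' signing and TLS secrets and should be readable only by the user the service runs as.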