Skip to content

feat: create single Nomad server running on DigitalOcean droplet#3

Merged
cdunster merged 54 commits intomainfrom
single-nomad-server-running-on-droplet
Apr 10, 2025
Merged

feat: create single Nomad server running on DigitalOcean droplet#3
cdunster merged 54 commits intomainfrom
single-nomad-server-running-on-droplet

Conversation

@cdunster
Copy link
Copy Markdown
Contributor

@cdunster cdunster commented Apr 4, 2025
edited
Loading

This is the Pulumi definition for the Nomad Server that is required for #holochain/wind-tunnel/issues/132 and can be found at https://nomad-server-01.holochain.org:4646/ui.

cdunster added 18 commits February 5, 2025 19:12
@cdunster
feat: add hashicorp apt repo for latest nomad version
9f6daa2
@cdunster
feat: write nomad config to default location
809448a
@cdunster
feat: start nomad as a service
3e4f2c8
@cdunster
feat: run nomad server as nomad user
ffe1398
@cdunster
feat: enable ACL to restrict access to Nomad server
87138bc
@cdunster
feat: advertise public IPv4 address on server
73b7f83
@cdunster
feat: create reserved IPv4 for nomad server
899e5c4
@cdunster
chore: add nomad package
75959f0
@cdunster
chore: add nomad client config for testing
469f9dc
@cdunster
feat: untie reserved IP from droplet lifecycle
9668ae7 
Before this, changing the droplet replaced the reserved IP address which
changed the actual address.
@cdunster
refactor: don't unnecessarily convert droplet size to string
af968d5
@cdunster
feat: don't advertise serf via public IP
1b81cad
@cdunster
feat: enable TLS and create certs on boot
dc6c708
@cdunster
docs: add section in README for instructions to deploy a server
90149fb
@cdunster
feat: allow clients to connect without TLS
e3fe3fc
@cdunster
feat: add nomad-server-01.holochain.org as DNS name for certificate
45d269d
@cdunster
feat: remove broken verifying server hostname option
48e095c 
It's not working so just remove it for now.
@cdunster
feat: increase job lifetime to 24 hours
e5373e2
@cdunster cdunster requested a review from a team April 4, 2025 15:38
@cdunster cdunster self-assigned this Apr 4, 2025
@holochain-release-automation2
Copy link
Copy Markdown
Collaborator

holochain-release-automation2 commented Apr 4, 2025
edited
Loading

🍹 preview on nomad-server/holochain/nomad-server

Pulumi report

View in Pulumi Cloud

  Previewing update (holochain/nomad-server)

View Live: https://app.pulumi.com/holochain/nomad-server/nomad-server/previews/b1f3a3ca-5570-488c-8047-d17d0b61afac

pulumi:pulumi:Stack: (same)
  [urn=urn:pulumi:nomad-server::nomad-server::pulumi:pulumi:Stack::nomad-server-nomad-server]
  +-command:remote:Command: (replace)
      [id=chown-etc-nomad-dir-before-server-certc71d31ab]
      [urn=urn:pulumi:nomad-server::nomad-server::command:remote:Command::chown-etc-nomad-dir-before-server-cert]
      [provider=urn:pulumi:nomad-server::nomad-server::pulumi:providers:command::default_1_0_2::3d5f4907-5ccd-4d31-8098-9549b40692ec]
    - triggers: [secret]
    + triggers: [
    +     [0]: asset(file:f687a96) { ./nomad-agent-ca.pem }
    +     [1]: [secret]
    +     [2]: asset(file:6775693) { ./nomad.hcl }
      ]
  +-command:remote:Command: (replace)
      [id=create-server-cert1ba48512]
      [urn=urn:pulumi:nomad-server::nomad-server::command:remote:Command::create-server-cert]
      [provider=urn:pulumi:nomad-server::nomad-server::pulumi:providers:command::default_1_0_2::3d5f4907-5ccd-4d31-8098-9549b40692ec]
    - triggers: [secret]
    + triggers: [
    +     [0]: asset(file:f687a96) { ./nomad-agent-ca.pem }
    +     [1]: [secret]
      ]
  +-command:remote:Command: (replace)
      [id=print-server-cert13df651b]
      [urn=urn:pulumi:nomad-server::nomad-server::command:remote:Command::print-server-cert]
      [provider=urn:pulumi:nomad-server::nomad-server::pulumi:providers:command::default_1_0_2::3d5f4907-5ccd-4d31-8098-9549b40692ec]
    - triggers: [secret]
    + triggers: [
    +     [0]: asset(file:f687a96) { ./nomad-agent-ca.pem }
    +     [1]: [secret]
      ]
  +-command:remote:Command: (replace)
      [id=chown-etc-nomad-dir52b48959]
      [urn=urn:pulumi:nomad-server::nomad-server::command:remote:Command::chown-etc-nomad-dir]
      [provider=urn:pulumi:nomad-server::nomad-server::pulumi:providers:command::default_1_0_2::3d5f4907-5ccd-4d31-8098-9549b40692ec]
    - triggers: [secret]
    + triggers: [
    +     [0]: asset(file:f687a96) { ./nomad-agent-ca.pem }
    +     [1]: [secret]
    +     [2]: asset(file:6775693) { ./nomad.hcl }
    +     [3]: asset(file:1289f09) { ./job-runner.policy.hcl }
      ]
  +-command:remote:Command: (replace)
      [id=apply-job-runner-policy8353b57a]
      [urn=urn:pulumi:nomad-server::nomad-server::command:remote:Command::apply-job-runner-policy]
      [provider=urn:pulumi:nomad-server::nomad-server::pulumi:providers:command::default_1_0_2::3d5f4907-5ccd-4d31-8098-9549b40692ec]
    - triggers: [secret]
    + triggers: [
    +     [0]: asset(file:1289f09) { ./job-runner.policy.hcl }
    +     [1]: [secret]
      ]
Resources:
  +-5 to replace
  17 unchanged

ThetaSinner
ThetaSinner reviewed Apr 7, 2025
View reviewed changes
ThetaSinner
ThetaSinner previously approved these changes Apr 7, 2025
View reviewed changes
@cdunster cdunster force-pushed the single-nomad-server-running-on-droplet branch from fa95579 to bf65d61 Compare April 8, 2025 17:13
mattyg
mattyg reviewed Apr 8, 2025
View reviewed changes
@cdunster cdunster force-pushed the single-nomad-server-running-on-droplet branch from 7d2192d to 01418b0 Compare April 9, 2025 08:53
@cdunster
Copy link
Copy Markdown
Contributor Author

cdunster commented Apr 9, 2025

@mattyg, @jost-s, and @ThetaSinner, I've added quite a lot to the Pulumi code since your last reviews. Now, Pulumi performs the Nomad setup for us automatically.

@cdunster cdunster merged commit 0e817dc into main Apr 10, 2025
3 checks passed
@cdunster cdunster deleted the single-nomad-server-running-on-droplet branch April 10, 2025 11:58
jost-s
jost-s reviewed Apr 10, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@jost-s jost-s left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm too late with my review, but anyway. I wanted to run the commands today, so here is my text from yesterday.

You went to town on the go coding there!
I can follow the description of all the certificates and tokens. I trust that it works, I haven't run the commands myself.

README.md

## Changing the TLS certificate authority certificate

Nomad uses TLS for encrypted communications with the server(s) for this to work
Copy link
Copy Markdown
Contributor

@jost-s jost-s Apr 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Nomad uses TLS for encrypted communications with the server(s) for this to work
Nomad uses TLS for encrypted communications with the server(s). For this to work

README.md
Some changes to the definition of the DigitalOcean droplet will require the
droplet to be destroyed and re-created.

If this happens, or if we want to deliberately re-create the server(s), then
Copy link
Copy Markdown
Contributor

@jost-s jost-s Apr 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
If this happens, or if we want to deliberately re-create the server(s), then
If this happens, or if we want to deliberately re-create the server(s),

@cdunster
Copy link
Copy Markdown
Contributor Author

cdunster commented Apr 10, 2025

Ah, sorry @jost-s. I thought that it seems to be working, and we can always make changes later in separate PRs, so I just went for it 😁

You went to town on the go coding there!

Yeah, once I found the command to run arbitrary commands and copy files via SSH then I saw no reason to not just automate everything

@jost-s
Copy link
Copy Markdown
Contributor

jost-s commented Apr 10, 2025

Totally agree. I'll come back to this if necessary once I've tried out these steps.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jost-s jost-s jost-s left review comments

@mattyg mattyg mattyg approved these changes

@ThetaSinner ThetaSinner Awaiting requested review from ThetaSinner

Assignees

@cdunster cdunster

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@cdunster @holochain-release-automation2 @jost-s @mattyg @ThetaSinner