# Listening Domain
locals {
  # Host label prepended to DOMAIN; TRAEFIK_DOMAIN is the plain concatenation of the two.
  SUBDOMAIN = "penpot." // End with a dot, or leave blank for the root domain
  DOMAIN = "example.local"
  # Hostname used in the Traefik Host() router rule and in PENPOT_PUBLIC_URI.
  TRAEFIK_DOMAIN = "${local.SUBDOMAIN}${local.DOMAIN}"
}

# Application routing environment variables
locals {
  # Public URL of the instance: https on the hostname Traefik routes.
  PENPOT_PUBLIC_URI                     = "https://${local.TRAEFIK_DOMAIN}"
  # The 127.0.0.1 addresses in this block match the local_bind_port values of the
  # Consul Connect upstreams declared in the job's sidecar proxies, not real local daemons.
  PENPOT_BACKEND_URI                    = "http://127.0.0.1:6060"
  PENPOT_EXPORTER_URI                   = "http://127.0.0.1:6061"
  # NOTE(review): enable-registration together with enable-demo-users on a service routed
  # through Traefik's websecure entrypoint presumably lets anyone who can reach the hostname
  # obtain an account. Confirm this is intended; drop enable-demo-users outside test setups.
  PENPOT_FLAGS                          = "enable-smtp enable-registration enable-login-with-password enable-demo-users"
  # Values starting with op:// are secret references (vault/item/field), not the secrets
  # themselves. They must be resolved before the job is submitted; how that happens is not
  # shown in this file. If one is submitted unresolved, the literal reference string becomes
  # the value, which for PENPOT_SECRET_KEY would be a guessable key.
  # NOTE(review): the resolved values are handed to the tasks through `env` blocks, which are
  # stored in the job specification and readable by anyone allowed to read the job.
  PENPOT_SECRET_KEY                     = "op://InfraSecrets/7hbsxng22unjqc4wkj62qniu2u/credential" # Try running `openssl rand -hex 32` to generate a random secret key
  PENPOT_DATABASE_URI                   = "postgresql://127.0.0.1:5432/penpot"
  PENPOT_DATABASE_USERNAME              = "op://InfraSecrets/Postgres - Penpot User/username"
  PENPOT_DATABASE_PASSWORD              = "op://InfraSecrets/Postgres - Penpot User/password"
  PENPOT_REDIS_URI                      = "redis://127.0.0.1:6379/0"
  # NOTE(review): this name is spelled TELEMERY (missing a T); Penpot's setting is
  # PENPOT_TELEMETRY_ENABLED. The local keeps its name because the job's env block refers
  # to it; what matters is the environment key the backend task actually receives.
  PENPOT_TELEMERY_ENABLED               = "false"
}

# Assets storage environment variables (fs or s3)
locals {
  // PENPOT_ASSETS_STORAGE_BACKEND         = "assets-fs"
  # Still defined and passed to the backend although the active backend below is assets-s3;
  # presumably unused in that mode.
  PENPOT_STORAGE_ASSETS_FS_DIRECTORY    = "/opt/data/assets"

  PENPOT_ASSETS_STORAGE_BACKEND         = "assets-s3"
  # Secret references (op://vault/item/field); they must be resolved before submission.
  # NOTE(review): scope this key pair to the "penpot" bucket only, since it ends up in the
  # backend task's environment.
  AWS_ACCESS_KEY_ID                     = "op://InfraSecrets/Penpot S3 Key/username"
  AWS_SECRET_ACCESS_KEY                 = "op://InfraSecrets/Penpot S3 Key/credential"
  # Plain http to loopback: port 9000 is the local bind of the "minio" Connect upstream, so
  # the cleartext hop stays inside the task's network namespace and the sidecar carries it on.
  PENPOT_STORAGE_ASSETS_S3_ENDPOINT     = "http://127.0.0.1:9000"
  PENPOT_STORAGE_ASSETS_S3_BUCKET       = "penpot"
}

# SMTP environment variables
locals {
  PENPOT_SMTP_DEFAULT_FROM              = "no-reply+penpot@${local.DOMAIN}"
  PENPOT_SMTP_DEFAULT_REPLY_TO          = "no-reply+penpot@${local.DOMAIN}"
  # 127.0.0.1:1025 is the local bind of the "fake-smtp" Connect upstream in the backend group.
  PENPOT_SMTP_HOST                      = "127.0.0.1"
  PENPOT_SMTP_PORT                      = "1025"
  # No credentials and no TLS/SSL: acceptable only for a loopback mail sink like the one above.
  # NOTE(review): when this is pointed at a real relay, set the username/password and enable
  # TLS or SSL, otherwise registration and recovery mail travels unauthenticated in cleartext.
  PENPOT_SMTP_USERNAME                  = ""
  PENPOT_SMTP_PASSWORD                  = ""
  PENPOT_SMTP_TLS                       = "false"
  PENPOT_SMTP_SSL                       = "false"
}

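# Penpot deployment: three groups (frontend, backend, exporter), each in its own bridge
# network namespace and connected to its dependencies through Consul Connect upstreams.
# Only the frontend service is tagged for Traefik; every other service and sidecar is hidden.
job "penpot" {
  datacenters = ["dc1"]

  group "frontend" {
    count = 1

    network {
      mode = "bridge"
      # Dynamic host port forwarded to the container's port 80.
      # NOTE(review): this host port speaks plain HTTP and is reachable by anything that can
      # reach the client node on it, not only by Traefik; confirm the host firewall limits it.
      port "ingress" {
        to = 80
      }
    }

    # Expose frontend to internet through traefik
    service {
      name = "penpot"
      port = "ingress"

      # TLS-only router on the websecure entrypoint, matched on the configured hostname.
      tags = [
        "traefik.enable=true",
        "traefik.http.routers.penpot.tls=true",
        "traefik.http.routers.penpot.entrypoints=websecure",
        "traefik.http.routers.penpot.rule=Host(`${local.TRAEFIK_DOMAIN}`)",
      ]

      connect {
        sidecar_service {
          proxy {
            # Each upstream is bound on loopback inside this group's namespace; the ports
            # match PENPOT_BACKEND_URI, PENPOT_EXPORTER_URI and the S3 endpoint in the locals.
            upstreams {
              destination_name   = "penpot-backend"
              local_bind_address = "127.0.0.1"
              local_bind_port    = 6060
            }
            upstreams {
              destination_name   = "penpot-exporter"
              local_bind_address = "127.0.0.1"
              local_bind_port    = 6061
            }
            upstreams {
              destination_name   = "minio"
              local_bind_address = "127.0.0.1"
              local_bind_port    = 9000
            }
          }
          tags = ["traefik.enable=false"] # Hide service from traefik
        }
      }

      check {
        type = "http"
        path = "/"
        interval = "10s"
        timeout = "2s"
      }
    }

    task "frontend" {
      driver = "docker"

      config {
        # NOTE(review): image is pinned by tag only; a tag can be re-pushed, so consider
        # pinning by digest as well.
        image = "penpotapp/frontend:2.0.1"
        ports = ["ingress"]
      }

      env {
        PENPOT_PUBLIC_URI = local.PENPOT_PUBLIC_URI
        PENPOT_BACKEND_URI = local.PENPOT_BACKEND_URI
        PENPOT_EXPORTER_URI = local.PENPOT_EXPORTER_URI

        PENPOT_FLAGS = local.PENPOT_FLAGS
      }
    }
  }

  group "backend" {

    # No port labels are declared: the backend is reachable only through its Connect sidecar.
    network {
      mode = "bridge"
    }

    service {
      # Make available to other services by the 'penpot-backend' name
      name = "penpot-backend"
      port = "6060"
      tags = ["traefik.enable=false"] # Hide penpot-backend from traefik

      # Make available through the consul service mesh
      connect {
        sidecar_service {
          proxy {
            # Loopback binds matching the database, Redis, S3 and SMTP addresses in the locals.
            upstreams {
              destination_name   = "postgres"
              local_bind_address = "127.0.0.1"
              local_bind_port    = 5432
            }
            upstreams {
              destination_name   = "redis-cache"
              local_bind_address = "127.0.0.1"
              local_bind_port    = 6379
            }
            upstreams {
              destination_name   = "minio"
              local_bind_address = "127.0.0.1"
              local_bind_port    = 9000
            }
            upstreams {
              destination_name   = "fake-smtp"
              local_bind_address = "127.0.0.1"
              local_bind_port    = 1025
            }
          }
          tags = ["traefik.enable=false"] # Hide penpot-backend envoy from traefik
        }
      }
    }

    task "backend" {
      driver = "docker"
      config {
        image = "penpotapp/backend:2.0.1"
        # The former `ports = ["ingress"]` was removed: this group's network block declares
        # no "ingress" label, so the Docker driver had nothing to map. Traffic arrives via
        # the Connect sidecar on service port 6060.
      }

      # NOTE(review): PENPOT_SECRET_KEY, the database credentials and the AWS key pair are
      # passed as plain env values. An env block is stored with the job specification and is
      # readable by anyone allowed to read the job; consider rendering these from Nomad
      # Variables or Vault with a `template` block instead.
      env {
        PENPOT_PUBLIC_URI = local.PENPOT_PUBLIC_URI
        PENPOT_SECRET_KEY = local.PENPOT_SECRET_KEY
        PENPOT_DATABASE_URI = local.PENPOT_DATABASE_URI
        PENPOT_DATABASE_USERNAME = local.PENPOT_DATABASE_USERNAME
        PENPOT_DATABASE_PASSWORD = local.PENPOT_DATABASE_PASSWORD
        PENPOT_REDIS_URI = local.PENPOT_REDIS_URI
        PENPOT_FLAGS = local.PENPOT_FLAGS
        # Key corrected to PENPOT_TELEMETRY_ENABLED; it was spelled TELEMERY, so the opt-out
        # presumably never reached Penpot. The local keeps its original (misspelled) name.
        PENPOT_TELEMETRY_ENABLED = local.PENPOT_TELEMERY_ENABLED

        PENPOT_ASSETS_STORAGE_BACKEND = local.PENPOT_ASSETS_STORAGE_BACKEND
        PENPOT_STORAGE_ASSETS_FS_DIRECTORY = local.PENPOT_STORAGE_ASSETS_FS_DIRECTORY
        AWS_ACCESS_KEY_ID = local.AWS_ACCESS_KEY_ID
        AWS_SECRET_ACCESS_KEY = local.AWS_SECRET_ACCESS_KEY
        PENPOT_STORAGE_ASSETS_S3_ENDPOINT = local.PENPOT_STORAGE_ASSETS_S3_ENDPOINT
        PENPOT_STORAGE_ASSETS_S3_BUCKET = local.PENPOT_STORAGE_ASSETS_S3_BUCKET

        PENPOT_SMTP_DEFAULT_FROM = local.PENPOT_SMTP_DEFAULT_FROM
        PENPOT_SMTP_DEFAULT_REPLY_TO = local.PENPOT_SMTP_DEFAULT_REPLY_TO
        PENPOT_SMTP_HOST = local.PENPOT_SMTP_HOST
        PENPOT_SMTP_PORT = local.PENPOT_SMTP_PORT
        PENPOT_SMTP_USERNAME = local.PENPOT_SMTP_USERNAME
        PENPOT_SMTP_PASSWORD = local.PENPOT_SMTP_PASSWORD
        PENPOT_SMTP_TLS = local.PENPOT_SMTP_TLS
        PENPOT_SMTP_SSL = local.PENPOT_SMTP_SSL
      }

      resources {
        cpu = 8000
        memory = 1024
        # memory_max only takes effect when memory oversubscription is enabled on the cluster.
        memory_max = 2048
      }
    }
  }

  group "exporter" {

    network {
      mode = "bridge"
    }

    task "exporter" {
      driver = "docker"
      config {
        image = "penpotapp/exporter:2.0.1"
      }

      # The exporter receives only the public URI and the Redis address; no secrets.
      env {
        PENPOT_PUBLIC_URI = local.PENPOT_PUBLIC_URI
        PENPOT_REDIS_URI = local.PENPOT_REDIS_URI
      }
    }

    service {
      name = "penpot-exporter"
      port = "6061"
      tags = ["traefik.enable=false"] # Hide penpot-exporter from traefik

      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name   = "redis-cache"
              local_bind_address = "127.0.0.1"
              local_bind_port    = 6379
            }
          }
          tags = ["traefik.enable=false"] # Hide envoy from traefik
        }
      }
    }
  }
}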