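# Nomad job for Penpot: three groups (frontend, backend, exporter), each in
# bridge networking with a Consul Connect sidecar. Only the frontend service is
# tagged for Traefik; every other service and sidecar sets traefik.enable=false.
#
# NOTE(review): values beginning with "op://" are 1Password secret references.
# They reach the containers verbatim unless this file is rendered by a resolver
# before submission (presumably `op inject` - confirm). Once resolved, the
# plaintext values are part of the submitted job spec and readable by anyone
# allowed to read the job; Nomad variables or Vault-backed `template` blocks
# keep them out of the spec.

# Listening Domain
locals {
  TRAEFIK_DOMAIN = "penpot.example.local"
}

# Application routing environment variables
locals {
  PENPOT_PUBLIC_URI   = "https://${local.TRAEFIK_DOMAIN}"
  PENPOT_BACKEND_URI  = "http://127.0.0.1:6060"
  PENPOT_EXPORTER_URI = "http://127.0.0.1:6061"

  # NOTE(review): this instance is published on Traefik's websecure entrypoint.
  # `enable-registration` and `enable-demo-users` both let visitors create
  # accounts without an invitation, and `enable-prepl-server` turns on the
  # backend's PREPL management endpoint (no port is published for it in this
  # job). Keep only the flags the deployment actually needs.
  PENPOT_FLAGS = "enable-smtp enable-registration enable-login-with-password enable-prepl-server enable-demo-users"

  # Try running `openssl rand -hex 32` to generate a random secret key
  PENPOT_SECRET_KEY = "op://InfraSecrets/7hbsxng22unjqc4wkj62qniu2u/credential"

  PENPOT_DATABASE_URI      = "postgresql://127.0.0.1:5432/penpot"
  PENPOT_DATABASE_USERNAME = "op://InfraSecrets/Postgres - Penpot User/username"
  PENPOT_DATABASE_PASSWORD = "op://InfraSecrets/Postgres - Penpot User/password"
  PENPOT_REDIS_URI         = "redis://127.0.0.1:6379/0"

  # Was misspelled PENPOT_TELEMERY_ENABLED, so the backend never received the
  # opt-out and telemetry stayed at its default.
  PENPOT_TELEMETRY_ENABLED = "false"
}

# Assets storage environment variables (fs or s3)
locals {
  // PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs"
  PENPOT_STORAGE_ASSETS_FS_DIRECTORY = "/opt/data/assets"

  PENPOT_ASSETS_STORAGE_BACKEND     = "assets-s3"
  AWS_ACCESS_KEY_ID                 = "op://InfraSecrets/Penpot S3 Key/username"
  AWS_SECRET_ACCESS_KEY             = "op://InfraSecrets/Penpot S3 Key/credential"
  # Plain http is only the hop to the local Connect upstream on 127.0.0.1:9000.
  PENPOT_STORAGE_ASSETS_S3_ENDPOINT = "http://127.0.0.1:9000"
  PENPOT_STORAGE_ASSETS_S3_BUCKET   = "penpot"
}

# SMTP environment variables
# NOTE(review): no credentials and TLS/SSL off match the "fake-smtp" upstream
# used by the backend; set all four when pointing at a real mail relay.
locals {
  PENPOT_SMTP_DEFAULT_FROM     = "no-reply+penpot@example.local"
  PENPOT_SMTP_DEFAULT_REPLY_TO = "no-reply+penpot@example.local"
  PENPOT_SMTP_HOST             = "127.0.0.1"
  PENPOT_SMTP_PORT             = "1025"
  PENPOT_SMTP_USERNAME         = ""
  PENPOT_SMTP_PASSWORD         = ""
  PENPOT_SMTP_TLS              = "false"
  PENPOT_SMTP_SSL              = "false"
}

job "penpot" {
  datacenters = ["dc1"]

  group "frontend" {
    count = 1

    network {
      mode = "bridge"

      port "ingress" {
        to = 80
      }
    }

    # Expose frontend to internet through traefik
    service {
      name = "penpot"
      port = "ingress"

      tags = [
        "traefik.enable=true",
        "traefik.http.routers.penpot.tls=true",
        "traefik.http.routers.penpot.entrypoints=websecure",
        "traefik.http.routers.penpot.rule=Host(`${local.TRAEFIK_DOMAIN}`)",
      ]

      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name   = "penpot-backend"
              local_bind_address = "127.0.0.1"
              local_bind_port    = 6060
            }
            upstreams {
              destination_name   = "penpot-exporter"
              local_bind_address = "127.0.0.1"
              local_bind_port    = 6061
            }
            upstreams {
              destination_name   = "minio"
              local_bind_address = "127.0.0.1"
              local_bind_port    = 9000
            }
          }

          tags = ["traefik.enable=false"] # Hide service from traefik
        }
      }

      check {
        type     = "http"
        path     = "/"
        interval = "10s"
        timeout  = "2s"
      }
    }

    task "frontend" {
      driver = "docker"

      config {
        # NOTE(review): pinned by tag only; pinning by digest as well would
        # protect against the tag being re-pointed.
        image = "penpotapp/frontend:1.19.3"
        ports = ["ingress"]
      }

      env {
        PENPOT_PUBLIC_URI   = local.PENPOT_PUBLIC_URI
        PENPOT_BACKEND_URI  = local.PENPOT_BACKEND_URI
        PENPOT_EXPORTER_URI = local.PENPOT_EXPORTER_URI
        PENPOT_FLAGS        = local.PENPOT_FLAGS
      }
    }
  }

  group "backend" {
    network {
      mode = "bridge"

      port "ingress" {
        to = 6060
      }
    }

    service {
      # Make available to other services by the 'penpot-backend' name
      name = "penpot-backend"
      port = "6060"
      tags = ["traefik.enable=false"] # Hide penpot-backend from traefik

      # Make available through the consul service mesh
      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name   = "postgres"
              local_bind_address = "127.0.0.1"
              local_bind_port    = 5432
            }
            upstreams {
              destination_name   = "redis-cache"
              local_bind_address = "127.0.0.1"
              local_bind_port    = 6379
            }
            upstreams {
              destination_name   = "minio"
              local_bind_address = "127.0.0.1"
              local_bind_port    = 9000
            }
            upstreams {
              destination_name   = "fake-smtp"
              local_bind_address = "127.0.0.1"
              local_bind_port    = 1025
            }
          }

          tags = ["traefik.enable=false"] # Hide penpot-backend envoy from traefik
        }
      }
    }

    task "backend" {
      driver = "docker"

      config {
        image = "penpotapp/backend:1.19.3"
        ports = ["ingress"]
      }

      # The backend is the only task that receives the secret key and the
      # database, S3 and SMTP credentials.
      env {
        PENPOT_PUBLIC_URI        = local.PENPOT_PUBLIC_URI
        PENPOT_SECRET_KEY        = local.PENPOT_SECRET_KEY
        PENPOT_DATABASE_URI      = local.PENPOT_DATABASE_URI
        PENPOT_DATABASE_USERNAME = local.PENPOT_DATABASE_USERNAME
        PENPOT_DATABASE_PASSWORD = local.PENPOT_DATABASE_PASSWORD
        PENPOT_REDIS_URI         = local.PENPOT_REDIS_URI
        PENPOT_FLAGS             = local.PENPOT_FLAGS
        PENPOT_TELEMETRY_ENABLED = local.PENPOT_TELEMETRY_ENABLED

        PENPOT_ASSETS_STORAGE_BACKEND      = local.PENPOT_ASSETS_STORAGE_BACKEND
        PENPOT_STORAGE_ASSETS_FS_DIRECTORY = local.PENPOT_STORAGE_ASSETS_FS_DIRECTORY
        AWS_ACCESS_KEY_ID                  = local.AWS_ACCESS_KEY_ID
        AWS_SECRET_ACCESS_KEY              = local.AWS_SECRET_ACCESS_KEY
        PENPOT_STORAGE_ASSETS_S3_ENDPOINT  = local.PENPOT_STORAGE_ASSETS_S3_ENDPOINT
        PENPOT_STORAGE_ASSETS_S3_BUCKET    = local.PENPOT_STORAGE_ASSETS_S3_BUCKET

        PENPOT_SMTP_DEFAULT_FROM     = local.PENPOT_SMTP_DEFAULT_FROM
        PENPOT_SMTP_DEFAULT_REPLY_TO = local.PENPOT_SMTP_DEFAULT_REPLY_TO
        PENPOT_SMTP_HOST             = local.PENPOT_SMTP_HOST
        PENPOT_SMTP_PORT             = local.PENPOT_SMTP_PORT
        PENPOT_SMTP_USERNAME         = local.PENPOT_SMTP_USERNAME
        PENPOT_SMTP_PASSWORD         = local.PENPOT_SMTP_PASSWORD
        PENPOT_SMTP_TLS              = local.PENPOT_SMTP_TLS
        PENPOT_SMTP_SSL              = local.PENPOT_SMTP_SSL
      }

      resources {
        cpu        = 8000
        memory     = 1024
        memory_max = 2048
      }
    }
  }

  group "exporter" {
    network {
      mode = "bridge"

      port "ingress" {
        to = 6061
      }
    }

    task "exporter" {
      driver = "docker"

      config {
        image = "penpotapp/exporter:1.19.3"
      }

      env {
        PENPOT_PUBLIC_URI = local.PENPOT_PUBLIC_URI
        PENPOT_REDIS_URI  = local.PENPOT_REDIS_URI
      }
    }

    service {
      name = "penpot-exporter"
      port = "6061"
      tags = ["traefik.enable=false"] # Hide envoy from traefik

      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name   = "redis-cache"
              local_bind_address = "127.0.0.1"
              local_bind_port    = 6379
            }
          }

          tags = ["traefik.enable=false"] # Hide envoy from traefik
        }
      }
    }
  }
}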