systemd: merge controller/worker config examples (#3342)

Our systemd setup included both a controller and worker configuration example, and a %i templated config file meant to be used to determine which to use. For ease of use, merge the two config files into a predictably named "boundary.hcl".
3 years ago · f698f2a442
parent 7de0a299e4
commit f698f2a442
4 changed files with 72 additions and 75 deletions
--- a/.release/linux/package/etc/boundary.d/boundary.hcl
+++ b/.release/linux/package/etc/boundary.d/boundary.hcl
@ -1,3 +1,71 @@
-# # Full configuration options can be found at https://www.boundaryproject.io/docs/configuration
+# # Note that this is an example config file and is not intended to be functional as-is.
+# # Full configuration options can be found at https://www.boundaryproject.io/docs/configuration/controller

+# # Disable memory lock: https://www.man7.org/linux/man-pages/man2/mlock.2.html
 # disable_mlock = true
+
+# # Controller configuration block
+# controller {
+#   # This name attr must be unique across all controller instances if running in HA mode
+#   name = "demo-controller-1"
+#   description = "A controller for a demo!"
+
+#   # Database URL for postgres. This can be a direct "postgres://"
+#   # URL, or it can be "file://" to read the contents of a file to
+#   # supply the url, or "env://" to name an environment variable
+#   # that contains the URL.
+#   database {
+#       url = "postgresql://boundary:boundarydemo@postgres.yourdomain.com:5432/boundary"
+#   }
+# }
+
+# # API listener configuration block
+# listener "tcp" {
+#   # Should be the address of the NIC that the controller server will be reached on
+#   address = "10.0.0.1"
+#   # The purpose of this listener block
+#   purpose = "api"
+
+#   tls_disable = false
+
+#   # Uncomment to enable CORS for the Admin UI. Be sure to set the allowed origin(s)
+#   # to appropriate values.
+#   #cors_enabled = true
+#   #cors_allowed_origins = ["https://yourcorp.yourdomain.com", "serve://boundary"]
+# }
+
+# # Data-plane listener configuration block (used for worker coordination)
+# listener "tcp" {
+#   # Should be the IP of the NIC that the worker will connect on
+#   address = "10.0.0.1"
+#   # The purpose of this listener
+#   purpose = "cluster"
+# }
+
+# # Root KMS configuration block: this is the root key for Boundary
+# # Use a production KMS such as AWS KMS in production installs
+# kms "aead" {
+#   purpose = "root"
+#   aead_type = "aes-gcm"
+#   key = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
+#   key_id = "global_root"
+# }
+
+# # Worker authorization KMS
+# # Use a production KMS such as AWS KMS for production installs
+# # This key is the same key used in the worker configuration
+# kms "aead" {
+#   purpose = "worker-auth"
+#   aead_type = "aes-gcm"
+#   key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
+#   key_id = "global_worker-auth"
+# }
+
+# # Recovery KMS block: configures the recovery key for Boundary
+# # Use a production KMS such as AWS KMS for production installs
+# kms "aead" {
+#   purpose = "recovery"
+#   aead_type = "aes-gcm"
+#   key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
+#   key_id = "global_recovery"
+# }
--- a/.release/linux/package/etc/boundary.d/controller.hcl
+++ b/.release/linux/package/etc/boundary.d/controller.hcl
@ -1,71 +0,0 @@
-# # Note that this is an example systemd file and is not intended to be functional as-is.
-# # Full configuration options can be found at https://www.boundaryproject.io/docs/configuration/controller
-
-# # Disable memory lock: https://www.man7.org/linux/man-pages/man2/mlock.2.html
-# # disable_mlock = true
-
-# # Controller configuration block
-# controller {
-#   # This name attr must be unique across all controller instances if running in HA mode
-#   name = "demo-controller-1"
-#   description = "A controller for a demo!"
-
-#   # Database URL for postgres. This can be a direct "postgres://"
-#   # URL, or it can be "file://" to read the contents of a file to
-#   # supply the url, or "env://" to name an environment variable
-#   # that contains the URL.
-#   database {
-#       url = "postgresql://boundary:boundarydemo@postgres.yourdomain.com:5432/boundary"
-#   }
-# }
-
-# # API listener configuration block
-# listener "tcp" {
-#   # Should be the address of the NIC that the controller server will be reached on
-#   address = "10.0.0.1"
-#   # The purpose of this listener block
-#   purpose = "api"
-
-#   tls_disable = false
-
-#   # Uncomment to enable CORS for the Admin UI. Be sure to set the allowed origin(s)
-#   # to appropriate values.
-#   #cors_enabled = true
-#   #cors_allowed_origins = ["https://yourcorp.yourdomain.com", "serve://boundary"]
-# }
-
-# # Data-plane listener configuration block (used for worker coordination)
-# listener "tcp" {
-#   # Should be the IP of the NIC that the worker will connect on
-#   address = "10.0.0.1"
-#   # The purpose of this listener
-#   purpose = "cluster"
-# }
-
-# # Root KMS configuration block: this is the root key for Boundary
-# # Use a production KMS such as AWS KMS in production installs
-# kms "aead" {
-#   purpose = "root"
-#   aead_type = "aes-gcm"
-#   key = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
-#   key_id = "global_root"
-# }
-
-# # Worker authorization KMS
-# # Use a production KMS such as AWS KMS for production installs
-# # This key is the same key used in the worker configuration
-# kms "aead" {
-#   purpose = "worker-auth"
-#   aead_type = "aes-gcm"
-#   key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
-#   key_id = "global_worker-auth"
-# }
-
-# # Recovery KMS block: configures the recovery key for Boundary
-# # Use a production KMS such as AWS KMS for production installs
-# kms "aead" {
-#   purpose = "recovery"
-#   aead_type = "aes-gcm"
-#   key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
-#   key_id = "global_recovery"
-# }
--- a/.release/linux/package/etc/boundary.d/worker.hcl
+++ b/.release/linux/package/etc/boundary.d/worker.hcl
@ -1,4 +1,4 @@
-# # Note that this is an example systemd file and is not intended to be functional as-is.
+# # Note that this is an example config file and is not intended to be functional as-is.
 # # Full configuration options can be found at https://www.boundaryproject.io/docs/configuration/worker

 # listener "tcp" {
--- a/.release/linux/package/usr/lib/systemd/system/boundary.service
+++ b/.release/linux/package/usr/lib/systemd/system/boundary.service
@ -10,7 +10,7 @@ User=boundary
 Group=boundary
 ProtectSystem=full
 ProtectHome=read-only
-ExecStart=/usr/bin/boundary server -config=/etc/boundary.d/%i.hcl
+ExecStart=/usr/bin/boundary server -config=/etc/boundary.d/boundary.hcl
 ExecReload=/bin/kill --signal HUP $MAINPID
 KillMode=process
 KillSignal=SIGINT
@ -20,4 +20,4 @@ TimeoutStopSec=30
 LimitMEMLOCK=infinity

 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target