homelab-nomad/core/main.tf

module "blocky" {
  source = "./blocky"

  base_hostname = var.base_hostname
  # Not in this module
  # depends_on = [module.databases]
}

module "traefik" {
  source = "./traefik"

  base_hostname = var.base_hostname
}

module "metrics" {
  source = "./metrics"
  # Not in this module
  # depends_on = [module.databases]
}

resource "nomad_job" "nomad-client-stalker" {
  # Stalker used to allow using Nomad service registry to identify nomad client hosts
  jobspec = file("${path.module}/nomad-client-stalker.nomad")
}

module "loki" {
  source = "../services/service"

  name         = "loki"
  image        = "grafana/loki:2.2.1"
  args         = ["--config.file=$${NOMAD_TASK_DIR}/loki-config.yml"]
  service_port = 3100
  ingress      = true
  sticky_disk  = true
  # healthcheck  = "/ready"
  templates = [
    {
      data  = file("${path.module}/loki-config.yml")
      dest  = "loki-config.yml"
      mount = false
    }
  ]
}

resource "nomad_job" "syslog-ng" {
  jobspec = file("${path.module}/syslogng.nomad")
}

resource "nomad_job" "ddclient" {
  jobspec = file("${path.module}/ddclient.nomad")
}

resource "nomad_job" "lldap" {
  jobspec = file("${path.module}/lldap.nomad")
}

module "authelia" {
  source = "../services/service"

  name         = "authelia"
  priority     = 70
  image        = "authelia/authelia:latest"
  args         = ["--config", "$${NOMAD_TASK_DIR}/authelia.yml"]
  ingress      = true
  service_port = 9091
  # metrics_port = 9959
  env = {
    AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE       = "$${NOMAD_SECRETS_DIR}/ldap_password.txt"
    AUTHELIA_JWT_SECRET_FILE                                 = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
    AUTHELIA_SESSION_SECRET_FILE                             = "$${NOMAD_SECRETS_DIR}/session_secret.txt"
    AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE                     = "$${NOMAD_SECRETS_DIR}/storage_encryption_key.txt"
    AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE                     = "$${NOMAD_SECRETS_DIR}/mysql_password.txt"
    AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE                     = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
    AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE        = "$${NOMAD_SECRETS_DIR}/oidc_hmac_secret.txt"
    AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_private_key.txt"
    # AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE  = "$${NOMAD_SECRETS_DIR}/oidc_issuer_certificate_chain.txt"
  }

  use_mysql = true
  use_ldap  = true
  mysql_bootstrap = {
    enabled = true
  }

  service_tags = [
    # Configure traefik to add this middleware
    "traefik.http.middlewares.authelia.forwardAuth.address=http://$${NOMAD_IP_main}:$${NOMAD_HOST_PORT_main}/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",
    "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true",
    "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
    "traefik.http.middlewares.authelia-basic.forwardAuth.address=http://$${NOMAD_IP_main}:$${NOMAD_HOST_PORT_main}/api/verify?auth=basic",
    "traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true",
    "traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
  ]

  templates = [
    {
      data  = file("${path.module}/authelia.yml")
      dest  = "authelia.yml"
      mount = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .lldap_admin_password }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "ldap_password.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .jwt_secret }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "jwt_secret.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .session_secret }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "session_secret.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .storage_encryption_key }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "storage_encryption_key.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .db_pass }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "mysql_password.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_hmac_secret }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "oidc_hmac_secret.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_private_key }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "oidc_issuer_private_key.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_certificate_chain }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "oidc_issuer_certificate_chain.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs\" }}{{ .smtp_password }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "smtp_password.txt"
      mount       = false
    },
  ]
}
Big refactor to split core and services for better ordering 2022-10-27 21:28:34 +00:00			`module "blocky" {`
			`source = "./blocky"`

			`base_hostname = var.base_hostname`
			`# Not in this module`
			`# depends_on = [module.databases]`
			`}`

			`module "traefik" {`
			`source = "./traefik"`

			`base_hostname = var.base_hostname`
			`}`

A whole lot of incremental fixes for nomad variables and such Also adds stunnel between redis and clients 2023-03-24 23:32:37 +00:00			`module "metrics" {`
			`source = "./metrics"`
			`# Not in this module`
			`# depends_on = [module.databases]`
Big refactor to split core and services for better ordering 2022-10-27 21:28:34 +00:00			`}`

Get nomad client scraping working 2023-03-25 05:22:11 +00:00			`resource "nomad_job" "nomad-client-stalker" {`
Document what the nomad stalker is for 2023-05-12 17:10:31 +00:00			`# Stalker used to allow using Nomad service registry to identify nomad client hosts`
Get nomad client scraping working 2023-03-25 05:22:11 +00:00			`jobspec = file("${path.module}/nomad-client-stalker.nomad")`
			`}`

Big refactor to split core and services for better ordering 2022-10-27 21:28:34 +00:00			`module "loki" {`
Use stunnel for mysql Doesn't remove wesher or normal mysql service 2023-05-09 20:20:36 +00:00			`source = "../services/service"`

			`name = "loki"`
			`image = "grafana/loki:2.2.1"`
			`args = ["--config.file=$${NOMAD_TASK_DIR}/loki-config.yml"]`
			`service_port = 3100`
			`ingress = true`
			`sticky_disk = true`
			`# healthcheck = "/ready"`
			`templates = [`
			`{`
			`data = file("${path.module}/loki-config.yml")`
			`dest = "loki-config.yml"`
			`mount = false`
			`}`
			`]`
Big refactor to split core and services for better ordering 2022-10-27 21:28:34 +00:00			`}`

			`resource "nomad_job" "syslog-ng" {`
			`jobspec = file("${path.module}/syslogng.nomad")`
			`}`

			`resource "nomad_job" "ddclient" {`
			`jobspec = file("${path.module}/ddclient.nomad")`
			`}`

			`resource "nomad_job" "lldap" {`
			`jobspec = file("${path.module}/lldap.nomad")`
			`}`
Deploy authelia Backed by lldap and mysql and deployed on whoami for now as a forward proxy example Would be good to add oidc for Nomad as well as make policies configurable via Nomad variables. 2022-11-15 19:43:05 +00:00
			`module "authelia" {`
			`source = "../services/service"`

			`name = "authelia"`
			`priority = 70`
			`image = "authelia/authelia:latest"`
			`args = ["--config", "$${NOMAD_TASK_DIR}/authelia.yml"]`
			`ingress = true`
			`service_port = 9091`
			`# metrics_port = 9959`
			`env = {`
Enable Authelia OIDC provider 2023-07-07 07:39:44 +00:00			`AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/ldap_password.txt"`
			`AUTHELIA_JWT_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"`
			`AUTHELIA_SESSION_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/session_secret.txt"`
			`AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "$${NOMAD_SECRETS_DIR}/storage_encryption_key.txt"`
			`AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/mysql_password.txt"`
			`AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"`
			`AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/oidc_hmac_secret.txt"`
			`AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_private_key.txt"`
			`# AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_certificate_chain.txt"`
Deploy authelia Backed by lldap and mysql and deployed on whoami for now as a forward proxy example Would be good to add oidc for Nomad as well as make policies configurable via Nomad variables. 2022-11-15 19:43:05 +00:00			`}`

			`use_mysql = true`
			`use_ldap = true`
			`mysql_bootstrap = {`
			`enabled = true`
			`}`

			`service_tags = [`
			`# Configure traefik to add this middleware`
			`"traefik.http.middlewares.authelia.forwardAuth.address=http://$${NOMAD_IP_main}:$${NOMAD_HOST_PORT_main}/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",`
			`"traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true",`
			`"traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",`
			`"traefik.http.middlewares.authelia-basic.forwardAuth.address=http://$${NOMAD_IP_main}:$${NOMAD_HOST_PORT_main}/api/verify?auth=basic",`
			`"traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true",`
			`"traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",`
			`]`

			`templates = [`
			`{`
			`data = file("${path.module}/authelia.yml")`
			`dest = "authelia.yml"`
			`mount = false`
			`},`
			`{`
			`data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .lldap_admin_password }}{{ end }}"`
			`dest_prefix = "$${NOMAD_SECRETS_DIR}"`
			`dest = "ldap_password.txt"`
			`mount = false`
			`},`
			`{`
			`data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .jwt_secret }}{{ end }}"`
			`dest_prefix = "$${NOMAD_SECRETS_DIR}"`
			`dest = "jwt_secret.txt"`
			`mount = false`
			`},`
			`{`
			`data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .session_secret }}{{ end }}"`
			`dest_prefix = "$${NOMAD_SECRETS_DIR}"`
			`dest = "session_secret.txt"`
			`mount = false`
			`},`
			`{`
			`data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .storage_encryption_key }}{{ end }}"`
			`dest_prefix = "$${NOMAD_SECRETS_DIR}"`
			`dest = "storage_encryption_key.txt"`
			`mount = false`
			`},`
			`{`
			`data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .db_pass }}{{ end }}"`
			`dest_prefix = "$${NOMAD_SECRETS_DIR}"`
			`dest = "mysql_password.txt"`
			`mount = false`
			`},`
Enable Authelia OIDC provider 2023-07-07 07:39:44 +00:00			`{`
			`data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_hmac_secret }}{{ end }}"`
			`dest_prefix = "$${NOMAD_SECRETS_DIR}"`
			`dest = "oidc_hmac_secret.txt"`
			`mount = false`
			`},`
			`{`
			`data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_private_key }}{{ end }}"`
			`dest_prefix = "$${NOMAD_SECRETS_DIR}"`
			`dest = "oidc_issuer_private_key.txt"`
			`mount = false`
			`},`
			`{`
			`data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_certificate_chain }}{{ end }}"`
			`dest_prefix = "$${NOMAD_SECRETS_DIR}"`
			`dest = "oidc_issuer_certificate_chain.txt"`
			`mount = false`
			`},`
Deploy authelia Backed by lldap and mysql and deployed on whoami for now as a forward proxy example Would be good to add oidc for Nomad as well as make policies configurable via Nomad variables. 2022-11-15 19:43:05 +00:00			`{`
			`data = "{{ with nomadVar \"nomad/jobs\" }}{{ .smtp_password }}{{ end }}"`
			`dest_prefix = "$${NOMAD_SECRETS_DIR}"`
			`dest = "smtp_password.txt"`
			`mount = false`
			`},`
			`]`
			`}`