Clean up and remove some consul and vault stuff

2023-03-24 22:58:44 -07:00 · 2023-03-24 22:58:44 -07:00 · 08d0e93638
parent 74ce30c3c1
commit 08d0e93638
8 changed files with 92 additions and 197 deletions
--- a/core/metrics/metrics.tf
+++ b/core/metrics/metrics.tf
@ -25,28 +25,3 @@ resource "nomad_job" "grafana" {

  depends_on = [nomad_job.prometheus]
 }
-
-# resource "consul_config_entry" "prometheus_intent" {
-#   name = "prometheus"
-#   kind = "service-intentions"
-#
-#   config_json = jsonencode({
-#     Sources = [
-#       {
-#         Action     = "allow"
-#         Name       = "grafana"
-#         Precedence = 9
-#         Type       = "consul"
-#       },
-#     ]
-#   })
-# }
-
-# resource "consul_config_entry" "envoy_prometheus_bind" {
-#   name = "global"
-#   kind = "proxy-defaults"
-#
-#   config_json = jsonencode({
-#     "envoy_prometheus_bind_addr" = "0.0.0.0:9102"
-#   })
-# }
--- a/databases/rediscommander.nomad
+++ b/databases/rediscommander.nomad
@ -52,7 +52,6 @@ job "rediscommander" {

      config {
        image = "alpine:3.17"
-        ports = ["tls"]
        args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
      }

--- a/services/backups/backup.nomad
+++ b/services/backups/backup.nomad
@ -110,65 +110,48 @@ RCLONE_FTP_NO_CHECK_CERTIFICATE=true
        env = true
      }

-      template {
-        data = <<EOH
-CONSUL_HTTP_ADDR={{ env "attr.unique.network.ip-address" }}:8500
-        EOH
-        destination = "local/consul.env"
-        env = true
-      }
-

      template {
        # Build jobs based on node
        data = <<EOF
 # Current node is {{ env "node.unique.name" }}
-{{ if eq (env "node.unique.name") "n2" -}}
-# consul backup
-${file("${module_path}/jobs/consul.hcl")}
-{{ end -}}

-{{ range service "nextcloud" -}}
+{{ range nomadService "nextcloud" -}}
 # nextcloud .Node {{ .Node }}
-{{ if eq .Node (env "node.unique.name") -}}
+{{ if eq .NodeId (env "node.unique.id") -}}
 ${file("${module_path}/jobs/nextcloud.hcl")}
-{{ end -}}
-{{ end -}}
+{{- end }}
+{{- end }}

-{{ range service "grafana" -}}
-# grafana .Node {{ .Node }}
-{{ if eq .Node (env "node.unique.name") -}}
+{{ range nomadService "grafana" -}}
+{{ if eq .NodeId (env "node.unique.id") -}}
 ${file("${module_path}/jobs/grafana.hcl")}
-{{ end -}}
-{{ end -}}
+{{- end }}
+{{- end }}

-{{ range service "photoprism" -}}
-# photoprism .Node {{ .Node }}
-{{ if eq .Node (env "node.unique.name") -}}
+{{ range nomadService "photoprism" -}}
+{{ if eq .NodeId (env "node.unique.id") -}}
 ${file("${module_path}/jobs/photoprism.hcl")}
-{{ end -}}
-{{ end -}}
+{{- end }}
+{{- end }}

 {{ range service "lldap" -}}
-# lldap .Node {{ .Node }}
-{{ if eq .Node (env "node.unique.name") -}}
+{{ if eq .NodeId (env "node.unique.id") -}}
 ${file("${module_path}/jobs/lldap.hcl")}
-{{ end -}}
-{{ end -}}
+{{- end }}
+{{- end }}

 {{ range service "sonarr" -}}
-# sonarr .Node {{ .Node }}
-{{ if eq .Node (env "node.unique.name") -}}
+{{ if eq .NodeId (env "node.unique.id") -}}
 ${file("${module_path}/jobs/sonarr.hcl")}
-{{ end -}}
-{{ end -}}
+{{- end }}
+{{- end }}

 {{ range service "nzbget" -}}
-# nzbget .Node {{ .Node }}
-{{ if eq .Node (env "node.unique.name") -}}
+{{ if eq .NodeId (env "node.unique.id") -}}
 ${file("${module_path}/jobs/nzbget.hcl")}
-{{ end -}}
-{{ end -}}
+{{- end }}
+{{- end }}
        EOF
        destination = "local/node-jobs.hcl"
      }
--- a/services/backups/jobs/consul.hcl
+++ b/services/backups/jobs/consul.hcl
@ -1,38 +0,0 @@
-job "consul" {
-  schedule = "0 * * * *"
-
-  config {
-    repo = "rclone::ftp,env_auth:/nomad/consul"
-    passphrase = env("BACKUP_PASSPHRASE")
-  }
-
-  task "Use consul snapshots" {
-    pre_script {
-      on_backup = "mkdir -p /local/consul"
-    }
-    pre_script {
-      on_backup = "consul snapshot save /local/consul/backup.snap"
-    }
-    post_script {
-      on_restore = "consul snapshot restore /local/consul/backup.snap"
-    }
-  }
-
-  backup {
-    paths = ["/local/consul"]
-    # Because path is absolute
-    restore_opts {
-      Target = "/"
-    }
-  }
-
-  forget {
-    KeepLast = 2
-    KeepHourly = 24
-    KeepDaily = 30
-    KeepWeekly = 8
-    KeepMonthly = 6
-    KeepYearly = 2
-    Prune = true
-  }
-}
--- a/services/main.tf
+++ b/services/main.tf
@ -1,14 +1,5 @@
-# module "nextcloud" {
-#   source = "./nextcloud"
-#
-#   depends_on = [module.databases]
-# }
-
 module "backups" {
  source = "./backups"
-
-  # In parent module
-  # depends_on = [module.databases]
 }

 resource "nomad_job" "whoami" {
@ -16,7 +7,6 @@ resource "nomad_job" "whoami" {
    enabled = true
    vars = {
      "count" = 1,
-      # "count" = "${2 * length(data.consul_service.nomad.service)}",
    }
  }

@ -27,42 +17,6 @@ resource "nomad_job" "ipdvr" {
  jobspec = file("${path.module}/ip-dvr.nomad")
 }

-# resource "consul_config_entry" "sabnzbd_intents" {
-#   depends_on = [nomad_job.ipdvr]
-#
-#   name = "sabnzbd"
-#   kind = "service-intentions"
-#
-#   config_json = jsonencode({
-#     Sources = [
-#       {
-#         Action     = "allow"
-#         Name       = "sonarr"
-#         Precedence = 9
-#         Type       = "consul"
-#       },
-#     ]
-#   })
-# }
-#
-# resource "consul_config_entry" "nzbget_intents" {
-#   depends_on = [nomad_job.ipdvr]
-#
-#   name = "nzbget"
-#   kind = "service-intentions"
-#
-#   config_json = jsonencode({
-#     Sources = [
-#       {
-#         Action     = "allow"
-#         Name       = "sonarr"
-#         Precedence = 9
-#         Type       = "consul"
-#       },
-#     ]
-#   })
-# }
-
 module "media-library" {
  source = "./service"

@ -83,11 +37,11 @@ module "media-library" {
 module "minitor" {
  source = "./service"

-  name              = "minitor"
-  image             = "iamthefij/minitor-go:1.1"
-  args              = ["-metrics", "-config=$${NOMAD_TASK_DIR}/config.yml"]
-  service_port      = 8080
-  metrics_port_name = "main"
+  name         = "minitor"
+  image        = "iamthefij/minitor-go:1.1"
+  args         = ["-metrics", "-config=$${NOMAD_TASK_DIR}/config.yml"]
+  service_port = 8080
+  prometheus   = true

  templates = [
    {
@ -119,7 +73,6 @@ module "photoprism_module" {
  ingress            = true
  service_port       = 2342
  sticky_disk        = true
-  healthcheck_path   = "/library/login"
  env = {
    PHOTOPRISM_DEBUG = true
    # UI
@ -144,8 +97,6 @@ module "photoprism_module" {
    memory     = 3000
    memory_max = 4000
  }
-  use_mysql = true
-  use_vault = true
  host_volumes = [
    {
      name      = "photoprism-storage"
@ -201,8 +152,6 @@ module "diun" {
    DIUN_PROVIDERS_NOMAD = true
  }

-  use_vault = true
-
  templates = [
    {
      data        = <<EOF
--- a/services/service/main.tf
+++ b/services/service/main.tf
@ -15,18 +15,14 @@ resource "nomad_job" "service" {
    ingress             = var.ingress
    ingress_rule        = var.ingress_rule
    ingress_middlewares = var.ingress_middlewares
-    healthcheck_path    = var.healthcheck_path
-    metrics_port_name   = var.metrics_port_name
+    prometheus          = var.prometheus

    templates    = var.templates
    host_volumes = var.host_volumes

-    connect   = anytrue([var.ingress, var.use_mysql, var.use_redis, var.use_ldap, length(var.upstreams) > 0])
-    upstreams = var.upstreams
    use_mysql = var.use_mysql
    use_redis = var.use_redis
    use_ldap  = var.use_ldap
-    use_vault = var.use_vault

    mysql_bootstrap = var.mysql_bootstrap
  })
--- a/services/service/service_template.nomad
+++ b/services/service/service_template.nomad
@ -44,8 +44,7 @@ job "${name}" {
      port = "main"

      tags = [
-        # TODO: Rename metrics_port_name to something like "prometheus_scrape"
-        %{ if metrics_port_name != null }
+        %{ if prometheus == true }
        "prometheus.scrape",
        %{ endif }
        %{ if ingress }
@ -134,6 +133,7 @@ EOF
      }
      %{~ endif }
    }
+
    %{ if mysql_bootstrap != null }
    task "${name}-bootstrap" {
      driver = "docker"
@ -152,13 +152,6 @@ EOF
        ]
      }

-      vault {
-        policies = [
-          "access-tables",
-          "nomad-task",
-        ]
-      }
-
      template {
        data = <<EOF
 [client]
@ -177,7 +170,8 @@ password={{ .mysql_root_password }}

      template {
        data = <<EOF
-{{ with nomadVar "${mysql_bootstrap.vault_key}" -}}
+{{ with nomadVar "nomad/jobs/${name}" -}}
+{{ $db_name := .${mysql_bootstrap.db_name_key} }}
 CREATE DATABASE IF NOT EXISTS `{{ .${mysql_bootstrap.db_name_key} }}`
  CHARACTER SET = 'utf8mb4'
  COLLATE = 'utf8mb4_unicode_ci';
@ -185,7 +179,12 @@ CREATE USER IF NOT EXISTS '{{ .${mysql_bootstrap.db_user_key} }}'@'%'
  IDENTIFIED BY '{{ .${mysql_bootstrap.db_pass_key} }}';
 GRANT ALL ON `{{ .${mysql_bootstrap.db_name_key} }}`.*
  TO '{{ .${mysql_bootstrap.db_user_key} }}'@'%';
-# TODO: Optionally grant ro access to ro user
+%{ if mysql_bootstrap.add_ro ~}
+{{ with nomadService "grafana" }}{{ with nomadVar "nomad/jobs" -}}
+-- Grant grafana read_only user access to db
+GRANT SELECT ON `{{ $db_name }}`.* to '{{ .db_user_ro }}'@'%';
+{{ end }}{{ end }}
+%{~ endif }
 {{ else -}}
 SELECT 'NOOP';
 {{ end -}}
@ -199,5 +198,55 @@ SELECT 'NOOP';
      }
    }
    %{ endif }
+    %{ if use_redis ~}
+    task "redis-stunnel" {
+      driver = "docker"
+
+      config {
+        image = "alpine:3.17"
+        args = ["/bin/sh", "$${NOMAD_TASK_DIR}/start.sh"]
+      }
+
+      resources {
+        cpu = 100
+        memory = 100
+      }
+
+      template {
+        data = <<EOF
+set -e
+apk add stunnel
+exec stunnel {{ env "NOMAD_TASK_DIR" }}/stunnel.conf
+        EOF
+        destination = "$${NOMAD_TASK_DIR}/start.sh"
+      }
+
+      template {
+        data = <<EOF
+syslog = no
+foreground = yes
+delay = yes
+
+[redis_client]
+client = yes
+accept = 127.0.0.1:6379
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "redis-tls" -}}
+connect = {{ .Address }}:{{ .Port }}
+{{- end }}
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
+        EOF
+        destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
+      }
+
+      template {
+        data = <<EOF
+{{ with nomadVar "nomad/jobs/${name}" -}}
+{{ .redis_stunnel_psk }}
+{{- end }}
+        EOF
+        destination = "$${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
+      }
+    }
+    %{~ endif }
  }
 }
--- a/services/service/vars.tf
+++ b/services/service/vars.tf
@ -32,10 +32,10 @@ variable "service_port" {
  description = "Port number used by the service"
 }

-variable "metrics_port_name" {
-  type        = string
-  default     = null
-  description = "Name of port that /metrics can be scraped from"
+variable "prometheus" {
+  type        = bool
+  default     = false
+  description = "Should metrics be scraped by prometheus"
 }

 variable "ingress" {
@ -113,19 +113,6 @@ variable "host_volumes" {
  default = []
 }

-variable "healthcheck_path" {
-  type    = string
-  default = "/"
-}
-
-variable "upstreams" {
-  type = list(object({
-    destination_name = string
-    local_bind_port  = number
-  }))
-  default = []
-}
-
 variable "use_mysql" {
  type    = bool
  default = false
@ -136,11 +123,6 @@ variable "use_redis" {
  default = false
 }

-variable "use_vault" {
-  type    = bool
-  default = false
-}
-
 variable "use_ldap" {
  type    = bool
  default = false
@ -148,10 +130,10 @@ variable "use_ldap" {

 variable "mysql_bootstrap" {
  type = object({
-    vault_key   = string
    db_name_key = optional(string, "db_name")
    db_user_key = optional(string, "db_user")
    db_pass_key = optional(string, "db_pass")
+    add_ro      = optional(bool, false)
  })
  default = null
 }