iamthefij/homelab-nomad
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

A whole lot of incremental fixes for nomad variables and such

Browse Source 
Also adds stunnel between redis and clients
This commit is contained in:
IamTheFij 2023-03-24 16:32:37 -07:00
parent 9204f3c7f0
commit 98ea2a1ca0
28 changed files with 251 additions and 243 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
.terraform.lock.hcl generated
View File

@ -1,25 +1,6 @@
# This file is maintained automatically by "terraform init". # This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates. # Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/consul" {
version = "2.17.0"
hashes = [
"h1:k+8ptRn/iiCnE7mC0LVA8FvnukzKnlD3KAcquPFbtN8=",
"zh:1cca5e144b4696900d2410e26499a00c9666e5777b657e9844a4b6d198164a09",
"zh:4fe59329ae4a4fc13751cde4a1044427ca591ecefbaa8dde2ce828f660fbddb1",
"zh:55c42cec7dd10ee1f03eca03d5b8e3bcba7bf281bcd250ac220458aba735ba1f",
"zh:625a0481d0b2599d0e6ac609d9efc151f1c9cad53091e2ee3bfcedc34ccacb34",
"zh:7e9a08b19491f26aa685311a9211bacd7b7027d9cf6eaee16949435221a5f688",
"zh:9d92816f609367204c4df20c29c57ee631f5a65cf6bb782d9d9b3f945ba21353",
"zh:a332ef65a6ba829dc335ade1a3e69ae14e162dc6ca1a991d9d6ad4e596f4c2d7",
"zh:ce7ffac8d852342e9fe25053383613934c8b81d8c2ba2c9d10626b71e329fed7",
"zh:d384a1ef35c766362e8ae3131d00c05e1c0904d8b4b1d964548b91e1025f324b",
"zh:d85067f345b663e8e59fb02705918d3618ce56887a472665bec7f1aeddbc9ea4",
"zh:ddff8512e8181efae6d0d259abcd457d9a394a4a6f99d6bb0b180cabee373097",
"zh:f3d3efac504c9484a025beb919d22b290aa6dbff256f6e86c1f8ce7817e077e5",
]
}
provider "registry.terraform.io/hashicorp/external" { provider "registry.terraform.io/hashicorp/external" {
version = "2.3.1" version = "2.3.1"
hashes = [ hashes = [
@ -57,22 +38,3 @@ provider "registry.terraform.io/hashicorp/nomad" {
"zh:ffd1e096c1cc35de879c740a91918e9f06b627818a3cb4b1d87b829b54a6985f", "zh:ffd1e096c1cc35de879c740a91918e9f06b627818a3cb4b1d87b829b54a6985f",
] ]
} }
provider "registry.terraform.io/hashicorp/vault" {
version = "3.14.0"
hashes = [
"h1:/0pqMLODukJUiVpBdxXbb8vwp0HCtbTXWFq0BaNkcZM=",
"zh:07e797c3b14cc45f1a3fa3adb6269f28f182630b9af9403a2a447919d4e9992a",
"zh:0d88c6c50f7975f60c84d446bf95b26652c9457e62f2d5b24221b769d6daf809",
"zh:1670c513f85788308d317e45038234ac367f52f7bd0ea8f527f0a6291dd23659",
"zh:1b5a07fd053a0d7d1da80cb3e929b44c000c614d3738bb7ff82b4d56ed854017",
"zh:34a43de7f3d3749cbc50b81b84fe38961c3dfbda819708a814c2206045ecf69b",
"zh:416f710365d060c8239522363257e162a267c01463ac95ad2c2dd0acf05b6d35",
"zh:73956090e0e9b69adbcfe1bcaad20ec45779f2e7f3f2fb3a5f865402a2cd2485",
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
"zh:e2df6077e925a8438cfd2deb3bce5f1029a2e3edd2a635b12636d426390600dd",
"zh:e3e2797ae1cfc6aff66329ee81baaf780e1f5f295ad887ac7ff4c1e2754a8c8c",
"zh:f34ec435d16244ecf0f909872850070428aeadd352b6a21ab1f787d81f8bae9f",
"zh:f3a930e64b2c10d2ece5acc856d3438cdd375ccfc5ac10fc4a8fe163f74af93a",
]
}

2
ansible_playbooks/setup-cluster.yml
View File

@ -189,7 +189,7 @@
interface: lo interface: lo
reserved_ports: "22" reserved_ports: "22"
- name: wesher - name: wesher
interface: wgoverlay interface: wesher
reserved_ports: "22" reserved_ports: "22"
# Enable ACLs # Enable ACLs

52
core/blocky/blocky.nomad
View File

@ -24,7 +24,7 @@ job "blocky" {
} }
port "api" { port "api" {
host_network = "wgoverlay" host_network = "wesher"
to = "4000" to = "4000"
} }
@ -93,6 +93,56 @@ job "blocky" {
} }
} }
task "redis-stunnel" {
driver = "docker"
config {
image = "alpine:3.17"
ports = ["tls"]
args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
}
resources {
cpu = 20
memory = 100
}
template {
data = <<EOF
set -e
apk add stunnel
exec stunnel {{ env "NOMAD_TASK_DIR" }}/stunnel.conf
EOF
destination = "${NOMAD_TASK_DIR}/start.sh"
}
template {
data = <<EOF
syslog = no
foreground = yes
delay = yes
[redis_client]
client = yes
accept = 127.0.0.1:6379
{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "redis-tls" -}}
connect = {{ .Address }}:{{ .Port }}
{{- end }}
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
EOF
destination = "${NOMAD_TASK_DIR}/stunnel.conf"
}
template {
data = <<EOF
{{ with nomadVar "nomad/jobs/blocky" -}}
{{ .redis_stunnel_psk }}
{{- end }}
EOF
destination = "${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
}
}
task "blocky-bootstrap" { task "blocky-bootstrap" {
driver = "docker" driver = "docker"

2
core/blocky/config.yml
View File

@ -94,7 +94,7 @@ prometheus:
{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "redis" -}} {{ range nomadService 1 (env "NOMAD_ALLOC_ID") "redis" -}}
redis: redis:
address: {{ .Address }}:{{ .Port }} address: 127.0.0.1:6379
# password: "" # password: ""
# database: 0 # database: 0
connectionAttempts: 10 connectionAttempts: 10

18
core/lldap.nomad
View File

@ -8,10 +8,12 @@ job "lldap" {
mode = "bridge" mode = "bridge"
port "web" { port "web" {
host_network = "wesher"
to = 17170 to = 17170
} }
port "ldap" { port "ldap" {
host_network = "wesher"
to = 3890 to = 3890
} }
} }
@ -51,13 +53,7 @@ job "lldap" {
config { config {
image = "nitnelave/lldap:v0.4" image = "nitnelave/lldap:v0.4"
ports = ["ldap", "web"] ports = ["ldap", "web"]
args = ["run", "--config-file", "/lldap_config.toml"] args = ["run", "--config-file", "${NOMAD_SECRETS_DIR}/lldap_config.toml"]
mount {
type = "bind"
source = "secrets/lldap_config.toml"
target = "/lldap_config.toml"
}
} }
env = { env = {
@ -70,18 +66,18 @@ job "lldap" {
database_url = "sqlite:///data/users.db?mode=rwc" database_url = "sqlite:///data/users.db?mode=rwc"
key_file = "/data/private_key" key_file = "/data/private_key"
ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .base_dn }}{{ end }}" ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .base_dn }}{{ end }}"
{{ with nomadVar "nomad/jobs/lldap" }} {{ with nomadVar "nomad/jobs/lldap" -}}
jwt_secret = "{{ .jwt_secret }}" jwt_secret = "{{ .jwt_secret }}"
ldap_user_dn = "{{ .admin_user }}" ldap_user_dn = "{{ .admin_user }}"
ldap_user_email = "{{ .admin_email }}" ldap_user_email = "{{ .admin_email }}"
ldap_user_pass = "{{ .admin_password }}" ldap_user_pass = "{{ .admin_password }}"
{{ end -}} {{- end }}
{{ with nomadVar "nomad/jobs" -}} {{ with nomadVar "nomad/jobs" -}}
[smtp_options] [smtp_options]
enable_password_reset = true enable_password_reset = true
server = "{{ .smtp_server }}" server = "{{ .smtp_server }}"
port = {{ .smtp_port }} port = {{ .smtp_port }}
tls_required = {{ .smtp_tls }} tls_required = {{ .smtp_tls.Value | toLower }}
user = "{{ .smtp_user }}" user = "{{ .smtp_user }}"
password = "{{ .smtp_password }}" password = "{{ .smtp_password }}"
{{ end -}} {{ end -}}
@ -90,7 +86,7 @@ from = "{{ .smtp_from }}"
reply_to = "{{ .smtp_reply_to }}" reply_to = "{{ .smtp_reply_to }}"
{{ end -}} {{ end -}}
EOH EOH
destination = "secrets/lldap_config.toml" destination = "${NOMAD_SECRETS_DIR}/lldap_config.toml"
change_mode = "restart" change_mode = "restart"
} }

25
core/main.tf
View File

@ -12,29 +12,12 @@ module "traefik" {
base_hostname = var.base_hostname base_hostname = var.base_hostname
} }
module "nomad_login" { module "metrics" {
source = "IamTheFij/levant/nomad" source = "./metrics"
version = "0.1.0" # Not in this module
# depends_on = [module.databases]
template_path = "service.nomad"
variables = {
name = "nomad-login"
image = "iamthefij/nomad-vault-login"
service_port = 5000
ingress = true
ingress_rule = "Host(`nomad.thefij.rocks`) && PathPrefix(`/login`)"
env = jsonencode({
VAULT_ADDR = "http://$${attr.unique.network.ip-address}:8200",
})
}
} }
# module "metrics" {
# source = "./metrics"
# # Not in this module
# # depends_on = [module.databases]
# }
module "loki" { module "loki" {
source = "IamTheFij/levant/nomad" source = "IamTheFij/levant/nomad"
version = "0.1.0" version = "0.1.0"

2
core/metrics/exporters.nomad
View File

@ -24,7 +24,7 @@ job "metrics" {
tags = [ tags = [
"prometheus.scrape", "prometheus.scrape",
} ]
} }
task "promtail" { task "promtail" {

6
core/metrics/grafana.nomad
View File

@ -8,7 +8,7 @@ job "grafana" {
mode = "bridge" mode = "bridge"
port "web" { port "web" {
host_network = "wgoverlay" host_network = "wesher"
to = 3000 to = 3000
} }
@ -123,8 +123,8 @@ GF_SMTP_USER={{ .smtp_user }}
GF_SMTP_PASSWORD={{ .smtp_password }} GF_SMTP_PASSWORD={{ .smtp_password }}
GF_EXTERNAL_IMAGE_STORAGE_S3_ACCESS_KEY={{ .minio_access_key }} GF_EXTERNAL_IMAGE_STORAGE_S3_ACCESS_KEY={{ .minio_access_key }}
GF_EXTERNAL_IMAGE_STORAGE_S3_SECRET_KEY={{ .minio_secret_key }} GF_EXTERNAL_IMAGE_STORAGE_S3_SECRET_KEY={{ .minio_secret_key }}
GRAFANA_ALERT_EMAIL_ADDRESSES={{ .Data.data.alert_email_addresses }} GRAFANA_ALERT_EMAIL_ADDRESSES={{ .alert_email_addresses }}
{{ if .Data.data.db_name -}} {{ if .db_name -}}
# Database storage # Database storage
GF_DATABASE_TYPE=mysql GF_DATABASE_TYPE=mysql
{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-server" -}} {{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-server" -}}

6
core/metrics/grafana/provisioning/datasources/loki.yml
View File

@ -2,11 +2,11 @@
apiVersion: 1 apiVersion: 1
datasources: datasources:
{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "loki" -}} {{ range nomadService 1 (env "NOMAD_ALLOC_ID") "loki" }}
- name: Loki - name: Loki
url: http://{{ .Address }}:{{ .Port }} url: "http://{{ .Address }}:{{ .Port }}"
type: loki type: loki
access: proxy access: proxy
isDefault: false isDefault: false
version: 1 version: 1
{{- end }} {{ end }}

6
core/metrics/grafana/provisioning/datasources/prometheus.yml
View File

@ -2,11 +2,11 @@
apiVersion: 1 apiVersion: 1
datasources: datasources:
{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "prometheus" -}} {{ range nomadService 1 (env "NOMAD_ALLOC_ID") "prometheus" }}
- name: Prometheus - name: Prometheus
url: http://{{ .Address }}:{{ .Port }} url: "http://{{ .Address }}:{{ .Port }}"
type: prometheus type: prometheus
access: proxy access: proxy
isDefault: true isDefault: true
version: 1 version: 1
{{- end }} {{ end }}

9
core/metrics/prometheus.nomad
View File

@ -8,7 +8,7 @@ job "prometheus" {
mode = "bridge" mode = "bridge"
port "web" { port "web" {
host_network = "wgoverlay" host_network = "wesher"
to = 9090 to = 9090
} }
} }
@ -34,7 +34,7 @@ job "prometheus" {
driver = "docker" driver = "docker"
config { config {
image = "prom/prometheus:v2.30.2" image = "prom/prometheus:v2.43.0"
ports = ["web"] ports = ["web"]
args = [ args = [
"--config.file=/etc/prometheus/config/prometheus.yml", "--config.file=/etc/prometheus/config/prometheus.yml",
@ -91,12 +91,13 @@ scrape_configs:
- job_name: "nomad_services" - job_name: "nomad_services"
metrics_path: "/metrics" metrics_path: "/metrics"
nomad_sd_configs: nomad_sd_configs:
- server: "http://{{env "attr.unique.network.ip-address"}}:8500" - server: "http://{{env "attr.unique.network.ip-address"}}:4646"
relabel_configs: relabel_configs:
- source_labels: [__meta_nomad_tags] - source_labels: [__meta_nomad_tags]
regex: .*(prometheus.scrape).* regex: .*(prometheus.scrape).*
action: keep action: keep
- source_labels: [__meta_nomad_address] - source_labels: [__meta_nomad_service_address,__meta_nomad_service_port]
separator: ":"
target_label: __address__ target_label: __address__
- source_labels: [__meta_nomad_service] - source_labels: [__meta_nomad_service]
target_label: nomad_service target_label: nomad_service

27
core/traefik/traefik.nomad
View File

@ -158,6 +158,7 @@ job "traefik" {
provider = "cloudflare" provider = "cloudflare"
resolvers = ["1.1.1.1:53", "8.8.8.8:53"] resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
delayBeforeCheck = 0 delayBeforeCheck = 0
<<- end >>
EOH EOH
destination = "local/config/traefik.toml" destination = "local/config/traefik.toml"
} }
@ -181,16 +182,20 @@ CF_ZONE_API_TOKEN={{ .domain_lego_dns }}
entryPoints = ["websecure"] entryPoints = ["websecure"]
service = "nomad" service = "nomad"
rule = "Host(`nomad.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}`)" rule = "Host(`nomad.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}`)"
[http.routers.hass]
entryPoints = ["websecure"]
service = "hass"
rule = "Host(`hass.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}`)"
[http.services] [http.services]
{{ with nomadService "nomad-client" -}}
[http.services.nomad] [http.services.nomad]
[http.services.nomad.loadBalancer] [http.services.nomad.loadBalancer]
{{ range . -}}
[[http.services.nomad.loadBalancer.servers]] [[http.services.nomad.loadBalancer.servers]]
url = "http://{{ .Address }}:{{ .Port }}" url = "http://127.0.0.1:4646"
{{ end }} [http.services.hass]
{{- end }} [http.services.hass.loadBalancer]
[[http.services.hass.loadBalancer.servers]]
url = "http://192.168.3.65:8123"
EOH EOH
destination = "local/config/conf/route-hashi.toml" destination = "local/config/conf/route-hashi.toml"
change_mode = "noop" change_mode = "noop"
@ -212,7 +217,7 @@ CF_ZONE_API_TOKEN={{ .domain_lego_dns }}
[[tcp.services.syslogngtcp.loadBalancer.servers]] [[tcp.services.syslogngtcp.loadBalancer.servers]]
address = "{{ .Address }}:{{ .Port }}" address = "{{ .Address }}:{{ .Port }}"
{{ end -}} {{ end -}}
{{ end }} {{- end }}
{{ with nomadService "syslogng" -}} {{ with nomadService "syslogng" -}}
[udp.routers] [udp.routers]
@ -227,7 +232,7 @@ CF_ZONE_API_TOKEN={{ .domain_lego_dns }}
[[udp.services.syslogngudp.loadBalancer.servers]] [[udp.services.syslogngudp.loadBalancer.servers]]
address = "{{ .Address }}:{{ .Port }}" address = "{{ .Address }}:{{ .Port }}"
{{ end -}} {{ end -}}
{{ end }} {{- end }}
EOH EOH
destination = "local/config/conf/route-syslog-ng.toml" destination = "local/config/conf/route-syslog-ng.toml"
change_mode = "noop" change_mode = "noop"
@ -241,8 +246,8 @@ CF_ZONE_API_TOKEN={{ .domain_lego_dns }}
[http.middlewares.basic-auth.basicAuth] [http.middlewares.basic-auth.basicAuth]
# TODO: Reference secrets mount # TODO: Reference secrets mount
usersFile = "/etc/traefik/usersfile" usersFile = "/etc/traefik/usersfile"
{{ end }} {{- end }}
{{ end }} {{- end }}
EOH EOH
destination = "local/config/conf/middlewares.toml" destination = "local/config/conf/middlewares.toml"
change_mode = "noop" change_mode = "noop"
@ -250,9 +255,9 @@ CF_ZONE_API_TOKEN={{ .domain_lego_dns }}
template { template {
data = <<EOH data = <<EOH
{{ with nomadVar "nomad/jobs/traefik" }} {{ with nomadVar "nomad/jobs/traefik" -}}
{{ .usersfile }} {{ .usersfile }}
{{ end }} {{- end }}
EOH EOH
destination = "secrets/usersfile" destination = "secrets/usersfile"
change_mode = "noop" change_mode = "noop"

4
databases/mysql.nomad
View File

@ -18,9 +18,7 @@ job "mysql-server" {
port "db" { port "db" {
to = 3306 to = 3306
} host_network = "wesher"
port "envoy_metrics" {
to = 9123
} }
} }

55
databases/redis.nomad
View File

@ -15,15 +15,15 @@ job "redis" {
network { network {
mode = "bridge" mode = "bridge"
port "main" { port "tls" {
to = 6379 host_network = "wesher"
} }
} }
service { service {
name = "redis" name = "redis-tls"
provider = "nomad" provider = "nomad"
port = "main" port = "tls"
} }
task "redis" { task "redis" {
@ -41,5 +41,52 @@ job "redis" {
memory_max = 512 memory_max = 512
} }
} }
task "stunnel" {
driver = "docker"
config {
image = "alpine:3.17"
ports = ["tls"]
args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
}
resources {
cpu = 100
memory = 100
}
template {
data = <<EOF
set -e
apk add stunnel
exec stunnel ${NOMAD_TASK_DIR}/stunnel.conf
EOF
destination = "${NOMAD_TASK_DIR}/start.sh"
}
template {
data = <<EOF
syslog = no
foreground = yes
delay = yes
[redis_server]
accept = {{ env "NOMAD_PORT_tls" }}
connect = 127.0.0.1:6379
ciphers = PSK
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
EOF
destination = "${NOMAD_TASK_DIR}/stunnel.conf"
}
template {
data = <<EOF
test1:oaP4EishaeSaishei6rio6xeeph3az
EOF
destination = "${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
}
}
} }
} }

56
databases/rediscommander.nomad
View File

@ -9,12 +9,14 @@ job "rediscommander" {
mode = "bridge" mode = "bridge"
port "main" { port "main" {
host_network = "wesher"
to = 8081 to = 8081
} }
} }
service { service {
name = "rediscommander" name = "rediscommander"
provider = "nomad"
port = "main" port = "main"
tags = [ tags = [
@ -33,9 +35,7 @@ job "rediscommander" {
template { template {
data = <<EOH data = <<EOH
{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "redis" -}} REDIS_HOSTS=stunnel:127.0.0.1:6379
REDIS_HOSTS=local:{{ .Address }}:{{ .Port }}
{{- end }}
EOH EOH
env = true env = true
destination = "env" destination = "env"
@ -46,5 +46,55 @@ job "rediscommander" {
memory = 50 memory = 50
} }
} }
task "redis-stunnel" {
driver = "docker"
config {
image = "alpine:3.17"
ports = ["tls"]
args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
}
resources {
cpu = 100
memory = 100
}
template {
data = <<EOF
set -e
apk add stunnel
exec stunnel {{ env "NOMAD_TASK_DIR" }}/stunnel.conf
EOF
destination = "${NOMAD_TASK_DIR}/start.sh"
}
template {
data = <<EOF
syslog = no
foreground = yes
delay = yes
[redis_client]
client = yes
accept = 127.0.0.1:6379
{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "redis-tls" -}}
connect = {{ .Address }}:{{ .Port }}
{{- end }}
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
EOF
destination = "${NOMAD_TASK_DIR}/stunnel.conf"
}
template {
data = <<EOF
{{ with nomadVar "nomad/jobs/rediscommander" -}}
{{ .redis_stunnel_psk }}
{{- end }}
EOF
destination = "${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
}
}
} }
} }

2
nomad_vars.py
View File

@ -30,7 +30,7 @@ def nomad_req(method: str, path: str, json: dict|None = None) -> dict:
def write_var(path: str, items: dict[str, str | float | int]) -> dict: def write_var(path: str, items: dict[str, str | float | int]) -> dict:
return nomad_req("GET", f"var/{path}", return nomad_req("PUT", f"var/{path}",
json={ json={
"Path": path, "Path": path,
"Items": {k: str(v) for k, v in items.items()}, "Items": {k: str(v) for k, v in items.items()},

43
providers.tf
View File

@ -1,46 +1,7 @@
# Configure Consul provider
provider "consul" {
address = var.consul_address
}
# Get Nomad client from Consul
data "consul_service" "nomad" {
name = "nomad-client"
}
# Get Vault client from Consul
data "consul_service" "vault" {
name = "vault"
tag = "active"
}
locals {
# Get Nomad address from Consul
nomad_node = data.consul_service.nomad.service[0]
nomad_node_address = "http://${local.nomad_node.node_address}:${local.nomad_node.port}"
# Get Vault address from Consul
vault_node = data.consul_service.vault.service[0]
vault_node_address = "http://${local.vault_node.node_address}:${local.vault_node.port}"
}
# Configure the Vault provider
provider "vault" {
address = length(var.vault_address) == 0 ? local.vault_node_address : var.vault_address
token = var.vault_token
}
# Something that should exist in a post bootstrap module, right now module includes bootstrapping
# which requries Admin
# data "vault_nomad_access_token" "deploy" {
# backend = "nomad"
# role = "deploy"
# }
# Configure the Nomad provider # Configure the Nomad provider
provider "nomad" { provider "nomad" {
address = length(var.nomad_address) == 0 ? local.nomad_node_address : var.nomad_address address = var.nomad_address
secret_id = var.nomad_secret_id secret_id = var.nomad_secret_id
# secret_id = length(var.nomad_secret_id) == 0 ? data.vault_nomad_access_token.admin.secret_id : var.nomad_secret_id region = "global"
region = "global"
} }

1
service.nomad
View File

@ -51,6 +51,7 @@ job "[[.name]]" {
mode = "bridge" mode = "bridge"
[[ if not (empty .service_port) -]] [[ if not (empty .service_port) -]]
port "main" { port "main" {
host_network = "wesher"
to = [[ .service_port ]] to = [[ .service_port ]]
} }
[[ end -]] [[ end -]]

10
services.tf
View File

@ -1,5 +1,5 @@
# module "services" { module "services" {
# source = "./services" source = "./services"
#
# depends_on = [module.databases, module.core] depends_on = [module.databases, module.core]
# } }

4
services/backups/backup.nomad
View File

@ -49,7 +49,7 @@ job "backup%{ if batch_node != null }-oneoff-${batch_node}%{ endif }" {
} }
service { service {
name = "backups" name = "backup"
provider = "nomad" provider = "nomad"
port = "metrics" port = "metrics"
@ -97,7 +97,7 @@ MYSQL_PORT={{ .Port }}
MYSQL_USER=root MYSQL_USER=root
MYSQL_PASSWORD={{ .mysql_root_password }} MYSQL_PASSWORD={{ .mysql_root_password }}
{{ end -}} {{ end -}}
{{ with nomadVar "nomad/jobs/backups" -}} {{ with nomadVar "nomad/jobs/backup" -}}
BACKUP_PASSPHRASE={{ .backup_passphrase }} BACKUP_PASSPHRASE={{ .backup_passphrase }}
RCLONE_FTP_HOST={{ .nas_ftp_host }} RCLONE_FTP_HOST={{ .nas_ftp_host }}
RCLONE_FTP_USER={{ .nas_ftp_user }} RCLONE_FTP_USER={{ .nas_ftp_user }}

4
services/backups/backups.tf
View File

@ -1,4 +1,4 @@
resource "nomad_job" "backups" { resource "nomad_job" "backup" {
jobspec = templatefile("${path.module}/backup.nomad", { jobspec = templatefile("${path.module}/backup.nomad", {
module_path = path.module, module_path = path.module,
batch_node = null, batch_node = null,
@ -10,7 +10,7 @@ resource "nomad_job" "backups" {
# name = "nomad-client" # name = "nomad-client"
# } # }
resource "nomad_job" "backups-oneoff" { resource "nomad_job" "backup-oneoff" {
# TODO: Get list of nomad hosts dynamically # TODO: Get list of nomad hosts dynamically
for_each = toset(["n1", "n2"]) for_each = toset(["n1", "n2"])
# for_each = toset([ # for_each = toset([

58
services/external.tf
View File

@ -1,29 +1,29 @@
resource "consul_service" "homeassistant" { # resource "consul_service" "homeassistant" {
name = "hass" # name = "hass"
node = consul_node.homeassistant.name # node = consul_node.homeassistant.name
port = 8123 # port = 8123
tags = [ # tags = [
"traefik.enable=true", # "traefik.enable=true",
"traefik.consulcatalog.connect=false", # "traefik.consulcatalog.connect=false",
"traefik.http.routers.hass.entryPoints=websecure", # "traefik.http.routers.hass.entryPoints=websecure",
] # ]
#
check { # check {
check_id = "homeassistant:hass" # check_id = "homeassistant:hass"
status = "passing" # status = "passing"
name = "Home Assistant Health Check" # name = "Home Assistant Health Check"
http = "192.168.3.65:8123" # http = "192.168.3.65:8123"
interval = "30s" # interval = "30s"
timeout = "10s" # timeout = "10s"
} # }
} # }
#
resource "consul_node" "homeassistant" { # resource "consul_node" "homeassistant" {
name = "homeassistant" # name = "homeassistant"
address = "192.168.3.65" # address = "192.168.3.65"
#
meta = { # meta = {
"external-node" = "true" # "external-node" = "true"
"external-probe" = "true" # "external-probe" = "true"
} # }
} # }

6
services/ip-dvr.nomad
View File

@ -9,7 +9,7 @@ job "ipdvr" {
mode = "bridge" mode = "bridge"
port "main" { port "main" {
host_network = "wgoverlay" host_network = "wesher"
to = 8080 to = 8080
} }
} }
@ -75,7 +75,7 @@ job "ipdvr" {
network { network {
mode = "bridge" mode = "bridge"
port "main" { port "main" {
host_network = "wgoverlay" host_network = "wesher"
to = 6789 to = 6789
} }
} }
@ -142,7 +142,7 @@ job "ipdvr" {
network { network {
mode = "bridge" mode = "bridge"
port "main" { port "main" {
host_network = "wgoverlay" host_network = "wesher"
to = 8989 to = 8989
} }
} }

5
services/main.tf
View File

@ -172,8 +172,9 @@ module "photoprism_module" {
PHOTOPRISM_DATABASE_USER={{ .db_user }} PHOTOPRISM_DATABASE_USER={{ .db_user }}
PHOTOPRISM_DATABASE_PASSWORD={{ .db_pass }} PHOTOPRISM_DATABASE_PASSWORD={{ .db_pass }}
{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-server" -}} {{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-server" -}}
PHOTOPRISM_DATABASE_SERVER="{{ .Address" }}:{{ .Port }}" PHOTOPRISM_DATABASE_SERVER="{{ .Address }}:{{ .Port }}"
{{ end -}} {{- end }}
{{- end }}
EOF EOF
dest_prefix = "$${NOMAD_SECRETS_DIR}/" dest_prefix = "$${NOMAD_SECRETS_DIR}/"
dest = "env" dest = "env"

2
services/media/caddy.nomad
View File

@ -8,7 +8,7 @@ job "multimedia" {
network { network {
mode = "bridge" mode = "bridge"
port "web" { port "web" {
host_network = "wgoverlay" host_network = "wesher"
to = 80 to = 80
} }
} }

2
services/service/service_template.nomad
View File

@ -10,7 +10,7 @@ job "${name}" {
%{ if service_port != null ~} %{ if service_port != null ~}
port "main" { port "main" {
%{ if ingress } %{ if ingress }
host_network = "wgoverlay" host_network = "wesher"
%{~ endif } %{~ endif }
to = ${service_port} to = ${service_port}
} }

45
services/whoami.nomad
View File

@ -9,56 +9,13 @@ job "whoami" {
type = "service" type = "service"
group "whoami-nomad" {
count = var.count
network {
mode = "bridge"
port "web" {
host_network = "wesher"
to = 80
}
}
service {
name = "whoami-nomad"
provider = "nomad"
port = "web"
tags = [
"traefik.enable=true",
"traefik.http.routers.whoami-nomad.entryPoints=websecure",
"traefik.http.routers.whoami-nomad.middlewares=basic-auth@file",
]
}
task "whoami" {
driver = "docker"
meta = {
"diun.enable" = false
}
config {
image = "containous/whoami:latest"
ports = ["web"]
args = ["--port", "${NOMAD_PORT_web}"]
}
resources {
cpu = 50
memory = 20
}
}
}
group "whoami" { group "whoami" {
count = var.count count = var.count
network { network {
mode = "bridge" mode = "bridge"
port "web" { port "web" {
host_network = "wgoverlay" host_network = "wesher"
to = 80 to = 80
} }
} }

4
vars.tf
View File

@ -1,7 +1,3 @@
variable "consul_address" {
type = string
default = "http://n1.thefij:8500"
}
variable "nomad_address" { variable "nomad_address" {
type = string type = string