Move services to their own tf files for easier locating

This commit is contained in:
IamTheFij 2023-08-07 11:37:19 -07:00
parent 41c9d3d6f6
commit ddeb8fffbc
11 changed files with 414 additions and 423 deletions

146
core/authelia.tf Normal file
View File

@ -0,0 +1,146 @@
module "authelia" {
source = "../services/service"
name = "authelia"
instance_count = 2
priority = 70
image = "authelia/authelia:latest"
args = ["--config", "$${NOMAD_TASK_DIR}/authelia.yml"]
ingress = true
service_port = 9999
service_port_static = true
# metrics_port = 9959
env = {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/ldap_password.txt"
AUTHELIA_JWT_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
AUTHELIA_SESSION_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/session_secret.txt"
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "$${NOMAD_SECRETS_DIR}/storage_encryption_key.txt"
AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/mysql_password.txt"
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/oidc_hmac_secret.txt"
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_private_key.txt"
# AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_certificate_chain.txt"
}
use_mysql = true
use_ldap = true
use_redis = true
mysql_bootstrap = {
enabled = true
}
service_tags = [
# Configure traefik to add this middleware
"traefik.http.middlewares.authelia.forwardAuth.address=http://authelia.nomad:$${NOMAD_PORT_main}/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",
"traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true",
"traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
"traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia.nomad:$${NOMAD_PORT_main}/api/verify?auth=basic",
"traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true",
"traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
]
templates = [
{
data = file("${path.module}/authelia.yml")
dest = "authelia.yml"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .lldap_admin_password }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "ldap_password.txt"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .jwt_secret }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "jwt_secret.txt"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .session_secret }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "session_secret.txt"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .storage_encryption_key }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "storage_encryption_key.txt"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .db_pass }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "mysql_password.txt"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_hmac_secret }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "oidc_hmac_secret.txt"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_private_key }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "oidc_issuer_private_key.txt"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_certificate_chain }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "oidc_issuer_certificate_chain.txt"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs\" }}{{ .smtp_password }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "smtp_password.txt"
mount = false
},
]
}
resource "nomad_acl_auth_method" "nomad_authelia" {
name = "authelia"
type = "OIDC"
token_locality = "global"
max_token_ttl = "1h0m0s"
default = true
config {
oidc_discovery_url = "https://authelia.thefij.rocks"
oidc_client_id = "nomad"
oidc_client_secret = yamldecode(file("${path.module}/../ansible_playbooks/vars/nomad_vars.yml"))["nomad/oidc"]["secret"]
bound_audiences = ["nomad"]
oidc_scopes = [
"groups",
"openid",
]
allowed_redirect_uris = [
"https://nomad.thefij.rocks/oidc/callback",
"https://nomad.thefij.rocks/ui/settings/tokens",
]
list_claim_mappings = {
"groups" : "roles"
}
}
}
resource "nomad_acl_binding_rule" "nomad_authelia_admin" {
description = "engineering rule"
auth_method = nomad_acl_auth_method.nomad_authelia.name
selector = "\"nomad-deploy\" in list.roles"
bind_type = "role"
bind_name = "admin" # acls.nomad_acl_role.admin.name
}
resource "nomad_acl_binding_rule" "nomad_authelia_deploy" {
description = "engineering rule"
auth_method = nomad_acl_auth_method.nomad_authelia.name
selector = "\"nomad-deploy\" in list.roles"
bind_type = "role"
bind_name = "deploy" # acls.nomad_acl_role.deploy.name
}

18
core/loki.tf Normal file
View File

@ -0,0 +1,18 @@
module "loki" {
source = "../services/service"
name = "loki"
image = "grafana/loki:2.2.1"
args = ["--config.file=$${NOMAD_TASK_DIR}/loki-config.yml"]
service_port = 3100
ingress = true
sticky_disk = true
# healthcheck = "/ready"
templates = [
{
data = file("${path.module}/loki-config.yml")
dest = "loki-config.yml"
mount = false
}
]
}

View File

@ -23,25 +23,6 @@ resource "nomad_job" "nomad-client-stalker" {
jobspec = file("${path.module}/nomad-client-stalker.nomad") jobspec = file("${path.module}/nomad-client-stalker.nomad")
} }
module "loki" {
source = "../services/service"
name = "loki"
image = "grafana/loki:2.2.1"
args = ["--config.file=$${NOMAD_TASK_DIR}/loki-config.yml"]
service_port = 3100
ingress = true
sticky_disk = true
# healthcheck = "/ready"
templates = [
{
data = file("${path.module}/loki-config.yml")
dest = "loki-config.yml"
mount = false
}
]
}
resource "nomad_job" "syslog-ng" { resource "nomad_job" "syslog-ng" {
jobspec = file("${path.module}/syslogng.nomad") jobspec = file("${path.module}/syslogng.nomad")
} }
@ -53,150 +34,3 @@ resource "nomad_job" "ddclient" {
resource "nomad_job" "lldap" { resource "nomad_job" "lldap" {
jobspec = file("${path.module}/lldap.nomad") jobspec = file("${path.module}/lldap.nomad")
} }
module "authelia" {
source = "../services/service"
name = "authelia"
instance_count = 2
priority = 70
image = "authelia/authelia:latest"
args = ["--config", "$${NOMAD_TASK_DIR}/authelia.yml"]
ingress = true
service_port = 9999
service_port_static = true
# metrics_port = 9959
env = {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/ldap_password.txt"
AUTHELIA_JWT_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
AUTHELIA_SESSION_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/session_secret.txt"
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "$${NOMAD_SECRETS_DIR}/storage_encryption_key.txt"
AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/mysql_password.txt"
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/oidc_hmac_secret.txt"
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_private_key.txt"
# AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_certificate_chain.txt"
}
use_mysql = true
use_ldap = true
use_redis = true
mysql_bootstrap = {
enabled = true
}
service_tags = [
# Configure traefik to add this middleware
"traefik.http.middlewares.authelia.forwardAuth.address=http://authelia.nomad:$${NOMAD_PORT_main}/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",
"traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true",
"traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
"traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia.nomad:$${NOMAD_PORT_main}/api/verify?auth=basic",
"traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true",
"traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
]
templates = [
{
data = file("${path.module}/authelia.yml")
dest = "authelia.yml"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .lldap_admin_password }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "ldap_password.txt"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .jwt_secret }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "jwt_secret.txt"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .session_secret }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "session_secret.txt"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .storage_encryption_key }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "storage_encryption_key.txt"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .db_pass }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "mysql_password.txt"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_hmac_secret }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "oidc_hmac_secret.txt"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_private_key }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "oidc_issuer_private_key.txt"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_certificate_chain }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "oidc_issuer_certificate_chain.txt"
mount = false
},
{
data = "{{ with nomadVar \"nomad/jobs\" }}{{ .smtp_password }}{{ end }}"
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "smtp_password.txt"
mount = false
},
]
}
resource "nomad_acl_auth_method" "nomad_authelia" {
name = "authelia"
type = "OIDC"
token_locality = "global"
max_token_ttl = "1h0m0s"
default = true
config {
oidc_discovery_url = "https://authelia.thefij.rocks"
oidc_client_id = "nomad"
oidc_client_secret = yamldecode(file("${path.module}/../ansible_playbooks/vars/nomad_vars.yml"))["nomad/oidc"]["secret"]
bound_audiences = ["nomad"]
oidc_scopes = [
"groups",
"openid",
]
allowed_redirect_uris = [
"https://nomad.thefij.rocks/oidc/callback",
"https://nomad.thefij.rocks/ui/settings/tokens",
]
list_claim_mappings = {
"groups" : "roles"
}
}
}
resource "nomad_acl_binding_rule" "nomad_authelia_admin" {
description = "engineering rule"
auth_method = nomad_acl_auth_method.nomad_authelia.name
selector = "\"nomad-deploy\" in list.roles"
bind_type = "role"
bind_name = "admin" # acls.nomad_acl_role.admin.name
}
resource "nomad_acl_binding_rule" "nomad_authelia_deploy" {
description = "engineering rule"
auth_method = nomad_acl_auth_method.nomad_authelia.name
selector = "\"nomad-deploy\" in list.roles"
bind_type = "role"
bind_name = "deploy" # acls.nomad_acl_role.deploy.name
}

17
services/adminer.tf Normal file
View File

@ -0,0 +1,17 @@
module "adminer" {
source = "./service"
name = "adminer"
image = "adminer"
ingress = true
service_port = 8080
use_mysql = true
use_postgres = true
resources = {
cpu = 50
memory = 50
}
}

33
services/diun.tf Normal file
View File

@ -0,0 +1,33 @@
module "diun" {
source = "./service"
name = "diun"
image = "crazymax/diun:4.24"
args = ["serve", "--log-level=debug"]
env = {
DIUN_DB_PATH = "$${NOMAD_TASK_DIR}/diun.db"
DIUN_WATCH_SCHEDULE = "0 */6 * * *"
DIUN_PROVIDERS_NOMAD_WATCHBYDEFAULT = true
# Nomad API
# TODO: Use socket in $NOMAD_SECRETS_DIR/api.sock when we can assign workload ACLs with Terraform to
# allow read access. Will need to update template to allow passing token by env
NOMAD_ADDR = "http://$${attr.unique.network.ip-address}:4646/"
DIUN_PROVIDERS_NOMAD = true
}
templates = [
{
data = <<EOF
{{ with nomadVar "nomad/jobs/diun" -}}
DIUN_NOTIF_SLACK_WEBHOOKURL={{ .slack_hook_url }}
{{- end }}
EOF
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "env"
env = true
mount = false
},
]
}

47
services/lidarr.tf Normal file
View File

@ -0,0 +1,47 @@
module "lidarr" {
source = "./service"
name = "lidarr"
image = "linuxserver/lidarr"
ingress = true
service_port = 8686
use_postgres = true
postgres_bootstrap = {
enabled = true
databases = [
"lidarr",
"lidarr-logs",
]
}
env = {
PGID = 100
PUID = 1001
TZ = "America/Los_Angeles"
}
host_volumes = [
{
name = "lidarr-config"
dest = "/config"
read_only = false
},
{
name = "media-write"
dest = "/media"
read_only = false
},
]
resources = {
cpu = 500
memory = 1500
}
stunnel_resources = {
cpu = 100
memory = 100
}
}

View File

@ -2,263 +2,6 @@ module "backups" {
source = "./backups" source = "./backups"
} }
resource "nomad_job" "whoami" {
hcl2 {
enabled = true
vars = {
"count" = 4,
}
}
jobspec = file("${path.module}/whoami.nomad")
}
resource "nomad_job" "ipdvr" { resource "nomad_job" "ipdvr" {
jobspec = file("${path.module}/ip-dvr.nomad") jobspec = file("${path.module}/ip-dvr.nomad")
} }
module "media-library" {
source = "./service"
name = "media-library"
image = "caddy"
args = ["caddy", "file-server", "--root", "/mnt/media", "--browse"]
ingress = true
service_port = 80
host_volumes = [
{
name = "media-read"
dest = "/mnt/media"
read_only = true
},
]
}
module "minitor" {
source = "./service"
name = "minitor"
image = "iamthefij/minitor-go:1.2"
args = ["-metrics", "-config=$${NOMAD_TASK_DIR}/config.yml"]
service_port = 8080
prometheus = true
templates = [
{
data = <<EOF
{{ with nomadVar "nomad/jobs/minitor" -}}
MAILGUN_API_KEY={{ .mailgun_api_key }}
{{ end -}}
EOF
dest = "env"
dest_prefix = "$${NOMAD_SECRETS_DIR}/"
env = true
},
{
data = file("${path.module}/minitor-config.yml")
left_delimiter = "[["
right_delimiter = "]]"
dest = "config.yml"
mount = false
},
]
}
module "photoprism_module" {
source = "./service"
name = "photoprism"
image = "photoprism/photoprism:221118-jammy"
image_pull_timeout = "10m"
constraints = [{
attribute = "$${meta.hw_transcode.type}"
# operator = "is_set"
value = "raspberry"
}]
docker_devices = [{
host_path = "$${meta.hw_transcode.device}"
container_path = "$${meta.hw_transcode.device}"
}]
resources = {
cpu = 2000
memory = 3000
memory_max = 4000
}
stunnel_resources = {
cpu = 100
memory = 100
}
sticky_disk = true
host_volumes = [
{
name = "photoprism-storage"
dest = "/photoprism-storage"
read_only = false
},
{
name = "photoprism-media"
dest = "/photoprism-media"
read_only = false
},
]
ingress = true
service_port = 2342
ingress_middlewares = [
"authelia@nomad"
]
mysql_bootstrap = {
enabled = true
}
env = {
PHOTOPRISM_DEBUG = true
# Make public since we added Authelia at the proxy level
PHOTOPRISM_AUTH_MODE = "public"
# UI
PHOTOPRISM_SITE_CAPTION = "AI-Powered Photos App"
PHOTOPRISM_SITE_DESCRIPTION = "Fijolek home photos"
PHOTOPRISM_SITE_TITLE = "PhotoPrism"
PHOTOPRISM_SITE_URL = "https://photoprism.thefij.rocks/"
PHOTOPRISM_SPONSOR = "true"
# Worker config
PHOTOPRISM_WORKERS = 2
# Paths
PHOTOPRISM_ORIGINALS_PATH = "/photoprism-media/Library"
PHOTOPRISM_IMPORT_PATH = "/photoprism-media/Import"
PHOTOPRISM_STORAGE_PATH = "/photoprism-storage" # Storage PATH for generated files like cache and thumbnails
# Unix permissions
PHOTOPRISM_UID = 500
PHOTOPRISM_GID = 100
PHOTOPRISM_UMASK = 0000
}
templates = [
{
data = <<EOF
{{ with nomadVar "nomad/jobs/photoprism" -}}
PHOTOPRISM_ADMIN_USER={{ .admin_user }}
PHOTOPRISM_ADMIN_PASSWORD={{ .admin_password }}
PHOTOPRISM_DATABASE_DRIVER=mysql
PHOTOPRISM_DATABASE_NAME={{ .db_name }}
PHOTOPRISM_DATABASE_USER={{ .db_user }}
PHOTOPRISM_DATABASE_PASSWORD={{ .db_pass }}
PHOTOPRISM_DATABASE_SERVER=127.0.0.1:3306
{{- end }}
{{ if eq (env "meta.hw_transcode.type") "raspberry" -}}
PHOTOPRISM_FFMPEG_ENCODER=raspberry
PHOTOPRISM_FFMPEG_BUFFERS=64
{{ else if eq (env "meta.hw_transcode.type") "intel" -}}
PHOTOPRISM_FFMPEG_ENCODER=intel
PHOTOPRISM_INIT="intel tensorflow"
{{- end }}
EOF
dest_prefix = "$${NOMAD_SECRETS_DIR}/"
dest = "env"
env = true
mount = false
},
]
}
module "diun" {
source = "./service"
name = "diun"
image = "crazymax/diun:4.24"
args = ["serve", "--log-level=debug"]
env = {
DIUN_DB_PATH = "$${NOMAD_TASK_DIR}/diun.db"
DIUN_WATCH_SCHEDULE = "0 */6 * * *"
DIUN_PROVIDERS_NOMAD_WATCHBYDEFAULT = true
# Nomad API
# TODO: Use socket in $NOMAD_SECRETS_DIR/api.sock when we can assign workload ACLs with Terraform to
# allow read access. Will need to update template to allow passing token by env
NOMAD_ADDR = "http://$${attr.unique.network.ip-address}:4646/"
DIUN_PROVIDERS_NOMAD = true
}
templates = [
{
data = <<EOF
{{ with nomadVar "nomad/jobs/diun" -}}
DIUN_NOTIF_SLACK_WEBHOOKURL={{ .slack_hook_url }}
{{- end }}
EOF
dest_prefix = "$${NOMAD_SECRETS_DIR}"
dest = "env"
env = true
mount = false
},
]
}
module "adminer" {
source = "./service"
name = "adminer"
image = "adminer"
ingress = true
service_port = 8080
use_mysql = true
use_postgres = true
resources = {
cpu = 50
memory = 50
}
}
module "lidarr" {
source = "./service"
name = "lidarr"
image = "linuxserver/lidarr"
ingress = true
service_port = 8686
use_postgres = true
postgres_bootstrap = {
enabled = true
databases = [
"lidarr",
"lidarr-logs",
]
}
env = {
PGID = 100
PUID = 1001
TZ = "America/Los_Angeles"
}
host_volumes = [
{
name = "lidarr-config"
dest = "/config"
read_only = false
},
{
name = "media-write"
dest = "/media"
read_only = false
},
]
resources = {
cpu = 500
memory = 1500
}
stunnel_resources = {
cpu = 100
memory = 100
}
}

16
services/media-library.tf Normal file
View File

@ -0,0 +1,16 @@
module "media-library" {
source = "./service"
name = "media-library"
image = "caddy"
args = ["caddy", "file-server", "--root", "/mnt/media", "--browse"]
ingress = true
service_port = 80
host_volumes = [
{
name = "media-read"
dest = "/mnt/media"
read_only = true
},
]
}

29
services/minitor.tf Normal file
View File

@ -0,0 +1,29 @@
module "minitor" {
source = "./service"
name = "minitor"
image = "iamthefij/minitor-go:1.2"
args = ["-metrics", "-config=$${NOMAD_TASK_DIR}/config.yml"]
service_port = 8080
prometheus = true
templates = [
{
data = <<EOF
{{ with nomadVar "nomad/jobs/minitor" -}}
MAILGUN_API_KEY={{ .mailgun_api_key }}
{{ end -}}
EOF
dest = "env"
dest_prefix = "$${NOMAD_SECRETS_DIR}/"
env = true
},
{
data = file("${path.module}/minitor-config.yml")
left_delimiter = "[["
right_delimiter = "]]"
dest = "config.yml"
mount = false
},
]
}

98
services/photoprism.tf Normal file
View File

@ -0,0 +1,98 @@
module "photoprism_module" {
source = "./service"
name = "photoprism"
image = "photoprism/photoprism:221118-jammy"
image_pull_timeout = "10m"
constraints = [{
attribute = "$${meta.hw_transcode.type}"
# operator = "is_set"
value = "raspberry"
}]
docker_devices = [{
host_path = "$${meta.hw_transcode.device}"
container_path = "$${meta.hw_transcode.device}"
}]
resources = {
cpu = 2000
memory = 3000
memory_max = 4000
}
stunnel_resources = {
cpu = 100
memory = 100
}
sticky_disk = true
host_volumes = [
{
name = "photoprism-storage"
dest = "/photoprism-storage"
read_only = false
},
{
name = "photoprism-media"
dest = "/photoprism-media"
read_only = false
},
]
ingress = true
service_port = 2342
ingress_middlewares = [
"authelia@nomad"
]
mysql_bootstrap = {
enabled = true
}
env = {
PHOTOPRISM_DEBUG = true
# Make public since we added Authelia at the proxy level
PHOTOPRISM_AUTH_MODE = "public"
# UI
PHOTOPRISM_SITE_CAPTION = "AI-Powered Photos App"
PHOTOPRISM_SITE_DESCRIPTION = "Fijolek home photos"
PHOTOPRISM_SITE_TITLE = "PhotoPrism"
PHOTOPRISM_SITE_URL = "https://photoprism.thefij.rocks/"
PHOTOPRISM_SPONSOR = "true"
# Worker config
PHOTOPRISM_WORKERS = 2
# Paths
PHOTOPRISM_ORIGINALS_PATH = "/photoprism-media/Library"
PHOTOPRISM_IMPORT_PATH = "/photoprism-media/Import"
PHOTOPRISM_STORAGE_PATH = "/photoprism-storage" # Storage PATH for generated files like cache and thumbnails
# Unix permissions
PHOTOPRISM_UID = 500
PHOTOPRISM_GID = 100
PHOTOPRISM_UMASK = 0000
}
templates = [
{
data = <<EOF
{{ with nomadVar "nomad/jobs/photoprism" -}}
PHOTOPRISM_ADMIN_USER={{ .admin_user }}
PHOTOPRISM_ADMIN_PASSWORD={{ .admin_password }}
PHOTOPRISM_DATABASE_DRIVER=mysql
PHOTOPRISM_DATABASE_NAME={{ .db_name }}
PHOTOPRISM_DATABASE_USER={{ .db_user }}
PHOTOPRISM_DATABASE_PASSWORD={{ .db_pass }}
PHOTOPRISM_DATABASE_SERVER=127.0.0.1:3306
{{- end }}
{{ if eq (env "meta.hw_transcode.type") "raspberry" -}}
PHOTOPRISM_FFMPEG_ENCODER=raspberry
PHOTOPRISM_FFMPEG_BUFFERS=64
{{ else if eq (env "meta.hw_transcode.type") "intel" -}}
PHOTOPRISM_FFMPEG_ENCODER=intel
PHOTOPRISM_INIT="intel tensorflow"
{{- end }}
EOF
dest_prefix = "$${NOMAD_SECRETS_DIR}/"
dest = "env"
env = true
mount = false
},
]
}

10
services/whoami.tf Normal file
View File

@ -0,0 +1,10 @@
resource "nomad_job" "whoami" {
hcl2 {
enabled = true
vars = {
"count" = 4,
}
}
jobspec = file("${path.module}/whoami.nomad")
}