Compare commits
1 Commits
main
...
add-server
Author | SHA1 | Date | |
---|---|---|---|
d1884e2715 |
@ -132,7 +132,7 @@
|
||||
"filename": "core/authelia.yml",
|
||||
"hashed_secret": "a32b08d97b1615dc27f58b6b17f67624c04e2c4f",
|
||||
"is_verified": false,
|
||||
"line_number": 201,
|
||||
"line_number": 189,
|
||||
"is_secret": false
|
||||
}
|
||||
],
|
||||
@ -187,5 +187,5 @@
|
||||
}
|
||||
]
|
||||
},
|
||||
"generated_at": "2024-08-30T18:12:43Z"
|
||||
"generated_at": "2024-02-20T18:04:29Z"
|
||||
}
|
||||
|
@ -1,6 +1,6 @@
|
||||
resource "nomad_acl_policy" "anon_policy" {
|
||||
name = "anonymous"
|
||||
description = "Anon read only"
|
||||
description = "Anon RO"
|
||||
rules_hcl = file("${path.module}/nomad-anon-policy.hcl")
|
||||
}
|
||||
|
||||
|
@ -24,20 +24,20 @@ all:
|
||||
group: "999"
|
||||
mode: "0755"
|
||||
read_only: false
|
||||
# n2.thefij:
|
||||
# nomad_node_class: ingress
|
||||
# nomad_reserved_memory: 1024
|
||||
# nfs_mounts:
|
||||
# - src: 10.50.250.2:/srv/volumes
|
||||
# path: /srv/volumes/moxy
|
||||
# opts: proto=tcp,rw
|
||||
# nomad_unique_host_volumes:
|
||||
# - name: nextcloud-data
|
||||
# path: /srv/volumes/nextcloud
|
||||
# owner: "root"
|
||||
# group: "bin"
|
||||
# mode: "0755"
|
||||
# read_only: false
|
||||
n2.thefij:
|
||||
nomad_node_class: ingress
|
||||
nomad_reserved_memory: 1024
|
||||
nfs_mounts:
|
||||
- src: 10.50.250.2:/srv/volumes
|
||||
path: /srv/volumes/moxy
|
||||
opts: proto=tcp,rw
|
||||
nomad_unique_host_volumes:
|
||||
- name: nextcloud-data
|
||||
path: /srv/volumes/nextcloud
|
||||
owner: "root"
|
||||
group: "bin"
|
||||
mode: "0755"
|
||||
read_only: false
|
||||
pi4:
|
||||
nomad_node_class: ingress
|
||||
nomad_reserved_memory: 512
|
||||
@ -58,15 +58,12 @@ nomad_instances:
|
||||
nomad_clients: {}
|
||||
nomad_servers:
|
||||
hosts:
|
||||
nonopi.thefij:
|
||||
ansible_host: 192.168.2.170
|
||||
n1.thefij: {}
|
||||
# n2.thefij: {}
|
||||
pi4: {}
|
||||
# qnomad.thefij: {}
|
||||
nonopi.thefij: {}
|
||||
children:
|
||||
all: {}
|
||||
nomad_clients:
|
||||
hosts:
|
||||
n1.thefij: {}
|
||||
# n2.thefij: {}
|
||||
n2.thefij: {}
|
||||
pi4: {}
|
||||
# qnomad.thefij: {}
|
||||
qnomad.thefij: {}
|
||||
|
@ -56,10 +56,6 @@
|
||||
path: /srv/volumes/media-write
|
||||
opts: proto=tcp,port=2049,rw
|
||||
|
||||
- src: 192.168.2.10:/Overflow
|
||||
path: /srv/volumes/nas-overflow
|
||||
opts: proto=tcp,port=2049,rw
|
||||
|
||||
- src: 192.168.2.10:/Photos
|
||||
path: /srv/volumes/photos
|
||||
opts: proto=tcp,port=2049,rw
|
||||
@ -101,12 +97,6 @@
|
||||
group: "root"
|
||||
mode: "0755"
|
||||
read_only: false
|
||||
- name: media-overflow-write
|
||||
path: /srv/volumes/nas-overflow/Media
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0755"
|
||||
read_only: false
|
||||
- name: media-downloads
|
||||
path: /srv/volumes/media-write/Downloads
|
||||
read_only: false
|
||||
@ -137,12 +127,6 @@
|
||||
- name: gitea-data
|
||||
path: /srv/volumes/nas-container/gitea
|
||||
read_only: false
|
||||
- name: ytdl-web
|
||||
path: /srv/volumes/nas-container/ytdl-web
|
||||
read_only: false
|
||||
- name: christmas-community
|
||||
path: /srv/volumes/nas-container/christmas-community
|
||||
read_only: false
|
||||
- name: all-volumes
|
||||
path: /srv/volumes
|
||||
owner: "root"
|
||||
@ -153,10 +137,10 @@
|
||||
roles:
|
||||
- name: ansible-nomad
|
||||
vars:
|
||||
nomad_version: "1.9.3-1"
|
||||
nomad_version: "1.7.6-1"
|
||||
nomad_install_upgrade: true
|
||||
nomad_allow_purge_config: true
|
||||
nomad_node_role: "{% if 'nomad_clients' in group_names %}{% if 'nomad_servers' in group_names %}both{% else %}client{% endif %}{% else %}server{% endif %}"
|
||||
nomad_node_role: "{% if 'nomad_clients' in group_names %}{% if 'nomad_servers' in group_names %}both{% else %}client{% endif %}{% else %}server{% endif %}
|
||||
|
||||
# Where nomad gets installed to
|
||||
nomad_bin_dir: /usr/bin
|
||||
@ -311,7 +295,7 @@
|
||||
- acl
|
||||
- policy
|
||||
- apply
|
||||
- -description=Anon read only
|
||||
- -description="Anon read only"
|
||||
- anonymous
|
||||
- /tmp/anonymous.policy.hcl
|
||||
environment:
|
||||
|
@ -116,7 +116,6 @@ nomad/jobs/photoprism:
|
||||
db_name: VALUE
|
||||
db_pass: VALUE
|
||||
db_user: VALUE
|
||||
oidc_secret: VALUE
|
||||
nomad/jobs/postgres-server:
|
||||
superuser: VALUE
|
||||
superuser_pass: VALUE
|
||||
@ -140,8 +139,6 @@ nomad/jobs/traefik:
|
||||
nomad/jobs/unifi-traffic-route-ips:
|
||||
unifi_password: VALUE
|
||||
unifi_username: VALUE
|
||||
nomad/jobs/wishlist:
|
||||
guest_password: VALUE
|
||||
nomad/oidc:
|
||||
secret: VALUE
|
||||
secrets/ldap:
|
||||
|
@ -71,17 +71,17 @@ job "backup%{ if batch_node != null }-oneoff-${batch_node}%{ endif }" {
|
||||
}
|
||||
|
||||
config {
|
||||
image = "iamthefij/restic-scheduler:0.4.2"
|
||||
image = "iamthefij/resticscheduler:0.4.0"
|
||||
ports = ["metrics"]
|
||||
args = [
|
||||
"--push-gateway",
|
||||
"http://pushgateway.nomad:9091",
|
||||
%{ if batch_node != null ~}
|
||||
"-once",
|
||||
"-$${NOMAD_META_task}",
|
||||
"$${NOMAD_META_job_name}",
|
||||
"--snapshot",
|
||||
"$${NOMAD_META_snapshot}",
|
||||
"--push-gateway",
|
||||
"http://pushgateway.nomad:9091",
|
||||
%{ endif ~}
|
||||
"$${NOMAD_TASK_DIR}/node-jobs.hcl",
|
||||
]
|
||||
@ -89,29 +89,19 @@ job "backup%{ if batch_node != null }-oneoff-${batch_node}%{ endif }" {
|
||||
|
||||
action "unlockenv" {
|
||||
command = "sh"
|
||||
args = ["-c", "/bin/restic-scheduler -once -unlock all $${NOMAD_TASK_DIR}/node-jobs.hcl"]
|
||||
args = ["-c", "/bin/resticscheduler -once -unlock all $${NOMAD_TASK_DIR}/node-jobs.hcl"]
|
||||
}
|
||||
|
||||
action "unlocktmpl" {
|
||||
command = "/bin/restic-scheduler"
|
||||
command = "/bin/resticscheduler"
|
||||
args = ["-once", "-unlock", "all", "{{ env 'NOMAD_TASK_DIR' }}/node-jobs.hcl"]
|
||||
}
|
||||
|
||||
action "unlockhc" {
|
||||
command = "/bin/restic-scheduler"
|
||||
command = "/bin/resticscheduler"
|
||||
args = ["-once", "-unlock", "all", "/local/node-jobs.hcl"]
|
||||
}
|
||||
|
||||
action "backupall" {
|
||||
command = "/bin/restic-scheduler"
|
||||
args = ["-once", "-backup", "all", "/local/node-jobs.hcl"]
|
||||
}
|
||||
|
||||
action "backupallenv" {
|
||||
command = "sh"
|
||||
args = ["-c", "/bin/restic-scheduler -once -backup all $${NOMAD_TASK_DIR}/node-jobs.hcl"]
|
||||
}
|
||||
|
||||
env = {
|
||||
RCLONE_CHECKERS = "2"
|
||||
RCLONE_TRANSFERS = "2"
|
||||
@ -200,7 +190,7 @@ job "Dummy" {
|
||||
}
|
||||
|
||||
config {
|
||||
image = "iamthefij/stunnel:1.0.0"
|
||||
image = "iamthefij/stunnel:latest"
|
||||
args = ["$${NOMAD_TASK_DIR}/stunnel.conf"]
|
||||
}
|
||||
|
||||
|
@ -8,7 +8,7 @@ resource "nomad_job" "backup" {
|
||||
|
||||
resource "nomad_job" "backup-oneoff" {
|
||||
# TODO: Get list of nomad hosts dynamically
|
||||
for_each = toset(["n1", "pi4"])
|
||||
for_each = toset(["n1", "n2", "pi4"])
|
||||
# for_each = toset([
|
||||
# for node in data.consul_service.nomad.service :
|
||||
# node.node_name
|
||||
@ -24,7 +24,7 @@ resource "nomad_job" "backup-oneoff" {
|
||||
locals {
|
||||
# NOTE: This can't be dynamic in first deploy since these values are not known
|
||||
# all_job_ids = toset(flatten([[for job in resource.nomad_job.backup-oneoff : job.id], [resource.nomad_job.backup.id]]))
|
||||
all_job_ids = toset(["backup", "backup-oneoff-n1", "backup-oneoff-pi4"])
|
||||
all_job_ids = toset(["backup", "backup-oneoff-n1", "backup-oneoff-n2", "backup-oneoff-pi4"])
|
||||
}
|
||||
|
||||
resource "nomad_acl_policy" "secrets_mysql" {
|
||||
|
@ -4,7 +4,7 @@ module "authelia" {
|
||||
name = "authelia"
|
||||
instance_count = 2
|
||||
priority = 70
|
||||
image = "authelia/authelia:4.38"
|
||||
image = "authelia/authelia:4.37"
|
||||
args = ["--config", "$${NOMAD_TASK_DIR}/authelia.yml"]
|
||||
ingress = true
|
||||
service_port = 9999
|
||||
@ -114,9 +114,6 @@ namespace "default" {
|
||||
path "authelia/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
path "secrets/authelia/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
}
|
||||
}
|
||||
EOH
|
||||
@ -145,22 +142,6 @@ EOH
|
||||
}
|
||||
}
|
||||
|
||||
# Enable oidc for nomad clients
|
||||
module "nomad_oidc_client" {
|
||||
source = "./oidc_client"
|
||||
|
||||
name = "nomad"
|
||||
oidc_client_config = {
|
||||
description = "Nomad"
|
||||
authorization_policy = "two_factor"
|
||||
redirect_uris = [
|
||||
"https://nomad.${var.base_hostname}/oidc/callback",
|
||||
"https://nomad.${var.base_hostname}/ui/settings/tokens",
|
||||
]
|
||||
scopes = ["openid", "groups"]
|
||||
}
|
||||
}
|
||||
|
||||
resource "nomad_acl_auth_method" "nomad_authelia" {
|
||||
name = "authelia"
|
||||
type = "OIDC"
|
||||
@ -170,9 +151,9 @@ resource "nomad_acl_auth_method" "nomad_authelia" {
|
||||
|
||||
config {
|
||||
oidc_discovery_url = "https://authelia.${var.base_hostname}"
|
||||
oidc_client_id = module.nomad_oidc_client.client_id
|
||||
oidc_client_secret = module.nomad_oidc_client.secret
|
||||
bound_audiences = [module.nomad_oidc_client.client_id]
|
||||
oidc_client_id = "nomad"
|
||||
oidc_client_secret = yamldecode(file("${path.module}/../ansible_playbooks/vars/nomad_vars.yml"))["nomad/oidc"]["secret"]
|
||||
bound_audiences = ["nomad"]
|
||||
oidc_scopes = [
|
||||
"groups",
|
||||
"openid",
|
||||
@ -190,7 +171,7 @@ resource "nomad_acl_auth_method" "nomad_authelia" {
|
||||
resource "nomad_acl_binding_rule" "nomad_authelia_admin" {
|
||||
description = "engineering rule"
|
||||
auth_method = nomad_acl_auth_method.nomad_authelia.name
|
||||
selector = "\"nomad-admin\" in list.roles"
|
||||
selector = "\"nomad-deploy\" in list.roles"
|
||||
bind_type = "role"
|
||||
bind_name = "admin" # acls.nomad_acl_role.admin.name
|
||||
}
|
||||
|
@ -151,18 +151,6 @@ access_control:
|
||||
networks: 192.168.5.0/24
|
||||
|
||||
rules:
|
||||
## Allow favicons on internal network
|
||||
- domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
|
||||
resources:
|
||||
- '^/apple-touch-icon-precomposed\.png$'
|
||||
- '^/assets/safari-pinned-tab\.svg$'
|
||||
- '^/apple-touch-icon-180x180\.png$'
|
||||
- '^/apple-touch-icon\.png$'
|
||||
- '^/favicon\.ico$'
|
||||
networks:
|
||||
- internal
|
||||
policy: bypass
|
||||
|
||||
{{ range nomadVarList "authelia/access_control/service_rules" }}{{ with nomadVar .Path }}
|
||||
- domain: '{{ .name }}.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
|
||||
{{ .rule.Value | indent 6 }}
|
||||
@ -235,7 +223,7 @@ storage:
|
||||
## The available providers are: filesystem, smtp. You must use only one of these providers.
|
||||
notifier:
|
||||
## You can disable the notifier startup check by setting this to true.
|
||||
disable_startup_check: true
|
||||
disable_startup_check: false
|
||||
|
||||
{{ with nomadVar "secrets/smtp" }}
|
||||
smtp:
|
||||
@ -261,18 +249,4 @@ identity_providers:
|
||||
# hmac_secret: <file>
|
||||
# issuer_private_key: <file>
|
||||
|
||||
clients:
|
||||
{{ range nomadVarList "authelia/access_control/oidc_clients" -}}
|
||||
{{- $name := (sprig_last (sprig_splitList "/" .Path)) -}}
|
||||
{{ "-" | indent 6 }}
|
||||
{{ with nomadVar .Path }}
|
||||
|
||||
{{- $im := .ItemsMap -}}
|
||||
{{- $im = sprig_set $im "redirect_uris" (.redirect_uris.Value | parseYAML) -}}
|
||||
{{- $im = sprig_set $im "scopes" (.scopes.Value | parseYAML) -}}
|
||||
{{- with nomadVar (printf "secrets/authelia/%s" $name) -}}
|
||||
{{- $im = sprig_set $im "secret" .secret_hash.Value -}}
|
||||
{{- end -}}
|
||||
{{ $im | toYAML | indent 8 }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
clients: {{ with nomadVar "nomad/jobs/authelia" }}{{ .oidc_clients.Value }}{{ end }}
|
||||
|
@ -1,23 +1,20 @@
|
||||
variable "config_data" {
|
||||
type = string
|
||||
description = "Plain text config file for blocky"
|
||||
}
|
||||
|
||||
job "blocky" {
|
||||
datacenters = ["dc1"]
|
||||
type = "service"
|
||||
type = "system"
|
||||
priority = 100
|
||||
|
||||
constraint {
|
||||
distinct_hosts = true
|
||||
}
|
||||
|
||||
update {
|
||||
max_parallel = 1
|
||||
auto_revert = true
|
||||
min_healthy_time = "60s"
|
||||
healthy_deadline = "5m"
|
||||
# TODO: maybe switch to service job from system so we can use canary and autorollback
|
||||
# auto_revert = true
|
||||
}
|
||||
|
||||
group "blocky" {
|
||||
# TODO: This must be updated to match the nubmer of servers (possibly grabbed from TF)
|
||||
# I am moving away from `system` jobs because of https://github.com/hashicorp/nomad/issues/12023
|
||||
count = 2
|
||||
|
||||
network {
|
||||
mode = "bridge"
|
||||
@ -65,11 +62,6 @@ job "blocky" {
|
||||
path = "/"
|
||||
interval = "10s"
|
||||
timeout = "3s"
|
||||
|
||||
check_restart {
|
||||
limit = 3
|
||||
grace = "5m"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -77,21 +69,11 @@ job "blocky" {
|
||||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "ghcr.io/0xerr0r/blocky:v0.24"
|
||||
image = "ghcr.io/0xerr0r/blocky:v0.22"
|
||||
args = ["-c", "$${NOMAD_TASK_DIR}/config.yml"]
|
||||
ports = ["dns", "api"]
|
||||
}
|
||||
|
||||
action "refresh-lists" {
|
||||
command = "/app/blocky"
|
||||
args = ["lists", "refresh"]
|
||||
}
|
||||
|
||||
action "healthcheck" {
|
||||
command = "/app/blocky"
|
||||
args = ["healthcheck"]
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = 50
|
||||
memory = 75
|
||||
@ -99,9 +81,7 @@ job "blocky" {
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOF
|
||||
${file("${module_path}/config.yml")}
|
||||
EOF
|
||||
data = var.config_data
|
||||
destination = "$${NOMAD_TASK_DIR}/config.yml"
|
||||
splay = "1m"
|
||||
|
||||
@ -127,121 +107,6 @@ EOF
|
||||
max = "20s"
|
||||
}
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOF
|
||||
{{ if nomadVarExists "blocky_lists/user" }}
|
||||
{{ with nomadVar "blocky_lists/user" -}}
|
||||
{{ .block_list.Value }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
EOF
|
||||
destination = "$${NOMAD_TASK_DIR}/block"
|
||||
change_mode = "script"
|
||||
|
||||
change_script {
|
||||
command = "/app/blocky"
|
||||
args = ["lists", "refresh"]
|
||||
timeout = "20s"
|
||||
}
|
||||
|
||||
wait {
|
||||
min = "30s"
|
||||
max = "1m"
|
||||
}
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOF
|
||||
{{ if nomadVarExists "blocky_lists/user" }}
|
||||
{{ with nomadVar "blocky_lists/user" -}}
|
||||
{{ .allow_list.Value }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
EOF
|
||||
destination = "$${NOMAD_TASK_DIR}/allow"
|
||||
change_mode = "script"
|
||||
|
||||
change_script {
|
||||
command = "/app/blocky"
|
||||
args = ["lists", "refresh"]
|
||||
timeout = "20s"
|
||||
}
|
||||
|
||||
wait {
|
||||
min = "30s"
|
||||
max = "1m"
|
||||
}
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOF
|
||||
{{ if nomadVarExists "blocky_lists/terraform" }}
|
||||
{{ with nomadVar "blocky_lists/terraform" -}}
|
||||
{{ .smarttv_regex.Value }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
EOF
|
||||
destination = "$${NOMAD_TASK_DIR}/smarttv-regex.txt"
|
||||
change_mode = "script"
|
||||
|
||||
change_script {
|
||||
command = "/app/blocky"
|
||||
args = ["lists", "refresh"]
|
||||
timeout = "20s"
|
||||
}
|
||||
|
||||
wait {
|
||||
min = "10s"
|
||||
max = "20s"
|
||||
}
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOF
|
||||
{{ if nomadVarExists "blocky_lists/terraform" }}
|
||||
{{ with nomadVar "blocky_lists/terraform" -}}
|
||||
{{ .wemo.Value }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
EOF
|
||||
destination = "$${NOMAD_TASK_DIR}/wemo.txt"
|
||||
change_mode = "script"
|
||||
|
||||
change_script {
|
||||
command = "/app/blocky"
|
||||
args = ["lists", "refresh"]
|
||||
timeout = "20s"
|
||||
}
|
||||
|
||||
wait {
|
||||
min = "10s"
|
||||
max = "20s"
|
||||
}
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOF
|
||||
{{ if nomadVarExists "blocky_lists/terraform" }}
|
||||
{{ with nomadVar "blocky_lists/terraform" -}}
|
||||
{{ .sonos.Value }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
EOF
|
||||
destination = "$${NOMAD_TASK_DIR}/sonos.txt"
|
||||
change_mode = "script"
|
||||
|
||||
change_script {
|
||||
command = "/app/blocky"
|
||||
args = ["lists", "refresh"]
|
||||
timeout = "20s"
|
||||
}
|
||||
|
||||
wait {
|
||||
min = "10s"
|
||||
max = "20s"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
task "stunnel" {
|
||||
@ -253,7 +118,7 @@ EOF
|
||||
}
|
||||
|
||||
config {
|
||||
image = "iamthefij/stunnel:1.0.0"
|
||||
image = "iamthefij/stunnel:latest"
|
||||
args = ["$${NOMAD_TASK_DIR}/stunnel.conf"]
|
||||
ports = ["tls"]
|
||||
}
|
||||
@ -269,13 +134,6 @@ syslog = no
|
||||
foreground = yes
|
||||
delay = yes
|
||||
|
||||
[dns_server]
|
||||
# Dummy server to keep stunnel running if no mysql is present
|
||||
accept = 8053
|
||||
connect = 127.0.0.1:53
|
||||
ciphers = PSK
|
||||
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
|
||||
|
||||
{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-tls" -}}
|
||||
[mysql_client]
|
||||
client = yes
|
||||
@ -321,9 +179,11 @@ EOF
|
||||
config {
|
||||
image = "mariadb:10"
|
||||
args = [
|
||||
"/usr/bin/timeout",
|
||||
"2m",
|
||||
"/bin/bash",
|
||||
"-c",
|
||||
"/usr/bin/timeout 2m /bin/bash -c \"until /usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql; do echo 'Retry in 10s'; sleep 10; done\" || true",
|
||||
"until /usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql; do sleep 10; done",
|
||||
]
|
||||
}
|
||||
|
||||
|
@ -1,7 +1,16 @@
|
||||
locals {
|
||||
config_data = file("${path.module}/config.yml")
|
||||
}
|
||||
|
||||
resource "nomad_job" "blocky" {
|
||||
hcl2 {
|
||||
vars = {
|
||||
"config_data" = local.config_data,
|
||||
}
|
||||
}
|
||||
|
||||
jobspec = templatefile("${path.module}/blocky.nomad", {
|
||||
use_wesher = var.use_wesher,
|
||||
module_path = path.module,
|
||||
use_wesher = var.use_wesher,
|
||||
})
|
||||
}
|
||||
|
||||
@ -57,32 +66,3 @@ EOH
|
||||
task = "stunnel"
|
||||
}
|
||||
}
|
||||
|
||||
resource "nomad_variable" "blocky_lists_terraform" {
|
||||
path = "blocky_lists/terraform"
|
||||
items = {
|
||||
smarttv_regex = file("${path.module}/list-smarttv-regex.txt")
|
||||
wemo = file("${path.module}/list-wemo.txt")
|
||||
sonos = file("${path.module}/list-sonos.txt")
|
||||
}
|
||||
}
|
||||
|
||||
resource "nomad_acl_policy" "blocky_lists" {
|
||||
name = "blocky-lists"
|
||||
description = "Give access Blocky lists"
|
||||
rules_hcl = <<EOH
|
||||
namespace "default" {
|
||||
variables {
|
||||
path "blocky_lists/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
}
|
||||
}
|
||||
EOH
|
||||
|
||||
job_acl {
|
||||
job_id = "blocky"
|
||||
group = "blocky"
|
||||
task = "blocky"
|
||||
}
|
||||
}
|
||||
|
@ -2,9 +2,6 @@ ports:
|
||||
dns: 53
|
||||
http: 4000
|
||||
|
||||
# I must have ip v6 blocked or something
|
||||
connectIPVersion: v4
|
||||
|
||||
bootstrapDns:
|
||||
- upstream: 1.1.1.1
|
||||
- upstream: 1.0.0.1
|
||||
@ -13,42 +10,40 @@ bootstrapDns:
|
||||
|
||||
|
||||
upstreams:
|
||||
init:
|
||||
strategy: fast
|
||||
groups:
|
||||
default:
|
||||
- https://dns.quad9.net/dns-query
|
||||
- tcp-tls:dns.quad9.net
|
||||
- https://one.one.one.one/dns-query
|
||||
- tcp-tls:one.one.one.one
|
||||
# cloudflare:
|
||||
# - 1.1.1.1
|
||||
# - 1.0.0.1
|
||||
# - 2606:4700:4700::1111
|
||||
# - 2606:4700:4700::1001
|
||||
# - https://one.one.one.one/dns-query
|
||||
# - tcp-tls:one.one.one.one
|
||||
# quad9:
|
||||
# - 9.9.9.9
|
||||
# - 149.112.112.112
|
||||
# - 2620:fe::fe
|
||||
# - 2620:fe::9
|
||||
# - https://dns.quad9.net/dns-query
|
||||
# - tcp-tls:dns.quad9.net
|
||||
# quad9-secured:
|
||||
# - 9.9.9.11
|
||||
# - 149.112.112.11
|
||||
# - 2620:fe::11
|
||||
# - 2620:fe::fe:11
|
||||
# - https://dns11.quad9.net/dns-query
|
||||
# - tcp-tls:dns11.quad9.net
|
||||
# quad9-unsecured:
|
||||
# - 9.9.9.10
|
||||
# - 149.112.112.10
|
||||
# - 2620:fe::10
|
||||
# - 2620:fe::fe:10
|
||||
# - https://dns10.quad9.net/dns-query
|
||||
# - tcp-tls:dns10.quad9.net
|
||||
cloudflare:
|
||||
- 1.1.1.1
|
||||
- 1.0.0.1
|
||||
- 2606:4700:4700::1111
|
||||
- 2606:4700:4700::1001
|
||||
- https://one.one.one.one/dns-query
|
||||
- tcp-tls:one.one.one.one
|
||||
quad9:
|
||||
- 9.9.9.9
|
||||
- 149.112.112.112
|
||||
- 2620:fe::fe
|
||||
- 2620:fe::9
|
||||
- https://dns.quad9.net/dns-query
|
||||
- tcp-tls:dns.quad9.net
|
||||
quad9-secured:
|
||||
- 9.9.9.11
|
||||
- 149.112.112.11
|
||||
- 2620:fe::11
|
||||
- 2620:fe::fe:11
|
||||
- https://dns11.quad9.net/dns-query
|
||||
- tcp-tls:dns11.quad9.net
|
||||
quad9-unsecured:
|
||||
- 9.9.9.10
|
||||
- 149.112.112.10
|
||||
- 2620:fe::10
|
||||
- 2620:fe::fe:10
|
||||
- https://dns10.quad9.net/dns-query
|
||||
- tcp-tls:dns10.quad9.net
|
||||
|
||||
conditional:
|
||||
fallbackUpstream: false
|
||||
@ -78,11 +73,19 @@ blocking:
|
||||
- https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
|
||||
- https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
|
||||
# - https://hosts-file.net/ad_servers.txt
|
||||
iot:
|
||||
- https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt
|
||||
- {{ env "NOMAD_TASK_DIR" }}/smarttv-regex.txt
|
||||
- {{ env "NOMAD_TASK_DIR" }}/wemo.txt
|
||||
- {{ env "NOMAD_TASK_DIR" }}/sonos.txt
|
||||
smarttv:
|
||||
- https://perflyst.github.io/PiHoleBlocklist/SmartTV.txt
|
||||
# - https://perflyst.github.io/PiHoleBlocklist/regex.list
|
||||
wemo:
|
||||
- |
|
||||
# Remote commands
|
||||
api.xbcs.net
|
||||
# Firmware updates
|
||||
fw.xbcs.net
|
||||
# TURN service
|
||||
nat.wemo2.com
|
||||
# Connectivity checks
|
||||
heartbeat.xwemo.com
|
||||
antisocial:
|
||||
- |
|
||||
facebook.com
|
||||
@ -91,20 +94,22 @@ blocking:
|
||||
twitter.com
|
||||
youtube.com
|
||||
custom:
|
||||
- {{ env "NOMAD_TASK_DIR" }}/block
|
||||
- https://git.thefij.rocks/iamthefij/blocklists/raw/branch/main/block
|
||||
|
||||
whiteLists:
|
||||
ads:
|
||||
{{ with nomadVar "nomad/jobs/blocky" -}}
|
||||
{{ .whitelists_ads.Value | indent 6 }}
|
||||
{{- end }}
|
||||
custom:
|
||||
- {{ env "NOMAD_TASK_DIR" }}/allow
|
||||
- https://git.thefij.rocks/iamthefij/blocklists/raw/branch/main/allow
|
||||
|
||||
clientGroupsBlock:
|
||||
default:
|
||||
- ads
|
||||
- custom
|
||||
192.168.3.1/24:
|
||||
- ads
|
||||
- iot
|
||||
- custom
|
||||
- smarttv
|
||||
- wemo
|
||||
|
||||
customDNS:
|
||||
customTTL: 1h
|
||||
@ -132,6 +137,7 @@ redis:
|
||||
connectionCooldown: 3s
|
||||
{{ end -}}
|
||||
|
||||
|
||||
{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-tls" -}}
|
||||
{{ with nomadVar "nomad/jobs/blocky" -}}
|
||||
queryLog:
|
||||
|
@ -1,13 +0,0 @@
|
||||
# From: https://perflyst.github.io/PiHoleBlocklist/regex.list
|
||||
# Title: Perflyst's SmartTV Blocklist for Pi-hole - RegEx extension
|
||||
# Version: 13July2023v1
|
||||
# Samsung
|
||||
/(^|\.)giraffic\.com$/
|
||||
/(^|\.)internetat\.tv$/
|
||||
/(^|\.)pavv\.co\.kr$/
|
||||
/(^|\.)samsungcloudsolution\.net$/
|
||||
/(^|\.)samsungelectronics\.com$/
|
||||
/(^|\.)samsungrm\.net$/
|
||||
# /(^|\.)samsungotn\.net$/ # prevents updates
|
||||
# /(^|\.)samsungcloudcdn\.com$/ # prevents updates
|
||||
# /(^|\.)samsungcloudsolution\.com$/ # prevents internet connection
|
@ -1,2 +0,0 @@
|
||||
# Block Sonos devices from phoning home and allowing remote access
|
||||
/(^|\.)sonos\.com$/
|
@ -1,8 +0,0 @@
|
||||
# Remote commands
|
||||
api.xbcs.net
|
||||
# Firmware updates
|
||||
fw.xbcs.net
|
||||
# TURN service
|
||||
nat.wemo2.com
|
||||
# Connectivity checks
|
||||
heartbeat.xwemo.com
|
@ -1,16 +1,8 @@
|
||||
job "exporters" {
|
||||
datacenters = ["dc1"]
|
||||
type = "service"
|
||||
priority = 55
|
||||
|
||||
constraint {
|
||||
distinct_hosts = true
|
||||
}
|
||||
type = "system"
|
||||
|
||||
group "promtail" {
|
||||
# TODO: This must be updated to match the nubmer of servers (possibly grabbed from TF)
|
||||
# I am moving away from `system` jobs because of https://github.com/hashicorp/nomad/issues/1202
|
||||
count = 2
|
||||
|
||||
network {
|
||||
mode = "bridge"
|
||||
@ -41,8 +33,14 @@ job "exporters" {
|
||||
task "promtail" {
|
||||
driver = "docker"
|
||||
|
||||
meta = {
|
||||
"diun.sort_tags" = "semver"
|
||||
"diun.watch_repo" = true
|
||||
"diun.include_tags" = "^[0-9]+\\.[0-9]+\\.[0-9]+$"
|
||||
}
|
||||
|
||||
config {
|
||||
image = "grafana/promtail:3.3.0"
|
||||
image = "grafana/promtail:2.9.1"
|
||||
args = ["-config.file=$${NOMAD_TASK_DIR}/promtail.yml"]
|
||||
ports = ["promtail"]
|
||||
|
||||
|
@ -1,5 +0,0 @@
|
||||
resource "nomad_job" "exporters" {
|
||||
jobspec = templatefile("${path.module}/exporters.nomad", {
|
||||
use_wesher = var.use_wesher,
|
||||
})
|
||||
}
|
@ -40,7 +40,7 @@ job "grafana" {
|
||||
}
|
||||
|
||||
config {
|
||||
image = "iamthefij/stunnel:1.0.0"
|
||||
image = "iamthefij/stunnel:latest"
|
||||
args = ["$${NOMAD_TASK_DIR}/stunnel.conf"]
|
||||
}
|
||||
|
||||
@ -86,10 +86,10 @@ EOF
|
||||
image = "mariadb:10"
|
||||
args = [
|
||||
"/usr/bin/timeout",
|
||||
"20m",
|
||||
"2m",
|
||||
"/bin/bash",
|
||||
"-c",
|
||||
"until /usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql; do echo 'Retry in 10s'; sleep 10; done",
|
||||
"until /usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql; do sleep 10; done",
|
||||
]
|
||||
}
|
||||
|
||||
@ -155,6 +155,7 @@ GF_SECURITY_ADMIN_PASSWORD={{ .admin_pw }}
|
||||
GF_EXTERNAL_IMAGE_STORAGE_S3_ACCESS_KEY={{ .minio_access_key }}
|
||||
GF_EXTERNAL_IMAGE_STORAGE_S3_SECRET_KEY={{ .minio_secret_key }}
|
||||
GRAFANA_ALERT_EMAIL_ADDRESSES={{ .alert_email_addresses }}
|
||||
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ .oidc_secret }}
|
||||
{{ if .db_name -}}
|
||||
# Database storage
|
||||
GF_DATABASE_TYPE=mysql
|
||||
@ -166,10 +167,6 @@ GF_DATABASE_PASSWORD={{ .db_pass }}
|
||||
SLACK_BOT_URL={{ .slack_bot_url }}
|
||||
SLACK_BOT_TOKEN={{ .slack_bot_token }}
|
||||
SLACK_HOOK_URL={{ .slack_hook_url }}
|
||||
{{ end -}}
|
||||
{{ with nomadVar "secrets/authelia/grafana" -}}
|
||||
GF_AUTH_GENERIC_OAUTH_CLIENT_ID={{ .client_id }}
|
||||
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ .secret }}
|
||||
{{ end -}}
|
||||
EOF
|
||||
env = true
|
||||
@ -196,12 +193,8 @@ GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ .secret }}
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = 50
|
||||
memory = 50
|
||||
}
|
||||
|
||||
action "reloadnow" {
|
||||
command = "/local/reload_config.sh"
|
||||
cpu = 100
|
||||
memory = 100
|
||||
}
|
||||
|
||||
env = {
|
||||
|
@ -261,7 +261,7 @@ log_queries =
|
||||
enabled = true
|
||||
name = Authelia
|
||||
;allow_sign_up = true
|
||||
client_id = from_env
|
||||
client_id = grafana
|
||||
client_secret = from_env
|
||||
scopes = openid profile email groups
|
||||
auth_url = https://authelia.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}/api/oidc/authorization
|
||||
|
@ -29,6 +29,7 @@ job "lego" {
|
||||
driver = "exec"
|
||||
|
||||
config {
|
||||
# image = "alpine:3"
|
||||
command = "/bin/bash"
|
||||
args = ["${NOMAD_TASK_DIR}/start.sh"]
|
||||
}
|
||||
|
@ -1,3 +1,17 @@
|
||||
resource "nomad_job" "exporters" {
|
||||
jobspec = templatefile("${path.module}/exporters.nomad", {
|
||||
use_wesher = var.use_wesher,
|
||||
})
|
||||
}
|
||||
|
||||
resource "nomad_job" "prometheus" {
|
||||
jobspec = templatefile("${path.module}/prometheus.nomad", {
|
||||
use_wesher = var.use_wesher,
|
||||
})
|
||||
|
||||
detach = false
|
||||
}
|
||||
|
||||
resource "nomad_job" "grafana" {
|
||||
jobspec = templatefile("${path.module}/grafana.nomad", {
|
||||
module_path = path.module
|
||||
@ -79,39 +93,3 @@ EOH
|
||||
task = "stunnel"
|
||||
}
|
||||
}
|
||||
|
||||
module "grafana_oidc" {
|
||||
source = "./oidc_client"
|
||||
|
||||
name = "grafana"
|
||||
oidc_client_config = {
|
||||
description = "Grafana"
|
||||
scopes = [
|
||||
"openid",
|
||||
"groups",
|
||||
"email",
|
||||
"profile",
|
||||
]
|
||||
redirect_uris = [
|
||||
"https://grafana.thefij.rocks/login/generic_oauth",
|
||||
]
|
||||
}
|
||||
|
||||
job_acl = {
|
||||
job_id = "grafana"
|
||||
group = "grafana"
|
||||
task = "grafana"
|
||||
}
|
||||
}
|
||||
|
||||
# resource "nomad_variable" "grafana_config" {
|
||||
# for_each = fileset("${path.module}/grafana", "**")
|
||||
#
|
||||
# path = "nomad/jobs/grafana/${replace(each.key, ".", "_")}"
|
||||
# items = {
|
||||
# path = "${each.key}"
|
||||
# value = file("${path.module}/grafana/${each.key}")
|
||||
# left_delimiter = endswith(each.key, ".json") ? "<<<<" : "{{"
|
||||
# right_delimiter = endswith(each.key, ".json") ? ">>>>" : "}}"
|
||||
# }
|
||||
# }
|
40
core/oidc_client/.terraform.lock.hcl
generated
40
core/oidc_client/.terraform.lock.hcl
generated
@ -1,40 +0,0 @@
|
||||
# This file is maintained automatically by "terraform init".
|
||||
# Manual edits may be lost in future updates.
|
||||
|
||||
provider "registry.terraform.io/hashicorp/nomad" {
|
||||
version = "2.3.1"
|
||||
hashes = [
|
||||
"h1:lMueBNB2GJ/a5rweL9NPybwVfDH/Q1s+rQvt5Y+kuYs=",
|
||||
"zh:1e7893a3fbebff171bcc5581b70a16eea33193c7e9dd73402ba5c04b7202f0bb",
|
||||
"zh:252cfd3fee4811c83bc74406ba1bc1bbb83d6de20e50a86f93737f8f86864171",
|
||||
"zh:387a7140be6dfa3f8d27f09d1eb2b9f3b84900328fe5a0478e9b3bd91a845808",
|
||||
"zh:49848fa491ac26b0568b112a57d14cc49772607c7cf405e2f74dd537407214b1",
|
||||
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
|
||||
"zh:7b9f345f5bb5f17c5d0bc3d373c25828934a3cbcdb331e0eab54eb47f1355fb2",
|
||||
"zh:8e276f4de508a86e725fffc02ee891db73397c35dbd591d8918af427eeec93a1",
|
||||
"zh:90b349933d2fd28f822a36128be4625bb816aa9f20ec314c79c77306f632ae87",
|
||||
"zh:a0ca6fd6cd94a52684e432104d3dc170a74075f47d9d4ba725cc340a438ed75a",
|
||||
"zh:a6cffc45535a0ff8206782538b3eeaef17dc93d0e1fd58bc1e6f7d5aa0f6ba1a",
|
||||
"zh:c010807b5d3e03d769419787b0e5d4efa6963134e1873a413102af6bf3dd1c49",
|
||||
"zh:faf962ee1981e897e99f7e528642c7e74beed37afd8eaf743e6ede24df812d80",
|
||||
]
|
||||
}
|
||||
|
||||
provider "registry.terraform.io/hashicorp/random" {
|
||||
version = "3.6.2"
|
||||
hashes = [
|
||||
"h1:wmG0QFjQ2OfyPy6BB7mQ57WtoZZGGV07uAPQeDmIrAE=",
|
||||
"zh:0ef01a4f81147b32c1bea3429974d4d104bbc4be2ba3cfa667031a8183ef88ec",
|
||||
"zh:1bcd2d8161e89e39886119965ef0f37fcce2da9c1aca34263dd3002ba05fcb53",
|
||||
"zh:37c75d15e9514556a5f4ed02e1548aaa95c0ecd6ff9af1119ac905144c70c114",
|
||||
"zh:4210550a767226976bc7e57d988b9ce48f4411fa8a60cd74a6b246baf7589dad",
|
||||
"zh:562007382520cd4baa7320f35e1370ffe84e46ed4e2071fdc7e4b1a9b1f8ae9b",
|
||||
"zh:5efb9da90f665e43f22c2e13e0ce48e86cae2d960aaf1abf721b497f32025916",
|
||||
"zh:6f71257a6b1218d02a573fc9bff0657410404fb2ef23bc66ae8cd968f98d5ff6",
|
||||
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
|
||||
"zh:9647e18f221380a85f2f0ab387c68fdafd58af6193a932417299cdcae4710150",
|
||||
"zh:bb6297ce412c3c2fa9fec726114e5e0508dd2638cad6a0cb433194930c97a544",
|
||||
"zh:f83e925ed73ff8a5ef6e3608ad9225baa5376446349572c2449c0c0b3cf184b7",
|
||||
"zh:fbef0781cb64de76b1df1ca11078aecba7800d82fd4a956302734999cfd9a4af",
|
||||
]
|
||||
}
|
@ -1,50 +0,0 @@
|
||||
resource "random_password" "oidc_client_id" {
|
||||
length = 72
|
||||
override_special = "-._~"
|
||||
}
|
||||
|
||||
resource "random_password" "oidc_secret" {
|
||||
length = 72
|
||||
override_special = "-._~"
|
||||
}
|
||||
|
||||
resource "nomad_variable" "authelia_oidc_secret" {
|
||||
path = "secrets/authelia/${var.name}"
|
||||
items = {
|
||||
client_id = resource.random_password.oidc_client_id.result
|
||||
secret = resource.random_password.oidc_secret.result
|
||||
secret_hash = resource.random_password.oidc_secret.bcrypt_hash
|
||||
}
|
||||
}
|
||||
|
||||
resource "nomad_variable" "authelia_access_control_oidc" {
|
||||
path = "authelia/access_control/oidc_clients/${var.name}"
|
||||
items = {
|
||||
id = resource.random_password.oidc_client_id.result
|
||||
description = var.oidc_client_config.description
|
||||
authorization_policy = var.oidc_client_config.authorization_policy
|
||||
redirect_uris = yamlencode(var.oidc_client_config.redirect_uris)
|
||||
scopes = yamlencode(var.oidc_client_config.scopes)
|
||||
}
|
||||
}
|
||||
|
||||
resource "nomad_acl_policy" "oidc_authelia" {
|
||||
count = var.job_acl != null ? 1 : 0
|
||||
name = "${var.name}-authelia"
|
||||
description = "Give access to shared authelia variables"
|
||||
rules_hcl = <<EOH
|
||||
namespace "default" {
|
||||
variables {
|
||||
path "secrets/authelia/${var.name}" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
}
|
||||
}
|
||||
EOH
|
||||
|
||||
job_acl {
|
||||
job_id = var.job_acl.job_id
|
||||
group = var.job_acl.group
|
||||
task = var.job_acl.task
|
||||
}
|
||||
}
|
@ -1,11 +0,0 @@
|
||||
output "client_id" {
|
||||
value = resource.random_password.oidc_client_id.result
|
||||
}
|
||||
|
||||
output "secret" {
|
||||
value = resource.random_password.oidc_secret.result
|
||||
}
|
||||
|
||||
output "secret_hash" {
|
||||
value = resource.random_password.oidc_secret.bcrypt_hash
|
||||
}
|
@ -1,25 +0,0 @@
|
||||
variable "name" {
|
||||
description = "Name of service"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "oidc_client_config" {
|
||||
description = "Authelia oidc client configuration to enable oidc authentication"
|
||||
type = object({
|
||||
description = string
|
||||
authorization_policy = optional(string, "one_factor")
|
||||
redirect_uris = list(string)
|
||||
scopes = list(string)
|
||||
})
|
||||
}
|
||||
|
||||
variable "job_acl" {
|
||||
description = "Job ACL that should be given to the secrets"
|
||||
type = object({
|
||||
job_id = string
|
||||
group = optional(string)
|
||||
task = optional(string)
|
||||
})
|
||||
|
||||
default = null
|
||||
}
|
@ -37,36 +37,12 @@ job "prometheus" {
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.prometheus.entryPoints=websecure",
|
||||
]
|
||||
|
||||
check {
|
||||
type = "http"
|
||||
path = "/-/healthy"
|
||||
interval = "10s"
|
||||
timeout = "3s"
|
||||
|
||||
check_restart {
|
||||
limit = 3
|
||||
grace = "5m"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
service {
|
||||
name = "pushgateway"
|
||||
provider = "nomad"
|
||||
port = "pushgateway"
|
||||
|
||||
check {
|
||||
type = "http"
|
||||
path = "/-/healthy"
|
||||
interval = "10s"
|
||||
timeout = "3s"
|
||||
|
||||
check_restart {
|
||||
limit = 3
|
||||
grace = "5m"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
task "prometheus" {
|
||||
|
@ -1,7 +0,0 @@
|
||||
resource "nomad_job" "prometheus" {
|
||||
jobspec = templatefile("${path.module}/prometheus.nomad", {
|
||||
use_wesher = var.use_wesher,
|
||||
})
|
||||
|
||||
detach = false
|
||||
}
|
@ -26,8 +26,12 @@ job "syslogng" {
|
||||
task "promtail" {
|
||||
driver = "docker"
|
||||
|
||||
meta = {
|
||||
"diun.watch_repo" = true
|
||||
}
|
||||
|
||||
config {
|
||||
image = "grafana/promtail:3.3.0"
|
||||
image = "grafana/promtail:2.9.1"
|
||||
ports = ["main", "metrics"]
|
||||
args = ["--config.file=/etc/promtail/promtail.yml"]
|
||||
|
||||
@ -66,7 +70,7 @@ EOF
|
||||
|
||||
resources {
|
||||
cpu = 50
|
||||
memory = 50
|
||||
memory = 20
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -130,7 +134,7 @@ EOF
|
||||
|
||||
resources {
|
||||
cpu = 50
|
||||
memory = 50
|
||||
memory = 10
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -14,11 +14,9 @@ job "traefik" {
|
||||
|
||||
update {
|
||||
max_parallel = 1
|
||||
canary = 1
|
||||
auto_promote = false
|
||||
# canary = 1
|
||||
# auto_promote = true
|
||||
auto_revert = true
|
||||
min_healthy_time = "30s"
|
||||
healthy_deadline = "5m"
|
||||
}
|
||||
|
||||
group "traefik" {
|
||||
@ -90,7 +88,7 @@ job "traefik" {
|
||||
}
|
||||
|
||||
config {
|
||||
image = "traefik:3.0"
|
||||
image = "traefik:2.10"
|
||||
|
||||
ports = ["web", "websecure", "syslog", "gitssh", "metrics"]
|
||||
network_mode = "host"
|
||||
@ -114,14 +112,6 @@ job "traefik" {
|
||||
}
|
||||
}
|
||||
|
||||
env = {
|
||||
TRAEFIK_PROVIDERS_NOMAD_ENDPOINT_TOKEN = "${NOMAD_TOKEN}"
|
||||
}
|
||||
|
||||
identity {
|
||||
env = true
|
||||
}
|
||||
|
||||
template {
|
||||
# Avoid conflict with TOML lists [[ ]] and Go templates {{ }}
|
||||
left_delimiter = "<<"
|
||||
@ -174,7 +164,7 @@ job "traefik" {
|
||||
exposedByDefault = false
|
||||
defaultRule = "Host(`{{normalize .Name}}.<< with nomadVar "nomad/jobs" >><< .base_hostname >><< end >>`)"
|
||||
[providers.nomad.endpoint]
|
||||
address = "unix:///secrets/api.sock"
|
||||
address = "http://127.0.0.1:4646"
|
||||
EOH
|
||||
destination = "${NOMAD_TASK_DIR}/config/traefik.toml"
|
||||
}
|
||||
@ -188,25 +178,14 @@ job "traefik" {
|
||||
service = "nomad"
|
||||
rule = "Host(`nomad.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}`)"
|
||||
|
||||
{{ range nomadVarList "traefik_external" }}{{ with nomadVar .Path }}
|
||||
[http.routers.{{ .name }}]
|
||||
{{ with nomadVar "nomad/jobs/traefik" }}{{ with .external }}{{ with .Value | parseYAML -}}
|
||||
{{ range $service, $url := . }}
|
||||
[http.routers.{{ $service }}]
|
||||
entryPoints = ["websecure"]
|
||||
service = "{{ .name }}"
|
||||
rule = "Host(`{{ .subdomain }}.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}`){{ with .path_prefix.Value }}&&PathPrefix(`{{ . }}`){{ end }}"
|
||||
{{ $name := .name -}}
|
||||
{{ with .path_prefix.Value -}}
|
||||
middlewares = ["{{ $name }}@file"]
|
||||
{{ end }}
|
||||
{{- end }}{{ end }}
|
||||
|
||||
#[http.middlewares]
|
||||
# {{ range nomadVarList "traefik_external" }}{{ with nomadVar .Path -}}
|
||||
# {{ $name := .name -}}
|
||||
# {{ with .path_prefix.Value -}}
|
||||
# [http.middlewares.{{ $name }}.stripPrefix]
|
||||
# prefixes = ["{{ . }}"]
|
||||
# {{ end }}
|
||||
# {{- end }}{{ end }}
|
||||
service = "{{ $service }}"
|
||||
rule = "Host(`{{ $service }}.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}`)"
|
||||
{{ end }}
|
||||
{{- end }}{{ end }}{{ end }}
|
||||
|
||||
[http.services]
|
||||
[http.services.nomad]
|
||||
@ -214,12 +193,14 @@ job "traefik" {
|
||||
[[http.services.nomad.loadBalancer.servers]]
|
||||
url = "http://127.0.0.1:4646"
|
||||
|
||||
{{ range nomadVarList "traefik_external" }}{{ with nomadVar .Path }}
|
||||
[http.services.{{ .name }}]
|
||||
[http.services.{{ .name }}.loadBalancer]
|
||||
[[http.services.{{ .name }}.loadBalancer.servers]]
|
||||
url = "{{ .url }}"
|
||||
{{- end }}{{ end }}
|
||||
{{ with nomadVar "nomad/jobs/traefik" }}{{ with .external }}{{ with .Value | parseYAML -}}
|
||||
{{ range $service, $url := . }}
|
||||
[http.services.{{ $service }}]
|
||||
[http.services.{{ $service }}.loadBalancer]
|
||||
[[http.services.{{ $service }}.loadBalancer.servers]]
|
||||
url = "{{ $url }}"
|
||||
{{ end }}
|
||||
{{- end }}{{ end }}{{ end }}
|
||||
EOH
|
||||
destination = "${NOMAD_TASK_DIR}/config/conf/route-hashi.toml"
|
||||
change_mode = "noop"
|
||||
|
@ -21,70 +21,3 @@ EOH
|
||||
job_id = resource.nomad_job.traefik.id
|
||||
}
|
||||
}
|
||||
|
||||
resource "nomad_acl_policy" "traefik_query_jobs" {
|
||||
name = "traefik-query-jobs"
|
||||
description = "Allow traefik to query jobs"
|
||||
rules_hcl = <<EOH
|
||||
namespace "default" {
|
||||
capabilities = ["list-jobs", "read-job"]
|
||||
}
|
||||
EOH
|
||||
job_acl {
|
||||
job_id = resource.nomad_job.traefik.id
|
||||
}
|
||||
}
|
||||
|
||||
resource "nomad_acl_policy" "treafik_external" {
|
||||
name = "traefik-exernal"
|
||||
description = "Read external services"
|
||||
rules_hcl = <<EOH
|
||||
namespace "default" {
|
||||
variables {
|
||||
path "traefik_external/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
}
|
||||
}
|
||||
EOH
|
||||
job_acl {
|
||||
job_id = "traefik"
|
||||
}
|
||||
}
|
||||
|
||||
resource "nomad_variable" "traefik_external_hass" {
|
||||
path = "traefik_external/hass"
|
||||
items = {
|
||||
name = "hass"
|
||||
subdomain = "hass",
|
||||
url = "http://192.168.3.65:8123"
|
||||
}
|
||||
}
|
||||
|
||||
resource "nomad_variable" "traefik_external_plex" {
|
||||
path = "traefik_external/plex"
|
||||
items = {
|
||||
name = "plex"
|
||||
subdomain = "plex",
|
||||
url = "http://agnosticfront.thefij:32400"
|
||||
}
|
||||
}
|
||||
|
||||
resource "nomad_variable" "traefik_external_appdaemon" {
|
||||
path = "traefik_external/appdaemon"
|
||||
items = {
|
||||
name = "appdaemon"
|
||||
subdomain = "appdash",
|
||||
url = "http://192.168.3.65:5050"
|
||||
# path_prefix = "/add"
|
||||
}
|
||||
}
|
||||
|
||||
resource "nomad_variable" "traefik_external_jellyfin" {
|
||||
path = "traefik_external/jellyfin"
|
||||
items = {
|
||||
name = "jellyfin"
|
||||
subdomain = "jellyfin",
|
||||
url = "http://agnosticfront.thefij:8096"
|
||||
}
|
||||
}
|
||||
|
@ -3,10 +3,6 @@ job "lldap" {
|
||||
type = "service"
|
||||
priority = 80
|
||||
|
||||
update {
|
||||
auto_revert = true
|
||||
}
|
||||
|
||||
group "lldap" {
|
||||
|
||||
network {
|
||||
@ -145,7 +141,7 @@ user = "{{ .user }}"
|
||||
image = "mariadb:10"
|
||||
args = [
|
||||
"/usr/bin/timeout",
|
||||
"20m",
|
||||
"2m",
|
||||
"/bin/bash",
|
||||
"-c",
|
||||
"until /usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql; do sleep 10; done",
|
||||
@ -199,7 +195,7 @@ SELECT 'NOOP';
|
||||
}
|
||||
|
||||
config {
|
||||
image = "iamthefij/stunnel:1.0.0"
|
||||
image = "iamthefij/stunnel:latest"
|
||||
args = ["$${NOMAD_TASK_DIR}/stunnel.conf"]
|
||||
ports = ["tls"]
|
||||
}
|
||||
|
@ -3,10 +3,6 @@ job "mysql-server" {
|
||||
type = "service"
|
||||
priority = 80
|
||||
|
||||
update {
|
||||
auto_revert = true
|
||||
}
|
||||
|
||||
group "mysql-server" {
|
||||
count = 1
|
||||
|
||||
@ -77,7 +73,7 @@ MYSQL_ROOT_PASSWORD={{ .mysql_root_password }}
|
||||
|
||||
resources {
|
||||
cpu = 300
|
||||
memory = 1600
|
||||
memory = 1536
|
||||
}
|
||||
}
|
||||
|
||||
@ -85,7 +81,7 @@ MYSQL_ROOT_PASSWORD={{ .mysql_root_password }}
|
||||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "iamthefij/stunnel:1.0.0"
|
||||
image = "iamthefij/stunnel:latest"
|
||||
args = ["${NOMAD_TASK_DIR}/stunnel.conf"]
|
||||
ports = ["tls"]
|
||||
}
|
||||
|
@ -3,10 +3,6 @@ job "postgres-server" {
|
||||
type = "service"
|
||||
priority = 80
|
||||
|
||||
update {
|
||||
auto_revert = true
|
||||
}
|
||||
|
||||
group "postgres-server" {
|
||||
count = 1
|
||||
|
||||
@ -77,8 +73,8 @@ POSTGRES_PASSWORD={{ .superuser_pass }}
|
||||
|
||||
resources {
|
||||
cpu = 500
|
||||
memory = 800
|
||||
memory_max = 1500
|
||||
memory = 700
|
||||
memory_max = 1200
|
||||
}
|
||||
}
|
||||
|
||||
@ -86,7 +82,7 @@ POSTGRES_PASSWORD={{ .superuser_pass }}
|
||||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "iamthefij/stunnel:1.0.0"
|
||||
image = "iamthefij/stunnel:latest"
|
||||
args = ["${NOMAD_TASK_DIR}/stunnel.conf"]
|
||||
ports = ["tls"]
|
||||
}
|
||||
|
@ -3,10 +3,6 @@ job "redis-${name}" {
|
||||
type = "service"
|
||||
priority = 80
|
||||
|
||||
update {
|
||||
auto_revert = true
|
||||
}
|
||||
|
||||
group "cache" {
|
||||
count = 1
|
||||
|
||||
@ -48,7 +44,7 @@ job "redis-${name}" {
|
||||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "iamthefij/stunnel:1.0.0"
|
||||
image = "iamthefij/stunnel:latest"
|
||||
args = ["$${NOMAD_TASK_DIR}/stunnel.conf"]
|
||||
ports = ["tls"]
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
pre-commit
|
||||
detect-secrets==1.4.0 # This should match what is in .pre-commit-config.yaml
|
||||
ansible
|
||||
python-nomad
|
||||
netaddr
|
||||
python-consul
|
||||
hvac
|
||||
|
@ -1,44 +0,0 @@
|
||||
module "wishlist" {
|
||||
source = "./service"
|
||||
|
||||
name = "wishlist"
|
||||
image = "wingysam/christmas-community:latest"
|
||||
|
||||
ingress = true
|
||||
service_port = 80
|
||||
use_wesher = var.use_wesher
|
||||
|
||||
host_volumes = [
|
||||
{
|
||||
name = "christmas-community"
|
||||
dest = "/data"
|
||||
read_only = false
|
||||
},
|
||||
]
|
||||
|
||||
templates = [
|
||||
{
|
||||
data = <<EOF
|
||||
{{ with nomadVar "nomad/jobs/wishlist" -}}
|
||||
GUEST_PASSWORD={{ .guest_password }}
|
||||
{{ end -}}
|
||||
{{ with nomadService "traefik" -}}
|
||||
{{- $last := len . | subtract 1 -}}
|
||||
{{- $services := . -}}
|
||||
TRUST_PROXY={{ range $i := loop $last -}}
|
||||
{{- with index $services $i }}{{ .Address }},{{ end -}}
|
||||
{{- end -}}
|
||||
{{- with index . $last }}{{ .Address }}{{ end -}}
|
||||
{{- end }}
|
||||
EOF
|
||||
dest = "env"
|
||||
dest_prefix = "$${NOMAD_SECRETS_DIR}/"
|
||||
env = true
|
||||
},
|
||||
]
|
||||
|
||||
resources = {
|
||||
cpu = 100
|
||||
memory = 200
|
||||
}
|
||||
}
|
@ -2,7 +2,7 @@ module "diun" {
|
||||
source = "./service"
|
||||
|
||||
name = "diun"
|
||||
image = "crazymax/diun:4.28"
|
||||
image = "crazymax/diun:4.27"
|
||||
args = ["serve", "--log-level=debug"]
|
||||
|
||||
sticky_disk = true
|
||||
@ -16,13 +16,10 @@ module "diun" {
|
||||
DIUN_DEFAULTS_INCLUDETAGS = "^\\d+(\\.\\d+){0,2}$"
|
||||
|
||||
# Nomad API
|
||||
NOMAD_ADDR = "unix:///secrets/api.sock"
|
||||
DIUN_PROVIDERS_NOMAD = true
|
||||
DIUN_PROVIDERS_NOMAD_SECRETID = "$${NOMAD_TOKEN}"
|
||||
}
|
||||
|
||||
task_identity = {
|
||||
env = true
|
||||
# TODO: Use socket in $NOMAD_SECRETS_DIR/api.sock when we can assign workload ACLs with Terraform to
|
||||
# allow read access. Will need to update template to allow passing token by env
|
||||
NOMAD_ADDR = "http://$${attr.unique.network.ip-address}:4646/"
|
||||
DIUN_PROVIDERS_NOMAD = true
|
||||
}
|
||||
|
||||
templates = [
|
||||
@ -39,16 +36,3 @@ module "diun" {
|
||||
},
|
||||
]
|
||||
}
|
||||
|
||||
resource "nomad_acl_policy" "diun_query_jobs" {
|
||||
name = "diun-query-jobs"
|
||||
description = "Allow diun to query jobs"
|
||||
rules_hcl = <<EOH
|
||||
namespace "default" {
|
||||
capabilities = ["list-jobs", "read-job"]
|
||||
}
|
||||
EOH
|
||||
job_acl {
|
||||
job_id = module.diun.job_id
|
||||
}
|
||||
}
|
||||
|
@ -42,19 +42,10 @@ module "gitea" {
|
||||
]
|
||||
|
||||
use_smtp = true
|
||||
|
||||
mysql_bootstrap = {
|
||||
enabled = true
|
||||
}
|
||||
|
||||
oidc_client_config = {
|
||||
description = "Gitea"
|
||||
redirect_uris = [
|
||||
"https://git.thefij.rocks/user/oauth2/authelia/callback",
|
||||
]
|
||||
scopes = ["openid", "email", "profile"]
|
||||
}
|
||||
|
||||
host_volumes = [
|
||||
{
|
||||
name = "gitea-data"
|
||||
@ -120,49 +111,6 @@ GITEA__mailer__PASSWD={{ .password }}
|
||||
mount = false
|
||||
dest = "env"
|
||||
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
||||
},
|
||||
{
|
||||
data = <<EOF
|
||||
{{ with nomadVar "secrets/authelia/git" -}}
|
||||
CLIENT_ID={{ .client_id }}
|
||||
SECRET={{ .secret }}
|
||||
{{- end }}
|
||||
EOF
|
||||
dest = "oauth.env"
|
||||
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
||||
mount = false
|
||||
change_mode = "script"
|
||||
change_script = {
|
||||
command = "/local/bootstrap_auth.sh"
|
||||
}
|
||||
},
|
||||
{
|
||||
data = <<EOF
|
||||
#! /bin/bash
|
||||
source {{ env "NOMAD_SECRETS_DIR" }}/oauth.env
|
||||
auth_provider_id=$(su -- git gitea admin auth list | awk '/authelia/ { print $1 }')
|
||||
|
||||
if [ -z "$auth_provider_id" ]; then
|
||||
echo "Creating Authelia OAuth provider"
|
||||
su -- git gitea admin auth add-oauth \
|
||||
--name authelia \
|
||||
--provider openidConnect \
|
||||
--key "$CLIENT_ID" \
|
||||
--secret "$SECRET" \
|
||||
--auto-discover-url https://authelia.thefij.rocks/.well-known/openid-configuration \
|
||||
--skip-local-2fa
|
||||
else
|
||||
echo "Updating Authelia OAuth provider"
|
||||
su -- git gitea admin auth update-oauth \
|
||||
--id $auth_provider_id \
|
||||
--key "$CLIENT_ID" \
|
||||
--secret "$SECRET"
|
||||
fi
|
||||
EOF
|
||||
dest = "bootstrap_auth.sh"
|
||||
perms = "777"
|
||||
change_mode = "noop"
|
||||
mount = false
|
||||
},
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -1,25 +0,0 @@
|
||||
module "languagetool" {
|
||||
source = "./service"
|
||||
|
||||
name = "languagetool"
|
||||
image = "ghcr.io/erikvl87/docker-languagetool/languagetool:4.8"
|
||||
ingress = true
|
||||
service_port = 8010
|
||||
use_wesher = var.use_wesher
|
||||
|
||||
env = {
|
||||
Java_Xmx = "512m"
|
||||
}
|
||||
|
||||
service_check = {
|
||||
path = "/v2/healthcheck"
|
||||
}
|
||||
|
||||
# Possibility to use a volume over nfs to host n-gram datasets
|
||||
# https://github.com/Erikvl87/docker-languagetool/pkgs/container/docker-languagetool%2Flanguagetool#using-n-gram-datasets
|
||||
|
||||
resources = {
|
||||
cpu = 100
|
||||
memory = 512
|
||||
}
|
||||
}
|
@ -11,11 +11,25 @@ monitors:
|
||||
- '/app/scripts/curl_ok.sh'
|
||||
- 'https://my.iamthefij.com'
|
||||
|
||||
- name: Grafana (public)
|
||||
command:
|
||||
- '/app/scripts/curl_ok.sh'
|
||||
- 'https://grafana.iamthefij.com'
|
||||
|
||||
- name: Grafana (internal)
|
||||
command:
|
||||
- '/app/scripts/curl_ok.sh'
|
||||
- 'https://grafana.thefij.rocks'
|
||||
|
||||
- name: Plex
|
||||
command:
|
||||
- 'curl'
|
||||
- '--silent'
|
||||
- '--show-error'
|
||||
- '-o'
|
||||
- '/dev/null'
|
||||
- 'http://192.168.2.10:32400'
|
||||
|
||||
- name: NZBget
|
||||
command:
|
||||
- '/app/scripts/curl_ok.sh'
|
||||
@ -31,11 +45,6 @@ monitors:
|
||||
- '/app/scripts/curl_ok.sh'
|
||||
- 'https://lidarr.thefij.rocks'
|
||||
|
||||
- name: Radarr
|
||||
command:
|
||||
- '/app/scripts/curl_ok.sh'
|
||||
- 'https://radarr.thefij.rocks'
|
||||
|
||||
- name: Authelia
|
||||
command:
|
||||
- '/app/scripts/curl_ok.sh'
|
||||
@ -46,20 +55,6 @@ monitors:
|
||||
- '/app/scripts/curl_ok.sh'
|
||||
- 'https://photoprism.thefij.rocks'
|
||||
|
||||
- name: Prometheus
|
||||
command:
|
||||
- '/app/scripts/curl_ok.sh'
|
||||
- 'https://prometheus.thefij.rocks'
|
||||
|
||||
- name: Plex
|
||||
command:
|
||||
- 'curl'
|
||||
- '--silent'
|
||||
- '--show-error'
|
||||
- '-o'
|
||||
- '/dev/null'
|
||||
- 'http://192.168.2.10:32400'
|
||||
|
||||
alerts:
|
||||
log:
|
||||
command:
|
||||
|
@ -7,10 +7,6 @@ job "fixers" {
|
||||
prohibit_overlap = true
|
||||
}
|
||||
|
||||
meta = {
|
||||
"diun.enable" = false
|
||||
}
|
||||
|
||||
group "orphaned_services" {
|
||||
task "orphaned_services" {
|
||||
driver = "docker"
|
||||
@ -41,7 +37,7 @@ job "fixers" {
|
||||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "iamthefij/nomad-service-fixers:0.1.1"
|
||||
image = "iamthefij/nomad-service-fixers:0.1.0"
|
||||
command = "/scripts/nomad_missing_services.py"
|
||||
args = ["--restart"]
|
||||
}
|
||||
|
@ -1,8 +1,8 @@
|
||||
module "photoprism" {
|
||||
module "photoprism_module" {
|
||||
source = "./service"
|
||||
|
||||
name = "photoprism"
|
||||
image = "photoprism/photoprism:240711"
|
||||
image = "photoprism/photoprism:231128"
|
||||
image_pull_timeout = "10m"
|
||||
# constraints = [{
|
||||
# attribute = "$${meta.hw_transcode.type}"
|
||||
@ -37,21 +37,18 @@ module "photoprism" {
|
||||
ingress = true
|
||||
service_port = 2342
|
||||
use_wesher = var.use_wesher
|
||||
ingress_middlewares = [
|
||||
"authelia@nomad"
|
||||
]
|
||||
|
||||
mysql_bootstrap = {
|
||||
enabled = true
|
||||
}
|
||||
|
||||
oidc_client_config = {
|
||||
description = "Photoprism"
|
||||
redirect_uris = [
|
||||
"https://photoprism.thefij.rocks/api/v1/oidc/redirect",
|
||||
]
|
||||
scopes = ["openid", "email", "profile"]
|
||||
}
|
||||
|
||||
env = {
|
||||
PHOTOPRISM_DEBUG = true
|
||||
# Make public since we added Authelia at the proxy level
|
||||
PHOTOPRISM_AUTH_MODE = "public"
|
||||
# UI
|
||||
PHOTOPRISM_SITE_CAPTION = "AI-Powered Photos App"
|
||||
PHOTOPRISM_SITE_DESCRIPTION = "Fijolek home photos"
|
||||
@ -59,8 +56,7 @@ module "photoprism" {
|
||||
PHOTOPRISM_SITE_URL = "https://photoprism.${var.base_hostname}/"
|
||||
PHOTOPRISM_SPONSOR = "true"
|
||||
# Worker config
|
||||
PHOTOPRISM_WORKERS = 2
|
||||
PHOTOPRISM_BACKUP_DATABASE = false
|
||||
PHOTOPRISM_WORKERS = 2
|
||||
# Paths
|
||||
PHOTOPRISM_ORIGINALS_PATH = "/photoprism-media/Library"
|
||||
PHOTOPRISM_IMPORT_PATH = "/photoprism-media/Import"
|
||||
@ -69,12 +65,6 @@ module "photoprism" {
|
||||
PHOTOPRISM_UID = 500
|
||||
PHOTOPRISM_GID = 100
|
||||
PHOTOPRISM_UMASK = 0000
|
||||
# OIDC
|
||||
PHOTOPRISM_OIDC_URI = "https://authelia.thefij.rocks"
|
||||
PHOTOPRISM_OIDC_PROVIDER = "Authelia"
|
||||
PHOTOPRISM_OIDC_REGISTER = true
|
||||
PHOTOPRISM_OIDC_REDIRECT = true
|
||||
PHOTOPRISM_OIDC_SCOPES = "openid email profile"
|
||||
}
|
||||
|
||||
templates = [
|
||||
@ -96,10 +86,6 @@ module "photoprism" {
|
||||
PHOTOPRISM_FFMPEG_ENCODER=intel
|
||||
PHOTOPRISM_INIT="intel tensorflow"
|
||||
{{- end }}
|
||||
{{ with nomadVar "secrets/authelia/photoprism" -}}
|
||||
PHOTOPRISM_OIDC_CLIENT={{ .client_id }}
|
||||
PHOTOPRISM_OIDC_SECRET={{ .secret }}
|
||||
{{- end }}
|
||||
EOF
|
||||
dest_prefix = "$${NOMAD_SECRETS_DIR}/"
|
||||
dest = "env"
|
||||
@ -107,13 +93,4 @@ module "photoprism" {
|
||||
mount = false
|
||||
},
|
||||
]
|
||||
|
||||
actions = [
|
||||
{
|
||||
name = "import"
|
||||
command = "photoprism"
|
||||
args = ["import", "/photoprism-media/Import"]
|
||||
cron = "0 0 3 * * * *"
|
||||
},
|
||||
]
|
||||
}
|
||||
|
@ -1,10 +1,3 @@
|
||||
locals {
|
||||
port_names = concat(
|
||||
var.service_port != null ? ["main"] : [],
|
||||
[for port in var.ports : port.name if port.task_config],
|
||||
)
|
||||
}
|
||||
|
||||
resource "nomad_job" "service" {
|
||||
jobspec = templatefile("${path.module}/service_template.nomad", {
|
||||
name = var.name
|
||||
@ -15,19 +8,15 @@ resource "nomad_job" "service" {
|
||||
args = var.args
|
||||
env = var.env
|
||||
task_meta = var.task_meta
|
||||
task_identity = var.task_identity
|
||||
group_meta = var.group_meta
|
||||
job_meta = var.job_meta
|
||||
constraints = var.constraints
|
||||
docker_devices = var.docker_devices
|
||||
user = var.user
|
||||
actions = var.actions
|
||||
|
||||
service_port = var.service_port
|
||||
service_port_static = var.service_port_static
|
||||
service_check = var.service_check
|
||||
ports = var.ports
|
||||
port_names = local.port_names
|
||||
sticky_disk = var.sticky_disk
|
||||
resources = var.resources
|
||||
stunnel_resources = var.stunnel_resources
|
||||
@ -234,53 +223,3 @@ EOH
|
||||
task = var.name
|
||||
}
|
||||
}
|
||||
|
||||
module "oidc_client" {
|
||||
count = var.oidc_client_config != null ? 1 : 0
|
||||
|
||||
source = "../../core/oidc_client"
|
||||
name = var.name
|
||||
|
||||
oidc_client_config = {
|
||||
description = var.oidc_client_config.description
|
||||
authorization_policy = var.oidc_client_config.authorization_policy
|
||||
redirect_uris = var.oidc_client_config.redirect_uris
|
||||
scopes = var.oidc_client_config.scopes
|
||||
}
|
||||
|
||||
job_acl = {
|
||||
job_id = resource.nomad_job.service.id
|
||||
group = var.name
|
||||
task = var.name
|
||||
}
|
||||
}
|
||||
|
||||
# Action cron jobs
|
||||
resource "nomad_job" "action_cron" {
|
||||
for_each = tomap({ for action in var.actions : action.name => action if action.cron != null })
|
||||
jobspec = templatefile("${path.module}/service_scheduled.nomad", {
|
||||
name = var.name
|
||||
action_name = each.value.name
|
||||
action_cron = each.value.cron
|
||||
})
|
||||
}
|
||||
|
||||
resource "nomad_acl_policy" "action_cron_workload_policy" {
|
||||
for_each = resource.nomad_job.action_cron
|
||||
|
||||
name = "service-action-${each.value.id}"
|
||||
description = "Give custom service cron actions access to execute actions."
|
||||
rules_hcl = <<EOH
|
||||
namespace "default" {
|
||||
capabilities = [
|
||||
"list-jobs",
|
||||
"read-job",
|
||||
"alloc-exec",
|
||||
]
|
||||
}
|
||||
EOH
|
||||
|
||||
job_acl {
|
||||
job_id = each.value.id
|
||||
}
|
||||
}
|
||||
|
@ -1,39 +0,0 @@
|
||||
job "${name}-${action_name}" {
|
||||
region = "global"
|
||||
datacenters = ["dc1"]
|
||||
|
||||
type = "batch"
|
||||
|
||||
periodic {
|
||||
cron = "${action_cron}"
|
||||
}
|
||||
|
||||
group "main" {
|
||||
task "${action_name}" {
|
||||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "hashicorp/nomad:$${attr.nomad.version}"
|
||||
args = [
|
||||
"job",
|
||||
"action",
|
||||
"-job",
|
||||
"${name}",
|
||||
"-group",
|
||||
"${name}",
|
||||
"-task",
|
||||
"${name}",
|
||||
"${action_name}"
|
||||
]
|
||||
}
|
||||
|
||||
env = {
|
||||
NOMAD_ADDR = "unix:///secrets/api.sock"
|
||||
}
|
||||
|
||||
identity {
|
||||
env = true
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
@ -5,10 +5,6 @@ job "${name}" {
|
||||
type = "service"
|
||||
priority = ${priority}
|
||||
|
||||
update {
|
||||
auto_revert = true
|
||||
}
|
||||
|
||||
group "${name}" {
|
||||
count = ${count}
|
||||
%{~ if length(job_meta) > 0 }
|
||||
@ -80,9 +76,6 @@ job "${name}" {
|
||||
|
||||
task "${name}" {
|
||||
driver = "docker"
|
||||
%{~ if user != null }
|
||||
user = "${user}"
|
||||
%{~ endif ~}
|
||||
%{~ if length(task_meta) > 0 }
|
||||
meta = {
|
||||
%{ for k, v in task_meta ~}
|
||||
@ -152,8 +145,8 @@ job "${name}" {
|
||||
%{~if image_pull_timeout != null ~}
|
||||
image_pull_timeout = "${image_pull_timeout}"
|
||||
%{~ endif ~}
|
||||
%{~ if length(try(port_names, [])) > 0 ~}
|
||||
ports = ${jsonencode(port_names)}
|
||||
%{~ if service_port != null ~}
|
||||
ports = ["main"]
|
||||
%{~ endif ~}
|
||||
%{~ if length(try(args, [])) > 0 ~}
|
||||
args = ${jsonencode(args)}
|
||||
@ -185,14 +178,6 @@ job "${name}" {
|
||||
%{~ endfor ~}
|
||||
}
|
||||
%{~ endif ~}
|
||||
%{~ for action in actions }
|
||||
action "${action.name}" {
|
||||
command = "${action.command}"
|
||||
%{~ if length(action.args) > 0 ~}
|
||||
args = ${jsonencode(action.args)}
|
||||
%{~ endif ~}
|
||||
}
|
||||
%{~ endfor ~}
|
||||
%{~ for volume in host_volumes }
|
||||
volume_mount {
|
||||
volume = "${volume.name}"
|
||||
@ -212,9 +197,6 @@ EOF
|
||||
%{~ if template.right_delimiter != null }
|
||||
right_delimiter = "${template.right_delimiter}"
|
||||
%{~ endif ~}
|
||||
%{~ if template.perms != null }
|
||||
perms = "${template.perms}"
|
||||
%{~ endif ~}
|
||||
%{~ if template.change_mode != null }
|
||||
change_mode = "${template.change_mode}"
|
||||
%{~ endif ~}
|
||||
@ -243,12 +225,6 @@ EOF
|
||||
%{~ endif ~}
|
||||
}
|
||||
%{~ endif ~}
|
||||
%{~ if task_identity != null }
|
||||
identity {
|
||||
env = ${task_identity.env}
|
||||
file = ${task_identity.file}
|
||||
}
|
||||
%{~ endif ~}
|
||||
}
|
||||
%{~ if mysql_bootstrap != null }
|
||||
task "mysql-bootstrap" {
|
||||
@ -263,10 +239,10 @@ EOF
|
||||
image = "mariadb:10"
|
||||
args = [
|
||||
"/usr/bin/timeout",
|
||||
"20m",
|
||||
"2m",
|
||||
"/bin/bash",
|
||||
"-c",
|
||||
"until /usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql; do echo 'Retry in 10s'; sleep 10; done",
|
||||
"until /usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql; do sleep 10; done",
|
||||
]
|
||||
}
|
||||
|
||||
@ -326,10 +302,10 @@ SELECT 'NOOP';
|
||||
image = "postgres:14"
|
||||
args = [
|
||||
"/usr/bin/timeout",
|
||||
"20m",
|
||||
"2m",
|
||||
"/bin/bash",
|
||||
"-c",
|
||||
"until /bin/bash $${NOMAD_TASK_DIR}/bootstrap.sh; do echo 'Retry in 10s'; sleep 10; done",
|
||||
"until /bin/bash $${NOMAD_TASK_DIR}/bootstrap.sh; do sleep 10; done",
|
||||
]
|
||||
}
|
||||
|
||||
@ -398,7 +374,7 @@ $$;
|
||||
}
|
||||
|
||||
config {
|
||||
image = "iamthefij/stunnel:1.0.0"
|
||||
image = "iamthefij/stunnel:latest"
|
||||
args = ["$${NOMAD_TASK_DIR}/stunnel.conf"]
|
||||
}
|
||||
|
||||
|
@ -21,6 +21,7 @@ variable "priority" {
|
||||
description = "Scheduler priority of the service"
|
||||
}
|
||||
|
||||
|
||||
variable "image" {
|
||||
type = string
|
||||
description = "Image that should be run"
|
||||
@ -32,27 +33,12 @@ variable "image_pull_timeout" {
|
||||
description = "A time duration that controls how long Nomad will wait before cancelling an in-progress pull of the Docker image"
|
||||
}
|
||||
|
||||
variable "user" {
|
||||
type = string
|
||||
default = null
|
||||
description = "User to be passed to the task driver for execution. [ user | user:group | uid | uid:gid | user:gid | uid:group ]"
|
||||
}
|
||||
|
||||
variable "task_meta" {
|
||||
type = map(string)
|
||||
default = {}
|
||||
description = "Meta attributes to attach to the task"
|
||||
}
|
||||
|
||||
variable "task_identity" {
|
||||
description = "Task workload identity"
|
||||
type = object({
|
||||
env = optional(bool, false)
|
||||
file = optional(bool, false)
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "group_meta" {
|
||||
type = map(string)
|
||||
default = {}
|
||||
@ -77,19 +63,6 @@ variable "service_port_static" {
|
||||
description = "Should the port assigned be static"
|
||||
}
|
||||
|
||||
variable "ports" {
|
||||
type = list(object({
|
||||
name = string
|
||||
host_network = optional(string)
|
||||
from = optional(number)
|
||||
to = optional(number)
|
||||
static = optional(number)
|
||||
task_config = optional(bool, false)
|
||||
}))
|
||||
default = []
|
||||
description = "Additional ports (not service_port) to be bound."
|
||||
}
|
||||
|
||||
variable "prometheus" {
|
||||
type = bool
|
||||
default = false
|
||||
@ -168,6 +141,18 @@ variable "service_tags" {
|
||||
description = "Additional tags to be added to the service."
|
||||
}
|
||||
|
||||
variable "ports" {
|
||||
type = list(object({
|
||||
name = string
|
||||
host_network = optional(string)
|
||||
from = optional(number)
|
||||
to = optional(number)
|
||||
static = optional(number)
|
||||
}))
|
||||
default = []
|
||||
description = "Additional ports (not service_port) to be bound."
|
||||
}
|
||||
|
||||
variable "templates" {
|
||||
type = list(object({
|
||||
data = string
|
||||
@ -177,7 +162,6 @@ variable "templates" {
|
||||
right_delimiter = optional(string)
|
||||
mount = optional(bool, true)
|
||||
env = optional(bool, false)
|
||||
perms = optional(string)
|
||||
change_mode = optional(string)
|
||||
change_signal = optional(string)
|
||||
change_script = optional(object({
|
||||
@ -285,17 +269,6 @@ variable "use_wesher" {
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "actions" {
|
||||
description = "Nomad actions that should be part of the main task"
|
||||
type = list(object({
|
||||
name = string
|
||||
command = string
|
||||
args = optional(list(string))
|
||||
cron = optional(string)
|
||||
}))
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "service_check" {
|
||||
description = "Health check for main ingress service"
|
||||
type = object({
|
||||
@ -309,15 +282,3 @@ variable "service_check" {
|
||||
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "oidc_client_config" {
|
||||
description = "Authelia oidc client configuration to enable oidc authentication"
|
||||
type = object({
|
||||
description = string
|
||||
authorization_policy = optional(string, "one_factor")
|
||||
redirect_uris = list(string)
|
||||
scopes = list(string)
|
||||
})
|
||||
|
||||
default = null
|
||||
}
|
||||
|
@ -39,11 +39,6 @@ module "sonarr" {
|
||||
dest = "/media"
|
||||
read_only = false
|
||||
},
|
||||
{
|
||||
name = "media-overflow-write"
|
||||
dest = "/media-overflow"
|
||||
read_only = false
|
||||
},
|
||||
]
|
||||
|
||||
resources = {
|
||||
|
@ -7,17 +7,13 @@ job "unifi-traffic-route-ips" {
|
||||
prohibit_overlap = true
|
||||
}
|
||||
|
||||
meta = {
|
||||
"diun.enable" = false
|
||||
}
|
||||
|
||||
group "main" {
|
||||
|
||||
task "main" {
|
||||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "iamthefij/unifi-traffic-routes:0.0.4"
|
||||
image = "iamthefij/unifi-traffic-routes:0.0.2"
|
||||
}
|
||||
|
||||
env = {
|
||||
|
@ -1,35 +0,0 @@
|
||||
module "ytdl-web" {
|
||||
source = "./service"
|
||||
|
||||
name = "ytdl-web"
|
||||
image = "iamthefij/ytdl-web:0.1.4"
|
||||
args = ["poetry", "run", "python", "-m", "ytdl_web.web", "--downloader"]
|
||||
ingress = true
|
||||
service_port = 5000
|
||||
use_wesher = var.use_wesher
|
||||
# service_check = null
|
||||
user = "1001:100"
|
||||
|
||||
env = {
|
||||
QUEUE_DIR = "/data/queue"
|
||||
OUTPUT_TMPL = "/media/RomeTube/%(uploader)s%(channel)s/%(title)s.%(ext)s"
|
||||
}
|
||||
|
||||
resources = {
|
||||
cpu = 50
|
||||
memory = 150
|
||||
}
|
||||
|
||||
host_volumes = [
|
||||
{
|
||||
name = "ytdl-web"
|
||||
dest = "/data"
|
||||
read_only = false
|
||||
},
|
||||
{
|
||||
name = "media-write"
|
||||
dest = "/media"
|
||||
read_only = false
|
||||
},
|
||||
]
|
||||
}
|
Loading…
Reference in New Issue
Block a user