Ian Fijolek
f5898b0283
Allows required jobs to access shared secrets and auto-generates PSKs for stunnel. Currently supporting MySQL, Postgres, and LDAP.
variable "config_data" {
  # The complete blocky config.yml, passed in as text; the blocky task renders
  # it through consul-template into its task directory.
  description = "Plain text config file for blocky"
  type        = string
}
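# Per-node blocky DNS resolver with a client-side stunnel sidecar.
#
# This file is rendered twice: first by Terraform templatefile() (hence the
# doubled-dollar escapes on NOMAD_* paths and the use_wesher directive), then
# by Nomad's consul-template runtime for the template data below.
job "blocky" {
  datacenters = ["dc1"]

  # System job: one allocation on every node, so each host can use itself as
  # its resolver. See the TODO in update{} on the trade-off versus a service job.
  type     = "system"
  priority = 100

  update {
    max_parallel = 1
    # TODO: maybe switch to service job from system so we can use canary and autorollback
    # auto_revert = true
  }

  group "blocky" {

    network {
      mode = "bridge"

      # Claims host port 53 on every node.
      port "dns" {
        static = "53"
      }

      # Dynamic host port mapped to blocky's HTTP API (container port 4000).
      # The strip marker sits only on the closing side of each directive so
      # that the attributes around it keep their own line breaks after the
      # Terraform pass; stripping on both sides would glue `host_network`
      # and `to` onto the opening brace line and produce invalid HCL.
      port "api" {
        %{ if use_wesher ~}
        host_network = "wesher"
        %{ endif ~}
        to = "4000"
      }

      dns {
        # Set explicit DNS servers because tasks, by default, use this task
        servers = ["1.1.1.1", "1.0.0.1"]
      }
    }

    service {
      name     = "blocky-dns"
      provider = "nomad"
      port     = "dns"
    }

    service {
      name     = "blocky-api"
      provider = "nomad"
      port     = "api"

      # NOTE(review): the traefik router below carries no auth middleware and
      # nothing else in this spec authenticates the API, so anyone who can
      # reach the websecure entrypoint can reach blocky's HTTP API. Confirm the
      # entrypoint is limited to trusted networks or attach a middleware tag.
      tags = [
        "prometheus.scrape",
        "traefik.enable=true",
        "traefik.http.routers.blocky-api.entryPoints=websecure",
      ]

      check {
        name     = "api-health"
        port     = "api"
        type     = "http"
        path     = "/"
        interval = "10s"
        timeout  = "3s"
      }
    }

    task "blocky" {
      driver = "docker"

      config {
        # NOTE(review): the untagged image resolves to :latest on every pull;
        # pin a tag or digest so upgrades are deliberate and reviewable.
        image = "ghcr.io/0xerr0r/blocky"
        args  = ["-c", "$${NOMAD_TASK_DIR}/config.yml"]
        ports = ["dns", "api"]
      }

      resources {
        cpu        = 50
        memory     = 50
        memory_max = 100
      }

      # Operator-supplied blocky config, rendered through consul-template so it
      # may reference Nomad services and variables. A change restarts the task
      # (default change_mode), spread across nodes by up to 1m of splay.
      template {
        data        = var.config_data
        destination = "$${NOMAD_TASK_DIR}/config.yml"
        splay       = "1m"

        wait {
          min = "10s"
          max = "20s"
        }
      }

      # Hosts-file style list: one instance per Nomad service (the `1` count
      # argument) written as "<address> <service>.nomad", presumably consumed
      # by blocky through config_data. change_mode is noop, so blocky is NOT
      # restarted when this file changes.
      # NOTE(review): that only works if blocky re-reads the file on its own
      # schedule — confirm the hosts refresh setting in config_data.
      template {
        data = <<-EOF
          {{ range nomadServices }}
          {{ range nomadService 1 (env "NOMAD_ALLOC_ID") .Name -}}
          {{ .Address }} {{ .Name }}.nomad
          {{- end }}
          {{- end }}
          EOF
        destination = "$${NOMAD_TASK_DIR}/nomad.hosts"
        change_mode = "noop"

        wait {
          min = "10s"
          max = "20s"
        }
      }
    }

    # Client-side stunnel: exposes plain MySQL and Redis listeners on the
    # allocation's loopback and carries them to the remote TLS endpoints with
    # pre-shared keys. Prestart sidecar, so it is started before the main task;
    # blocky-bootstrap (also prestart) retries until the listener answers.
    task "stunnel" {
      driver = "docker"

      lifecycle {
        hook    = "prestart"
        sidecar = true
      }

      config {
        # NOTE(review): stunnel is fetched from the Alpine repo at every task
        # start (unpinned, needs package egress at boot). An image with stunnel
        # baked in and pinned by digest would remove the runtime install.
        image = "alpine:3.17"
        # No `ports` here: both stunnel sections below are clients that only
        # accept on 127.0.0.1 inside the group's bridge namespace, and the
        # group network defines no "tls" port label for the driver to map
        # (a `ports = ["tls"]` reference was left over and would fail the task).
        args = ["/bin/sh", "$${NOMAD_TASK_DIR}/start.sh"]
      }

      resources {
        cpu    = 20
        memory = 100
      }

      # Entrypoint: install stunnel, then exec it in the foreground on the
      # rendered config so the container's PID 1 is stunnel itself.
      template {
        data = <<-EOF
          set -e
          apk add stunnel
          exec stunnel {{ env "NOMAD_TASK_DIR" }}/stunnel.conf
          EOF
        destination = "$${NOMAD_TASK_DIR}/start.sh"
      }

      # stunnel config. Each `connect` is filled from the single service
      # instance the nomadService lookup returns; with no registered instance
      # the section has no connect line, and stunnel should then refuse to
      # start rather than fall back to plaintext (fail closed — confirm).
      # Each section reads its own PSK file from the secrets dir.
      template {
        data = <<-EOF
          syslog = no
          foreground = yes
          delay = yes

          [mysql_client]
          client = yes
          accept = 127.0.0.1:3306
          {{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-tls" -}}
          connect = {{ .Address }}:{{ .Port }}
          {{- end }}
          PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt

          [redis_client]
          client = yes
          accept = 127.0.0.1:6379
          {{ range nomadService 1 (env "NOMAD_ALLOC_ID") "redis-blocky" -}}
          connect = {{ .Address }}:{{ .Port }}
          {{- end }}
          PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
          EOF
        destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
      }

      # PSK for the MySQL tunnel, read from a variable the MySQL side publishes
      # for this job ("allowed_psks/blocky"); this job's workload identity must
      # be allowed to read that path. perms keeps the key file private instead
      # of the default 644.
      # NOTE(review): stunnel's PSKsecrets file holds "identity:key" lines;
      # this assumes .psk is already in that form — confirm on the MySQL side.
      template {
        data = <<-EOF
          {{- with nomadVar "secrets/mysql/allowed_psks/blocky" }}{{ .psk }}{{ end -}}
          EOF
        destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
        perms       = "600"
      }

      # PSK for the Redis tunnel, from the variable path that matches this
      # job/group/task. Same private perms as above.
      template {
        data = <<-EOF
          {{- with nomadVar "nomad/jobs/blocky/blocky/stunnel" -}}{{ .redis_stunnel_psk }}{{ end -}}
          EOF
        destination = "$${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
        perms       = "600"
      }
    }

    # One-shot prestart task: creates blocky's database and user on the MySQL
    # reached through the stunnel sidecar at 127.0.0.1:3306. It retries every
    # 10s until the tunnel answers, bounded by a 2m timeout after which the
    # task — and with it the allocation start — fails.
    task "blocky-bootstrap" {
      driver = "docker"

      lifecycle {
        hook    = "prestart"
        sidecar = false
      }

      config {
        image = "mariadb:10"
        args = [
          "/usr/bin/timeout",
          "2m",
          "/bin/bash",
          "-c",
          "until /usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql; do sleep 10; done",
        ]
      }

      # Client credentials for the bootstrap run.
      # NOTE(review): this uses the MySQL root password, so this job's identity
      # has to be able to read secrets/mysql. A dedicated bootstrap account
      # limited to creating this database and its users would shrink the blast
      # radius of a compromised blocky allocation.
      template {
        data = <<-EOF
          [client]
          host=127.0.0.1
          port=3306
          user=root
          {{ with nomadVar "secrets/mysql" }}
          password={{ .mysql_root_password }}
          {{ end }}
          EOF
        destination = "$${NOMAD_SECRETS_DIR}/my.cnf"
        perms       = "600"
      }

      # Idempotent schema/user bootstrap. db_name, db_user, db_pass and
      # db_user_ro come from Nomad variables set by the operator and are
      # spliced into the SQL unescaped, so a quote in any of them breaks (or
      # alters) the statement — keep those values quote-free. Users are created
      # for host '%', which is only acceptable while MySQL is reachable solely
      # through the PSK tunnel. The grafana read-only grant is emitted only when
      # a "grafana" service is registered; with no db_name the file is a
      # harmless SELECT so the mysql call still succeeds.
      template {
        data = <<-EOF
          {{ with nomadVar "nomad/jobs/blocky" }}{{ if .db_name -}}
          {{ $db_name := .db_name }}
          CREATE DATABASE IF NOT EXISTS `{{ $db_name }}`;
          CREATE USER IF NOT EXISTS '{{ .db_user }}'@'%' IDENTIFIED BY '{{ .db_pass }}';
          GRANT ALL ON `{{ $db_name }}`.* to '{{ .db_user }}'@'%';

          {{ with nomadService "grafana" }}{{ with nomadVar "nomad/jobs" -}}
          -- Grant grafana read_only user access to db
          GRANT SELECT ON `{{ $db_name }}`.* to '{{ .db_user_ro }}'@'%';
          {{ end }}{{ end -}}

          {{ else -}}
          SELECT 'NOOP';
          {{ end -}}{{ end -}}
          EOF
        destination = "$${NOMAD_SECRETS_DIR}/bootstrap.sql"
        perms       = "600"
      }

      resources {
        cpu    = 50
        memory = 50
      }
    }
  }
}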