first commit
This commit is contained in:
commit
36180489a7
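--- a/pihole.nomad
+++ b/pihole.nomad
@@ -0,0 +1,66 @@
+
+job "pihole" {
+datacenters = ["homelab"]
+type = "service"
+constraint {
+attribute = "${attr.unique.hostname}"
+value = "oscar"
+}
+group "pi-hole" {
+network {
+mode = "host"
+port "dns" {
+static = 53
+}
+port "http" {
+static = 8090
+to = 80
+}
+}
+service {
+name = "pihole-gui"
+tags = ["pihole", "admin"]
+port = "http"
+}
+task "server" {
+driver = "docker"
+config {
+image = "pihole/pihole:latest"
+ports = [
+"dns",
+"http",
+]
+volumes =[
+"local/dnsmasq.d/02-localresolver.conf:/etc/dnsmasq.d/02-localresolver.conf",
+"/mnt/diskstation/nomad/pihole:/etc/pihole"
+]
+
+}
+vault{
+policies= ["access-tables"]
+
+}
+env {
+TZ= "Europe/Paris"
+DNS1= "1.1.1.1"
+DNS2= "80.67.169.40"
+
+}
+template {
+data = <<EOH
+WEBPASSWORD="{{with secret "secrets/data/pihole"}}{{.Data.data.WEBPASSWORD}}{{end}}"
+EOH
+destination = "local/file.env"
+env = true
+}
+template{
+data= <<EOH
+server=/ducamps.win/192.168.1.10
+server=/consul/172.17.0.1#8600
+EOH
+destination="local/dnsmasq.d/02-localresolver.conf"
+
+}
+}
+}
+}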
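Review bot: The `vault { policies = ["access-tables"] }` block on the `server` task requests a policy that the accompanying `vault/nomad-cluster-role.json` does not allow: that role lists `"allowed_policies": "acces-tables"` (one `s` short), so Vault will refuse the derived token and the task cannot start until the two names agree; the fix is one character in the role file, `"allowed_policies": "access-tables"`. Separately, the template that renders `WEBPASSWORD` from Vault is written to `local/file.env`; Nomad provides the task's `secrets/` directory for exactly this material and keeps it out of the allocation filesystem API, so `destination = "secrets/file.env"` avoids leaving the rendered password in a directory that is readable through `nomad alloc fs`. The image reference `pihole/pihole:latest` also makes each deployment pick up whatever upstream published last; pinning a tag or digest keeps the running DNS resolver reproducible.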
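--- a/vault/nomad-cluster-role.json
+++ b/vault/nomad-cluster-role.json
@@ -0,0 +1,9 @@
+{
+"allowed_policies": "acces-tables",
+"disallowed_policies": "",
+"token_explicit_max_ttl": 0,
+"name": "nomad-cluster",
+"orphan": true,
+"token_period": 259200,
+"renewable": true
+}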
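--- a/vault/nomad-server-policy.hcl
+++ b/vault/nomad-server-policy.hcl
@@ -0,0 +1,41 @@
+# Allow creating tokens under "nomad-cluster" token role. The token role name
+# should be updated if "nomad-cluster" is not used.
+path "auth/token/create/nomad-cluster" {
+capabilities = ["update"]
+}
+
+# Allow looking up "nomad-cluster" token role. The token role name should be
+# updated if "nomad-cluster" is not used.
+path "auth/token/roles/nomad-cluster" {
+capabilities = ["read"]
+}
+
+# Allow looking up the token passed to Nomad to validate # the token has the
+# proper capabilities. This is provided by the "default" policy.
+path "auth/token/lookup-self" {
+capabilities = ["read"]
+}
+
+# Allow looking up incoming tokens to validate they have permissions to access
+# the tokens they are requesting. This is only required if
+# `allow_unauthenticated` is set to false.
+path "auth/token/lookup" {
+capabilities = ["update"]
+}
+
+# Allow revoking tokens that should no longer exist. This allows revoking
+# tokens for dead tasks.
+path "auth/token/revoke-accessor" {
+capabilities = ["update"]
+}
+
+# Allow checking the capabilities of our own token. This is used to validate the
+# token upon startup.
+path "sys/capabilities-self" {
+capabilities = ["update"]
+}
+
+# Allow our own token to be renewed.
+path "auth/token/renew-self" {
+capabilities = ["update"]
+}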
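Review bot: The comment above the `auth/token/lookup-self` rule has a stray `#` in the middle of its first line (`... to validate # the token has the`), which reads as if a line break was lost when the policy was copied in; it should be `# Allow looking up the token passed to Nomad to validate the token has the` followed by the existing second line. The role name `nomad-cluster` is hard-coded in the two `auth/token/...` paths and the comments say so, but nothing ties it to `"name": "nomad-cluster"` in `vault/nomad-cluster-role.json`; a one-line comment at the top, `# Role name must match "name" in vault/nomad-cluster-role.json`, would keep the two files from drifting apart silently.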