

168 Commits

vincent
d9cf7cb297 borgmatic: add exclusion
2024-11-17 16:28:20 +01:00
vincent
90dd0ecd9a chore: link makefile
2024-11-09 10:24:15 +01:00
vincent
4f6743db5f perf: tweak mealie and pihole memory
2024-11-09 10:23:42 +01:00
vincent
2452a2ad44 fix (flaresolverr): change image to resolve chalenge issue 2024-11-09 10:23:07 +01:00
vincent
5e2bb57914 rutorrent: resolve issue with docker 2024-11-09 10:22:24 +01:00
vincent
3eb2dbfa08 authelia: custom consent preconfigured time 2024-11-09 10:21:50 +01:00
vincent
1ea094aa6e Revert "perfs: decrease CPU"
This reverts commit 6ea5de0315.
2024-10-29 19:21:05 +01:00
vincent
c1e48d4ace add compute parameter to oscar
2024-10-29 19:08:41 +01:00
vincent
b2710aab2f add oauth to gitea 2024-10-19 16:28:25 +02:00
vincent
c000933f66 add paperless-ng SSO
2024-10-12 10:12:38 +02:00
vincent
7948773757 perfs: increase memory-max for some job
2024-09-29 17:51:05 +02:00
vincent
3d90a1f6d7 fix: wrong dns in docker daemon.json 2024-09-29 17:50:31 +02:00
vincent
1f29007172 switch to nfs v4 on share 2024-09-29 17:50:11 +02:00
vincent
af58866882 dns: pdns-admin in dedicated nomad group 2024-09-29 17:38:27 +02:00
vincent
374a62c304 fix: aur call in database playbook
2024-08-04 11:49:40 +02:00
vincent
9451443266 refactor: split job in role folder
2024-08-03 15:06:36 +02:00
vincent
dacd187f7b fix: loki config
2024-08-03 14:47:27 +02:00
vincent
e48a879c43 fix: torrent PUID 2024-08-03 14:46:47 +02:00
vincent
6ea5de0315 perfs: decrease CPU 2024-08-03 14:46:05 +02:00
vincent
984b712c78 update: nfs csi nfs plugins 4.7 2024-08-03 14:45:22 +02:00
vincent
293fddd81c remove backup disk mount 2024-08-03 14:45:04 +02:00
vincent
0952c4bf42 fix: change media mount path 2024-08-03 14:43:30 +02:00
vincent
3228054172 oscar hardware replacement
2024-06-29 10:21:44 +02:00
vincent
ee7cd0c12e fix: wrong interface variable call 2024-06-29 10:20:25 +02:00
vincent
22a60b42d4 add vikunja to generate vault 2024-06-25 18:45:46 +02:00
vincent
d578fefbce perfs (registry): add memory 2024-06-25 18:45:16 +02:00
vincent
cae4ceb623 update: remove immich microservice 2024-06-25 18:44:51 +02:00
vincent
ddc4320fe9 feat (vikunja): implemant oauth
2024-05-20 12:15:56 +02:00
vincent
d1b475d651 fix: add cluster consraint to prowalar and tt-rss 2024-05-20 11:21:45 +02:00
vincent
d817f3a7f8 perfs (immich): increase memory 2024-05-20 11:21:21 +02:00
vincent
18a78f6fd2 chore (immich): fix logo 2024-05-20 11:20:32 +02:00
vincent
f22e3406be borgmatic: modify jellyfin backup exeption 2024-05-16 19:19:00 +02:00
vincent
1520ec0dcc disable authelia notifier check 2024-05-16 19:18:18 +02:00
vincent
275435664c feat: grafanna sso
2024-05-10 15:50:45 +02:00
vincent
f9ff70a9d9 feat: immich sso
2024-05-10 14:49:50 +02:00
vincent
8915ff52dd fix: wrong array character 2024-05-10 14:49:20 +02:00
vincent
74794f866a feat: improve database playbook 2024-05-10 08:35:14 +02:00
vincent
7244ceb5b1 feat: manage all nomad folder creation on build 2024-05-10 08:35:14 +02:00
vincent
49a8a427f7 perf: adjust openldap ram 2024-05-10 08:35:14 +02:00
vincent
f4f77fc55a fix: add dev network to docker insecure registry 2024-05-10 08:35:14 +02:00
vincent
351d7c287f fix: increase VM ram among 2024-05-10 08:35:14 +02:00
vincent
598896ad5f feat: implement immich job 2024-05-10 08:20:01 +02:00
vincent
6e00668840 add terrform immich variable for vault and dns 2024-05-10 08:18:53 +02:00
vincent
24eb640c60 configure db for immich 2024-05-09 09:25:23 +02:00
vincent
9b6ed6cc6e switch to opentofu 2024-05-09 09:14:25 +02:00
vincent
2f1de5dcd5 fix vault dn
Signed-off-by: vincent <vincent@ducamps.win>
2024-05-08 21:38:10 +02:00
vincent
78692be3fd add vector.rs to database playbook 2024-05-08 21:37:27 +02:00
vincent
272efbb844 update openldap default tree 2024-05-08 21:14:37 +02:00
vincent
c9f4656470 switch gerard-dev to archlinux 2024-05-08 21:07:57 +02:00
vincent
6e679c82a0 fix: add missing argument to ldap manager
2024-05-08 09:11:28 +02:00
vincent
9d0c513787 chore: update nomad template 2024-04-28 16:11:37 +02:00
vincent
69a2ad4efd feat: implement mealie
2024-04-28 16:10:43 +02:00
vincent
2f6c814fb1 CI: terraform makefile command parameter
2024-04-27 14:29:38 +02:00
vincent
ab3c42cf8b feat: add authelia oidc authent
2024-04-24 21:23:39 +02:00
vincent
992937c011 feat: migrate rutorrent on authelia for authent
2024-04-12 08:59:40 +02:00
vincent
5fe61223c3 feat: create authelia job 2024-04-12 08:59:20 +02:00
vincent
452ab3611a fix (syncthing): change UID to match to folder 2024-04-12 08:58:02 +02:00
vincent
1ee5e21f84 ldap: remove login shell for service acount 2024-04-12 08:57:38 +02:00
vincent
92befa7ea4 chore: update alertmanager smtp hello url 2024-04-12 08:56:50 +02:00
vincent
4be6af919d refactor: mmove lldap to decom job 2024-04-12 08:56:34 +02:00
vincent
77e7cd4f88 style: update missing icon 2024-04-12 08:56:12 +02:00
vincent
fe9bc8dbab feat: add torrent automation job (prawlarr + flareresolver) 2024-04-11 10:16:20 +02:00
vincent
60cfe75e47 perfs (prometheus): add memory_max
2024-04-09 08:41:06 +02:00
vincent
4fcf862279 borgmatic: add exclusion 2024-04-09 08:40:53 +02:00
vincent
98c1d63962 borgmatic: add action 2024-04-09 08:40:38 +02:00
vincent
0b067cabca loki: review config 2024-04-09 08:39:37 +02:00
vincent
4ef30222f7 fix: memory_max
2024-03-29 21:15:39 +01:00
vincent
117e9397a3 switch volume to nfsv4 2024-03-29 21:14:24 +01:00
vincent
0b25eb194e feat: add authorization for local docker in nfs
2024-03-17 19:07:51 +01:00
vincent
74dc3a0c89 chore: clean gerard from inventory 2024-03-17 19:01:52 +01:00
vincent
9bc0e24357 fix: pureftpd variable 2024-03-17 19:01:32 +01:00
vincent
e0f9190b76 feat: docker pull througt mirror
2024-03-17 18:58:24 +01:00
vincent
f0676ec3f7 fix: change rutorrent tag 2024-03-17 11:07:59 +01:00
vincent
8b895fee06 docs: update ADR 2024-03-17 11:07:59 +01:00
vincent
aeed90ea34 perfs: adjust max mermory 2024-03-17 11:07:59 +01:00
vincent
a89109e1ff feat: add actual budget 2024-03-17 11:07:59 +01:00
vincent
d748beb6a4 feat: switxh from vsftp to pure-ftpd 2024-03-17 11:07:59 +01:00
vincent
3a80c47b56 add service account ou in ldap default tree 2024-03-17 11:07:59 +01:00
vincent
c75e9e707a fix: staging nas bind 2024-03-17 11:07:59 +01:00
vincent
4926b4eb06 perfs: increase backup postgress memory 2024-03-17 11:07:59 +01:00
vincent
0ebd087544 fix: move binding dn 2024-03-17 11:07:59 +01:00
vincent
b7dc26cc27 borgmatic: fix config 2024-03-17 11:07:59 +01:00
vincent
012c448c73 improve share binding 2024-03-17 11:07:59 +01:00
vincent
1b79fe4cb0 Borgmatic: add know host 2024-03-17 11:07:59 +01:00
vincent
6848ffa05b fix: become on nut role 2024-03-17 11:07:59 +01:00
vincent
aec7230f11 feat: ftp local user iss chroot 2024-03-17 11:07:58 +01:00
vincent
da3b290d4a feat: enable crossmount in nfs share 2024-03-17 11:07:58 +01:00
vincent
5718968407 fix:hard DNS on oscar instead Nas (if NAS is shutdown cluster DNS will
shutdown )
2024-03-17 11:07:58 +01:00
vincent
0db8555fe8 change rutorrent group 2024-03-17 11:07:58 +01:00
vincent
2fee8293dc feat: add role for nut 2024-03-17 11:07:58 +01:00
vincent
3dae6adb33 switch dns on oberon 2024-03-17 11:07:58 +01:00
vincent
f207be7d7d finalize Nas data migration 2024-03-17 11:07:58 +01:00
vincent
f32c0d1e40 fix: no issue on nfs cluster if one device is down 2024-03-17 11:07:58 +01:00
vincent
d37fe78e39 feat: enable vsftp user session 2024-03-17 11:07:58 +01:00
vincent
586e6101ca feat: correct homedir for samba 2024-03-17 11:07:58 +01:00
vincent
e470b204a5 feat: add constrainst to limit nas job 2024-03-17 11:07:58 +01:00
vincent
c4d10aacfe fix: change path 2024-03-17 11:07:58 +01:00
vincent
e10830e028 fix: path issue 2024-03-17 11:07:58 +01:00
vincent
c37083b5c9 feat: isolate wireguard playbook 2024-03-17 11:07:58 +01:00
vincent
c7e6270c3a fix: remove separator from create user 2024-03-17 11:07:58 +01:00
vincent
625bda7fda feat: deploy NAS on oberon 2024-03-17 11:07:58 +01:00
vincent
d1cc5ff299 fix: add lan dns redirection to pdns recursor 2024-03-17 11:07:58 +01:00
vincent
0a57c5659c fix: upgrade vikunka 2024-03-17 11:07:58 +01:00
vincent
7191cb7216 rename nas to oberon 2024-03-17 11:07:58 +01:00
vincent
b3488061da dns: decrease local ttl 2024-03-17 11:07:58 +01:00
vincent
c08032052d fix: terraform dns makefile secret 2024-03-17 11:07:58 +01:00
vincent
25780828cc job: add borgmatic 2024-03-17 11:07:58 +01:00
vincent
46b4a51935 CI: improve consul stagging switch 2024-03-17 11:07:58 +01:00
vincent
993753f284 feat: intergrate SAMBA Nas role 2024-03-17 11:07:58 +01:00
vincent
5188d865d8 fix: get ldap admin password in vault 2024-03-17 11:07:58 +01:00
vincent
2a731201a1 add default crypt password for vault service account 2024-03-17 11:07:58 +01:00
vincent
70e0d6011b CI: autoapprove for terraform apply 2024-03-17 11:07:58 +01:00
vincent
2c0da4bd15 feat: enable automoint for staging 2024-03-17 11:07:58 +01:00
vincent
547ce05466 chore: complete generate-vault-secret 2024-03-17 11:07:58 +01:00
vincent
bfb3ec3d34 fix: modify vault endpoint for create nomad token 2024-03-17 11:07:58 +01:00
vincent
9756939f8e fix: create nomad dir in playbook with correct right 2024-03-17 11:07:58 +01:00
vincent
f420f17929 feat: modify staging domain name 2024-03-17 11:07:58 +01:00
vincent
2bae64c40b create script to bootstrap vault secret 2024-03-17 11:07:58 +01:00
vincent
c8f7d7f8c3 ordo: improve makefile for terraform 2024-03-17 11:07:58 +01:00
vincent
2632c6d2b0 dns: switch cname to alias 2024-03-17 11:07:58 +01:00
vincent
f61008b570 fix: bootstrap become 2024-03-17 11:07:58 +01:00
vincent
73df5fa582 refactor: consul in first of hashicorp stack 2024-03-17 11:07:58 +01:00
vincent
e3d76630c3 feat: replace rocky by arch in vagrant 2024-03-17 11:07:58 +01:00
vincent
41b1a71c76 feat: switch consul DNS in makefile 2024-03-17 11:07:58 +01:00
vincent
e9ad317436 feat ensure nfs share folder exist 2024-03-17 11:07:58 +01:00
vincent
2db6061516 fix: declare main interface variable for stagging 2024-03-17 11:07:58 +01:00
vincent
3367c78314 feat: merge user create and config playbook 2024-03-17 11:07:58 +01:00
vincent
08ea604028 feat: create home share ans delete home mont on cluster 2024-03-17 11:07:58 +01:00
vincent
29ab70a1d5 fix: samba mount option issue 2024-03-17 11:07:58 +01:00
vincent
e083f4da7a terraform: remove corwin 2024-03-17 11:07:58 +01:00
vincent
2ea4992f57 fix dockermailserver: add privae network to ha proxy auth 2024-03-17 11:07:58 +01:00
vincent
49de33bbdb calc docket mtu on wireguard MTU 2024-03-17 11:07:58 +01:00
vincent
2b678b7786 remove bootstap become 2024-03-17 11:07:58 +01:00
vincent
fc2dcd7b33 fix: add empty env group to avoid issue 2024-03-17 11:07:58 +01:00
vincent
29d70cac0e migrate to merlin 2024-03-17 11:07:58 +01:00
vincent
4117bd80c5 fix: www specific location for archiso 2024-03-17 11:07:58 +01:00
vincent
da6f04e42e fix: database pg_hba 2024-03-17 11:07:58 +01:00
vincent
13bda4cd34 fix: case where vault root file not exist 2024-03-17 11:07:58 +01:00
vincent
63cd352fff archiso on web server 2024-03-17 11:07:58 +01:00
vincent
a65e3484b5 implement default interface variable 2024-03-17 11:07:58 +01:00
vincent
2b9e034232 delete old var file 2024-03-17 11:07:58 +01:00
vincent
527d2f2345 add packer to build arch image on hetzner 2024-03-17 11:07:58 +01:00
vincent
2da18e9c12 docs: add smtp case troubleshoot 2024-03-17 11:07:58 +01:00
vincent
49f639cb15 delete old dns terraform file 2024-03-17 11:07:58 +01:00
vincent
abc88f0074 add packer for hetzner image 2024-03-17 11:07:58 +01:00
vincent
394dbaf6cb move filestash on homelab 2024-03-17 11:07:58 +01:00
vincent
78762b477e move mail on homelab 2024-03-17 11:07:58 +01:00
vincent
2c00b9be59 feat: redirect all cluster traffic on wirequard 2024-03-17 11:07:58 +01:00
vincent
acc6cdc5fa fix crowsec: rename data file 2024-03-17 11:07:58 +01:00
vincent
43b6cf9158 fix www: change redirection method 2024-03-17 11:07:58 +01:00
vincent
015a89b27e fix: port 25 entrypoint conflict 2024-03-17 11:07:58 +01:00
vincent
68434f3e92 fix: switch ldap user manager traefik router 2024-03-17 11:07:58 +01:00
vincent
fe6d1c5e26 add user group to tree ldif 2024-03-17 11:07:58 +01:00
vincent
f8bc026165 feat: implemant openldap and migration 2024-03-17 11:07:58 +01:00
vincent
80f489422a change docker repo for testing 2024-03-17 11:07:58 +01:00
vincent
4207b1fc75 init lldap job 2024-03-17 11:07:58 +01:00
vincent
ea30fce975 feat: move backup in dedicated folder 2024-03-17 11:07:58 +01:00
vincent
5b23006e97 feat: move last application data folder in nomad share 2024-03-17 11:07:58 +01:00
vincent
9370a92518 put hashicorpstack before nas role 2024-03-17 11:07:58 +01:00
vincent
9fcf2d78e6 config repo on prod 2024-03-17 11:07:58 +01:00
vincent
f82c99c2ba fix: typo 2024-03-17 11:07:58 +01:00
vincent
cecad8b785 feat: change nas if by consul service for stagging 2024-03-17 11:07:58 +01:00
vincent
28fc2bf6a7 init csi 2024-01-13 18:37:11 +01:00
vincent
a0214d0d74 allow nomad privileged on all
2024-01-13 18:36:27 +01:00
vincent
9812376a1d gather all device before nas playbook 2024-01-13 18:36:27 +01:00
vincent
6ddcc4736e put nfs share in export bind 2024-01-13 18:32:02 +01:00
vincent
11fe5fb5dc conf dhcp: add ip for shelly
2024-01-13 16:49:47 +01:00
vincent
ec2ecd08cd perfs backup-postgress: increse memory
2024-01-13 10:20:53 +01:00
148 changed files with 4718 additions and 1127 deletions

15
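--- a/Vagrantfile
+++ b/Vagrantfile
@@ -1,9 +1,10 @@
 Vagrant.configure('2') do |config|
 if Vagrant.has_plugin?('vagrant-cachier')
 config.cache.scope = 'machine'
+config.cache.enable :pacman
 end
 config.vm.provider :libvirt do |libvirt|
-libvirt.management_network_domain = "ducamps-dev.eu"
+libvirt.management_network_domain = "lan.ducamps.dev"
 end
 config.vm.define "oscar-dev" do |c|
@@ -19,7 +20,7 @@ Vagrant.configure('2') do |config|
 # Provider
 c.vm.provider "libvirt" do |libvirt, override|
-libvirt.memory = 1024
+libvirt.memory = 2048
 libvirt.cpus = 2
 end
 c.vm.provision "ansible" do |bootstrap|
@@ -32,7 +33,7 @@ Vagrant.configure('2') do |config|
 config.vm.define "merlin-dev" do |c|
 # Box definition
-c.vm.box = "generic/rocky9"
+c.vm.box = "archlinux/archlinux"
 # Config options
 c.vm.synced_folder ".", "/vagrant", disabled: true
 c.ssh.insert_key = true
@@ -42,7 +43,7 @@ Vagrant.configure('2') do |config|
 # Provider
 c.vm.provider "libvirt" do |libvirt, override|
-libvirt.memory = 1024
+libvirt.memory = 512
 libvirt.cpus = 2
 end
@@ -56,7 +57,7 @@ Vagrant.configure('2') do |config|
 config.vm.define "gerard-dev" do |c|
 # Box definition
-c.vm.box = "generic/debian12"
+c.vm.box = "archlinux/archlinux"
 # Config options
 c.vm.synced_folder ".", "/vagrant", disabled: true
@@ -66,7 +67,7 @@ Vagrant.configure('2') do |config|
 # instance_raw_config_args
 # Provider
 c.vm.provider "libvirt" do |libvirt, override|
-libvirt.memory = 1024
+libvirt.memory = 2048
 libvirt.cpus = 2
 end
 c.vm.provision "ansible" do |bootstrap|
@@ -89,7 +90,7 @@ Vagrant.configure('2') do |config|
 # Provider
 c.vm.provider "libvirt" do |libvirt, override|
-libvirt.memory = 1024
+libvirt.memory = 2048
 libvirt.cpus = 2
 end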
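Review bot: The two box switches to `c.vm.box = "archlinux/archlinux"` (merlin-dev and gerard-dev) pull a rolling box with no version pin, so every `vagrant up` may fetch a different image and the staging environment is not reproducible from this file alone. Pinning with `c.vm.box_version = "<pinned version>"` next to each `c.vm.box` line keeps the dev images deterministic and makes a box update an explicit, reviewable change. Several hunks in this section appear to have lost blank lines in rendering (the hunk headers count one more line than is shown), so the line counts above are reproduced from the page rather than recomputed.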


@ -15,7 +15,10 @@ pdns_rec_config:
forward-zones: forward-zones:
- "{{ consul_domain }}=127.0.0.1:8600" - "{{ consul_domain }}=127.0.0.1:8600"
- "ducamps.win=192.168.1.10" - "ducamps.win=192.168.1.10"
- "ducamps.eu=192.168.1.5" - "{{ domain.name }}=192.168.1.5"
- "lan.{{ domain.name }}=192.168.1.5"
- "1.168.192.in-addr.arpa=192.168.1.5:5300" - "1.168.192.in-addr.arpa=192.168.1.5:5300"
local-address: "{{ ansible_default_ipv4.address }}"
local-address: "{{ hostvars[inventory_hostname]['ansible_'+ default_interface].ipv4.address|default(ansible_default_ipv4.address) }}"
dnssec: "off" dnssec: "off"
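Review bot: The new `local-address` expression concatenates `'ansible_' + default_interface` before the trailing `default(ansible_default_ipv4.address)` is applied, so on any host where `default_interface` is not set the template fails on the undefined concatenation rather than falling back; the `nfs_cluster_list` expression in the NFS vars file guards the same pattern with `|default('')`. Applying the same guard here, `local-address: "{{ hostvars[inventory_hostname]['ansible_' + default_interface|default('')].ipv4.address|default(ansible_default_ipv4.address) }}"`, keeps the fallback reachable. This presumably matters for hosts outside the group that defines `default_interface`; confirm against the inventory. Note also that the address chosen here decides which interface the recursor listens on, so any `allow-from` restriction (not visible in this hunk) should be checked against the interface actually selected.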


@ -0,0 +1,90 @@
NAS_nomad_folder:
- name: actualbudget
- name: archiso
owner: 1000001
- name: backup
owner: 1000001
- name: borgmatic
- name: crowdsec
owner: 1000001
- name: dms
owner: 1000001
- name: filestash
owner: 1000
- name: gitea
owner: 1000000
- name: grafana
owner: 472
- name: hass
owner: 1000001
- name: homer
owner: 1000001
- name: immich/cache
- name: immich/upload
- name: jellyfin
owner: 1000001
- name: loki
owner: 10001
- name: mealie
owner: 1000001
- name: mosquito
owner: 1883
- name: pacoloco
owner: 1000001
- name: pdns-auth
owner: 1000001
- name: pdns-admin
owner: 1000001
- name: pihole
owner: 999
- name: prometheus
owner: 65534
- name: prowlarr
owner: 1000001
- name: radicale
owner: 1000001
- name: openldap
owner: 1001
- name: registry/ghcr
- name: registry/docker
- name: syncthing
owner: 1000001
- name: traefik
owner: 1000001
- name: tt-rss
owner: 1000001
- name: vaultwarden
owner: 1000001
- name: zigbee2mqtt
owner: 1000001
nas_bind_target: "/exports"
nas_bind_source:
- dest: "{{ nas_bind_target }}/nomad"
source: /data/data1/nomad
- dest: "{{ nas_bind_target }}/music"
source: /data/data1/music
- dest: "{{ nas_bind_target }}/download"
source: /data/data1/download
- dest: "{{ nas_bind_target }}/media/serie"
source: /data/data2/serie
- dest: "{{ nas_bind_target }}/media/film"
source: /data/data3/film
- dest: "{{ nas_bind_target }}/photo"
source: /data/data1/photo
- dest: "{{ nas_bind_target }}/homes"
source: /data/data1/homes
- dest: "{{ nas_bind_target }}/ebook"
source: /data/data1/ebook
- dest: "{{ nas_bind_target }}/media/download/serie"
source: /data/data1/download/serie
- dest: "{{ nas_bind_target }}/media/download/film"
source: /data/data1/download/film
- dest: "{{ nas_bind_target }}/music/download/"
source: /data/data1/download/music
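Review bot: The `owner` values in `NAS_nomad_folder` are numeric UIDs with no explanation, and several entries (actualbudget, borgmatic, immich/cache, immich/upload, registry/ghcr, registry/docker) carry no `owner` at all, so a reader cannot tell whether the omission is deliberate or which UID those directories end up with. A header comment such as `# owner: UID the service container runs as; entries without owner keep the role's default ownership` would document the intent, and each non-obvious UID (for example the 472, 999, 1883 and 65534 entries) deserves a short trailing comment naming the image it matches. No `mode` is specified for any directory, so the resulting permissions presumably come from the consuming role's defaults; confirm that is the intended access level for shares like `homes` and `backup`.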


@ -1,3 +1 @@
vsftpd_config: vsftpd_config: {}
local_root: "/var/local/volume1"
seccomp_sandbox: False


@ -1,15 +1,15 @@
nfs_cluster_list: "{% for server in groups['all']%}{{ hostvars[server]['ansible_default_ipv4']['address'] }}(rw,no_root_squash,async,insecure_locks,sec=sys) {%endfor%}" nfs_cluster_list: "{% for server in groups['all']%} {% if hostvars[server]['ansible_default_ipv4']['address'] is defined %} {{hostvars[server]['ansible_' + hostvars[server]['nfs_iface']|default('')].ipv4.address|default(hostvars[server]['ansible_default_ipv4']['address'],true)}}{{ nfs_options }} {% endif %} {%endfor%}"
nfs_options: "(rw,no_root_squash,crossmnt,async,insecure_locks,sec=sys)"
nfs_consul_service: true
nfs_bind_target: "/exports"
nfs_exports: nfs_exports:
- "/var/local/volume1/nomad {{nfs_cluster_list}}" - "{{ nas_bind_target }} *(fsid=0,insecure,no_subtree_check)"
- "/var/local/volume1/music {{nfs_cluster_list}}" - "{{ nas_bind_target }}/nomad {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
- "/var/local/volume1/media {{nfs_cluster_list}}" - "{{ nas_bind_target }}/download {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
- "/var/local/volume1/photo {{nfs_cluster_list}}" - "{{ nas_bind_target }}/music {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
- "/var/local/volume1/ebook {{nfs_cluster_list}}" - "{{ nas_bind_target }}/media {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
- "/var/local/volume1/git {{nfs_cluster_list}}" - "{{ nas_bind_target }}/photo {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
- "/var/local/volume1/archMirror {{nfs_cluster_list}}" - "{{ nas_bind_target }}/homes {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
- "/var/local/volume1/homes/admin {{nfs_cluster_list}}" - "{{ nas_bind_target }}/ebook {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
- "/var/local/volume1/CardDav {{nfs_cluster_list}}"


@ -0,0 +1,25 @@
samba_passdb_backend: tdbsam
samba_shares_root: /exports
samba_shares:
- name: media
comment: "media"
write_list: "@NAS_media"
browseable: true
- name: ebook
comment: "ebook"
write_list: "@NAS_ebook"
browseable: true
- name: music
comment: "music"
write_list: "@NAS_music"
browseable: true
- name: photo
comment: "photo"
write_list: "@NAS_photo"
browseable: true
- name: download
comment: "downlaod"
write_list: "@NAS_download"
browseable: true
samba_load_homes: True
samba_homes_include: samba_homes_include.conf
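Review bot: The `download` share has a typo in its user-visible comment, `comment: "downlaod"`, which should read `comment: "download"` to match the other shares. More importantly, every share sets `write_list` but none sets `valid_users` or `read_list`, so read access is governed entirely by the consuming role's defaults (not visible here); if the intent is that only the `@NAS_*` group may see each share, a `valid_users: "@NAS_media"`-style entry per share makes that explicit rather than implicit. `browseable: true` on all shares also advertises them to any connecting client, which is fine if read access is already restricted.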


@ -4,7 +4,7 @@ systemd_mounts:
mount: /mnt/diskstation/nomad mount: /mnt/diskstation/nomad
type: nfs type: nfs
options: options:
- " " - "vers=4"
automount: "{{ env_automount }}" automount: "{{ env_automount }}"
enabled: true enabled: true
hetzner_storage: hetzner_storage:
@ -13,8 +13,8 @@ systemd_mounts:
type: cifs type: cifs
options: options:
- credentials=/etc/creds/hetzner_credentials - credentials=/etc/creds/hetzner_credentials
- uid= 100001 - uid=100001
- gid= 10 - gid=10
- vers=3.0 - vers=3.0
- mfsymlinks - mfsymlinks
automount: "{{ env_automount }}" automount: "{{ env_automount }}"


@ -4,4 +4,4 @@ system_arch_local_mirror: "https://arch.{{domain.name}}/repo/archlinux_$arch"
system_sudoers_group: "serverAdmin" system_sudoers_group: "serverAdmin"
system_ipV6_disable: True system_ipV6_disable: True
system_ip_unprivileged_port_start: 0 system_ip_unprivileged_port_start: 0
nas_ip: "{{ hostvars[groups['NAS'][0]]['ansible_facts']['default_ipv4']['address']|default('192.168.1.10')}}" wireguard_mtu: 1420
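Review bot: This hunk removes the `nas_ip` definition (and its `192.168.1.10` fallback) from these group vars, yet the systemd_mounts file later in this compare still references `{{ nas_ip }}` in every `diskstation_*` share, so any host that only received `nas_ip` from here will fail to template its mounts. The commit list suggests `nas_ip` is now derived from a consul service for staging; confirm it is defined for every host in the groups that carry the `diskstation_*` mounts, and consider a one-line comment here pointing to where it now lives. The replacement `wireguard_mtu: 1420` looks consistent with the `mtu: 1420` added to the docker daemon config.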


@ -1,4 +1,8 @@
docker_daemon_config: docker_daemon_config:
dns: dns:
- 172.17.0.1 - 172.17.0.1
- 192.168.1.5 - 192.168.1.6
mtu: 1420
insecure-registries:
- 192.168.1.0/24
- 192.168.121.0/24
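Review bot: `insecure-registries` now lists two whole subnets (`192.168.1.0/24` and `192.168.121.0/24`), which tells the docker daemon to accept plain-HTTP or untrusted-TLS registries at any address in those ranges, so an image pull from any host that answers on the registry port in either network is trusted without certificate verification. Narrowing the entries to the actual registry endpoint(s), e.g. `- <registry-host>:<port>` for the local registry job, limits that trust to the intended service; fronting the registry with a trusted certificate and removing the entry altogether would be better still. The dns change to `192.168.1.6` and the `mtu: 1420` entry look fine.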


@ -2,6 +2,7 @@ nomad_docker_allow_caps:
- NET_ADMIN - NET_ADMIN
- NET_BROADCAST - NET_BROADCAST
- NET_RAW - NET_RAW
nomad_allow_privileged: True
nomad_vault_enabled: true nomad_vault_enabled: true
nomad_vault_address: "http://active.vault.service.{{consul_domain}}:8200" nomad_vault_address: "http://active.vault.service.{{consul_domain}}:8200"
nomad_vault_role: "nomad-cluster" nomad_vault_role: "nomad-cluster"
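Review bot: `nomad_allow_privileged: True` added to group-wide vars presumably enables the docker driver's `allow_privileged` on every client (the commit title says "allow nomad privileged on all"), so any job that can be submitted to the cluster may run a privileged container and thereby gain root on the client host; the existing `NET_ADMIN`/`NET_RAW` capability allowances are a much narrower grant by comparison. If only one or two jobs need it, scoping the variable to the host group that runs them, or restricting which namespaces/ACL policies may submit privileged jobs, keeps the blast radius small. A short comment naming the job that requires it would also make the setting reviewable later.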


@ -1,42 +0,0 @@
consul_client_addr: "0.0.0.0"
consul_datacenter: "homelab"
consul_backup_location: "/mnt/diskstation/git/backup/consul"
consul_ansible_group: all
consul_bootstrap_expect: 3
nomad_docker_allow_caps:
- NET_ADMIN
- NET_BROADCAST
- NET_RAW
nomad_vault_enabled: true
nomad_vault_address: "http://active.vault.service.consul:8200"
nomad_vault_role: "nomad-cluster"
nomad_vault_token: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:nomad_vault_token') }}"
nomad_bootstrap_expect: 3
notification_mail: "{{inventory_hostname}}@{{ domain_name }}"
msmtp_mailhub: smtp.{{ domain_name }}
msmtp_auth_user: "{{ user.mail }}"
msmtp_auth_pass: "{{ lookup('hashi_vault','secret=secrets/data/ansible/other:email') }}"
system_user:
- name: drone-deploy
home: /home/drone-deploy
shell: /bin/bash
privatekey:
- keyname: id_gitea
key: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUaK+pQlosmopbZfucll9UdqDOTaODOBwoxRwkJEk1i drone@oscar
- name: ansible
home: /home/ansible
shell: /bin/bash
- name: root
home: /root
privatekey:
- keyname: id_gitea
key: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"


@ -1,5 +1,5 @@
sssd_configure: true sssd_configure: true
# sssd_configure is False by default - by default nothing is done by this role. # sssd_configure is False by default - by default nothing is done by this role.
ldap_search_base: "dc=ducamps,dc=win" ldap_search_base: "dc=ducamps,dc=eu"
ldap_uri: "ldaps://ldap.ducamps.eu" ldap_uri: "ldaps://ldaps.service.consul"
ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=win" ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=eu"
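Review bot: `ldap_uri: "ldaps://ldaps.service.consul"` moves sssd to a consul service name, so the LDAP server's certificate must carry `ldaps.service.consul` as a subject alternative name and sssd must trust the issuing CA; otherwise the TLS handshake fails, and the tempting workaround is to relax `ldap_tls_reqcert`, which would silently remove server authentication for sudo and login data. Worth confirming in the same change that `ldap_tls_cacert` (or the equivalent role variable) points at the CA for that name and that `ldap_tls_reqcert` stays at `demand`. The base-DN updates to `dc=ducamps,dc=eu` are consistent between `ldap_search_base` and `ldap_sudo_search_base`.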


@ -39,4 +39,4 @@ user_custom_host:
user: "git" user: "git"
keyfile: "~/.ssh/id_gitea" keyfile: "~/.ssh/id_gitea"
user_config_repo: "ssh://git@git.{{ domain.name }}:2222/vincent/conf2.git" user_config_repo: "ssh://git@git.ducamps.eu:2222/vincent/conf2.git"
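Review bot: `user_config_repo` now hard-codes `git.ducamps.eu` where the previous value and the rest of these vars (for example `arch.{{domain.name}}` in the system vars) derive the host from `{{ domain.name }}`, so staging hosts will clone from the production forge. If that is intentional (the staging forge does not hold the repo), a trailing comment such as `# intentionally prod: config repo is only hosted on the production gitea` would stop the next reader from "fixing" it back; if not, `user_config_repo: "ssh://git@git.{{ domain.name }}:2222/vincent/conf2.git"` restores consistency.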


@ -1,11 +1,12 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
34356264306639303930393736376562653636383538623131343939323563653938616534623163 61326233336236343231396231306638373837653661313334313261313539316532373437346132
6536366261666662376533393836626664373766313439660a363331326231303638626165393164 3931306637303530373032663236363466383433316161310a396439393564643731656664663639
63323063623365393566643230653964393565636430303365653233323931646236366664346430 32386130663837303663376432633930393663386436666263313939326631616466643237333138
3162383233656139320a323133323262386638363738346336613862626539386538633864613131 3365346131636333330a376436323964656563363664336638653564656231636136663635303439
30306539376639303365323665613732616138346530346162633761386466626238373065316230 35346461356337303064623861326331346263373539336335393566623462343464323065366237
38396662363364336134306130616661643835616161313535613331303133383334393333653335 61346637326336613232643462323733366530656439626234663335633965376335623733336162
66363538313631373736396333363837376664616166663665343030336232346237333965303861 37323739376237323534613361333831396531663637666161666366656237353563626164626632
36613763666135393531653637616463333461343232366137656336383239623166633338646561 33326336353663356235373835666166643465666562616663336539316233373430633862613133
39336563636665396666663339306534643661366264623061626661343762373037383037373561 36363831623361393230653161626131353264366634326233363232336635306266376363363739
3431656130306133323436616531343034366665636434333362 66373434343330633337633436316135656533613465613963363931383266323466653762623365
363332393662393532313063613066653964


@ -1,42 +1,10 @@
systemd_mounts: systemd_mounts:
diskstation_git:
share: "{{ nas_ip }}:{{ env_default_nfs_path }}//git"
mount: /mnt/diskstation/git
type: nfs
options:
- " "
automount: "{{ env_automount }}"
enabled: true
diskstation_CardDav:
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/CardDav"
mount: /mnt/diskstation/CardDav
type: nfs
options:
- " "
automount: "{{ env_automount }}"
enabled: true
backup_disk:
share: /dev/sdb1
mount: /mnt/backup
type: ntfs-3g
options:
- " "
automount: "{{ env_automount }}"
enabled: "{%if inventory_hostname in groups['staging'] %} false {% else %} true {% endif %}"
diskstation_home:
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/homes/admin"
mount: /mnt/diskstation/home
type: nfs
options:
- " "
automount: "{{ env_automount }}"
enabled: true
diskstation_photo: diskstation_photo:
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/photo" share: "{{ nas_ip }}:{{ env_default_nfs_path }}/photo"
mount: /mnt/diskstation/photo mount: /mnt/diskstation/photo
type: nfs type: nfs
options: options:
- " " - "vers=4"
automount: "{{ env_automount }}" automount: "{{ env_automount }}"
enabled: true enabled: true
diskstation_music: diskstation_music:
@ -44,7 +12,7 @@ systemd_mounts:
mount: /mnt/diskstation/music mount: /mnt/diskstation/music
type: nfs type: nfs
options: options:
- " " - "vers=4"
automount: "{{ env_automount }}" automount: "{{ env_automount }}"
enabled: true enabled: true
diskstation_media: diskstation_media:
@ -52,23 +20,16 @@ systemd_mounts:
mount: /mnt/diskstation/media mount: /mnt/diskstation/media
type: nfs type: nfs
options: options:
- " " - "vers=4"
automount: "{{ env_automount }}" automount: "{{ env_automount }}"
enabled: true enabled: true
diskstation_ebook: diskstation_ebook:
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/ebook" share: "{{ nas_ip }}:{{ env_default_nfs_path }}/ebook"
mount: /mnt/diskstation/ebook mount: /mnt/diskstation/ebook
type: nfs type: nfs
options: options:
- " " - "vers=4"
automount: "{{ env_automount }}"
enabled: true
diskstation_archMirror:
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/archMirror"
mount: /mnt/diskstation/archMirror
type: nfs
options:
- " "
automount: "{{ env_automount }}" automount: "{{ env_automount }}"
enabled: true enabled: true
diskstation_nomad: diskstation_nomad:
@ -79,3 +40,11 @@ systemd_mounts:
- " " - " "
automount: "{{ env_automount }}" automount: "{{ env_automount }}"
enabled: true enabled: true
diskstation_download:
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/download"
mount: /mnt/diskstation/download
type: nfs
options:
- "vers=4"
automount: "{{ env_automount }}"
enabled: true
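Review bot: Every NFS mount in this file is switched to `- "vers=4"` except `diskstation_nomad`, whose options line `- " "` is still visible as context at the start of the last hunk (`@ -79,3 +40,11`), so that mount will negotiate whatever version the client defaults to while the new `diskstation_download` mount and the others pin v4. If the nomad share is meant to stay on v3 (for example because of lock behaviour), a comment on that entry saying so would help; otherwise `- "vers=4"` there keeps the file consistent with the `fsid=0` pseudo-root export added on the server side. The `systemd_mounts` mapping starts before the first hunk, so other entries may exist outside this view.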


@ -24,6 +24,10 @@ postgresql_databases:
owner: pdns-auth owner: pdns-auth
- name: pdns-admin - name: pdns-admin
owner: pdns-admin owner: pdns-admin
- name: mealie
owner: mealie
- name: immich
owner: immich
postgresql_hba_entries: postgresql_hba_entries:
- {type: local, database: all, user: postgres, auth_method: peer} - {type: local, database: all, user: postgres, auth_method: peer}
@ -32,5 +36,3 @@ postgresql_hba_entries:
- {type: host, database: all, user: all, address: '::1/128', auth_method: md5} - {type: host, database: all, user: all, address: '::1/128', auth_method: md5}
- {type: host, database: all, user: all, address: '::0/128', auth_method: md5} - {type: host, database: all, user: all, address: '::0/128', auth_method: md5}
- {type: host, database: all, user: all, address: '0.0.0.0/0', auth_method: md5} - {type: host, database: all, user: all, address: '0.0.0.0/0', auth_method: md5}
- {type: host, database: replication, user: repli, address:192.168.1.42/32, auth_method: md5}
- {type: host, database: replication, user: repli, address:192.168.1.40/32, auth_method: md5}


@ -1,45 +1,54 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
64656332666561346439636331396439333566646361333031613764376634363061623635356630 39363436643831373861376361613830316334613939346338616636393462663033393261633838
3832326235316435316264653637396130383465323234630a653138393161316232323236323366 6337336161393063646136613538396366653538656435360a303062636463383739653730346639
32363661633631623132323864663366633766396266623630636135396165663062353434613231 61323634306265613336313634653039313639663836363032353261383566393865613166613032
6363646665626439610a313233313639333232393035633139326561316431393837616231313933 3837313634633466610a313062646237396138316361303361663565353862363139343566306539
38646532613665666136316635376533653161616630313532333330393364636662653331336637 38303161303163323265376539323939393938373965353934303535613962653534363362346563
39353462336130333933383033656634633461333461393730633333343330306432623466623062 61643638353138623162353364353736396162613735333063633739346132613161303564356437
32353962623338356630393935646537313335313335323464666265303732653633396332363965 62343535363263646463306466663536613937393463666336396332646533343439613433626566
36356338386330653863646134623234623230356232643535643763303162626132333530626639 38643363343065393165646134343935386461626166316662356365366666363737653336626631
39316166613862356264336362303833343236616635613136356433663766383861333832656261 64643230616431396666666462303366343164323233303139643939346635353730316234386163
35613662653266396461383162303230613865373232353437646131633063633634346633383563 35613235643034643833393233373536383863333763393066373564353535353463363336316335
31323736303537643433633235613464376230373332613331623439643462313362356437623463 63363537643432663266386438316563656663656462333039303861393364333966383430643263
65326335653938626461353332356434303962376630626666666631386334316261653639623633 63356435373064633861343137616637393161383361306135373864386235653034323732316663
34326633393330313064326562363838316366316361626662393435363262333264626333396136 65336465386135663532356433386562666639333464633362663131646237613034646563396133
66353936623763323865656632373763303365316131663064343830663330323566346535316436 33303464633635636233626633353038656230373266666132323561383866343632333561323363
63623931383461363364613632363661613734306535373536643236656161393634633435653862 61346664623338376436373332646232646235323639633262666166346535663238653563363239
34316666353234646633633635653934373335396635343035663238323636323662346632303865 34663365633363313433376333653534333364393635316235333965383262313563373161663065
35326333366439646661303437626238326435313032373031636535353963666263636635366234 36393565396534353235623238303835343334646632306638306332336539616463393966653538
36336562633666623932653465376237366232306262386565646631346432346631353566326535 35336462623031326539633139636533633632623137393463333531663935323765663139306361
32356337333762653161376439353035323633363833633862336134366132623963326231643461 66643434393533313039356434326438626265323066613966323634306632653765363834613034
35623863373730313935393631626266336465613261636364353533666233613831323031643035 30373039336536393865383265643335396232643537343363313338383838383030386665303237
32663630316264633932643132633061303438613339646264666334306630643038323632366330 64363666346535633237353462333232623132353031323231623338356136656261303662656465
31366365333039636434613537386436313539396632613766333136663638393462653263613165 31313039643561623635643435333133663032313964323061393231666336343233363038616231
33323937313031626233623237616464323939303131613465326362346632346538323161343362 36356262326530383233336130326361613431623866633832663361633937646461343731343938
65353839386133326233356561363864336261663135343865323861623330613736333835396261 33306262346463623935663466356264393837626239313739356431653163376563333234346566
64653361333530326630363633383836396565646463396239616261646635303535316135306537 38373663643532313635333131663239383736343930623735323861663037356136353433633865
64343830616566663633323531383464383834373539646637633465616533383238346565303337 63626435613936303661366637623338633961643137613933303735366265663933396130363039
34386561626266303833353665306335326264343533386263626562373633303135313735643733 34396637643638613839306639343765393539653164616536653661373264376436626639316666
37333766373465326133663663303166316134643732343938343930616631383137356137373564 61303835323761643531326438363035343539383464376433363534623934366534373631353364
31633831663264653762326534343635323364313632353661323330646638363062346137646337 61383866323737316430303736366533643939313637393631303833363431613562303639323939
61323334623434613333613038633637666131393338653839373835633062396661653537343138 66313434613963656464383964313734383938353366306462666537653563336465376464303538
61643961623366393735393438356461333731326265313937613066323038313163353835363135 34336531663334303938333739313638636363623562613536333736386137363139653164626261
33323932353264313536393865373232333930613636343661613033656165616237373439383531 62663662316365663563646164303935323866633336633939323837393962393130626330666233
38393932366633616639303964386333386462353935646432663330313137306465386634633931 63663661303565646236623130663034636264353235376561306630376365613966663536303963
33656533306665653836363830363164303039356463386130663536636330396138643363383838 63643161386435633831393334333035653761393863373731616239313235383033633439376166
35393966646630663535623836303262353739353063303763333530383630353838623939376535 39613762376162386231633938393036633461303732323337656430373430636435313337303365
34343239373831623232343530396561393730303066323236306539333263656133366363396534 37646461336339623339316663616636373036656564383462356562306465623762653162633963
30666662336435313561666536643231633562663037353837303936326164353366333032656431 35636466386138333564666564323034393162633965386133643235303938616439333130353637
39303063343536336431336637323239356432616562656565306561666664663930303232313464 61343536323034366464653138353665326436396133313432666563353335383733363335613562
34333236613239656562323037656137376135396636323361383565336636303338663138396238 61646365346665383866623364396138323666326338313530353663323938613362653038313339
65396130303931393266636630656637333464346361303763653931383464326365333232623437 32613663616535313661386538366330373364366637386634633437646362383764346263636434
61623263316562643636386637303531626238333131656130306236636230626362653935353331 35616166393065343038643861636333373738363335353164326435303961326662356230323262
34366663303235653431616135343963643935303336313231343562376430343564393832343335 35656531653535643630376330393731643532353132366662636664626132646632306361323035
36363130313533373137383738346438666634303537633232636535303835636333653636303937 31373136616435336362633439356339336466313337623538383763386132396135653864386638
39356339656234303432 31393864363466653137643565306462616238333435343036613331653866393532313861376331
33646636623666343439616332386363373664346164313963623861393134666463383366633539
35313761333564303635656364303566643436393130356163623137313530653539656537653139
38336636623732313630303933303962303561376436623737633139643564343166326335386639
31373437336139326562613339393235393065396538333566323864643639303132313733396132
35613532396363326166313061353136373965303964623534653634613639303764393038333037
63656131616463663565653134363336326139303736313138366262616338643339316231663631
30656132386462393433313261313466303239346138623433643634616465656139343764353338
62616139613731363665333438383861623837643432643134626461643631323034383262656439
33653563323434343964633236353434643739333863636630636363633639373630


@ -3,7 +3,7 @@ dhcpd_lease_time: '72'
dhcpd_domain_name: "lan.{{ domain.name }}" dhcpd_domain_name: "lan.{{ domain.name }}"
dhcpd_nameservers: dhcpd_nameservers:
- '192.168.1.4' - '192.168.1.4'
- '192.168.1.41' - '192.168.1.40'
dhcpd_zones: dhcpd_zones:
- zone: "lan.{{ domain.name }}." - zone: "lan.{{ domain.name }}."
@ -41,17 +41,10 @@ dhcpd_hosts:
- hostname: 'oscar' - hostname: 'oscar'
address: '192.168.1.40' address: '192.168.1.40'
ethernet: '7C:83:34:B3:49:9A' ethernet: '68:1D:EF:3C:F0:44'
- hostname: 'bleys' - hostname: 'bleys'
address: '192.168.1.42' address: '192.168.1.42'
ethernet: '68:1d:ef:2b:3d:24' ethernet: '68:1d:ef:2b:3d:24'
- hostname: 'VMAS-HML'
address: '192.168.1.50'
ethernet: '52:54:00:02:74:ed'
- hostname: 'VMAS-BUILD'
address: '192.168.1.53'
ethernet: '52:54:13:1e:93'
- hostname: 'xiaomi-chambre-gateway' - hostname: 'xiaomi-chambre-gateway'
@ -69,4 +62,7 @@ dhcpd_hosts:
- hostname: 'shelly-chambre-ventilo' - hostname: 'shelly-chambre-ventilo'
address: '192.168.1.65' address: '192.168.1.65'
ethernet: 'e0:98:06:97:78:0b' ethernet: 'e0:98:06:97:78:0b'
- hostname: 'shelly-Bureau-chauffeau'
address: '192.168.1.66'
ethernet: '8c:aa:b5:42:b9:b9'
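Review bot: The second entry of `dhcpd_nameservers` moves from 192.168.1.41 to 192.168.1.40 here, but the VPN-side DNS settings in the host_vars sections further down still hand out 192.168.1.41 — the `resolvectl dns %i 192.168.1.4 192.168.1.41` line kept in corwin and added in merlin, and merlin's `wireguard_dns: "192.168.1.4,192.168.1.41"`. gerard's host_vars declare `ansible_host: "192.168.1.41"` and the inventory hunk comments gerard out of cluster and production, so WireGuard clients would presumably keep querying a recursor that is no longer deployed; if the recursor now lives on oscar (.40), those lines should follow this change, or a comment next to each should say why they differ. The new host entry is also written `shelly-Bureau-chauffeau` while its siblings are all lower-case.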


@ -1,3 +1,2 @@
nomad_datacenter: homelab nomad_datacenter: homelab
nomad_allow_privileged: True
system_wol_enable: True system_wol_enable: True


@ -7,6 +7,7 @@ nomad_client_meta:
- name: "env" - name: "env"
value: "production" value: "production"
vault_unseal_keys_dir_output: "~/vaultUnseal/production" vault_unseal_keys_dir_output: "~/vaultUnseal/production"
env_default_nfs_path: "/volume2" env_default_nfs_path: ""
env_media_nfs_path: "/volume1" env_media_nfs_path: "/volume1"
env_automount: true env_automount: true
nas_ip: "192.168.1.43"


@ -1,5 +1,5 @@
domain: domain:
name: ducamps-dev.eu name: ducamps.dev
#systemd_mounts: [] #systemd_mounts: []
#systemd_mounts_enabled: [] #systemd_mounts_enabled: []
consul_bootstrap_expect: 2 consul_bootstrap_expect: 2
@ -14,6 +14,8 @@ hosts_entries:
- ip: "{{ hostvars['nas-dev']['ansible_default_ipv4']['address'] }}" - ip: "{{ hostvars['nas-dev']['ansible_default_ipv4']['address'] }}"
name: diskstation.ducamps.eu name: diskstation.ducamps.eu
env_default_nfs_path: "/var/local/volume1" env_default_nfs_path: ""
env_media_nfs_path: "{{ env_default_nfs_path }}" env_automount: true
env_automount: false nas_ip: "nfs.service.consul"
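Review bot: `env_media_nfs_path` is dropped from the staging group_vars on the new side while production still defines `env_media_nfs_path: "/volume1"`, so any systemd_mounts entry that interpolates it would fail with an undefined variable on staging only. If no mount references it any more, production should lose it too; otherwise keep `env_media_nfs_path: "{{ env_default_nfs_path }}"` here. `nas_ip: "nfs.service.consul"` also makes every staging mount depend on Consul DNS being resolvable on the client before the mount units start — worth a comment next to that line.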


@ -1,6 +1,10 @@
--- ---
ansible_host: "192.168.1.42" ansible_host: "192.168.1.42"
ansible_python_interpreter: "/usr/bin/python3" ansible_python_interpreter: "/usr/bin/python3"
default_interface: "enp2s0"
consul_iface: "{{ default_interface}}"
vault_iface: "{{ default_interface}}"
nfs_iface: "{{ default_interface}}"
wireguard_address: "10.0.0.7/24" wireguard_address: "10.0.0.7/24"
wireguard_byhost_allowed_ips: wireguard_byhost_allowed_ips:
merlin: 10.0.0.7,192.168.1.42,192.168.1.0/24 merlin: 10.0.0.7,192.168.1.42,192.168.1.0/24
@ -11,13 +15,13 @@ wireguard_endpoint: ""
wireguard_postup: wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT - iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT - iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE - iptables -t nat -A POSTROUTING -o {{default_interface}} -j MASQUERADE
- sysctl -w net.ipv4.ip_forward=1 - sysctl -w net.ipv4.ip_forward=1
wireguard_postdown: wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT - iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT - iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE - iptables -t nat -D POSTROUTING -o {default_interface} -j MASQUERADE
- sysctl -w net.ipv4.ip_forward=0 - sysctl -w net.ipv4.ip_forward=0
partition_table: partition_table:
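Review bot: The postdown rule on the new side reads `-o {default_interface}` with single braces, so Jinja leaves it untouched and iptables is asked to delete a rule for an interface literally named `{default_interface}` — the MASQUERADE rule added by postup is never removed and the postdown command errors out. It should mirror the postup line: `- iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE`. The same variable is written `{{ default_interface}}` (no closing space) in this file's consul_iface/vault_iface/nfs_iface lines and in several other host_vars in this compare; that renders fine, but the inconsistency is what makes a typo like this one easy to miss in review.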


@ -1,22 +1,23 @@
--- ---
ansible_host: 10.0.0.1 ansible_host: 10.0.0.1
#ansible_host: 135.181.150.203
default_interface: "eth0"
wireguard_address: "10.0.0.1/24" wireguard_address: "10.0.0.1/24"
wireguard_endpoint: "135.181.150.203" wireguard_endpoint: "135.181.150.203"
wireguard_persistent_keepalive: "20" wireguard_persistent_keepalive: "20"
wireguard_allowed_ips: "10.0.0.1/32,10.0.0.3/32,10.0.0.5/32" wireguard_allowed_ips: 10.0.0.1
wireguard_postup: wireguard_postup:
- iptables -A FORWARD -o %i -j ACCEPT - iptables -A FORWARD -o %i -j ACCEPT
- iptables -A FORWARD -i %i -j ACCEPT - iptables -A FORWARD -i %i -j ACCEPT
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE - iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
- sysctl -w net.ipv4.ip_forward=1 - sysctl -w net.ipv4.ip_forward=1
- resolvectl dns %i 192.168.1.4 192.168.1.41; resolvectl domain %i '~ducamps.win' '~ducamps.eu' '~{{ consul_domain }}' - resolvectl dns %i 192.168.1.4 192.168.1.41; resolvectl domain %i '~ducamps.win' '~ducamps.eu' '~{{ consul_domain }}'
wireguard_postdown: wireguard_postdown:
- iptables -D FORWARD -i %i -j ACCEPT - iptables -D FORWARD -i %i -j ACCEPT
- iptables -D FORWARD -o %i -j ACCEPT - iptables -D FORWARD -o %i -j ACCEPT
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE - iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
- sysctl -w net.ipv4.ip_forward=0 - sysctl -w net.ipv4.ip_forward=0
wireguard_unmanaged_peers: wireguard_unmanaged_peers:
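Review bot: `wireguard_allowed_ips: 10.0.0.1` on the new side drops both the /32 prefix and the 10.0.0.3/32 and 10.0.0.5/32 entries that were previously routed via corwin. Whether a bare address is accepted depends on how the role templates AllowedIPs; `wireguard_allowed_ips: "10.0.0.1/32"` is the unambiguous form. If the phone and zen peers are now reached through merlin (its section lists them as unmanaged peers), a one-line comment saying so would explain why the two entries went away.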


@ -1,6 +1,10 @@
--- ---
ansible_host: "192.168.1.41" ansible_host: "192.168.1.41"
ansible_python_interpreter: "/usr/bin/python3" ansible_python_interpreter: "/usr/bin/python3"
default_interface: "enu1u1"
consul_iface: "{{ default_interface }}"
vault_iface: "{{ default_interface }}"
wireguard_address: "10.0.0.6/24" wireguard_address: "10.0.0.6/24"
wireguard_byhost_allowed_ips: wireguard_byhost_allowed_ips:
merlin: 10.0.0.6,192.168.1.41 merlin: 10.0.0.6,192.168.1.41
@ -11,10 +15,10 @@ wireguard_endpoint: ""
wireguard_postup: wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT - iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT - iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o enu1u1 -j MASQUERADE - iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
wireguard_postdown: wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT - iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT - iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o enu1u1 -j MASQUERADE - iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE


@ -1,4 +1,8 @@
--- ---
default_interface: eth0
vault_iface: "{{ default_interface}}"
ansible_host: gerard-dev.lan.ducamps.dev
wireguard_address: "10.0.1.6/24" wireguard_address: "10.0.1.6/24"
perrsistent_keepalive: "20" perrsistent_keepalive: "20"
wireguard_endpoint: "" wireguard_endpoint: ""
@ -6,10 +10,10 @@ wireguard_endpoint: ""
wireguard_postup: wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT - iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT - iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE - iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
wireguard_postdown: wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT - iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT - iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE - iptables -t nat -D POSTROUTING -o {{ default_interface}} -j MASQUERADE


@ -1,31 +1,39 @@
--- ---
ansible_host: 10.0.0.4 ansible_host: 10.0.0.4
#ansible_host: 65.21.2.14
default_interface: "ens3"
nfs_iface: "wg0"
wireguard_address: "10.0.0.4/24" wireguard_address: "10.0.0.4/24"
wireguard_endpoint: "95.216.217.5" wireguard_endpoint: "65.21.2.14"
wireguard_persistent_keepalive: "30" wireguard_persistent_keepalive: "20"
wireguard_allowed_ips: "10.0.0.4/32,10.0.0.3/32,10.0.0.5/32" wireguard_byhost_allowed_ips:
oscar: "0.0.0.0/0"
bleys: "0.0.0.0/0"
wireguard_allowed_ips: "10.0.0.4/32,10.0.0.3,10.0.0.5"
wireguard_postup: wireguard_postup:
- iptables -A FORWARD -o %i -j ACCEPT - iptables -A FORWARD -o %i -j ACCEPT
- iptables -A FORWARD -i %i -j ACCEPT - iptables -A FORWARD -i %i -j ACCEPT
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE - iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
- sysctl -w net.ipv4.ip_forward=1
- resolvectl dns %i 192.168.1.4 192.168.1.41; resolvectl domain %i '~ducamps.win' '~ducamps.eu' '~{{ consul_domain }}'
wireguard_postdown: wireguard_postdown:
- iptables -D FORWARD -i %i -j ACCEPT - iptables -D FORWARD -i %i -j ACCEPT
- iptables -D FORWARD -o %i -j ACCEPT - iptables -D FORWARD -o %i -j ACCEPT
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE - iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
- sysctl -w net.ipv4.ip_forward=0
wireguard_unmanaged_peers: wireguard_unmanaged_peers:
phone: phone:
public_key: ioG35kDFTtip+Acfq+je9qDHYbZij+J6+Pg3T6Z4N0w= public_key: IYKgrQ2VJUbOnupSqedOfIilsbmBBABZUTRF9ZoTrkc=
allowed_ips: 10.0.0.3/32 allowed_ips: 10.0.0.3/32
persistent_keepalive: 0 persistent_keepalive: 0
zen: zen:
public_key: rYYljQw8InmM95pxCP9KyZ8R+kcicgnjr6E9qtkI1Ag= public_key: rYYljQw8InmM95pxCP9KyZ8R+kcicgnjr6E9qtkI1Ag=
allowed_ips: 10.0.0.5/32 allowed_ips: 10.0.0.5/32
persistent_keepalive: 0 persistent_keepalive: 0
wireguard_dns: "192.168.1.41,192.168.1.4" wireguard_dns: "192.168.1.4,192.168.1.41"
consul_client_addr: "127.0.0.1 10.0.0.4" consul_client_addr: "127.0.0.1 10.0.0.4"
consul_bind_address: "10.0.0.4" consul_bind_address: "10.0.0.4"
consul_ui: True consul_ui: True
@ -35,7 +43,8 @@ nomad_host_networks:
- name: "private" - name: "private"
interface: wg0 interface: wg0
- name: "public" - name: "public"
interface: eth0 interface: ens3
- name: "default" - name: "default"
interface: wg0 interface: wg0
vault_listener_address: 10.0.0.4 vault_listener_address: 10.0.0.4
nomad_plugins_podman: True
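Review bot: `wireguard_byhost_allowed_ips` with `oscar: "0.0.0.0/0"` and `bleys: "0.0.0.0/0"` presumably makes those two hosts send all their traffic through merlin, which now also turns on ip_forward and MASQUERADEs on `{{ default_interface }}` in postup — an outage of this VPS would then take their default route with it. If that full-tunnel is intended, a comment next to the two lines should say so; if only the VPN and LAN ranges are needed, list those instead. `wireguard_allowed_ips: "10.0.0.4/32,10.0.0.3,10.0.0.5"` mixes prefixed and bare addresses; `10.0.0.3/32,10.0.0.5/32` is the unambiguous form. The changed `wireguard_endpoint` and the rotated phone `public_key` read like a host rebuild and deserve a short comment so the next reader does not have to git-blame them.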


@ -1,4 +1,8 @@
--- ---
ansible_host: merlin-dev.lan.ducamps.dev
default_interface: eth0
vault_iface: "{{ default_interface}}"
wireguard_address: "10.0.1.4/24" wireguard_address: "10.0.1.4/24"
wireguard_endpoint: "{{ ansible_default_ipv4.address }}" wireguard_endpoint: "{{ ansible_default_ipv4.address }}"
wireguard_persistent_keepalive: "30" wireguard_persistent_keepalive: "30"
@ -6,12 +10,12 @@ wireguard_persistent_keepalive: "30"
wireguard_postup: wireguard_postup:
- iptables -A FORWARD -o %i -j ACCEPT - iptables -A FORWARD -o %i -j ACCEPT
- iptables -A FORWARD -i %i -j ACCEPT - iptables -A FORWARD -i %i -j ACCEPT
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE - iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
wireguard_postdown: wireguard_postdown:
- iptables -D FORWARD -i %i -j ACCEPT - iptables -D FORWARD -i %i -j ACCEPT
- iptables -D FORWARD -o %i -j ACCEPT - iptables -D FORWARD -o %i -j ACCEPT
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE - iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
wireguard_unmanaged_peers: wireguard_unmanaged_peers:
phone: phone:


@ -1,16 +0,0 @@
---
wireguard_address: "10.0.1.8/24"
perrsistent_keepalive: "30"
wireguard_endpoint: ""
wireguard_byhost_allowed_ips:
merlin: 10.0.0.8,192.168.1.10
corwin: 10.0.0.8,192.168.1.10
wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE


@ -1,4 +1,7 @@
--- ---
ansible_host: nas-dev.lan.ducamps.dev
default_interface: eth0
vault_iface: "{{ default_interface}}"
wireguard_address: "10.0.1.8/24" wireguard_address: "10.0.1.8/24"
perrsistent_keepalive: "30" perrsistent_keepalive: "30"
wireguard_endpoint: "" wireguard_endpoint: ""
@ -6,9 +9,9 @@ wireguard_endpoint: ""
wireguard_postup: wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT - iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT - iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE - iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
wireguard_postdown: wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT - iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT - iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE - iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE

19
ansible/host_vars/oberon Normal file

@ -0,0 +1,19 @@
---
wireguard_address: "10.0.0.8/24"
default_interface: "enp2s0"
consul_iface: "{{ default_interface}}"
vault_iface: "{{ default_interface}}"
perrsistent_keepalive: "30"
wireguard_endpoint: ""
wireguard_byhost_allowed_ips:
merlin: 10.0.0.8,192.168.1.43
corwin: 10.0.0.8,192.168.1.43
wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
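Review bot: `perrsistent_keepalive: "30"` in the new oberon host_vars does not match the `wireguard_persistent_keepalive` key that corwin and merlin use, so unless the role reads that exact misspelled name the setting is silently ignored and this peer gets no keepalive. The same misspelling is carried as context in gerard-dev, nas-dev and oscar-dev (and was in the deleted nas file); it should be `wireguard_persistent_keepalive: "30"` everywhere. The `{{ default_interface}}` spacing in consul_iface/vault_iface also differs from the postup/postdown lines of the same file.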


@ -1,4 +1,9 @@
--- ---
default_interface: "enp1s0"
consul_iface: "{{ default_interface}}"
vault_iface: "{{ default_interface}}"
nfs_iface: "{{ default_interface}}"
nomad_client_cpu_total_compute: 8000
wireguard_address: "10.0.0.2/24" wireguard_address: "10.0.0.2/24"
wireguard_byhost_allowed_ips: wireguard_byhost_allowed_ips:
merlin: 10.0.0.2,192.168.1.40 merlin: 10.0.0.2,192.168.1.40
@ -9,12 +14,12 @@ wireguard_endpoint: ""
wireguard_postup: wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT - iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT - iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE - iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
wireguard_postdown: wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT - iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT - iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE - iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
partition_table: partition_table:
- device: "/dev/sda" - device: "/dev/sda"


@ -1,4 +1,7 @@
--- ---
ansible_host: oscar-dev.lan.ducamps.dev
default_interface: eth0
vault_iface: "{{ default_interface}}"
wireguard_address: "10.0.1.2/24" wireguard_address: "10.0.1.2/24"
perrsistent_keepalive: "30" perrsistent_keepalive: "30"
wireguard_endpoint: "" wireguard_endpoint: ""
@ -6,9 +9,9 @@ wireguard_endpoint: ""
wireguard_postup: wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT - iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT - iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE - iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
wireguard_postdown: wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT - iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT - iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE - iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE


@ -5,7 +5,11 @@ requirements:
deploy_production: deploy_production:
ansible-playbook site.yml -i production -u ansible ansible-playbook site.yml -i production -u ansible
deploy_production_wiregard:
ansible-playbook playbooks/wireguard.yml -i production -u ansible
deploy_staging: deploy_staging:
ansible-playbook playbooks/wireguard.yml -i staging -u ansible
ansible-playbook site.yml -i staging -u ansible ansible-playbook site.yml -i staging -u ansible
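Review bot: The new target is spelled `deploy_production_wiregard`; it should be `deploy_production_wireguard` so it matches the playbook name and tab-completion. `deploy_staging` now runs the wireguard playbook inline before site.yml while production keeps it as a separate target, and site.yml no longer imports wireguard.yml; either make both environments symmetric or add a comment above the production target explaining why its WireGuard roll-out is deliberately a manual step.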


@ -1,14 +1,26 @@
--- ---
- name: Consul install
hosts: all
roles:
- role: ansible-consul
become: true
- name: Vault install - name: Vault install
hosts: homelab hosts: homelab
roles: roles:
- role: ansible-hashicorp-vault - role: ansible-hashicorp-vault
become: true become: true
post_tasks: post_tasks:
- name: Stat root file
ansible.builtin.stat:
path: "{{ vault_unseal_keys_dir_output }}/rootkey"
register: rootkey_exist
delegate_to: localhost
- name: Reading root contents - name: Reading root contents
ansible.builtin.command: cat "{{ vault_unseal_keys_dir_output }}/rootkey" ansible.builtin.command: cat "{{ vault_unseal_keys_dir_output }}/rootkey"
register: root_token register: root_token
delegate_to: localhost delegate_to: localhost
when: rootkey_exist.stat.exists
changed_when: false changed_when: false
- name: debug - name: debug
ansible.builtin.debug: ansible.builtin.debug:
@ -20,7 +32,7 @@
period: 72h period: 72h
no_parent: true no_parent: true
token: "{{ root_token.stdout }}" token: "{{ root_token.stdout }}"
url: http://{{ ansible_default_ipv4.address }}:8200 url: "http://active.vault.service.consul:8200"
retries: 4 retries: 4
run_once: true run_once: true
delegate_to: localhost delegate_to: localhost
@ -32,13 +44,11 @@
nomad_vault_token: "{{ nomad_token_data.login.auth.client_token }}" nomad_vault_token: "{{ nomad_token_data.login.auth.client_token }}"
when: nomad_token_data.login is defined when: nomad_token_data.login is defined
- name: Hashicorp stack - name: nomad
hosts: all hosts: all
vars: vars:
unseal_keys_dir_output: ~/vaultunseal unseal_keys_dir_output: ~/vaultunseal
roles: roles:
- role: ansible-consul
become: true
- role: ansible-nomad - role: ansible-nomad
become: true become: true
- role: docker - role: docker
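Review bot: The new `when: rootkey_exist.stat.exists` guard on `Reading root contents` leaves `root_token` as a skipped result on a host without the key file, but the later `token: "{{ root_token.stdout }}"` is not guarded in the visible lines, so the play would fail on an undefined attribute instead of skipping cleanly; the consuming tasks need the same `when: rootkey_exist.stat.exists` (or `root_token.stdout is defined`). Reading the root token with `cat` through `ansible.builtin.command` also puts it in the registered result and any verbose log; `lookup('file', vault_unseal_keys_dir_output ~ '/rootkey')` on localhost, or at least `no_log: true` on the task, keeps it out of output. The token is then sent to `http://active.vault.service.consul:8200` over plain HTTP from the control host, which additionally requires localhost to resolve `.consul` names — worth a comment where the URL is set.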


@ -1,6 +1,6 @@
--- ---
- hosts: all - hosts: all
become: true
gather_facts: false gather_facts: false
become: true
roles: roles:
- ansible_bootstrap - ansible_bootstrap


@ -14,3 +14,15 @@
- docker - docker
become: true become: true
become_user: '{{ user.name }}' become_user: '{{ user.name }}'
- hosts: all
roles:
- role: user_config
vars:
user_config_username: "{{ user.name }}"
become_user: "{{ user.name }}"
become: true
- role: user_config
vars:
user_config_username: root
become: true


@ -1,16 +1,54 @@
--- ---
- hosts: database - name: Database playbook
hosts: database
vars: vars:
# certbot_force: true # certbot_force: true
pre_tasks:
- name: Install Pg vertors (immich)
aur:
name: pgvecto.rs-bin
state: present
become: true
become_user: aur_builder
- name: Add database member to pg_hba replication
ansible.builtin.set_fact:
postgresql_hba_entries: "{{ postgresql_hba_entries + [\
{'type':'host', \
'database': 'replication',\
'user':'repli',\
'address':hostvars[item]['ansible_'+hostvars[item]['default_interface']]['ipv4']['address']+'/32',\
'auth_method':'trust'}] }}"
loop: '{{ groups.database }}'
roles: roles:
- role: ansible-role-postgresql - role: ansible-role-postgresql
become: true become: true
tasks: tasks:
- name: add pg_read_all_data to dump - name: Launch replication
community.postgresql.postgresql_membership: ansible.builtin.command: pg_basebackup -D /var/lib/postgres/data -h {{groups["database_active"]|first}} -U repli -Fp -Xs -P -R -w
target_roles: args:
- dump creates: /var/lib/postgres/data/postgresql.conf
groups:
- pg_read_all_data
become: true become: true
become_user: "{{ postgresql_user }}" become_user: postgres
when: inventory_hostname in groups["database_standby"]
- name: Ensure PostgreSQL is started and enabled on boot.
ansible.builtin.service:
name: '{{ postgresql_daemon }}'
state: '{{ postgresql_service_state }}'
enabled: '{{ postgresql_service_enabled }}'
become: true
- name: Set Postgress shared libraries
community.postgresql.postgresql_set:
name: shared_preload_libraries
value: vectors.so
become: true
become_user: postgres
when: inventory_hostname in groups["database_active"]
notify: Restart postgresql
- name: Set Postgress shared libraries
community.postgresql.postgresql_set:
name: search_path
value: '$user, public, vectors'
become: true
become_user: postgres
when: inventory_hostname in groups["database_active"]
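Review bot: The replication entries removed from the group_vars used `auth_method: md5`, but the ones generated in `Add database member to pg_hba replication` use `'auth_method':'trust'`, so anything that can source a connection from a database member's address can open a replication stream as `repli` without a credential and copy the whole cluster; keep `md5`/`scram-sha-256` and give `pg_basebackup` its password through a `.pgpass` file or `PGPASSWORD` under `environment:` instead of relying on `-w`. The two tasks both named `Set Postgress shared libraries` should get distinct names (the second one sets `search_path`). The `hostvars[item]['ansible_' + hostvars[item]['default_interface']]` lookup needs facts for every host in `groups.database`, which this play only gathers for the hosts it targets; if the `gather all` play in nas.yml is what provides them, a comment on the set_fact task should say so.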


@ -1,10 +1,28 @@
--- ---
- hosts: NAS - name: gather all
hosts: all
- name: NAS playbook
hosts: NAS
vars: vars:
# certbot_force: true # certbot_force: true
pre_tasks:
- name: include task NasBind
ansible.builtin.include_tasks:
file: tasks/NasBind.yml
loop: "{{ nas_bind_source }}"
- name: create nomad folder
ansible.builtin.file:
path: "{{ nas_bind_target }}/nomad/{{ item.name }}"
owner: "{{ item.owner|default('root') }}"
state: directory
become: true
loop: "{{ NAS_nomad_folder }}"
roles: roles:
- role: ansible-role-nut
become: true
- role: ansible-role-nfs - role: ansible-role-nfs
become: true become: true
- role: ansible-role-vsftpd - role: ansible-role-pureftpd
become: true
- role: vladgh.samba.server
become: true become: true
#- samba
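Review bot: The trailing `#- samba` line is a leftover now that `vladgh.samba.server` is in the role list on the new side; drop it, or it reads as a pending TODO. The `create nomad folder` task sets `owner` but no `mode`, so the directories inherit the become user's umask — worth pinning if Nomad allocations expect a specific mode. The leading `gather all` play has no tasks and appears to exist only to populate hostvars for later plays; a `# facts-only play: later playbooks read hostvars of every host` comment would make that explicit.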


@ -0,0 +1,18 @@
- name: Ensure base NFS directory exist
ansible.builtin.file:
path: "{{ item.dest }}"
state: directory
become: true
- name: Ensure source NFS directory exist
ansible.builtin.file:
path: "{{ item.source }}"
state: directory
become: true
- name: Bind NAS export
ansible.posix.mount:
path: "{{ item.dest }}"
src: "{{ item.source }}"
opts: bind
fstype: none
state: mounted
become: true
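Review bot: This tasks file reads `item.dest` and `item.source` but never defines them; they come from the `loop: "{{ nas_bind_source }}"` on the include in nas.yml, which is invisible from here. A header comment naming that contract would help: `# Included once per element of nas_bind_source (expects item.source and item.dest); bind-mounts item.source at item.dest and persists the entry in fstab.` Because `ansible.posix.mount` with `state: mounted` writes fstab, removing an element from the list later will not unmount or clean up the entry — worth stating in the same comment.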


@ -0,0 +1 @@
path = /exports/homes/%S


@ -1,12 +0,0 @@
---
- hosts: all
roles:
- role: user_config
vars:
user_config_username: "{{ user.name }}"
become_user: "{{ user.name }}"
become: true
- role: user_config
vars:
user_config_username: root
become: true


@ -1,8 +1,8 @@
[DNS] [DNS]
gerard oscar
[dhcp] [dhcp]
gerard oberon
[database_active] [database_active]
bleys bleys
@ -22,11 +22,11 @@ bleys
production production
[NAS] [NAS]
nas oberon
[cluster] [cluster]
oscar oscar
gerard #gerard
bleys bleys
@ -35,7 +35,6 @@ NAS
cluster cluster
[VPS] [VPS]
corwin
merlin merlin
[region:children] [region:children]
@ -44,8 +43,10 @@ VPS
production production
[production] [production]
corwin
oscar oscar
merlin merlin
gerard #gerard
bleys bleys
oberon
[staging]
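Review bot: An empty `[staging]` group is appended to the production inventory here, and the staging inventory in turn gains an empty `[production]`, presumably so that `groups.staging` / `groups.production` lookups do not fail when an inventory lacks the other environment. If that is the reason, a comment above each (`# empty on purpose: keeps groups.<env> defined`) will stop someone from cleaning them up later. `[DNS]` and `[dhcp]` move to oscar and oberon while `#gerard` stays commented out in cluster and production rather than removed; if gerard is gone for good, deleting the lines is clearer than commenting them.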


@ -1,4 +1,5 @@
--- ---
roles:
- src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-arch-provissionning.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-arch-provissionning.git
scm: git scm: git
- src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-role-postgresql.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-role-postgresql.git
@ -39,6 +40,10 @@
scm: git scm: git
- src: git@github.com:vincentDcmps/ansible-role-nfs.git - src: git@github.com:vincentDcmps/ansible-role-nfs.git
scm: git scm: git
- src: https://github.com/PowerDNS/pdns_recursor-ansible.git - src: git@github.com:vincentDcmps/ansible-role-nut.git
- src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-role-samba.git
scm: git scm: git
- src: git@git.ducamps.eu:2222/ansible-roles/ansible-role-pureftpd.git
scm: git
- src: https://github.com/PowerDNS/pdns_recursor-ansible.git
collections:
- name: vladgh.samba
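Review bot: `- src: git@git.ducamps.eu:2222/ansible-roles/ansible-role-pureftpd.git` uses scp-style syntax, which has no port field: git will connect to git.ducamps.eu on port 22 and ask for the path `2222/ansible-roles/ansible-role-pureftpd.git`. The sibling entries already use the working form, so this should read `- src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-role-pureftpd.git`. The new nut entry has no `scm: git` line while samba and pureftpd do; harmless if the requirements parser infers it from the `.git` suffix, but inconsistent with the rest of the file.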


@ -1,12 +1,10 @@
--- ---
- import_playbook: playbooks/server.yml - import_playbook: playbooks/server.yml
- import_playbook: playbooks/nas.yml
- import_playbook: playbooks/autofs.yml
- import_playbook: playbooks/sssd.yml
- import_playbook: playbooks/wireguard.yml
- import_playbook: playbooks/dhcpd.yml - import_playbook: playbooks/dhcpd.yml
- import_playbook: playbooks/dns.yml - import_playbook: playbooks/dns.yml
- import_playbook: playbooks/HashicorpStack.yml - import_playbook: playbooks/HashicorpStack.yml
- import_playbook: playbooks/nas.yml
- import_playbook: playbooks/autofs.yml
- import_playbook: playbooks/sssd.yml
- import_playbook: playbooks/database.yml - import_playbook: playbooks/database.yml
- import_playbook: playbooks/rsyncd.yml - import_playbook: playbooks/rsyncd.yml
- import_playbook: playbooks/create_user.yml


@ -5,6 +5,7 @@ oscar-dev
oscar-dev oscar-dev
[database_standby] [database_standby]
gerard-dev
[database:children] [database:children]
database_active database_active
@ -39,3 +40,5 @@ oscar-dev
gerard-dev gerard-dev
merlin-dev merlin-dev
nas-dev nas-dev
[production]


@ -100,3 +100,18 @@ agains:
put one recursor on cluster over authority server and keep the recursor on gerard for better recundancy put one recursor on cluster over authority server and keep the recursor on gerard for better recundancy
### Consequences ### Consequences
## 005 physical Recursor location
### Status
done
### Context
following NAS migration physical DNS Recursor was install directly on NAS this bring a SPOF when NAS failed Recursor on Nomad cluster are stopped because of volume dependance
### Decision
Put physical Recursor on a cluster node like that to have a DNS issue we need to have NAS and this nomad down on same Time


@ -16,11 +16,27 @@ Storage:
- hot Data (nomad, document,fresh download file,music?) on SSD cold DATA on HDD (film, serie photo) - hot Data (nomad, document,fresh download file,music?) on SSD cold DATA on HDD (film, serie photo)
- at least 2 HDD and 2 SSD - at least 2 HDD and 2 SSD
Hardware: Hardware:
- network 2.5 gpbs will be good for evolve - network 2.5 gpbs will be good for evolve
- at least 4go ram - at least 4go ram (expansive will be appreciable)
Software: Software:
be able to install custom linux distrib be able to install custom linux distrib
### Decision
- Due to form factor/consumption and SSD capability my choise is on ASUSTOR Nimbustor 2 Gen 2 AS5402, he corresponding to need and less expensive than a DIY NAS
- buy only a new ssd of 2to in more to store system and hot data
### Cosequence
need to migrate Data and keep same disk
- install system
- copy all data from 2to HDD to SSD then format 2to HDD
- copy download data to FROM 4 to HDD to SSD
- copy serie to 2to HDD and copy film on external harddrive


@ -0,0 +1,25 @@
# Docker Pull throught
# 001 architecture consideration
## Status
Accepted
## Context
docker hub get a pull limit if somebody go wrong on our infrastructure we can get quickyly this limit solution will be to implement a pull throught proxy.
### Decision
create two container task to create a dockerhub pull through and a ghcr one
we can add these registry to traefick to have both under the port 5000 but this will add a traefik dependancy on rebuild
so to begin we will use one trafick service on two diferent static port
## Consequences
- this registry need to be start first on cluster creation
- need to update all job image with local proxy url


@ -0,0 +1,8 @@
# Troubleshooting
## issue with SMTP traefik port
ensure that no other traefik router (httt or TCP) listening on smtp or
all entrypoint this can pertuubate smtp TLS connection
see [https://doc.traefik.io/traefik/routing/routers/#entrypoints_1](here)


@ -10,12 +10,15 @@ vault-dev:
./vault/standalone_vault.sh $(FILE);\ ./vault/standalone_vault.sh $(FILE);\
fi fi
create-dev: vagranup:
vagrant up vagrant up
make -C ansible deploy_staging
create-dev-base: create-dev: vagranup DNS-stagging
vagrant up make -C ansible deploy_staging
make -C terraform deploy_vault env=staging
VAULT_TOKEN=$(shell cat ~/vaultUnseal/staging/rootkey) python ./script/generate-vault-secret
create-dev-base: vagranup DNS-stagging
make -C ansible deploy_staging_base make -C ansible deploy_staging_base
@ -24,3 +27,13 @@ destroy-dev:
serve: serve:
mkdocs serve mkdocs serve
DNS-stagging:
$(eval dns := $(shell dig oscar-dev.lan.ducamps.dev +short))
$(eval dns1 := $(shell dig nas-dev.lan.ducamps.dev +short))
sudo resolvectl dns virbr2 "$(dns)" "$(dns1)";sudo resolvectl domain virbr2 "~consul";sudo systemctl restart systemd-resolved.service
DNS-production:
sudo resolvectl dns virbr2 "";sudo resolvectl domain virbr2 "";sudo systemctl restart systemd-resolved.service
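Review bot: The `DNS-stagging` recipe never checks that the two `dig` lookups returned an address, so when either resolution fails `resolvectl dns virbr2` runs with an empty value and the `;` chaining still carries on into the systemd restart. A guard before the `sudo` line, `@test -n "$(dns)" -a -n "$(dns1)" || { echo "dev DNS lookup failed" >&2; exit 1; }`, together with `&&` instead of `;` between the three commands, makes a failure visible instead of leaving virbr2 with a broken resolver set. In `create-dev`, `$(shell cat ~/vaultUnseal/staging/rootkey)` hands the Vault root token to `script/generate-vault-secret`; a token issued from a policy scoped to the paths that script writes would limit what a mistake in it can touch. The target names `vagranup` and `DNS-stagging` read like typos of `vagrantup`/`DNS-staging`; renaming them means updating every dependent target in this hunk at once.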


@ -35,7 +35,7 @@ job "MQTT" {
] ]
} }
config { config {
image = "eclipse-mosquitto" image = "docker.service.consul:5000/library/eclipse-mosquitto"
ports = ["mosquittoWS", "mosquittoMQTT"] ports = ["mosquittoWS", "mosquittoMQTT"]
volumes = [ volumes = [
"/mnt/diskstation/nomad/mosquitto:/mosquitto/data", "/mnt/diskstation/nomad/mosquitto:/mosquitto/data",
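Review bot: The rewritten `image` still carries no tag, so it resolves to `latest` through the new pull-through registry and which build actually runs depends on what the proxy and the node's local image cache hold at deploy time; the same holds for the image rewrites in the chainetv, dockermailserver, filestash, ghostfolio, homeassistant, jellyfin, pacoloco, paperless-ng, radicale, supysonic, syncthing and tt-rss sections of this compare. Pinning a version and ideally a digest, e.g. `image = "docker.service.consul:5000/library/eclipse-mosquitto:<VERSION>@sha256:<DIGEST>"` (placeholders), makes redeploys reproducible and turns an unexpected upstream change into a failed pull rather than a silent swap. If `docker.service.consul:5000` is served over plain HTTP the daemons also need it listed as an insecure registry, which is worth a comment next to the image line since a digest pin is then the only integrity check left. The `config` block's enclosing task starts outside the hunk.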


@ -0,0 +1,62 @@
job "actualbudget" {
datacenters = ["homelab"]
priority = 50
type = "service"
meta {
forcedeploy = "0"
}
constraint {
attribute = "${attr.cpu.arch}"
value = "amd64"
}
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
group "actualbudget"{
network {
mode = "host"
port "http" {
to = 5006
}
}
task "actualbudget-server" {
driver = "docker"
service {
name = "actualbudget"
port = "http"
tags = [
"traefik.enable=true",
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`budget.ducamps.eu`)",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=budget.ducamps.eu",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
"homer.enable=true",
"homer.name=${NOMAD_TASK_NAME}",
"homer.service=Application",
"homer.target=_blank",
"homer.logo=https://budget.ducamps.eu/apple-touch-icon.png",
"homer.url=https://budget.ducamps.eu",
]
}
config {
image = "ghcr.service.consul:5000/actualbudget/actual-server:latest"
ports = ["http"]
volumes = [
"/mnt/diskstation/nomad/actualbudget:/data"
]
}
env {
}
resources {
memory = 300
}
}
}
}
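Review bot: The `env {}` block in task `actualbudget-server` is empty and only adds noise; either drop it or give it the settings the task actually needs. `resources` sets `memory = 300` with no `memory_max`, while the ghostfolio and paperless-ng sections of the same compare add `memory_max` next to `memory`; a matching `memory_max = <LIMIT>` (placeholder) keeps the jobs consistent and gives the task headroom without raising its reservation. The image is on the mutable `:latest` tag with the docker driver's default `force_pull`, so a node that already holds an older `actual-server:latest` keeps running it until the image is pruned; a version tag makes the deployed build explicit.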


@ -0,0 +1,240 @@
job "borgmatic" {
datacenters = ["homelab"]
priority = 50
type = "service"
meta {
forcedeploy = "0"
}
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "NAS"
}
group "borgmatic"{
vault{
policies= ["borgmatic"]
}
task "borgmatic" {
action "manual-backup" {
command = "/usr/local/bin/borgmatic"
args = ["create",
"prune",
"--verbosity",
"1"
]
}
action "list-backup" {
command = "/usr/local/bin/borgmatic"
args = ["rlist"]
}
driver = "docker"
config {
image = "ghcr.service.consul:5000/borgmatic-collective/borgmatic"
volumes = [
"/exports:/exports",
"local/borgmatic.d:/etc/borgmatic.d",
"secret/id_rsa:/root/.ssh/id_rsa",
"secret/known_hosts:/root/.ssh/known_hosts",
"/exports/nomad/borgmatic:/root/.cache/borg",
]
}
env {
}
template {
data= <<EOH
BORG_RSH="ssh -i /root/.ssh/id_rsa -p 23"
{{ with secret "secrets/data/nomad/borgmatic"}}
BORG_PASSPHRASE= {{.Data.data.passphrase}}
{{end}}
EOH
destination = "secrets/sample.env"
env = true
}
template {
data= <<EOH
0 2 * * * PATH=$PATH:/usr/local/bin /usr/local/bin/borgmatic create prune --verbosity 1
0 23 1 * * PATH=$PATH:/usr/local/bin /usr/local/bin/borgmatic check
EOH
destination = "local/borgmatic.d/crontab.txt"
}
template {
data= <<EOH
# List of source directories to backup (required). Globs and
# tildes are expanded. Do not backslash spaces in path names.
source_directories:
- /exports/ebook
- /exports/homes
- /exports/music
- /exports/nomad
- /exports/photo
repositories:
- path: ssh://u304977@u304977.your-storagebox.de/./{{if eq "production" (env "meta.env") }}backup_hamelab{{else}}backup_homelab_dev{{end}}
label: {{if eq "production" (env "meta.env") }}backup_hamelab{{else}}backup_homelab_dev{{end}}
exclude_patterns:
- '*/nomad/jellyfin/cache'
- '*nomad/loki/'
- '*nomad/prometheus'
- '*nomad/registry'
- '*nomad/pacoloco'
- '*nomad/pihole'
- '*nomad/jellyfin/*'
- '*.log*'
match_archives: '*'
archive_name_format: '{{ env "node.datacenter" }}-{now:%Y-%m-%dT%H:%M:%S.%f}'
extra_borg_options:
# Extra command-line options to pass to "borg init".
# init: --extra-option
# Extra command-line options to pass to "borg prune".
# prune: --extra-option
# Extra command-line options to pass to "borg compact".
# compact: --extra-option
# Extra command-line options to pass to "borg create".
create: --progress --stats
# Extra command-line options to pass to "borg check".
# check: --extra-option
# Keep all archives within this time interval.
# keep_within: 3H
# Number of secondly archives to keep.
# keep_secondly: 60
# Number of minutely archives to keep.
# keep_minutely: 60
# Number of hourly archives to keep.
# keep_hourly: 24
# Number of daily archives to keep.
keep_daily: 7
# Number of weekly archives to keep.
keep_weekly: 4
# Number of monthly archives to keep.
# keep_monthly: 6
# Number of yearly archives to keep.
# keep_yearly: 1
checks:
- name: repository
# - archives
# check_repositories:
# - user@backupserver:sourcehostname.borg
# check_last: 3
# output:
# color: false
# List of one or more shell commands or scripts to execute
# before creating a backup, run once per configuration file.
# before_backup:
# - echo "Starting a backup."
# List of one or more shell commands or scripts to execute
# before pruning, run once per configuration file.
# before_prune:
# - echo "Starting pruning."
# List of one or more shell commands or scripts to execute
# before compaction, run once per configuration file.
# before_compact:
# - echo "Starting compaction."
# List of one or more shell commands or scripts to execute
# before consistency checks, run once per configuration file.
# before_check:
# - echo "Starting checks."
# List of one or more shell commands or scripts to execute
# before extracting a backup, run once per configuration file.
# before_extract:
# - echo "Starting extracting."
# List of one or more shell commands or scripts to execute
# after creating a backup, run once per configuration file.
# after_backup:
# - echo "Finished a backup."
# List of one or more shell commands or scripts to execute
# after compaction, run once per configuration file.
# after_compact:
# - echo "Finished compaction."
# List of one or more shell commands or scripts to execute
# after pruning, run once per configuration file.
# after_prune:
# - echo "Finished pruning."
# List of one or more shell commands or scripts to execute
# after consistency checks, run once per configuration file.
# after_check:
# - echo "Finished checks."
# List of one or more shell commands or scripts to execute
# after extracting a backup, run once per configuration file.
# after_extract:
# - echo "Finished extracting."
# List of one or more shell commands or scripts to execute
# when an exception occurs during a "prune", "compact",
# "create", or "check" action or an associated before/after
# hook.
# on_error:
# - echo "Error during prune/compact/create/check."
# List of one or more shell commands or scripts to execute
# before running all actions (if one of them is "create").
# These are collected from all configuration files and then
# run once before all of them (prior to all actions).
# before_everything:
# - echo "Starting actions."
# List of one or more shell commands or scripts to execute
# after running all actions (if one of them is "create").
# These are collected from all configuration files and then
# run once after all of them (after any action).
# after_everything:
# - echo "Completed actions."
EOH
destination = "local/borgmatic.d/config.yaml"
}
template {
data= <<EOH
{{ with secret "secrets/data/nomad/borgmatic"}}
{{.Data.data.privatekey}}
{{end}}
EOH
destination = "secret/id_rsa"
perms= "700"
}
template {
data= <<EOH
[u304977.your-storagebox.de]:23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs
[u304977.your-storagebox.de]:23 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==
[u304977.your-storagebox.de]:23 ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGK0po6usux4Qv2d8zKZN1dDvbWjxKkGsx7XwFdSUCnF19Q8psHEUWR7C/LtSQ5crU/g+tQVRBtSgoUcE8T+FWp5wBxKvWG2X9gD+s9/4zRmDeSJR77W6gSA/+hpOZoSE+4KgNdnbYSNtbZH/dN74EG7GLb/gcIpbUUzPNXpfKl7mQitw==
EOH
destination = "secret/known_hosts"
perms="700"
}
resources {
memory = 300
memory_max = 1000
}
}
}
}
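Review bot: The SSH private key template writes to `destination = "secret/id_rsa"` and the volume mounts `secret/id_rsa`, which is an ordinary path under the task directory rather than Nomad's `secrets/` directory that the env template in the same task already uses; `secrets/` is the one Nomad keeps out of the allocation filesystem API (and mounts as tmpfs on Linux), so the key currently lands on disk and is readable through `nomad alloc fs`. The same applies to `secret/known_hosts`, and `perms = "700"` on a key file also sets the execute bit where `0600` is what ssh expects. Separately, `/exports/nomad/borgmatic` is the borg cache mount yet sits inside the `/exports/nomad` source directory with no matching `exclude_patterns` entry, so every run archives its own cache, and the `/exports` bind mount is read-write although borgmatic only reads from it. The rewritten lines below fix the paths, tighten the mode, exclude the cache and mount `/exports` read-only; the separate read-write mount of the cache directory is unaffected.
```hcl
      volumes = [
        "/exports:/exports:ro",
        "local/borgmatic.d:/etc/borgmatic.d",
        "secrets/id_rsa:/root/.ssh/id_rsa",
        "secrets/known_hosts:/root/.ssh/known_hosts",
        "/exports/nomad/borgmatic:/root/.cache/borg",
      ]
      # … unchanged: env, BORG_RSH/BORG_PASSPHRASE template, crontab template …
      # inside the config.yaml heredoc, exclude_patterns gains one entry:
      #   - '*nomad/borgmatic'
      # … unchanged: remainder of config.yaml …
        destination = "secrets/id_rsa"
        perms = "0600"
      # … unchanged: known_hosts template data …
        destination = "secrets/known_hosts"
        perms = "0600"
```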


@ -39,7 +39,7 @@ job "chainetv" {
] ]
} }
config { config {
image = "ducampsv/chainetv:latest" image = "docker.service.consul:5000/ducampsv/chainetv:latest"
ports = ["http"] ports = ["http"]
} }
resources { resources {


@ -1,5 +1,5 @@
job "dockermailserver" { job "dockermailserver" {
datacenters = ["hetzner"] datacenters = ["homelab"]
priority = 90 priority = 90
type = "service" type = "service"
meta { meta {
@ -9,7 +9,11 @@ job "dockermailserver" {
attribute = "${attr.cpu.arch}" attribute = "${attr.cpu.arch}"
value = "amd64" value = "amd64"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
group "dockermailserver" { group "dockermailserver" {
network { network {
mode = "host" mode = "host"
@ -115,7 +119,7 @@ job "dockermailserver" {
task "docker-mailserver" { task "docker-mailserver" {
driver = "docker" driver = "docker"
config { config {
image = "ghcr.io/docker-mailserver/docker-mailserver:latest" image = "ghcr.service.consul:5000/docker-mailserver/docker-mailserver:latest"
ports = ["smtp", "esmtp", "imap","rspamd"] ports = ["smtp", "esmtp", "imap","rspamd"]
volumes = [ volumes = [
"/mnt/diskstation/nomad/dms/mail-data:/var/mail", "/mnt/diskstation/nomad/dms/mail-data:/var/mail",
@ -133,7 +137,7 @@ job "dockermailserver" {
env { env {
OVERRIDE_HOSTNAME = "mail.ducamps.eu" OVERRIDE_HOSTNAME = "mail.ducamps.eu"
DMS_VMAIL_UID = 1000000 DMS_VMAIL_UID = 1000000
DMS_VMAIL_GID = 100 DMS_VMAIL_GID = 984
SSL_TYPE= "letsencrypt" SSL_TYPE= "letsencrypt"
LOG_LEVEL="info" LOG_LEVEL="info"
POSTMASTER_ADDRESS="vincent@ducamps.eu" POSTMASTER_ADDRESS="vincent@ducamps.eu"
@ -169,7 +173,7 @@ submissions/inet/smtpd_upstream_proxy_protocol=haproxy
} }
template { template {
data = <<EOH data = <<EOH
haproxy_trusted_networks = 10.0.0.0/24, 127.0.0.0/8, 172.17.0.1 haproxy_trusted_networks = 10.0.0.0/24, 127.0.0.0/8, 172.17.0.1, 192.168.1.0/24
haproxy_timeout = 3 secs haproxy_timeout = 3 secs
service imap-login { service imap-login {
inet_listener imaps { inet_listener imaps {
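Review bot: Adding `192.168.1.0/24` to `haproxy_trusted_networks` lets every host on that subnet open a PROXY-protocol connection to the Dovecot listeners and present whatever client address it likes, which is then what Dovecot logs and can use for access decisions; only the addresses Traefik actually connects from need to be trusted, so the line should list those hosts, `haproxy_trusted_networks = 10.0.0.0/24, 127.0.0.0/8, 172.17.0.1, <TRAEFIK_NODE_IP>/32` (placeholder), rather than the whole LAN. The template this line lives in ends outside the hunk. `DMS_VMAIL_GID` changes from 100 to 984, which only changes how the container maps the vmail group; files already under `/mnt/diskstation/nomad/dms/mail-data` keep their old group until re-chowned, so a note on that line about the one-off migration would save a later surprise.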


@ -1,6 +1,6 @@
job "filestash" { job "filestash" {
datacenters = ["hetzner"] datacenters = ["homelab"]
priority = 50 priority = 50
type = "service" type = "service"
meta { meta {
@ -10,7 +10,11 @@ job "filestash" {
attribute = "${attr.cpu.arch}" attribute = "${attr.cpu.arch}"
value = "amd64" value = "amd64"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
group "filestash" { group "filestash" {
network { network {
@ -44,7 +48,7 @@ job "filestash" {
] ]
} }
config { config {
image = "machines/filestash" image = "docker.service.consul:5000/machines/filestash"
ports = ["http"] ports = ["http"]
volumes = [ volumes = [
"/mnt/diskstation/nomad/filestash:/app/data/state" "/mnt/diskstation/nomad/filestash:/app/data/state"


@ -27,7 +27,7 @@ job "ghostfolio" {
task "redis" { task "redis" {
driver = "docker" driver = "docker"
config { config {
image = "redis" image = "docker.service.consul:5000/library/redis"
ports = ["redis"] ports = ["redis"]
} }
resources { resources {
@ -51,7 +51,7 @@ job "ghostfolio" {
] ]
} }
config { config {
image = "ghostfolio/ghostfolio:latest" image = "docker.service.consul:5000/ghostfolio/ghostfolio:latest"
ports = ["http"] ports = ["http"]
volumes = [ volumes = [
] ]
@ -80,6 +80,7 @@ job "ghostfolio" {
} }
resources { resources {
memory = 400 memory = 400
memory_max = 600
} }
} }


@ -3,6 +3,11 @@ job "homeassistant" {
datacenters = ["homelab"] datacenters = ["homelab"]
priority = 90 priority = 90
type = "service" type = "service"
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
meta { meta {
forcedeploy = "0" forcedeploy = "0"
} }
@ -52,7 +57,7 @@ job "homeassistant" {
} }
} }
config { config {
image = "homeassistant/home-assistant:stable" image = "docker.service.consul:5000/homeassistant/home-assistant:stable"
ports = ["http", "coap"] ports = ["http", "coap"]
privileged = "true" privileged = "true"
network_mode = "host" network_mode = "host"


@ -0,0 +1,146 @@
job "immich" {
datacenters = ["homelab"]
priority = 50
type = "service"
meta {
forcedeploy = "0"
}
constraint {
attribute = "${attr.cpu.arch}"
value = "amd64"
}
group "immich" {
network {
mode = "host"
port "http" {
to = 3001
}
port "redis" {
to = 6379
}
port "machinelearning" {
to = 3003
}
}
volume "immich-upload" {
type = "csi"
source = "immich-upload"
access_mode = "multi-node-multi-writer"
attachment_mode = "file-system"
}
volume "immich-cache" {
type = "csi"
source = "immich-cache"
access_mode = "multi-node-multi-writer"
attachment_mode = "file-system"
}
volume "photo" {
type = "csi"
source = "photo"
access_mode = "multi-node-multi-writer"
attachment_mode = "file-system"
}
vault {
policies = ["immich"]
}
task "immich-server" {
driver = "docker"
service {
name = "immich"
port = "http"
tags = [
"homer.enable=true",
"homer.name=immich",
"homer.service=Application",
"homer.logo=https://immich.ducamps.eu/favicon-144.png",
"homer.target=_blank",
"homer.url=https://immich.ducamps.eu",
"traefik.enable=true",
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`${NOMAD_JOB_NAME}.ducamps.eu`)",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.eu",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
]
}
volume_mount {
volume = "immich-upload"
destination = "/usr/src/app/upload"
}
volume_mount {
volume = "photo"
destination = "/photo"
}
config {
image = "ghcr.service.consul:5000/immich-app/immich-server:release"
ports = ["http"]
volumes = [
"/etc/localtime:/etc/localtime"
]
}
template {
data = <<EOH
{{ with secret "secrets/data/database/immich"}}
DB_PASSWORD= {{ .Data.data.password }}
{{end}}
DB_DATABASE_NAME= immich
DB_USERNAME= immich
DB_HOSTNAME= active.db.service.consul
REDIS_HOSTNAME = {{env "NOMAD_IP_redis"}}
REDIS_PORT = {{env "NOMAD_HOST_PORT_redis"}}
IMMICH_MACHINE_LEARNING_URL = http://{{ env "NOMAD_ADDR_machinelearning"}}
EOH
destination = "secrets/immich.env"
env = true
}
resources {
memory = 600
memory_max = 1800
}
}
task "immich-machine-learning" {
driver = "docker"
volume_mount {
volume = "immich-cache"
destination = "/cache"
}
config {
image = "ghcr.service.consul:5000/immich-app/immich-machine-learning:main"
ports = ["machinelearning"]
}
template {
data = <<EOH
{{ with secret "secrets/data/database/immich"}}
DB_PASSWORD= {{ .Data.data.password }}
{{end}}
DB_DATABASE_NAME= immich
DB_USERNAME= immich
DB_HOSTNAME= active.db.service.consul
REDIS_HOSTNAME = {{env "NOMAD_IP_redis"}}
REDIS_PORT = {{env "NOMAD_HOST_PORT_redis"}}
EOH
destination = "secrets/immich.env"
env = true
}
resources {
memory = 200
memory_max = 1800
}
}
task "redis" {
driver = "docker"
config {
image="docker.service.consul:5000/library/redis:6.2-alpine"
ports = ["redis"]
}
resources {
memory = 50
}
}
}
}
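Review bot: The `immich-machine-learning` task renders the same `secrets/data/database/immich` template as the server, so the database password is handed to a container that, as far as I know, only serves the inference HTTP API and never opens a database or redis connection; dropping that `template` block from the ML task keeps the credential confined to the one task that uses it. The two images are also on different mutable tags, `immich-server:release` and `immich-machine-learning:main`, although the project ships them as a matched pair; using the same tag (ideally a version) on both avoids API skew between the server and its ML backend. The `/etc/localtime:/etc/localtime` bind mount could be `:ro`. Since the `vault` stanza with `policies = ["immich"]` sits at group level, the ML task receives a Vault token whether or not it renders a secret, which is one more reason to keep its config minimal.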


@ -2,6 +2,7 @@ job "jellyfin" {
datacenters = ["homelab"] datacenters = ["homelab"]
priority = 30 priority = 30
type = "service" type = "service"
meta { meta {
forcedeploy = "1" forcedeploy = "1"
} }
@ -9,6 +10,11 @@ job "jellyfin" {
attribute = "${attr.cpu.arch}" attribute = "${attr.cpu.arch}"
value = "amd64" value = "amd64"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
group jellyfin-vue { group jellyfin-vue {
network { network {
mode = "host" mode = "host"
@ -37,7 +43,7 @@ job "jellyfin" {
} }
config { config {
image = "ghcr.io/jellyfin/jellyfin-vue:unstable" image = "ghcr.service.consul:5000/jellyfin/jellyfin-vue:unstable"
ports = ["http"] ports = ["http"]
} }
env { env {
@ -82,13 +88,13 @@ job "jellyfin" {
] ]
} }
config { config {
image = "jellyfin/jellyfin" image = "docker.service.consul:5000/jellyfin/jellyfin"
ports = ["http"] ports = ["http"]
volumes = [ volumes = [
"/mnt/diskstation/nomad/jellyfin/config:/config", "/mnt/diskstation/nomad/jellyfin/config:/config",
"/mnt/diskstation/nomad/jellyfin/cache:/cache", "/mnt/diskstation/nomad/jellyfin/cache:/cache",
"/mnt/diskstation/media/:/media", "/mnt/diskstation/media:/media",
"/mnt/diskstation/music/:/media2" "/mnt/diskstation/music:/music",
] ]
devices = [ devices = [
{ {
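Review bot: The music bind mount's container path changes from `/media2` to `/music` (and `/media/` loses its trailing slash); Jellyfin stores library folder paths in its config under `/config`, which this change keeps, so a library that was added as `/media2` will show up as missing after redeploy until it is re-pointed in the dashboard. A short note on the `"/mnt/diskstation/music:/music"` line, or an ADR entry, would record that manual step. Both media mounts could also carry `:ro` unless metadata is saved alongside the media files, which keeps a misconfigured or compromised server from altering the library. The `config` block's task starts outside the hunk.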

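--- /dev/null
+++ b/nomad-job/apps/makefile
@@ -0,0 +1 @@
+../makefile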


@ -0,0 +1,95 @@
job "mealie" {
datacenters = ["homelab"]
priority = 50
type = "service"
meta {
forcedeploy = "0"
}
constraint {
attribute = "${attr.cpu.arch}"
value = "amd64"
}
group "mealie" {
network {
mode = "host"
port "http" {
to = 9000
}
}
volume "mealie-data" {
type = "csi"
source = "mealie-data"
access_mode = "multi-node-multi-writer"
attachment_mode = "file-system"
}
vault {
policies = ["mealie"]
}
task "mealie-server" {
driver = "docker"
service {
name = "mealie"
port = "http"
tags = [
"homer.enable=true",
"homer.name=Mealie",
"homer.service=Application",
"homer.subtitle=Mealie",
"homer.logo=https://mealie.ducamps.eu/favicon.ico",
"homer.target=_blank",
"homer.url=https://${NOMAD_JOB_NAME}.ducamps.eu",
"traefik.enable=true",
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`${NOMAD_JOB_NAME}.ducamps.eu`)",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.eu",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
]
}
config {
image = "ghcr.io/mealie-recipes/mealie"
ports = ["http"]
}
volume_mount {
volume = "mealie-data"
destination = "/app/data"
}
env {
PUID = "1000001"
PGID = "1000001"
TZ = "Europe/Paris"
MAX_WORKERS = 1
WEB_CONCURRENCY = 1
BASE_URL = "https://mealie.ducamps.eu"
OIDC_USER_GROUP = "MealieUsers"
OIDC_ADMIN_GROUP = "MealieAdmins"
OIDC_AUTH_ENABLED = "True"
OIDC_SIGNUP_ENABLED = "true"
OIDC_CONFIGURATION_URL = "https://auth.ducamps.eu/.well-known/openid-configuration"
OIDC_CLIENT_ID = "mealie"
OIDC_AUTO_REDIRECT = "false"
OIDC_PROVIDER_NAME = "authelia"
DB_ENGINE = "postgres"
POSTGRES_USER = "mealie"
POSTGRES_SERVER = "active.db.service.consul"
POSTGRES_PORT = 5432
POSTGRES_DB = "mealie"
LOG_LEVEL = "DEBUG"
}
template {
data = <<EOH
{{ with secret "secrets/data/database/mealie"}}POSTGRES_PASSWORD= "{{ .Data.data.password }}" {{end}}
{{ with secret "secrets/data/authelia/mealie"}}OIDC_CLIENT_SECRET= "{{ .Data.data.password }}" {{end}}
EOH
destination = "secrets/var.env"
env = true
}
resources {
memory = 400
}
}
}
}
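Review bot: `image = "ghcr.io/mealie-recipes/mealie"` goes straight to ghcr.io and carries no tag, while every other image in this compare is rewritten through the `ghcr.service.consul:5000` pull-through registry; `image = "ghcr.service.consul:5000/mealie-recipes/mealie:<VERSION>"` (placeholder) would keep the job on the proxy and make the deployed build explicit. `LOG_LEVEL = "DEBUG"` is set for a service that handles OIDC and database credentials; debug output tends to include request details, so `INFO` is the safer setting once the deployment works. The booleans are spelled inconsistently (`OIDC_AUTH_ENABLED = "True"`, `OIDC_SIGNUP_ENABLED = "true"`, `OIDC_AUTO_REDIRECT = "false"`); one spelling helps the reader even if the application accepts both.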


@ -6,7 +6,11 @@ job "pacoloco" {
meta { meta {
forcedeploy = "0" forcedeploy = "0"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
group "pacoloco" { group "pacoloco" {
network { network {
mode = "host" mode = "host"
@ -28,10 +32,10 @@ job "pacoloco" {
] ]
} }
config { config {
image = "ducampsv/pacoloco" image = "docker.service.consul:5000/ducampsv/pacoloco"
ports = ["http"] ports = ["http"]
volumes = [ volumes = [
"/mnt/diskstation/archMirror:/var/cache/pacoloco", "/mnt/diskstation/nomad/pacoloco:/var/cache/pacoloco",
"local/pacoloco.yaml:/etc/pacoloco.yaml" "local/pacoloco.yaml:/etc/pacoloco.yaml"
] ]


@ -6,7 +6,11 @@ job "paperless-ng" {
meta { meta {
forcedeploy = "0" forcedeploy = "0"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
constraint { constraint {
attribute = "${attr.cpu.arch}" attribute = "${attr.cpu.arch}"
value = "amd64" value = "amd64"
@ -29,7 +33,7 @@ job "paperless-ng" {
task "redis" { task "redis" {
driver = "docker" driver = "docker"
config { config {
image = "redis" image = "docker.service.consul:5000/library/redis"
ports = ["redis"] ports = ["redis"]
} }
resources { resources {
@ -47,6 +51,7 @@ job "paperless-ng" {
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.eu", "traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.eu",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver", "traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure", "traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
"traefik.http.routers.${NOMAD_JOB_NAME}.middlewares=authelia",
"homer.enable=true", "homer.enable=true",
"homer.name=Paperless", "homer.name=Paperless",
"homer.service=Application", "homer.service=Application",
@ -63,7 +68,7 @@ job "paperless-ng" {
} }
} }
config { config {
image = "ghcr.io/paperless-ngx/paperless-ngx" image = "ghcr.service.consul:5000/paperless-ngx/paperless-ngx"
ports = ["http"] ports = ["http"]
volumes = [ volumes = [
"/mnt/diskstation/nomad/paperless-ng/media:/usr/src/paperless/media", "/mnt/diskstation/nomad/paperless-ng/media:/usr/src/paperless/media",
@ -82,6 +87,9 @@ job "paperless-ng" {
PAPERLESS_CONSUMER_POLLING = "60" PAPERLESS_CONSUMER_POLLING = "60"
PAPERLESS_URL = "https://${NOMAD_JOB_NAME}.ducamps.eu" PAPERLESS_URL = "https://${NOMAD_JOB_NAME}.ducamps.eu"
PAPERLESS_ALLOWED_HOSTS = "192.168.1.42,192.168.1.40" PAPERLESS_ALLOWED_HOSTS = "192.168.1.42,192.168.1.40"
PAPERLESS_ENABLE_HTTP_REMOTE_USER = "true"
PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_REMOTE_USER"
PAPERLESS_LOGOUT_REDIRECT_URL= "https://auth.ducamps.eu/logout"
} }
template { template {
@ -93,6 +101,7 @@ job "paperless-ng" {
} }
resources { resources {
memory = 950 memory = 950
memory_max = 1500
cpu = 2000 cpu = 2000
} }
} }
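Review bot: `PAPERLESS_ENABLE_HTTP_REMOTE_USER = "true"` makes Paperless log in whoever the `Remote-User` header names, so it is only safe if every request passes through Traefik and the `authelia` middleware added above; the context line `PAPERLESS_ALLOWED_HOSTS = "192.168.1.42,192.168.1.40"` suggests the host port is also reached directly by IP, and a client that reaches the port without the proxy can set that header itself and become any user. The port binding that would settle this sits in the network block outside the hunk; if direct access is intended it should be limited to the Traefik nodes, otherwise the allowed-hosts list should shrink to the public hostname. `PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_REMOTE_USER"` repeats Paperless's documented default and can be dropped, or annotated as deliberate.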


@ -6,6 +6,11 @@ job "radicale" {
meta { meta {
forcedeploy = "0" forcedeploy = "0"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
group "radicale" { group "radicale" {
network { network {
mode = "host" mode = "host"
@ -39,11 +44,11 @@ job "radicale" {
] ]
} }
config { config {
image = "tomsquest/docker-radicale" image = "docker.service.consul:5000/tomsquest/docker-radicale"
ports = ["http"] ports = ["http"]
volumes = [ volumes = [
"local/config:/config/config", "local/config:/config/config",
"/mnt/diskstation/CardDav:/data" "/mnt/diskstation/nomad/radicale:/data"
] ]
} }


@ -6,9 +6,6 @@ job "torrent" {
meta { meta {
forcedeploy = "0" forcedeploy = "0"
} }
vault {
policies= ["torrent"]
}
group "bittorent" { group "bittorent" {
network { network {
mode = "host" mode = "host"
@ -26,7 +23,7 @@ job "torrent" {
} }
} }
task "bittorent" { task "bittorent" {
driver = "podman" driver = "docker"
service { service {
name = "bittorent" name = "bittorent"
port = "http" port = "http"
@ -36,43 +33,35 @@ job "torrent" {
"homer.name=torrent", "homer.name=torrent",
"homer.url=https://torrent.ducamps.eu", "homer.url=https://torrent.ducamps.eu",
"homer.service=Application", "homer.service=Application",
"homer.logo=https://${NOMAD_JOB_NAME}.ducamps.eu/images/favicon-196x196.png", "homer.logo=https://fleet.linuxserver.io/images/linuxserver_rutorrent.png",
"homer.target=_blank", "homer.target=_blank",
"traefik.enable=true", "traefik.enable=true",
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`${NOMAD_JOB_NAME}.ducamps.eu`)", "traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`${NOMAD_JOB_NAME}.ducamps.eu`)",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.eu", "traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.eu",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver", "traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure", "traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
"traefik.http.routers.${NOMAD_JOB_NAME}.middlewares=torrentauth", "traefik.http.routers.${NOMAD_JOB_NAME}.middlewares=authelia-basic",
"traefik.http.middlewares.torrentauth.basicauth.users=admin:${ADMIN_HASHED_PWD}"
] ]
} }
template {
data = <<-EOF
ADMIN_HASHED_PWD={{ with secret "secrets/nomad/torrent" }}{{.Data.data.hashed_pwd}}{{ end }}
EOF
destination = "secrets/env"
env = true
}
user = "root"
config { config {
ulimit {
image = "docker.io/crazymax/rtorrent-rutorrent:latest" nofile = "8192:8192"
privileged = "true" }
image = "docker.service.consul:5000/crazymax/rtorrent-rutorrent:edge"
ports = [ ports = [
"http", "http",
"torrent", "torrent",
"ecoute" "ecoute"
] ]
volumes = [ volumes = [
"/mnt/hetzner/storagebox/rutorrentConfig:/data", "/opt/rutorrentConfig:/data",
"/mnt/hetzner/storagebox/file:/downloads" "/mnt/hetzner/storagebox/file:/downloads"
] ]
} }
env { env {
PUID = 100001 PUID = 100001
PGID = 984 PGID = 10
UMASK = 002 UMASK = 002
WEBUI_PORT = "8080" WEBUI_PORT = "8080"
} }
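Review bot: The config volume moves from `/mnt/hetzner/storagebox/rutorrentConfig` to `/opt/rutorrentConfig`, a path on the node's local disk, so rutorrent's configuration now exists only on whichever node the allocation lands on; unless a constraint outside this hunk pins the job to one node, a reschedule starts with an empty `/data`. A comment on the `"/opt/rutorrentConfig:/data"` line stating that assumption, or a node constraint next to where the `vault` stanza was removed, would make it explicit. `PGID` changes from 984 to 10, and group 10 is `wheel` on Arch-based hosts, which would give downloaded files an administrative group; worth confirming the mapping on the node. `user = "root"` is printed once in the hunk, so whether it was added or removed is not visible here.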


@ -0,0 +1,64 @@
job "rutorrentlocal" {
datacenters = ["homelab"]
priority = 80
type = "service"
meta {
forcedeploy = "0"
}
constraint {
attribute = "${node.unique.name}"
operator = "set_contains"
value = "oberon"
}
group "bittorent" {
network {
mode = "host"
port "http" {
to = 8080
}
port "torrent" {
static = 6881
}
port "ecoute" {
static = 50000
}
}
task "bittorent" {
driver = "podman"
service {
name = "bittorentlocal"
port = "http"
address_mode= "host"
tags = [
]
}
user = "root"
config {
image = "docker.service.consul:5000/crazymax/rtorrent-rutorrent:edge"
ports = [
"http",
"torrent",
"ecoute"
]
volumes = [
"/exports/nomad/rutorrent/data:/data",
"/exports/nomad/rutorrent/downloads:/downloads"
]
}
env {
PUID = 100001
PGID = 10
UMASK = 002
WEBUI_PORT = "8080"
}
resources {
memory = 650
}
}
}
}
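Review bot: The `bittorentlocal` service registers with empty `tags`, so nothing puts Traefik or an auth middleware in front of it, and with `mode = "host"` the rutorrent web UI on the mapped `http` port is reachable by anyone who can reach node `oberon`, unlike the `torrent` job that gates the same image behind `authelia-basic`. If this is meant to be LAN-only, a comment on the `service` block saying so plus a host firewall rule on that port, or alternatively the same Traefik/authelia tags as the `torrent` job, would close the gap. The task also uses `driver = "podman"` while the `torrent` job in this compare moves to `docker`; keeping both on one driver avoids maintaining two runtime paths for the same image.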


@ -10,7 +10,11 @@ job "supysonic" {
attribute = "${attr.cpu.arch}" attribute = "${attr.cpu.arch}"
value = "amd64" value = "amd64"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
group "supysonic" { group "supysonic" {
network { network {
mode = "host" mode = "host"
@ -49,7 +53,7 @@ job "supysonic" {
task "supysonic-frontend" { task "supysonic-frontend" {
driver = "docker" driver = "docker"
config { config {
image = "nginx:alpine" image = "docker.service.consul:5000/library/nginx:alpine"
ports = [ ports = [
"http" "http"
] ]
@ -92,7 +96,7 @@ http {
task "supysonic-server" { task "supysonic-server" {
driver = "docker" driver = "docker"
config { config {
image = "ducampsv/supysonic:latest" image = "docker.service.consul:5000/ducampsv/supysonic:latest"
ports = ["fcgi"] ports = ["fcgi"]
force_pull = true force_pull = true
volumes = [ volumes = [
@ -105,10 +109,10 @@ http {
SUPYSONIC_DAEMON_ENABLED = "true" SUPYSONIC_DAEMON_ENABLED = "true"
SUPYSONIC_WEBAPP_LOG_LEVEL = "DEBUG" SUPYSONIC_WEBAPP_LOG_LEVEL = "DEBUG"
SUPYSONIC_DAEMON_LOG_LEVEL = "INFO" SUPYSONIC_DAEMON_LOG_LEVEL = "INFO"
SUPYSONIC_LDAP_SERVER = "LDAP://ldap.ducamps.eu" SUPYSONIC_LDAP_SERVER = "LDAPS://ldaps.service.consul"
SUPYSONIC_LDAP_BASE_DN = "dc=ducamps,dc=win" SUPYSONIC_LDAP_BASE_DN = "dc=ducamps,dc=eu"
SUPYSONIC_LDAP_USER_FILTER = "(&(memberOf=CN=SupysonicUsers,cn=groups,dc=ducamps,dc=win))" SUPYSONIC_LDAP_USER_FILTER = "(&(memberOf=cn=SupysonicUsers,ou=groups,dc=ducamps,dc=eu))"
SUPYSONIC_LDAP_ADMIN_FILTER= "(&(memberOf=CN=SupysonicAdmins,cn=groups,dc=ducamps,dc=win))" SUPYSONIC_LDAP_ADMIN_FILTER= "(&(memberOf=cn=SupysonicAdmins,ou=groups,dc=ducamps,dc=eu))"
} }
template { template {


@ -10,7 +10,11 @@ job "syncthing" {
attribute = "${attr.cpu.arch}" attribute = "${attr.cpu.arch}"
value = "amd64" value = "amd64"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
group "syncthing" { group "syncthing" {
network { network {
@ -40,7 +44,7 @@ job "syncthing" {
] ]
} }
config { config {
image = "linuxserver/syncthing" image = "docker.service.consul:5000/linuxserver/syncthing"
ports = ["http"] ports = ["http"]
volumes = [ volumes = [
"/mnt/diskstation/nomad/syncthing/config:/config", "/mnt/diskstation/nomad/syncthing/config:/config",
@ -48,6 +52,11 @@ job "syncthing" {
] ]
} }
env{
PUID = 1000001
GUID = 1000001
}
resources { resources {
memory = 200 memory = 200
} }
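Review bot: The new `env` block sets `GUID = 1000001`, but the linuxserver image reads `PGID`, so the group id stays at the image default while only the uid changes and files written to the mounted config end up with an unintended group; the line should read `PGID = 1000001`. The values are also unquoted numbers where the mealie section quotes `PUID`/`PGID` as strings; one convention across the jobs keeps them easier to scan. The `env` stanza's enclosing task starts outside the hunk.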


@ -7,7 +7,11 @@ job "tt-rss" {
attribute = "${attr.cpu.arch}" attribute = "${attr.cpu.arch}"
value = "amd64" value = "amd64"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
group "ttrss" { group "ttrss" {
ephemeral_disk { ephemeral_disk {
@ -34,7 +38,7 @@ job "tt-rss" {
"homer.enable=true", "homer.enable=true",
"homer.name=TT-RSS", "homer.name=TT-RSS",
"homer.service=Application", "homer.service=Application",
"homer.logo=https://framalibre.org/sites/default/files/styles/thumbnail/public/leslogos/ic_launcher_1.png", "homer.logo=https://www.ducamps.eu/tt-rss/images/favicon-72px.png",
"homer.target=_blank", "homer.target=_blank",
"homer.url=https://www.ducamps.eu/tt-rss", "homer.url=https://www.ducamps.eu/tt-rss",
@ -50,12 +54,13 @@ job "tt-rss" {
task "ttrss-app" { task "ttrss-app" {
driver = "docker" driver = "docker"
config { config {
image = "cthulhoo/ttrss-fpm-pgsql-static" image = "docker.service.consul:5000/cthulhoo/ttrss-fpm-pgsql-static"
ports = [ ports = [
"appPort" "appPort"
] ]
volumes = [ volumes = [
"${NOMAD_ALLOC_DIR}/data:/var/www/html" "${NOMAD_ALLOC_DIR}/data:/var/www/html",
"/mnt/diskstation/nomad/tt-rss/ttrss-auth-oidc:/var/www/html/tt-rss/plugins.local/auth_oidc"
] ]
} }
env { env {
@ -64,16 +69,18 @@ job "tt-rss" {
TTRSS_DB_NAME = "ttrss" TTRSS_DB_NAME = "ttrss"
TTRSS_DB_USER = "ttrss" TTRSS_DB_USER = "ttrss"
TTRSS_SELF_URL_PATH = "https://www.ducamps.eu/tt-rss" TTRSS_SELF_URL_PATH = "https://www.ducamps.eu/tt-rss"
TTRSS_PLUGINS = "auth_oidc, auth_internal"
TTRSS_AUTH_OIDC_NAME= "Authelia"
TTRSS_AUTH_OIDC_URL = "https://auth.ducamps.eu"
TTRSS_AUTH_OIDC_CLIENT_ID = "ttrss"
} }
template { template {
data = <<EOH data = <<EOH
{{ with secret "secrets/data/database/ttrss"}} {{ with secret "secrets/data/database/ttrss"}}TTRSS_DB_PASS = "{{ .Data.data.password }}"{{end}}
TTRSS_DB_PASS = "{{ .Data.data.password }}" TTRSS_AUTH_OIDC_CLIENT_SECRET = {{ with secret "secrets/data/authelia/ttrss"}}"{{ .Data.data.password }}"{{end}}
{{end}}
EOH EOH
destination = "secrets/tt-rss.env" destination = "secret/tt-rss.env"
env = true env = true
} }
resources { resources {
memory = 150 memory = 150
@ -83,7 +90,7 @@ job "tt-rss" {
task "ttrss-updater" { task "ttrss-updater" {
driver = "docker" driver = "docker"
config { config {
image = "cthulhoo/ttrss-fpm-pgsql-static" image = "docker.service.consul:5000/cthulhoo/ttrss-fpm-pgsql-static"
volumes = [ volumes = [
"${NOMAD_ALLOC_DIR}/data:/var/www/html" "${NOMAD_ALLOC_DIR}/data:/var/www/html"
] ]
@ -115,7 +122,7 @@ job "tt-rss" {
task "ttrss-frontend" { task "ttrss-frontend" {
driver = "docker" driver = "docker"
config { config {
image = "nginx:alpine" image = "docker.service.consul:5000/library/nginx:alpine"
ports = [ ports = [
"http" "http"
] ]
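Review bot: The template `destination` changed from `secrets/tt-rss.env` to `secret/tt-rss.env`; in Nomad only `secrets/` is the task's dedicated secrets directory (tmpfs-backed and excluded from the allocation filesystem API), so the rendered DB password and the new `TTRSS_AUTH_OIDC_CLIENT_SECRET` now land in an ordinary directory under the task dir. Unless the rename is intentional, restore `destination = "secrets/tt-rss.env"`. The `{{ with secret }}` wrapper around the client secret yields an empty value rather than a render failure if the Vault path is missing, so the OIDC login silently breaks instead of the deploy failing — worth a comment next to the template.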


@ -6,7 +6,11 @@ job "vaultwarden" {
meta { meta {
forcedeploy = "0" forcedeploy = "0"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
group "vaultwarden" { group "vaultwarden" {
network { network {
mode = "host" mode = "host"
@ -50,7 +54,7 @@ job "vaultwarden" {
} }
} }
config { config {
image = "vaultwarden/server" image = "docker.service.consul:5000/vaultwarden/server"
ports = ["http"] ports = ["http"]
volumes = [ volumes = [
"/mnt/diskstation/nomad/vaultwarden:/data" "/mnt/diskstation/nomad/vaultwarden:/data"


@ -0,0 +1,89 @@
job "vikunja" {
datacenters = ["homelab"]
priority = 70
type = "service"
meta {
forcedeploy = "0"
}
group "vikunja" {
network {
mode = "host"
port "front" {
to = 80
}
port "api" {
to = 3456
}
}
vault {
policies = ["vikunja"]
}
task "api" {
driver = "docker"
service {
name = "vikunja-api"
port = "api"
tags = [
"traefik.enable=true",
"traefik.http.routers.${NOMAD_JOB_NAME}-${NOMAD_TASK_NAME}.rule=Host(`${NOMAD_JOB_NAME}.ducamps.eu`)",
"traefik.http.routers.${NOMAD_JOB_NAME}-${NOMAD_TASK_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.eu",
"traefik.http.routers.${NOMAD_JOB_NAME}-${NOMAD_TASK_NAME}.tls.certresolver=myresolver",
"traefik.http.routers.${NOMAD_JOB_NAME}-${NOMAD_TASK_NAME}.entrypoints=web,websecure",
"homer.enable=true",
"homer.name=vikunka",
"homer.service=Application",
"homer.logo=https://${NOMAD_JOB_NAME}.ducamps.eu/images/icons/apple-touch-icon-180x180.png",
"homer.target=_blank",
"homer.url=https://${NOMAD_JOB_NAME}.ducamps.eu",
]
}
config {
image = "docker.service.consul:5000/vikunja/vikunja"
ports = ["api", "front"]
volumes = ["local/config.yml:/etc/vikunja/config.yml"]
}
env {
VIKUNJA_DATABASE_HOST = "active.db.service.consul"
VIKUNJA_DATABASE_TYPE = "postgres"
VIKUNJA_DATABASE_USER = "vikunja"
VIKUNJA_DATABASE_DATABASE = "vikunja"
VIKUNJA_SERVICE_JWTSECRET = uuidv4()
VIKUNJA_SERVICE_FRONTENDURL = "https://${NOMAD_JOB_NAME}.ducamps.eu/"
VIKUNJA_AUTH_LOCAL = False
}
template {
data = <<EOH
{{ with secret "secrets/data/database/vikunja"}}
VIKUNJA_DATABASE_PASSWORD= "{{ .Data.data.password }}"
{{end}}
EOH
destination = "secrets/sample.env"
env = true
}
template {
data = <<EOH
auth:
openid:
enabled: true
redirecturl: https://vikunja.ducamps.eu/auth/openid/
providers:
- name: Authelia
authurl: https://auth.ducamps.eu
clientid: vikunja
clientsecret: {{ with secret "secrets/data/authelia/vikunja"}} {{ .Data.data.password }} {{end}}
scope: openid profile email
EOH
destination = "local/config.yml"
}
resources {
memory = 100
}
}
}
}
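Review bot: `VIKUNJA_AUTH_LOCAL = False` is not a valid HCL literal (booleans are lowercase and env values are strings), so the job is likely to fail to parse or to export an unexpected value; use `VIKUNJA_AUTH_LOCAL = "false"`. `VIKUNJA_SERVICE_JWTSECRET = uuidv4()` is re-evaluated on every job submission, which invalidates every user session on each deploy, and the resulting value is readable to anyone who can inspect the job — the `secrets/data/...` Vault pattern already used for the database password fits here too. The OIDC `clientsecret` is rendered into `local/config.yml`, which unlike `secrets/` is on regular disk and exposed through the allocation filesystem API; render it to `secrets/config.yml` and adjust the volume mount to match. `destination = "secrets/sample.env"` looks like a copy-paste leftover and could be named after the job.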


@ -36,13 +36,14 @@ job "www" {
task "server" { task "server" {
driver = "docker" driver = "docker"
config { config {
image = "nginx" image = "docker.service.consul:5000/library/nginx"
ports = [ ports = [
"http" "http"
] ]
volumes = [ volumes = [
"local/nginx.conf:/etc/nginx/nginx.conf", "local/nginx.conf:/etc/nginx/nginx.conf",
"/srv/http:/usr/share/nginx/html" "/srv/http/:/usr/share/nginx/html/",
"/mnt/diskstation/nomad/archiso:/usr/share/nginx/archiso"
] ]
} }
@ -70,7 +71,12 @@ http {
default_type text/html; default_type text/html;
} }
location =/ { location =/ {
rewrite ^ /welcome; rewrite ^ /welcome redirect;
#return 301 https://$host/welcome
}
location /archiso {
alias /usr/share/nginx/archiso/;
} }
} }
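Review bot: `location /archiso` has no trailing slash while `alias /usr/share/nginx/archiso/;` does, which is the well-known nginx alias misconfiguration: any URI that merely starts with `/archiso` still matches and the remainder is appended to the alias path, so a request can resolve outside the intended directory. Use matching slashes, `location /archiso/ { alias /usr/share/nginx/archiso/; }`, so only paths under that directory match. The commented-out `#return 301 https://$host/welcome` next to the new `rewrite ^ /welcome redirect;` should be removed rather than kept as a second variant of the same rule.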


@ -6,7 +6,11 @@ job "backup-consul" {
meta { meta {
forcedeploy = "0" forcedeploy = "0"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
constraint { constraint {
attribute = "${attr.cpu.arch}" attribute = "${attr.cpu.arch}"
value = "amd64" value = "amd64"
@ -22,9 +26,9 @@ job "backup-consul" {
task "consul-backup" { task "consul-backup" {
driver = "docker" driver = "docker"
config { config {
image = "ducampsv/docker-consul-backup:latest" image = "docker.service.consul:5000/ducampsv/docker-consul-backup:latest"
volumes = [ volumes = [
"/mnt/diskstation/git/backup/consul:/backup" "/mnt/diskstation/nomad/backup/consul:/backup"
] ]
} }
resources { resources {


@ -6,7 +6,11 @@ job "backup-postgress" {
meta { meta {
forcedeploy = "0" forcedeploy = "0"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
constraint { constraint {
attribute = "${attr.cpu.arch}" attribute = "${attr.cpu.arch}"
value = "amd64" value = "amd64"
@ -28,9 +32,9 @@ job "backup-postgress" {
name = "backup-postgress" name = "backup-postgress"
} }
config { config {
image = "ducampsv/docker-backup-postgres:latest" image = "docker.service.consul:5000/ducampsv/docker-backup-postgres:latest"
volumes = [ volumes = [
"/mnt/diskstation/git/backup/postgres:/backup" "/mnt/diskstation/nomad/backup/postgres:/backup"
] ]
} }
template { template {
@ -45,7 +49,8 @@ job "backup-postgress" {
env = true env = true
} }
resources { resources {
memory = 125 memory = 180
memory_max = 400
} }
} }


@ -6,7 +6,11 @@ job "backup-vault" {
meta { meta {
forcedeploy = "0" forcedeploy = "0"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
constraint { constraint {
attribute = "${attr.cpu.arch}" attribute = "${attr.cpu.arch}"
value = "amd64" value = "amd64"
@ -25,9 +29,9 @@ job "backup-vault" {
task "backup-vault" { task "backup-vault" {
driver = "docker" driver = "docker"
config { config {
image = "ducampsv/docker-vault-backup:latest" image = "docker.service.consul:5000/ducampsv/docker-vault-backup:latest"
volumes = [ volumes = [
"/mnt/diskstation/git/backup/vault:/backup" "/mnt/diskstation/nomad/backup/vault:/backup"
] ]
} }
template { template {


@ -13,7 +13,7 @@ job "batch-rutorrent" {
task "cleanForwardFolder" { task "cleanForwardFolder" {
driver= "docker" driver= "docker"
config { config {
image = "alpine" image = "docker.service.consul:5000/library/alpine"
volumes = [ volumes = [
"/mnt/hetzner/storagebox/file/forward:/file" "/mnt/hetzner/storagebox/file/forward:/file"
] ]


@ -6,7 +6,11 @@ job "batch-seedboxsync" {
meta { meta {
forcedeploy = "0" forcedeploy = "0"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
constraint { constraint {
attribute = "${attr.cpu.arch}" attribute = "${attr.cpu.arch}"
value = "amd64" value = "amd64"
@ -28,9 +32,9 @@ job "batch-seedboxsync" {
name = "seedboxsync" name = "seedboxsync"
} }
config { config {
image = "ducampsv/rsync:latest" image = "docker.service.consul:5000/ducampsv/rsync:latest"
volumes = [ volumes = [
"/mnt/diskstation/media/download:/media", "/mnt/diskstation/download:/media",
"local/id_rsa:/home/rsyncuser/.ssh/id_rsa" "local/id_rsa:/home/rsyncuser/.ssh/id_rsa"
] ]
command = "rsync" command = "rsync"
@ -70,6 +74,7 @@ job "batch-seedboxsync" {
} }
resources { resources {
memory = 500 memory = 500
memory_max = 1000
} }
} }


@ -0,0 +1,87 @@
job "torrent_automation" {
datacenters = ["homelab"]
priority = 50
type = "service"
meta {
forcedeploy = "0"
}
constraint {
attribute = "${attr.cpu.arch}"
value = "amd64"
}
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
group "prowlarr"{
network {
mode = "host"
port "prowlarr" {
static = 9696
to = 9696
}
port "flaresolverr" {
static = 8191
to = 8191
}
}
task "flaresolverr" {
driver = "docker"
service {
name = "flaresolverr"
port = "flaresolverr"
}
config {
image = "alexfozor/flaresolverr:pr-1300-experimental"
ports = ["flaresolverr"]
}
env {
}
resources {
memory = 300
memory_max = 500
}
}
task "prowlarr" {
driver = "docker"
service {
name = "prowlarr"
port = "prowlarr"
tags = [
"homer.enable=true",
"homer.name=Prowlarr",
"homer.service=Application",
"homer.logo=http://${NOMAD_ADDR_prowlarr}/Content/Images/logo.png",
"homer.target=_blank",
"homer.url=http://${NOMAD_ADDR_prowlarr}",
]
}
config {
image = "ghcr.io/linuxserver/prowlarr:latest"
ports = ["prowlarr"]
volumes = [
"/mnt/diskstation/nomad/prowlarr:/config"
]
}
env {
PUID=1000001
PGID=1000001
TZ="Europe/Paris"
}
resources {
memory = 150
}
}
}
}
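Review bot: `flaresolverr` runs `alexfozor/flaresolverr:pr-1300-experimental`, an unpinned PR build from a personal Docker Hub namespace, while every other image in this commit is pulled from `docker.service.consul:5000` (and `prowlarr` pulls `ghcr.io/linuxserver/prowlarr:latest` directly as well). A moving tag on a third-party repository can be replaced at any time, so pin it by digest (`image = "alexfozor/flaresolverr@sha256:<DIGEST-PLACEHOLDER>"`) or mirror it into the internal registry, and add a comment saying why the experimental build is required. Both tasks bind static host ports (8191 and 9696) with `mode = "host"` and carry no auth-proxy tags, so as far as this spec shows they are reachable from anything that can reach the cluster nodes; confirm that is intended. The empty `env { }` block in the flaresolverr task can be dropped.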


@ -1,219 +0,0 @@
job "borgmatic" {
datacenters = ["homelab"]
priority = 50
type = "service"
meta {
forcedeploy = "0"
}
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "NAS"
}
group "borgmatic"{
vault{
policies= ["borgmatic"]
}
task "borgmatic" {
driver = "docker"
config {
image = "ghcr.io/borgmatic-collective/borgmatic"
volumes = [
"/var/local/volume1:/var/local/volume1",
"local/borgmatic.d:/etc/borgmatic.d",
"secret/id_rsa:/root/.ssh/id_rsa",
"/mnt/diskstation/nomad/borgmatic:/root/.cache/borg",
]
}
env {
}
template {
data= <<EOH
BORG_RSH="ssh -i /root/.ssh/id_rsa -p 23"
{{ with secret "secrets/data/nomad/borgmatic"}}
BORG_PASSPHRASE= {{.Data.data.passphrase}}
{{end}}
EOH
destination = "secrets/sample.env"
env = true
}
template {
data= <<EOH
0 2 * * * PATH=$PATH:/usr/local/bin /usr/local/bin/borgmatic --create --prune -v 1
0 23 1 * * PATH=$PATH:/usr/local/bin /usr/local/bin/borgmatic -check
EOH
destination = "local/borgmatic.d/crontab.txt"
}
template {
data= <<EOH
location:
# List of source directories to backup (required). Globs and
# tildes are expanded. Do not backslash spaces in path names.
source_directories:
- /volume1/CardDav
- /volume1/ebook
- /volume1/git
- /volume1/homes
- /volume1/hubert
- /volume1/music
- /volume1/nomad
- /volume1/photo
repositories:
- u304977@u304977.your-storagebox.de:{{if eq "production" (env "meta.env") }}backup_hamelab{{else}}backup_homelab_dev{{end}}
exclude_patterns:
- '*/nomad/jellyfin/cache'
- '*/loki/chunks'
# - /home/*/.cache
# - '*/.vim*.tmp'
# - /etc/ssl
# - /home/user/path with spaces
storage:
extra_borg_options:
# Extra command-line options to pass to "borg init".
# init: --extra-option
# Extra command-line options to pass to "borg prune".
# prune: --extra-option
# Extra command-line options to pass to "borg compact".
# compact: --extra-option
# Extra command-line options to pass to "borg create".
create: --progress --stats
# Extra command-line options to pass to "borg check".
# check: --extra-option
retention:
# Keep all archives within this time interval.
# keep_within: 3H
# Number of secondly archives to keep.
# keep_secondly: 60
# Number of minutely archives to keep.
# keep_minutely: 60
# Number of hourly archives to keep.
# keep_hourly: 24
# Number of daily archives to keep.
keep_daily: 7
# Number of weekly archives to keep.
keep_weekly: 4
# Number of monthly archives to keep.
# keep_monthly: 6
# Number of yearly archives to keep.
# keep_yearly: 1
consistency:
checks:
- repository
# - archives
# check_repositories:
# - user@backupserver:sourcehostname.borg
# check_last: 3
# output:
# color: false
# hooks:
# List of one or more shell commands or scripts to execute
# before creating a backup, run once per configuration file.
# before_backup:
# - echo "Starting a backup."
# List of one or more shell commands or scripts to execute
# before pruning, run once per configuration file.
# before_prune:
# - echo "Starting pruning."
# List of one or more shell commands or scripts to execute
# before compaction, run once per configuration file.
# before_compact:
# - echo "Starting compaction."
# List of one or more shell commands or scripts to execute
# before consistency checks, run once per configuration file.
# before_check:
# - echo "Starting checks."
# List of one or more shell commands or scripts to execute
# before extracting a backup, run once per configuration file.
# before_extract:
# - echo "Starting extracting."
# List of one or more shell commands or scripts to execute
# after creating a backup, run once per configuration file.
# after_backup:
# - echo "Finished a backup."
# List of one or more shell commands or scripts to execute
# after compaction, run once per configuration file.
# after_compact:
# - echo "Finished compaction."
# List of one or more shell commands or scripts to execute
# after pruning, run once per configuration file.
# after_prune:
# - echo "Finished pruning."
# List of one or more shell commands or scripts to execute
# after consistency checks, run once per configuration file.
# after_check:
# - echo "Finished checks."
# List of one or more shell commands or scripts to execute
# after extracting a backup, run once per configuration file.
# after_extract:
# - echo "Finished extracting."
# List of one or more shell commands or scripts to execute
# when an exception occurs during a "prune", "compact",
# "create", or "check" action or an associated before/after
# hook.
# on_error:
# - echo "Error during prune/compact/create/check."
# List of one or more shell commands or scripts to execute
# before running all actions (if one of them is "create").
# These are collected from all configuration files and then
# run once before all of them (prior to all actions).
# before_everything:
# - echo "Starting actions."
# List of one or more shell commands or scripts to execute
# after running all actions (if one of them is "create").
# These are collected from all configuration files and then
# run once after all of them (after any action).
# after_everything:
# - echo "Completed actions."
EOH
destination = "local/borgmatic.d/config.yaml"
}
template {
data= <<EOH
{{ with secret "secrets/data/nomad/borgmatic"}}
{{.Data.data.privatekey}}
{{end}}
EOH
destination = "secret/id_rsa"
perms= "700"
}
resources {
memory = 300
}
}
}
}


@ -0,0 +1,69 @@
job "lldap" {
datacenters = ["homelab"]
priority = 50
type = "service"
meta {
forcedeploy = "0"
}
constraint {
attribute = "${attr.cpu.arch}"
value = "amd64"
}
group "lldap"{
network {
mode = "host"
port "ldap" {
to = 3890
static = 3890
}
port "http" {
to = 17170
}
}
# vault{
# policies= ["lldap"]
#
# }
service {
name = "lldapHttp"
port = "http"
tags = [
]
}
service {
name = "lldapLDAP"
port = "ldap"
tags = [
]
}
task "lldap" {
driver = "docker"
config {
image = "docker.service.consul:5000/ducampsv/lldap:latest"
ports = ["ldap","http"]
volumes = [
"/mnt/diskstation/nomad/lldap:/data"
]
}
template {
data= <<EOH
UID=1000000
GID=1000
LLDAP_JWT_SECRET=
LLDAP_LDAP_USER_PASS=REPLACE_WITH_PASSWORD
LLDAP_LDAP_BASE_DN=dc=ducamps,dc=eu
EOH
destination = "secrets/env"
env = true
}
resources {
memory = 300
}
}
}
}
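Review bot: The rendered `secrets/env` contains `LLDAP_JWT_SECRET=` (empty) and `LLDAP_LDAP_USER_PASS=REPLACE_WITH_PASSWORD` (a literal placeholder) while the `vault { policies = ["lldap"] }` stanza is commented out, so as committed the directory that Authelia authenticates against starts with a known admin password and no JWT secret. Wire both through Vault as the other jobs do, following the existing `secrets/data/nomad/<name>` layout, e.g. `{{ with secret "secrets/data/nomad/lldap" }}LLDAP_LDAP_USER_PASS={{ .Data.data.password }}{{ end }}`, and re-enable the vault stanza. The LDAP port is plain `ldap` on static 3890 registered as `lldapLDAP`, whereas the Authelia job in this commit dials `ldaps://ldap.service.consul` and supysonic `LDAPS://ldaps.service.consul`; I cannot tell from here where TLS is terminated, so a comment naming the intended service name and TLS path would help.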


@ -18,6 +18,12 @@ job "sample" {
to = 0000 to = 0000
} }
} }
volume "sample-data" {
type = "csi"
source = "sapmle-data"
access_mode = "multi-node-multi-writer"
attachment_mode = "file-system"
}
vault{ vault{
policies= ["policy_name"] policies= ["policy_name"]
@ -32,10 +38,15 @@ job "sample" {
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`${NOMAD_JOB_NAME}.ducamps.win`)", "traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`${NOMAD_JOB_NAME}.ducamps.win`)",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.win", "traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.win",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver", "traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
] ]
} }
volume_mount {
volume = "sample-data"
destination = "/app/data"
}
config { config {
image = "sample" image = "sample"
ports = ["http"] ports = ["http"]
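Review bot: The new CSI stanza declares `volume "sample-data"` but `source = "sapmle-data"`, so anyone copying this template inherits a volume id that does not match; fix to `source = "sample-data"`. The traefik tags still reference `ducamps.win` while the rest of this commit has moved to `ducamps.eu`, so the sample is drifting from what the real jobs look like.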


@ -8,6 +8,11 @@ job "alertmanager" {
vault { vault {
policies = ["alertmanager"] policies = ["alertmanager"]
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
group "alertmanager" { group "alertmanager" {
network { network {
mode = "host" mode = "host"
@ -25,7 +30,7 @@ job "alertmanager" {
"homer.enable=true", "homer.enable=true",
"homer.name=AlertManager", "homer.name=AlertManager",
"homer.service=Monitoring", "homer.service=Monitoring",
"homer.logo=https://camo.githubusercontent.com/13ff7fc7ea6d8a6d98d856da8e3220501b9e6a89620f017d1db039007138e062/687474703a2f2f6465766f70792e696f2f77702d636f6e74656e742f75706c6f6164732f323031392f30322f7a616c2d3230302e706e67", "homer.logo=http://${NOMAD_ADDR_http}/favicon.ico",
"homer.target=_blank", "homer.target=_blank",
"homer.url=http://${NOMAD_ADDR_http}", "homer.url=http://${NOMAD_ADDR_http}",
@ -40,7 +45,7 @@ job "alertmanager" {
} }
config { config {
image = "prom/alertmanager" image = "docker.service.consul:5000/prom/alertmanager"
args= ["--log.level=debug", "--config.file=/etc/alertmanager/alertmanager.yml"] args= ["--log.level=debug", "--config.file=/etc/alertmanager/alertmanager.yml"]
ports = ["http"] ports = ["http"]
volumes = [ volumes = [
@ -53,7 +58,7 @@ job "alertmanager" {
global: global:
smtp_from: alert@ducamps.eu smtp_from: alert@ducamps.eu
smtp_smarthost: mail.ducamps.eu:465 smtp_smarthost: mail.ducamps.eu:465
smtp_hello: "mail.ducamps.win" smtp_hello: "mail.ducamps.eu"
smtp_require_tls: false smtp_require_tls: false
{{with secret "secrets/data/nomad/alertmanager/mail"}} {{with secret "secrets/data/nomad/alertmanager/mail"}}
smtp_auth_username: {{.Data.data.username}} smtp_auth_username: {{.Data.data.username}}


@ -0,0 +1,285 @@
job "authelia" {
datacenters = ["homelab"]
priority = 80
type = "service"
meta {
forcedeploy = "0"
}
constraint {
attribute = "${attr.cpu.arch}"
value = "amd64"
}
group "authelia" {
network {
mode = "host"
port "authelia" {
to = 9091
}
}
volume "authelia-config" {
type = "csi"
source = "authelia-config"
access_mode = "multi-node-multi-writer"
attachment_mode = "file-system"
}
vault {
policies = ["authelia"]
}
task "authelia" {
driver = "docker"
service {
name = "authelia"
port = "authelia"
tags = [
"traefik.enable=true",
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`auth.ducamps.eu`)",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=auth.ducamps.eu",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
]
}
action "generate-client-secret" {
command = "authelia"
args = ["crypto",
"hash",
"generate",
"pbkdf2",
"--random",
"--random.length",
"72",
"--random.charset",
"rfc3986"
]
}
config {
image = "authelia/authelia"
ports = ["authelia"]
args = [
"--config",
"/local/configuration.yml",
]
}
volume_mount {
volume = "authelia-config"
destination = "/config"
}
env {
AUTHELIA_SESSION_SECRET = uuidv4()
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET = uuidv4()
}
template {
data = <<EOH
---
###############################################################
# Authelia configuration #
###############################################################
server:
address: 'tcp://:9091'
endpoints:
authz:
forward-auth:
implementation: 'ForwardAuth'
legacy:
implementation: 'Legacy'
identity_providers:
oidc:
hmac_secret: {{ with secret "secrets/data/nomad/authelia"}}{{ .Data.data.hmac}}{{end}}
jwks:
- key_id: 'key'
key: |
{{ with secret "secrets/data/nomad/authelia"}}{{ .Data.data.rsakey|indent 8 }}{{end}}
cors:
endpoints:
- userinfo
- authorization
- token
- revocation
- introspection
allowed_origins:
- https://mealie.ducamps.eu
allowed_origins_from_client_redirect_uris: true
clients:
- client_id: 'ttrss'
client_name: 'ttrss'
client_secret: {{ with secret "secrets/data/authelia/ttrss"}} {{ .Data.data.hash }} {{end}}
public: false
scopes:
- openid
- email
- profile
redirect_uris:
- 'https://www.ducamps.eu/tt-rss'
userinfo_signed_response_alg: none
authorization_policy: 'one_factor'
pre_configured_consent_duration: 3M
- client_id: 'mealie'
client_name: 'mealie'
client_secret: {{ with secret "secrets/data/authelia/mealie"}} {{ .Data.data.hash }} {{end}}
public: false
require_pkce: true
pkce_challenge_method: 'S256'
scopes:
- openid
- email
- profile
- groups
redirect_uris:
- 'https://mealie.ducamps.eu/login'
userinfo_signed_response_alg: none
authorization_policy: 'one_factor'
pre_configured_consent_duration: 3M
- client_id: 'immich'
client_name: 'immich'
client_secret: {{ with secret "secrets/data/authelia/immich"}} {{ .Data.data.hash }} {{end}}
public: false
authorization_policy: 'one_factor'
redirect_uris:
- 'https://immich.ducamps.eu/auth/login'
- 'https://immich.ducamps.eu/user-settings'
- 'app.immich:/'
scopes:
- 'openid'
- 'profile'
- 'email'
userinfo_signed_response_alg: 'none'
pre_configured_consent_duration: 3M
- client_id: 'grafana'
client_name: 'Grafana'
client_secret:{{ with secret "secrets/data/authelia/grafana"}} {{ .Data.data.hash }} {{end}}
public: false
authorization_policy: 'one_factor'
require_pkce: true
pkce_challenge_method: 'S256'
redirect_uris:
- 'https://grafana.ducamps.eu/login/generic_oauth'
scopes:
- 'openid'
- 'profile'
- 'groups'
- 'email'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
pre_configured_consent_duration: 3M
- client_id: 'vikunja'
client_name: 'vikunja'
client_secret:{{ with secret "secrets/data/authelia/vikunja"}} {{ .Data.data.hash }} {{end}}
public: false
authorization_policy: 'one_factor'
redirect_uris:
- 'https://vikunja.ducamps.eu/auth/openid/authelia'
scopes:
- 'openid'
- 'profile'
- 'email'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
pre_configured_consent_duration: 3M
- client_id: 'gitea'
client_name: 'gitea'
client_secret:{{ with secret "secrets/data/authelia/gitea"}} {{ .Data.data.hash }} {{end}}
public: false
authorization_policy: 'one_factor'
redirect_uris:
- 'https://git.ducamps.eu/user/oauth2/authelia/callback'
scopes:
- 'openid'
- 'profile'
- 'email'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
pre_configured_consent_duration: 3M
log:
level: 'trace'
totp:
issuer: 'authelia.com'
authentication_backend:
ldap:
address: 'ldaps://ldap.service.consul'
implementation: 'custom'
timeout: '5s'
start_tls: false
tls:
skip_verify: true
minimum_version: 'TLS1.2'
base_dn: 'DC=ducamps,DC=eu'
additional_users_dn: 'OU=users'
users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))'
additional_groups_dn: 'OU=groups'
#groups_filter: '(&(member=UID={input},OU=users,DC=ducamps,DC=eu)(objectClass=groupOfNames))'
groups_filter: '(&(|{memberof:rdn})(objectClass=groupOfNames))'
group_search_mode: 'memberof'
user: 'uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu'
password:{{ with secret "secrets/data/nomad/authelia"}} '{{ .Data.data.ldapPassword }}'{{ end }}
attributes:
distinguished_name: ''
username: 'uid'
mail: 'mail'
member_of: 'memberOf'
group_name: 'cn'
access_control:
default_policy: 'deny'
rules:
# Rules applied to everyone
- domain: '*.ducamps.eu'
policy: 'one_factor'
session:
cookies:
- name: 'authelia_session'
domain: 'ducamps.eu' # Should match whatever your root protected domain is
authelia_url: 'https://auth.ducamps.eu'
expiration: '12 hour'
inactivity: '5 minutes'
regulation:
max_retries: 3
find_time: '2 minutes'
ban_time: '5 minutes'
storage:
{{ with secret "secrets/data/nomad/authelia"}}
encryption_key: '{{.Data.data.encryptionKeys }}'
{{end}}
local:
path: '/config/db.sqlite3'
notifier:
disable_startup_check: true
smtp:
username: 'authelia@ducamps.eu'
{{ with secret "secrets/data/nomad/authelia"}}
password: '{{ .Data.data.mailPassword}}'
{{end}}
address: submissions://mail.ducamps.eu:465
disable_require_tls: true
sender: 'authelia@ducamps.eu'
tls:
server_name: 'mail.ducamps.eu'
skip_verify: true
EOH
destination = "local/configuration.yml"
}
resources {
memory = 100
}
}
}
}
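Review bot: `authentication_backend.ldap.tls.skip_verify: true` disables certificate verification on the connection that carries every user's password to `ldaps://ldap.service.consul`, and `notifier.smtp.tls.skip_verify: true` does the same for mail; if the internal services use a private CA, point Authelia at it via `certificates_directory` and set both to `false`. `log.level: 'trace'` is far more verbose than a production IdP needs and is likely to ship request details into Loki; `info` is the sensible default. `AUTHELIA_SESSION_SECRET` and `AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET` are set with `uuidv4()`, which is re-evaluated on every job submission (logging everyone out and invalidating pending reset tokens) and is visible to anyone who can inspect the job — `hmac_secret` already comes from `secrets/data/nomad/authelia`, so these belong there too. `totp.issuer: 'authelia.com'` should be the real domain, and `image = "authelia/authelia"` is neither tag-pinned nor served from `docker.service.consul:5000` like the rest of this commit.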


@ -27,7 +27,7 @@ job "crowdsec-agent" {
} }
driver = "docker" driver = "docker"
config { config {
image = "crowdsecurity/crowdsec" image = "docker.service.consul:5000/crowdsecurity/crowdsec"
ports = ["metric"] ports = ["metric"]
volumes = [ volumes = [
"/var/run/docker.sock:/var/run/docker.sock", "/var/run/docker.sock:/var/run/docker.sock",


@ -5,9 +5,15 @@ job "crowdsec-api" {
meta { meta {
forcedeploy = "-1" forcedeploy = "-1"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
vault { vault {
policies = ["crowdsec"] policies = ["crowdsec"]
} }
group "crowdsec-api" { group "crowdsec-api" {
network { network {
mode = "host" mode = "host"
@ -35,11 +41,11 @@ job "crowdsec-api" {
] ]
} }
config { config {
image = "crowdsecurity/crowdsec" image = "docker.service.consul:5000/crowdsecurity/crowdsec"
ports = ["http", "metric"] ports = ["http", "metric"]
volumes = [ volumes = [
"/mnt/diskstation/nomad/crowdsec/db:/var/lib/crowdsec/data", "/mnt/diskstation/nomad/crowdsec/db:/var/lib/crowdsec/data",
"/mnt/diskstation/nomad/crowdsec/data:/etc/crowdsec_data", "/mnt/diskstation/nomad/crowdsec/data:/etc/crowdsec",
] ]
} }


@ -6,7 +6,11 @@ job "dashboard" {
meta { meta {
forcedeploy = "1" forcedeploy = "1"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
group "dashboard" { group "dashboard" {
network { network {
mode = "host" mode = "host"
@ -29,7 +33,7 @@ job "dashboard" {
] ]
} }
config { config {
image = "b4bz/homer" image = "docker.service.consul:5000/b4bz/homer"
ports = ["http"] ports = ["http"]
volumes = [ volumes = [
"/mnt/diskstation/nomad/homer:/www/assets" "/mnt/diskstation/nomad/homer:/www/assets"


@ -16,7 +16,7 @@ job "drone-runner" {
task "drone-runner" { task "drone-runner" {
driver = "docker" driver = "docker"
config { config {
image = "drone/drone-runner-docker:latest" image = "docker.service.consul:5000/drone/drone-runner-docker:latest"
volumes = [ volumes = [
"/var/run/docker.sock:/var/run/docker.sock", "/var/run/docker.sock:/var/run/docker.sock",
] ]


@ -45,7 +45,7 @@ job "drone" {
] ]
} }
config { config {
image = "drone/drone:latest" image = "docker.service.consul:5000/drone/drone:latest"
ports = [ ports = [
"http" "http"
] ]


@ -9,6 +9,11 @@ job "git" {
attribute = "${attr.cpu.arch}" attribute = "${attr.cpu.arch}"
value = "amd64" value = "amd64"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
group "gitea" { group "gitea" {
network { network {
mode = "host" mode = "host"
@ -54,13 +59,12 @@ job "git" {
] ]
} }
config { config {
image = "gitea/gitea:latest" image = "docker.service.consul:5000/gitea/gitea:latest"
ports = [ ports = [
"http", "http",
"ssh" "ssh"
] ]
volumes = [ volumes = [
"/mnt/diskstation/git:/repo",
"/mnt/diskstation/nomad/gitea:/data" "/mnt/diskstation/nomad/gitea:/data"
] ]
} }
@ -77,10 +81,14 @@ job "git" {
GITEA__database__HOST = "active.db.service.consul" GITEA__database__HOST = "active.db.service.consul"
GITEA__database__NAME = "gitea" GITEA__database__NAME = "gitea"
GITEA__database__USER = "gitea" GITEA__database__USER = "gitea"
GITEA__service__DISABLE_REGISTRATION = "true" GITEA__service__DISABLE_REGISTRATION = "false"
GITEA__repository__ROOT = "/repo" GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true"
GITEA__service__SHOW_REGISTRATION_BUTTON = "false"
GITEA__openid__ENABLE_OPENID_SIGNIN = "false"
GITEA__openid__ENABLE_OPENID_SIGNUP = "true"
GITEA__repository__ROOT = "/data/gitea-repositories"
GITEA__server__APP_DATA_PATH = "/data" GITEA__server__APP_DATA_PATH = "/data"
GITEA__server__LFS_CONTENT_PATH = "/repo/LFS" GITEA__server__LFS_CONTENT_PATH = "/data/lfs"
GITEA__webhook__ALLOWED_HOST_LIST = "drone.ducamps.eu" GITEA__webhook__ALLOWED_HOST_LIST = "drone.ducamps.eu"
GITEA__webhook__DELIVER_TIMEOUT = "30" GITEA__webhook__DELIVER_TIMEOUT = "30"
} }
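Review bot: `GITEA__openid__ENABLE_OPENID_SIGNUP = "true"` and `GITEA__openid__ENABLE_OPENID_SIGNIN = "false"` configure Gitea's legacy OpenID 2.0 support, not the OAuth2 login this commit adds through Authelia; if the goal is to let Authelia users self-register, the setting that governs it is `GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION = "true"`, and the `[openid]` keys can probably go. Flipping `DISABLE_REGISTRATION` to `"false"` is only safe together with `ALLOW_ONLY_EXTERNAL_REGISTRATION = "true"`, so a short comment tying the two together would stop a later edit from removing one without the other. The `/mnt/diskstation/git:/repo` mount is dropped and `GITEA__repository__ROOT` / `GITEA__server__LFS_CONTENT_PATH` move under `/data`; I assume existing repositories and LFS objects were migrated to `/data/gitea-repositories` and `/data/lfs` beforehand, otherwise they will appear missing after deploy.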


@ -2,8 +2,17 @@ job "grafana" {
datacenters = ["homelab"] datacenters = ["homelab"]
priority = 50 priority = 50
type = "service" type = "service"
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
meta { meta {
forcedeploiement = 1 forcedeploiement = 2
}
vault {
policies = ["grafana"]
} }
group "grafana" { group "grafana" {
network { network {
@ -11,7 +20,6 @@ job "grafana" {
to = 3000 to = 3000
} }
} }
service { service {
name = "grafana" name = "grafana"
port = "http" port = "http"
@ -36,13 +44,37 @@ job "grafana" {
task "dashboard" { task "dashboard" {
driver = "docker" driver = "docker"
config { config {
image = "grafana/grafana" image = "docker.service.consul:5000/grafana/grafana"
ports = ["http"] ports = ["http"]
volumes = [ volumes = [
"/mnt/diskstation/nomad/grafana/config:/etc/grafana", "local/grafana.ini:/etc/grafana/grafana.ini",
"/mnt/diskstation/nomad/grafana/lib:/var/lib/grafana" "/mnt/diskstation/nomad/grafana/lib:/var/lib/grafana"
] ]
} }
template {
data = <<EOH
force_migration=true
[server]
root_url = https://grafana.ducamps.eu
[auth.generic_oauth]
enabled = true
name = Authelia
icon = signin
client_id = grafana
client_secret = {{ with secret "secrets/data/authelia/grafana"}} {{ .Data.data.password }} {{end}}
scopes = openid profile email groups
empty_scopes = false
auth_url = https://auth.ducamps.eu/api/oidc/authorization
token_url = https://auth.ducamps.eu/api/oidc/token
api_url = https://auth.ducamps.eu/api/oidc/userinfo
login_attribute_path = preferred_username
groups_attribute_path = groups
name_attribute_path = name
use_pkce = true
role_attribute_path=contains(groups[*], 'GrafanaAdmins') && 'Admin' || contains(groups[*], 'GrafanaUsers') && 'Viewer'
EOH
destination = "local/grafana.ini"
}
resources { resources {
memory = 250 memory = 250
} }
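Review bot: The generated `grafana.ini` holds the OAuth `client_secret` yet is rendered to `local/grafana.ini`, which sits on regular disk and is readable through the allocation filesystem API; render it to `secrets/grafana.ini` and mount that path instead, since `secrets/` is the directory Nomad protects. `role_attribute_path` maps `GrafanaAdmins` and `GrafanaUsers`, but an authenticated Authelia user in neither group still receives Grafana's default role because `role_attribute_strict` is unset; add `role_attribute_strict = true` under `[auth.generic_oauth]` so group membership is required. Note also that `allow_sign_up` defaults to true for generic OAuth, so every Authelia account is auto-provisioned in Grafana — fine if intended, but worth stating in a comment.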


@ -6,7 +6,11 @@ job "loki" {
meta { meta {
forcedeploy = "0" forcedeploy = "0"
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
group "loki" { group "loki" {
network { network {
mode = "host" mode = "host"
@ -34,7 +38,7 @@ job "loki" {
} }
} }
config { config {
image = "grafana/loki" image = "docker.service.consul:5000/grafana/loki"
ports = ["http"] ports = ["http"]
args = [ args = [
"-config.file", "-config.file",
@ -49,56 +53,58 @@ job "loki" {
auth_enabled: false auth_enabled: false
server: server:
http_listen_port: 3100 http_listen_port: 3100
ingester:
lifecycler: common:
address: 127.0.0.1 instance_addr: 127.0.0.1
path_prefix: /loki
storage:
filesystem:
chunks_directory: /loki/chunks
rules_directory: /loki/rules
replication_factor: 1
ring: ring:
kvstore: kvstore:
store: inmemory store: inmemory
replication_factor: 1
final_sleep: 0s
# Any chunk not receiving new logs in this time will be flushed
chunk_idle_period: 1h
# All chunks will be flushed when they hit this age, default is 1h
max_chunk_age: 1h
# Loki will attempt to build chunks up to 1.5MB, flushing if chunk_idle_period or max_chunk_age is reached first
chunk_target_size: 1048576
# Must be greater than index read cache TTL if using an index cache (Default index read cache TTL is 5m)
chunk_retain_period: 30s
max_transfer_retries: 0 # Chunk transfers disabled
schema_config: schema_config:
configs: configs:
- from: 2020-10-24 - from: "2023-04-08" # <---- A date in the future
store: boltdb-shipper
object_store: filesystem
schema: v11
index: index:
prefix: index_
period: 24h period: 24h
storage_config: prefix: index_
boltdb_shipper: object_store: filesystem
active_index_directory: /loki/boltdb-shipper-active schema: v13
cache_location: /loki/boltdb-shipper-cache store: tsdb
cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space
shared_store: filesystem
filesystem:
directory: /loki/chunks
compactor: compactor:
working_directory: /tmp/loki/boltdb-shipper-compactor retention_enabled: true
working_directory: /loki/tsdb-shipper-compactor
shared_store: filesystem shared_store: filesystem
limits_config: limits_config:
split_queries_by_interval: 24h
max_query_parallelism: 100
max_entries_limit_per_query: 10000
injection_rate_strategy: local
retention_period: 90d
reject_old_samples: true reject_old_samples: true
reject_old_samples_max_age: 168h reject_old_samples_max_age: 168h
chunk_store_config: query_scheduler:
max_look_back_period: 0s max_outstanding_requests_per_tenant: 4096
table_manager: querier:
retention_deletes_enabled: false max_concurrent: 4096
retention_period: 0s frontend:
max_outstanding_per_tenant: 4096
query_range:
results_cache:
cache:
embedded_cache:
enabled: true
max_size_mb: 100
EOH EOH
destination = "local/loki/local-config.yaml" destination = "local/loki/local-config.yaml"
} }
resources { resources {
memory = 300 memory = 300
memory_max = 1000
} }
} }
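Review bot: `injection_rate_strategy: local` in the new limits_config is not a Loki option; the key is `ingestion_rate_strategy`, and because Loki rejects unknown config fields at startup this one line can keep the task crash-looping. The retention block pairs `retention_enabled: true` with `compactor.shared_store`, a key that Loki 3.x releases have dropped in favour of `delete_request_store`, and since the image is now pulled untagged from `docker.service.consul:5000/grafana/loki` the version actually deployed floats, so pin a tag or confirm the config against the release the mirror serves. The same untagged or `:latest` pulls through the internal mirror appear in the node-exporter, nut_exporter, prometheus and vector sections; an explicit tag or digest would make these deployments reproducible and let a silent change in the mirror's contents be noticed. Separately, `auth_enabled: false` on a `mode = "host"` group means any host that can reach port 3100 can push or query logs, which is fine on an isolated LAN but deserves a comment above `auth_enabled` saying so.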

1
nomad-job/platform/makefile Symbolic link

@ -0,0 +1 @@
../makefile


@ -32,7 +32,7 @@ job "node-exporter" {
task "node-exporter" { task "node-exporter" {
driver = "docker" driver = "docker"
config { config {
image = "prom/node-exporter" image = "docker.service.consul:5000/prom/node-exporter"
ports = ["http"] ports = ["http"]
args = [ args = [
"--web.listen-address=:${NOMAD_PORT_http}", "--web.listen-address=:${NOMAD_PORT_http}",


@ -29,11 +29,11 @@ job "nut_exporter" {
task "nut_exporter" { task "nut_exporter" {
driver = "docker" driver = "docker"
config { config {
image = "ghcr.io/druggeri/nut_exporter" image = "ghcr.service.consul:5000/druggeri/nut_exporter"
ports = ["http"] ports = ["http"]
} }
env { env {
NUT_EXPORTER_SERVER= "192.168.1.10" NUT_EXPORTER_SERVER= "192.168.1.43"
NUT_EXPORTER_VARIABLES = "battery.runtime,battery.charge,input.voltage,output.voltage,output.voltage.nominal,ups.load,ups.status,ups.realpower" NUT_EXPORTER_VARIABLES = "battery.runtime,battery.charge,input.voltage,output.voltage,output.voltage.nominal,ups.load,ups.status,ups.realpower"
} }


@ -9,7 +9,11 @@ job "prometheus" {
meta{ meta{
force_deploy= 1 force_deploy= 1
} }
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
group "prometheus" { group "prometheus" {
count = 1 count = 1
@ -246,7 +250,7 @@ EOH
driver = "docker" driver = "docker"
config { config {
image = "prom/prometheus:latest" image = "docker.service.consul:5000/prom/prometheus:latest"
args = [ args = [
"--config.file=/etc/prometheus/prometheus.yml", "--config.file=/etc/prometheus/prometheus.yml",
"--storage.tsdb.path=/prometheus", "--storage.tsdb.path=/prometheus",
@ -285,6 +289,7 @@ EOH
} }
resources { resources {
memory = 350 memory = 350
memory_max = 500
} }
} }
} }


@ -15,7 +15,7 @@ job "vector" {
task "vector" { task "vector" {
driver = "docker" driver = "docker"
config { config {
image = "timberio/vector:0.34.1-alpine" image = "docker.service.consul:5000/timberio/vector:0.34.1-alpine"
ports = ["api"] ports = ["api"]
volumes = [ volumes = [
"/var/run/docker.sock:/var/run/docker.sock", "/var/run/docker.sock:/var/run/docker.sock",


@ -0,0 +1,26 @@
job "csi-nfs-controller" {
datacenters = ["homelab"]
group "controller" {
task "csi-nfs-controller" {
driver = "docker"
config {
image = "registry.k8s.io/sig-storage/nfsplugin:v4.7.0"
args = [
"--v=5",
"--nodeid=${attr.unique.hostname}",
"--endpoint=unix:///csi/csi.sock",
"--drivername=nfs.csi.k8s.io"
]
}
csi_plugin {
id = "nfs"
type = "controller"
mount_dir = "/csi"
}
resources {
memory = 32
cpu = 100
}
}
}
}
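Review bot: `"--v=5"` is debug-level klog verbosity for the nfsplugin controller; if it stays past bring-up it presumably logs every CSI RPC with its volume context (NFS server and share path) into the task logs that vector ships, so `"--v=2"` is the usual steady-state setting. The same argument is duplicated in the csi-nfs-nodes job. `memory = 32` with no `memory_max` is also tight for a Go binary; worth confirming against the allocation's actual RSS before the first restart-on-OOM.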


@ -0,0 +1,29 @@
job "csi-nfs-nodes" {
datacenters = ["homelab","hetzner"]
type = "system"
group "csi-nfs-nodes" {
task "plugin" {
driver = "docker"
config {
image = "registry.k8s.io/sig-storage/nfsplugin:v4.7.0"
args = [
"--v=5",
"--nodeid=${attr.unique.hostname}",
"--endpoint=unix:///csi/csi.sock",
"--drivername=nfs.csi.k8s.io"
]
# node plugins must run as privileged jobs because they
# mount disks to the host
privileged = true
}
csi_plugin {
id = "nfs"
type = "node"
mount_dir = "/csi"
}
resources {
memory = 50
}
}
}
}
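Review bot: `privileged = true` on a `type = "system"` job places a root-equivalent container on every client in both `homelab` and `hetzner`; Nomad only schedules it where the docker plugin has `allow_privileged = true`, so confirm that flag is enabled solely on clients that should mount NFS and consider a `constraint` block like the one added to loki and prometheus rather than relying on the plugin setting alone. The image is pulled directly from `registry.k8s.io` while the rest of this change moves images behind `docker.service.consul:5000`, and unlike the controller job there is no `cpu` reservation; if the direct pull is intentional a one-line comment, `# pulled upstream: the internal mirror does not proxy registry.k8s.io`, would save the next reader the question.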

1
nomad-job/system/makefile Symbolic link

@ -0,0 +1 @@
../makefile
