13 Commits

vincent
90dd0ecd9a chore: link makefile
2024-11-09 10:24:15 +01:00
vincent
4f6743db5f perf: tweak mealie and pihole memory
2024-11-09 10:23:42 +01:00
vincent
2452a2ad44 fix (flaresolverr): change image to resolve chalenge issue 2024-11-09 10:23:07 +01:00
vincent
5e2bb57914 rutorrent: resolve issue with docker 2024-11-09 10:22:24 +01:00
vincent
3eb2dbfa08 authelia: custom consent preconfigured time 2024-11-09 10:21:50 +01:00
vincent
1ea094aa6e Revert "perfs: decrease CPU"
This reverts commit 6ea5de0315.
2024-10-29 19:21:05 +01:00
vincent
c1e48d4ace add compute parameter to oscar
2024-10-29 19:08:41 +01:00
vincent
b2710aab2f add oauth to gitea 2024-10-19 16:28:25 +02:00
vincent
c000933f66 add paperless-ng SSO
2024-10-12 10:12:38 +02:00
vincent
7948773757 perfs: increase memory-max for some job
2024-09-29 17:51:05 +02:00
vincent
3d90a1f6d7 fix: wrong dns in docker daemon.json 2024-09-29 17:50:31 +02:00
vincent
1f29007172 switch to nfs v4 on share 2024-09-29 17:50:11 +02:00
vincent
af58866882 dns: pdns-admin in dedicated nomad group 2024-09-29 17:38:27 +02:00
32 changed files with 220 additions and 131 deletions


@ -4,7 +4,7 @@ systemd_mounts:
mount: /mnt/diskstation/nomad
type: nfs
options:
- " "
- "vers=4"
automount: "{{ env_automount }}"
enabled: true
hetzner_storage:


@ -1,7 +1,7 @@
docker_daemon_config:
dns:
- 172.17.0.1
- 192.168.1.5
- 192.168.1.6
mtu: 1420
insecure-registries:
- 192.168.1.0/24
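Review bot: `insecure-registries: - 192.168.1.0/24` on the last line whitelists the entire LAN, so the daemon will pull over plain HTTP and skip TLS verification from any host on that subnet, not only the registry the jobs reference as `docker.service.consul:5000`; anything that can answer on the subnet or spoof the Consul name can feed arbitrary images to every node. Narrow it to the registry's own `address:5000`, or front the registry with TLS through Traefik and drop the entry. On the DNS change itself, the rendered view loses the +/- markers so it is unclear whether `172.17.0.1` or `192.168.1.5` is the new entry; note that `192.168.1.5` is the address the pdns-auth task binds as an authoritative server (`local-address=192.168.1.5`) while the recursor sits on `.6`, and an authoritative-only server used as a resolver will refuse recursive queries, so a one-line comment stating which address is meant to answer what would prevent the next "wrong dns" fix.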


@ -1 +0,0 @@
k3s_cluster_group: homelab


@ -4,7 +4,7 @@ systemd_mounts:
mount: /mnt/diskstation/photo
type: nfs
options:
- " "
- "vers=4"
automount: "{{ env_automount }}"
enabled: true
diskstation_music:
@ -12,7 +12,7 @@ systemd_mounts:
mount: /mnt/diskstation/music
type: nfs
options:
- " "
- "vers=4"
automount: "{{ env_automount }}"
enabled: true
diskstation_media:
@ -20,7 +20,7 @@ systemd_mounts:
mount: /mnt/diskstation/media
type: nfs
options:
- " "
- "vers=4"
automount: "{{ env_automount }}"
enabled: true
@ -29,7 +29,7 @@ systemd_mounts:
mount: /mnt/diskstation/ebook
type: nfs
options:
- " "
- "vers=4"
automount: "{{ env_automount }}"
enabled: true
diskstation_nomad:
@ -45,6 +45,6 @@ systemd_mounts:
mount: /mnt/diskstation/download
type: nfs
options:
- " "
- "vers=4"
automount: "{{ env_automount }}"
enabled: true
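Review bot: `"vers=4"` with no `sec=` option still mounts these shares with AUTH_SYS, so ownership and access on them is whatever UID the client kernel asserts (the Nomad jobs in this compare run as `user = "root"` or `PUID = 100001`), and the NAS has to trust every client host completely. If the diskstation supports it, add `sec=krb5` (or at least pin `vers=4.2` so the client does not negotiate down to 4.0), and keep the real restriction in the server-side export list rather than in these mount options. The identical `options:` block is now repeated for every share; a single `nfs_default_opts` variable referenced from each entry would keep them from drifting apart again like the previous `" "` placeholder did.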


@ -1,3 +1,2 @@
nomad_datacenter: homelab
k3s_consul_service: true
system_wol_enable: True


@ -7,7 +7,7 @@ nomad_client_meta:
- name: "env"
value: "production"
vault_unseal_keys_dir_output: "~/vaultUnseal/production"
env_default_nfs_path: "/exports"
env_default_nfs_path: ""
env_media_nfs_path: "/volume1"
env_automount: true
nas_ip: "192.168.1.43"
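Review bot: `vault_unseal_keys_dir_output: "~/vaultUnseal/production"` on the context line above the change persists Vault unseal key material to disk in a home directory; if that resolves on the Vault host itself, the seal no longer protects the storage backend from anyone who obtains that filesystem, and if it resolves on the controller it sits next to the inventory and SSH keys. Document where `~` is expected to expand (Ansible expands it on the target for most modules, on the controller for lookups) and ensure the directory is created with `mode: '0700'`, or move to auto-unseal so keys are never written. `env_default_nfs_path: ""` is now an empty prefix; the templates that concatenate it are not visible here, so it is worth confirming none of them produce a root-anchored or double-slashed path.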


@ -3,6 +3,7 @@ default_interface: "enp1s0"
consul_iface: "{{ default_interface}}"
vault_iface: "{{ default_interface}}"
nfs_iface: "{{ default_interface}}"
nomad_client_cpu_total_compute: 8000
wireguard_address: "10.0.0.2/24"
wireguard_byhost_allowed_ips:
merlin: 10.0.0.2,192.168.1.40


@ -1,4 +1,10 @@
---
- name: Consul install
hosts: all
roles:
- role: ansible-consul
become: true
- name: Vault install
hosts: homelab
roles:
@ -40,6 +46,8 @@
- name: nomad
hosts: all
vars:
unseal_keys_dir_output: ~/vaultunseal
roles:
- role: ansible-nomad
become: true
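Review bot: `unseal_keys_dir_output: ~/vaultunseal` in the nomad play does not match `vault_unseal_keys_dir_output: "~/vaultUnseal/production"` in the production group vars; on a case-sensitive filesystem those are two different directories, so the nomad role will either fail to find the unseal keys or read stale ones. If both are meant to be the same location, reference one variable from the other, e.g. `unseal_keys_dir_output: "{{ vault_unseal_keys_dir_output }}"`. The Consul play moved in here targets `hosts: all` while Vault stays on `hosts: homelab`; a short comment on why Consul must run on every host would help the next reader.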


@ -1,8 +0,0 @@
---
- name: Consul install
hosts: all
roles:
- role: ansible-consul
become: true


@ -1,5 +0,0 @@
---
- name: k3s
hosts: all
roles:
- role: ansible-k3s


@ -45,7 +45,5 @@ roles:
- src: git@git.ducamps.eu:2222/ansible-roles/ansible-role-pureftpd.git
scm: git
- src: https://github.com/PowerDNS/pdns_recursor-ansible.git
- src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-k3s.git
scm: git
collections:
- name: vladgh.samba
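Review bot: `- src: https://github.com/PowerDNS/pdns_recursor-ansible.git` is fetched from a third-party GitHub repository with no `version:`, so each `ansible-galaxy install` takes whatever the default branch points at and that role then runs with `become` on the DNS hosts. Pin it to a tag or commit, e.g. add `version: "<tag-or-sha>"` under the entry, and do the same for the `git.ducamps.eu` roles such as the pureftpd entry above, which also shows no version. Dropping the k3s role is consistent with the deleted kube play.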


@ -2,9 +2,7 @@
- import_playbook: playbooks/server.yml
- import_playbook: playbooks/dhcpd.yml
- import_playbook: playbooks/dns.yml
- import_playbook: playbooks/consul.yml
- import_playbook: playbooks/kube.yml
#- import_playbook: playbooks/HashicorpStack.yml
- import_playbook: playbooks/HashicorpStack.yml
- import_playbook: playbooks/nas.yml
- import_playbook: playbooks/autofs.yml
- import_playbook: playbooks/sssd.yml


@ -96,7 +96,8 @@ job "immich" {
env = true
}
resources {
memory = 500
memory = 600
memory_max = 1800
}
}


@ -111,6 +111,7 @@ job "jellyfin" {
resources {
memory = 2000
memory_max = 4000
cpu = 3000
}
}

nomad-job/apps/makefile Symbolic link

@ -0,0 +1 @@
../makefile


@ -81,6 +81,7 @@ job "mealie" {
template {
data = <<EOH
{{ with secret "secrets/data/database/mealie"}}POSTGRES_PASSWORD= "{{ .Data.data.password }}" {{end}}
{{ with secret "secrets/data/authelia/mealie"}}OIDC_CLIENT_SECRET= "{{ .Data.data.password }}" {{end}}
EOH
destination = "secrets/var.env"
env = true


@ -38,7 +38,6 @@ job "paperless-ng" {
}
resources {
memory = 50
cpu = 50
}
}
task "paperless-ng" {
@ -52,6 +51,7 @@ job "paperless-ng" {
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.eu",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
"traefik.http.routers.${NOMAD_JOB_NAME}.middlewares=authelia",
"homer.enable=true",
"homer.name=Paperless",
"homer.service=Application",
@ -87,6 +87,9 @@ job "paperless-ng" {
PAPERLESS_CONSUMER_POLLING = "60"
PAPERLESS_URL = "https://${NOMAD_JOB_NAME}.ducamps.eu"
PAPERLESS_ALLOWED_HOSTS = "192.168.1.42,192.168.1.40"
PAPERLESS_ENABLE_HTTP_REMOTE_USER = "true"
PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_REMOTE_USER"
PAPERLESS_LOGOUT_REDIRECT_URL= "https://auth.ducamps.eu/logout"
}
template {
@ -99,7 +102,7 @@ job "paperless-ng" {
resources {
memory = 950
memory_max = 1500
cpu = 100
cpu = 2000
}
}
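Review bot: `PAPERLESS_ENABLE_HTTP_REMOTE_USER = "true"` makes Paperless log in whoever is named in the `Remote-User` request header, so that header must only ever be settable by the Authelia forward-auth hop; `PAPERLESS_ALLOWED_HOSTS = "192.168.1.42,192.168.1.40"` implies the container is also reached directly by node IP, and any client hitting the allocation port that way can send `Remote-User: admin` and bypass authentication entirely. Either remove the IP hosts and make Traefik the sole ingress (bind the port so it is not reachable off-node), and confirm the `authelia` middleware's `authResponseHeaders` includes `Remote-User` so a legitimate request always overwrites a client-supplied value. The router also keeps `entrypoints=web,websecure`; unless `web` redirects to HTTPS, the Paperless session cookie is sent in clear. The CPU reservation apparently moves from `100` to `2000`, a 20x change that deserves a comment on the measurement behind it.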


@ -23,7 +23,7 @@ job "torrent" {
}
}
task "bittorent" {
driver = "podman"
driver = "docker"
service {
name = "bittorent"
port = "http"
@ -43,11 +43,11 @@ job "torrent" {
"traefik.http.routers.${NOMAD_JOB_NAME}.middlewares=authelia-basic",
]
}
user = "root"
config {
ulimit {
nofile = "8192:8192"
}
image = "docker.service.consul:5000/crazymax/rtorrent-rutorrent:edge"
privileged = "true"
ports = [
"http",
"torrent",
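Review bot: if `privileged = "true"` is still in effect on the new side (the rendered view loses the +/- markers, so only one of it and `user = "root"` may be new), the switch from the podman driver to `docker` now grants a BitTorrent client that talks to arbitrary peers full root on the node, so a bug in rutorrent or its plugins is a host compromise. The sibling `rutorrentlocal` job runs the same `crazymax/rtorrent-rutorrent:edge` image without `privileged` and relies on `PUID`/`PGID`, which suggests the flag is not needed here either; drop it, keep the `nofile` ulimit, and let the image drop privileges itself. `:edge` is a moving tag for this workload; pin a digest. The task body continues outside the hunk.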


@ -0,0 +1,64 @@
job "rutorrentlocal" {
datacenters = ["homelab"]
priority = 80
type = "service"
meta {
forcedeploy = "0"
}
constraint {
attribute = "${node.unique.name}"
operator = "set_contains"
value = "oberon"
}
group "bittorent" {
network {
mode = "host"
port "http" {
to = 8080
}
port "torrent" {
static = 6881
}
port "ecoute" {
static = 50000
}
}
task "bittorent" {
driver = "podman"
service {
name = "bittorentlocal"
port = "http"
address_mode= "host"
tags = [
]
}
user = "root"
config {
image = "docker.service.consul:5000/crazymax/rtorrent-rutorrent:edge"
ports = [
"http",
"torrent",
"ecoute"
]
volumes = [
"/exports/nomad/rutorrent/data:/data",
"/exports/nomad/rutorrent/downloads:/downloads"
]
}
env {
PUID = 100001
PGID = 10
UMASK = 002
WEBUI_PORT = "8080"
}
resources {
memory = 650
}
}
}
}
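Review bot: the `bittorentlocal` service registers with empty `tags`, so unlike the Traefik-fronted `torrent` job nothing places Authelia in front of this web UI, and with `network { mode = "host" }` and `WEBUI_PORT = "8080"` the UI listens directly on oberon for anyone on the LAN, able to add arbitrary torrents that land under `/exports/nomad/rutorrent/*`. Either add the same `traefik.http.routers...middlewares=authelia-basic` tags as the other job, bind the UI to localhost, or at minimum turn on the image's own authentication. In host networking mode `port "http" { to = 8080 }` performs no mapping, so the Consul service will advertise whatever dynamic port Nomad picked while the process actually listens on 8080; declare it as `port "http" { static = 8080 }` so the registration matches reality. `user = "root"` next to `PUID`/`PGID` is fine only if the entrypoint drops privileges; a comment confirming that would help.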


@ -83,7 +83,6 @@ job "tt-rss" {
env = true
}
resources {
cpu = 50
memory = 150
}
}
@ -116,7 +115,6 @@ job "tt-rss" {
}
resources {
cpu = 50
memory = 150
}
}
@ -201,7 +199,6 @@ job "tt-rss" {
}
resources {
cpu = 50
memory = 50
}
}


@ -74,6 +74,7 @@ job "batch-seedboxsync" {
}
resources {
memory = 500
memory_max = 1000
}
}


@ -35,7 +35,7 @@ job "torrent_automation" {
}
config {
image = "ghcr.io/flaresolverr/flaresolverr:latest"
image = "alexfozor/flaresolverr:pr-1300-experimental"
ports = ["flaresolverr"]
}
env {
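Review bot: `alexfozor/flaresolverr:pr-1300-experimental` replaces the upstream `ghcr.io/flaresolverr/flaresolverr` image with a personal Docker Hub build of an unmerged pull request, and the tag is mutable, so what actually runs can change without any commit here. This task drives a headless browser against third-party sites on behalf of the other torrent_automation tasks, which is exactly the kind of workload where an unvetted image is costly. Pin the digest (`image = "alexfozor/flaresolverr@sha256:..."`), record the upstream PR URL in a comment next to the line, and leave a TODO to return to the upstream tag once the fix lands.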


@ -122,10 +122,11 @@ identity_providers:
- 'https://www.ducamps.eu/tt-rss'
userinfo_signed_response_alg: none
authorization_policy: 'one_factor'
pre_configured_consent_duration: 15d
pre_configured_consent_duration: 3M
- client_id: 'mealie'
client_name: 'mealie'
public: true
client_secret: {{ with secret "secrets/data/authelia/mealie"}} {{ .Data.data.hash }} {{end}}
public: false
require_pkce: true
pkce_challenge_method: 'S256'
scopes:
@ -137,7 +138,7 @@ identity_providers:
- 'https://mealie.ducamps.eu/login'
userinfo_signed_response_alg: none
authorization_policy: 'one_factor'
token_endpoint_auth_method: 'none'
pre_configured_consent_duration: 3M
- client_id: 'immich'
client_name: 'immich'
client_secret: {{ with secret "secrets/data/authelia/immich"}} {{ .Data.data.hash }} {{end}}
@ -152,6 +153,7 @@ identity_providers:
- 'profile'
- 'email'
userinfo_signed_response_alg: 'none'
pre_configured_consent_duration: 3M
- client_id: 'grafana'
client_name: 'Grafana'
client_secret:{{ with secret "secrets/data/authelia/grafana"}} {{ .Data.data.hash }} {{end}}
@ -168,6 +170,7 @@ identity_providers:
- 'email'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
pre_configured_consent_duration: 3M
- client_id: 'vikunja'
client_name: 'vikunja'
client_secret:{{ with secret "secrets/data/authelia/vikunja"}} {{ .Data.data.hash }} {{end}}
@ -180,7 +183,22 @@ identity_providers:
- 'profile'
- 'email'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
pre_configured_consent_duration: 3M
- client_id: 'gitea'
client_name: 'gitea'
client_secret:{{ with secret "secrets/data/authelia/gitea"}} {{ .Data.data.hash }} {{end}}
public: false
authorization_policy: 'one_factor'
redirect_uris:
- 'https://git.ducamps.eu/user/oauth2/authelia/callback'
scopes:
- 'openid'
- 'profile'
- 'email'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
pre_configured_consent_duration: 3M
log:
level: 'trace'
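Review bot: `log: level: 'trace'` remains in a configuration that now carries yet another confidential client; at trace Authelia emits request-level detail that can include session and OIDC material, so this should be `'info'` outside an active debugging session. The new `gitea` client uses `authorization_policy: 'one_factor'` for the forge that hosts this repository's Ansible roles (see requirements.yml), meaning a single password now gates code that runs with `become` on every host; `'two_factor'` is the natural policy there. `pre_configured_consent_duration: 3M` is a valid Authelia month unit, but three months of skipped consent across every client is broad enough to deserve a comment on the trade-off. `public: false` together with `require_pkce: true` for mealie is a sound combination.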


@ -45,7 +45,6 @@ job "dashboard" {
}
resources {
cpu = 50
memory = 20
}
}
@ -145,7 +144,6 @@ services:
}
resources {
cpu = 50
memory = 30
}
}


@ -81,7 +81,11 @@ job "git" {
GITEA__database__HOST = "active.db.service.consul"
GITEA__database__NAME = "gitea"
GITEA__database__USER = "gitea"
GITEA__service__DISABLE_REGISTRATION = "true"
GITEA__service__DISABLE_REGISTRATION = "false"
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true"
GITEA__service__SHOW_REGISTRATION_BUTTON = "false"
GITEA__openid__ENABLE_OPENID_SIGNIN = "false"
GITEA__openid__ENABLE_OPENID_SIGNUP = "true"
GITEA__repository__ROOT = "/data/gitea-repositories"
GITEA__server__APP_DATA_PATH = "/data"
GITEA__server__LFS_CONTENT_PATH = "/data/lfs"
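Review bot: `GITEA__openid__ENABLE_OPENID_SIGNUP = "true"` appears to target Gitea's legacy `[openid]` (OpenID 2.0) section, not the OAuth2 authentication source Authelia is wired up as; account creation on first OIDC login is governed by `[oauth2_client] ENABLE_AUTO_REGISTRATION` and `ACCOUNT_LINKING`, so the intended behaviour should be verified in the UI rather than assumed from this line. Enabling OpenID signup while `ENABLE_OPENID_SIGNIN` is `"false"` is also contradictory and should either be explained in a comment or removed. With `DISABLE_REGISTRATION` apparently flipped to `"false"` and `ALLOW_ONLY_EXTERNAL_REGISTRATION = "true"`, any identity Authelia asserts can register on the forge that serves this infrastructure's Ansible roles, so a comment tying that to the Authelia policy for the `gitea` client would make the trust chain explicit.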

nomad-job/platform/makefile Symbolic link

@ -0,0 +1 @@
../makefile


@ -29,6 +29,7 @@ job "vector" {
}
# resource limits are a good idea because you don't want your log collection to consume all resources available
resources {
cpu = 500 # 500 MHz
memory = 256 # 256MB
}
# template with Vector's configuration

nomad-job/system/makefile Symbolic link

@ -0,0 +1 @@
../makefile


@ -12,37 +12,34 @@ job "pdns-auth" {
}
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
operator = "set_contains"
value = "cluster"
}
vault {
policies = ["pdns"]
}
group "pdns-auth" {
network {
port "dns" {
static=5300
static = 5300
}
port "http" {
static = 8081
}
port "pdnsadmin"{
to = 80
}
}
vault {
policies = ["pdns"]
}
task "pdns-auth" {
task "pdns-auth" {
driver = "docker"
service {
driver = "docker"
service {
name = "pdns-auth"
port = "dns"
}
config {
image = "docker.service.consul:5000/powerdns/pdns-auth-master:latest"
image = "docker.service.consul:5000/powerdns/pdns-auth-master:latest"
network_mode = "host"
privileged=true
cap_add= ["net_bind_service"]
privileged = true
cap_add = ["net_bind_service"]
volumes = [
"/mnt/diskstation/nomad/pdns-auth/var:/var/lib/powerdns/",
"local/dnsupdate.conf:/etc/powerdns/pdns.d/dnsupdate.conf",
@ -57,20 +54,20 @@ job "pdns-auth" {
PDNS_AUTH_API_KEY="{{.Data.data.API_KEY}}"
{{ end }}
EOH
env = true
env = true
}
template{
template {
destination = "local/dnsupdate.conf"
data = <<EOH
data = <<EOH
dnsupdate=yes
allow-dnsupdate-from=192.168.1.43/24
local-address=192.168.1.5
local-port=53
EOH
}
template{
template {
destination = "local/pdns.conf"
data = <<EOH
data = <<EOH
launch=gpgsql
gpgsql-host=active.db.service.consul
gpgsql-port=5432
@ -84,61 +81,20 @@ include-dir=/etc/powerdns/pdns.d
EOH
}
resources {
cpu = 50
memory = 100
}
}
task "pnds-admin" {
service {
name = "pdns-admin"
tags = [
"homer.enable=true",
"homer.name=PDNS-ADMIN",
"homer.service=Application",
"homer.logo=http://${NOMAD_ADDR_pdnsadmin}/static/img/favicon.png",
"homer.target=_blank",
"homer.url=http://${NOMAD_ADDR_pdnsadmin}",
]
port = "pdnsadmin"
}
driver = "docker"
config {
image = "docker.service.consul:5000/powerdnsadmin/pda-legacy:latest"
ports= ["pdnsadmin"]
volumes = [
"/mnt/diskstation/nomad/pdns-admin/:/data/node_module/",
]
task "pdns-recursor" {
driver = "docker"
config {
image = "docker.service.consul:5000/powerdns/pdns-recursor-master:latest"
network_mode = "host"
volumes = [
"local/recursor.conf:/etc/powerdns/recursor.conf",
]
}
template{
destination = "secrets/pdns-admin.env"
env = true
data = <<EOH
{{ with secret "secrets/data/nomad/pdns"}}
SECRET_KEY="{{ .Data.data.SECRET_KEY }}"
GUNICORN_WORKERS=2
{{ end }}
{{ with secret "secrets/data/database/pdns"}}
SQLALCHEMY_DATABASE_URI=postgresql://pdns-admin:{{ .Data.data.pdnsadmin }}@active.db.service.consul/pdns-admin
{{end}}
EOH
}
resources {
cpu = 50
memory = 200
}
}
task "pdns-recursor" {
driver = "docker"
config {
image = "docker.service.consul:5000/powerdns/pdns-recursor-master:latest"
network_mode = "host"
volumes = [
"local/recursor.conf:/etc/powerdns/recursor.conf",
]
}
template{
destination = "local/recursor.conf"
data= <<EOH
@ -147,29 +103,29 @@ dnssec=off
forward-zones=consul=127.0.0.1:8600,ducamps.eu=192.168.1.5,1.168.192.in-addr.arpa=192.168.1.5
local-address=192.168.1.6
EOH
}
resources {
cpu = 50
memory = 50
}
}
resources {
cpu = 50
memory = 50
}
}
task "keepalived" {
driver = "docker"
task "keepalived" {
driver = "docker"
lifecycle {
hook = "prestart"
sidecar = true
}
env {
KEEPALIVED_ROUTER_ID = "52"
KEEPALIVED_STATE = "MASTER"
KEEPALIVED_VIRTUAL_IPS = "#PYTHON2BASH:['192.168.1.5','192.168.1.6']"
KEEPALIVED_ROUTER_ID = "52"
KEEPALIVED_STATE = "MASTER"
KEEPALIVED_VIRTUAL_IPS = "#PYTHON2BASH:['192.168.1.5','192.168.1.6']"
}
template{
template {
destination = "local/env.yaml"
change_mode = "restart"
env= true
data = <<EOH
env = true
data = <<EOH
KEEPALIVED_INTERFACE= {{ sockaddr "GetPrivateInterfaces | include \"network\" \"192.168.1.0/24\" | attr \"name\"" }}
EOH
}
@ -188,4 +144,53 @@ local-address=192.168.1.6
}
}
}
group "pdns-admin" {
network {
port "pdnsadmin" {
to = 80
}
}
task "pnds-admin" {
service {
name = "pdns-admin"
tags = [
"homer.enable=true",
"homer.name=PDNS-ADMIN",
"homer.service=Application",
"homer.logo=http://${NOMAD_ADDR_pdnsadmin}/static/img/favicon.png",
"homer.target=_blank",
"homer.url=http://${NOMAD_ADDR_pdnsadmin}",
]
port = "pdnsadmin"
}
driver = "docker"
config {
image = "docker.service.consul:5000/powerdnsadmin/pda-legacy:latest"
ports = ["pdnsadmin"]
volumes = [
"/mnt/diskstation/nomad/pdns-admin/:/data/node_module/",
]
}
template {
destination = "secrets/pdns-admin.env"
env = true
data = <<EOH
{{ with secret "secrets/data/nomad/pdns"}}
SECRET_KEY="{{ .Data.data.SECRET_KEY }}"
GUNICORN_WORKERS=2
{{ end }}
{{ with secret "secrets/data/database/pdns"}}
SQLALCHEMY_DATABASE_URI=postgresql://pdns-admin:{{ .Data.data.pdnsadmin }}@active.db.service.consul/pdns-admin
{{end}}
EOH
}
resources {
cpu = 50
memory = 200
}
}
}
}
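Review bot: `allow-dnsupdate-from=192.168.1.43/24` in the `dnsupdate.conf` template is a host address with a /24 mask, which PowerDNS evaluates as the whole `192.168.1.0/24`, so every device on the LAN may push RFC 2136 updates into the authoritative zones; `nas_ip` in group vars is `192.168.1.43`, so `allow-dnsupdate-from=192.168.1.43/32` is presumably what was meant. `privileged = true` on the pdns-auth task also makes `cap_add = ["net_bind_service"]` redundant; with `network_mode = "host"` and `local-port=53` the capability alone should be enough, so drop `privileged`. The `pdns-admin` task, now in its own group, is still published only as `http://${NOMAD_ADDR_pdnsadmin}` with no Traefik/Authelia tags, i.e. plain HTTP on a dynamic port for the UI that holds `PDNS_AUTH_API_KEY` — worth routing through Traefik like the other apps. `dnssec=off` in the recursor looks deliberate and deserves a one-line comment saying why.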


@ -90,6 +90,7 @@ local-ttl=2
}
resources {
memory = 100
memory_max =200
}
}


@ -90,7 +90,7 @@ version: '0.1'
}
resources {
memory = 150
memory_max = 400
memory_max = 600
}
}
task "docker-ghcr" {
@ -133,7 +133,7 @@ version: '0.1'
}
resources {
memory = 150
memory_max = 400
memory_max = 600
}
}


@ -73,7 +73,8 @@ def main() -> None:
"authelia/immich",
"authelia/mealie",
"authelia/grafana",
"authelia/vikunja"
"authelia/vikunja",
"authelia/gitea"
]
token=os.getenv('VAULT_TOKEN',"")
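Review bot: `token=os.getenv('VAULT_TOKEN',"")` defaults a missing token to the empty string, so a forgotten export likely surfaces as a permission error on the first `secrets/...` write instead of a clear failure before anything is touched; prefer `token = os.environ["VAULT_TOKEN"]` or an explicit check that prints a message and exits non-zero. Appending `"authelia/gitea"` is consistent with the new Authelia client. `main()` begins outside the hunk.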