Author | SHA1 | Date | |
---|---|---|---|
|
d2a8106fb1 |
15
Vagrantfile
vendored
@ -1,10 +1,9 @@
|
||||
Vagrant.configure('2') do |config|
|
||||
if Vagrant.has_plugin?('vagrant-cachier')
|
||||
config.cache.scope = 'machine'
|
||||
config.cache.enable :pacman
|
||||
end
|
||||
config.vm.provider :libvirt do |libvirt|
|
||||
libvirt.management_network_domain = "lan.ducamps.dev"
|
||||
libvirt.management_network_domain = "ducamps-dev.eu"
|
||||
|
||||
end
|
||||
config.vm.define "oscar-dev" do |c|
|
||||
@ -20,7 +19,7 @@ Vagrant.configure('2') do |config|
|
||||
# Provider
|
||||
c.vm.provider "libvirt" do |libvirt, override|
|
||||
|
||||
libvirt.memory = 2048
|
||||
libvirt.memory = 1024
|
||||
libvirt.cpus = 2
|
||||
end
|
||||
c.vm.provision "ansible" do |bootstrap|
|
||||
@ -33,7 +32,7 @@ Vagrant.configure('2') do |config|
|
||||
|
||||
config.vm.define "merlin-dev" do |c|
|
||||
# Box definition
|
||||
c.vm.box = "archlinux/archlinux"
|
||||
c.vm.box = "generic/rocky9"
|
||||
# Config options
|
||||
c.vm.synced_folder ".", "/vagrant", disabled: true
|
||||
c.ssh.insert_key = true
|
||||
@ -43,7 +42,7 @@ Vagrant.configure('2') do |config|
|
||||
# Provider
|
||||
c.vm.provider "libvirt" do |libvirt, override|
|
||||
|
||||
libvirt.memory = 512
|
||||
libvirt.memory = 1024
|
||||
libvirt.cpus = 2
|
||||
|
||||
end
|
||||
@ -57,7 +56,7 @@ Vagrant.configure('2') do |config|
|
||||
|
||||
config.vm.define "gerard-dev" do |c|
|
||||
# Box definition
|
||||
c.vm.box = "archlinux/archlinux"
|
||||
c.vm.box = "generic/debian12"
|
||||
# Config options
|
||||
|
||||
c.vm.synced_folder ".", "/vagrant", disabled: true
|
||||
@ -67,7 +66,7 @@ Vagrant.configure('2') do |config|
|
||||
# instance_raw_config_args
|
||||
# Provider
|
||||
c.vm.provider "libvirt" do |libvirt, override|
|
||||
libvirt.memory = 2048
|
||||
libvirt.memory = 1024
|
||||
libvirt.cpus = 2
|
||||
end
|
||||
c.vm.provision "ansible" do |bootstrap|
|
||||
@ -90,7 +89,7 @@ Vagrant.configure('2') do |config|
|
||||
# Provider
|
||||
c.vm.provider "libvirt" do |libvirt, override|
|
||||
|
||||
libvirt.memory = 2048
|
||||
libvirt.memory = 1024
|
||||
libvirt.cpus = 2
|
||||
end
|
||||
|
||||
|
@ -15,10 +15,7 @@ pdns_rec_config:
|
||||
forward-zones:
|
||||
- "{{ consul_domain }}=127.0.0.1:8600"
|
||||
- "ducamps.win=192.168.1.10"
|
||||
- "{{ domain.name }}=192.168.1.5"
|
||||
- "lan.{{ domain.name }}=192.168.1.5"
|
||||
- "ducamps.eu=192.168.1.5"
|
||||
- "1.168.192.in-addr.arpa=192.168.1.5:5300"
|
||||
|
||||
local-address: "{{ hostvars[inventory_hostname]['ansible_'+ default_interface].ipv4.address|default(ansible_default_ipv4.address) }}"
|
||||
local-address: "{{ ansible_default_ipv4.address }}"
|
||||
dnssec: "off"
|
||||
|
||||
|
@ -1,90 +0,0 @@
|
||||
NAS_nomad_folder:
|
||||
- name: actualbudget
|
||||
- name: archiso
|
||||
owner: 1000001
|
||||
- name: backup
|
||||
owner: 1000001
|
||||
- name: borgmatic
|
||||
- name: crowdsec
|
||||
owner: 1000001
|
||||
- name: dms
|
||||
owner: 1000001
|
||||
- name: filestash
|
||||
owner: 1000
|
||||
- name: gitea
|
||||
owner: 1000000
|
||||
- name: grafana
|
||||
owner: 472
|
||||
- name: hass
|
||||
owner: 1000001
|
||||
- name: homer
|
||||
owner: 1000001
|
||||
- name: immich/cache
|
||||
- name: immich/upload
|
||||
- name: jellyfin
|
||||
owner: 1000001
|
||||
- name: loki
|
||||
owner: 10001
|
||||
- name: mealie
|
||||
owner: 1000001
|
||||
- name: mosquito
|
||||
owner: 1883
|
||||
- name: pacoloco
|
||||
owner: 1000001
|
||||
- name: pdns-auth
|
||||
owner: 1000001
|
||||
- name: pdns-admin
|
||||
owner: 1000001
|
||||
- name: pihole
|
||||
owner: 999
|
||||
- name: prometheus
|
||||
owner: 65534
|
||||
- name: prowlarr
|
||||
owner: 1000001
|
||||
- name: radicale
|
||||
owner: 1000001
|
||||
- name: openldap
|
||||
owner: 1001
|
||||
- name: registry/ghcr
|
||||
- name: registry/docker
|
||||
- name: syncthing
|
||||
owner: 1000001
|
||||
- name: traefik
|
||||
owner: 1000001
|
||||
- name: tt-rss
|
||||
owner: 1000001
|
||||
- name: vaultwarden
|
||||
owner: 1000001
|
||||
- name: zigbee2mqtt
|
||||
owner: 1000001
|
||||
nas_bind_target: "/exports"
|
||||
|
||||
nas_bind_source:
|
||||
- dest: "{{ nas_bind_target }}/nomad"
|
||||
source: /data/data1/nomad
|
||||
- dest: "{{ nas_bind_target }}/music"
|
||||
source: /data/data1/music
|
||||
- dest: "{{ nas_bind_target }}/download"
|
||||
source: /data/data1/download
|
||||
- dest: "{{ nas_bind_target }}/media/serie"
|
||||
source: /data/data2/serie
|
||||
- dest: "{{ nas_bind_target }}/media/film"
|
||||
source: /data/data3/film
|
||||
- dest: "{{ nas_bind_target }}/photo"
|
||||
source: /data/data1/photo
|
||||
- dest: "{{ nas_bind_target }}/homes"
|
||||
source: /data/data1/homes
|
||||
- dest: "{{ nas_bind_target }}/ebook"
|
||||
source: /data/data1/ebook
|
||||
- dest: "{{ nas_bind_target }}/media/download/serie"
|
||||
source: /data/data1/download/serie
|
||||
- dest: "{{ nas_bind_target }}/media/download/film"
|
||||
source: /data/data1/download/film
|
||||
- dest: "{{ nas_bind_target }}/music/download/"
|
||||
source: /data/data1/download/music
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -1 +1,3 @@
|
||||
vsftpd_config: {}
|
||||
vsftpd_config:
|
||||
local_root: "/var/local/volume1"
|
||||
seccomp_sandbox: False
|
||||
|
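Review bot: `seccomp_sandbox: False` switches off vsftpd's syscall sandbox for the whole daemon, and the hunk gives no reason for it; that sandbox is one of the two hardening layers vsftpd ships with, and disabling it globally removes the syscall filter around the per-session child processes that talk to untrusted clients. If it was turned off to work around a kernel or libc incompatibility, record that next to the line, e.g. `seccomp_sandbox: False  # disabled: <distro/kernel issue> — re-enable once fixed`; otherwise keep the default and set only `local_root`. Both new lines are certain to be the added side here (`-1 +1,3`), so this is not a display artefact.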
@ -1,15 +1,15 @@
|
||||
nfs_cluster_list: "{% for server in groups['all']%} {% if hostvars[server]['ansible_default_ipv4']['address'] is defined %} {{hostvars[server]['ansible_' + hostvars[server]['nfs_iface']|default('')].ipv4.address|default(hostvars[server]['ansible_default_ipv4']['address'],true)}}{{ nfs_options }} {% endif %} {%endfor%}"
|
||||
nfs_options: "(rw,no_root_squash,crossmnt,async,insecure_locks,sec=sys)"
|
||||
nfs_consul_service: true
|
||||
nfs_bind_target: "/exports"
|
||||
nfs_cluster_list: "{% for server in groups['all']%}{{ hostvars[server]['ansible_default_ipv4']['address'] }}(rw,no_root_squash,async,insecure_locks,sec=sys) {%endfor%}"
|
||||
|
||||
|
||||
nfs_exports:
|
||||
- "{{ nas_bind_target }} *(fsid=0,insecure,no_subtree_check)"
|
||||
- "{{ nas_bind_target }}/nomad {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
|
||||
- "{{ nas_bind_target }}/download {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
|
||||
- "{{ nas_bind_target }}/music {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
|
||||
- "{{ nas_bind_target }}/media {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
|
||||
- "{{ nas_bind_target }}/photo {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
|
||||
- "{{ nas_bind_target }}/homes {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
|
||||
- "{{ nas_bind_target }}/ebook {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
|
||||
- "/var/local/volume1/nomad {{nfs_cluster_list}}"
|
||||
- "/var/local/volume1/music {{nfs_cluster_list}}"
|
||||
- "/var/local/volume1/media {{nfs_cluster_list}}"
|
||||
- "/var/local/volume1/photo {{nfs_cluster_list}}"
|
||||
- "/var/local/volume1/ebook {{nfs_cluster_list}}"
|
||||
- "/var/local/volume1/git {{nfs_cluster_list}}"
|
||||
- "/var/local/volume1/archMirror {{nfs_cluster_list}}"
|
||||
- "/var/local/volume1/homes/admin {{nfs_cluster_list}}"
|
||||
- "/var/local/volume1/CardDav {{nfs_cluster_list}}"
|
||||
|
||||
|
||||
|
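Review bot: The `{{ nas_bind_target }}` export lines combine `no_root_squash` (via `nfs_options`) with a client list that is every host in `groups['all']` plus the whole `172.17.0.0/16` Docker bridge range, and the pseudo-root line `*(fsid=0,insecure,no_subtree_check)` accepts any source address on unprivileged ports; the rendered page does not mark which side of the hunk these sit on, but if they are the new side, root in any managed host or bridge-attached container writes to the NAS as root. Consider keeping `root_squash` by default and granting `no_root_squash` only to the shares that need it (the Nomad volume is the usual candidate), narrowing `172.17.0.0/16` to the bridge subnets that actually mount, and dropping `insecure` from the root export unless a specific client requires it. A comment above `nfs_exports` stating that the `fsid=0` root is intentionally exported to `*` would also make the intent reviewable. `async` in `nfs_options` is a durability trade-off rather than a security one, but it deserves the same one-line note.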
@ -1,25 +0,0 @@
|
||||
samba_passdb_backend: tdbsam
|
||||
samba_shares_root: /exports
|
||||
samba_shares:
|
||||
- name: media
|
||||
comment: "media"
|
||||
write_list: "@NAS_media"
|
||||
browseable: true
|
||||
- name: ebook
|
||||
comment: "ebook"
|
||||
write_list: "@NAS_ebook"
|
||||
browseable: true
|
||||
- name: music
|
||||
comment: "music"
|
||||
write_list: "@NAS_music"
|
||||
browseable: true
|
||||
- name: photo
|
||||
comment: "photo"
|
||||
write_list: "@NAS_photo"
|
||||
browseable: true
|
||||
- name: download
|
||||
comment: "downlaod"
|
||||
write_list: "@NAS_download"
|
||||
browseable: true
|
||||
samba_load_homes: True
|
||||
samba_homes_include: samba_homes_include.conf
|
@ -4,7 +4,7 @@ systemd_mounts:
|
||||
mount: /mnt/diskstation/nomad
|
||||
type: nfs
|
||||
options:
|
||||
- "vers=4"
|
||||
- " "
|
||||
automount: "{{ env_automount }}"
|
||||
enabled: true
|
||||
hetzner_storage:
|
||||
@ -13,8 +13,8 @@ systemd_mounts:
|
||||
type: cifs
|
||||
options:
|
||||
- credentials=/etc/creds/hetzner_credentials
|
||||
- uid=100001
|
||||
- gid=10
|
||||
- uid= 100001
|
||||
- gid= 10
|
||||
- vers=3.0
|
||||
- mfsymlinks
|
||||
automount: "{{ env_automount }}"
|
||||
|
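Review bot: The `- uid= 100001` and `- gid= 10` entries carry a space after `=`, so the joined option string becomes `uid= 100001,gid= 10`, which mount.cifs is unlikely to accept as a numeric uid/gid; the page does not show which side of the hunk these are on, but the unspaced `- uid=100001` / `- gid=10` form is the one that should survive. If the spaced form is the new side, the `hetzner_storage` share either mounts with the wrong ownership or fails at mount-unit activation, which the playbook itself will not report.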
@ -4,4 +4,4 @@ system_arch_local_mirror: "https://arch.{{domain.name}}/repo/archlinux_$arch"
|
||||
system_sudoers_group: "serverAdmin"
|
||||
system_ipV6_disable: True
|
||||
system_ip_unprivileged_port_start: 0
|
||||
wireguard_mtu: 1420
|
||||
nas_ip: "{{ hostvars[groups['NAS'][0]]['ansible_facts']['default_ipv4']['address']|default('192.168.1.10')}}"
|
||||
|
@ -1,8 +1,4 @@
|
||||
docker_daemon_config:
|
||||
dns:
|
||||
- 172.17.0.1
|
||||
- 192.168.1.6
|
||||
mtu: 1420
|
||||
insecure-registries:
|
||||
- 192.168.1.0/24
|
||||
- 192.168.121.0/24
|
||||
- 192.168.1.5
|
||||
|
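Review bot: Whichever `insecure-registries` entries survive on the new side of this hunk (the counts show five lines leaving and one arriving, so the page does not settle it), the `192.168.1.0/24` and `192.168.121.0/24` entries mark whole subnets rather than one registry, so the daemon will accept an invalid certificate and fall back to plain HTTP for any address in those ranges. If the local registry still needs the exception, list its single `host:port` (the `192.168.1.5` entry is already closer to that) and preferably serve it over TLS with a locally trusted CA so image pulls keep their integrity on the LAN. A one-line comment naming the registry the entry exists for would help the next reader decide whether it can go.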
@ -2,7 +2,6 @@ nomad_docker_allow_caps:
|
||||
- NET_ADMIN
|
||||
- NET_BROADCAST
|
||||
- NET_RAW
|
||||
nomad_allow_privileged: True
|
||||
nomad_vault_enabled: true
|
||||
nomad_vault_address: "http://active.vault.service.{{consul_domain}}:8200"
|
||||
nomad_vault_role: "nomad-cluster"
|
||||
|
42
ansible/group_vars/all/server
Normal file
@ -0,0 +1,42 @@
|
||||
consul_client_addr: "0.0.0.0"
|
||||
consul_datacenter: "homelab"
|
||||
consul_backup_location: "/mnt/diskstation/git/backup/consul"
|
||||
consul_ansible_group: all
|
||||
consul_bootstrap_expect: 3
|
||||
nomad_docker_allow_caps:
|
||||
- NET_ADMIN
|
||||
- NET_BROADCAST
|
||||
- NET_RAW
|
||||
nomad_vault_enabled: true
|
||||
nomad_vault_address: "http://active.vault.service.consul:8200"
|
||||
nomad_vault_role: "nomad-cluster"
|
||||
nomad_vault_token: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:nomad_vault_token') }}"
|
||||
nomad_bootstrap_expect: 3
|
||||
notification_mail: "{{inventory_hostname}}@{{ domain_name }}"
|
||||
msmtp_mailhub: smtp.{{ domain_name }}
|
||||
msmtp_auth_user: "{{ user.mail }}"
|
||||
msmtp_auth_pass: "{{ lookup('hashi_vault','secret=secrets/data/ansible/other:email') }}"
|
||||
|
||||
system_user:
|
||||
- name: drone-deploy
|
||||
home: /home/drone-deploy
|
||||
shell: /bin/bash
|
||||
privatekey:
|
||||
- keyname: id_gitea
|
||||
key: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
|
||||
|
||||
|
||||
authorized_keys:
|
||||
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUaK+pQlosmopbZfucll9UdqDOTaODOBwoxRwkJEk1i drone@oscar
|
||||
|
||||
- name: ansible
|
||||
home: /home/ansible
|
||||
shell: /bin/bash
|
||||
|
||||
- name: root
|
||||
home: /root
|
||||
privatekey:
|
||||
- keyname: id_gitea
|
||||
key: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
|
||||
|
||||
|
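Review bot: `consul_client_addr: "0.0.0.0"` binds the Consul HTTP/DNS client API on every interface of every host in the `all` group, and nothing in this new file configures ACLs or TLS for that API; the per-host override further down the page (`consul_client_addr: "127.0.0.1 10.0.0.4"`) shows the narrower pattern, so prefer loopback plus the specific WireGuard/LAN address per host here as well. `nomad_vault_address` uses `http://`, so the `nomad_vault_token` fetched from Vault is presented to Vault in clear every time Nomad renews it; switch to `https://` once the Vault listener has a certificate, or add a comment stating why TLS is off on that path. `notification_mail` and `msmtp_mailhub` reference `{{ domain_name }}`, whereas the rest of the page uses the `domain.name` mapping (`lan.{{ domain.name }}`, `domain: name: ducamps-dev.eu`); unless `domain_name` is defined elsewhere, templating those two variables fails with an undefined variable.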
@ -1,5 +1,5 @@
|
||||
sssd_configure: true
|
||||
# sssd_configure is False by default - by default nothing is done by this role.
|
||||
ldap_search_base: "dc=ducamps,dc=eu"
|
||||
ldap_uri: "ldaps://ldaps.service.consul"
|
||||
ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=eu"
|
||||
ldap_search_base: "dc=ducamps,dc=win"
|
||||
ldap_uri: "ldaps://ldap.ducamps.eu"
|
||||
ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=win"
|
||||
|
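Review bot: If `ldap_uri: "ldaps://ldaps.service.consul"` is the new side (the page does not mark it), the LDAP server's certificate must carry `ldaps.service.consul` as a SAN, otherwise sssd's hostname check fails and the usual workaround — relaxing `ldap_tls_reqcert` — silently gives up the `ldaps` guarantee the rename relies on. A short comment next to `ldap_uri` naming the CA and SAN the Consul-resolved name is validated against would let a reader confirm this without reading the PKI role.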
@ -39,4 +39,4 @@ user_custom_host:
|
||||
user: "git"
|
||||
keyfile: "~/.ssh/id_gitea"
|
||||
|
||||
user_config_repo: "ssh://git@git.ducamps.eu:2222/vincent/conf2.git"
|
||||
user_config_repo: "ssh://git@git.{{ domain.name }}:2222/vincent/conf2.git"
|
||||
|
@ -1,12 +1,11 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
61326233336236343231396231306638373837653661313334313261313539316532373437346132
|
||||
3931306637303530373032663236363466383433316161310a396439393564643731656664663639
|
||||
32386130663837303663376432633930393663386436666263313939326631616466643237333138
|
||||
3365346131636333330a376436323964656563363664336638653564656231636136663635303439
|
||||
35346461356337303064623861326331346263373539336335393566623462343464323065366237
|
||||
61346637326336613232643462323733366530656439626234663335633965376335623733336162
|
||||
37323739376237323534613361333831396531663637666161666366656237353563626164626632
|
||||
33326336353663356235373835666166643465666562616663336539316233373430633862613133
|
||||
36363831623361393230653161626131353264366634326233363232336635306266376363363739
|
||||
66373434343330633337633436316135656533613465613963363931383266323466653762623365
|
||||
363332393662393532313063613066653964
|
||||
34356264306639303930393736376562653636383538623131343939323563653938616534623163
|
||||
6536366261666662376533393836626664373766313439660a363331326231303638626165393164
|
||||
63323063623365393566643230653964393565636430303365653233323931646236366664346430
|
||||
3162383233656139320a323133323262386638363738346336613862626539386538633864613131
|
||||
30306539376639303365323665613732616138346530346162633761386466626238373065316230
|
||||
38396662363364336134306130616661643835616161313535613331303133383334393333653335
|
||||
66363538313631373736396333363837376664616166663665343030336232346237333965303861
|
||||
36613763666135393531653637616463333461343232366137656336383239623166633338646561
|
||||
39336563636665396666663339306534643661366264623061626661343762373037383037373561
|
||||
3431656130306133323436616531343034366665636434333362
|
||||
|
@ -1,10 +1,42 @@
|
||||
systemd_mounts:
|
||||
diskstation_git:
|
||||
share: "{{ nas_ip }}:{{ env_default_nfs_path }}//git"
|
||||
mount: /mnt/diskstation/git
|
||||
type: nfs
|
||||
options:
|
||||
- " "
|
||||
automount: "{{ env_automount }}"
|
||||
enabled: true
|
||||
diskstation_CardDav:
|
||||
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/CardDav"
|
||||
mount: /mnt/diskstation/CardDav
|
||||
type: nfs
|
||||
options:
|
||||
- " "
|
||||
automount: "{{ env_automount }}"
|
||||
enabled: true
|
||||
backup_disk:
|
||||
share: /dev/sdb1
|
||||
mount: /mnt/backup
|
||||
type: ntfs-3g
|
||||
options:
|
||||
- " "
|
||||
automount: "{{ env_automount }}"
|
||||
enabled: "{%if inventory_hostname in groups['staging'] %} false {% else %} true {% endif %}"
|
||||
diskstation_home:
|
||||
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/homes/admin"
|
||||
mount: /mnt/diskstation/home
|
||||
type: nfs
|
||||
options:
|
||||
- " "
|
||||
automount: "{{ env_automount }}"
|
||||
enabled: true
|
||||
diskstation_photo:
|
||||
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/photo"
|
||||
mount: /mnt/diskstation/photo
|
||||
type: nfs
|
||||
options:
|
||||
- "vers=4"
|
||||
- " "
|
||||
automount: "{{ env_automount }}"
|
||||
enabled: true
|
||||
diskstation_music:
|
||||
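Review bot: `enabled: "{%if inventory_hostname in groups['staging'] %} false {% else %} true {% endif %}"` renders to the strings ` false ` / ` true ` with surrounding spaces, and a padded ` true ` is not one of the spellings Ansible's boolean conversion recognises, so depending on how the mount role consumes `enabled` the backup mount may end up disabled on every host; `enabled: "{{ inventory_hostname not in groups['staging'] }}"` yields a real boolean. Two smaller things in the same hunk, both assuming these are added lines as the `+1,42` count suggests: `diskstation_git` builds its share as `{{ env_default_nfs_path }}//git` with a doubled slash where every sibling uses a single one, and `backup_disk` mounts `/dev/sdb1` by device name, which can change across reboots for an external NTFS disk — a `UUID=<backup-disk-uuid>` style share (placeholder; take the real value from `blkid`) is the stable form.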
@ -12,7 +44,7 @@ systemd_mounts:
|
||||
mount: /mnt/diskstation/music
|
||||
type: nfs
|
||||
options:
|
||||
- "vers=4"
|
||||
- " "
|
||||
automount: "{{ env_automount }}"
|
||||
enabled: true
|
||||
diskstation_media:
|
||||
@ -20,16 +52,23 @@ systemd_mounts:
|
||||
mount: /mnt/diskstation/media
|
||||
type: nfs
|
||||
options:
|
||||
- "vers=4"
|
||||
- " "
|
||||
automount: "{{ env_automount }}"
|
||||
enabled: true
|
||||
|
||||
diskstation_ebook:
|
||||
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/ebook"
|
||||
mount: /mnt/diskstation/ebook
|
||||
type: nfs
|
||||
options:
|
||||
- "vers=4"
|
||||
- " "
|
||||
automount: "{{ env_automount }}"
|
||||
enabled: true
|
||||
diskstation_archMirror:
|
||||
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/archMirror"
|
||||
mount: /mnt/diskstation/archMirror
|
||||
type: nfs
|
||||
options:
|
||||
- " "
|
||||
automount: "{{ env_automount }}"
|
||||
enabled: true
|
||||
diskstation_nomad:
|
||||
@ -40,11 +79,3 @@ systemd_mounts:
|
||||
- " "
|
||||
automount: "{{ env_automount }}"
|
||||
enabled: true
|
||||
diskstation_download:
|
||||
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/download"
|
||||
mount: /mnt/diskstation/download
|
||||
type: nfs
|
||||
options:
|
||||
- "vers=4"
|
||||
automount: "{{ env_automount }}"
|
||||
enabled: true
|
||||
|
@ -24,10 +24,6 @@ postgresql_databases:
|
||||
owner: pdns-auth
|
||||
- name: pdns-admin
|
||||
owner: pdns-admin
|
||||
- name: mealie
|
||||
owner: mealie
|
||||
- name: immich
|
||||
owner: immich
|
||||
|
||||
postgresql_hba_entries:
|
||||
- {type: local, database: all, user: postgres, auth_method: peer}
|
||||
@ -36,11 +32,5 @@ postgresql_hba_entries:
|
||||
- {type: host, database: all, user: all, address: '::1/128', auth_method: md5}
|
||||
- {type: host, database: all, user: all, address: '::0/128', auth_method: md5}
|
||||
- {type: host, database: all, user: all, address: '0.0.0.0/0', auth_method: md5}
|
||||
|
||||
postgresql_global_config_options:
|
||||
- option: unix_socket_directories
|
||||
value: '{{ postgresql_unix_socket_directories | join(",") }}'
|
||||
- option: listen_addresses
|
||||
value: '*'
|
||||
- option: wal_keep_size
|
||||
value: 200
|
||||
- {type: host, database: replication, user: repli, address:192.168.1.42/32, auth_method: md5}
|
||||
- {type: host, database: replication, user: repli, address:192.168.1.40/32, auth_method: md5}
|
||||
|
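Review bot: Both added `replication` entries are written `address:192.168.1.42/32` with no space after the colon; inside a `{...}` flow mapping YAML does not treat that as a key/value pair, so depending on the loader it is either a parse error or a key literally named `address:192.168.1.42/32` with a null value, and the generated `pg_hba.conf` line would lack its address column. Write them as `address: 192.168.1.42/32` and `address: 192.168.1.40/32`. While touching these lines, `scram-sha-256` is the `auth_method` to prefer over `md5` for a replication user on any PostgreSQL version that supports it.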
@ -1,54 +1,45 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
39363436643831373861376361613830316334613939346338616636393462663033393261633838
|
||||
6337336161393063646136613538396366653538656435360a303062636463383739653730346639
|
||||
61323634306265613336313634653039313639663836363032353261383566393865613166613032
|
||||
3837313634633466610a313062646237396138316361303361663565353862363139343566306539
|
||||
38303161303163323265376539323939393938373965353934303535613962653534363362346563
|
||||
61643638353138623162353364353736396162613735333063633739346132613161303564356437
|
||||
62343535363263646463306466663536613937393463666336396332646533343439613433626566
|
||||
38643363343065393165646134343935386461626166316662356365366666363737653336626631
|
||||
64643230616431396666666462303366343164323233303139643939346635353730316234386163
|
||||
35613235643034643833393233373536383863333763393066373564353535353463363336316335
|
||||
63363537643432663266386438316563656663656462333039303861393364333966383430643263
|
||||
63356435373064633861343137616637393161383361306135373864386235653034323732316663
|
||||
65336465386135663532356433386562666639333464633362663131646237613034646563396133
|
||||
33303464633635636233626633353038656230373266666132323561383866343632333561323363
|
||||
61346664623338376436373332646232646235323639633262666166346535663238653563363239
|
||||
34663365633363313433376333653534333364393635316235333965383262313563373161663065
|
||||
36393565396534353235623238303835343334646632306638306332336539616463393966653538
|
||||
35336462623031326539633139636533633632623137393463333531663935323765663139306361
|
||||
66643434393533313039356434326438626265323066613966323634306632653765363834613034
|
||||
30373039336536393865383265643335396232643537343363313338383838383030386665303237
|
||||
64363666346535633237353462333232623132353031323231623338356136656261303662656465
|
||||
31313039643561623635643435333133663032313964323061393231666336343233363038616231
|
||||
36356262326530383233336130326361613431623866633832663361633937646461343731343938
|
||||
33306262346463623935663466356264393837626239313739356431653163376563333234346566
|
||||
38373663643532313635333131663239383736343930623735323861663037356136353433633865
|
||||
63626435613936303661366637623338633961643137613933303735366265663933396130363039
|
||||
34396637643638613839306639343765393539653164616536653661373264376436626639316666
|
||||
61303835323761643531326438363035343539383464376433363534623934366534373631353364
|
||||
61383866323737316430303736366533643939313637393631303833363431613562303639323939
|
||||
66313434613963656464383964313734383938353366306462666537653563336465376464303538
|
||||
34336531663334303938333739313638636363623562613536333736386137363139653164626261
|
||||
62663662316365663563646164303935323866633336633939323837393962393130626330666233
|
||||
63663661303565646236623130663034636264353235376561306630376365613966663536303963
|
||||
63643161386435633831393334333035653761393863373731616239313235383033633439376166
|
||||
39613762376162386231633938393036633461303732323337656430373430636435313337303365
|
||||
37646461336339623339316663616636373036656564383462356562306465623762653162633963
|
||||
35636466386138333564666564323034393162633965386133643235303938616439333130353637
|
||||
61343536323034366464653138353665326436396133313432666563353335383733363335613562
|
||||
61646365346665383866623364396138323666326338313530353663323938613362653038313339
|
||||
32613663616535313661386538366330373364366637386634633437646362383764346263636434
|
||||
35616166393065343038643861636333373738363335353164326435303961326662356230323262
|
||||
35656531653535643630376330393731643532353132366662636664626132646632306361323035
|
||||
31373136616435336362633439356339336466313337623538383763386132396135653864386638
|
||||
31393864363466653137643565306462616238333435343036613331653866393532313861376331
|
||||
33646636623666343439616332386363373664346164313963623861393134666463383366633539
|
||||
35313761333564303635656364303566643436393130356163623137313530653539656537653139
|
||||
38336636623732313630303933303962303561376436623737633139643564343166326335386639
|
||||
31373437336139326562613339393235393065396538333566323864643639303132313733396132
|
||||
35613532396363326166313061353136373965303964623534653634613639303764393038333037
|
||||
63656131616463663565653134363336326139303736313138366262616338643339316231663631
|
||||
30656132386462393433313261313466303239346138623433643634616465656139343764353338
|
||||
62616139613731363665333438383861623837643432643134626461643631323034383262656439
|
||||
33653563323434343964633236353434643739333863636630636363633639373630
|
||||
64656332666561346439636331396439333566646361333031613764376634363061623635356630
|
||||
3832326235316435316264653637396130383465323234630a653138393161316232323236323366
|
||||
32363661633631623132323864663366633766396266623630636135396165663062353434613231
|
||||
6363646665626439610a313233313639333232393035633139326561316431393837616231313933
|
||||
38646532613665666136316635376533653161616630313532333330393364636662653331336637
|
||||
39353462336130333933383033656634633461333461393730633333343330306432623466623062
|
||||
32353962623338356630393935646537313335313335323464666265303732653633396332363965
|
||||
36356338386330653863646134623234623230356232643535643763303162626132333530626639
|
||||
39316166613862356264336362303833343236616635613136356433663766383861333832656261
|
||||
35613662653266396461383162303230613865373232353437646131633063633634346633383563
|
||||
31323736303537643433633235613464376230373332613331623439643462313362356437623463
|
||||
65326335653938626461353332356434303962376630626666666631386334316261653639623633
|
||||
34326633393330313064326562363838316366316361626662393435363262333264626333396136
|
||||
66353936623763323865656632373763303365316131663064343830663330323566346535316436
|
||||
63623931383461363364613632363661613734306535373536643236656161393634633435653862
|
||||
34316666353234646633633635653934373335396635343035663238323636323662346632303865
|
||||
35326333366439646661303437626238326435313032373031636535353963666263636635366234
|
||||
36336562633666623932653465376237366232306262386565646631346432346631353566326535
|
||||
32356337333762653161376439353035323633363833633862336134366132623963326231643461
|
||||
35623863373730313935393631626266336465613261636364353533666233613831323031643035
|
||||
32663630316264633932643132633061303438613339646264666334306630643038323632366330
|
||||
31366365333039636434613537386436313539396632613766333136663638393462653263613165
|
||||
33323937313031626233623237616464323939303131613465326362346632346538323161343362
|
||||
65353839386133326233356561363864336261663135343865323861623330613736333835396261
|
||||
64653361333530326630363633383836396565646463396239616261646635303535316135306537
|
||||
64343830616566663633323531383464383834373539646637633465616533383238346565303337
|
||||
34386561626266303833353665306335326264343533386263626562373633303135313735643733
|
||||
37333766373465326133663663303166316134643732343938343930616631383137356137373564
|
||||
31633831663264653762326534343635323364313632353661323330646638363062346137646337
|
||||
61323334623434613333613038633637666131393338653839373835633062396661653537343138
|
||||
61643961623366393735393438356461333731326265313937613066323038313163353835363135
|
||||
33323932353264313536393865373232333930613636343661613033656165616237373439383531
|
||||
38393932366633616639303964386333386462353935646432663330313137306465386634633931
|
||||
33656533306665653836363830363164303039356463386130663536636330396138643363383838
|
||||
35393966646630663535623836303262353739353063303763333530383630353838623939376535
|
||||
34343239373831623232343530396561393730303066323236306539333263656133366363396534
|
||||
30666662336435313561666536643231633562663037353837303936326164353366333032656431
|
||||
39303063343536336431336637323239356432616562656565306561666664663930303232313464
|
||||
34333236613239656562323037656137376135396636323361383565336636303338663138396238
|
||||
65396130303931393266636630656637333464346361303763653931383464326365333232623437
|
||||
61623263316562643636386637303531626238333131656130306236636230626362653935353331
|
||||
34366663303235653431616135343963643935303336313231343562376430343564393832343335
|
||||
36363130313533373137383738346438666634303537633232636535303835636333653636303937
|
||||
39356339656234303432
|
||||
|
@ -3,7 +3,7 @@ dhcpd_lease_time: '72'
|
||||
dhcpd_domain_name: "lan.{{ domain.name }}"
|
||||
dhcpd_nameservers:
|
||||
- '192.168.1.4'
|
||||
- '192.168.1.40'
|
||||
- '192.168.1.41'
|
||||
|
||||
dhcpd_zones:
|
||||
- zone: "lan.{{ domain.name }}."
|
||||
@ -41,10 +41,18 @@ dhcpd_hosts:
|
||||
|
||||
- hostname: 'oscar'
|
||||
address: '192.168.1.40'
|
||||
ethernet: '68:1D:EF:3C:F0:44'
|
||||
ethernet: '7C:83:34:B3:49:9A'
|
||||
- hostname: 'bleys'
|
||||
address: '192.168.1.42'
|
||||
ethernet: '14:B3:1F:14:C0:D2'
|
||||
ethernet: '68:1d:ef:2b:3d:24'
|
||||
- hostname: 'VMAS-HML'
|
||||
address: '192.168.1.50'
|
||||
ethernet: '52:54:00:02:74:ed'
|
||||
|
||||
- hostname: 'VMAS-BUILD'
|
||||
address: '192.168.1.53'
|
||||
ethernet: '52:54:13:1e:93'
|
||||
|
||||
|
||||
- hostname: 'xiaomi-chambre-gateway'
|
||||
address: '192.168.1.61'
|
||||
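Review bot: The new `VMAS-BUILD` host has `ethernet: '52:54:13:1e:93'`, which is only five octets; isc-dhcpd expects a `hardware ethernet` value of six colon-separated bytes and should reject the generated dhcpd.conf, so the service will not (re)start until the address is corrected. Replace it with the machine's real six-octet MAC, e.g. `ethernet: '52:54:00:xx:xx:xx'` as a placeholder — the `52:54:00` prefix is what the sibling `VMAS-HML` entry uses for a libvirt NIC. The hunk counts (`-41,10 +41,18`) confirm both VMAS blocks are on the added side, so this is not a rendering artefact.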
@ -61,7 +69,4 @@ dhcpd_hosts:
|
||||
- hostname: 'shelly-chambre-ventilo'
|
||||
address: '192.168.1.65'
|
||||
ethernet: 'e0:98:06:97:78:0b'
|
||||
- hostname: 'shelly-Bureau-chauffeau'
|
||||
address: '192.168.1.66'
|
||||
ethernet: '8c:aa:b5:42:b9:b9'
|
||||
|
||||
|
@ -1,2 +1,3 @@
|
||||
nomad_datacenter: homelab
|
||||
nomad_allow_privileged: True
|
||||
system_wol_enable: True
|
||||
|
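Review bot: `nomad_allow_privileged: True` lets any job submitted to this datacenter request `privileged = true` in its Docker driver config, and a privileged container is effectively root on the client host (full device and capability access, no seccomp/AppArmor confinement); the `nomad_docker_allow_caps` hunk earlier on the page already grants `NET_ADMIN`/`NET_RAW`, which covers most of the network-plumbing jobs that usually motivate this. If the line is new here (it is the one that leaves that earlier hunk, so this may only be a move), it deserves a comment naming the job(s) that need it, and ideally a Nomad ACL policy or a dedicated node class so the allowance is not cluster-wide.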
@ -7,7 +7,6 @@ nomad_client_meta:
|
||||
- name: "env"
|
||||
value: "production"
|
||||
vault_unseal_keys_dir_output: "~/vaultUnseal/production"
|
||||
env_default_nfs_path: ""
|
||||
env_default_nfs_path: "/volume2"
|
||||
env_media_nfs_path: "/volume1"
|
||||
env_automount: true
|
||||
nas_ip: "192.168.1.43"
|
||||
|
@ -1,5 +1,5 @@
|
||||
domain:
|
||||
name: ducamps.dev
|
||||
name: ducamps-dev.eu
|
||||
#systemd_mounts: []
|
||||
#systemd_mounts_enabled: []
|
||||
consul_bootstrap_expect: 2
|
||||
@ -14,8 +14,6 @@ hosts_entries:
|
||||
- ip: "{{ hostvars['nas-dev']['ansible_default_ipv4']['address'] }}"
|
||||
name: diskstation.ducamps.eu
|
||||
|
||||
env_default_nfs_path: ""
|
||||
env_automount: true
|
||||
nas_ip: "nfs.service.consul"
|
||||
|
||||
|
||||
env_default_nfs_path: "/var/local/volume1"
|
||||
env_media_nfs_path: "{{ env_default_nfs_path }}"
|
||||
env_automount: false
|
||||
|
@ -1,10 +1,6 @@
|
||||
---
|
||||
ansible_host: "192.168.1.42"
|
||||
ansible_python_interpreter: "/usr/bin/python3"
|
||||
default_interface: "enp0s31f6"
|
||||
consul_iface: "{{ default_interface}}"
|
||||
vault_iface: "{{ default_interface}}"
|
||||
nfs_iface: "{{ default_interface}}"
|
||||
wireguard_address: "10.0.0.7/24"
|
||||
wireguard_byhost_allowed_ips:
|
||||
merlin: 10.0.0.7,192.168.1.42,192.168.1.0/24
|
||||
@ -15,13 +11,13 @@ wireguard_endpoint: ""
|
||||
wireguard_postup:
|
||||
- iptables -A FORWARD -i wg0 -j ACCEPT
|
||||
- iptables -A FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -A POSTROUTING -o {{default_interface}} -j MASQUERADE
|
||||
- iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
|
||||
- sysctl -w net.ipv4.ip_forward=1
|
||||
|
||||
wireguard_postdown:
|
||||
- iptables -D FORWARD -i wg0 -j ACCEPT
|
||||
- iptables -D FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -D POSTROUTING -o {default_interface} -j MASQUERADE
|
||||
- iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
|
||||
- sysctl -w net.ipv4.ip_forward=0
|
||||
|
||||
partition_table:
|
||||
|
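Review bot: The postdown line `iptables -t nat -D POSTROUTING -o {default_interface} -j MASQUERADE` uses single braces, so Jinja leaves it untouched and the rule is deleted for a literal interface named `{default_interface}`; the MASQUERADE rule added in postup therefore survives `wg-quick down`. The page does not show which side of the hunk this is on; if it is the new side, fix it to `{{ default_interface }}` or use the hardcoded interface name consistently in both lists, as the two host hunks that follow do. Note also that the preceding hunk (`-1,10 +1,6`) drops `default_interface: "enp0s31f6"` together with the `*_iface` lines, so any `{{ default_interface }}` reference that survives needs the variable defined at group level.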
@ -1,23 +1,22 @@
|
||||
---
|
||||
ansible_host: 10.0.0.1
|
||||
#ansible_host: 135.181.150.203
|
||||
default_interface: "eth0"
|
||||
|
||||
wireguard_address: "10.0.0.1/24"
|
||||
wireguard_endpoint: "135.181.150.203"
|
||||
wireguard_persistent_keepalive: "20"
|
||||
wireguard_allowed_ips: 10.0.0.1
|
||||
wireguard_allowed_ips: "10.0.0.1/32,10.0.0.3/32,10.0.0.5/32"
|
||||
|
||||
wireguard_postup:
|
||||
- iptables -A FORWARD -o %i -j ACCEPT
|
||||
- iptables -A FORWARD -i %i -j ACCEPT
|
||||
- iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
||||
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
- sysctl -w net.ipv4.ip_forward=1
|
||||
- resolvectl dns %i 192.168.1.4 192.168.1.41; resolvectl domain %i '~ducamps.win' '~ducamps.eu' '~{{ consul_domain }}'
|
||||
|
||||
wireguard_postdown:
|
||||
- iptables -D FORWARD -i %i -j ACCEPT
|
||||
- iptables -D FORWARD -o %i -j ACCEPT
|
||||
- iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
||||
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
||||
- sysctl -w net.ipv4.ip_forward=0
|
||||
|
||||
wireguard_unmanaged_peers:
|
||||
|
@ -1,10 +1,6 @@
|
||||
---
|
||||
ansible_host: "192.168.1.41"
|
||||
ansible_python_interpreter: "/usr/bin/python3"
|
||||
default_interface: "enu1u1"
|
||||
consul_iface: "{{ default_interface }}"
|
||||
vault_iface: "{{ default_interface }}"
|
||||
|
||||
wireguard_address: "10.0.0.6/24"
|
||||
wireguard_byhost_allowed_ips:
|
||||
merlin: 10.0.0.6,192.168.1.41
|
||||
@ -15,10 +11,10 @@ wireguard_endpoint: ""
|
||||
wireguard_postup:
|
||||
- iptables -A FORWARD -i wg0 -j ACCEPT
|
||||
- iptables -A FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
||||
- iptables -t nat -A POSTROUTING -o enu1u1 -j MASQUERADE
|
||||
|
||||
wireguard_postdown:
|
||||
- iptables -D FORWARD -i wg0 -j ACCEPT
|
||||
- iptables -D FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
||||
- iptables -t nat -D POSTROUTING -o enu1u1 -j MASQUERADE
|
||||
|
||||
|
@ -1,8 +1,4 @@
|
||||
---
|
||||
|
||||
default_interface: eth0
|
||||
vault_iface: "{{ default_interface}}"
|
||||
ansible_host: gerard-dev.lan.ducamps.dev
|
||||
wireguard_address: "10.0.1.6/24"
|
||||
perrsistent_keepalive: "20"
|
||||
wireguard_endpoint: ""
|
||||
@ -10,10 +6,10 @@ wireguard_endpoint: ""
|
||||
wireguard_postup:
|
||||
- iptables -A FORWARD -i wg0 -j ACCEPT
|
||||
- iptables -A FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
||||
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
||||
wireguard_postdown:
|
||||
- iptables -D FORWARD -i wg0 -j ACCEPT
|
||||
- iptables -D FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -D POSTROUTING -o {{ default_interface}} -j MASQUERADE
|
||||
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
||||
|
@ -1,39 +1,31 @@
|
||||
---
|
||||
ansible_host: 10.0.0.4
|
||||
#ansible_host: 65.21.2.14
|
||||
default_interface: "ens3"
|
||||
nfs_iface: "wg0"
|
||||
|
||||
wireguard_address: "10.0.0.4/24"
|
||||
wireguard_endpoint: "65.21.2.14"
|
||||
wireguard_persistent_keepalive: "20"
|
||||
wireguard_byhost_allowed_ips:
|
||||
oscar: "0.0.0.0/0"
|
||||
bleys: "0.0.0.0/0"
|
||||
wireguard_allowed_ips: "10.0.0.4/32,10.0.0.3,10.0.0.5"
|
||||
wireguard_endpoint: "95.216.217.5"
|
||||
wireguard_persistent_keepalive: "30"
|
||||
wireguard_allowed_ips: "10.0.0.4/32,10.0.0.3/32,10.0.0.5/32"
|
||||
|
||||
wireguard_postup:
|
||||
- iptables -A FORWARD -o %i -j ACCEPT
|
||||
- iptables -A FORWARD -i %i -j ACCEPT
|
||||
- iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
||||
- sysctl -w net.ipv4.ip_forward=1
|
||||
- resolvectl dns %i 192.168.1.4 192.168.1.41; resolvectl domain %i '~ducamps.win' '~ducamps.eu' '~{{ consul_domain }}'
|
||||
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
||||
wireguard_postdown:
|
||||
- iptables -D FORWARD -i %i -j ACCEPT
|
||||
- iptables -D FORWARD -o %i -j ACCEPT
|
||||
- iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
||||
- sysctl -w net.ipv4.ip_forward=0
|
||||
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
||||
wireguard_unmanaged_peers:
|
||||
phone:
|
||||
public_key: IYKgrQ2VJUbOnupSqedOfIilsbmBBABZUTRF9ZoTrkc=
|
||||
public_key: ioG35kDFTtip+Acfq+je9qDHYbZij+J6+Pg3T6Z4N0w=
|
||||
allowed_ips: 10.0.0.3/32
|
||||
persistent_keepalive: 0
|
||||
zen:
|
||||
public_key: rYYljQw8InmM95pxCP9KyZ8R+kcicgnjr6E9qtkI1Ag=
|
||||
allowed_ips: 10.0.0.5/32
|
||||
persistent_keepalive: 0
|
||||
wireguard_dns: "192.168.1.4,192.168.1.41"
|
||||
wireguard_dns: "192.168.1.41,192.168.1.4"
|
||||
consul_client_addr: "127.0.0.1 10.0.0.4"
|
||||
consul_bind_address: "10.0.0.4"
|
||||
consul_ui: True
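Review bot: The `sysctl -w net.ipv4.ip_forward=1` line in `wireguard_postup` and its `=0` counterpart in `wireguard_postdown` appear to be on the removed side of this hunk, while the FORWARD and MASQUERADE rules that depend on forwarding stay on the new side. Unless `net.ipv4.ip_forward` is enabled for this host elsewhere (a sysctl.d drop-in or the wireguard role), the remaining rules are inert and peers that route through 10.0.0.4 lose connectivity with nothing failing in the play; either keep the sysctl lines or add a comment naming where forwarding is now managed. Separately, `#ansible_host: 65.21.2.14` is a stale commented-out value next to the live `ansible_host: 10.0.0.4`; drop it or replace it with a comment saying which address it is and when it applies.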
|
||||
@ -43,7 +35,7 @@ nomad_host_networks:
|
||||
- name: "private"
|
||||
interface: wg0
|
||||
- name: "public"
|
||||
interface: ens3
|
||||
interface: eth0
|
||||
- name: "default"
|
||||
interface: wg0
|
||||
vault_listener_address: 10.0.0.4
|
||||
|
@ -1,8 +1,4 @@
|
||||
---
|
||||
|
||||
ansible_host: merlin-dev.lan.ducamps.dev
|
||||
default_interface: eth0
|
||||
vault_iface: "{{ default_interface}}"
|
||||
wireguard_address: "10.0.1.4/24"
|
||||
wireguard_endpoint: "{{ ansible_default_ipv4.address }}"
|
||||
wireguard_persistent_keepalive: "30"
|
||||
@ -10,12 +6,12 @@ wireguard_persistent_keepalive: "30"
|
||||
wireguard_postup:
|
||||
- iptables -A FORWARD -o %i -j ACCEPT
|
||||
- iptables -A FORWARD -i %i -j ACCEPT
|
||||
- iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
||||
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
||||
wireguard_postdown:
|
||||
- iptables -D FORWARD -i %i -j ACCEPT
|
||||
- iptables -D FORWARD -o %i -j ACCEPT
|
||||
- iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
||||
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
||||
wireguard_unmanaged_peers:
|
||||
phone:
|
||||
|
16
ansible/host_vars/nas
Normal file
@ -0,0 +1,16 @@
|
||||
---
|
||||
wireguard_address: "10.0.1.8/24"
|
||||
perrsistent_keepalive: "30"
|
||||
wireguard_endpoint: ""
|
||||
wireguard_byhost_allowed_ips:
|
||||
merlin: 10.0.0.8,192.168.1.10
|
||||
corwin: 10.0.0.8,192.168.1.10
|
||||
wireguard_postup:
|
||||
- iptables -A FORWARD -i wg0 -j ACCEPT
|
||||
- iptables -A FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
||||
wireguard_postdown:
|
||||
- iptables -D FORWARD -i wg0 -j ACCEPT
|
||||
- iptables -D FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
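Review bot: `wireguard_address: "10.0.1.8/24"` does not agree with `wireguard_byhost_allowed_ips` (`merlin: 10.0.0.8,192.168.1.10` and `corwin: 10.0.0.8,192.168.1.10`): the peers are told to route 10.0.0.8 to this host while the host itself sits on 10.0.1.8, so traffic to its tunnel address will not match the peers' AllowedIPs. The other production hosts pair the two consistently (`wireguard_address: "10.0.0.2/24"` with `merlin: 10.0.0.2,…` in the oscar hunk) and the *-dev hosts use the 10.0.1.x range, and the 19-line host_vars file deleted later in this commit carried `10.0.0.8/24` for the same peer entries, so this looks like a staging address copied into a production host file. Change it to `wireguard_address: "10.0.0.8/24"` unless the move to 10.0.1.x is intended, in which case update both allowed-IP entries as well.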
|
@ -1,7 +1,4 @@
|
||||
---
|
||||
ansible_host: nas-dev.lan.ducamps.dev
|
||||
default_interface: eth0
|
||||
vault_iface: "{{ default_interface}}"
|
||||
wireguard_address: "10.0.1.8/24"
|
||||
perrsistent_keepalive: "30"
|
||||
wireguard_endpoint: ""
|
||||
@ -9,9 +6,9 @@ wireguard_endpoint: ""
|
||||
wireguard_postup:
|
||||
- iptables -A FORWARD -i wg0 -j ACCEPT
|
||||
- iptables -A FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
||||
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
||||
wireguard_postdown:
|
||||
- iptables -D FORWARD -i wg0 -j ACCEPT
|
||||
- iptables -D FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
||||
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
@ -1,19 +0,0 @@
|
||||
---
|
||||
wireguard_address: "10.0.0.8/24"
|
||||
default_interface: "enp2s0"
|
||||
consul_iface: "{{ default_interface}}"
|
||||
vault_iface: "{{ default_interface}}"
|
||||
perrsistent_keepalive: "30"
|
||||
wireguard_endpoint: ""
|
||||
wireguard_byhost_allowed_ips:
|
||||
merlin: 10.0.0.8,192.168.1.43
|
||||
corwin: 10.0.0.8,192.168.1.43
|
||||
wireguard_postup:
|
||||
- iptables -A FORWARD -i wg0 -j ACCEPT
|
||||
- iptables -A FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
||||
|
||||
wireguard_postdown:
|
||||
- iptables -D FORWARD -i wg0 -j ACCEPT
|
||||
- iptables -D FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
@ -1,9 +1,4 @@
|
||||
---
|
||||
default_interface: "enp1s0"
|
||||
consul_iface: "{{ default_interface}}"
|
||||
vault_iface: "{{ default_interface}}"
|
||||
nfs_iface: "{{ default_interface}}"
|
||||
nomad_client_cpu_total_compute: 8000
|
||||
wireguard_address: "10.0.0.2/24"
|
||||
wireguard_byhost_allowed_ips:
|
||||
merlin: 10.0.0.2,192.168.1.40
|
||||
@ -14,12 +9,12 @@ wireguard_endpoint: ""
|
||||
wireguard_postup:
|
||||
- iptables -A FORWARD -i wg0 -j ACCEPT
|
||||
- iptables -A FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
||||
- iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
|
||||
|
||||
wireguard_postdown:
|
||||
- iptables -D FORWARD -i wg0 -j ACCEPT
|
||||
- iptables -D FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
||||
- iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
|
||||
|
||||
partition_table:
|
||||
- device: "/dev/sda"
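Review bot: The MASQUERADE rules now hard-code `-o enp2s0`, but the `default_interface: "enp1s0"` line that the first hunk appears to remove named a different interface for this host, and `enp2s0` is the value the deleted 19-line host_vars file used for another machine. If oscar's uplink really is `enp1s0`, the new rule never matches (iptables does not validate the name) and tunnel traffic leaves un-NATed, with no error from the play. Please confirm the interface on the box and use the same name in both rules, e.g. `- iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE` and the matching `-D` line; the `partition_table` mapping continues outside this hunk.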
|
||||
|
@ -1,7 +1,4 @@
|
||||
---
|
||||
ansible_host: oscar-dev.lan.ducamps.dev
|
||||
default_interface: eth0
|
||||
vault_iface: "{{ default_interface}}"
|
||||
wireguard_address: "10.0.1.2/24"
|
||||
perrsistent_keepalive: "30"
|
||||
wireguard_endpoint: ""
|
||||
@ -9,9 +6,9 @@ wireguard_endpoint: ""
|
||||
wireguard_postup:
|
||||
- iptables -A FORWARD -i wg0 -j ACCEPT
|
||||
- iptables -A FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
||||
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
||||
wireguard_postdown:
|
||||
- iptables -D FORWARD -i wg0 -j ACCEPT
|
||||
- iptables -D FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
|
||||
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
@ -5,11 +5,7 @@ requirements:
|
||||
deploy_production:
|
||||
ansible-playbook site.yml -i production -u ansible
|
||||
|
||||
deploy_production_wiregard:
|
||||
ansible-playbook playbooks/wireguard.yml -i production -u ansible
|
||||
|
||||
deploy_staging:
|
||||
ansible-playbook playbooks/wireguard.yml -i staging -u ansible
|
||||
ansible-playbook site.yml -i staging -u ansible
|
||||
|
||||
|
||||
|
@ -1,26 +1,14 @@
|
||||
---
|
||||
- name: Consul install
|
||||
hosts: all
|
||||
roles:
|
||||
- role: ansible-consul
|
||||
become: true
|
||||
|
||||
- name: Vault install
|
||||
hosts: homelab
|
||||
roles:
|
||||
- role: ansible-hashicorp-vault
|
||||
become: true
|
||||
post_tasks:
|
||||
- name: Stat root file
|
||||
ansible.builtin.stat:
|
||||
path: "{{ vault_unseal_keys_dir_output }}/rootkey"
|
||||
register: rootkey_exist
|
||||
delegate_to: localhost
|
||||
- name: Reading root contents
|
||||
ansible.builtin.command: cat "{{ vault_unseal_keys_dir_output }}/rootkey"
|
||||
register: root_token
|
||||
delegate_to: localhost
|
||||
when: rootkey_exist.stat.exists
|
||||
changed_when: false
|
||||
- name: debug
|
||||
ansible.builtin.debug:
|
||||
@ -32,7 +20,7 @@
|
||||
period: 72h
|
||||
no_parent: true
|
||||
token: "{{ root_token.stdout }}"
|
||||
url: "http://active.vault.service.consul:8200"
|
||||
url: http://{{ ansible_default_ipv4.address }}:8200
|
||||
retries: 4
|
||||
run_once: true
|
||||
delegate_to: localhost
|
||||
@ -44,11 +32,13 @@
|
||||
nomad_vault_token: "{{ nomad_token_data.login.auth.client_token }}"
|
||||
when: nomad_token_data.login is defined
|
||||
|
||||
- name: nomad
|
||||
- name: Hashicorp stack
|
||||
hosts: all
|
||||
vars:
|
||||
unseal_keys_dir_output: ~/vaultunseal
|
||||
roles:
|
||||
- role: ansible-consul
|
||||
become: true
|
||||
- role: ansible-nomad
|
||||
become: true
|
||||
- role: docker
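Review bot: `Reading root contents` registers the Vault root token (`register: root_token`) without `no_log: true`, so the token is stored in the task result and printed by `-v` output and by any callback or logging plugin; the `debug` task that follows it (its body is cut by the hunk edge) may print it as well. Add `no_log: true` to that task and, if the debug exists to show the token, remove it. Separately, both the old and new `url:` values are plain `http://`, so the root token in `token: "{{ root_token.stdout }}"` travels in clear to `ansible_default_ipv4.address`; that is only acceptable if the listener is local or the network is trusted, and deserves a comment either way. The `Hashicorp stack` play in the last hunk continues outside this hunk.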
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
- hosts: all
|
||||
gather_facts: false
|
||||
become: true
|
||||
gather_facts: false
|
||||
roles:
|
||||
- ansible_bootstrap
|
||||
|
@ -14,15 +14,3 @@
|
||||
- docker
|
||||
become: true
|
||||
become_user: '{{ user.name }}'
|
||||
|
||||
- hosts: all
|
||||
roles:
|
||||
- role: user_config
|
||||
vars:
|
||||
user_config_username: "{{ user.name }}"
|
||||
become_user: "{{ user.name }}"
|
||||
become: true
|
||||
- role: user_config
|
||||
vars:
|
||||
user_config_username: root
|
||||
become: true
|
||||
|
@ -1,54 +1,16 @@
|
||||
---
|
||||
- name: Database playbook
|
||||
hosts: database
|
||||
- hosts: database
|
||||
vars:
|
||||
# certbot_force: true
|
||||
pre_tasks:
|
||||
- name: Install Pg vertors (immich)
|
||||
aur:
|
||||
name: pgvecto.rs-bin
|
||||
state: present
|
||||
become: true
|
||||
become_user: aur_builder
|
||||
- name: Add database member to pg_hba replication
|
||||
ansible.builtin.set_fact:
|
||||
postgresql_hba_entries: "{{ postgresql_hba_entries + [\
|
||||
{'type':'host', \
|
||||
'database': 'replication',\
|
||||
'user':'repli',\
|
||||
'address':hostvars[item]['ansible_'+hostvars[item]['default_interface']]['ipv4']['address']+'/32',\
|
||||
'auth_method':'trust'}] }}"
|
||||
loop: '{{ groups.database }}'
|
||||
roles:
|
||||
- role: ansible-role-postgresql
|
||||
become: true
|
||||
tasks:
|
||||
- name: Launch replication
|
||||
ansible.builtin.command: pg_basebackup -D /var/lib/postgres/data -h {{groups["database_active"]|first}} -U repli -Fp -Xs -P -R -w
|
||||
args:
|
||||
creates: /var/lib/postgres/data/postgresql.conf
|
||||
- name: add pg_read_all_data to dump
|
||||
community.postgresql.postgresql_membership:
|
||||
target_roles:
|
||||
- dump
|
||||
groups:
|
||||
- pg_read_all_data
|
||||
become: true
|
||||
become_user: postgres
|
||||
when: inventory_hostname in groups["database_standby"]
|
||||
- name: Ensure PostgreSQL is started and enabled on boot.
|
||||
ansible.builtin.service:
|
||||
name: '{{ postgresql_daemon }}'
|
||||
state: '{{ postgresql_service_state }}'
|
||||
enabled: '{{ postgresql_service_enabled }}'
|
||||
become: true
|
||||
|
||||
- name: Set Postgress shared libraries
|
||||
community.postgresql.postgresql_set:
|
||||
name: shared_preload_libraries
|
||||
value: vectors.so
|
||||
become: true
|
||||
become_user: postgres
|
||||
when: inventory_hostname in groups["database_active"]
|
||||
notify: Restart postgresql
|
||||
- name: Set Postgress shared libraries
|
||||
community.postgresql.postgresql_set:
|
||||
name: search_path
|
||||
value: '$user, public, vectors'
|
||||
become: true
|
||||
become_user: postgres
|
||||
when: inventory_hostname in groups["database_active"]
|
||||
become_user: "{{ postgresql_user }}"
|
||||
|
@ -1,28 +1,10 @@
|
||||
---
|
||||
- name: gather all
|
||||
hosts: all
|
||||
- name: NAS playbook
|
||||
hosts: NAS
|
||||
- hosts: NAS
|
||||
vars:
|
||||
# certbot_force: true
|
||||
pre_tasks:
|
||||
- name: include task NasBind
|
||||
ansible.builtin.include_tasks:
|
||||
file: tasks/NasBind.yml
|
||||
loop: "{{ nas_bind_source }}"
|
||||
- name: create nomad folder
|
||||
ansible.builtin.file:
|
||||
path: "{{ nas_bind_target }}/nomad/{{ item.name }}"
|
||||
owner: "{{ item.owner|default('root') }}"
|
||||
state: directory
|
||||
become: true
|
||||
loop: "{{ NAS_nomad_folder }}"
|
||||
roles:
|
||||
- role: ansible-role-nut
|
||||
- role: ansible-role-nfs
|
||||
become: true
|
||||
- role: ansible-role-nfs
|
||||
become: true
|
||||
- role: ansible-role-pureftpd
|
||||
become: true
|
||||
- role: vladgh.samba.server
|
||||
- role: ansible-role-vsftpd
|
||||
become: true
|
||||
#- samba
|
||||
|
@ -1,18 +0,0 @@
|
||||
- name: Ensure base NFS directory exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ item.dest }}"
|
||||
state: directory
|
||||
become: true
|
||||
- name: Ensure source NFS directory exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ item.source }}"
|
||||
state: directory
|
||||
become: true
|
||||
- name: Bind NAS export
|
||||
ansible.posix.mount:
|
||||
path: "{{ item.dest }}"
|
||||
src: "{{ item.source }}"
|
||||
opts: bind
|
||||
fstype: none
|
||||
state: mounted
|
||||
become: true
|
@ -1 +0,0 @@
|
||||
path = /exports/homes/%S
|
12
ansible/playbooks/user_config.yml
Normal file
@ -0,0 +1,12 @@
|
||||
---
|
||||
- hosts: all
|
||||
roles:
|
||||
- role: user_config
|
||||
vars:
|
||||
user_config_username: "{{ user.name }}"
|
||||
become_user: "{{ user.name }}"
|
||||
become: true
|
||||
- role: user_config
|
||||
vars:
|
||||
user_config_username: root
|
||||
become: true
|
@ -1,8 +1,8 @@
|
||||
[DNS]
|
||||
oscar
|
||||
gerard
|
||||
|
||||
[dhcp]
|
||||
oberon
|
||||
gerard
|
||||
|
||||
[database_active]
|
||||
bleys
|
||||
@ -22,11 +22,11 @@ bleys
|
||||
production
|
||||
|
||||
[NAS]
|
||||
oberon
|
||||
nas
|
||||
|
||||
[cluster]
|
||||
oscar
|
||||
#gerard
|
||||
gerard
|
||||
bleys
|
||||
|
||||
|
||||
@ -35,6 +35,7 @@ NAS
|
||||
cluster
|
||||
|
||||
[VPS]
|
||||
corwin
|
||||
merlin
|
||||
|
||||
[region:children]
|
||||
@ -43,10 +44,8 @@ VPS
|
||||
production
|
||||
|
||||
[production]
|
||||
corwin
|
||||
oscar
|
||||
merlin
|
||||
#gerard
|
||||
gerard
|
||||
bleys
|
||||
oberon
|
||||
|
||||
[staging]
|
||||
|
@ -1,5 +1,4 @@
|
||||
---
|
||||
roles:
|
||||
- src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-arch-provissionning.git
|
||||
scm: git
|
||||
- src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-role-postgresql.git
|
||||
@ -40,10 +39,6 @@ roles:
|
||||
scm: git
|
||||
- src: git@github.com:vincentDcmps/ansible-role-nfs.git
|
||||
scm: git
|
||||
- src: git@github.com:vincentDcmps/ansible-role-nut.git
|
||||
scm: git
|
||||
- src: git@git.ducamps.eu:2222/ansible-roles/ansible-role-pureftpd.git
|
||||
scm: git
|
||||
- src: https://github.com/PowerDNS/pdns_recursor-ansible.git
|
||||
collections:
|
||||
- name: vladgh.samba
|
||||
- src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-role-samba.git
|
||||
scm: git
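Review bot: None of the role entries visible in this hunk carries a `version:`, so `ansible-galaxy install` tracks the default branch of each repository (`git@github.com:vincentDcmps/ansible-role-nfs.git`, the `ssh://git@git.ducamps.eu:2222/ansible-roles/…` roles, `https://github.com/PowerDNS/pdns_recursor-ansible.git`) and a routine deploy can pull in changes nobody reviewed. Pin each entry to a tag or commit with a `version:` line under its `src:` (placeholder: `version: <tag-or-sha>`) and bump deliberately; the `roles:` list starts outside this hunk, so the entries above it need the same treatment.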
|
||||
|
@ -1,10 +1,12 @@
|
||||
---
|
||||
- import_playbook: playbooks/server.yml
|
||||
- import_playbook: playbooks/dhcpd.yml
|
||||
- import_playbook: playbooks/dns.yml
|
||||
- import_playbook: playbooks/HashicorpStack.yml
|
||||
- import_playbook: playbooks/nas.yml
|
||||
- import_playbook: playbooks/autofs.yml
|
||||
- import_playbook: playbooks/sssd.yml
|
||||
- import_playbook: playbooks/wireguard.yml
|
||||
- import_playbook: playbooks/dhcpd.yml
|
||||
- import_playbook: playbooks/dns.yml
|
||||
- import_playbook: playbooks/HashicorpStack.yml
|
||||
- import_playbook: playbooks/database.yml
|
||||
- import_playbook: playbooks/rsyncd.yml
|
||||
- import_playbook: playbooks/create_user.yml
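Review bot: The new `playbooks/user_config.yml` added elsewhere in this commit is not imported here: the new side of this hunk appears to list server, dhcpd, dns, HashicorpStack, nas, autofs, sssd, wireguard, database, rsyncd and create_user only, and the `user_config` role block that `server.yml` loses in the same commit does not reappear in this file. Unless that playbook is run by hand, per-user configuration silently stops being applied by a full `site.yml` run; add `- import_playbook: playbooks/user_config.yml` after `create_user.yml`, since the new playbook references `{{ user.name }}`.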
|
||||
|
@ -5,7 +5,6 @@ oscar-dev
|
||||
oscar-dev
|
||||
|
||||
[database_standby]
|
||||
gerard-dev
|
||||
|
||||
[database:children]
|
||||
database_active
|
||||
@ -40,5 +39,3 @@ oscar-dev
|
||||
gerard-dev
|
||||
merlin-dev
|
||||
nas-dev
|
||||
|
||||
[production]
|
||||
|
@ -100,18 +100,3 @@ agains:
|
||||
put one recursor on cluster over authority server and keep the recursor on gerard for better recundancy
|
||||
|
||||
### Consequences
|
||||
|
||||
|
||||
## 005 physical Recursor location
|
||||
|
||||
### Status
|
||||
|
||||
done
|
||||
|
||||
### Context
|
||||
|
||||
following NAS migration physical DNS Recursor was install directly on NAS this bring a SPOF when NAS failed Recursor on Nomad cluster are stopped because of volume dependance
|
||||
|
||||
### Decision
|
||||
|
||||
Put physical Recursor on a cluster node like that to have a DNS issue we need to have NAS and this nomad down on same Time
|
||||
|
@ -16,27 +16,11 @@ Storage:
|
||||
- hot Data (nomad, document,fresh download file,music?) on SSD cold DATA on HDD (film, serie photo)
|
||||
- at least 2 HDD and 2 SSD
|
||||
|
||||
|
||||
|
||||
Hardware:
|
||||
|
||||
- network 2.5 gpbs will be good for evolve
|
||||
- at least 4go ram (expansive will be appreciable)
|
||||
- at least 4go ram
|
||||
|
||||
Software:
|
||||
|
||||
be able to install custom linux distrib
|
||||
|
||||
### Decision
|
||||
|
||||
- Due to form factor/consumption and SSD capability my choise is on ASUSTOR Nimbustor 2 Gen 2 AS5402, he corresponding to need and less expensive than a DIY NAS
|
||||
- buy only a new ssd of 2to in more to store system and hot data
|
||||
|
||||
### Cosequence
|
||||
|
||||
need to migrate Data and keep same disk
|
||||
|
||||
- install system
|
||||
- copy all data from 2to HDD to SSD then format 2to HDD
|
||||
- copy download data to FROM 4 to HDD to SSD
|
||||
- copy serie to 2to HDD and copy film on external harddrive
|
||||
|
@ -1,25 +0,0 @@
|
||||
# Docker Pull throught
|
||||
|
||||
# 001 architecture consideration
|
||||
|
||||
## Status
|
||||
|
||||
Accepted
|
||||
|
||||
## Context
|
||||
|
||||
docker hub get a pull limit if somebody go wrong on our infrastructure we can get quickyly this limit solution will be to implement a pull throught proxy.
|
||||
|
||||
|
||||
### Decision
|
||||
|
||||
create two container task to create a dockerhub pull through and a ghcr one
|
||||
|
||||
we can add these registry to traefick to have both under the port 5000 but this will add a traefik dependancy on rebuild
|
||||
|
||||
so to begin we will use one trafick service on two diferent static port
|
||||
|
||||
## Consequences
|
||||
|
||||
- this registry need to be start first on cluster creation
|
||||
- need to update all job image with local proxy url
|
@ -1,8 +0,0 @@
|
||||
# Troubleshooting
|
||||
|
||||
## issue with SMTP traefik port
|
||||
|
||||
ensure that no other traefik router (httt or TCP) listening on smtp or
|
||||
all entrypoint this can pertuubate smtp TLS connection
|
||||
see [https://doc.traefik.io/traefik/routing/routers/#entrypoints_1](here)
|
||||
|
19
makefile
@ -10,15 +10,12 @@ vault-dev:
|
||||
./vault/standalone_vault.sh $(FILE);\
|
||||
fi
|
||||
|
||||
vagranup:
|
||||
create-dev:
|
||||
vagrant up
|
||||
|
||||
create-dev: vagranup DNS-stagging
|
||||
make -C ansible deploy_staging
|
||||
make -C terraform deploy_vault env=staging
|
||||
VAULT_TOKEN=$(shell cat ~/vaultUnseal/staging/rootkey) python ./script/generate-vault-secret
|
||||
|
||||
create-dev-base: vagranup DNS-stagging
|
||||
create-dev-base:
|
||||
vagrant up
|
||||
make -C ansible deploy_staging_base
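Review bot: `VAULT_TOKEN=$(shell cat ~/vaultUnseal/staging/rootkey) python ./script/generate-vault-secret` expands the root token when make parses the recipe and, because the line is not prefixed with `@`, make echoes the expanded command to the terminal and to any CI log before running it, so the token lands in scrollback and build logs. The hunk's line counts do not make it certain this line survives on the new side; if it does, silence the echo and let the shell read the file instead, e.g. `@VAULT_TOKEN=$$(cat ~/vaultUnseal/staging/rootkey) python ./script/generate-vault-secret`, so the secret is never printed. The `create-dev-base` recipe continues outside this hunk.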
|
||||
|
||||
|
||||
@ -27,13 +24,3 @@ destroy-dev:
|
||||
|
||||
serve:
|
||||
mkdocs serve
|
||||
|
||||
DNS-stagging:
|
||||
$(eval dns := $(shell dig oscar-dev.lan.ducamps.dev +short))
|
||||
$(eval dns1 := $(shell dig nas-dev.lan.ducamps.dev +short))
|
||||
sudo resolvectl dns virbr2 "$(dns)" "$(dns1)";sudo resolvectl domain virbr2 "~consul";sudo systemctl restart systemd-resolved.service
|
||||
|
||||
|
||||
DNS-production:
|
||||
sudo resolvectl dns virbr2 "";sudo resolvectl domain virbr2 "";sudo systemctl restart systemd-resolved.service
|
||||
|
||||
|
@ -35,7 +35,7 @@ job "MQTT" {
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/library/eclipse-mosquitto"
|
||||
image = "eclipse-mosquitto"
|
||||
ports = ["mosquittoWS", "mosquittoMQTT"]
|
||||
volumes = [
|
||||
"/mnt/diskstation/nomad/mosquitto:/mosquitto/data",
|
@ -8,11 +8,6 @@ job "alertmanager" {
|
||||
vault {
|
||||
policies = ["alertmanager"]
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
group "alertmanager" {
|
||||
network {
|
||||
mode = "host"
|
||||
@ -30,7 +25,7 @@ job "alertmanager" {
|
||||
"homer.enable=true",
|
||||
"homer.name=AlertManager",
|
||||
"homer.service=Monitoring",
|
||||
"homer.logo=http://${NOMAD_ADDR_http}/favicon.ico",
|
||||
"homer.logo=https://camo.githubusercontent.com/13ff7fc7ea6d8a6d98d856da8e3220501b9e6a89620f017d1db039007138e062/687474703a2f2f6465766f70792e696f2f77702d636f6e74656e742f75706c6f6164732f323031392f30322f7a616c2d3230302e706e67",
|
||||
"homer.target=_blank",
|
||||
"homer.url=http://${NOMAD_ADDR_http}",
|
||||
|
||||
@ -45,7 +40,7 @@ job "alertmanager" {
|
||||
}
|
||||
|
||||
config {
|
||||
image = "docker.service.consul:5000/prom/alertmanager"
|
||||
image = "prom/alertmanager"
|
||||
args= ["--log.level=debug", "--config.file=/etc/alertmanager/alertmanager.yml"]
|
||||
ports = ["http"]
|
||||
volumes = [
|
||||
@ -58,7 +53,7 @@ job "alertmanager" {
|
||||
global:
|
||||
smtp_from: alert@ducamps.eu
|
||||
smtp_smarthost: mail.ducamps.eu:465
|
||||
smtp_hello: "mail.ducamps.eu"
|
||||
smtp_hello: "mail.ducamps.win"
|
||||
smtp_require_tls: false
|
||||
{{with secret "secrets/data/nomad/alertmanager/mail"}}
|
||||
smtp_auth_username: {{.Data.data.username}}
|
@ -1,62 +0,0 @@
|
||||
|
||||
job "actualbudget" {
|
||||
datacenters = ["homelab"]
|
||||
priority = 50
|
||||
type = "service"
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
group "actualbudget"{
|
||||
network {
|
||||
mode = "host"
|
||||
port "http" {
|
||||
to = 5006
|
||||
}
|
||||
}
|
||||
task "actualbudget-server" {
|
||||
driver = "docker"
|
||||
service {
|
||||
name = "actualbudget"
|
||||
port = "http"
|
||||
tags = [
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`budget.ducamps.eu`)",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=budget.ducamps.eu",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
|
||||
"homer.enable=true",
|
||||
"homer.name=${NOMAD_TASK_NAME}",
|
||||
"homer.service=Application",
|
||||
"homer.target=_blank",
|
||||
"homer.logo=https://budget.ducamps.eu/apple-touch-icon.png",
|
||||
"homer.url=https://budget.ducamps.eu",
|
||||
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "ghcr.service.consul:5000/actualbudget/actual-server:latest"
|
||||
ports = ["http"]
|
||||
volumes = [
|
||||
"/mnt/diskstation/nomad/actualbudget:/data"
|
||||
]
|
||||
|
||||
}
|
||||
env {
|
||||
}
|
||||
|
||||
resources {
|
||||
memory = 300
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
@ -1,241 +0,0 @@
|
||||
|
||||
job "borgmatic" {
|
||||
datacenters = ["homelab"]
|
||||
priority = 50
|
||||
type = "service"
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "NAS"
|
||||
}
|
||||
|
||||
group "borgmatic"{
|
||||
vault{
|
||||
policies= ["borgmatic"]
|
||||
|
||||
}
|
||||
task "borgmatic" {
|
||||
action "manual-backup" {
|
||||
command = "/usr/local/bin/borgmatic"
|
||||
args = ["create",
|
||||
"prune",
|
||||
"--verbosity",
|
||||
"1"
|
||||
|
||||
]
|
||||
}
|
||||
action "list-backup" {
|
||||
command = "/usr/local/bin/borgmatic"
|
||||
args = ["rlist"]
|
||||
}
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "ghcr.service.consul:5000/borgmatic-collective/borgmatic"
|
||||
volumes = [
|
||||
"/exports:/exports",
|
||||
"local/borgmatic.d:/etc/borgmatic.d",
|
||||
"secret/id_rsa:/root/.ssh/id_rsa",
|
||||
"secret/known_hosts:/root/.ssh/known_hosts",
|
||||
"/exports/nomad/borgmatic:/root/.cache/borg",
|
||||
]
|
||||
|
||||
}
|
||||
env {
|
||||
}
|
||||
|
||||
template {
|
||||
data= <<EOH
|
||||
BORG_RSH="ssh -i /root/.ssh/id_rsa -p 23"
|
||||
{{ with secret "secrets/data/nomad/borgmatic"}}
|
||||
BORG_PASSPHRASE= {{.Data.data.passphrase}}
|
||||
{{end}}
|
||||
EOH
|
||||
destination = "secrets/sample.env"
|
||||
env = true
|
||||
}
|
||||
template {
|
||||
data= <<EOH
|
||||
0 2 * * * PATH=$PATH:/usr/local/bin /usr/local/bin/borgmatic create prune --verbosity 1
|
||||
0 23 1 * * PATH=$PATH:/usr/local/bin /usr/local/bin/borgmatic check
|
||||
EOH
|
||||
destination = "local/borgmatic.d/crontab.txt"
|
||||
}
|
||||
template {
|
||||
data= <<EOH
|
||||
# List of source directories to backup (required). Globs and
|
||||
# tildes are expanded. Do not backslash spaces in path names.
|
||||
source_directories:
|
||||
- /exports/ebook
|
||||
- /exports/homes
|
||||
- /exports/music
|
||||
- /exports/nomad
|
||||
- /exports/photo
|
||||
|
||||
repositories:
|
||||
- path: ssh://u304977@u304977.your-storagebox.de/./{{if eq "production" (env "meta.env") }}backup_hamelab{{else}}backup_homelab_dev{{end}}
|
||||
label: {{if eq "production" (env "meta.env") }}backup_hamelab{{else}}backup_homelab_dev{{end}}
|
||||
|
||||
exclude_patterns:
|
||||
- '*/nomad/jellyfin/cache'
|
||||
- '*nomad/loki/'
|
||||
- '*nomad/prometheus'
|
||||
- '*nomad/registry'
|
||||
- '*nomad/pacoloco'
|
||||
- '*nomad/pihole'
|
||||
- '*nomad/jellyfin/*'
|
||||
- '*.log*'
|
||||
- '*/nomad/prowlarr/Definitions/'
|
||||
|
||||
match_archives: '*'
|
||||
archive_name_format: '{{ env "node.datacenter" }}-{now:%Y-%m-%dT%H:%M:%S.%f}'
|
||||
extra_borg_options:
|
||||
# Extra command-line options to pass to "borg init".
|
||||
# init: --extra-option
|
||||
|
||||
# Extra command-line options to pass to "borg prune".
|
||||
# prune: --extra-option
|
||||
|
||||
# Extra command-line options to pass to "borg compact".
|
||||
# compact: --extra-option
|
||||
|
||||
# Extra command-line options to pass to "borg create".
|
||||
create: --progress --stats
|
||||
|
||||
# Extra command-line options to pass to "borg check".
|
||||
# check: --extra-option
|
||||
|
||||
# Keep all archives within this time interval.
|
||||
# keep_within: 3H
|
||||
|
||||
# Number of secondly archives to keep.
|
||||
# keep_secondly: 60
|
||||
|
||||
# Number of minutely archives to keep.
|
||||
# keep_minutely: 60
|
||||
|
||||
# Number of hourly archives to keep.
|
||||
# keep_hourly: 24
|
||||
|
||||
# Number of daily archives to keep.
|
||||
keep_daily: 7
|
||||
|
||||
# Number of weekly archives to keep.
|
||||
keep_weekly: 4
|
||||
|
||||
# Number of monthly archives to keep.
|
||||
# keep_monthly: 6
|
||||
|
||||
# Number of yearly archives to keep.
|
||||
# keep_yearly: 1
|
||||
|
||||
checks:
|
||||
- name: repository
|
||||
# - archives
|
||||
# check_repositories:
|
||||
# - user@backupserver:sourcehostname.borg
|
||||
# check_last: 3
|
||||
# output:
|
||||
# color: false
|
||||
|
||||
# List of one or more shell commands or scripts to execute
|
||||
# before creating a backup, run once per configuration file.
|
||||
# before_backup:
|
||||
# - echo "Starting a backup."
|
||||
|
||||
# List of one or more shell commands or scripts to execute
|
||||
# before pruning, run once per configuration file.
|
||||
# before_prune:
|
||||
# - echo "Starting pruning."
|
||||
|
||||
# List of one or more shell commands or scripts to execute
|
||||
# before compaction, run once per configuration file.
|
||||
# before_compact:
|
||||
# - echo "Starting compaction."
|
||||
|
||||
# List of one or more shell commands or scripts to execute
|
||||
# before consistency checks, run once per configuration file.
|
||||
# before_check:
|
||||
# - echo "Starting checks."
|
||||
|
||||
# List of one or more shell commands or scripts to execute
|
||||
# before extracting a backup, run once per configuration file.
|
||||
# before_extract:
|
||||
# - echo "Starting extracting."
|
||||
|
||||
# List of one or more shell commands or scripts to execute
|
||||
# after creating a backup, run once per configuration file.
|
||||
# after_backup:
|
||||
# - echo "Finished a backup."
|
||||
|
||||
# List of one or more shell commands or scripts to execute
|
||||
# after compaction, run once per configuration file.
|
||||
# after_compact:
|
||||
# - echo "Finished compaction."
|
||||
|
||||
# List of one or more shell commands or scripts to execute
|
||||
# after pruning, run once per configuration file.
|
||||
# after_prune:
|
||||
# - echo "Finished pruning."
|
||||
|
||||
# List of one or more shell commands or scripts to execute
|
||||
# after consistency checks, run once per configuration file.
|
||||
# after_check:
|
||||
# - echo "Finished checks."
|
||||
|
||||
# List of one or more shell commands or scripts to execute
|
||||
# after extracting a backup, run once per configuration file.
|
||||
# after_extract:
|
||||
# - echo "Finished extracting."
|
||||
|
||||
# List of one or more shell commands or scripts to execute
|
||||
# when an exception occurs during a "prune", "compact",
|
||||
# "create", or "check" action or an associated before/after
|
||||
# hook.
|
||||
# on_error:
|
||||
# - echo "Error during prune/compact/create/check."
|
||||
|
||||
# List of one or more shell commands or scripts to execute
|
||||
# before running all actions (if one of them is "create").
|
||||
# These are collected from all configuration files and then
|
||||
# run once before all of them (prior to all actions).
|
||||
# before_everything:
|
||||
# - echo "Starting actions."
|
||||
|
||||
# List of one or more shell commands or scripts to execute
|
||||
# after running all actions (if one of them is "create").
|
||||
# These are collected from all configuration files and then
|
||||
# run once after all of them (after any action).
|
||||
# after_everything:
|
||||
# - echo "Completed actions."
|
||||
EOH
|
||||
destination = "local/borgmatic.d/config.yaml"
|
||||
}
|
||||
template {
|
||||
data= <<EOH
|
||||
{{ with secret "secrets/data/nomad/borgmatic"}}
|
||||
{{.Data.data.privatekey}}
|
||||
{{end}}
|
||||
EOH
|
||||
destination = "secret/id_rsa"
|
||||
perms= "700"
|
||||
}
|
||||
template {
|
||||
data= <<EOH
|
||||
[u304977.your-storagebox.de]:23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs
|
||||
[u304977.your-storagebox.de]:23 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==
|
||||
[u304977.your-storagebox.de]:23 ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGK0po6usux4Qv2d8zKZN1dDvbWjxKkGsx7XwFdSUCnF19Q8psHEUWR7C/LtSQ5crU/g+tQVRBtSgoUcE8T+FWp5wBxKvWG2X9gD+s9/4zRmDeSJR77W6gSA/+hpOZoSE+4KgNdnbYSNtbZH/dN74EG7GLb/gcIpbUUzPNXpfKl7mQitw==
|
||||
EOH
|
||||
destination = "secret/known_hosts"
|
||||
perms="700"
|
||||
}
|
||||
resources {
|
||||
memory = 300
|
||||
memory_max = 1000
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
@ -1,147 +0,0 @@
|
||||
job "immich" {
|
||||
datacenters = ["homelab"]
|
||||
priority = 50
|
||||
type = "service"
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
}
|
||||
|
||||
group "immich" {
|
||||
network {
|
||||
mode = "host"
|
||||
port "http" {
|
||||
to = 2283
|
||||
}
|
||||
port "redis" {
|
||||
to = 6379
|
||||
}
|
||||
port "machinelearning" {
|
||||
to = 3003
|
||||
}
|
||||
}
|
||||
volume "immich-upload" {
|
||||
type = "csi"
|
||||
source = "immich-upload"
|
||||
access_mode = "multi-node-multi-writer"
|
||||
attachment_mode = "file-system"
|
||||
}
|
||||
volume "immich-cache" {
|
||||
type = "csi"
|
||||
source = "immich-cache"
|
||||
access_mode = "multi-node-multi-writer"
|
||||
attachment_mode = "file-system"
|
||||
}
|
||||
volume "photo" {
|
||||
type = "csi"
|
||||
source = "photo"
|
||||
access_mode = "multi-node-multi-writer"
|
||||
attachment_mode = "file-system"
|
||||
}
|
||||
vault {
|
||||
policies = ["immich"]
|
||||
}
|
||||
task "immich-server" {
|
||||
driver = "docker"
|
||||
service {
|
||||
name = "immich"
|
||||
port = "http"
|
||||
tags = [
|
||||
"homer.enable=true",
|
||||
"homer.name=immich",
|
||||
"homer.service=Application",
|
||||
"homer.logo=https://immich.ducamps.eu/favicon-144.png",
|
||||
"homer.target=_blank",
|
||||
"homer.url=https://immich.ducamps.eu",
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`${NOMAD_JOB_NAME}.ducamps.eu`)",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.eu",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
|
||||
]
|
||||
}
|
||||
volume_mount {
|
||||
volume = "immich-upload"
|
||||
destination = "/usr/src/app/upload"
|
||||
}
|
||||
volume_mount {
|
||||
volume = "photo"
|
||||
destination = "/photo"
|
||||
}
|
||||
config {
|
||||
image = "ghcr.service.consul:5000/immich-app/immich-server:release"
|
||||
ports = ["http"]
|
||||
volumes = [
|
||||
"/etc/localtime:/etc/localtime"
|
||||
]
|
||||
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOH
|
||||
{{ with secret "secrets/data/database/immich"}}
|
||||
DB_PASSWORD= {{ .Data.data.password }}
|
||||
{{end}}
|
||||
DB_DATABASE_NAME= immich
|
||||
DB_USERNAME= immich
|
||||
DB_HOSTNAME= active.db.service.consul
|
||||
REDIS_HOSTNAME = {{env "NOMAD_IP_redis"}}
|
||||
REDIS_PORT = {{env "NOMAD_HOST_PORT_redis"}}
|
||||
IMMICH_MACHINE_LEARNING_URL = http://{{ env "NOMAD_ADDR_machinelearning"}}
|
||||
IMMICH_HOST=0.0.0.0
|
||||
EOH
|
||||
destination = "secrets/immich.env"
|
||||
env = true
|
||||
}
|
||||
resources {
|
||||
memory = 600
|
||||
memory_max = 1800
|
||||
}
|
||||
}
|
||||
|
||||
task "immich-machine-learning" {
|
||||
driver = "docker"
|
||||
volume_mount {
|
||||
volume = "immich-cache"
|
||||
destination = "/cache"
|
||||
}
|
||||
config {
|
||||
image = "ghcr.service.consul:5000/immich-app/immich-machine-learning:main"
|
||||
ports = ["machinelearning"]
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOH
|
||||
{{ with secret "secrets/data/database/immich"}}
|
||||
DB_PASSWORD= {{ .Data.data.password }}
|
||||
{{end}}
|
||||
DB_DATABASE_NAME= immich
|
||||
DB_USERNAME= immich
|
||||
DB_HOSTNAME= active.db.service.consul
|
||||
REDIS_HOSTNAME = {{env "NOMAD_IP_redis"}}
|
||||
REDIS_PORT = {{env "NOMAD_HOST_PORT_redis"}}
|
||||
EOH
|
||||
destination = "secrets/immich.env"
|
||||
env = true
|
||||
}
|
||||
resources {
|
||||
memory = 200
|
||||
memory_max = 1800
|
||||
}
|
||||
}
|
||||
|
||||
task "redis" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image="docker.service.consul:5000/library/redis:6.2-alpine"
|
||||
ports = ["redis"]
|
||||
}
|
||||
resources {
|
||||
memory = 50
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
@ -1 +0,0 @@
|
||||
../makefile
|
@ -1,95 +0,0 @@
|
||||
|
||||
job "mealie" {
|
||||
datacenters = ["homelab"]
|
||||
priority = 50
|
||||
type = "service"
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
}
|
||||
|
||||
group "mealie" {
|
||||
network {
|
||||
mode = "host"
|
||||
port "http" {
|
||||
to = 9000
|
||||
}
|
||||
}
|
||||
volume "mealie-data" {
|
||||
type = "csi"
|
||||
source = "mealie-data"
|
||||
access_mode = "multi-node-multi-writer"
|
||||
attachment_mode = "file-system"
|
||||
}
|
||||
vault {
|
||||
policies = ["mealie"]
|
||||
|
||||
}
|
||||
task "mealie-server" {
|
||||
driver = "docker"
|
||||
service {
|
||||
name = "mealie"
|
||||
port = "http"
|
||||
tags = [
|
||||
"homer.enable=true",
|
||||
"homer.name=Mealie",
|
||||
"homer.service=Application",
|
||||
"homer.subtitle=Mealie",
|
||||
"homer.logo=https://mealie.ducamps.eu/favicon.ico",
|
||||
"homer.target=_blank",
|
||||
"homer.url=https://${NOMAD_JOB_NAME}.ducamps.eu",
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`${NOMAD_JOB_NAME}.ducamps.eu`)",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.eu",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "ghcr.io/mealie-recipes/mealie"
|
||||
ports = ["http"]
|
||||
}
|
||||
volume_mount {
|
||||
volume = "mealie-data"
|
||||
destination = "/app/data"
|
||||
}
|
||||
env {
|
||||
PUID = "1000001"
|
||||
PGID = "1000001"
|
||||
TZ = "Europe/Paris"
|
||||
MAX_WORKERS = 1
|
||||
WEB_CONCURRENCY = 1
|
||||
BASE_URL = "https://mealie.ducamps.eu"
|
||||
OIDC_USER_GROUP = "MealieUsers"
|
||||
OIDC_ADMIN_GROUP = "MealieAdmins"
|
||||
OIDC_AUTH_ENABLED = "True"
|
||||
OIDC_SIGNUP_ENABLED = "true"
|
||||
OIDC_CONFIGURATION_URL = "https://auth.ducamps.eu/.well-known/openid-configuration"
|
||||
OIDC_CLIENT_ID = "mealie"
|
||||
OIDC_AUTO_REDIRECT = "false"
|
||||
OIDC_PROVIDER_NAME = "authelia"
|
||||
DB_ENGINE = "postgres"
|
||||
POSTGRES_USER = "mealie"
|
||||
POSTGRES_SERVER = "active.db.service.consul"
|
||||
POSTGRES_PORT = 5432
|
||||
POSTGRES_DB = "mealie"
|
||||
LOG_LEVEL = "DEBUG"
|
||||
}
|
||||
template {
|
||||
data = <<EOH
|
||||
{{ with secret "secrets/data/database/mealie"}}POSTGRES_PASSWORD= "{{ .Data.data.password }}" {{end}}
|
||||
{{ with secret "secrets/data/authelia/mealie"}}OIDC_CLIENT_SECRET= "{{ .Data.data.password }}" {{end}}
|
||||
EOH
|
||||
destination = "secrets/var.env"
|
||||
env = true
|
||||
}
|
||||
resources {
|
||||
memory = 400
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
@ -1,89 +0,0 @@
|
||||
|
||||
job "vikunja" {
|
||||
datacenters = ["homelab"]
|
||||
priority = 70
|
||||
type = "service"
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
|
||||
group "vikunja" {
|
||||
network {
|
||||
mode = "host"
|
||||
port "front" {
|
||||
to = 80
|
||||
}
|
||||
port "api" {
|
||||
to = 3456
|
||||
}
|
||||
}
|
||||
vault {
|
||||
policies = ["vikunja"]
|
||||
|
||||
}
|
||||
task "api" {
|
||||
driver = "docker"
|
||||
service {
|
||||
name = "vikunja-api"
|
||||
port = "api"
|
||||
tags = [
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}-${NOMAD_TASK_NAME}.rule=Host(`${NOMAD_JOB_NAME}.ducamps.eu`)",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}-${NOMAD_TASK_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.eu",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}-${NOMAD_TASK_NAME}.tls.certresolver=myresolver",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}-${NOMAD_TASK_NAME}.entrypoints=web,websecure",
|
||||
"homer.enable=true",
|
||||
"homer.name=vikunka",
|
||||
"homer.service=Application",
|
||||
"homer.logo=https://${NOMAD_JOB_NAME}.ducamps.eu/images/icons/apple-touch-icon-180x180.png",
|
||||
"homer.target=_blank",
|
||||
"homer.url=https://${NOMAD_JOB_NAME}.ducamps.eu",
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/vikunja/vikunja"
|
||||
ports = ["api", "front"]
|
||||
volumes = ["local/config.yml:/etc/vikunja/config.yml"]
|
||||
}
|
||||
env {
|
||||
VIKUNJA_DATABASE_HOST = "active.db.service.consul"
|
||||
VIKUNJA_DATABASE_TYPE = "postgres"
|
||||
VIKUNJA_DATABASE_USER = "vikunja"
|
||||
VIKUNJA_DATABASE_DATABASE = "vikunja"
|
||||
VIKUNJA_SERVICE_JWTSECRET = uuidv4()
|
||||
VIKUNJA_SERVICE_FRONTENDURL = "https://${NOMAD_JOB_NAME}.ducamps.eu/"
|
||||
VIKUNJA_AUTH_LOCAL = False
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOH
|
||||
{{ with secret "secrets/data/database/vikunja"}}
|
||||
VIKUNJA_DATABASE_PASSWORD= "{{ .Data.data.password }}"
|
||||
{{end}}
|
||||
EOH
|
||||
destination = "secrets/sample.env"
|
||||
env = true
|
||||
}
|
||||
template {
|
||||
data = <<EOH
|
||||
auth:
|
||||
openid:
|
||||
enabled: true
|
||||
redirecturl: https://vikunja.ducamps.eu/auth/openid/
|
||||
providers:
|
||||
- name: Authelia
|
||||
authurl: https://auth.ducamps.eu
|
||||
clientid: vikunja
|
||||
clientsecret: {{ with secret "secrets/data/authelia/vikunja"}} {{ .Data.data.password }} {{end}}
|
||||
scope: openid profile email
|
||||
EOH
|
||||
destination = "local/config.yml"
|
||||
}
|
||||
resources {
|
||||
memory = 100
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
}
|
@ -6,11 +6,7 @@ job "backup-consul" {
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
|
||||
constraint {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
@ -26,9 +22,9 @@ job "backup-consul" {
|
||||
task "consul-backup" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "docker.service.consul:5000/ducampsv/docker-consul-backup:latest"
|
||||
image = "ducampsv/docker-consul-backup:latest"
|
||||
volumes = [
|
||||
"/mnt/diskstation/nomad/backup/consul:/backup"
|
||||
"/mnt/diskstation/git/backup/consul:/backup"
|
||||
]
|
||||
}
|
||||
resources {
|
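Review bot: The new side of the `image` line drops the internal `docker.service.consul:5000/` prefix and pulls `ducampsv/docker-consul-backup:latest` straight from Docker Hub, so the backup container is neither served from a registry you control nor pinned to an immutable reference; a digest pin such as `image = "ducampsv/docker-consul-backup@sha256:<digest-placeholder>"` keeps the job reproducible and makes an upstream tag overwrite visible instead of silent. The same applies to the image lines in backup-postgress, backup-vault, batch-rutorrent, batch-seedboxsync, chainetv, crowdsec-agent, crowdsec-api, dashboard, dockermailserver, drone-runner, drone, filestash, ghostfolio, git, grafana and homeassistant. The first hunk also removes the `${node.class} set_contains cluster` constraint while the task keeps a host bind mount (`"/mnt/diskstation/git/backup/consul:/backup"`), so the allocation can now land on a node where that path is absent or points at a different disk and the backup would be written there without any error; the same constraint removal appears in backup-postgress, backup-vault, batch-seedboxsync, crowdsec-api, dashboard, dockermailserver, filestash, git, grafana, homeassistant and jellyfin. The enclosing job block of both hunks starts and ends outside the visible lines.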
@ -6,11 +6,7 @@ job "backup-postgress" {
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
|
||||
constraint {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
@ -32,9 +28,9 @@ job "backup-postgress" {
|
||||
name = "backup-postgress"
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/ducampsv/docker-backup-postgres:latest"
|
||||
image = "ducampsv/docker-backup-postgres:latest"
|
||||
volumes = [
|
||||
"/mnt/diskstation/nomad/backup/postgres:/backup"
|
||||
"/mnt/diskstation/git/backup/postgres:/backup"
|
||||
]
|
||||
}
|
||||
template {
|
||||
@ -49,8 +45,7 @@ job "backup-postgress" {
|
||||
env = true
|
||||
}
|
||||
resources {
|
||||
memory = 180
|
||||
memory_max = 400
|
||||
memory = 125
|
||||
}
|
||||
}
|
||||
|
@ -6,11 +6,7 @@ job "backup-vault" {
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
|
||||
constraint {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
@ -29,9 +25,9 @@ job "backup-vault" {
|
||||
task "backup-vault" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "docker.service.consul:5000/ducampsv/docker-vault-backup:latest"
|
||||
image = "ducampsv/docker-vault-backup:latest"
|
||||
volumes = [
|
||||
"/mnt/diskstation/nomad/backup/vault:/backup"
|
||||
"/mnt/diskstation/git/backup/vault:/backup"
|
||||
]
|
||||
}
|
||||
template {
|
@ -13,7 +13,7 @@ job "batch-rutorrent" {
|
||||
task "cleanForwardFolder" {
|
||||
driver= "docker"
|
||||
config {
|
||||
image = "docker.service.consul:5000/library/alpine"
|
||||
image = "alpine"
|
||||
volumes = [
|
||||
"/mnt/hetzner/storagebox/file/forward:/file"
|
||||
]
|
@ -6,11 +6,7 @@ job "batch-seedboxsync" {
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
|
||||
constraint {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
@ -32,9 +28,9 @@ job "batch-seedboxsync" {
|
||||
name = "seedboxsync"
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/ducampsv/rsync:latest"
|
||||
image = "ducampsv/rsync:latest"
|
||||
volumes = [
|
||||
"/mnt/diskstation/download:/media",
|
||||
"/mnt/diskstation/media/download:/media",
|
||||
"local/id_rsa:/home/rsyncuser/.ssh/id_rsa"
|
||||
]
|
||||
command = "rsync"
|
||||
@ -74,7 +70,6 @@ job "batch-seedboxsync" {
|
||||
}
|
||||
resources {
|
||||
memory = 500
|
||||
memory_max = 1000
|
||||
}
|
||||
}
|
||||
|
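Review bot: The rsync task still mounts its SSH private key from `"local/id_rsa:/home/rsyncuser/.ssh/id_rsa"` (unchanged context in the second hunk), which is the task's ordinary on-disk allocation directory rather than Nomad's protected `secrets/` directory; rendering the key (presumably by a template outside the visible lines) to `secrets/id_rsa` and mounting `"secrets/id_rsa:/home/rsyncuser/.ssh/id_rsa"` keeps it out of the browsable allocation filesystem. The new side also moves the source bind mount to `/mnt/diskstation/media/download`, and since the first hunk drops the node.class constraint it is not visible here whether that path exists on every node the job may now be placed on. The enclosing task and job blocks start and end outside these hunks.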
@ -1,87 +0,0 @@
|
||||
job "torrent_automation" {
|
||||
datacenters = ["homelab"]
|
||||
priority = 50
|
||||
type = "service"
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
group "prowlarr"{
|
||||
network {
|
||||
mode = "host"
|
||||
port "prowlarr" {
|
||||
static = 9696
|
||||
to = 9696
|
||||
}
|
||||
port "flaresolverr" {
|
||||
static = 8191
|
||||
to = 8191
|
||||
}
|
||||
|
||||
}
|
||||
task "flaresolverr" {
|
||||
driver = "docker"
|
||||
service {
|
||||
name = "flaresolverr"
|
||||
port = "flaresolverr"
|
||||
|
||||
}
|
||||
config {
|
||||
image = "alexfozor/flaresolverr:pr-1300-experimental"
|
||||
ports = ["flaresolverr"]
|
||||
}
|
||||
env {
|
||||
}
|
||||
|
||||
resources {
|
||||
memory = 300
|
||||
memory_max = 500
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
task "prowlarr" {
|
||||
driver = "docker"
|
||||
service {
|
||||
name = "prowlarr"
|
||||
port = "prowlarr"
|
||||
tags = [
|
||||
"homer.enable=true",
|
||||
"homer.name=Prowlarr",
|
||||
"homer.service=Application",
|
||||
"homer.logo=http://${NOMAD_ADDR_prowlarr}/Content/Images/logo.png",
|
||||
"homer.target=_blank",
|
||||
"homer.url=http://${NOMAD_ADDR_prowlarr}",
|
||||
|
||||
]
|
||||
|
||||
}
|
||||
config {
|
||||
image = "ghcr.io/linuxserver/prowlarr:latest"
|
||||
ports = ["prowlarr"]
|
||||
volumes = [
|
||||
"/mnt/diskstation/nomad/prowlarr:/config"
|
||||
]
|
||||
|
||||
}
|
||||
env {
|
||||
PUID=1000001
|
||||
PGID=1000001
|
||||
TZ="Europe/Paris"
|
||||
}
|
||||
|
||||
resources {
|
||||
memory = 150
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
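--- a/nomad-job/borgmatic.nomad
+++ b/nomad-job/borgmatic.nomad
@@ -0,0 +1,219 @@
+
+job "borgmatic" {
+datacenters = ["homelab"]
+priority = 50
+type = "service"
+meta {
+forcedeploy = "0"
+}
+constraint {
+attribute = "${node.class}"
+operator = "set_contains"
+value = "NAS"
+}
+
+group "borgmatic"{
+vault{
+policies= ["borgmatic"]
+
+}
+task "borgmatic" {
+driver = "docker"
+config {
+image = "ghcr.io/borgmatic-collective/borgmatic"
+volumes = [
+"/var/local/volume1:/var/local/volume1",
+"local/borgmatic.d:/etc/borgmatic.d",
+"secret/id_rsa:/root/.ssh/id_rsa",
+"/mnt/diskstation/nomad/borgmatic:/root/.cache/borg",
+]
+
+}
+env {
+}
+
+template {
+data= <<EOH
+BORG_RSH="ssh -i /root/.ssh/id_rsa -p 23"
+{{ with secret "secrets/data/nomad/borgmatic"}}
+BORG_PASSPHRASE= {{.Data.data.passphrase}}
+{{end}}
+EOH
+destination = "secrets/sample.env"
+env = true
+}
+template {
+data= <<EOH
+0 2 * * * PATH=$PATH:/usr/local/bin /usr/local/bin/borgmatic --create --prune -v 1
+0 23 1 * * PATH=$PATH:/usr/local/bin /usr/local/bin/borgmatic -check
+EOH
+destination = "local/borgmatic.d/crontab.txt"
+}
+template {
+data= <<EOH
+location:
+# List of source directories to backup (required). Globs and
+# tildes are expanded. Do not backslash spaces in path names.
+source_directories:
+- /volume1/CardDav
+- /volume1/ebook
+- /volume1/git
+- /volume1/homes
+- /volume1/hubert
+- /volume1/music
+- /volume1/nomad
+- /volume1/photo
+
+repositories:
+- u304977@u304977.your-storagebox.de:{{if eq "production" (env "meta.env") }}backup_hamelab{{else}}backup_homelab_dev{{end}}
+
+exclude_patterns:
+- '*/nomad/jellyfin/cache'
+- '*/loki/chunks'
+# - /home/*/.cache
+# - '*/.vim*.tmp'
+# - /etc/ssl
+# - /home/user/path with spaces
+
+storage:
+extra_borg_options:
+# Extra command-line options to pass to "borg init".
+# init: --extra-option
+
+# Extra command-line options to pass to "borg prune".
+# prune: --extra-option
+
+# Extra command-line options to pass to "borg compact".
+# compact: --extra-option
+
+# Extra command-line options to pass to "borg create".
+create: --progress --stats
+
+# Extra command-line options to pass to "borg check".
+# check: --extra-option
+
+retention:
+# Keep all archives within this time interval.
+# keep_within: 3H
+
+# Number of secondly archives to keep.
+# keep_secondly: 60
+
+# Number of minutely archives to keep.
+# keep_minutely: 60
+
+# Number of hourly archives to keep.
+# keep_hourly: 24
+
+# Number of daily archives to keep.
+keep_daily: 7
+
+# Number of weekly archives to keep.
+keep_weekly: 4
+
+# Number of monthly archives to keep.
+# keep_monthly: 6
+
+# Number of yearly archives to keep.
+# keep_yearly: 1
+
+consistency:
+checks:
+- repository
+# - archives
+# check_repositories:
+# - user@backupserver:sourcehostname.borg
+# check_last: 3
+# output:
+# color: false
+
+# hooks:
+# List of one or more shell commands or scripts to execute
+# before creating a backup, run once per configuration file.
+# before_backup:
+# - echo "Starting a backup."
+
+# List of one or more shell commands or scripts to execute
+# before pruning, run once per configuration file.
+# before_prune:
+# - echo "Starting pruning."
+
+# List of one or more shell commands or scripts to execute
+# before compaction, run once per configuration file.
+# before_compact:
+# - echo "Starting compaction."
+
+# List of one or more shell commands or scripts to execute
+# before consistency checks, run once per configuration file.
+# before_check:
+# - echo "Starting checks."
+
+# List of one or more shell commands or scripts to execute
+# before extracting a backup, run once per configuration file.
+# before_extract:
+# - echo "Starting extracting."
+
+# List of one or more shell commands or scripts to execute
+# after creating a backup, run once per configuration file.
+# after_backup:
+# - echo "Finished a backup."
+
+# List of one or more shell commands or scripts to execute
+# after compaction, run once per configuration file.
+# after_compact:
+# - echo "Finished compaction."
+
+# List of one or more shell commands or scripts to execute
+# after pruning, run once per configuration file.
+# after_prune:
+# - echo "Finished pruning."
+
+# List of one or more shell commands or scripts to execute
+# after consistency checks, run once per configuration file.
+# after_check:
+# - echo "Finished checks."
+
+# List of one or more shell commands or scripts to execute
+# after extracting a backup, run once per configuration file.
+# after_extract:
+# - echo "Finished extracting."
+
+# List of one or more shell commands or scripts to execute
+# when an exception occurs during a "prune", "compact",
+# "create", or "check" action or an associated before/after
+# hook.
+# on_error:
+# - echo "Error during prune/compact/create/check."
+
+# List of one or more shell commands or scripts to execute
+# before running all actions (if one of them is "create").
+# These are collected from all configuration files and then
+# run once before all of them (prior to all actions).
+# before_everything:
+# - echo "Starting actions."
+
+# List of one or more shell commands or scripts to execute
+# after running all actions (if one of them is "create").
+# These are collected from all configuration files and then
+# run once after all of them (after any action).
+# after_everything:
+# - echo "Completed actions."
+EOH
+destination = "local/borgmatic.d/config.yaml"
+}
+template {
+data= <<EOH
+{{ with secret "secrets/data/nomad/borgmatic"}}
+{{.Data.data.privatekey}}
+{{end}}
+EOH
+destination = "secret/id_rsa"
+perms= "700"
+}
+resources {
+memory = 300
+}
+}
+
+}
+}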
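Review bot: The SSH private key template is written to `destination = "secret/id_rsa"` and mounted from `"secret/id_rsa:/root/.ssh/id_rsa"`, but Nomad's protected directory is `secrets/` (a singular `secret/` is just an ordinary subdirectory of the task dir on disk), which the same file already uses for `secrets/sample.env`; the fix is `destination = "secrets/id_rsa"`, `"secrets/id_rsa:/root/.ssh/id_rsa"` in `volumes`, and `perms = "600"` rather than `"700"` since a key file is not executable. The job also has no `known_hosts` template, unlike the borgmatic job removed earlier on this page (which pinned the storagebox `ssh-ed25519`, `ssh-rsa` and `ecdsa-sha2-nistp521` keys under `secret/known_hosts`), so with `BORG_RSH="ssh -i /root/.ssh/id_rsa -p 23"` the first connection either fails non-interactively or, depending on the image's ssh defaults, accepts whatever host key the remote presents. The monthly cron entry uses `-check` (single dash) where borgmatic's action flag is `--check`, so that line most likely does not run the intended consistency check. `source_directories` lists `/volume1/...` while the only host bind mount is `/var/local/volume1:/var/local/volume1`, so those paths may not exist inside the container unless the image provides them; a dry run would confirm. `backup_hamelab` in `repositories:` reads like a typo for `backup_homelab`, but it must stay if the remote repository already exists under that name.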
@ -39,7 +39,7 @@ job "chainetv" {
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/ducampsv/chainetv:latest"
|
||||
image = "ducampsv/chainetv:latest"
|
||||
ports = ["http"]
|
||||
}
|
||||
resources {
|
@ -27,7 +27,7 @@ job "crowdsec-agent" {
|
||||
}
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "docker.service.consul:5000/crowdsecurity/crowdsec"
|
||||
image = "crowdsecurity/crowdsec"
|
||||
ports = ["metric"]
|
||||
volumes = [
|
||||
"/var/run/docker.sock:/var/run/docker.sock",
|
@ -5,15 +5,9 @@ job "crowdsec-api" {
|
||||
meta {
|
||||
forcedeploy = "-1"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
vault {
|
||||
policies = ["crowdsec"]
|
||||
}
|
||||
|
||||
group "crowdsec-api" {
|
||||
network {
|
||||
mode = "host"
|
||||
@ -41,11 +35,11 @@ job "crowdsec-api" {
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/crowdsecurity/crowdsec"
|
||||
image = "crowdsecurity/crowdsec"
|
||||
ports = ["http", "metric"]
|
||||
volumes = [
|
||||
"/mnt/diskstation/nomad/crowdsec/db:/var/lib/crowdsec/data",
|
||||
"/mnt/diskstation/nomad/crowdsec/data:/etc/crowdsec",
|
||||
"/mnt/diskstation/nomad/crowdsec/data:/etc/crowdsec_data",
|
||||
]
|
||||
|
||||
}
|
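Review bot: On the new side the persistent config mount moves from `/etc/crowdsec` to `/etc/crowdsec_data` (`"/mnt/diskstation/nomad/crowdsec/data:/etc/crowdsec_data"`), so the container's `/etc/crowdsec` — where the LAPI credentials file and the acquisition/profile configuration live — is no longer backed by host storage unless the image's entrypoint copies that directory across; if it does not, the LAPI credentials are regenerated on every restart and agents and bouncers lose their registration. Confirm this against the image entrypoint, or keep the mount at `/etc/crowdsec`. The first hunk also drops the node.class constraint while both hunks keep host bind mounts under `/mnt/diskstation/nomad/crowdsec`, so placement on a node without that path is now possible. The enclosing task and job blocks start and end outside these hunks.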
@ -6,11 +6,7 @@ job "dashboard" {
|
||||
meta {
|
||||
forcedeploy = "1"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
|
||||
group "dashboard" {
|
||||
network {
|
||||
mode = "host"
|
||||
@ -33,7 +29,7 @@ job "dashboard" {
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/b4bz/homer"
|
||||
image = "b4bz/homer"
|
||||
ports = ["http"]
|
||||
volumes = [
|
||||
"/mnt/diskstation/nomad/homer:/www/assets"
|
@ -1,69 +0,0 @@
|
||||
|
||||
job "lldap" {
|
||||
datacenters = ["homelab"]
|
||||
priority = 50
|
||||
type = "service"
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
}
|
||||
|
||||
group "lldap"{
|
||||
network {
|
||||
mode = "host"
|
||||
port "ldap" {
|
||||
to = 3890
|
||||
static = 3890
|
||||
}
|
||||
port "http" {
|
||||
to = 17170
|
||||
}
|
||||
}
|
||||
# vault{
|
||||
# policies= ["lldap"]
|
||||
#
|
||||
# }
|
||||
service {
|
||||
name = "lldapHttp"
|
||||
port = "http"
|
||||
tags = [
|
||||
]
|
||||
}
|
||||
service {
|
||||
name = "lldapLDAP"
|
||||
port = "ldap"
|
||||
tags = [
|
||||
]
|
||||
}
|
||||
task "lldap" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "docker.service.consul:5000/ducampsv/lldap:latest"
|
||||
ports = ["ldap","http"]
|
||||
volumes = [
|
||||
"/mnt/diskstation/nomad/lldap:/data"
|
||||
]
|
||||
}
|
||||
|
||||
template {
|
||||
data= <<EOH
|
||||
UID=1000000
|
||||
GID=1000
|
||||
LLDAP_JWT_SECRET=
|
||||
LLDAP_LDAP_USER_PASS=REPLACE_WITH_PASSWORD
|
||||
LLDAP_LDAP_BASE_DN=dc=ducamps,dc=eu
|
||||
|
||||
EOH
|
||||
destination = "secrets/env"
|
||||
env = true
|
||||
}
|
||||
resources {
|
||||
memory = 300
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
@ -1,64 +0,0 @@
|
||||
|
||||
job "rutorrentlocal" {
|
||||
datacenters = ["homelab"]
|
||||
priority = 80
|
||||
type = "service"
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.unique.name}"
|
||||
operator = "set_contains"
|
||||
value = "oberon"
|
||||
}
|
||||
group "bittorent" {
|
||||
network {
|
||||
mode = "host"
|
||||
port "http" {
|
||||
to = 8080
|
||||
}
|
||||
port "torrent" {
|
||||
static = 6881
|
||||
}
|
||||
port "ecoute" {
|
||||
static = 50000
|
||||
}
|
||||
}
|
||||
task "bittorent" {
|
||||
driver = "podman"
|
||||
service {
|
||||
name = "bittorentlocal"
|
||||
port = "http"
|
||||
address_mode= "host"
|
||||
tags = [
|
||||
]
|
||||
}
|
||||
user = "root"
|
||||
config {
|
||||
|
||||
image = "docker.service.consul:5000/crazymax/rtorrent-rutorrent:edge"
|
||||
ports = [
|
||||
"http",
|
||||
"torrent",
|
||||
"ecoute"
|
||||
]
|
||||
volumes = [
|
||||
"/exports/nomad/rutorrent/data:/data",
|
||||
"/exports/nomad/rutorrent/downloads:/downloads"
|
||||
]
|
||||
|
||||
}
|
||||
env {
|
||||
PUID = 100001
|
||||
PGID = 10
|
||||
UMASK = 002
|
||||
WEBUI_PORT = "8080"
|
||||
}
|
||||
|
||||
resources {
|
||||
memory = 650
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
@ -1,5 +1,5 @@
|
||||
job "dockermailserver" {
|
||||
datacenters = ["homelab"]
|
||||
datacenters = ["hetzner"]
|
||||
priority = 90
|
||||
type = "service"
|
||||
meta {
|
||||
@ -9,11 +9,7 @@ job "dockermailserver" {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
|
||||
group "dockermailserver" {
|
||||
network {
|
||||
mode = "host"
|
||||
@ -119,7 +115,7 @@ job "dockermailserver" {
|
||||
task "docker-mailserver" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "ghcr.service.consul:5000/docker-mailserver/docker-mailserver:latest"
|
||||
image = "ghcr.io/docker-mailserver/docker-mailserver:latest"
|
||||
ports = ["smtp", "esmtp", "imap","rspamd"]
|
||||
volumes = [
|
||||
"/mnt/diskstation/nomad/dms/mail-data:/var/mail",
|
||||
@ -137,7 +133,7 @@ job "dockermailserver" {
|
||||
env {
|
||||
OVERRIDE_HOSTNAME = "mail.ducamps.eu"
|
||||
DMS_VMAIL_UID = 1000000
|
||||
DMS_VMAIL_GID = 984
|
||||
DMS_VMAIL_GID = 100
|
||||
SSL_TYPE= "letsencrypt"
|
||||
LOG_LEVEL="info"
|
||||
POSTMASTER_ADDRESS="vincent@ducamps.eu"
|
||||
@ -173,7 +169,7 @@ submissions/inet/smtpd_upstream_proxy_protocol=haproxy
|
||||
}
|
||||
template {
|
||||
data = <<EOH
|
||||
haproxy_trusted_networks = 10.0.0.0/24, 127.0.0.0/8, 172.17.0.1, 192.168.1.0/24
|
||||
haproxy_trusted_networks = 10.0.0.0/24, 127.0.0.0/8, 172.17.0.1
|
||||
haproxy_timeout = 3 secs
|
||||
service imap-login {
|
||||
inet_listener imaps {
|
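Review bot: The new side trusts PROXY-protocol headers from `10.0.0.0/24, 127.0.0.0/8, 172.17.0.1` while the job moves to `datacenters = ["hetzner"]` and loses its node.class constraint; whether the load balancer that fronts the mail ports on the new host actually sits in one of those ranges is not visible here, and `127.0.0.0/8` plus the Docker bridge address mean any local process or container can present a client IP of its choosing to Dovecot, which matters for rate limiting and fail2ban-style logic downstream. `DMS_VMAIL_GID` changes from `984` to `100` with the `/var/mail` bind mount unchanged in context, so existing mailbox files must be re-owned or Dovecot will fail permission checks after the move. The Dovecot template continues outside the hunk, as does the enclosing task block.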
@ -16,7 +16,7 @@ job "drone-runner" {
|
||||
task "drone-runner" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "docker.service.consul:5000/drone/drone-runner-docker:latest"
|
||||
image = "drone/drone-runner-docker:latest"
|
||||
volumes = [
|
||||
"/var/run/docker.sock:/var/run/docker.sock",
|
||||
]
|
@ -45,7 +45,7 @@ job "drone" {
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/drone/drone:latest"
|
||||
image = "drone/drone:latest"
|
||||
ports = [
|
||||
"http"
|
||||
]
|
@ -1,6 +1,6 @@
|
||||
|
||||
job "filestash" {
|
||||
datacenters = ["homelab"]
|
||||
datacenters = ["hetzner"]
|
||||
priority = 50
|
||||
type = "service"
|
||||
meta {
|
||||
@ -10,11 +10,7 @@ job "filestash" {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
|
||||
|
||||
group "filestash" {
|
||||
network {
|
||||
@ -48,7 +44,7 @@ job "filestash" {
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/machines/filestash"
|
||||
image = "machines/filestash"
|
||||
ports = ["http"]
|
||||
volumes = [
|
||||
"/mnt/diskstation/nomad/filestash:/app/data/state"
|
@ -27,7 +27,7 @@ job "ghostfolio" {
|
||||
task "redis" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "docker.service.consul:5000/library/redis"
|
||||
image = "redis"
|
||||
ports = ["redis"]
|
||||
}
|
||||
resources {
|
||||
@ -51,7 +51,7 @@ job "ghostfolio" {
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/ghostfolio/ghostfolio:latest"
|
||||
image = "ghostfolio/ghostfolio:latest"
|
||||
ports = ["http"]
|
||||
volumes = [
|
||||
]
|
||||
@ -80,7 +80,6 @@ job "ghostfolio" {
|
||||
}
|
||||
resources {
|
||||
memory = 400
|
||||
memory_max = 600
|
||||
}
|
||||
}
|
||||
|
@ -8,11 +8,6 @@ job "git" {
|
||||
constraint {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
group "gitea" {
|
||||
network {
|
||||
@ -59,12 +54,13 @@ job "git" {
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/gitea/gitea:latest"
|
||||
image = "gitea/gitea:latest"
|
||||
ports = [
|
||||
"http",
|
||||
"ssh"
|
||||
]
|
||||
volumes = [
|
||||
"/mnt/diskstation/git:/repo",
|
||||
"/mnt/diskstation/nomad/gitea:/data"
|
||||
]
|
||||
}
|
||||
@ -81,14 +77,10 @@ job "git" {
|
||||
GITEA__database__HOST = "active.db.service.consul"
|
||||
GITEA__database__NAME = "gitea"
|
||||
GITEA__database__USER = "gitea"
|
||||
GITEA__service__DISABLE_REGISTRATION = "false"
|
||||
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true"
|
||||
GITEA__service__SHOW_REGISTRATION_BUTTON = "false"
|
||||
GITEA__openid__ENABLE_OPENID_SIGNIN = "false"
|
||||
GITEA__openid__ENABLE_OPENID_SIGNUP = "true"
|
||||
GITEA__repository__ROOT = "/data/gitea-repositories"
|
||||
GITEA__service__DISABLE_REGISTRATION = "true"
|
||||
GITEA__repository__ROOT = "/repo"
|
||||
GITEA__server__APP_DATA_PATH = "/data"
|
||||
GITEA__server__LFS_CONTENT_PATH = "/data/lfs"
|
||||
GITEA__server__LFS_CONTENT_PATH = "/repo/LFS"
|
||||
GITEA__webhook__ALLOWED_HOST_LIST = "drone.ducamps.eu"
|
||||
GITEA__webhook__DELIVER_TIMEOUT = "30"
|
||||
}
|
@ -2,17 +2,8 @@ job "grafana" {
|
||||
datacenters = ["homelab"]
|
||||
priority = 50
|
||||
type = "service"
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
meta {
|
||||
forcedeploiement = 2
|
||||
}
|
||||
|
||||
vault {
|
||||
policies = ["grafana"]
|
||||
forcedeploiement = 1
|
||||
}
|
||||
group "grafana" {
|
||||
network {
|
||||
@ -20,6 +11,7 @@ job "grafana" {
|
||||
to = 3000
|
||||
}
|
||||
}
|
||||
|
||||
service {
|
||||
name = "grafana"
|
||||
port = "http"
|
||||
@ -44,37 +36,13 @@ job "grafana" {
|
||||
task "dashboard" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "docker.service.consul:5000/grafana/grafana"
|
||||
image = "grafana/grafana"
|
||||
ports = ["http"]
|
||||
volumes = [
|
||||
"local/grafana.ini:/etc/grafana/grafana.ini",
|
||||
"/mnt/diskstation/nomad/grafana/config:/etc/grafana",
|
||||
"/mnt/diskstation/nomad/grafana/lib:/var/lib/grafana"
|
||||
]
|
||||
}
|
||||
template {
|
||||
data = <<EOH
|
||||
force_migration=true
|
||||
[server]
|
||||
root_url = https://grafana.ducamps.eu
|
||||
[auth.generic_oauth]
|
||||
enabled = true
|
||||
name = Authelia
|
||||
icon = signin
|
||||
client_id = grafana
|
||||
client_secret = {{ with secret "secrets/data/authelia/grafana"}} {{ .Data.data.password }} {{end}}
|
||||
scopes = openid profile email groups
|
||||
empty_scopes = false
|
||||
auth_url = https://auth.ducamps.eu/api/oidc/authorization
|
||||
token_url = https://auth.ducamps.eu/api/oidc/token
|
||||
api_url = https://auth.ducamps.eu/api/oidc/userinfo
|
||||
login_attribute_path = preferred_username
|
||||
groups_attribute_path = groups
|
||||
name_attribute_path = name
|
||||
use_pkce = true
|
||||
role_attribute_path=contains(groups[*], 'GrafanaAdmins') && 'Admin' || contains(groups[*], 'GrafanaUsers') && 'Viewer'
|
||||
EOH
|
||||
destination = "local/grafana.ini"
|
||||
}
|
||||
resources {
|
||||
memory = 250
|
||||
}
|
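Review bot: The `client_secret` rendered from `secrets/data/authelia/grafana` is written to `destination = "local/grafana.ini"`, and Nomad's `local/` directory is exposed through the allocation filesystem API (`nomad alloc fs`), unlike `secrets/`; rendering the template to `secrets/grafana.ini` and mounting that path in `volumes` keeps the OAuth secret out of the alloc filesystem. `image = "grafana/grafana"` carries no tag, so, as before but now straight from Docker Hub instead of the local registry, each pull resolves `latest` at that moment; pinning a tag or digest makes the deploy reproducible, and the same applies to the untagged images in the jellyfin, loki, node-exporter, pacoloco, redis, radicale and syncthing sections of this commit. The `volumes` list now mounts both `local/grafana.ini` into `/etc/grafana/grafana.ini` and `/mnt/diskstation/nomad/grafana/config` over `/etc/grafana`, so confirm the file mount wins over the directory mount for that path.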
@ -3,11 +3,6 @@ job "homeassistant" {
|
||||
datacenters = ["homelab"]
|
||||
priority = 90
|
||||
type = "service"
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
@ -57,7 +52,7 @@ job "homeassistant" {
|
||||
}
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/homeassistant/home-assistant:stable"
|
||||
image = "homeassistant/home-assistant:stable"
|
||||
ports = ["http", "coap"]
|
||||
privileged = "true"
|
||||
network_mode = "host"
|
@ -2,7 +2,6 @@ job "jellyfin" {
|
||||
datacenters = ["homelab"]
|
||||
priority = 30
|
||||
type = "service"
|
||||
|
||||
meta {
|
||||
forcedeploy = "1"
|
||||
}
|
||||
@ -10,11 +9,6 @@ job "jellyfin" {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
group jellyfin-vue {
|
||||
network {
|
||||
mode = "host"
|
||||
@ -43,7 +37,7 @@ job "jellyfin" {
|
||||
|
||||
}
|
||||
config {
|
||||
image = "ghcr.service.consul:5000/jellyfin/jellyfin-vue:unstable"
|
||||
image = "ghcr.io/jellyfin/jellyfin-vue:unstable"
|
||||
ports = ["http"]
|
||||
}
|
||||
env {
|
||||
@ -88,13 +82,13 @@ job "jellyfin" {
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/jellyfin/jellyfin"
|
||||
image = "jellyfin/jellyfin"
|
||||
ports = ["http"]
|
||||
volumes = [
|
||||
"/mnt/diskstation/nomad/jellyfin/config:/config",
|
||||
"/mnt/diskstation/nomad/jellyfin/cache:/cache",
|
||||
"/mnt/diskstation/media:/media",
|
||||
"/mnt/diskstation/music:/music",
|
||||
"/mnt/diskstation/media/:/media",
|
||||
"/mnt/diskstation/music/:/media2"
|
||||
]
|
||||
devices = [
|
||||
{
|
@ -6,11 +6,7 @@ job "loki" {
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
|
||||
group "loki" {
|
||||
network {
|
||||
mode = "host"
|
||||
@ -38,7 +34,7 @@ job "loki" {
|
||||
}
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/grafana/loki"
|
||||
image = "grafana/loki"
|
||||
ports = ["http"]
|
||||
args = [
|
||||
"-config.file",
|
||||
@ -53,58 +49,56 @@ job "loki" {
|
||||
auth_enabled: false
|
||||
server:
|
||||
http_listen_port: 3100
|
||||
|
||||
common:
|
||||
instance_addr: 127.0.0.1
|
||||
path_prefix: /loki
|
||||
storage:
|
||||
filesystem:
|
||||
chunks_directory: /loki/chunks
|
||||
rules_directory: /loki/rules
|
||||
replication_factor: 1
|
||||
ring:
|
||||
kvstore:
|
||||
store: inmemory
|
||||
|
||||
ingester:
|
||||
lifecycler:
|
||||
address: 127.0.0.1
|
||||
ring:
|
||||
kvstore:
|
||||
store: inmemory
|
||||
replication_factor: 1
|
||||
final_sleep: 0s
|
||||
# Any chunk not receiving new logs in this time will be flushed
|
||||
chunk_idle_period: 1h
|
||||
# All chunks will be flushed when they hit this age, default is 1h
|
||||
max_chunk_age: 1h
|
||||
# Loki will attempt to build chunks up to 1.5MB, flushing if chunk_idle_period or max_chunk_age is reached first
|
||||
chunk_target_size: 1048576
|
||||
# Must be greater than index read cache TTL if using an index cache (Default index read cache TTL is 5m)
|
||||
chunk_retain_period: 30s
|
||||
max_transfer_retries: 0 # Chunk transfers disabled
|
||||
schema_config:
|
||||
configs:
|
||||
- from: "2023-04-08" # <---- A date in the future
|
||||
index:
|
||||
period: 24h
|
||||
prefix: index_
|
||||
- from: 2020-10-24
|
||||
store: boltdb-shipper
|
||||
object_store: filesystem
|
||||
schema: v13
|
||||
store: tsdb
|
||||
schema: v11
|
||||
index:
|
||||
prefix: index_
|
||||
period: 24h
|
||||
storage_config:
|
||||
boltdb_shipper:
|
||||
active_index_directory: /loki/boltdb-shipper-active
|
||||
cache_location: /loki/boltdb-shipper-cache
|
||||
cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space
|
||||
shared_store: filesystem
|
||||
filesystem:
|
||||
directory: /loki/chunks
|
||||
compactor:
|
||||
retention_enabled: true
|
||||
working_directory: /loki/tsdb-shipper-compactor
|
||||
working_directory: /tmp/loki/boltdb-shipper-compactor
|
||||
shared_store: filesystem
|
||||
limits_config:
|
||||
split_queries_by_interval: 24h
|
||||
max_query_parallelism: 100
|
||||
max_entries_limit_per_query: 10000
|
||||
injection_rate_strategy: local
|
||||
retention_period: 90d
|
||||
reject_old_samples: true
|
||||
reject_old_samples_max_age: 168h
|
||||
query_scheduler:
|
||||
max_outstanding_requests_per_tenant: 4096
|
||||
querier:
|
||||
max_concurrent: 4096
|
||||
frontend:
|
||||
max_outstanding_per_tenant: 4096
|
||||
query_range:
|
||||
results_cache:
|
||||
cache:
|
||||
embedded_cache:
|
||||
enabled: true
|
||||
max_size_mb: 100
|
||||
chunk_store_config:
|
||||
max_look_back_period: 0s
|
||||
table_manager:
|
||||
retention_deletes_enabled: false
|
||||
retention_period: 0s
|
||||
EOH
|
||||
destination = "local/loki/local-config.yaml"
|
||||
}
|
||||
resources {
|
||||
memory = 300
|
||||
memory_max = 1000
|
||||
}
|
||||
}
|
||||
|
@ -32,7 +32,7 @@ job "node-exporter" {
|
||||
task "node-exporter" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "docker.service.consul:5000/prom/node-exporter"
|
||||
image = "prom/node-exporter"
|
||||
ports = ["http"]
|
||||
args = [
|
||||
"--web.listen-address=:${NOMAD_PORT_http}",
|
@ -18,12 +18,6 @@ job "sample" {
|
||||
to = 0000
|
||||
}
|
||||
}
|
||||
volume "sample-data" {
|
||||
type = "csi"
|
||||
source = "sapmle-data"
|
||||
access_mode = "multi-node-multi-writer"
|
||||
attachment_mode = "file-system"
|
||||
}
|
||||
vault{
|
||||
policies= ["policy_name"]
|
||||
|
||||
@ -35,18 +29,13 @@ job "sample" {
|
||||
port = "http"
|
||||
tags = [
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`${NOMAD_JOB_NAME}.ducamps.eu`)",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.eu",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`${NOMAD_JOB_NAME}.ducamps.win`)",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.win",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
|
||||
|
||||
|
||||
]
|
||||
}
|
||||
volume_mount {
|
||||
volume = "sample-data"
|
||||
destination = "/app/data"
|
||||
}
|
||||
config {
|
||||
image = "sample"
|
||||
ports = ["http"]
|
||||
|
@ -29,11 +29,11 @@ job "nut_exporter" {
|
||||
task "nut_exporter" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "ghcr.service.consul:5000/druggeri/nut_exporter"
|
||||
image = "ghcr.io/druggeri/nut_exporter"
|
||||
ports = ["http"]
|
||||
}
|
||||
env {
|
||||
NUT_EXPORTER_SERVER= "192.168.1.43"
|
||||
NUT_EXPORTER_SERVER= "192.168.1.10"
|
||||
NUT_EXPORTER_VARIABLES = "battery.runtime,battery.charge,input.voltage,output.voltage,output.voltage.nominal,ups.load,ups.status,ups.realpower"
|
||||
}
|
||||
|
@ -6,11 +6,7 @@ job "pacoloco" {
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
|
||||
group "pacoloco" {
|
||||
network {
|
||||
mode = "host"
|
||||
@ -32,10 +28,10 @@ job "pacoloco" {
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/ducampsv/pacoloco"
|
||||
image = "ducampsv/pacoloco"
|
||||
ports = ["http"]
|
||||
volumes = [
|
||||
"/mnt/diskstation/nomad/pacoloco:/var/cache/pacoloco",
|
||||
"/mnt/diskstation/archMirror:/var/cache/pacoloco",
|
||||
"local/pacoloco.yaml:/etc/pacoloco.yaml"
|
||||
]
|
||||
|
@ -6,11 +6,7 @@ job "paperless-ng" {
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
|
||||
constraint {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
@ -33,7 +29,7 @@ job "paperless-ng" {
|
||||
task "redis" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "docker.service.consul:5000/library/redis"
|
||||
image = "redis"
|
||||
ports = ["redis"]
|
||||
}
|
||||
resources {
|
||||
@ -51,7 +47,6 @@ job "paperless-ng" {
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.eu",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.middlewares=authelia",
|
||||
"homer.enable=true",
|
||||
"homer.name=Paperless",
|
||||
"homer.service=Application",
|
||||
@ -68,7 +63,7 @@ job "paperless-ng" {
|
||||
}
|
||||
}
|
||||
config {
|
||||
image = "ghcr.service.consul:5000/paperless-ngx/paperless-ngx"
|
||||
image = "ghcr.io/paperless-ngx/paperless-ngx"
|
||||
ports = ["http"]
|
||||
volumes = [
|
||||
"/mnt/diskstation/nomad/paperless-ng/media:/usr/src/paperless/media",
|
||||
@ -87,9 +82,6 @@ job "paperless-ng" {
|
||||
PAPERLESS_CONSUMER_POLLING = "60"
|
||||
PAPERLESS_URL = "https://${NOMAD_JOB_NAME}.ducamps.eu"
|
||||
PAPERLESS_ALLOWED_HOSTS = "192.168.1.42,192.168.1.40"
|
||||
PAPERLESS_ENABLE_HTTP_REMOTE_USER = "true"
|
||||
PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_REMOTE_USER"
|
||||
PAPERLESS_LOGOUT_REDIRECT_URL= "https://auth.ducamps.eu/logout"
|
||||
}
|
||||
|
||||
template {
|
||||
@ -101,7 +93,6 @@ job "paperless-ng" {
|
||||
}
|
||||
resources {
|
||||
memory = 950
|
||||
memory_max = 1500
|
||||
cpu = 2000
|
||||
}
|
||||
}
|
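--- a/nomad-job/pdns-auth.nomad
+++ b/nomad-job/pdns-auth.nomad
@@ -0,0 +1,182 @@
+
+job "pdns-auth" {
+datacenters = ["homelab"]
+priority = 100
+meta {
+force = 2
+}
+type = "service"
+constraint {
+attribute = "${attr.cpu.arch}"
+value = "amd64"
+}
+group "pdns-auth" {
+network {
+port "dns" {
+static=5300
+}
+port "http" {
+static = 8081
+}
+port "pdnsadmin"{
+to = 80
+}
+}
+vault {
+policies = ["pdns"]
+}
+task "pdns-auth" {
+
+driver = "docker"
+service {
+name = "pdns-auth"
+port = "dns"
+
+}
+config {
+image = "powerdns/pdns-auth-master:latest"
+network_mode = "host"
+privileged=true
+cap_add= ["net_bind_service"]
+volumes = [
+"/mnt/diskstation/nomad/pdns-auth/var:/var/lib/powerdns/",
+"local/dnsupdate.conf:/etc/powerdns/pdns.d/dnsupdate.conf",
+"local/pdns.conf:/etc/powerdns/pdns.conf"
+]
+}
+template {
+destination = "secrets/env"
+
+data = <<EOH
+{{ with secret "secrets/data/nomad/pdns"}}
+PDNS_AUTH_API_KEY="{{.Data.data.API_KEY}}"
+{{ end }}
+EOH
+env = true
+}
+template{
+destination = "local/dnsupdate.conf"
+data = <<EOH
+dnsupdate=yes
+allow-dnsupdate-from=192.168.1.41/24
+local-address=192.168.1.5
+local-port=53
+EOH
+}
+template{
+destination = "local/pdns.conf"
+data = <<EOH
+launch=gpgsql
+gpgsql-host=active.db.service.consul
+gpgsql-port=5432
+gpgsql-user=pdns-auth
+{{ with secret "secrets/data/database/pdns"}}
+gpgsql-password={{ .Data.data.pdnsauth }}
+{{ end }}
+include-dir=/etc/powerdns/pdns.d
+EOH
+}
+resources {
+memory = 100
+}
+}
+task "pnds-admin" {
+service {
+name = "pdns-admin"
+tags = [
+"homer.enable=true",
+"homer.name=PDNS-ADMIN",
+"homer.service=Application",
+"homer.target=_blank",
+"homer.url=http://${NOMAD_ADDR_pdnsadmin}",
+
+]
+port = "pdnsadmin"
+}
+driver = "docker"
+config {
+image = "powerdnsadmin/pda-legacy:latest"
+ports= ["pdnsadmin"]
+volumes = [
+"/mnt/diskstation/nomad/pdns-admin/:/data/node_module/",
+]
+}
+template{
+destination = "secrets/pdns-admin.env"
+env = true
+data = <<EOH
+{{ with secret "secrets/data/nomad/pdns"}}
+SECRET_KEY="{{ .Data.data.SECRET_KEY }}"
+GUNICORN_WORKERS=2
+{{ end }}
+{{ with secret "secrets/data/database/pdns"}}
+SQLALCHEMY_DATABASE_URI=postgresql://pdns-admin:{{ .Data.data.pdnsadmin }}@active.db.service.consul/pdns-admin
+{{end}}
+EOH
+}
+resources {
+cpu = 100
+memory = 200
+}
+
+}
+task "pdns-recursor" {
+
+driver = "docker"
+config {
+image = "powerdns/pdns-recursor-master:latest"
+network_mode = "host"
+volumes = [
+"local/recursor.conf:/etc/powerdns/recursor.conf",
+]
+}
+template{
+destination = "local/recursor.conf"
+data= <<EOH
+config-dir=/etc/powerdns
+dnssec=off
+forward-zones=consul=127.0.0.1:8600,ducamps.eu=192.168.1.5,1.168.192.in-addr.arpa=192.168.1.5
+local-address=192.168.1.6
+EOH
+}
+resources {
+cpu = 100
+memory = 50
+}
+}
+task "keepalived" {
+driver = "docker"
+lifecycle {
+hook = "prestart"
+sidecar = true
+}
+
+env {
+KEEPALIVED_ROUTER_ID = "52"
+KEEPALIVED_STATE = "MASTER"
+KEEPALIVED_VIRTUAL_IPS = "#PYTHON2BASH:['192.168.1.5','192.168.1.6']"
+}
+template{
+destination = "local/env.yaml"
+change_mode = "restart"
+env= true
+data = <<EOH
+KEEPALIVED_INTERFACE= {{ sockaddr "GetPrivateInterfaces | include \"network\" \"192.168.1.0/24\" | attr \"name\"" }}
+EOH
+}
+config {
+image = "osixia/keepalived:2.0.20"
+network_mode = "host"
+cap_add = [
+"NET_ADMIN",
+"NET_BROADCAST",
+"NET_RAW"
+]
+}
+resources {
+cpu = 20
+memory = 20
+}
+}
+}
+}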
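Review bot: `privileged=true` in the pdns-auth task config makes the `cap_add= ["net_bind_service"]` line on the next line a no-op and grants the container far more than it needs to bind port 53 on the host network; keeping only the capability, `cap_add = ["net_bind_service"]` without `privileged=true`, is the least-privilege form. The service block advertises `port = "dns"` (static 5300) while the rendered `local/pdns.conf` sets `local-port=53`, so Consul appears to register a port on which PowerDNS does not listen — confirm which one is intended. `allow-dnsupdate-from=192.168.1.41/24` admits the whole 192.168.1.0/24 for RFC 2136 updates; if a single host is meant to update zones, `/32` is the prefix that expresses that. `dnssec=off` in the recursor template disables validation for every forwarded answer and deserves either a one-line comment stating why (`# dnssec=off: <reason>`) or `dnssec=validate`. The task name `pnds-admin` looks like a typo for the service it registers, `pdns-admin`.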
@ -9,11 +9,6 @@ job "pihole" {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
group "pi-hole" {
|
||||
network {
|
||||
port "dns" {
|
||||
@ -43,9 +38,22 @@ job "pihole" {
|
||||
name = "dns"
|
||||
port = "dns"
|
||||
|
||||
check {
|
||||
name = "service: dns dig check"
|
||||
type = "script"
|
||||
command = "/usr/bin/dig"
|
||||
args = ["+short", "@192.168.1.4"]
|
||||
interval = "10s"
|
||||
timeout = "2s"
|
||||
|
||||
check_restart {
|
||||
limit = 3
|
||||
grace = "60s"
|
||||
}
|
||||
}
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/pihole/pihole:2023.10.0"
|
||||
image = "pihole/pihole:2023.10.0"
|
||||
network_mode = "host"
|
||||
volumes = [
|
||||
"local/dnsmasq.d/02-localresolver.conf:/etc/dnsmasq.d/02-localresolver.conf",
|
||||
@ -60,7 +68,7 @@ job "pihole" {
|
||||
env {
|
||||
TZ = "Europe/Paris"
|
||||
DNS1 = "192.168.1.5"
|
||||
DNS2 = "192.168.1.40"
|
||||
DNS2 = "192.168.1.41"
|
||||
WEB_PORT = "${NOMAD_PORT_http}"
|
||||
|
||||
}
|
||||
@ -90,7 +98,6 @@ local-ttl=2
|
||||
}
|
||||
resources {
|
||||
memory = 100
|
||||
memory_max =200
|
||||
}
|
||||
}
|
||||
|
@ -1,285 +0,0 @@
|
||||
|
||||
job "authelia" {
|
||||
datacenters = ["homelab"]
|
||||
priority = 80
|
||||
type = "service"
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
}
|
||||
|
||||
group "authelia" {
|
||||
network {
|
||||
mode = "host"
|
||||
port "authelia" {
|
||||
to = 9091
|
||||
}
|
||||
}
|
||||
volume "authelia-config" {
|
||||
type = "csi"
|
||||
source = "authelia-config"
|
||||
access_mode = "multi-node-multi-writer"
|
||||
attachment_mode = "file-system"
|
||||
}
|
||||
vault {
|
||||
policies = ["authelia"]
|
||||
|
||||
}
|
||||
task "authelia" {
|
||||
driver = "docker"
|
||||
service {
|
||||
name = "authelia"
|
||||
port = "authelia"
|
||||
tags = [
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`auth.ducamps.eu`)",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=auth.ducamps.eu",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
|
||||
|
||||
|
||||
]
|
||||
}
|
||||
action "generate-client-secret" {
|
||||
command = "authelia"
|
||||
args = ["crypto",
|
||||
"hash",
|
||||
"generate",
|
||||
"pbkdf2",
|
||||
"--random",
|
||||
"--random.length",
|
||||
"72",
|
||||
"--random.charset",
|
||||
"rfc3986"
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "authelia/authelia"
|
||||
ports = ["authelia"]
|
||||
args = [
|
||||
"--config",
|
||||
"/local/configuration.yml",
|
||||
]
|
||||
|
||||
|
||||
}
|
||||
volume_mount {
|
||||
volume = "authelia-config"
|
||||
destination = "/config"
|
||||
}
|
||||
env {
|
||||
AUTHELIA_SESSION_SECRET = uuidv4()
|
||||
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET = uuidv4()
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOH
|
||||
|
||||
---
|
||||
###############################################################
|
||||
# Authelia configuration #
|
||||
###############################################################
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
endpoints:
|
||||
authz:
|
||||
forward-auth:
|
||||
implementation: 'ForwardAuth'
|
||||
legacy:
|
||||
implementation: 'Legacy'
|
||||
|
||||
identity_providers:
|
||||
oidc:
|
||||
hmac_secret: {{ with secret "secrets/data/nomad/authelia"}}{{ .Data.data.hmac}}{{end}}
|
||||
jwks:
|
||||
- key_id: 'key'
|
||||
key: |
|
||||
{{ with secret "secrets/data/nomad/authelia"}}{{ .Data.data.rsakey|indent 8 }}{{end}}
|
||||
cors:
|
||||
endpoints:
|
||||
- userinfo
|
||||
- authorization
|
||||
- token
|
||||
- revocation
|
||||
- introspection
|
||||
allowed_origins:
|
||||
- https://mealie.ducamps.eu
|
||||
allowed_origins_from_client_redirect_uris: true
|
||||
clients:
|
||||
- client_id: 'ttrss'
|
||||
client_name: 'ttrss'
|
||||
client_secret: {{ with secret "secrets/data/authelia/ttrss"}} {{ .Data.data.hash }} {{end}}
|
||||
public: false
|
||||
scopes:
|
||||
- openid
|
||||
- email
|
||||
- profile
|
||||
redirect_uris:
|
||||
- 'https://www.ducamps.eu/tt-rss'
|
||||
userinfo_signed_response_alg: none
|
||||
authorization_policy: 'one_factor'
|
||||
pre_configured_consent_duration: 3M
|
||||
- client_id: 'mealie'
|
||||
client_name: 'mealie'
|
||||
client_secret: {{ with secret "secrets/data/authelia/mealie"}} {{ .Data.data.hash }} {{end}}
|
||||
public: false
|
||||
require_pkce: true
|
||||
pkce_challenge_method: 'S256'
|
||||
scopes:
|
||||
- openid
|
||||
- email
|
||||
- profile
|
||||
- groups
|
||||
redirect_uris:
|
||||
- 'https://mealie.ducamps.eu/login'
|
||||
userinfo_signed_response_alg: none
|
||||
authorization_policy: 'one_factor'
|
||||
pre_configured_consent_duration: 3M
|
||||
- client_id: 'immich'
|
||||
client_name: 'immich'
|
||||
client_secret: {{ with secret "secrets/data/authelia/immich"}} {{ .Data.data.hash }} {{end}}
|
||||
public: false
|
||||
authorization_policy: 'one_factor'
|
||||
redirect_uris:
|
||||
- 'https://immich.ducamps.eu/auth/login'
|
||||
- 'https://immich.ducamps.eu/user-settings'
|
||||
- 'app.immich:/'
|
||||
scopes:
|
||||
- 'openid'
|
||||
- 'profile'
|
||||
- 'email'
|
||||
userinfo_signed_response_alg: 'none'
|
||||
pre_configured_consent_duration: 3M
|
||||
- client_id: 'grafana'
|
||||
client_name: 'Grafana'
|
||||
client_secret:{{ with secret "secrets/data/authelia/grafana"}} {{ .Data.data.hash }} {{end}}
|
||||
public: false
|
||||
authorization_policy: 'one_factor'
|
||||
require_pkce: true
|
||||
pkce_challenge_method: 'S256'
|
||||
redirect_uris:
|
||||
- 'https://grafana.ducamps.eu/login/generic_oauth'
|
||||
scopes:
|
||||
- 'openid'
|
||||
- 'profile'
|
||||
- 'groups'
|
||||
- 'email'
|
||||
userinfo_signed_response_alg: 'none'
|
||||
token_endpoint_auth_method: 'client_secret_basic'
|
||||
pre_configured_consent_duration: 3M
|
||||
- client_id: 'vikunja'
|
||||
client_name: 'vikunja'
|
||||
client_secret:{{ with secret "secrets/data/authelia/vikunja"}} {{ .Data.data.hash }} {{end}}
|
||||
public: false
|
||||
authorization_policy: 'one_factor'
|
||||
redirect_uris:
|
||||
- 'https://vikunja.ducamps.eu/auth/openid/authelia'
|
||||
scopes:
|
||||
- 'openid'
|
||||
- 'profile'
|
||||
- 'email'
|
||||
userinfo_signed_response_alg: 'none'
|
||||
token_endpoint_auth_method: 'client_secret_basic'
|
||||
pre_configured_consent_duration: 3M
|
||||
- client_id: 'gitea'
|
||||
client_name: 'gitea'
|
||||
client_secret:{{ with secret "secrets/data/authelia/gitea"}} {{ .Data.data.hash }} {{end}}
|
||||
public: false
|
||||
authorization_policy: 'one_factor'
|
||||
redirect_uris:
|
||||
- 'https://git.ducamps.eu/user/oauth2/authelia/callback'
|
||||
scopes:
|
||||
- 'openid'
|
||||
- 'profile'
|
||||
- 'email'
|
||||
userinfo_signed_response_alg: 'none'
|
||||
token_endpoint_auth_method: 'client_secret_basic'
|
||||
pre_configured_consent_duration: 3M
|
||||
|
||||
log:
|
||||
level: 'trace'
|
||||
|
||||
totp:
|
||||
issuer: 'authelia.com'
|
||||
|
||||
|
||||
authentication_backend:
|
||||
ldap:
|
||||
address: 'ldaps://ldap.service.consul'
|
||||
implementation: 'custom'
|
||||
timeout: '5s'
|
||||
start_tls: false
|
||||
tls:
|
||||
skip_verify: true
|
||||
minimum_version: 'TLS1.2'
|
||||
base_dn: 'DC=ducamps,DC=eu'
|
||||
additional_users_dn: 'OU=users'
|
||||
users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))'
|
||||
additional_groups_dn: 'OU=groups'
|
||||
#groups_filter: '(&(member=UID={input},OU=users,DC=ducamps,DC=eu)(objectClass=groupOfNames))'
|
||||
groups_filter: '(&(|{memberof:rdn})(objectClass=groupOfNames))'
|
||||
group_search_mode: 'memberof'
|
||||
user: 'uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu'
|
||||
password:{{ with secret "secrets/data/nomad/authelia"}} '{{ .Data.data.ldapPassword }}'{{ end }}
|
||||
attributes:
|
||||
distinguished_name: ''
|
||||
username: 'uid'
|
||||
mail: 'mail'
|
||||
member_of: 'memberOf'
|
||||
group_name: 'cn'
|
||||
|
||||
access_control:
|
||||
default_policy: 'deny'
|
||||
rules:
|
||||
# Rules applied to everyone
|
||||
- domain: '*.ducamps.eu'
|
||||
policy: 'one_factor'
|
||||
|
||||
session:
|
||||
cookies:
|
||||
- name: 'authelia_session'
|
||||
domain: 'ducamps.eu' # Should match whatever your root protected domain is
|
||||
authelia_url: 'https://auth.ducamps.eu'
|
||||
expiration: '12 hour'
|
||||
inactivity: '5 minutes'
|
||||
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: '2 minutes'
|
||||
ban_time: '5 minutes'
|
||||
|
||||
storage:
|
||||
{{ with secret "secrets/data/nomad/authelia"}}
|
||||
encryption_key: '{{.Data.data.encryptionKeys }}'
|
||||
{{end}}
|
||||
local:
|
||||
path: '/config/db.sqlite3'
|
||||
|
||||
notifier:
|
||||
disable_startup_check: true
|
||||
smtp:
|
||||
username: 'authelia@ducamps.eu'
|
||||
{{ with secret "secrets/data/nomad/authelia"}}
|
||||
password: '{{ .Data.data.mailPassword}}'
|
||||
{{end}}
|
||||
address: submissions://mail.ducamps.eu:465
|
||||
disable_require_tls: true
|
||||
sender: 'authelia@ducamps.eu'
|
||||
tls:
|
||||
server_name: 'mail.ducamps.eu'
|
||||
skip_verify: true
|
||||
EOH
|
||||
destination = "local/configuration.yml"
|
||||
}
|
||||
resources {
|
||||
memory = 100
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
@ -1 +0,0 @@
|
||||
../makefile
|
@ -9,11 +9,7 @@ job "prometheus" {
|
||||
meta{
|
||||
force_deploy= 1
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
|
||||
group "prometheus" {
|
||||
count = 1
|
||||
|
||||
@ -250,7 +246,7 @@ EOH
|
||||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "docker.service.consul:5000/prom/prometheus:latest"
|
||||
image = "prom/prometheus:latest"
|
||||
args = [
|
||||
"--config.file=/etc/prometheus/prometheus.yml",
|
||||
"--storage.tsdb.path=/prometheus",
|
||||
@ -289,7 +285,6 @@ EOH
|
||||
}
|
||||
resources {
|
||||
memory = 350
|
||||
memory_max = 500
|
||||
}
|
||||
}
|
||||
}
|
@ -6,11 +6,6 @@ job "radicale" {
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
group "radicale" {
|
||||
network {
|
||||
mode = "host"
|
||||
@ -44,11 +39,11 @@ job "radicale" {
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/tomsquest/docker-radicale"
|
||||
image = "tomsquest/docker-radicale"
|
||||
ports = ["http"]
|
||||
volumes = [
|
||||
"local/config:/config/config",
|
||||
"/mnt/diskstation/nomad/radicale:/data"
|
||||
"/mnt/diskstation/CardDav:/data"
|
||||
]
|
||||
|
||||
}
|
@ -6,6 +6,9 @@ job "torrent" {
|
||||
meta {
|
||||
forcedeploy = "0"
|
||||
}
|
||||
vault {
|
||||
policies= ["torrent"]
|
||||
}
|
||||
group "bittorent" {
|
||||
network {
|
||||
mode = "host"
|
||||
@ -23,7 +26,7 @@ job "torrent" {
|
||||
}
|
||||
}
|
||||
task "bittorent" {
|
||||
driver = "docker"
|
||||
driver = "podman"
|
||||
service {
|
||||
name = "bittorent"
|
||||
port = "http"
|
||||
@ -33,36 +36,43 @@ job "torrent" {
|
||||
"homer.name=torrent",
|
||||
"homer.url=https://torrent.ducamps.eu",
|
||||
"homer.service=Application",
|
||||
"homer.logo=https://fleet.linuxserver.io/images/linuxserver_rutorrent.png",
|
||||
"homer.logo=https://${NOMAD_JOB_NAME}.ducamps.eu/images/favicon-196x196.png",
|
||||
"homer.target=_blank",
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`${NOMAD_JOB_NAME}.ducamps.eu`)",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.eu",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.middlewares=authelia-basic",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.middlewares=torrentauth",
|
||||
"traefik.http.middlewares.torrentauth.basicauth.users=admin:${ADMIN_HASHED_PWD}"
|
||||
]
|
||||
}
|
||||
template {
|
||||
data = <<-EOF
|
||||
ADMIN_HASHED_PWD={{ with secret "secrets/nomad/torrent" }}{{.Data.data.hashed_pwd}}{{ end }}
|
||||
EOF
|
||||
destination = "secrets/env"
|
||||
env = true
|
||||
}
|
||||
user = "root"
|
||||
config {
|
||||
ulimit {
|
||||
nproc=65535
|
||||
nofile = "32000:40000"
|
||||
}
|
||||
image = "docker.service.consul:5000/crazymax/rtorrent-rutorrent:edge"
|
||||
|
||||
image = "docker.io/crazymax/rtorrent-rutorrent:latest"
|
||||
privileged = "true"
|
||||
ports = [
|
||||
"http",
|
||||
"torrent",
|
||||
"ecoute"
|
||||
]
|
||||
volumes = [
|
||||
"/opt/rutorrentConfig:/data",
|
||||
"/mnt/hetzner/storagebox/rutorrentConfig:/data",
|
||||
"/mnt/hetzner/storagebox/file:/downloads"
|
||||
]
|
||||
|
||||
}
|
||||
env {
|
||||
PUID = 100001
|
||||
PGID = 10
|
||||
PGID = 984
|
||||
UMASK = 002
|
||||
WEBUI_PORT = "8080"
|
||||
}
|
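Review bot: `traefik.http.middlewares.torrentauth.basicauth.users=admin:${ADMIN_HASHED_PWD}` places the rendered password hash in a service tag, and service tags are published to the Consul catalog, so the hash becomes readable by anything with catalog read access (unless Consul ACLs restrict it) rather than only by holders of the `torrent` Vault policy; the removed `middlewares=authelia-basic` tag kept the credential out of the catalog. If basic auth is wanted here, a `basicauth.usersfile` read by Traefik from a file it owns keeps the hash off the catalog. The template reads `secrets/nomad/torrent` whereas every other job in this commit reads `secrets/data/...` (for example `secrets/data/nomad/pdns`), so confirm the path resolves on the KV v2 mount or the tag will render with an empty hash. The added `user = "root"` combined with the existing `privileged = "true"` is more than a torrent client needs; since `PUID`/`PGID` are already supplied in `env`, the image should be able to drop privileges on its own.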
@ -10,11 +10,7 @@ job "supysonic" {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
|
||||
group "supysonic" {
|
||||
network {
|
||||
mode = "host"
|
||||
@ -53,7 +49,7 @@ job "supysonic" {
|
||||
task "supysonic-frontend" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "docker.service.consul:5000/library/nginx:alpine"
|
||||
image = "nginx:alpine"
|
||||
ports = [
|
||||
"http"
|
||||
]
|
||||
@ -96,7 +92,7 @@ http {
|
||||
task "supysonic-server" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "docker.service.consul:5000/ducampsv/supysonic:latest"
|
||||
image = "ducampsv/supysonic:latest"
|
||||
ports = ["fcgi"]
|
||||
force_pull = true
|
||||
volumes = [
|
||||
@ -109,10 +105,10 @@ http {
|
||||
SUPYSONIC_DAEMON_ENABLED = "true"
|
||||
SUPYSONIC_WEBAPP_LOG_LEVEL = "DEBUG"
|
||||
SUPYSONIC_DAEMON_LOG_LEVEL = "INFO"
|
||||
SUPYSONIC_LDAP_SERVER = "LDAPS://ldaps.service.consul"
|
||||
SUPYSONIC_LDAP_BASE_DN = "dc=ducamps,dc=eu"
|
||||
SUPYSONIC_LDAP_USER_FILTER = "(&(memberOf=cn=SupysonicUsers,ou=groups,dc=ducamps,dc=eu))"
|
||||
SUPYSONIC_LDAP_ADMIN_FILTER= "(&(memberOf=cn=SupysonicAdmins,ou=groups,dc=ducamps,dc=eu))"
|
||||
SUPYSONIC_LDAP_SERVER = "LDAP://ldap.ducamps.eu"
|
||||
SUPYSONIC_LDAP_BASE_DN = "dc=ducamps,dc=win"
|
||||
SUPYSONIC_LDAP_USER_FILTER = "(&(memberOf=CN=SupysonicUsers,cn=groups,dc=ducamps,dc=win))"
|
||||
SUPYSONIC_LDAP_ADMIN_FILTER= "(&(memberOf=CN=SupysonicAdmins,cn=groups,dc=ducamps,dc=win))"
|
||||
}
|
||||
|
||||
template {
|
@ -10,11 +10,7 @@ job "syncthing" {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
|
||||
|
||||
group "syncthing" {
|
||||
network {
|
||||
@ -44,7 +40,7 @@ job "syncthing" {
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "docker.service.consul:5000/linuxserver/syncthing"
|
||||
image = "linuxserver/syncthing"
|
||||
ports = ["http"]
|
||||
volumes = [
|
||||
"/mnt/diskstation/nomad/syncthing/config:/config",
|
||||
@ -52,11 +48,6 @@ job "syncthing" {
|
||||
]
|
||||
|
||||
}
|
||||
|
||||
env{
|
||||
PUID = 1000001
|
||||
GUID = 1000001
|
||||
}
|
||||
resources {
|
||||
memory = 200
|
||||
}
|
@ -1,26 +0,0 @@
|
||||
job "csi-nfs-controller" {
|
||||
datacenters = ["homelab"]
|
||||
group "controller" {
|
||||
task "csi-nfs-controller" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "registry.k8s.io/sig-storage/nfsplugin:v4.7.0"
|
||||
args = [
|
||||
"--v=5",
|
||||
"--nodeid=${attr.unique.hostname}",
|
||||
"--endpoint=unix:///csi/csi.sock",
|
||||
"--drivername=nfs.csi.k8s.io"
|
||||
]
|
||||
}
|
||||
csi_plugin {
|
||||
id = "nfs"
|
||||
type = "controller"
|
||||
mount_dir = "/csi"
|
||||
}
|
||||
resources {
|
||||
memory = 32
|
||||
cpu = 100
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
@ -1,29 +0,0 @@
|
||||
job "csi-nfs-nodes" {
|
||||
datacenters = ["homelab","hetzner"]
|
||||
type = "system"
|
||||
group "csi-nfs-nodes" {
|
||||
task "plugin" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "registry.k8s.io/sig-storage/nfsplugin:v4.7.0"
|
||||
args = [
|
||||
"--v=5",
|
||||
"--nodeid=${attr.unique.hostname}",
|
||||
"--endpoint=unix:///csi/csi.sock",
|
||||
"--drivername=nfs.csi.k8s.io"
|
||||
]
|
||||
# node plugins must run as privileged jobs because they
|
||||
# mount disks to the host
|
||||
privileged = true
|
||||
}
|
||||
csi_plugin {
|
||||
id = "nfs"
|
||||
type = "node"
|
||||
mount_dir = "/csi"
|
||||
}
|
||||
resources {
|
||||
memory = 50
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
@ -1 +0,0 @@
|
||||
../makefile
|
@ -1,31 +0,0 @@
|
||||
dn: cn=module,cn=config
|
||||
cn: module
|
||||
objectClass: olcModuleList
|
||||
olcModuleLoad: memberof
|
||||
olcModuleLoad: refint
|
||||
olcModulePath: /opt/bitnami/openldap/lib/openldap
|
||||
|
||||
dn: olcOverlay={0}memberof,olcDatabase={2}mdb,cn=config
|
||||
objectClass: olcConfig
|
||||
objectClass: olcMemberOf
|
||||
objectClass: olcOverlayConfig
|
||||
objectClass: top
|
||||
olcOverlay: memberof
|
||||
olcMemberOfDangling: ignore
|
||||
olcMemberOfRefInt: TRUE
|
||||
olcMemberOfGroupOC: groupOfNames
|
||||
olcMemberOfMemberAD: member
|
||||
olcMemberOfMemberOfAD: memberOf
|
||||
|
||||
|
||||
dn: olcOverlay={1}refint,olcDatabase={2}mdb,cn=config
|
||||
objectClass: olcConfig
|
||||
objectClass: olcOverlayConfig
|
||||
objectClass: olcRefintConfig
|
||||
objectClass: top
|
||||
olcOverlay: {1}refint
|
||||
olcRefintAttribute: memberof
|
||||
olcRefintAttribute: member
|
||||
olcRefintAttribute: manager
|
||||
olcRefintAttribute: owner
|
||||
|
@ -1,194 +0,0 @@
|
||||
|
||||
job "openldap" {
|
||||
datacenters = ["homelab"]
|
||||
priority = 90
|
||||
type = "service"
|
||||
meta {
|
||||
forcedeploy = "1"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
}
|
||||
constraint {
|
||||
attribute = "${node.class}"
|
||||
operator = "set_contains"
|
||||
value = "cluster"
|
||||
}
|
||||
|
||||
vault {
|
||||
policies = ["ldap"]
|
||||
}
|
||||
group "openldap" {
|
||||
network {
|
||||
mode = "host"
|
||||
port "ldap" {
|
||||
static = 389
|
||||
to = 1389
|
||||
}
|
||||
port "ldaps" {
|
||||
static = 636
|
||||
to = 1636
|
||||
}
|
||||
|
||||
}
|
||||
task "selfsignedCertificate" {
|
||||
lifecycle {
|
||||
hook= "prestart"
|
||||
sidecar = false
|
||||
}
|
||||
driver= "docker"
|
||||
config{
|
||||
image= "stakater/ssl-certs-generator"
|
||||
mount {
|
||||
type = "bind"
|
||||
source = "..${NOMAD_ALLOC_DIR}/data"
|
||||
target = "/certs"
|
||||
}
|
||||
}
|
||||
env {
|
||||
SSL_DNS="ldaps.service.consul,ldap.service.consul"
|
||||
}
|
||||
resources {
|
||||
memory = 50
|
||||
}
|
||||
}
|
||||
task "openldap" {
|
||||
driver = "docker"
|
||||
service {
|
||||
name = "ldap"
|
||||
port = "ldap"
|
||||
tags = [
|
||||
]
|
||||
}
|
||||
service {
|
||||
name = "ldaps"
|
||||
port = "ldaps"
|
||||
tags = [
|
||||
]
|
||||
}
|
||||
|
||||
config {
|
||||
image = "bitnami/openldap"
|
||||
ports = ["ldap", "ldaps"]
|
||||
volumes = [
|
||||
"/mnt/diskstation/nomad/openldap:/bitnami/openldap",
|
||||
]
|
||||
|
||||
}
|
||||
env {
|
||||
LDAP_ADMIN_USERNAME = "admin"
|
||||
LDAP_ROOT = "dc=ducamps,dc=eu"
|
||||
LDAP_EXTRA_SCHEMAS = "cosine, inetorgperson"
|
||||
LDAP_CUSTOM_SCHEMA_DIR = "/local/schema"
|
||||
LDAP_CUSTOM_LDIF_DIR = "/local/ldif"
|
||||
LDAP_CONFIGURE_PPOLICY = "yes"
|
||||
LDAP_ALLOW_ANON_BINDING = "no"
|
||||
LDAP_LOGLEVEL = 64
|
||||
LDAP_ENABLE_TLS = "yes"
|
||||
LDAP_TLS_CERT_FILE = "${NOMAD_ALLOC_DIR}/data/cert.pem"
|
||||
LDAP_TLS_KEY_FILE = "${NOMAD_ALLOC_DIR}/data/key.pem"
|
||||
LDAP_TLS_CA_FILE = "${NOMAD_ALLOC_DIR}/data/ca.pem"
|
||||
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOH
|
||||
{{ with secret "secrets/data/nomad/ldap"}}
|
||||
LDAP_ADMIN_PASSWORD="{{ .Data.data.admin}}"
|
||||
{{end}}
|
||||
EOH
|
||||
env=true
|
||||
destination= "secrets/env"
|
||||
}
|
||||
#memberOf issue
|
||||
#https://github.com/bitnami/containers/issues/28335
|
||||
# https://tylersguides.com/guides/openldap-memberof-overlay
|
||||
|
||||
|
||||
template {
|
||||
data = file("memberofOverlay.ldif")
|
||||
destination = "local/schema/memberofOverlay.ldif"
|
||||
}
|
||||
template {
|
||||
data = file("smbkrb5pwd.ldif")
|
||||
destination = "local/smbkrb5pwd.ldif"
|
||||
}
|
||||
template {
|
||||
data = file("rfc2307bis.ldif")
|
||||
destination = "local/schema/rfc2307bis.ldif"
|
||||
}
|
||||
template {
|
||||
data = file("samba.ldif")
|
||||
destination = "local/schema/samba.ldif"
|
||||
}
|
||||
template {
|
||||
data = file("tree.ldif")
|
||||
destination = "local/ldif/tree.ldif"
|
||||
}
|
||||
resources {
|
||||
memory = 150
|
||||
}
|
||||
}
|
||||
}
|
||||
group ldpp-user-manager{
|
||||
network{
|
||||
mode = "host"
|
||||
port "http" {
|
||||
to = 80
|
||||
}
|
||||
}
|
||||
task ldap-user-manager {
|
||||
driver = "docker"
|
||||
service {
|
||||
name = "ldap-user-manager"
|
||||
port = "http"
|
||||
tags = [
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`ldap.ducamps.eu`)",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=ldap.ducamps.eu",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
|
||||
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
|
||||
]
|
||||
}
|
||||
config {
|
||||
image = "wheelybird/ldap-user-manager"
|
||||
ports = ["http"]
|
||||
}
|
||||
template {
|
||||
data = <<EOH
|
||||
SERVER_HOSTNAME="ldap.ducamps.eu"
|
||||
LDAP_URI="ldaps://ldaps.service.consul"
|
||||
LDAP_BASE_DN="dc=ducamps,dc=eu"
|
||||
LDAP_ADMIN_BIND_DN="cn=admin,dc=ducamps,dc=eu"
|
||||
LDAP_GROUP_MEMBERSHIP_ATTRIBUTE = "member"
|
||||
{{ with secret "secrets/data/nomad/ldap"}}
|
||||
LDAP_ADMIN_BIND_PWD="{{ .Data.data.admin}}"
|
||||
{{end}}
|
||||
LDAP_IGNORE_CERT_ERRORS="true"
|
||||
LDAP_REQUIRE_STARTTLS="false"
|
||||
LDAP_ADMINS_GROUP="LDAP Operators"
|
||||
LDAP_USER_OU="users"
|
||||
NO_HTTPS="true"
|
||||
EMAIL_DOMAIN="ducamps.eu"
|
||||
DEFAULT_USER_GROUP="users"
|
||||
DEFAULT_USER_SHELL="/bin/sh"
|
||||
USERNAME_FORMAT="{first_name}"
|
||||
LDAP_RFC2307BIS_SCHEMA="TRUE"
|
||||
USERNAME_REGEX="^[a-zA-Z][a-zA-Z0-9._-]{3,32}$"
|
||||
LDAP_GROUP_ADDITIONAL_OBJECTCLASSES="groupOfNames,posixGroup,top"
|
||||
SHOW_POSIX_ATTRIBUTES="TRUE"
|
||||
|
||||
EOH
|
||||
destination = "secrets/env"
|
||||
env = true
|
||||
}
|
||||
resources {
|
||||
memory = 70
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|