


vincent
2161f22ef8 feat: K3S cluster instalation.
Some checks failed
continuous-integration/drone/push Build is failing
2024-08-04 11:56:11 +02:00
32 changed files with 131 additions and 220 deletions


@ -4,7 +4,7 @@ systemd_mounts:
mount: /mnt/diskstation/nomad
type: nfs
options:
- "vers=4"
- " "
automount: "{{ env_automount }}"
enabled: true
hetzner_storage:
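Review bot: One of the two `options` entries in this hunk replaces the other and the rendered page no longer shows which side is new; if the surviving entry is `- " "`, the mount loses its `vers=4` pin and a lone whitespace token is passed through to the mount options, which reads as a placeholder rather than an intended value. If the NFS version pin is meant to stay, keep `- "vers=4"` and delete the blank entry; if the options are meant to come from a variable, use a quoted template expression such as `- "{{ env_nfs_options }}"` (name is a placeholder) instead of an empty-looking string. The same pair appears in every hunk of the later systemd_mounts section (photo, music, media, ebook and download mounts), so the fix applies there too.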


@ -1,7 +1,7 @@
docker_daemon_config:
dns:
- 172.17.0.1
- 192.168.1.6
- 192.168.1.5
mtu: 1420
insecure-registries:
- 192.168.1.0/24


@ -0,0 +1 @@
k3s_cluster_group: homelab


@ -4,7 +4,7 @@ systemd_mounts:
mount: /mnt/diskstation/photo
type: nfs
options:
- "vers=4"
- " "
automount: "{{ env_automount }}"
enabled: true
diskstation_music:
@ -12,7 +12,7 @@ systemd_mounts:
mount: /mnt/diskstation/music
type: nfs
options:
- "vers=4"
- " "
automount: "{{ env_automount }}"
enabled: true
diskstation_media:
@ -20,7 +20,7 @@ systemd_mounts:
mount: /mnt/diskstation/media
type: nfs
options:
- "vers=4"
- " "
automount: "{{ env_automount }}"
enabled: true
@ -29,7 +29,7 @@ systemd_mounts:
mount: /mnt/diskstation/ebook
type: nfs
options:
- "vers=4"
- " "
automount: "{{ env_automount }}"
enabled: true
diskstation_nomad:
@ -45,6 +45,6 @@ systemd_mounts:
mount: /mnt/diskstation/download
type: nfs
options:
- "vers=4"
- " "
automount: "{{ env_automount }}"
enabled: true


@ -1,2 +1,3 @@
nomad_datacenter: homelab
k3s_consul_service: true
system_wol_enable: True
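Review bot: Boolean style is mixed in this three-line file: the line added here, presumably `k3s_consul_service: true`, uses the lowercase form while the existing `system_wol_enable: True` is capitalised. Both are accepted by Ansible's YAML 1.1 loader, but yamllint's `truthy` rule only accepts `true`/`false`, so normalising the older line to `system_wol_enable: true` keeps the file consistent and lint-clean.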


@ -7,7 +7,7 @@ nomad_client_meta:
- name: "env"
value: "production"
vault_unseal_keys_dir_output: "~/vaultUnseal/production"
env_default_nfs_path: ""
env_default_nfs_path: "/exports"
env_media_nfs_path: "/volume1"
env_automount: true
nas_ip: "192.168.1.43"


@ -3,7 +3,6 @@ default_interface: "enp1s0"
consul_iface: "{{ default_interface}}"
vault_iface: "{{ default_interface}}"
nfs_iface: "{{ default_interface}}"
nomad_client_cpu_total_compute: 8000
wireguard_address: "10.0.0.2/24"
wireguard_byhost_allowed_ips:
merlin: 10.0.0.2,192.168.1.40


@ -1,10 +1,4 @@
---
- name: Consul install
hosts: all
roles:
- role: ansible-consul
become: true
- name: Vault install
hosts: homelab
roles:
@ -46,8 +40,6 @@
- name: nomad
hosts: all
vars:
unseal_keys_dir_output: ~/vaultunseal
roles:
- role: ansible-nomad
become: true


@ -0,0 +1,8 @@
---
- name: Consul install
hosts: all
roles:
- role: ansible-consul
become: true


@ -0,0 +1,5 @@
---
- name: k3s
hosts: all
roles:
- role: ansible-k3s
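Review bot: The new k3s play has no `become: true`, whereas the Consul play introduced in the same commit sets it; if the ansible-k3s role installs a system service and writes under /etc or /var/lib (its contents are not visible here) it will need privilege escalation, so `become: true` on this play looks missing. It also targets `hosts: all` even though `k3s_cluster_group: homelab` is added in group vars by this commit; if only that group should become cluster members, `hosts: homelab` (mirroring the Vault play) scopes the install and avoids putting k3s on every inventory host.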


@ -45,5 +45,7 @@ roles:
- src: git@git.ducamps.eu:2222/ansible-roles/ansible-role-pureftpd.git
scm: git
- src: https://github.com/PowerDNS/pdns_recursor-ansible.git
- src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-k3s.git
scm: git
collections:
- name: vladgh.samba
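Review bot: The new `ansible-k3s` requirement has no `version:`, so every `ansible-galaxy install` fetches whatever the repository's default branch points to at that moment; pinning `version: <tag-or-commit>` (placeholder) makes the role a reproducible dependency and stops an upstream push from silently changing what is deployed to every host. As a side point, the `ssh://git@git.ducamps.eu:2222/...` form used here is the correct way to carry a non-default port, while the existing pureftpd entry's scp-like `git@git.ducamps.eu:2222/...` is read by git as a path beginning with `2222/`, so that older line probably deserves the same URL form.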


@ -2,7 +2,9 @@
- import_playbook: playbooks/server.yml
- import_playbook: playbooks/dhcpd.yml
- import_playbook: playbooks/dns.yml
- import_playbook: playbooks/HashicorpStack.yml
- import_playbook: playbooks/consul.yml
- import_playbook: playbooks/kube.yml
#- import_playbook: playbooks/HashicorpStack.yml
- import_playbook: playbooks/nas.yml
- import_playbook: playbooks/autofs.yml
- import_playbook: playbooks/sssd.yml
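Review bot: The commented-out `#- import_playbook: playbooks/HashicorpStack.yml` is dead configuration: if the Vault/Nomad plays are intentionally no longer part of a full site run, delete the line (history keeps it), and if they still are, import it explicitly, because a commented import is easy to misread as active. With this ordering consul.yml and kube.yml run before nas.yml and autofs.yml, so the cluster roles cannot rely on the NFS mounts defined there; that may be intended, but a one-line comment stating the dependency order would make it deliberate.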


@ -96,8 +96,7 @@ job "immich" {
env = true
}
resources {
memory = 600
memory_max = 1800
memory = 500
}
}
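Review bot: Dropping `memory_max = 1800` makes `memory = 500` the hard limit for the immich task, whereas before it could burst up to 1800 MB above a 600 MB reservation; if its working set ever exceeded 500 MB the task will now be OOM-killed rather than allowed to grow. If the intent is only to tighten the reservation, keep a `memory_max` at the previously observed peak. The same removal happens in the jellyfin and batch-seedboxsync hunks and in the hunk under `local-ttl=2`, and the registry hunks lower `memory_max` from 600 to 400 for two tasks.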


@ -111,7 +111,6 @@ job "jellyfin" {
resources {
memory = 2000
memory_max = 4000
cpu = 3000
}
}


@ -1 +0,0 @@
../makefile


@ -81,7 +81,6 @@ job "mealie" {
template {
data = <<EOH
{{ with secret "secrets/data/database/mealie"}}POSTGRES_PASSWORD= "{{ .Data.data.password }}" {{end}}
{{ with secret "secrets/data/authelia/mealie"}}OIDC_CLIENT_SECRET= "{{ .Data.data.password }}" {{end}}
EOH
destination = "secrets/var.env"
env = true


@ -38,6 +38,7 @@ job "paperless-ng" {
}
resources {
memory = 50
cpu = 50
}
}
task "paperless-ng" {
@ -51,7 +52,6 @@ job "paperless-ng" {
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.eu",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
"traefik.http.routers.${NOMAD_JOB_NAME}.middlewares=authelia",
"homer.enable=true",
"homer.name=Paperless",
"homer.service=Application",
@ -87,9 +87,6 @@ job "paperless-ng" {
PAPERLESS_CONSUMER_POLLING = "60"
PAPERLESS_URL = "https://${NOMAD_JOB_NAME}.ducamps.eu"
PAPERLESS_ALLOWED_HOSTS = "192.168.1.42,192.168.1.40"
PAPERLESS_ENABLE_HTTP_REMOTE_USER = "true"
PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_REMOTE_USER"
PAPERLESS_LOGOUT_REDIRECT_URL= "https://auth.ducamps.eu/logout"
}
template {
@ -102,7 +99,7 @@ job "paperless-ng" {
resources {
memory = 950
memory_max = 1500
cpu = 2000
cpu = 100
}
}
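Review bot: Removing `"traefik.http.routers.${NOMAD_JOB_NAME}.middlewares=authelia",` from the router tags takes the Authelia forward-auth layer off paperless, so the UI on the `websecure` entrypoint with a public cert resolver is now guarded only by Paperless's own login; if that hostname is reachable from the internet this is a real reduction in protection (no second factor, no central lockout) and deserves a comment in the job or the commit message. Removing `PAPERLESS_ENABLE_HTTP_REMOTE_USER` and the header name together with the middleware is the right pairing, since trusting `HTTP_REMOTE_USER` without the proxy injecting it would let any client set it. The last hunk also lowers `cpu` from 2000 to 100; OCR is CPU-bound, and while this mostly changes the scheduling share, it becomes a hard cap if `cpu_hard_limit` is enabled for the driver.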


@ -23,7 +23,7 @@ job "torrent" {
}
}
task "bittorent" {
driver = "docker"
driver = "podman"
service {
name = "bittorent"
port = "http"
@ -43,11 +43,11 @@ job "torrent" {
"traefik.http.routers.${NOMAD_JOB_NAME}.middlewares=authelia-basic",
]
}
user = "root"
config {
ulimit {
nofile = "8192:8192"
}
image = "docker.service.consul:5000/crazymax/rtorrent-rutorrent:edge"
privileged = "true"
ports = [
"http",
"torrent",
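Review bot: The rendered page does not show which of `user = "root"` or `privileged = "true"` is the line added in the second hunk, but with the driver switched to podman the bittorent task ends up as a root, privileged container that exchanges data with arbitrary internet peers, which is the widest possible blast radius for that workload. The `ulimit { nofile = "8192:8192" }` block suggests the real need is file descriptors, which does not require `privileged`; if a specific capability is needed, `cap_add` is the narrower choice. If `privileged` is kept, it should be a bare `true` rather than the string `"true"`, and the justification belongs in a comment next to it.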


@ -1,64 +0,0 @@
job "rutorrentlocal" {
datacenters = ["homelab"]
priority = 80
type = "service"
meta {
forcedeploy = "0"
}
constraint {
attribute = "${node.unique.name}"
operator = "set_contains"
value = "oberon"
}
group "bittorent" {
network {
mode = "host"
port "http" {
to = 8080
}
port "torrent" {
static = 6881
}
port "ecoute" {
static = 50000
}
}
task "bittorent" {
driver = "podman"
service {
name = "bittorentlocal"
port = "http"
address_mode= "host"
tags = [
]
}
user = "root"
config {
image = "docker.service.consul:5000/crazymax/rtorrent-rutorrent:edge"
ports = [
"http",
"torrent",
"ecoute"
]
volumes = [
"/exports/nomad/rutorrent/data:/data",
"/exports/nomad/rutorrent/downloads:/downloads"
]
}
env {
PUID = 100001
PGID = 10
UMASK = 002
WEBUI_PORT = "8080"
}
resources {
memory = 650
}
}
}
}


@ -83,6 +83,7 @@ job "tt-rss" {
env = true
}
resources {
cpu = 50
memory = 150
}
}
@ -115,6 +116,7 @@ job "tt-rss" {
}
resources {
cpu = 50
memory = 150
}
}
@ -199,6 +201,7 @@ job "tt-rss" {
}
resources {
cpu = 50
memory = 50
}
}


@ -74,7 +74,6 @@ job "batch-seedboxsync" {
}
resources {
memory = 500
memory_max = 1000
}
}


@ -35,7 +35,7 @@ job "torrent_automation" {
}
config {
image = "alexfozor/flaresolverr:pr-1300-experimental"
image = "ghcr.io/flaresolverr/flaresolverr:latest"
ports = ["flaresolverr"]
}
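Review bot: Whichever of the two `image` lines is the new one, the task stays on a mutable reference: `ghcr.io/flaresolverr/flaresolverr:latest` moves with every upstream release and `alexfozor/flaresolverr:pr-1300-experimental` is a third-party PR build. Pin a released version tag or an `@sha256:<digest>` (placeholder, taken from the registry) so redeploys are reproducible and an upstream push cannot silently change what runs. This image is also pulled directly from ghcr.io rather than through the `docker.service.consul:5000` mirror used by the other jobs in this commit, so its pull path and any registry allow-list differ for this one task.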
env {


@ -122,11 +122,10 @@ identity_providers:
- 'https://www.ducamps.eu/tt-rss'
userinfo_signed_response_alg: none
authorization_policy: 'one_factor'
pre_configured_consent_duration: 3M
pre_configured_consent_duration: 15d
- client_id: 'mealie'
client_name: 'mealie'
client_secret: {{ with secret "secrets/data/authelia/mealie"}} {{ .Data.data.hash }} {{end}}
public: false
public: true
require_pkce: true
pkce_challenge_method: 'S256'
scopes:
@ -138,7 +137,7 @@ identity_providers:
- 'https://mealie.ducamps.eu/login'
userinfo_signed_response_alg: none
authorization_policy: 'one_factor'
pre_configured_consent_duration: 3M
token_endpoint_auth_method: 'none'
- client_id: 'immich'
client_name: 'immich'
client_secret: {{ with secret "secrets/data/authelia/immich"}} {{ .Data.data.hash }} {{end}}
@ -153,7 +152,6 @@ identity_providers:
- 'profile'
- 'email'
userinfo_signed_response_alg: 'none'
pre_configured_consent_duration: 3M
- client_id: 'grafana'
client_name: 'Grafana'
client_secret:{{ with secret "secrets/data/authelia/grafana"}} {{ .Data.data.hash }} {{end}}
@ -170,7 +168,6 @@ identity_providers:
- 'email'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
pre_configured_consent_duration: 3M
- client_id: 'vikunja'
client_name: 'vikunja'
client_secret:{{ with secret "secrets/data/authelia/vikunja"}} {{ .Data.data.hash }} {{end}}
@ -183,22 +180,7 @@ identity_providers:
- 'profile'
- 'email'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
pre_configured_consent_duration: 3M
- client_id: 'gitea'
client_name: 'gitea'
client_secret:{{ with secret "secrets/data/authelia/gitea"}} {{ .Data.data.hash }} {{end}}
public: false
authorization_policy: 'one_factor'
redirect_uris:
- 'https://git.ducamps.eu/user/oauth2/authelia/callback'
scopes:
- 'openid'
- 'profile'
- 'email'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
pre_configured_consent_duration: 3M
log:
level: 'trace'
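Review bot: The mealie client is switched to `public: true` with `token_endpoint_auth_method: 'none'` while the context line `client_secret: {{ with secret "secrets/data/authelia/mealie"}} {{ .Data.data.hash }} {{end}}` remains; Authelia's configuration validation, at least in recent releases, rejects a client secret on a public client, so the rendered config may fail to load — either remove the mealie `client_secret` line or keep the client confidential. Going public also means the token endpoint no longer authenticates the client, so `require_pkce: true` with `pkce_challenge_method: 'S256'` is what stands in for the secret and must not be dropped later. Unrelated to the change but visible as context, `level: 'trace'` on an identity provider writes request-level detail to the logs and is not a production setting.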


@ -45,6 +45,7 @@ job "dashboard" {
}
resources {
cpu = 50
memory = 20
}
}
@ -144,6 +145,7 @@ services:
}
resources {
cpu = 50
memory = 30
}
}


@ -81,11 +81,7 @@ job "git" {
GITEA__database__HOST = "active.db.service.consul"
GITEA__database__NAME = "gitea"
GITEA__database__USER = "gitea"
GITEA__service__DISABLE_REGISTRATION = "false"
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true"
GITEA__service__SHOW_REGISTRATION_BUTTON = "false"
GITEA__openid__ENABLE_OPENID_SIGNIN = "false"
GITEA__openid__ENABLE_OPENID_SIGNUP = "true"
GITEA__service__DISABLE_REGISTRATION = "true"
GITEA__repository__ROOT = "/data/gitea-repositories"
GITEA__server__APP_DATA_PATH = "/data"
GITEA__server__LFS_CONTENT_PATH = "/data/lfs"
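Review bot: Replacing the five registration and OpenID settings with only `GITEA__service__DISABLE_REGISTRATION = "true"` also drops the explicit `GITEA__openid__ENABLE_OPENID_SIGNIN = "false"`; per Gitea's documented default that option is `true`, so the OpenID 2.0 sign-in form reappears on the login page unless it is disabled elsewhere in app.ini. With the Authelia OIDC client for gitea removed in the same commit, local-password login becomes the only intended path, so keeping `GITEA__openid__ENABLE_OPENID_SIGNIN = "false"` (and setting `GITEA__openid__ENABLE_OPENID_SIGNUP = "false"`) makes the closed-registration intent hold across both mechanisms.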


@ -1 +0,0 @@
../makefile


@ -29,7 +29,6 @@ job "vector" {
}
# resource limits are a good idea because you don't want your log collection to consume all resources available
resources {
cpu = 500 # 500 MHz
memory = 256 # 256MB
}
# template with Vector's configuration


@ -1 +0,0 @@
../makefile


@ -12,34 +12,37 @@ job "pdns-auth" {
}
constraint {
attribute = "${node.class}"
operator = "set_contains"
value = "cluster"
}
vault {
policies = ["pdns"]
operator = "set_contains"
value = "cluster"
}
group "pdns-auth" {
network {
port "dns" {
static = 5300
static=5300
}
port "http" {
static = 8081
}
port "pdnsadmin"{
to = 80
}
}
task "pdns-auth" {
vault {
policies = ["pdns"]
}
task "pdns-auth" {
driver = "docker"
service {
driver = "docker"
service {
name = "pdns-auth"
port = "dns"
}
config {
image = "docker.service.consul:5000/powerdns/pdns-auth-master:latest"
image = "docker.service.consul:5000/powerdns/pdns-auth-master:latest"
network_mode = "host"
privileged = true
cap_add = ["net_bind_service"]
privileged=true
cap_add= ["net_bind_service"]
volumes = [
"/mnt/diskstation/nomad/pdns-auth/var:/var/lib/powerdns/",
"local/dnsupdate.conf:/etc/powerdns/pdns.d/dnsupdate.conf",
@ -54,20 +57,20 @@ job "pdns-auth" {
PDNS_AUTH_API_KEY="{{.Data.data.API_KEY}}"
{{ end }}
EOH
env = true
env = true
}
template {
template{
destination = "local/dnsupdate.conf"
data = <<EOH
data = <<EOH
dnsupdate=yes
allow-dnsupdate-from=192.168.1.43/24
local-address=192.168.1.5
local-port=53
EOH
}
template {
template{
destination = "local/pdns.conf"
data = <<EOH
data = <<EOH
launch=gpgsql
gpgsql-host=active.db.service.consul
gpgsql-port=5432
@ -81,20 +84,61 @@ include-dir=/etc/powerdns/pdns.d
EOH
}
resources {
cpu = 50
memory = 100
}
}
task "pnds-admin" {
service {
name = "pdns-admin"
tags = [
"homer.enable=true",
"homer.name=PDNS-ADMIN",
"homer.service=Application",
"homer.logo=http://${NOMAD_ADDR_pdnsadmin}/static/img/favicon.png",
"homer.target=_blank",
"homer.url=http://${NOMAD_ADDR_pdnsadmin}",
task "pdns-recursor" {
driver = "docker"
config {
image = "docker.service.consul:5000/powerdns/pdns-recursor-master:latest"
network_mode = "host"
volumes = [
"local/recursor.conf:/etc/powerdns/recursor.conf",
]
]
port = "pdnsadmin"
}
driver = "docker"
config {
image = "docker.service.consul:5000/powerdnsadmin/pda-legacy:latest"
ports= ["pdnsadmin"]
volumes = [
"/mnt/diskstation/nomad/pdns-admin/:/data/node_module/",
]
}
template{
destination = "secrets/pdns-admin.env"
env = true
data = <<EOH
{{ with secret "secrets/data/nomad/pdns"}}
SECRET_KEY="{{ .Data.data.SECRET_KEY }}"
GUNICORN_WORKERS=2
{{ end }}
{{ with secret "secrets/data/database/pdns"}}
SQLALCHEMY_DATABASE_URI=postgresql://pdns-admin:{{ .Data.data.pdnsadmin }}@active.db.service.consul/pdns-admin
{{end}}
EOH
}
resources {
cpu = 50
memory = 200
}
}
task "pdns-recursor" {
driver = "docker"
config {
image = "docker.service.consul:5000/powerdns/pdns-recursor-master:latest"
network_mode = "host"
volumes = [
"local/recursor.conf:/etc/powerdns/recursor.conf",
]
}
template{
destination = "local/recursor.conf"
data= <<EOH
@ -103,29 +147,29 @@ dnssec=off
forward-zones=consul=127.0.0.1:8600,ducamps.eu=192.168.1.5,1.168.192.in-addr.arpa=192.168.1.5
local-address=192.168.1.6
EOH
}
resources {
cpu = 50
memory = 50
}
}
task "keepalived" {
driver = "docker"
resources {
cpu = 50
memory = 50
}
}
task "keepalived" {
driver = "docker"
lifecycle {
hook = "prestart"
sidecar = true
}
env {
KEEPALIVED_ROUTER_ID = "52"
KEEPALIVED_STATE = "MASTER"
KEEPALIVED_VIRTUAL_IPS = "#PYTHON2BASH:['192.168.1.5','192.168.1.6']"
KEEPALIVED_ROUTER_ID = "52"
KEEPALIVED_STATE = "MASTER"
KEEPALIVED_VIRTUAL_IPS = "#PYTHON2BASH:['192.168.1.5','192.168.1.6']"
}
template {
template{
destination = "local/env.yaml"
change_mode = "restart"
env = true
data = <<EOH
env= true
data = <<EOH
KEEPALIVED_INTERFACE= {{ sockaddr "GetPrivateInterfaces | include \"network\" \"192.168.1.0/24\" | attr \"name\"" }}
EOH
}
@ -144,53 +188,4 @@ local-address=192.168.1.6
}
}
}
group "pdns-admin" {
network {
port "pdnsadmin" {
to = 80
}
}
task "pnds-admin" {
service {
name = "pdns-admin"
tags = [
"homer.enable=true",
"homer.name=PDNS-ADMIN",
"homer.service=Application",
"homer.logo=http://${NOMAD_ADDR_pdnsadmin}/static/img/favicon.png",
"homer.target=_blank",
"homer.url=http://${NOMAD_ADDR_pdnsadmin}",
]
port = "pdnsadmin"
}
driver = "docker"
config {
image = "docker.service.consul:5000/powerdnsadmin/pda-legacy:latest"
ports = ["pdnsadmin"]
volumes = [
"/mnt/diskstation/nomad/pdns-admin/:/data/node_module/",
]
}
template {
destination = "secrets/pdns-admin.env"
env = true
data = <<EOH
{{ with secret "secrets/data/nomad/pdns"}}
SECRET_KEY="{{ .Data.data.SECRET_KEY }}"
GUNICORN_WORKERS=2
{{ end }}
{{ with secret "secrets/data/database/pdns"}}
SQLALCHEMY_DATABASE_URI=postgresql://pdns-admin:{{ .Data.data.pdnsadmin }}@active.db.service.consul/pdns-admin
{{end}}
EOH
}
resources {
cpu = 50
memory = 200
}
}
}
}
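Review bot: The `vault { policies = ["pdns"] }` stanza moves from job level into the `pdns-auth` group, and the rendered page has lost the indentation that says where; if it now sits on the `pdns-auth` task rather than the group, the relocated `pnds-admin` task, whose template reads `secrets/data/nomad/pdns` and `secrets/data/database/pdns`, will have no Vault token and its template render will fail, so a group-level `vault` block (or one per task that needs secrets) is the safe placement. The pdns-auth task also carries both `privileged=true` and `cap_add= ["net_bind_service"]`; privileged already grants every capability, so if binding port 53 is the only requirement, `privileged` should go. The new side also appears to use `static=5300`, `template{` and `env= true` next to the spaced `key = value` form used elsewhere in the file; `nomad fmt` normalises this, and the `task "pnds-admin"` typo could be corrected while the block is being moved. The `job "pdns-auth"` block continues outside these hunks.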


@ -90,7 +90,6 @@ local-ttl=2
}
resources {
memory = 100
memory_max =200
}
}


@ -90,7 +90,7 @@ version: '0.1'
}
resources {
memory = 150
memory_max = 600
memory_max = 400
}
}
task "docker-ghcr" {
@ -133,7 +133,7 @@ version: '0.1'
}
resources {
memory = 150
memory_max = 600
memory_max = 400
}
}


@ -73,8 +73,7 @@ def main() -> None:
"authelia/immich",
"authelia/mealie",
"authelia/grafana",
"authelia/vikunja",
"authelia/gitea"
"authelia/vikunja"
]
token=os.getenv('VAULT_TOKEN',"")