Merge branch 'main' of ssh://gitea.service.nr5:2222/chaos/nomad-nummer5

.drone.yml

@@ -5,6 +5,10 @@ name: nomad-nummer5
 platform:
   os: linux
   arch: arm64
+
+
+environment:
+  TARGET_HOST: "test.chaos"
   
 steps:
 - name: test
@@ -12,3 +16,4 @@ steps:
   commands:
   - echo hello
   - echo world
+  - echo $TARGET_HOST

README.md

@@ -7,3 +7,15 @@
 
 NFS - https://github.com/thatsk/nfs-csi-nomad/tree/main
 Podman - https://github.com/hashicorp/nomad-driver-podman
+
+
+
+
+
+# Datacenter: ring86
+
+# auto.chaos
+podman run -d --replace -e 1883 -p 1883:1883 --mount=type=bind,source=/etc/mosquitto,destination=/mosquitto --tz=Europe/Berlin --name=mosquitto-mqtt cr.wks/mosquitto:latest
+podman run -d --replace -e 9234 -p 0.0.0.0:9234:9234 --tz=Europe/Berlin --name=mosquitto-exporter cr.wks/mosquitto-prometheus-exporter --endpoint "tcp://mqtt:1883"
+
+

_sys/etc_consul.d/acl.hcl

@@ -0,0 +1,5 @@
+acl = {
+  enabled = true
+  default_policy = "allow"
+  enable_token_persistence = true
+}

_sys/nfs-controller.hcl

@@ -30,8 +30,8 @@ job "plugin-nfs-controller" {
       }
 
       resources {
-        cpu    = 250
-        memory = 128
+        cpu    = 50
+        memory = 15
       }
     }
   }

_sys/nfs-nodes.hcl

@@ -34,8 +34,8 @@ job "plugin-nfs-nodes" {
       }
 
       resources {
-        cpu    = 250
-        memory = 128
+        cpu    = 50
+        memory = 10
       }
     }
   }

_sys/traefik.hcl

@@ -18,6 +18,7 @@ job "traefik" {
       port "api" {
         static = 81
       }
+      
     }
 
     service {

_sys/vault/role-ssh-signer.json

@@ -0,0 +1,13 @@
+#https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates
+{
+  "algorithm_signer": "rsa-sha2-256",
+  "allow_user_certificates": true,
+  "allowed_users": "*",
+  "allowed_extensions": "permit-pty,permit-port-forwarding",
+  "default_extensions": {
+    "permit-pty": ""
+  },
+  "key_type": "ca",
+  "default_user": "admini",
+  "ttl": "30m0s"
+}

_sys/vault/vault-service-policy.hcl

@@ -0,0 +1,13 @@
+https://developer.hashicorp.com/vault/tutorials/day-one-consul/deployment-guide
+#consul acl policy create -name vault-service -rules @vault-service-policy.hcl
+#consul acl token create \
+#    -description "Vault Service Token" \
+#   -policy-name vault-service
+
+
+service "vault" { policy = "write" }
+key_prefix "vault/" { policy = "write" }
+agent_prefix "" { policy = "read" }
+session_prefix "" { policy = "write" }
+
+

apps/apt-cacher-ng/live.hcl

@@ -40,6 +40,7 @@ job "apt-cacher-ng" {
       config {
         image = "cr.wks/apt-cacher-ng"
         ports = ["http"]
+        force_pull = true
       }
       
       volume_mount {

apps/dmarc/live.hcl

@@ -0,0 +1,64 @@
+job "dmarc" {
+  datacenters = [
+    "nummer5",
+  ]
+  type = "service"
+
+  group "apps" {
+    count = 1
+
+    network {
+      mode = "host"
+      port "http" {
+        to = 80
+      }
+    }
+    service {
+        name = "dmarc"
+        port = "http"
+
+        tags = [
+          "traefik.enable=true",
+          "traefik.http.routers.dmarc.rule=Host(`dmarc.service.nr5`)",
+        ]
+        
+    }
+
+    restart {
+      attempts = 5
+      delay    = "30s"
+    }
+
+    task "dmarc" {
+      driver = "podman"
+      
+      config {
+        image = "cr.wks/dmarc-report:latest"
+        ports = ["http"]
+      }
+
+      env {
+        TZ                              = "Europe/Berlin"
+        REPORT_DB_TYPE                  = "pgsql"
+        REPORT_DB_HOST                  = "postgres.service.nr5"
+        REPORT_DB_PORT                  = "5432"
+        REPORT_DB_NAME                  = "dmarc-srg"
+        REPORT_DB_USER                  = "dmarc"
+        REPORT_DB_PASS                  = "4XSS4gKpheSBoMsIs"
+        PARSER_IMAP_PORT                = "143"
+        PARSER_IMAP_SERVER              = "116.202.109.243" #"imap.maketank.net"
+        PARSER_IMAP_USER                = "dmarc-inbox@maketank.net"
+        PARSER_IMAP_PASS                = "j2Kwd6mVPZw2yMLw2gIKwn"
+        PARSER_IMAP_READ_FOLDER         = "Inbox"
+        PARSER_IMAP_MOVE_FOLDER         = "Processed"
+        PARSER_IMAP_MOVE_FOLDER_ERR     = "Error"
+      }
+
+      resources {
+        cpu    = 100
+        memory = 128
+      }
+
+    }
+  }
+}

apps/docker-registry/live-ui.hcl

@@ -39,8 +39,8 @@ job "docker-registry-ui" {
       env {
         DELETE_IMAGES = "true"
         REGISTRY_TITLE = "Nummer5 Reg"
-        NGINX_PROXY_PASS_URL_DISABLED = "http://cr.wks"
-        REGISTRY_URL = "http://cr.wks:5000"
+        NGINX_PROXY_PASS_URL = "http://cr.wks"
+        XX_REGISTRY_URL = "http://cr.wks:5000"
         URL = "http://cr-ui.service.nr5"
         SINGLE_REGISTRY = "true"
         SHOW_CONTENT_DIGEST = "true"

apps/drone/live-runner-podman-nomad.hcl

@@ -0,0 +1,72 @@
+job "drone-runner" {
+    datacenters = [
+	"nummer5",
+    ]
+	type = "service"
+
+	group "apps" {
+	    count = 1
+
+		network {
+		    mode = "host"
+			port "http" {
+			    to = 3000
+			}
+
+		}
+
+	    service {
+		name = "drone-runner"
+		    port = "http"
+	    }
+
+	    volume "drone-runner" {
+		type      = "csi"
+		    source    = "drone-runner"
+		    read_only = false
+		    access_mode = "single-node-writer"
+		    attachment_mode = "file-system"
+	    }
+
+	    restart {
+		attempts = 5
+		    delay    = "30s"
+	    }
+
+	    task "drone-runner" {
+		driver = "podman"
+		    env {
+# Connection parameters
+			DRONE_RPC_PROTO="http"
+			    DRONE_RPC_HOST="drone.service.nr5"
+			    DRONE_RPC_SECRET="7eb685ed81d0c34bafc5efa7783c20b2"
+# Nomad config
+			    DRONE_JOB_DATACENTER="nummer5"
+			    NOMAD_ADDR="http://nomad.service.nr5"
+# Runner agent settings
+			    DRONE_RUNNER_CAPACITY="1"
+			    DRONE_RUNNER_MAX_PROCS="3"
+			    DRONE_RUNNER_NAME="drone-podman-runner1"
+# Logging
+			    DRONE_DEBUG="true"
+			    DRONE_TRACE="true"
+			    DRONE_RPC_DUMP_HTTP="true"
+			    DRONE_RPC_DUMP_HTTP_BODY="true"
+			    DRONE_TASK_MEMORY="256"
+		    }
+		config {
+		    image = "cr.wks/drone-runner-nomad-podman:latest"
+			volumes = [
+			"/run/podman/podman.sock:/var/run/podman.sock",
+			"/etc/containers:/etc/containers"
+			]
+#network_mode = "slirp4netns"
+			ports = ["http"]
+		}
+		resources {
+		    cpu    = 480
+			memory = 200
+		}
+	}
+}
+}

apps/drone/live-runner-podman.hcl

@@ -0,0 +1,73 @@
+job "drone-runner" {
+  datacenters = [
+    "nummer5",
+  ]
+  type = "service"
+
+  group "apps" {
+    count = 1
+
+    network {
+      mode = "host"
+      port "http" {
+        to = 3000
+      }
+
+    }
+    
+    service {
+        name = "drone-runner"
+        port = "http"
+    }
+
+    volume "drone-runner" {
+      type      = "csi"
+      source    = "drone-runner"
+      read_only = false
+      access_mode = "single-node-writer"
+      attachment_mode = "file-system"
+    }
+
+    restart {
+      attempts = 5
+      delay    = "30s"
+    }
+
+    task "drone-runner" {
+      driver = "podman"
+      volume_mount {
+        volume      = "drone-runner"
+        destination = "/data"
+        read_only   = false
+      }
+
+      config {
+        image = "cr.wks/drone/drone-runner-podman:latest"
+        force_pull = true
+        ports = ["http"]
+        volumes = [
+          "/run/podman/podman.sock:/run/podman/podman.sock",
+          "/run/podman/podman.sock:/var/run/docker.sock",
+          "/etc/containers:/etc/containers"
+        ]
+ 
+      }
+
+      env {
+        TZ                        = "Europe/Berlin"
+        DRONE_RUNNER_NAME         = "drone-runner01"
+        DRONE_RPC_SECRET          = "7eb685ed81d0c34bafc5efa7783c20b2"
+        DRONE_RPC_HOST            = "drone.service.nr5"
+        DRONE_RPC_PROTO           = "http"
+        DRONE_LOGS_DEBUG          = true
+        DRONE_LOGS_TRACE          = true
+      }
+
+      resources {
+        cpu    = 500
+        memory = 128 
+      }
+
+    }
+  }
+}

apps/drone/live-runner.hcl

@@ -20,14 +20,6 @@ job "drone-runner" {
         port = "http"
     }
 
-    volume "drone-runner" {
-      type      = "csi"
-      source    = "drone-runner"
-      read_only = false
-      access_mode = "single-node-writer"
-      attachment_mode = "file-system"
-    }
-
     restart {
       attempts = 5
       delay    = "30s"
@@ -35,14 +27,10 @@ job "drone-runner" {
 
     task "drone-runner" {
       driver = "podman"
-      volume_mount {
-        volume      = "drone-runner"
-        destination = "/drone"
-        read_only   = false
-      }
 
       config {
         image = "docker.io/drone/drone-runner-docker:latest"
+        force_pull = true
         ports = ["http"]
         privileged = true
         volumes = [
@@ -58,13 +46,15 @@ job "drone-runner" {
         DRONE_RPC_SECRET          = "7eb685ed81d0c34bafc5efa7783c20b2"
         DRONE_RPC_HOST            = "drone.service.nr5"
         DRONE_RPC_PROTO           = "http"
+        DRONE_RUNNER_CAPACITY     = 1
         DRONE_LOGS_DEBUG          = true
         DRONE_LOGS_TRACE          = true
+        DOCKER_BUILDKIT           = 1
       }
 
       resources {
-        cpu    = 500
-        memory = 128 
+        cpu    = 300
+        memory = 1500 
       }
 
     }

apps/drone/live.hcl

@@ -23,6 +23,13 @@ job "drone" {
           "traefik.enable=true",
           "traefik.http.routers.drone.rule=Host(`drone.service.nr5`)",
         ]
+        
+        check {
+         type     = "http"
+         path     = "/welcome"
+         interval = "120s"
+         timeout  = "5s"
+       }
     }
 
     volume "drone-data" {
@@ -60,8 +67,10 @@ job "drone" {
         DRONE_RPC_SECRET          = "7eb685ed81d0c34bafc5efa7783c20b2"
         DRONE_SERVER_HOST         = "drone.service.nr5"
         DRONE_SERVER_PROTO        = "http"
+        DRONE_JSONNET_ENABLED     = true
         DRONE_LOGS_DEBUG          = true 
         DRONE_LOGS_TRACE          = true
+        DRONE_USER_CREATE         = "username:do,admin:true"
       }
 
       resources {

apps/gitea/live.hcl

@@ -27,6 +27,13 @@ job "gitea" {
           "traefik.enable=true",
           "traefik.http.routers.gitea.rule=Host(`gitea.service.nr5`)",
         ]
+        
+        check {
+         type     = "http"
+         path     = "/user/login"
+         interval = "120s"
+         timeout  = "5s"
+       }
     }
 
     volume "gitea-data" {
@@ -44,6 +51,7 @@ job "gitea" {
 
     task "gitea" {
       driver = "podman"
+      
       volume_mount {
         volume      = "gitea-data"
         destination = "/data"
@@ -53,6 +61,7 @@ job "gitea" {
       config {
         image = "docker.io/gitea/gitea:latest"
         ports = ["ssh", "http"]
+        force_pull = true
       }
 
       env {
@@ -73,6 +82,7 @@ job "gitea" {
         GITEA__packages__ENABLED        = "true"
         GITEA__log__LEVEL               = "warn"
         GITEA__actions__ENABLED         = "true"
+        GITEA__webhook__ALLOWED_HOST_LIST = "private"
         
       }
 

apps/homer/live.hcl

@@ -0,0 +1,51 @@
+job "homer" {
+  datacenters = ["nummer5"]
+  
+  group "apps" {
+    count = 1
+
+    network {
+      port  "http"{
+        to = 8080
+      }
+    }
+
+    service {
+      name = "homer"
+      port = "http"
+
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.homer.rule=Host(`homer.service.nr5`)",
+      ]
+
+    }
+    
+    volume "homer-assets" {
+        type = "csi"
+        read_only = false
+        source = "homer-assets"
+        access_mode = "single-node-writer"
+        attachment_mode = "file-system"
+    }  
+      
+    task "homer" {
+      driver = "podman"
+
+      config {
+        image = "b4bz/homer:latest"
+        ports = ["http"]
+      }
+      
+      volume_mount {
+        volume = "homer-assets"
+        destination = "/www/assets"
+      }
+      
+       resources {
+         cpu    = 10
+         memory = 32
+       }
+    }
+  }
+}

apps/homer/volume.hcl

@@ -0,0 +1,20 @@
+type = "csi"
+id = "homer-assets"
+name = "homer-assets"
+plugin_id = "nfs"
+
+capability {
+    access_mode = "single-node-writer"
+    attachment_mode = "file-system"
+}
+
+context {
+  server = "ebin01.wks"
+  share = "/data/raid1-ssd/app-data/homer-assets"
+  mountPermissions = "0"  
+}
+
+mount_options {
+  fs_type = "nfs"
+  mount_flags = [ "timeo=30", "vers=3", "_netdev" , "nolock" ]
+}

apps/mosquitto-prometheus-exporter/live.hcl

@@ -0,0 +1,42 @@
+job "mosquitto-prometheus-exporter" {
+  datacenters = ["nummer5"]
+  
+  group "apps" {
+    count = 1
+
+    network {
+      port  "http"{
+        to = 9234
+      }
+    }
+
+    service {
+      name = "mosquitto-prometheus-exporter"
+      port = "http"
+
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.mosquitto-pormetheus-exporter.rule=Host(`mosquitto-prometheus-exporter.service.nr5`)",
+      ]
+
+    }
+    
+    task "server" {
+      driver = "podman"
+
+      config {
+        image = "cr.wks/mosquitto-prometheus-exporter"
+        ports = ["http"]
+        force_pull = true
+        
+        args = [
+            "--endpoint", "tcp://mqtt.wks:1883"
+        ]
+      }
+      resources {
+        cpu    = 50
+        memory = 10
+      }
+    }
+  }
+}

apps/netbox/live.hcl

@@ -0,0 +1,72 @@
+job "netbox" {
+  datacenters = [
+    "nummer5",
+  ]
+  type = "service"
+
+  group "apps" {
+    count = 1
+
+    network {
+      port "http" {
+        to = 8000
+      }
+    }
+    
+    service {
+        name = "netbox"
+        port = "http"
+
+        tags = [
+          "traefik.enable=true",
+          "traefik.http.routers.netbox.rule=Host(`netbox.service.nr5`)",
+        ]
+    }
+
+    volume "netbox" {
+      type      = "csi"
+      source    = "netbox"
+      read_only = false
+      access_mode = "single-node-writer"
+      attachment_mode = "file-system"
+    }
+
+    restart {
+      attempts = 5
+      delay    = "60s"
+    }
+
+    task "netbox" {
+      driver = "podman"
+      volume_mount {
+        volume      = "netbox"
+        destination = "/config"
+        read_only   = false
+      }
+
+      config {
+        image = "docker.io/netboxcommunity/netbox"
+        ports = ["http"]
+      }
+      env {
+          TZ="Europe/Berlin"
+          SUPERUSER_EMAIL="udo@maketank.net"
+          SUPERUSER_PASSWORD="superu"
+          ALLOWED_HOST="netbox.service.nr5"
+          DB_WAIT_DEBUG=1
+          DB_NAME="netbox"
+          DB_USER="netbox"
+          DB_PASSWORD="IK$Wb5TGhphNo:-WktT"
+          DB_HOST="postgres.service.nr5"
+          DB_PORT="5472"
+          REDIS_HOST="redis.service.nr5"
+          REDIS_PORT="6379"
+      }
+      resources {
+        cpu    = 400
+        memory = 128
+      }
+
+    }
+  }
+}

apps/netbox/volume.hcl

@@ -0,0 +1,20 @@
+type = "csi"
+id = "netbox"
+name = "netbox"
+plugin_id = "nfs"
+
+capability {
+    access_mode = "single-node-writer"
+    attachment_mode = "file-system"
+}
+
+context {
+  server = "ebin02.wks"
+  share = "/data/raid1-ssd/app-data/netbox"
+  mountPermissions = "0"  
+}
+
+mount_options {
+  fs_type = "nfs"
+  mount_flags = [ "timeo=30", "vers=3", "_netdev" , "nolock" ]
+}

apps/postgresql/live.hcl

@@ -1,8 +1,3 @@
-#To Configure vault
-# vault secrets enable database
-# vault write database/config/postgresql  plugin_name=postgresql-database-plugin   connection_url="postgresql://{{username}}:{{password}}@postgres.service.consul:5432/postgres?sslmode=disable"   allowed_roles="*"     username="root"     password="rootpassword"
-# vault write database/roles/readonly db_name=postgresql     creation_statements=@readonly.sql     default_ttl=1h max_ttl=24h
-
 job "postgres" {
   datacenters = ["nummer5"]
   type = "service"
@@ -16,14 +11,26 @@ job "postgres" {
         access_mode = "single-node-writer"
         attachment_mode = "file-system"
     }
+    
+    network {
+        mode = "host"
+        port "postgres"{
+          static = 5432
+        }
+    }
+    service {
+        name = "postgres"
+        port = "postgres"
+        #tags = [
+        #    "traefik.enable=true",
+        #    "traefik.tcp.routers.postgres.rule=Host(`postgres.service.nr5`)",
+        #]
+    }
     task "postgres" {
       driver = "podman"
       config {
         image = "docker.io/postgres:13"
-        network_mode = "host"
-        port_map {
-          db = 5432
-        }
+        ports = ["postgres"]
       }
       volume_mount {
         volume = "postgres-data"
@@ -41,25 +48,10 @@ job "postgres" {
       
       resources {
         cpu = 1000
-        memory = 1024
-        network {
-          port  "db"  {
-            static = 5432
-          }
-        }
-      }
-      service {
-        name = "postgres"
-        tags = ["postgres for vault"]
-        port = "db"
+        memory = 512
 
-        check {
-          name     = "alive"
-          type     = "tcp"
-          interval = "60s"
-          timeout  = "2s"
-        }
       }
+    
     }
     restart {
       attempts = 10

apps/redis/live.hcl

@@ -0,0 +1,54 @@
+
+job "redis" {
+  datacenters = ["nummer5"]
+
+  group "cache" {
+
+    count = 1
+
+    volume "volume0" {
+      type            = "csi"
+      source          = "redis"
+      read_only       = false
+      attachment_mode = "file-system"
+      access_mode     = "single-node-writer"
+    }
+
+    network {
+      port "redis" {
+        static = 6379
+      }
+    }
+    service {
+        name = "redis"
+        port = "redis"
+        tags = [
+           "traefik.enable=true",
+           "traefik.tcp.routers.redis.rule=HostSNI(`redis.service.nr5`)",
+           # "traefik.tcp.routers.redis.entryPoints=redis",
+           # "traefik.tcp.routers.redis.service=redis",
+            # services (needed for TCP)
+           "traefik.tcp.services.redis.loadbalancer.server.port=6379",
+        ]
+    }
+
+    task "redis" {
+      driver = "podman"
+
+      config {
+        image = "redis"
+        ports = ["redis"]
+      }
+
+      volume_mount {
+        volume      = "volume0"
+        destination = "/data"
+      }
+
+      resources {
+        cpu    = 500
+        memory = 256
+      }
+    }
+  }
+}

apps/redis/volume.hcl

@@ -0,0 +1,21 @@
+type = "csi"
+id = "redis"
+name = "redis"
+plugin_id = "nfs"
+external_id = "redis"
+
+capability {
+    access_mode = "single-node-writer"
+    attachment_mode = "file-system"
+}
+
+context {
+  server = "ebin02.wks"
+  share = "/data/raid1-ssd/app-data/redis-data"
+  mountPermissions = "0"  
+}
+
+mount_options {
+  fs_type = "nfs"
+  mount_flags = [ "timeo=30", "vers=3", "_netdev" , "nolock" ]
+}