diff --git a/.drone.yml b/.drone.yml
index 72582ac..75d49a3 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -5,6 +5,10 @@ name: nomad-nummer5 platform: os: linux arch: arm64 + + +environment: + TARGET_HOST: "test.chaos" steps: - name: test
@@ -12,3 +16,4 @@ steps: commands: - echo hello - echo world + - echo $TARGET_HOST
diff --git a/README.md b/README.md
index 9cd1546..3a165c2 100644
--- a/README.md
+++ b/README.md
@@ -7,3 +7,15 @@ NFS - https://github.com/thatsk/nfs-csi-nomad/tree/main Podman - https://github.com/hashicorp/nomad-driver-podman
+
+
+
+
+
+# Datacenter: ring86
+
+# auto.chaos
+podman run -d --replace -e 1883 -p 1883:1883 --mount=type=bind,source=/etc/mosquitto,destination=/mosquitto --tz=Europe/Berlin --name=mosquitto-mqtt cr.wks/mosquitto:latest
+podman run -d --replace -e 9234 -p 0.0.0.0:9234:9234 --tz=Europe/Berlin --name=mosquitto-exporter cr.wks/mosquitto-prometheus-exporter --endpoint "tcp://mqtt:1883"
+
+
diff --git a/_sys/etc_consul.d/acl.hcl b/_sys/etc_consul.d/acl.hcl
new file mode 100644
index 0000000..2b4bf85
--- /dev/null
+++ b/_sys/etc_consul.d/acl.hcl
@@ -0,0 +1,5 @@
+acl = {
+ enabled = true
+ default_policy = "allow"
+ enable_token_persistence = true
+}
\ No newline at end of file
diff --git a/_sys/nfs-controller.hcl b/_sys/nfs-controller.hcl
index df19ecb..a5fe5a2 100644
--- a/_sys/nfs-controller.hcl
+++ b/_sys/nfs-controller.hcl
@@ -30,8 +30,8 @@ job "plugin-nfs-controller" { } resources { - cpu = 250 - memory = 128 + cpu = 50 + memory = 15 } } }
diff --git a/_sys/nfs-nodes.hcl b/_sys/nfs-nodes.hcl
index 0723589..9316be5 100644
--- a/_sys/nfs-nodes.hcl
+++ b/_sys/nfs-nodes.hcl
@@ -34,8 +34,8 @@ job "plugin-nfs-nodes" { } resources { - cpu = 250 - memory = 128 + cpu = 50 + memory = 10 } } }
diff --git a/_sys/traefik.hcl b/_sys/traefik.hcl
index 0c1e330..4c6b99a 100644
--- a/_sys/traefik.hcl
+++ b/_sys/traefik.hcl
@@ -18,6 +18,7 @@ job "traefik" { port "api" { static = 81 } + } service {
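Review bot: `default_policy = "allow"` in the new acl.hcl turns the ACL system on without enforcing it — requests carrying no token, or an unknown token, are still permitted, so this file does not actually restrict the Consul catalog or KV. The vault-service-policy.hcl added in this same commit grants `write` on `key_prefix "vault/"`, which only has a visible effect once the default is `deny`; after bootstrapping and issuing agent and service tokens, switch to `default_policy = "deny"` and note the bootstrap order in a comment above the block. The file also lacks a trailing newline.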
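Review bot: `memory = 15` (nfs-controller) and `memory = 10` (nfs-nodes) leave almost no headroom for the CSI plugin tasks; if the podman driver applies this as a hard limit, an OOM-kill of the node plugin takes every NFS-backed volume on that client with it, and homer, netbox, redis and drone in this same commit all depend on plugin `nfs`. I would keep the previous values until observed peak usage is known, and record the basis for whatever number is chosen, e.g. `# sized from observed peak; a plugin restart detaches all CSI volumes on the node`.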
diff --git a/_sys/vault/role-ssh-signer.json b/_sys/vault/role-ssh-signer.json
new file mode 100644
index 0000000..65c6f2e
--- /dev/null
+++ b/_sys/vault/role-ssh-signer.json
@@ -0,0 +1,13 @@
+#https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates
+{
+ "algorithm_signer": "rsa-sha2-256",
+ "allow_user_certificates": true,
+ "allowed_users": "*",
+ "allowed_extensions": "permit-pty,permit-port-forwarding",
+ "default_extensions": {
+ "permit-pty": ""
+ },
+ "key_type": "ca",
+ "default_user": "admini",
+ "ttl": "30m0s"
+}
diff --git a/_sys/vault/vault-service-policy.hcl b/_sys/vault/vault-service-policy.hcl
new file mode 100644
index 0000000..302fe60
--- /dev/null
+++ b/_sys/vault/vault-service-policy.hcl
@@ -0,0 +1,13 @@
+https://developer.hashicorp.com/vault/tutorials/day-one-consul/deployment-guide
+#consul acl policy create -name vault-service -rules @vault-service-policy.hcl
+#consul acl token create \
+# -description "Vault Service Token" \
+# -policy-name vault-service
+
+
+service "vault" { policy = "write" }
+key_prefix "vault/" { policy = "write" }
+agent_prefix "" { policy = "read" }
+session_prefix "" { policy = "write" }
+
+
diff --git a/apps/apt-cacher-ng/live.hcl b/apps/apt-cacher-ng/live.hcl
index 28e2fc1..43e12a2 100644
--- a/apps/apt-cacher-ng/live.hcl
+++ b/apps/apt-cacher-ng/live.hcl
@@ -40,6 +40,7 @@ job "apt-cacher-ng" { config { image = "cr.wks/apt-cacher-ng" ports = ["http"] + force_pull = true } volume_mount {
diff --git a/apps/dmarc/live.hcl b/apps/dmarc/live.hcl
new file mode 100644
index 0000000..fed3ef7
--- /dev/null
+++ b/apps/dmarc/live.hcl
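Review bot: The first line `#https://developer.hashicorp.com/...` makes this file invalid JSON, so `vault write ssh/roles/<role> @role-ssh-signer.json` (or any JSON loader) will reject it; move the reference URL into the README or a sibling comment file. Separately, `"allowed_users": "*"` combined with `"allow_user_certificates": true` lets any token that can reach this role obtain a certificate for any principal on the target hosts, root included; listing the accounts actually needed (and keeping `"default_user": "admini"` inside that list) bounds what a leaked Vault token can do. The 30m TTL and the limited `allowed_extensions` are sensible as written.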
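Review bot: Line 1 of vault-service-policy.hcl is a bare URL without `#`, so `consul acl policy create -name vault-service -rules @vault-service-policy.hcl` — the command quoted in the file's own comment — will fail to parse the rules; change it to `#https://developer.hashicorp.com/vault/tutorials/day-one-consul/deployment-guide`. The rule set itself matches the referenced deployment guide.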
@@ -0,0 +1,64 @@
+job "dmarc" {
+ datacenters = [
+ "nummer5",
+ ]
+ type = "service"
+
+ group "apps" {
+ count = 1
+
+ network {
+ mode = "host"
+ port "http" {
+ to = 80
+ }
+ }
+ service {
+ name = "dmarc"
+ port = "http"
+
+ tags = [
+ "traefik.enable=true",
+ "traefik.http.routers.dmarc.rule=Host(`dmarc.service.nr5`)",
+ ]
+
+ }
+
+ restart {
+ attempts = 5
+ delay = "30s"
+ }
+
+ task "dmarc" {
+ driver = "podman"
+
+ config {
+ image = "cr.wks/dmarc-report:latest"
+ ports = ["http"]
+ }
+
+ env {
+ TZ = "Europe/Berlin"
+ REPORT_DB_TYPE = "pgsql"
+ REPORT_DB_HOST = "postgres.service.nr5"
+ REPORT_DB_PORT = "5432"
+ REPORT_DB_NAME = "dmarc-srg"
+ REPORT_DB_USER = "dmarc"
+ REPORT_DB_PASS = "4XSS4gKpheSBoMsIs"
+ PARSER_IMAP_PORT = "143"
+ PARSER_IMAP_SERVER = "116.202.109.243" #"imap.maketank.net"
+ PARSER_IMAP_USER = "dmarc-inbox@maketank.net"
+ PARSER_IMAP_PASS = "j2Kwd6mVPZw2yMLw2gIKwn"
+ PARSER_IMAP_READ_FOLDER = "Inbox"
+ PARSER_IMAP_MOVE_FOLDER = "Processed"
+ PARSER_IMAP_MOVE_FOLDER_ERR = "Error"
+ }
+
+ resources {
+ cpu = 100
+ memory = 128
+ }
+
+ }
+ }
+}
\ No newline at end of file
diff --git a/apps/docker-registry/live-ui.hcl b/apps/docker-registry/live-ui.hcl
index 4354496..98d0719 100644
--- a/apps/docker-registry/live-ui.hcl
+++ b/apps/docker-registry/live-ui.hcl
@@ -39,8 +39,8 @@ job "docker-registry-ui" { env { DELETE_IMAGES = "true" REGISTRY_TITLE = "Nummer5 Reg" - NGINX_PROXY_PASS_URL_DISABLED = "http://cr.wks" - REGISTRY_URL = "http://cr.wks:5000" + NGINX_PROXY_PASS_URL = "http://cr.wks" + XX_REGISTRY_URL = "http://cr.wks:5000" URL = "http://cr-ui.service.nr5" SINGLE_REGISTRY = "true" SHOW_CONTENT_DIGEST = "true"
diff --git a/apps/drone/live-runner-podman-nomad.hcl b/apps/drone/live-runner-podman-nomad.hcl
new file mode 100644
index 0000000..5601a10
--- /dev/null
+++ b/apps/drone/live-runner-podman-nomad.hcl
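Review bot: The `env` block commits live database and mailbox credentials (`REPORT_DB_PASS`, `PARSER_IMAP_PASS`) to the repository in clear text, and the drone and netbox jobs in this commit follow the same pattern. The repository already provisions Vault (`_sys/vault/`), so these values belong in a Nomad `template` block rendered from Vault or Nomad Variables with `env = true`, and the values now in git history should be treated as exposed and rotated. `PARSER_IMAP_PORT = "143"` against a bare IP address also means the mailbox password crosses the network unencrypted unless the parser negotiates STARTTLS — worth confirming, or moving to the TLS port; a comment such as `# IMAP over STARTTLS on 143 — verified <date>` would settle it for the next reader.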
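Review bot: Disabling a variable by renaming it (`XX_REGISTRY_URL`, previously `NGINX_PROXY_PASS_URL_DISABLED`) still injects the value into the container environment and leaves the next reader guessing which setting is live; HCL supports `#` comments, so `# REGISTRY_URL = "http://cr.wks:5000"  # superseded by NGINX_PROXY_PASS_URL` states the intent and ships nothing.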
@@ -0,0 +1,72 @@
+job "drone-runner" {
+ datacenters = [
+ "nummer5",
+ ]
+ type = "service"
+
+ group "apps" {
+ count = 1
+
+ network {
+ mode = "host"
+ port "http" {
+ to = 3000
+ }
+
+ }
+
+ service {
+ name = "drone-runner"
+ port = "http"
+ }
+
+ volume "drone-runner" {
+ type = "csi"
+ source = "drone-runner"
+ read_only = false
+ access_mode = "single-node-writer"
+ attachment_mode = "file-system"
+ }
+
+ restart {
+ attempts = 5
+ delay = "30s"
+ }
+
+ task "drone-runner" {
+ driver = "podman"
+ env {
+# Connection parameters
+ DRONE_RPC_PROTO="http"
+ DRONE_RPC_HOST="drone.service.nr5"
+ DRONE_RPC_SECRET="7eb685ed81d0c34bafc5efa7783c20b2"
+# Nomad config
+ DRONE_JOB_DATACENTER="nummer5"
+ NOMAD_ADDR="http://nomad.service.nr5"
+# Runner agent settings
+ DRONE_RUNNER_CAPACITY="1"
+ DRONE_RUNNER_MAX_PROCS="3"
+ DRONE_RUNNER_NAME="drone-podman-runner1"
+# Logging
+ DRONE_DEBUG="true"
+ DRONE_TRACE="true"
+ DRONE_RPC_DUMP_HTTP="true"
+ DRONE_RPC_DUMP_HTTP_BODY="true"
+ DRONE_TASK_MEMORY="256"
+ }
+ config {
+ image = "cr.wks/drone-runner-nomad-podman:latest"
+ volumes = [
+ "/run/podman/podman.sock:/var/run/podman.sock",
+ "/etc/containers:/etc/containers"
+ ]
+#network_mode = "slirp4netns"
+ ports = ["http"]
+ }
+ resources {
+ cpu = 480
+ memory = 200
+ }
+ }
+}
+}
\ No newline at end of file
diff --git a/apps/drone/live-runner-podman.hcl b/apps/drone/live-runner-podman.hcl
new file mode 100644
index 0000000..4b07917
--- /dev/null
+++ b/apps/drone/live-runner-podman.hcl
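Review bot: `DRONE_RPC_DUMP_HTTP_BODY="true"` together with `DRONE_DEBUG` and `DRONE_TRACE` writes the complete RPC exchange with the Drone server to the task's stdout/stderr, so the Nomad allocation logs will hold every job payload the server hands this runner, including the secrets those payloads carry; these are debugging switches and should be `"false"` in a live job, with `# enable only while debugging RPC; bodies contain pipeline secrets` above them. The `DRONE_RPC_SECRET` value is committed verbatim here and again in live-runner-podman.hcl, live-runner.hcl and live.hcl — one `template` block sourcing it from Vault would cover all four. `volume "drone-runner"` is declared but no `volume_mount` in the task uses it, so it only pins the allocation to a node with that CSI volume. `NOMAD_ADDR="http://nomad.service.nr5"` hands the runner the cluster API with no token, which presumably relies on Nomad ACLs being off — if so, that assumption deserves a comment.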
@@ -0,0 +1,73 @@
+job "drone-runner" {
+ datacenters = [
+ "nummer5",
+ ]
+ type = "service"
+
+ group "apps" {
+ count = 1
+
+ network {
+ mode = "host"
+ port "http" {
+ to = 3000
+ }
+
+ }
+
+ service {
+ name = "drone-runner"
+ port = "http"
+ }
+
+ volume "drone-runner" {
+ type = "csi"
+ source = "drone-runner"
+ read_only = false
+ access_mode = "single-node-writer"
+ attachment_mode = "file-system"
+ }
+
+ restart {
+ attempts = 5
+ delay = "30s"
+ }
+
+ task "drone-runner" {
+ driver = "podman"
+ volume_mount {
+ volume = "drone-runner"
+ destination = "/data"
+ read_only = false
+ }
+
+ config {
+ image = "cr.wks/drone/drone-runner-podman:latest"
+ force_pull = true
+ ports = ["http"]
+ volumes = [
+ "/run/podman/podman.sock:/run/podman/podman.sock",
+ "/run/podman/podman.sock:/var/run/docker.sock",
+ "/etc/containers:/etc/containers"
+ ]
+
+ }
+
+ env {
+ TZ = "Europe/Berlin"
+ DRONE_RUNNER_NAME = "drone-runner01"
+ DRONE_RPC_SECRET = "7eb685ed81d0c34bafc5efa7783c20b2"
+ DRONE_RPC_HOST = "drone.service.nr5"
+ DRONE_RPC_PROTO = "http"
+ DRONE_LOGS_DEBUG = true
+ DRONE_LOGS_TRACE = true
+ }
+
+ resources {
+ cpu = 500
+ memory = 128
+ }
+
+ }
+ }
+}
diff --git a/apps/drone/live-runner.hcl b/apps/drone/live-runner.hcl
index b05fcea..eaf1bb6 100644
--- a/apps/drone/live-runner.hcl
+++ b/apps/drone/live-runner.hcl
@@ -20,14 +20,6 @@ job "drone-runner" { port = "http" } - volume "drone-runner" { - type = "csi" - source = "drone-runner" - read_only = false - access_mode = "single-node-writer" - attachment_mode = "file-system" - } - restart { attempts = 5 delay = "30s"
@@ -35,14 +27,10 @@ job "drone-runner" { task "drone-runner" { driver = "podman" - volume_mount { - volume = "drone-runner" - destination = "/drone" - read_only = false - } config { image = "docker.io/drone/drone-runner-docker:latest" + force_pull = true ports = ["http"] privileged = true volumes = [
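Review bot: Mounting `/run/podman/podman.sock` into the runner (here twice, the second time as `/var/run/docker.sock`) gives every pipeline this runner executes control of the host's Podman, which for a rootful socket is equivalent to root on the Nomad client; because Drone runs steps defined in repositories, this should be confined to a dedicated client via a `constraint` block or a rootless socket, and the decision recorded in a comment above the `volumes` list. The same consideration applies to `privileged = true` in live-runner.hcl, unchanged context in the hunk that follows. `image = "cr.wks/drone/drone-runner-podman:latest"` with `force_pull = true` re-resolves a mutable tag at every start; a version tag or digest makes restarts reproducible and auditable.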
@@ -58,13 +46,15 @@ job "drone-runner" { DRONE_RPC_SECRET = "7eb685ed81d0c34bafc5efa7783c20b2" DRONE_RPC_HOST = "drone.service.nr5" DRONE_RPC_PROTO = "http" + DRONE_RUNNER_CAPACITY = 1 DRONE_LOGS_DEBUG = true DRONE_LOGS_TRACE = true + DOCKER_BUILDKIT = 1 } resources { - cpu = 500 - memory = 128 + cpu = 300 + memory = 1500 } }
diff --git a/apps/drone/live.hcl b/apps/drone/live.hcl
index 55585fb..42f2ac1 100644
--- a/apps/drone/live.hcl
+++ b/apps/drone/live.hcl
@@ -23,6 +23,13 @@ job "drone" { "traefik.enable=true", "traefik.http.routers.drone.rule=Host(`drone.service.nr5`)", ] + + check { + type = "http" + path = "/welcome" + interval = "120s" + timeout = "5s" + } } volume "drone-data" {
@@ -60,8 +67,10 @@ job "drone" { DRONE_RPC_SECRET = "7eb685ed81d0c34bafc5efa7783c20b2" DRONE_SERVER_HOST = "drone.service.nr5" DRONE_SERVER_PROTO = "http" + DRONE_JSONNET_ENABLED = true DRONE_LOGS_DEBUG = true DRONE_LOGS_TRACE = true + DRONE_USER_CREATE = "username:do,admin:true" } resources {
diff --git a/apps/gitea/live.hcl b/apps/gitea/live.hcl
index 5b24d0a..86c4cc4 100644
--- a/apps/gitea/live.hcl
+++ b/apps/gitea/live.hcl
@@ -27,6 +27,13 @@ job "gitea" { "traefik.enable=true", "traefik.http.routers.gitea.rule=Host(`gitea.service.nr5`)", ] + + check { + type = "http" + path = "/user/login" + interval = "120s" + timeout = "5s" + } } volume "gitea-data" {
@@ -44,6 +51,7 @@ job "gitea" { task "gitea" { driver = "podman" + volume_mount { volume = "gitea-data" destination = "/data"
@@ -53,6 +61,7 @@ job "gitea" { config { image = "docker.io/gitea/gitea:latest" ports = ["ssh", "http"] + force_pull = true } env {
@@ -73,6 +82,7 @@ job "gitea" { GITEA__packages__ENABLED = "true" GITEA__log__LEVEL = "warn" GITEA__actions__ENABLED = "true" + GITEA__webhook__ALLOWED_HOST_LIST = "private" }
diff --git a/apps/homer/live.hcl b/apps/homer/live.hcl
new file mode 100644
index 0000000..f0f59bd
--- /dev/null
+++ b/apps/homer/live.hcl
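Review bot: `DRONE_USER_CREATE = "username:do,admin:true"` in the drone live.hcl hunk re-asserts admin for that account on every restart from the job file itself; it is a one-time bootstrap setting and should either be removed after first start or carry `# bootstrap only: promotes user 'do' to admin on every start`. For the new `check`, Drone serves a `/healthz` endpoint that is cheaper than rendering `/welcome` and is not affected by login redirects — worth verifying against the server version in use; the gitea `check` with `path = "/user/login"` has the same question, as recent Gitea versions expose `/api/healthz` for this purpose. The `GITEA__webhook__ALLOWED_HOST_LIST = "private"` addition is a good hardening of outbound webhooks.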
@@ -0,0 +1,51 @@
+job "homer" {
+ datacenters = ["nummer5"]
+
+ group "apps" {
+ count = 1
+
+ network {
+ port "http"{
+ to = 8080
+ }
+ }
+
+ service {
+ name = "homer"
+ port = "http"
+
+ tags = [
+ "traefik.enable=true",
+ "traefik.http.routers.homer.rule=Host(`homer.service.nr5`)",
+ ]
+
+ }
+
+ volume "homer-assets" {
+ type = "csi"
+ read_only = false
+ source = "homer-assets"
+ access_mode = "single-node-writer"
+ attachment_mode = "file-system"
+ }
+
+ task "homer" {
+ driver = "podman"
+
+ config {
+ image = "b4bz/homer:latest"
+ ports = ["http"]
+ }
+
+ volume_mount {
+ volume = "homer-assets"
+ destination = "/www/assets"
+ }
+
+ resources {
+ cpu = 10
+ memory = 32
+ }
+ }
+ }
+}
diff --git a/apps/homer/volume.hcl b/apps/homer/volume.hcl
new file mode 100644
index 0000000..2cd7ba5
--- /dev/null
+++ b/apps/homer/volume.hcl
@@ -0,0 +1,20 @@
+type = "csi"
+id = "homer-assets"
+name = "homer-assets"
+plugin_id = "nfs"
+
+capability {
+ access_mode = "single-node-writer"
+ attachment_mode = "file-system"
+}
+
+context {
+ server = "ebin01.wks"
+ share = "/data/raid1-ssd/app-data/homer-assets"
+ mountPermissions = "0"
+}
+
+mount_options {
+ fs_type = "nfs"
+ mount_flags = [ "timeo=30", "vers=3", "_netdev" , "nolock" ]
+}
\ No newline at end of file
diff --git a/apps/mosquitto-prometheus-exporter/live.hcl b/apps/mosquitto-prometheus-exporter/live.hcl
new file mode 100644
index 0000000..e1eb208
--- /dev/null
+++ b/apps/mosquitto-prometheus-exporter/live.hcl
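Review bot: `image = "b4bz/homer:latest"` is a short name; with Podman the registry it resolves against comes from `unqualified-search-registries` in the client's `/etc/containers/registries.conf`, so the same job file can pull from a different registry on a differently configured node. Every other job in this commit uses a fully-qualified reference (`docker.io/...` or `cr.wks/...`); use `image = "docker.io/b4bz/homer:<version>"` with a version tag or digest rather than `latest`. `image = "redis"` in apps/redis/live.hcl has the same problem.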
@@ -0,0 +1,42 @@
+job "mosquitto-prometheus-exporter" {
+ datacenters = ["nummer5"]
+
+ group "apps" {
+ count = 1
+
+ network {
+ port "http"{
+ to = 9234
+ }
+ }
+
+ service {
+ name = "mosquitto-prometheus-exporter"
+ port = "http"
+
+ tags = [
+ "traefik.enable=true",
+ "traefik.http.routers.mosquitto-pormetheus-exporter.rule=Host(`mosquitto-prometheus-exporter.service.nr5`)",
+ ]
+
+ }
+
+ task "server" {
+ driver = "podman"
+
+ config {
+ image = "cr.wks/mosquitto-prometheus-exporter"
+ ports = ["http"]
+ force_pull = true
+
+ args = [
+ "--endpoint", "tcp://mqtt.wks:1883"
+ ]
+ }
+ resources {
+ cpu = 50
+ memory = 10
+ }
+ }
+ }
+}
diff --git a/apps/netbox/live.hcl b/apps/netbox/live.hcl
new file mode 100644
index 0000000..8b6f73d
--- /dev/null
+++ b/apps/netbox/live.hcl
@@ -0,0 +1,72 @@
+job "netbox" {
+ datacenters = [
+ "nummer5",
+ ]
+ type = "service"
+
+ group "apps" {
+ count = 1
+
+ network {
+ port "http" {
+ to = 8000
+ }
+ }
+
+ service {
+ name = "netbox"
+ port = "http"
+
+ tags = [
+ "traefik.enable=true",
+ "traefik.http.routers.netbox.rule=Host(`netbox.service.nr5`)",
+ ]
+ }
+
+ volume "netbox" {
+ type = "csi"
+ source = "netbox"
+ read_only = false
+ access_mode = "single-node-writer"
+ attachment_mode = "file-system"
+ }
+
+ restart {
+ attempts = 5
+ delay = "60s"
+ }
+
+ task "netbox" {
+ driver = "podman"
+ volume_mount {
+ volume = "netbox"
+ destination = "/config"
+ read_only = false
+ }
+
+ config {
+ image = "docker.io/netboxcommunity/netbox"
+ ports = ["http"]
+ }
+ env {
+ TZ="Europe/Berlin"
+ SUPERUSER_EMAIL="udo@maketank.net"
+ SUPERUSER_PASSWORD="superu"
+ ALLOWED_HOST="netbox.service.nr5"
+ DB_WAIT_DEBUG=1
+ DB_NAME="netbox"
+ DB_USER="netbox"
+ DB_PASSWORD="IK$Wb5TGhphNo:-WktT"
+ DB_HOST="postgres.service.nr5"
+ DB_PORT="5472"
+ REDIS_HOST="redis.service.nr5"
+ REDIS_PORT="6379"
+ }
+ resources {
+ cpu = 400
+ memory = 128
+ }
+
+ }
+ }
+}
\ No newline at end of file
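Review bot: The router name in the tag `traefik.http.routers.mosquitto-pormetheus-exporter.rule=...` is misspelled (`pormetheus`); Traefik accepts any router name, but it no longer matches the service name used everywhere else in the job and will not turn up in a grep — rename the router to `mosquitto-prometheus-exporter`. `image = "cr.wks/mosquitto-prometheus-exporter"` with `force_pull = true` pulls whatever `latest` is at each start; a version tag or digest keeps restarts reproducible.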
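Review bot: `DB_PORT="5472"` in the netbox env block does not match the port PostgreSQL is published on in this same commit (`static = 5432` in apps/postgresql/live.hcl), so the database wait will never succeed; change it to `DB_PORT="5432"`. `ALLOWED_HOST` is likely not the variable the netbox-docker image reads — its configuration uses `ALLOWED_HOSTS` — please confirm against the image version, since a mismatch leaves NetBox rejecting requests for `netbox.service.nr5`. `SUPERUSER_PASSWORD="superu"` and `DB_PASSWORD` are committed in clear text and `DB_WAIT_DEBUG=1` is a debug switch; the superuser credentials in particular should come from Vault or Nomad Variables through a `template` block, and the committed values rotated. `docker.io/netboxcommunity/netbox` without a tag also floats on `latest`.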
diff --git a/apps/netbox/volume.hcl b/apps/netbox/volume.hcl
new file mode 100644
index 0000000..64c09ea
--- /dev/null
+++ b/apps/netbox/volume.hcl
@@ -0,0 +1,20 @@
+type = "csi"
+id = "netbox"
+name = "netbox"
+plugin_id = "nfs"
+
+capability {
+ access_mode = "single-node-writer"
+ attachment_mode = "file-system"
+}
+
+context {
+ server = "ebin02.wks"
+ share = "/data/raid1-ssd/app-data/netbox"
+ mountPermissions = "0"
+}
+
+mount_options {
+ fs_type = "nfs"
+ mount_flags = [ "timeo=30", "vers=3", "_netdev" , "nolock" ]
+}
\ No newline at end of file
diff --git a/apps/postgresql/live.hcl b/apps/postgresql/live.hcl
index a56ef6b..4042bb9 100644
--- a/apps/postgresql/live.hcl
+++ b/apps/postgresql/live.hcl
@@ -1,8 +1,3 @@ -#To Configure vault -# vault secrets enable database -# vault write database/config/postgresql plugin_name=postgresql-database-plugin connection_url="postgresql://{{username}}:{{password}}@postgres.service.consul:5432/postgres?sslmode=disable" allowed_roles="*" username="root" password="rootpassword" -# vault write database/roles/readonly db_name=postgresql creation_statements=@readonly.sql default_ttl=1h max_ttl=24h - job "postgres" { datacenters = ["nummer5"] type = "service"
@@ -16,14 +11,26 @@ job "postgres" { access_mode = "single-node-writer" attachment_mode = "file-system" } + + network { + mode = "host" + port "postgres"{ + static = 5432 + } + } + service { + name = "postgres" + port = "postgres" + #tags = [ + # "traefik.enable=true", + # "traefik.tcp.routers.postgres.rule=Host(`postgres.service.nr5`)", + #] + } task "postgres" { driver = "podman" config { image = "docker.io/postgres:13" - network_mode = "host" - port_map { - db = 5432 - } + ports = ["postgres"] } volume_mount { volume = "postgres-data"
@@ -41,25 +48,10 @@ job "postgres" { resources { cpu = 1000 - memory = 1024 - network { - port "db" { - static = 5432 - } - } - } - service { - name = "postgres" - tags = ["postgres for vault"] - port = "db" + memory = 512 - check { - name = "alive" - type = "tcp" - interval = "60s" - timeout = "2s" - } } + } restart { attempts = 10
diff --git a/apps/redis/live.hcl b/apps/redis/live.hcl
new file mode 100644
index 0000000..580663d
--- /dev/null
+++ b/apps/redis/live.hcl
@@ -0,0 +1,54 @@
+
+job "redis" {
+ datacenters = ["nummer5"]
+
+ group "cache" {
+
+ count = 1
+
+ volume "volume0" {
+ type = "csi"
+ source = "redis"
+ read_only = false
+ attachment_mode = "file-system"
+ access_mode = "single-node-writer"
+ }
+
+ network {
+ port "redis" {
+ static = 6379
+ }
+ }
+ service {
+ name = "redis"
+ port = "redis"
+ tags = [
+ "traefik.enable=true",
+ "traefik.tcp.routers.redis.rule=HostSNI(`redis.service.nr5`)",
+ # "traefik.tcp.routers.redis.entryPoints=redis",
+ # "traefik.tcp.routers.redis.service=redis",
+ # services (needed for TCP)
+ "traefik.tcp.services.redis.loadbalancer.server.port=6379",
+ ]
+ }
+
+ task "redis" {
+ driver = "podman"
+
+ config {
+ image = "redis"
+ ports = ["redis"]
+ }
+
+ volume_mount {
+ volume = "volume0"
+ destination = "/data"
+ }
+
+ resources {
+ cpu = 500
+ memory = 256
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/apps/redis/volume.hcl b/apps/redis/volume.hcl
new file mode 100644
index 0000000..33d7ce9
--- /dev/null
+++ b/apps/redis/volume.hcl
@@ -0,0 +1,21 @@
+type = "csi"
+id = "redis"
+name = "redis"
+plugin_id = "nfs"
+external_id = "redis"
+
+capability {
+ access_mode = "single-node-writer"
+ attachment_mode = "file-system"
+}
+
+context {
+ server = "ebin02.wks"
+ share = "/data/raid1-ssd/app-data/redis-data"
+ mountPermissions = "0"
+}
+
+mount_options {
+ fs_type = "nfs"
+ mount_flags = [ "timeo=30", "vers=3", "_netdev" , "nolock" ]
+}
\ No newline at end of file
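Review bot: The `check { name = "alive" type = "tcp" ... }` removed together with the old `service` block was not carried over into the new `service "postgres"` block (previous hunk, ending on the line above), so Consul now registers postgres with no health check and `postgres.service.nr5` keeps resolving to the allocation while the server is down or still starting; re-add the tcp check under the new service block, e.g. `check { type = "tcp" interval = "60s" timeout = "2s" }`. With `mode = "host"` and `static = 5432` the database now listens on the client's host address for the whole network, which the removed Vault-managed credentials used to at least document — `pg_hba.conf` or the client's firewall should restrict source addresses, and a comment should say which. The drop from `memory = 1024` to `memory = 512` is fine if measured, but a short note on why would help the next reader.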
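Review bot: The rule `traefik.tcp.routers.redis.rule=HostSNI(...)` with a hostname will never match plain Redis clients: Traefik can only read the SNI from a TLS ClientHello, and for non-TLS TCP routers the only valid rule is `HostSNI(\`*\`)`, so as written this router routes nothing. The redis image starts without `requirepass` or ACLs by default and `static = 6379` publishes it on the host, so anything on the network can read and write the cache (netbox in this commit stores session data there); pass `--requirepass` via `args` with the value rendered from Vault, or at least keep the port off the host network. `image = "redis"` is unqualified and untagged — `docker.io/library/redis:<version>` pins both registry and version.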