chaos/nomad-nummer5
2
0
Fork 0
Code Issues 2 Pull Requests Activity

Merge branch 'main' of ssh://gitea.service.nr5:2222/chaos/nomad-nummer5
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Udo Waechter
2024-02-22 14:56:55 +01:00
parent a859bf3cfa 91fff0b276
commit 398c27579b
24 changed files with 587 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.drone.yml
View File

@@ -5,6 +5,10 @@ name: nomad-nummer5
platform: platform:
os: linux os: linux
arch: arm64 arch: arm64
environment:
TARGET_HOST: "test.chaos"
steps: steps:
- name: test - name: test
@@ -12,3 +16,4 @@ steps:
commands: commands:
- echo hello - echo hello
- echo world - echo world
- echo $TARGET_HOST

12
README.md
View File

@@ -7,3 +7,15 @@
NFS - https://github.com/thatsk/nfs-csi-nomad/tree/main NFS - https://github.com/thatsk/nfs-csi-nomad/tree/main
Podman - https://github.com/hashicorp/nomad-driver-podman Podman - https://github.com/hashicorp/nomad-driver-podman
# Datacenter: ring86
# auto.chaos
podman run -d --replace -e 1883 -p 1883:1883 --mount=type=bind,source=/etc/mosquitto,destination=/mosquitto --tz=Europe/Berlin --name=mosquitto-mqtt cr.wks/mosquitto:latest
podman run -d --replace -e 9234 -p 0.0.0.0:9234:9234 --tz=Europe/Berlin --name=mosquitto-exporter cr.wks/mosquitto-prometheus-exporter --endpoint "tcp://mqtt:1883"

5
_sys/etc_consul.d/acl.hcl Normal file
View File

@@ -0,0 +1,5 @@
acl = {
enabled = true
default_policy = "allow"
enable_token_persistence = true
}

4
_sys/nfs-controller.hcl
View File

@@ -30,8 +30,8 @@ job "plugin-nfs-controller" {
} }
resources { resources {
cpu = 250 cpu = 50
memory = 128 memory = 15
} }
} }
} }

4
_sys/nfs-nodes.hcl
View File

@@ -34,8 +34,8 @@ job "plugin-nfs-nodes" {
} }
resources { resources {
cpu = 250 cpu = 50
memory = 128 memory = 10
} }
} }
} }

1
_sys/traefik.hcl
View File

@@ -18,6 +18,7 @@ job "traefik" {
port "api" { port "api" {
static = 81 static = 81
} }
} }
service { service {

13
_sys/vault/role-ssh-signer.json Normal file
View File

@@ -0,0 +1,13 @@
#https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates
{
"algorithm_signer": "rsa-sha2-256",
"allow_user_certificates": true,
"allowed_users": "*",
"allowed_extensions": "permit-pty,permit-port-forwarding",
"default_extensions": {
"permit-pty": ""
},
"key_type": "ca",
"default_user": "admini",
"ttl": "30m0s"
}

13
_sys/vault/vault-service-policy.hcl Normal file
View File

@@ -0,0 +1,13 @@
https://developer.hashicorp.com/vault/tutorials/day-one-consul/deployment-guide
#consul acl policy create -name vault-service -rules @vault-service-policy.hcl
#consul acl token create \
# -description "Vault Service Token" \
# -policy-name vault-service
service "vault" { policy = "write" }
key_prefix "vault/" { policy = "write" }
agent_prefix "" { policy = "read" }
session_prefix "" { policy = "write" }

1
apps/apt-cacher-ng/live.hcl
View File

@@ -40,6 +40,7 @@ job "apt-cacher-ng" {
config { config {
image = "cr.wks/apt-cacher-ng" image = "cr.wks/apt-cacher-ng"
ports = ["http"] ports = ["http"]
force_pull = true
} }
volume_mount { volume_mount {

64
apps/dmarc/live.hcl Normal file
View File

@@ -0,0 +1,64 @@
job "dmarc" {
datacenters = [
"nummer5",
]
type = "service"
group "apps" {
count = 1
network {
mode = "host"
port "http" {
to = 80
}
}
service {
name = "dmarc"
port = "http"
tags = [
"traefik.enable=true",
"traefik.http.routers.dmarc.rule=Host(`dmarc.service.nr5`)",
]
}
restart {
attempts = 5
delay = "30s"
}
task "dmarc" {
driver = "podman"
config {
image = "cr.wks/dmarc-report:latest"
ports = ["http"]
}
env {
TZ = "Europe/Berlin"
REPORT_DB_TYPE = "pgsql"
REPORT_DB_HOST = "postgres.service.nr5"
REPORT_DB_PORT = "5432"
REPORT_DB_NAME = "dmarc-srg"
REPORT_DB_USER = "dmarc"
REPORT_DB_PASS = "4XSS4gKpheSBoMsIs"
PARSER_IMAP_PORT = "143"
PARSER_IMAP_SERVER = "116.202.109.243" #"imap.maketank.net"
PARSER_IMAP_USER = "dmarc-inbox@maketank.net"
PARSER_IMAP_PASS = "j2Kwd6mVPZw2yMLw2gIKwn"
PARSER_IMAP_READ_FOLDER = "Inbox"
PARSER_IMAP_MOVE_FOLDER = "Processed"
PARSER_IMAP_MOVE_FOLDER_ERR = "Error"
}
resources {
cpu = 100
memory = 128
}
}
}
}

4
apps/docker-registry/live-ui.hcl
View File

@@ -39,8 +39,8 @@ job "docker-registry-ui" {
env { env {
DELETE_IMAGES = "true" DELETE_IMAGES = "true"
REGISTRY_TITLE = "Nummer5 Reg" REGISTRY_TITLE = "Nummer5 Reg"
NGINX_PROXY_PASS_URL_DISABLED = "http://cr.wks" NGINX_PROXY_PASS_URL = "http://cr.wks"
REGISTRY_URL = "http://cr.wks:5000" XX_REGISTRY_URL = "http://cr.wks:5000"
URL = "http://cr-ui.service.nr5" URL = "http://cr-ui.service.nr5"
SINGLE_REGISTRY = "true" SINGLE_REGISTRY = "true"
SHOW_CONTENT_DIGEST = "true" SHOW_CONTENT_DIGEST = "true"

72
apps/drone/live-runner-podman-nomad.hcl Normal file
View File

@@ -0,0 +1,72 @@
job "drone-runner" {
datacenters = [
"nummer5",
]
type = "service"
group "apps" {
count = 1
network {
mode = "host"
port "http" {
to = 3000
}
}
service {
name = "drone-runner"
port = "http"
}
volume "drone-runner" {
type = "csi"
source = "drone-runner"
read_only = false
access_mode = "single-node-writer"
attachment_mode = "file-system"
}
restart {
attempts = 5
delay = "30s"
}
task "drone-runner" {
driver = "podman"
env {
# Connection parameters
DRONE_RPC_PROTO="http"
DRONE_RPC_HOST="drone.service.nr5"
DRONE_RPC_SECRET="7eb685ed81d0c34bafc5efa7783c20b2"
# Nomad config
DRONE_JOB_DATACENTER="nummer5"
NOMAD_ADDR="http://nomad.service.nr5"
# Runner agent settings
DRONE_RUNNER_CAPACITY="1"
DRONE_RUNNER_MAX_PROCS="3"
DRONE_RUNNER_NAME="drone-podman-runner1"
# Logging
DRONE_DEBUG="true"
DRONE_TRACE="true"
DRONE_RPC_DUMP_HTTP="true"
DRONE_RPC_DUMP_HTTP_BODY="true"
DRONE_TASK_MEMORY="256"
}
config {
image = "cr.wks/drone-runner-nomad-podman:latest"
volumes = [
"/run/podman/podman.sock:/var/run/podman.sock",
"/etc/containers:/etc/containers"
]
#network_mode = "slirp4netns"
ports = ["http"]
}
resources {
cpu = 480
memory = 200
}
}
}
}

73
apps/drone/live-runner-podman.hcl Normal file
View File

@@ -0,0 +1,73 @@
job "drone-runner" {
datacenters = [
"nummer5",
]
type = "service"
group "apps" {
count = 1
network {
mode = "host"
port "http" {
to = 3000
}
}
service {
name = "drone-runner"
port = "http"
}
volume "drone-runner" {
type = "csi"
source = "drone-runner"
read_only = false
access_mode = "single-node-writer"
attachment_mode = "file-system"
}
restart {
attempts = 5
delay = "30s"
}
task "drone-runner" {
driver = "podman"
volume_mount {
volume = "drone-runner"
destination = "/data"
read_only = false
}
config {
image = "cr.wks/drone/drone-runner-podman:latest"
force_pull = true
ports = ["http"]
volumes = [
"/run/podman/podman.sock:/run/podman/podman.sock",
"/run/podman/podman.sock:/var/run/docker.sock",
"/etc/containers:/etc/containers"
]
}
env {
TZ = "Europe/Berlin"
DRONE_RUNNER_NAME = "drone-runner01"
DRONE_RPC_SECRET = "7eb685ed81d0c34bafc5efa7783c20b2"
DRONE_RPC_HOST = "drone.service.nr5"
DRONE_RPC_PROTO = "http"
DRONE_LOGS_DEBUG = true
DRONE_LOGS_TRACE = true
}
resources {
cpu = 500
memory = 128
}
}
}
}

20
apps/drone/live-runner.hcl
View File

@@ -20,14 +20,6 @@ job "drone-runner" {
port = "http" port = "http"
} }
volume "drone-runner" {
type = "csi"
source = "drone-runner"
read_only = false
access_mode = "single-node-writer"
attachment_mode = "file-system"
}
restart { restart {
attempts = 5 attempts = 5
delay = "30s" delay = "30s"
@@ -35,14 +27,10 @@ job "drone-runner" {
task "drone-runner" { task "drone-runner" {
driver = "podman" driver = "podman"
volume_mount {
volume = "drone-runner"
destination = "/drone"
read_only = false
}
config { config {
image = "docker.io/drone/drone-runner-docker:latest" image = "docker.io/drone/drone-runner-docker:latest"
force_pull = true
ports = ["http"] ports = ["http"]
privileged = true privileged = true
volumes = [ volumes = [
@@ -58,13 +46,15 @@ job "drone-runner" {
DRONE_RPC_SECRET = "7eb685ed81d0c34bafc5efa7783c20b2" DRONE_RPC_SECRET = "7eb685ed81d0c34bafc5efa7783c20b2"
DRONE_RPC_HOST = "drone.service.nr5" DRONE_RPC_HOST = "drone.service.nr5"
DRONE_RPC_PROTO = "http" DRONE_RPC_PROTO = "http"
DRONE_RUNNER_CAPACITY = 1
DRONE_LOGS_DEBUG = true DRONE_LOGS_DEBUG = true
DRONE_LOGS_TRACE = true DRONE_LOGS_TRACE = true
DOCKER_BUILDKIT = 1
} }
resources { resources {
cpu = 500 cpu = 300
memory = 128 memory = 1500
} }
} }

9
apps/drone/live.hcl
View File

@@ -23,6 +23,13 @@ job "drone" {
"traefik.enable=true", "traefik.enable=true",
"traefik.http.routers.drone.rule=Host(`drone.service.nr5`)", "traefik.http.routers.drone.rule=Host(`drone.service.nr5`)",
] ]
check {
type = "http"
path = "/welcome"
interval = "120s"
timeout = "5s"
}
} }
volume "drone-data" { volume "drone-data" {
@@ -60,8 +67,10 @@ job "drone" {
DRONE_RPC_SECRET = "7eb685ed81d0c34bafc5efa7783c20b2" DRONE_RPC_SECRET = "7eb685ed81d0c34bafc5efa7783c20b2"
DRONE_SERVER_HOST = "drone.service.nr5" DRONE_SERVER_HOST = "drone.service.nr5"
DRONE_SERVER_PROTO = "http" DRONE_SERVER_PROTO = "http"
DRONE_JSONNET_ENABLED = true
DRONE_LOGS_DEBUG = true DRONE_LOGS_DEBUG = true
DRONE_LOGS_TRACE = true DRONE_LOGS_TRACE = true
DRONE_USER_CREATE = "username:do,admin:true"
} }
resources { resources {

10
apps/gitea/live.hcl
View File

@@ -27,6 +27,13 @@ job "gitea" {
"traefik.enable=true", "traefik.enable=true",
"traefik.http.routers.gitea.rule=Host(`gitea.service.nr5`)", "traefik.http.routers.gitea.rule=Host(`gitea.service.nr5`)",
] ]
check {
type = "http"
path = "/user/login"
interval = "120s"
timeout = "5s"
}
} }
volume "gitea-data" { volume "gitea-data" {
@@ -44,6 +51,7 @@ job "gitea" {
task "gitea" { task "gitea" {
driver = "podman" driver = "podman"
volume_mount { volume_mount {
volume = "gitea-data" volume = "gitea-data"
destination = "/data" destination = "/data"
@@ -53,6 +61,7 @@ job "gitea" {
config { config {
image = "docker.io/gitea/gitea:latest" image = "docker.io/gitea/gitea:latest"
ports = ["ssh", "http"] ports = ["ssh", "http"]
force_pull = true
} }
env { env {
@@ -73,6 +82,7 @@ job "gitea" {
GITEA__packages__ENABLED = "true" GITEA__packages__ENABLED = "true"
GITEA__log__LEVEL = "warn" GITEA__log__LEVEL = "warn"
GITEA__actions__ENABLED = "true" GITEA__actions__ENABLED = "true"
GITEA__webhook__ALLOWED_HOST_LIST = "private"
} }

51
apps/homer/live.hcl Normal file
View File

@@ -0,0 +1,51 @@
job "homer" {
datacenters = ["nummer5"]
group "apps" {
count = 1
network {
port "http"{
to = 8080
}
}
service {
name = "homer"
port = "http"
tags = [
"traefik.enable=true",
"traefik.http.routers.homer.rule=Host(`homer.service.nr5`)",
]
}
volume "homer-assets" {
type = "csi"
read_only = false
source = "homer-assets"
access_mode = "single-node-writer"
attachment_mode = "file-system"
}
task "homer" {
driver = "podman"
config {
image = "b4bz/homer:latest"
ports = ["http"]
}
volume_mount {
volume = "homer-assets"
destination = "/www/assets"
}
resources {
cpu = 10
memory = 32
}
}
}
}

20
apps/homer/volume.hcl Normal file
View File

@@ -0,0 +1,20 @@
type = "csi"
id = "homer-assets"
name = "homer-assets"
plugin_id = "nfs"
capability {
access_mode = "single-node-writer"
attachment_mode = "file-system"
}
context {
server = "ebin01.wks"
share = "/data/raid1-ssd/app-data/homer-assets"
mountPermissions = "0"
}
mount_options {
fs_type = "nfs"
mount_flags = [ "timeo=30", "vers=3", "_netdev" , "nolock" ]
}

42
apps/mosquitto-prometheus-exporter/live.hcl Normal file
View File

@@ -0,0 +1,42 @@
job "mosquitto-prometheus-exporter" {
datacenters = ["nummer5"]
group "apps" {
count = 1
network {
port "http"{
to = 9234
}
}
service {
name = "mosquitto-prometheus-exporter"
port = "http"
tags = [
"traefik.enable=true",
"traefik.http.routers.mosquitto-pormetheus-exporter.rule=Host(`mosquitto-prometheus-exporter.service.nr5`)",
]
}
task "server" {
driver = "podman"
config {
image = "cr.wks/mosquitto-prometheus-exporter"
ports = ["http"]
force_pull = true
args = [
"--endpoint", "tcp://mqtt.wks:1883"
]
}
resources {
cpu = 50
memory = 10
}
}
}
}

72
apps/netbox/live.hcl Normal file
View File

@@ -0,0 +1,72 @@
job "netbox" {
datacenters = [
"nummer5",
]
type = "service"
group "apps" {
count = 1
network {
port "http" {
to = 8000
}
}
service {
name = "netbox"
port = "http"
tags = [
"traefik.enable=true",
"traefik.http.routers.netbox.rule=Host(`netbox.service.nr5`)",
]
}
volume "netbox" {
type = "csi"
source = "netbox"
read_only = false
access_mode = "single-node-writer"
attachment_mode = "file-system"
}
restart {
attempts = 5
delay = "60s"
}
task "netbox" {
driver = "podman"
volume_mount {
volume = "netbox"
destination = "/config"
read_only = false
}
config {
image = "docker.io/netboxcommunity/netbox"
ports = ["http"]
}
env {
TZ="Europe/Berlin"
SUPERUSER_EMAIL="udo@maketank.net"
SUPERUSER_PASSWORD="superu"
ALLOWED_HOST="netbox.service.nr5"
DB_WAIT_DEBUG=1
DB_NAME="netbox"
DB_USER="netbox"
DB_PASSWORD="IK$Wb5TGhphNo:-WktT"
DB_HOST="postgres.service.nr5"
DB_PORT="5472"
REDIS_HOST="redis.service.nr5"
REDIS_PORT="6379"
}
resources {
cpu = 400
memory = 128
}
}
}
}

20
apps/netbox/volume.hcl Normal file
View File

@@ -0,0 +1,20 @@
type = "csi"
id = "netbox"
name = "netbox"
plugin_id = "nfs"
capability {
access_mode = "single-node-writer"
attachment_mode = "file-system"
}
context {
server = "ebin02.wks"
share = "/data/raid1-ssd/app-data/netbox"
mountPermissions = "0"
}
mount_options {
fs_type = "nfs"
mount_flags = [ "timeo=30", "vers=3", "_netdev" , "nolock" ]
}

44
apps/postgresql/live.hcl
View File

@@ -1,8 +1,3 @@
#To Configure vault
# vault secrets enable database
# vault write database/config/postgresql plugin_name=postgresql-database-plugin connection_url="postgresql://{{username}}:{{password}}@postgres.service.consul:5432/postgres?sslmode=disable" allowed_roles="*" username="root" password="rootpassword"
# vault write database/roles/readonly db_name=postgresql creation_statements=@readonly.sql default_ttl=1h max_ttl=24h
job "postgres" { job "postgres" {
datacenters = ["nummer5"] datacenters = ["nummer5"]
type = "service" type = "service"
@@ -16,14 +11,26 @@ job "postgres" {
access_mode = "single-node-writer" access_mode = "single-node-writer"
attachment_mode = "file-system" attachment_mode = "file-system"
} }
network {
mode = "host"
port "postgres"{
static = 5432
}
}
service {
name = "postgres"
port = "postgres"
#tags = [
# "traefik.enable=true",
# "traefik.tcp.routers.postgres.rule=Host(`postgres.service.nr5`)",
#]
}
task "postgres" { task "postgres" {
driver = "podman" driver = "podman"
config { config {
image = "docker.io/postgres:13" image = "docker.io/postgres:13"
network_mode = "host" ports = ["postgres"]
port_map {
db = 5432
}
} }
volume_mount { volume_mount {
volume = "postgres-data" volume = "postgres-data"
@@ -41,25 +48,10 @@ job "postgres" {
resources { resources {
cpu = 1000 cpu = 1000
memory = 1024 memory = 512
network {
port "db" {
static = 5432
}
}
}
service {
name = "postgres"
tags = ["postgres for vault"]
port = "db"
check {
name = "alive"
type = "tcp"
interval = "60s"
timeout = "2s"
}
} }
} }
restart { restart {
attempts = 10 attempts = 10

54
apps/redis/live.hcl Normal file
View File

@@ -0,0 +1,54 @@
job "redis" {
datacenters = ["nummer5"]
group "cache" {
count = 1
volume "volume0" {
type = "csi"
source = "redis"
read_only = false
attachment_mode = "file-system"
access_mode = "single-node-writer"
}
network {
port "redis" {
static = 6379
}
}
service {
name = "redis"
port = "redis"
tags = [
"traefik.enable=true",
"traefik.tcp.routers.redis.rule=HostSNI(`redis.service.nr5`)",
# "traefik.tcp.routers.redis.entryPoints=redis",
# "traefik.tcp.routers.redis.service=redis",
# services (needed for TCP)
"traefik.tcp.services.redis.loadbalancer.server.port=6379",
]
}
task "redis" {
driver = "podman"
config {
image = "redis"
ports = ["redis"]
}
volume_mount {
volume = "volume0"
destination = "/data"
}
resources {
cpu = 500
memory = 256
}
}
}
}

21
apps/redis/volume.hcl Normal file
View File

@@ -0,0 +1,21 @@
type = "csi"
id = "redis"
name = "redis"
plugin_id = "nfs"
external_id = "redis"
capability {
access_mode = "single-node-writer"
attachment_mode = "file-system"
}
context {
server = "ebin02.wks"
share = "/data/raid1-ssd/app-data/redis-data"
mountPermissions = "0"
}
mount_options {
fs_type = "nfs"
mount_flags = [ "timeo=30", "vers=3", "_netdev" , "nolock" ]
}