ansible is its own repo now

.drone.star

@@ -0,0 +1,22 @@
+
+def main(ctx):
+    return {
+        "kind": "pipeline",
+        "type": "docker",
+        "name": "nomad-nummer5",
+        "platform": 
+            {
+                "os": "linux",
+                "arch": "arm64"
+            }
+        ,
+        "steps": [
+            {
+                "name": "git log",
+                "image": "cr.wks/debian-stable",
+                "commands": [
+                    "git diff-tree --no-commit-id --name-only HEAD -r"
+                ]
+            }
+        ]
+    }

.drone.yml

@@ -1,10 +0,0 @@
-kind: pipeline
-type: docker
-name: nomad-nummer5 
-
-steps:
-- name: test
-  image: alpine
-  commands:
-  - echo hello
-  - echo world

.project

@@ -5,7 +5,13 @@
 	<projects>
 	</projects>
 	<buildSpec>
+		<buildCommand>
+			<name>org.python.pydev.PyDevBuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
 	</buildSpec>
 	<natures>
+		<nature>org.python.pydev.pythonNature</nature>
 	</natures>
 </projectDescription>

.pydevproject

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<?eclipse-pydev version="1.0"?><pydev_project>
+    <pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">Default</pydev_property>
+    <pydev_property name="org.python.pydev.PYTHON_PROJECT_VERSION">python interpreter</pydev_property>
+</pydev_project>

README.md

@@ -1,9 +1,31 @@
 # Datacenter: nummer5
 
-* Packages: podman, kubernetes-cni (from the kubernetes-source)
-
+* Packages: podman, containernetworking-plugins
 
 # Plugins
 
-NFS - https://github.com/thatsk/nfs-csi-nomad/tree/main
-Podman - https://github.com/hashicorp/nomad-driver-podman
+* NFS - https://github.com/thatsk/nfs-csi-nomad/tree/main
+* Podman - https://github.com/hashicorp/nomad-driver-podman
+
+# Hosts:
+## Ebin*
+
+* https://docs.oracle.com/en/learn/ol-linux-bonding/#for-additional-information - Bonding with Networkmanager
+* u-boot-env: https://forum.armbian.com/topic/35780-with-new-uboot-env-esspressobin-v5-does-not-boot/
+
+## adm01
+
+* ``podman run -d --replace --pull=always --expose=5001 -p 127.0.0.1:5001:5001 --mount=type=bind,source=/etc/docker/registry-cache/config.yml,destination=/etc/docker/registry/config.yml --mount=type=bind,source=/data/container-dr-mirror,destination=/var/lib/registry --tz=Europe/Berlin --name=container-docker-mirror docker.io/library/registry:2``
+* ``podman run --restart=always -d --replace --pull=always --expose=5000 -p 5000:5000 --mount=type=bind,source=/etc/docker/registry/config.yml,destination=/etc/docker/registry/config.yml --mount=type=bind,source=/data/container-registry,destination=/var/lib/registry --tz=Europe/Berlin --name=container-registry docker.io/library/registry:2``
+
+
+# Datacenter: ring86
+## Podman tricks
+
+* Get CreateCommand: ``podman inspect <containername> --format "{{.Config.CreateCommand}}"``
+
+### auto.chaos
+podman run -d --replace -e 1883 -p 1883:1883 --mount=type=bind,source=/etc/mosquitto,destination=/mosquitto --tz=Europe/Berlin --name=mosquitto-mqtt cr.wks/mosquitto:latest
+podman run -d --replace -e 9234 -p 0.0.0.0:9234:9234 --tz=Europe/Berlin --name=mosquitto-exporter cr.wks/mosquitto-prometheus-exporter --endpoint "tcp://mqtt:1883"
+
+

_sys/etc_consul.d/acl.hcl

@@ -0,0 +1,5 @@
+acl = {
+  enabled = true
+  default_policy = "allow"
+  enable_token_persistence = true
+}

_sys/nfs-controller.hcl

@@ -7,6 +7,8 @@ variable "datacenters" {
 
 job "plugin-nfs-controller" {
   datacenters = var.datacenters
+  node_pool = "sys"
+  priority = 100
 
   group "controller" {
     task "plugin" {
@@ -30,9 +32,9 @@ job "plugin-nfs-controller" {
       }
 
       resources {
-        cpu    = 250
-        memory = 128
+        cpu    = 50
+        memory = 15
       }
     }
   }
-}
+}

_sys/nfs-nodes.hcl

@@ -7,7 +7,8 @@ variable "datacenters" {
 
 job "plugin-nfs-nodes" {
   datacenters = var.datacenters
-
+  node_pool = "all"
+  priority  = 100
   type = "system"
 
   group "nodes" {
@@ -34,9 +35,9 @@ job "plugin-nfs-nodes" {
       }
 
       resources {
-        cpu    = 250
-        memory = 128
+        cpu    = 50
+        memory = 10
       }
     }
   }
-}
+}

_sys/pool-apps.hcl

@@ -0,0 +1,7 @@
+node_pool "apps" {
+  description = "Application Nodes"
+
+  meta {
+    environment = "apps"
+  }
+}

_sys/pool-sys.hcl

@@ -0,0 +1,7 @@
+node_pool "sys" {
+  description = "essential services"
+
+  meta {
+    environment = "sys"
+  }
+}

_sys/traefik.hcl

@@ -2,6 +2,8 @@ job "traefik" {
   region      = "global"
   datacenters = ["nummer5"]
   type        = "system"
+  node_pool   = "all"
+  priority    = 100
 
   group "traefik" {
     #count = 5
@@ -18,6 +20,7 @@ job "traefik" {
       port "api" {
         static = 81
       }
+      
     }
 
     service {

_sys/vault/role-ssh-signer.json

@@ -0,0 +1,13 @@
+#https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates
+{
+  "algorithm_signer": "rsa-sha2-256",
+  "allow_user_certificates": true,
+  "allowed_users": "*",
+  "allowed_extensions": "permit-pty,permit-port-forwarding",
+  "default_extensions": {
+    "permit-pty": ""
+  },
+  "key_type": "ca",
+  "default_user": "admini",
+  "ttl": "30m0s"
+}

_sys/vault/vault-service-policy.hcl

@@ -0,0 +1,13 @@
+https://developer.hashicorp.com/vault/tutorials/day-one-consul/deployment-guide
+#consul acl policy create -name vault-service -rules @vault-service-policy.hcl
+#consul acl token create \
+#    -description "Vault Service Token" \
+#   -policy-name vault-service
+
+
+service "vault" { policy = "write" }
+key_prefix "vault/" { policy = "write" }
+agent_prefix "" { policy = "read" }
+session_prefix "" { policy = "write" }
+
+

apps/apt-cacher-ng/live.hcl

@@ -1,6 +1,9 @@
+
 job "apt-cacher-ng" {
   datacenters = ["nummer5"]
-  
+  node_pool = "sys"
+  priority  = 90
+
   group "system" {
     count = 1
 
@@ -9,7 +12,10 @@ job "apt-cacher-ng" {
         to = 3142
       }
     }
-
+    spread {
+    	attribute = "${node.unique.id}"
+    	weight = 100
+    }
     service {
       name = "apt-cache"
       port = "http"
@@ -40,6 +46,7 @@ job "apt-cacher-ng" {
       config {
         image = "cr.wks/apt-cacher-ng"
         ports = ["http"]
+        force_pull = true
       }
       
       volume_mount {

apps/apt-cacher-ng/volume.hcl

@@ -10,7 +10,7 @@ capability {
 }
 
 context {
-  server = "ebin02.wks"
+  server = "ebin01.wks"
   share = "/data/raid1-ssd/app-data/apt-cacher-ng"
   mountPermissions = "0"  
 }

apps/dmarc/live.hcl

@@ -0,0 +1,65 @@
+job "dmarc" {
+  datacenters = [
+    "nummer5",
+  ]
+  type = "service"
+  node_pool = "apps"
+  priority = 20  
+  group "apps" {
+    count = 1
+
+    network {
+      mode = "host"
+      port "http" {
+        to = 80
+      }
+    }
+    service {
+        name = "dmarc"
+        port = "http"
+
+        tags = [
+          "traefik.enable=true",
+          "traefik.http.routers.dmarc.rule=Host(`dmarc.service.nr5`)",
+        ]
+        
+    }
+
+    restart {
+      attempts = 5
+      delay    = "30s"
+    }
+
+    task "dmarc" {
+      driver = "podman"
+      
+      config {
+        image = "cr.wks/dmarc-report:latest"
+        ports = ["http"]
+      }
+
+      env {
+        TZ                              = "Europe/Berlin"
+        REPORT_DB_TYPE                  = "pgsql"
+        REPORT_DB_HOST                  = "postgres.service.nr5"
+        REPORT_DB_PORT                  = "5432"
+        REPORT_DB_NAME                  = "dmarc"
+        REPORT_DB_USER                  = "dmarc"
+        REPORT_DB_PASS                  = "4XSS4gKpheSBoMsIs"
+        PARSER_IMAP_PORT                = "143"
+        PARSER_IMAP_SERVER              = "116.202.109.243" #"imap.maketank.net"
+        PARSER_IMAP_USER                = "dmarc-inbox@maketank.net"
+        PARSER_IMAP_PASS                = "j2Kwd6mVPZw2yMLw2gIKwn"
+        PARSER_IMAP_READ_FOLDER         = "Inbox"
+        PARSER_IMAP_MOVE_FOLDER         = "Processed"
+        PARSER_IMAP_MOVE_FOLDER_ERR     = "Error"
+      }
+
+      resources {
+        cpu    = 100
+        memory = 128
+      }
+
+    }
+  }
+}

apps/docker-registry/live-ui.hcl

@@ -3,6 +3,7 @@ job "docker-registry-ui" {
     "nummer5",
   ]
   type = "service"
+  node_pool = "sys"
 
   group "apps" {
     count = 1
@@ -39,8 +40,8 @@ job "docker-registry-ui" {
       env {
         DELETE_IMAGES = "true"
         REGISTRY_TITLE = "Nummer5 Reg"
-        NGINX_PROXY_PASS_URL_DISABLED = "http://cr.wks"
-        REGISTRY_URL = "http://cr.wks:5000"
+        NGINX_PROXY_PASS_URL = "http://cr.wks"
+        XX_REGISTRY_URL = "http://cr.wks:5000"
         URL = "http://cr-ui.service.nr5"
         SINGLE_REGISTRY = "true"
         SHOW_CONTENT_DIGEST = "true"

apps/drone/live-runner-podman-nomad.hcl

@@ -0,0 +1,72 @@
+job "drone-runner" {
+    datacenters = [
+	"nummer5",
+    ]
+	type = "service"
+
+	group "apps" {
+	    count = 1
+
+		network {
+		    mode = "host"
+			port "http" {
+			    to = 3000
+			}
+
+		}
+
+	    service {
+		name = "drone-runner"
+		    port = "http"
+	    }
+
+	    volume "drone-runner" {
+		type      = "csi"
+		    source    = "drone-runner"
+		    read_only = false
+		    access_mode = "single-node-writer"
+		    attachment_mode = "file-system"
+	    }
+
+	    restart {
+		attempts = 5
+		    delay    = "30s"
+	    }
+
+	    task "drone-runner" {
+		driver = "podman"
+		    env {
+# Connection parameters
+			DRONE_RPC_PROTO="http"
+			    DRONE_RPC_HOST="drone.service.nr5"
+			    DRONE_RPC_SECRET="7eb685ed81d0c34bafc5efa7783c20b2"
+# Nomad config
+			    DRONE_JOB_DATACENTER="nummer5"
+			    NOMAD_ADDR="http://nomad.service.nr5"
+# Runner agent settings
+			    DRONE_RUNNER_CAPACITY="1"
+			    DRONE_RUNNER_MAX_PROCS="3"
+			    DRONE_RUNNER_NAME="drone-podman-runner1"
+# Logging
+			    DRONE_DEBUG="true"
+			    DRONE_TRACE="true"
+			    DRONE_RPC_DUMP_HTTP="true"
+			    DRONE_RPC_DUMP_HTTP_BODY="true"
+			    DRONE_TASK_MEMORY="256"
+		    }
+		config {
+		    image = "cr.wks/drone-runner-nomad-podman:latest"
+			volumes = [
+			"/run/podman/podman.sock:/var/run/podman.sock",
+			"/etc/containers:/etc/containers"
+			]
+#network_mode = "slirp4netns"
+			ports = ["http"]
+		}
+		resources {
+		    cpu    = 480
+			memory = 200
+		}
+	}
+}
+}

apps/drone/live-runner-podman.hcl

@@ -0,0 +1,73 @@
+job "drone-runner" {
+  datacenters = [
+    "nummer5",
+  ]
+  type = "service"
+
+  group "apps" {
+    count = 1
+
+    network {
+      mode = "host"
+      port "http" {
+        to = 3000
+      }
+
+    }
+    
+    service {
+        name = "drone-runner"
+        port = "http"
+    }
+
+    volume "drone-runner" {
+      type      = "csi"
+      source    = "drone-runner"
+      read_only = false
+      access_mode = "single-node-writer"
+      attachment_mode = "file-system"
+    }
+
+    restart {
+      attempts = 5
+      delay    = "30s"
+    }
+
+    task "drone-runner" {
+      driver = "podman"
+      volume_mount {
+        volume      = "drone-runner"
+        destination = "/data"
+        read_only   = false
+      }
+
+      config {
+        image = "cr.wks/drone/drone-runner-podman:latest"
+        force_pull = true
+        ports = ["http"]
+        volumes = [
+          "/run/podman/podman.sock:/run/podman/podman.sock",
+          "/run/podman/podman.sock:/var/run/docker.sock",
+          "/etc/containers:/etc/containers"
+        ]
+ 
+      }
+
+      env {
+        TZ                        = "Europe/Berlin"
+        DRONE_RUNNER_NAME         = "drone-runner01"
+        DRONE_RPC_SECRET          = "7eb685ed81d0c34bafc5efa7783c20b2"
+        DRONE_RPC_HOST            = "drone.service.nr5"
+        DRONE_RPC_PROTO           = "http"
+        DRONE_LOGS_DEBUG          = true
+        DRONE_LOGS_TRACE          = true
+      }
+
+      resources {
+        cpu    = 500
+        memory = 128 
+      }
+
+    }
+  }
+}

apps/drone/live-runner.hcl

@@ -3,6 +3,7 @@ job "drone-runner" {
     "nummer5",
   ]
   type = "service"
+  node_pool = "sys"
 
   group "apps" {
     count = 1
@@ -12,14 +13,7 @@ job "drone-runner" {
       port "http" {
         to = 3000
       }
-
     }
-    
-    service {
-        name = "drone-runner"
-        port = "http"
-    }
-
     volume "drone-runner" {
       type      = "csi"
       source    = "drone-runner"
@@ -27,6 +21,16 @@ job "drone-runner" {
       access_mode = "single-node-writer"
       attachment_mode = "file-system"
     }
+    
+    service {
+        name = "drone-runner"
+        port = "http"
+        
+        tags = [
+          "traefik.enable=true",
+          "traefik.http.routers.drone-runner.rule=Host(`drone-runner.service.nr5`)",
+        ]
+    }
 
     restart {
       attempts = 5
@@ -35,36 +39,46 @@ job "drone-runner" {
 
     task "drone-runner" {
       driver = "podman"
-      volume_mount {
-        volume      = "drone-runner"
-        destination = "/data"
-        read_only   = false
-      }
 
       config {
-        image = "docker.io/drone/drone-runner-docker:1"
+        image = "docker.io/drone/drone-runner-docker:latest"
+        force_pull = true 
         ports = ["http"]
+        privileged = true
         volumes = [
           "/var/run/podman/podman.sock:/var/run/docker.sock",
           "/etc/containers:/etc/containers"
         ]
  
       }
+      volume_mount {
+        volume      = "drone-runner"
+        destination = "/drone"
+        read_only   = false
+      }
 
       env {
         TZ                        = "Europe/Berlin"
-        DRONE_GITEA_SERVER        = "http://gitea.service.nr5"
-        DRONE_GITEA_CLIENT_ID     = "6c48da2c-2748-438e-b776-51f41d3fe607"
-        DRONE_GITEA_CLIENT_SECRET = "gto_ewohqwympejkb52veheox6doc4juodojyyvph4yf4gekhgtx7zna"
         DRONE_RUNNER_NAME         = "drone-runner01"
         DRONE_RPC_SECRET          = "7eb685ed81d0c34bafc5efa7783c20b2"
         DRONE_RPC_HOST            = "drone.service.nr5"
         DRONE_RPC_PROTO           = "http"
+        DRONE_RUNNER_CAPACITY     = 1
+        DRONE_LOGS_DEBUG          = true 
+        DRONE_LOGS_TRACE          = true
+        DRONE_TRACE               = true
+        DOCKER_BUILDKIT           = 1
+        DRONE_GIT_ALWAYS_AUTH     = true
+        DRONE_UI_DISABLE          = false
+        DRONE_UI_USERNAME         = "root"
+        DRONE_UI_PASSWORD         = "root"
+        DRONE_RUNNER_CLONE_IMAGE  = "drone/git"
+        DRONE_RUNNER_VOLUMES      = "/etc/resolv.conf:/etc/resolv.conf"
       }
 
       resources {
-        cpu    = 500
-        memory = 128 
+        cpu    = 2000
+        memory = 1024 
       }
 
     }

apps/drone/live.hcl

@@ -3,6 +3,8 @@ job "drone" {
     "nummer5",
   ]
   type = "service"
+  node_pool = "apps"
+  priority = 30
 
   group "apps" {
     count = 1
@@ -12,7 +14,6 @@ job "drone" {
       port "http" {
         to = 80
       }
-
     }
     
     service {
@@ -23,6 +24,13 @@ job "drone" {
           "traefik.enable=true",
           "traefik.http.routers.drone.rule=Host(`drone.service.nr5`)",
         ]
+        
+        check {
+         type     = "http"
+         path     = "/welcome"
+         interval = "120s"
+         timeout  = "5s"
+       }
     }
 
     volume "drone-data" {
@@ -47,7 +55,8 @@ job "drone" {
       }
 
       config {
-        image = "docker.io/drone/drone:2"
+        image = "docker.io/drone/drone:latest"
+	    force_pull = true
         ports = ["http"]
       }
 
@@ -56,10 +65,15 @@ job "drone" {
         DRONE_GIT_ALWAYS_AUTH     = true
         DRONE_GITEA_SERVER        = "http://gitea.service.nr5"
         DRONE_GITEA_CLIENT_ID     = "6c48da2c-2748-438e-b776-51f41d3fe607"
-        DRONE_GITEA_CLIENT_SECRET = "gto_ewohqwympejkb52veheox6doc4juodojyyvph4yf4gekhgtx7zna"
+        DRONE_GITEA_CLIENT_SECRET = "gto_shthxcqiqutd4f3quejnpefgbedaewfqnnkdi3cfmsdoxjq7qfsq"
         DRONE_RPC_SECRET          = "7eb685ed81d0c34bafc5efa7783c20b2"
         DRONE_SERVER_HOST         = "drone.service.nr5"
         DRONE_SERVER_PROTO        = "http"
+        DRONE_JSONNET_ENABLED     = true
+        DRONE_STARLARK_ENABLED    = true
+        DRONE_LOGS_DEBUG          = true 
+        DRONE_LOGS_TRACE          = true
+        DRONE_USER_CREATE         = "username:do,admin:true"
       }
 
       resources {

apps/drone/volume.hcl

@@ -10,7 +10,7 @@ capability {
 }
 
 context {
-  server = "ebin02.wks"
+  server = "ebin01.wks"
   share = "/data/raid1-ssd/app-data/drone-data"
   mountPermissions = "0"  
 }

apps/gitea/live.hcl

@@ -3,6 +3,8 @@ job "gitea" {
     "nummer5",
   ]
   type = "service"
+  node_pool = "apps"
+  priority  = 79
 
   group "apps" {
     count = 1
@@ -27,6 +29,13 @@ job "gitea" {
           "traefik.enable=true",
           "traefik.http.routers.gitea.rule=Host(`gitea.service.nr5`)",
         ]
+        
+        check {
+         type     = "http"
+         path     = "/user/login"
+         interval = "120s"
+         timeout  = "5s"
+       }
     }
 
     volume "gitea-data" {
@@ -38,12 +47,14 @@ job "gitea" {
     }
 
     restart {
+      interval = "10m"
       attempts = 5
       delay    = "30s"
     }
 
     task "gitea" {
       driver = "podman"
+      
       volume_mount {
         volume      = "gitea-data"
         destination = "/data"
@@ -51,8 +62,9 @@ job "gitea" {
       }
 
       config {
-        image = "docker.io/gitea/gitea:latest"
+        image = "docker.io/gitea/gitea"
         ports = ["ssh", "http"]
+        force_pull = true 
       }
 
       env {
@@ -73,14 +85,15 @@ job "gitea" {
         GITEA__packages__ENABLED        = "true"
         GITEA__log__LEVEL               = "warn"
         GITEA__actions__ENABLED         = "true"
+        GITEA__webhook__ALLOWED_HOST_LIST = "private"
         
       }
 
       resources {
-        cpu    = 200
+        cpu    = 500
         memory = 512
       }
 
     }
   }
-}
+}

apps/gitea/volume.hcl

@@ -10,7 +10,7 @@ capability {
 }
 
 context {
-  server = "ebin02.wks"
+  server = "ebin01.wks"
   share = "/data/raid1-ssd/app-data/gitea-data"
   mountPermissions = "0"  
 }

apps/homeassistant/live.hcl

@@ -3,7 +3,7 @@ job "homeassistant" {
     "nummer5",
   ]
   type = "service"
-
+  node_pool = "apps"
   group "apps" {
     count = 1
 

apps/homer/live.hcl

@@ -0,0 +1,53 @@
+job "homer" {
+  datacenters = ["nummer5"]
+  node_pool = "apps"
+  priority = 80
+
+  group "apps" {
+    count = 1
+
+    network {
+      port  "http"{
+        to = 8080
+      }
+    }
+
+    service {
+      name = "homer"
+      port = "http"
+
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.homer.rule=Host(`homer.service.nr5`)",
+      ]
+
+    }
+    
+    volume "homer-assets" {
+        type = "csi"
+        read_only = false
+        source = "homer-assets"
+        access_mode = "single-node-writer"
+        attachment_mode = "file-system"
+    }  
+      
+    task "homer" {
+      driver = "podman"
+
+      config {
+        image = "docker.io/b4bz/homer:latest"
+        ports = ["http"]
+      }
+      
+      volume_mount {
+        volume = "homer-assets"
+        destination = "/www/assets"
+      }
+      
+       resources {
+         cpu    = 10
+         memory = 32
+       }
+    }
+  }
+}

apps/homer/volume.hcl

@@ -0,0 +1,20 @@
+type = "csi"
+id = "homer-assets"
+name = "homer-assets"
+plugin_id = "nfs"
+
+capability {
+    access_mode = "single-node-writer"
+    attachment_mode = "file-system"
+}
+
+context {
+  server = "ebin01.wks"
+  share = "/data/raid1-ssd/app-data/homer-assets"
+  mountPermissions = "0"  
+}
+
+mount_options {
+  fs_type = "nfs"
+  mount_flags = [ "timeo=30", "vers=3", "_netdev" , "nolock" ]
+}

apps/jenkins/live.hcl

@@ -11,6 +11,9 @@ job "jenkins" {
       port "http" {
         to = 8080
       }
+      port "api" {
+        to = 50000
+      }
     }
     
     service {

apps/mosquitto-prometheus-exporter/live.hcl

@@ -0,0 +1,42 @@
+job "mosquitto-prometheus-exporter" {
+  datacenters = ["nummer5"]
+  node_pool = "sys"
+  group "apps" {
+    count = 1
+
+    network {
+      port  "http"{
+        to = 9234
+      }
+    }
+
+    service {
+      name = "mosquitto-prometheus-exporter"
+      port = "http"
+
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.mosquitto-pormetheus-exporter.rule=Host(`mosquitto-prometheus-exporter.service.nr5`)",
+      ]
+
+    }
+    
+    task "server" {
+      driver = "podman"
+
+      config {
+        image = "cr.wks/mosquitto-prometheus-exporter"
+        ports = ["http"]
+        force_pull = true
+        
+        args = [
+            "--endpoint", "tcp://mqtt.wks:1883"
+        ]
+      }
+      resources {
+        cpu    = 50
+        memory = 10
+      }
+    }
+  }
+}

apps/netbox/live.hcl

@@ -0,0 +1,72 @@
+job "netbox" {
+  datacenters = [
+    "nummer5",
+  ]
+  type = "service"
+
+  group "apps" {
+    count = 1
+
+    network {
+      port "http" {
+        to = 8000
+      }
+    }
+    
+    service {
+        name = "netbox"
+        port = "http"
+
+        tags = [
+          "traefik.enable=true",
+          "traefik.http.routers.netbox.rule=Host(`netbox.service.nr5`)",
+        ]
+    }
+
+    volume "netbox" {
+      type      = "csi"
+      source    = "netbox"
+      read_only = false
+      access_mode = "single-node-writer"
+      attachment_mode = "file-system"
+    }
+
+    restart {
+      attempts = 5
+      delay    = "60s"
+    }
+
+    task "netbox" {
+      driver = "podman"
+      volume_mount {
+        volume      = "netbox"
+        destination = "/config"
+        read_only   = false
+      }
+
+      config {
+        image = "docker.io/netboxcommunity/netbox"
+        ports = ["http"]
+      }
+      env {
+          TZ="Europe/Berlin"
+          SUPERUSER_EMAIL="udo@maketank.net"
+          SUPERUSER_PASSWORD="superu"
+          ALLOWED_HOST="netbox.service.nr5"
+          DB_WAIT_DEBUG=1
+          DB_NAME="netbox"
+          DB_USER="netbox"
+          DB_PASSWORD="IK$Wb5TGhphNo:-WktT"
+          DB_HOST="postgres.service.nr5"
+          DB_PORT="5472"
+          REDIS_HOST="redis.service.nr5"
+          REDIS_PORT="6379"
+      }
+      resources {
+        cpu    = 400
+        memory = 128
+      }
+
+    }
+  }
+}

apps/netbox/volume.hcl

@@ -0,0 +1,20 @@
+type = "csi"
+id = "netbox"
+name = "netbox"
+plugin_id = "nfs"
+
+capability {
+    access_mode = "single-node-writer"
+    attachment_mode = "file-system"
+}
+
+context {
+  server = "ebin02.wks"
+  share = "/data/raid1-ssd/app-data/netbox"
+  mountPermissions = "0"  
+}
+
+mount_options {
+  fs_type = "nfs"
+  mount_flags = [ "timeo=30", "vers=3", "_netdev" , "nolock" ]
+}

apps/nodered/live.hcl

@@ -3,6 +3,7 @@ job "nodered" {
     "nummer5",
   ]
   type = "service"
+  node_pool = "apps"
 
   group "apps" {
     count = 1

apps/openwrt/live.hcl

@@ -0,0 +1,58 @@
+job "openwrt" {
+  datacenters = ["nummer5"]
+  node_pool = "sys"
+  priority = 10
+
+  group "apps" {
+    count = 1
+
+    network {
+      port  "http"{
+        to = 9091
+      }
+    }
+
+    service {
+      name = "openwrt"
+      port = "http"
+
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.openwrt.rule=Host(`openwrt.service.nr5`)",
+      ]
+
+    }
+    
+    volume "openwrt" {
+        type = "csi"
+        read_only = false
+        source = "openwrt"
+        access_mode = "single-node-writer"
+        attachment_mode = "file-system"
+    }  
+      
+    task "openwrt" {
+      driver = "podman"
+
+      config {
+        image = "docker.io/jitesoft/lighttpd"
+        ports = ["http"]
+      }
+      env {
+        PORT = 9091
+        SERVER_ROOT = "/www"
+        SERVER_NAME = "openwrt.service.nr5"  
+      }
+      
+      volume_mount {
+        volume = "openwrt"
+        destination = "/www"
+      }
+      
+       resources {
+         cpu    = 10
+         memory = 32
+       }
+    }
+  }
+}

apps/openwrt/volume.hcl

@@ -0,0 +1,20 @@
+type = "csi"
+id = "openwrt"
+name = "openwrt"
+plugin_id = "nfs"
+
+capability {
+    access_mode = "single-node-writer"
+    attachment_mode = "file-system"
+}
+
+context {
+  server = "ebin01.wks"
+  share = "/data/raid1-ssd/app-data/openwrt"
+  mountPermissions = "0"  
+}
+
+mount_options {
+  fs_type = "nfs"
+  mount_flags = [ "timeo=30", "vers=3", "_netdev" , "nolock" ]
+}

apps/postgresql/live.hcl

@@ -1,12 +1,14 @@
-#To Configure vault
-# vault secrets enable database
-# vault write database/config/postgresql  plugin_name=postgresql-database-plugin   connection_url="postgresql://{{username}}:{{password}}@postgres.service.consul:5432/postgres?sslmode=disable"   allowed_roles="*"     username="root"     password="rootpassword"
-# vault write database/roles/readonly db_name=postgresql     creation_statements=@readonly.sql     default_ttl=1h max_ttl=24h
-
 job "postgres" {
   datacenters = ["nummer5"]
   type = "service"
-
+  node_pool = "sys"
+  priority  = 80
+  
+  #constraint {
+  #  attribute = "${attr.unique.hostname}"
+  #  value = "pine01" 
+  #}
+  
   group "service" {
     count = 1
     volume "postgres-data" {
@@ -16,14 +18,26 @@ job "postgres" {
         access_mode = "single-node-writer"
         attachment_mode = "file-system"
     }
+    
+    network {
+        #mode = "host"
+        port "postgres"{
+          static = 5432
+        }
+    }
+    service {
+        name = "postgres"
+        port = "postgres"
+        tags = [
+            "traefik.enable=true",
+            "traefik.tcp.routers.postgres.rule=Host(`postgres.service.nr5`)",
+        ]
+    }
     task "postgres" {
       driver = "podman"
       config {
         image = "docker.io/postgres:13"
-        network_mode = "host"
-        port_map {
-          db = 5432
-        }
+        ports = ["postgres"]
       }
       volume_mount {
         volume = "postgres-data"
@@ -40,26 +54,11 @@ job "postgres" {
       }
       
       resources {
-        cpu = 1000
-        memory = 1024
-        network {
-          port  "db"  {
-            static = 5432
-          }
-        }
-      }
-      service {
-        name = "postgres"
-        tags = ["postgres for vault"]
-        port = "db"
+        cpu = 3500
+        memory = 1500
 
-        check {
-          name     = "alive"
-          type     = "tcp"
-          interval = "60s"
-          timeout  = "2s"
-        }
       }
+    
     }
     restart {
       attempts = 10
@@ -77,4 +76,4 @@ job "postgres" {
     auto_revert = false
     canary = 0
   }
-}
+}

apps/redis/live.hcl

@@ -0,0 +1,55 @@
+
+job "redis" {
+  datacenters = ["nummer5"]
+  node_pool = "apps"
+
+  group "cache" {
+
+    count = 1
+
+    volume "volume0" {
+      type            = "csi"
+      source          = "redis"
+      read_only       = false
+      attachment_mode = "file-system"
+      access_mode     = "single-node-writer"
+    }
+
+    network {
+      port "redis" {
+        static = 6379
+      }
+    }
+    service {
+        name = "redis"
+        port = "redis"
+        tags = [
+           "traefik.enable=true",
+           "traefik.tcp.routers.redis.rule=HostSNI(`redis.service.nr5`)",
+           # "traefik.tcp.routers.redis.entryPoints=redis",
+           # "traefik.tcp.routers.redis.service=redis",
+            # services (needed for TCP)
+           "traefik.tcp.services.redis.loadbalancer.server.port=6379",
+        ]
+    }
+
+    task "redis" {
+      driver = "podman"
+
+      config {
+        image = "redis"
+        ports = ["redis"]
+      }
+
+      volume_mount {
+        volume      = "volume0"
+        destination = "/data"
+      }
+
+      resources {
+        cpu    = 500
+        memory = 256
+      }
+    }
+  }
+}

apps/redis/volume.hcl

@@ -0,0 +1,21 @@
+type = "csi"
+id = "redis"
+name = "redis"
+plugin_id = "nfs"
+external_id = "redis"
+
+capability {
+    access_mode = "single-node-writer"
+    attachment_mode = "file-system"
+}
+
+context {
+  server = "ebin02.wks"
+  share = "/data/raid1-ssd/app-data/redis-data"
+  mountPermissions = "0"  
+}
+
+mount_options {
+  fs_type = "nfs"
+  mount_flags = [ "timeo=30", "vers=3", "_netdev" , "nolock" ]
+}

bin/hosts.conf

@@ -0,0 +1,2 @@
+hosts="adm01.wks pine01.wks pine02.wks pine03.wks pine04.wks pine05.wks ebin01.wks ebin02.wks drucki.wks switch_cloud.wks drucki_switch.wks"
+domain="wks"

bin/nummer5-host-powercycle.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+. hosts.conf
+
+host=$1
+hostname=$(echo ${host} | sed s/\.${domain}//)
+MOSQ="mosquitto_pub -h mqtt.wks -t switch_cloud/switch/${hostname}/command -m"
+echo "${host} turning it off"
+${MOSQ} OFF
+sleep 2
+echo "${host} turning it on"
+${MOSQ} ON
+ping -W 1 ${host}

bin/nummer5-hosts-alive.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+. hosts.conf
+for host in $hosts; do
+    if ping -c 1 -W 1 "$host" >/dev/null; then
+        echo "$host is alive"
+    else
+        echo "$host is pining for the fjords"
+    fi
+done
+echo ''
+nomad server members
+echo ''
+nomad node status

bin/yori-upgrade.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+#
+SNAPS=/.snapshots
+DATE=$(date +%F)
+SNAP="${SNAPS}/${DATE}"
+REL=$(lsb_release -c |awk -F ' ' '{print $2}')
+echo "Cleaning apt..."
+apt clean
+apt autoremove --purge 
+echo ""
+echo ""
+echo ""
+echo ""
+echo ""
+echo "Remove all local apt lists:"
+rm -rvf /var/lib/apt/lists/*
+echo "Prune journalctl.."
+journalctl --vacuum-time 2h
+echo ""
+echo ""
+echo ""
+echo ""
+echo "Creating Snap: ${SNAP}"
+echo "btrfs subvolume snapshot / ${SNAP}"
+echo "Snaps: "
+ls -la ${SNAPS}/
+apt update
+apt dist-upgrade -t ${REL}
+echo "APT: autoremove --purge"
+apt autoremove --purge
+

drone.yml.bak

@@ -0,0 +1,23 @@
+kind: pipeline
+type: docker
+name: nomad-nummer5 
+
+platform:
+  os: linux
+  arch: arm64
+
+
+environment:
+  TARGET_HOST: "test.chaos"
+  
+steps:
+- name: git log
+  image: cr.wks/debian-stable
+  commands:
+    - git diff-tree --no-commit-id --name-only HEAD -r
+- name: test
+  image: alpine
+  commands:
+  - echo hello
+  - echo world
+  - echo $TARGET_HOST