Sort parts of the nomad intra into folders

This should make finding things easier
This commit is contained in:
2025-10-22 22:02:25 +11:00
parent 8869bd1cb2
commit 92f60a7572
15 changed files with 176 additions and 25 deletions


@@ -0,0 +1,31 @@
job "csi-smb" {
type = "system"
group "smb" {
task "plugin" {
driver = "docker"
config {
image = "mcr.microsoft.com/k8s/csi/smb-csi:v1.7.0"
args = [
"--v=5",
"--nodeid=${attr.unique.hostname}",
"--endpoint=unix:///csi/csi.sock",
"--drivername=smb.csi.k8s.io"
]
privileged = true
}
csi_plugin {
id = "smb"
type = "node"
mount_dir = "/csi"
}
resources {
cpu = 100
memory = 50
}
}
}
}
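Review bot: `privileged = true` on line 26 gives the plugin container full host access and nothing in the hunk records why; the Nomad docker driver needs it for CSI node plugins to perform mounts, so a comment such as `# privileged: required for the CSI node plugin to mount shares in the host mount namespace` will stop the next reader from removing it. `"--v=5"` on line 21 is a verbose log level for a component that handles share credentials; confirm the driver does not echo mount options at that level, and consider lowering it once the plugin is proven out. The image is pinned to a specific tag, which is good; keep it that way.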


@@ -0,0 +1,5 @@
resource "nomad_job" "csi-smb" {
jobspec = file("${path.module}/csi-smb.nomad.hcl")
}


@@ -0,0 +1,25 @@
terraform {
required_providers {
sops = {
source = "carlpett/sops"
version = "~> 0.5"
}
postgresql = {
source = "cyrilgdn/postgresql"
}
}
}
provider "nomad" {
address = "http://jaglan-beta-m20.lan:4646"
}
data "sops_file" "secrets" {
source_file = "secrets/secrets.enc.json"
}
data "nomad_plugin" "smb" {
plugin_id = "smb"
wait_for_healthy = true
}
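Review bot: `provider "nomad"` on lines 62-64 talks to the API over plain `http://`, so any ACL token the provider picks up from the environment and the secret values written through `nomad_variable` travel in the clear on the LAN; if the cluster has TLS enabled switch to `https://` and set `ca_file`, otherwise record the choice in a comment. `required_providers` on lines 52-60 pins `sops` but leaves `postgresql` without a version constraint and does not declare the `nomad` provider at all, so `terraform init` will take whatever is newest for both. Adding `nomad = { source = "hashicorp/nomad", version = "~> 2.0" }` style entries keeps upgrades deliberate (the constraint value is a placeholder, pick the version actually in use).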


@@ -0,0 +1,97 @@
job "pgadmin" {
group "pgadmin" {
service {
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "postgres"
local_bind_port = 5432
}
}
}
}
}
network {
mode = "bridge"
port "http" {
to = 80
}
}
task "pgadmin" {
driver = "docker"
config {
image = "dpage/pgadmin4:latest"
ports = ["http"]
volumes = [
"local/servers.json:/pgadmin4/servers.json",
"secrets/.pgpass:/home/.pgpass"
]
}
env = {
PGADMIN_DEFAULT_EMAIL = "othrayte@gmail.com"
PGADMIN_DEFAULT_PASSWORD = "admin"
PGADMIN_CONFIG_WTF_CSRF_ENABLED = "False"
PGADMIN_CONFIG_WTF_CSRF_CHECK_DEFAULT = "False"
PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION = "False"
PGADMIN_CONFIG_SERVER_MODE = "False"
PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED = "False"
}
resources {
cpu = 500
memory = 256
}
service {
name = "pgadmin"
port = "http"
tags = [
"traefik.enable=true",
"traefik.http.routers.pgadmin.middlewares=auth@file",
]
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
}
template {
data = <<EOF
{
"Servers": {
"1": {
"Group": "Servers",
"Name": "postgres",
"Host": "localhost",
"Port": 5432,
"MaintenanceDB": "postgres",
"Username": "postgres",
"PassFile": "/home/.pgpass"
}
}
}
EOF
destination = "local/servers.json"
}
template {
data = <<EOF
localhost:5432:*:postgres:{{ with nomadVar "nomad/jobs/postgres" }}{{ .postgres_password }}{{ end }}
EOF
destination = "secrets/.pgpass"
perms = "0400"
uid = 5050 # pgadmin
}
}
}
}
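Review bot: The `env` block on lines 106-114 runs pgAdmin in desktop mode with CSRF and enhanced cookie protection switched off and a literal `PGADMIN_DEFAULT_PASSWORD = "admin"`, so the only thing between the network and a pre-authenticated database console is the `auth@file` Traefik middleware on line 124; that dependency deserves a comment on the env block, e.g. `# Desktop mode: pgAdmin itself has no login. Access is gated solely by the Traefik auth@file middleware; never publish this service without it.` `image = "dpage/pgadmin4:latest"` on line 99 is unpinned while the postgres job in this commit pins its image, so a reschedule can silently pull a new major version. In desktop mode the default credentials are presumably only used to seed the initial user, but shipping the value `admin` still invites confusion; confirm whether the image entrypoint requires them at all.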


@@ -0,0 +1,77 @@
job "pgbackup" {
type = "batch"
periodic {
# Note: To avoid issues with daylight savings, avoid scheduling jobs at 2am +/- 1 hour
cron = "0 4 * * *" # Every day at 4am
time_zone = "Australia/Melbourne"
prohibit_overlap = true
}
group "pgbackup" {
service {
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "postgres"
local_bind_port = 5432
}
}
}
}
}
task "pgbackup" {
driver = "docker"
config {
image = "postgres:latest"
command = "/bin/bash"
args = ["-c", "pg_dumpall -h localhost -U postgres > /backup/all_databases.sql"]
volumes = ["secrets/postgres_password:/run/secrets/postgres_password"]
}
user = "1000"
volume_mount {
volume = "unraid_database_dump"
destination = "/backup"
read_only = false
}
env {
PGPASSFILE = "/run/secrets/postgres_password"
}
template {
data = <<EOF
localhost:5432:*:postgres:{{ with nomadVar "nomad/jobs/postgres" }}{{ .postgres_password }}{{ end }}
EOF
destination = "/secrets/postgres_password"
perms = "0400"
uid = 1000
}
resources {
cpu = 250
memory = 128
}
}
volume "unraid_database_dump" {
type = "csi"
read_only = false
source = "unraid_database_dump"
access_mode = "single-node-writer"
attachment_mode = "file-system"
mount_options {
mount_flags = ["uid=1000", "gid=0"]
}
}
network {
mode = "bridge"
}
}
}
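Review bot: The dump command on line 192 redirects straight onto `/backup/all_databases.sql`, so a pg_dumpall that fails part-way (server down, auth failure, share hiccup) leaves a truncated file where the previous good backup was; the job reports the failure, but the only copy is already gone. Write to a temporary name and rename only on success: `args = ["-c", "pg_dumpall -h localhost -U postgres > /backup/all_databases.sql.tmp && mv /backup/all_databases.sql.tmp /backup/all_databases.sql"]`. `image = "postgres:latest"` on line 190 will follow major versions while the postgres job pins pg17; a newer pg_dumpall can generally read an older server, but `postgres:17` keeps client and server in step. `destination = "/secrets/postgres_password"` on line 208 has a leading slash that the volume mount on line 193 (`secrets/postgres_password`) does not; Nomad presumably resolves both inside the task directory, but the two should be spelled the same.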


@@ -0,0 +1,67 @@
job "postgres" {
group "postgres" {
service {
name = "postgres"
port = "db"
connect {
sidecar_service {}
}
}
task "postgres" {
driver = "docker"
config {
# Temporarily pin to v17 as v18 moved the default data directory and immich doesn't officially support it yet
# immich also needs >= 0.3.0, < 0.5.0. https://docs.immich.app/administration/postgres-standalone/#prerequisites
#image = "postgres:17"
image = "tensorchord/vchord-postgres:pg17-v0.4.3"
ports = ["db"]
volumes = [
"secrets/postgres_password:/run/secrets/postgres_password"
]
}
volume_mount {
volume = "data"
destination = "/var/lib/postgresql/data"
read_only = false
}
env {
POSTGRES_USER = "postgres"
POSTGRES_PASSWORD_FILE = "/run/secrets/postgres_password"
POSTGRES_INITDB_ARGS = "--auth-host=md5"
}
resources {
cpu = 500
memory = 1024
}
template {
# This securely sets the initial password for the postgres user, to change it later
# you need to connect to the database and change it manually
data = <<EOF
{{ with nomadVar "nomad/jobs/postgres" }}{{ .postgres_password }}{{ end }}
EOF
destination = "secrets/postgres_password"
}
}
network {
mode = "bridge"
port "db" {
static = 5432
}
}
volume "data" {
type = "host"
read_only = false
source = "postgres"
}
}
}
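Review bot: `static = 5432` on line 283 publishes the database on the client node's host interface in addition to the Connect sidecar, so while pgadmin and pgbackup in this commit reach it through the mesh, the port also answers direct LAN connections; if the static port exists for an out-of-band client a comment should say so, otherwise dropping it leaves the mesh as the only path. `POSTGRES_INITDB_ARGS = "--auth-host=md5"` on line 265 selects md5 for host connections where the image default is presumably scram-sha-256 on PG14+, and it only takes effect on a fresh initdb; the comment on lines 272-273 is a good place to add `# --auth-host=md5 applies only at first initdb; prefer scram-sha-256 unless a client needs md5`.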


@@ -0,0 +1,44 @@
resource "nomad_job" "postgres" {
jobspec = file("${path.module}/postgres.nomad.hcl")
rerun_if_dead = true
}
resource "nomad_job" "pgadmin" {
jobspec = file("${path.module}/pgadmin.nomad.hcl")
}
resource "nomad_job" "pgbackup" {
jobspec = file("${path.module}/pgbackup.nomad.hcl")
}
resource "nomad_variable" "postgres" {
path = "nomad/jobs/postgres"
items = {
postgres_password = data.sops_file.secrets.data["postgres.postgres"]
}
}
resource "nomad_csi_volume_registration" "unraid_database_dump" {
#Note: Before chaning the definition of this volume you need to stop the jobs that are using it
depends_on = [data.nomad_plugin.smb]
plugin_id = "smb"
volume_id = "unraid_database_dump"
name = "unraid_database_dump"
external_id = "unraid_database_dump"
capability {
access_mode = "single-node-writer"
attachment_mode = "file-system"
}
context = {
source = "//192.168.1.192/database-dump"
}
secrets = {
"username" = "nomad"
"password" = data.sops_file.secrets.data["unraid.nomad"]
}
}
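Review bot: The `secrets` map on lines 327-330 and the `items` on line 310 pull values out of the sops data source, and Terraform persists both in state in plaintext regardless of sops, so the state backend needs the same protection as `secrets.enc.json`; a one-line comment on `nomad_csi_volume_registration` would make that visible. The comment on line 314 has a typo, `chaning` should be `changing`. `nomad_job.postgres` sets `rerun_if_dead = true` while `pgadmin` and `pgbackup` do not; for the periodic batch job that looks intended, for pgadmin it may be an oversight.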