Adrian Cowan
e695485353
- traefik: TCP → HTTP check on /ping (enable ping entrypoint) - gitea: check path → /api/healthz - jellyfin: TCP → HTTP check on /health - glance: TCP → HTTP check on / - sonarr/prowlarr: check path / → /ping (×2 checks each) - ntfy/transfer/deluge/openreader/authelia/pgadmin: add name and port to existing checks - postgres: remove invalid TCP check (Connect-enabled service) - unifi: TCP → script check via curl (macvlan host isolation workaround)
Terraform State
Mount the state on the fileshare to 2-nomad-config/.tfstate/
sudo mount -t cifs //betelgeuse-seven-unraid.lan/appdata/terraform /home/othrayte/Code/infra/2-nomad-config/.tfstate/ -o rw,username=othrayte,password=<pw>,uid=$(id -u),gid=$(id -g)
Tailscale Oauth Client
We use a Tailscale oauth client secret to allow our containers to connect to tailscale. We created an oauth client called nomad with the auth_keys (write) scope for the tag nomad and stored the secret in our secrets file.
Secrets
The secrets file is encrypted using sops and will be automatically decrypted in the terraform provider.
Put the age keys in /home//.config/sops/age/keys.txt
Adding Secrets
Edit the secrets using sops secrets/secrets.enc.json
Bootstrapping (starting without PostgreSQL running)
terraform apply -target=module.data terraform apply -target=module.ingress
Restoring PostgreSQL DBs
psql -h jaglan-beta-m21 -p 5432 -U postgres -f ~/Downloads/all_databases.sql postgres
Deploying and testing changes
Sometimes the nomad job fails but the solution is to fix another job and so we need to tell nomad to retry the unchanged job.
nomad job eval -force-reschedule glance