Adrian Cowan
e695485353
All checks were successful
CI / Terraform fmt + validate (pull_request) Successful in 27s
CI / Nomad job spec validate (pull_request) Successful in 22s
CI / Docker image pull validation (pull_request) Successful in 16s
CI / Terraform fmt + validate (push) Successful in 23s
CI / Nomad job spec validate (push) Successful in 22s
CI / Docker image pull validation (push) Has been skipped
- traefik: TCP → HTTP check on /ping (enable ping entrypoint) - gitea: check path → /api/healthz - jellyfin: TCP → HTTP check on /health - glance: TCP → HTTP check on / - sonarr/prowlarr: check path / → /ping (×2 checks each) - ntfy/transfer/deluge/openreader/authelia/pgadmin: add name and port to existing checks - postgres: remove invalid TCP check (Connect-enabled service) - unifi: TCP → script check via curl (macvlan host isolation workaround)
159 lines
3.1 KiB
HCL
159 lines
3.1 KiB
HCL
job "gitea" {
|
|
group "gitea" {
|
|
network {
|
|
mode = "bridge"
|
|
port "http" {
|
|
to = 3000
|
|
}
|
|
}
|
|
|
|
service {
|
|
connect {
|
|
sidecar_service {
|
|
proxy {
|
|
upstreams {
|
|
destination_name = "postgres"
|
|
local_bind_port = 5432
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
service {
|
|
name = "code"
|
|
port = "http"
|
|
|
|
tags = [
|
|
"traefik.enable=true",
|
|
"traefik.http.routers.gitea.middlewares=auth@file",
|
|
# Token subdomain — no auth middleware — used by act_runner step containers for git checkout
|
|
"traefik.http.routers.gitea-token.rule=Host(`gitea-1ef0bea6b75a4fd3e9393a9f7f7e4b02.othrayte.one`)",
|
|
]
|
|
|
|
check {
|
|
name = "alive"
|
|
type = "http"
|
|
path = "/api/healthz"
|
|
port = "http"
|
|
interval = "10s"
|
|
timeout = "2s"
|
|
}
|
|
}
|
|
|
|
# Separate service for Consul Connect ingress (address_mode=alloc avoids hairpin NAT issue)
|
|
service {
|
|
name = "code-connect"
|
|
port = "http"
|
|
address_mode = "alloc"
|
|
|
|
connect {
|
|
sidecar_service {}
|
|
}
|
|
}
|
|
|
|
task "gitea" {
|
|
driver = "docker"
|
|
|
|
config {
|
|
image = "gitea/gitea:latest"
|
|
|
|
ports = ["http"]
|
|
|
|
volumes = ["local/app.ini:/data/gitea/conf/app.ini"]
|
|
}
|
|
|
|
env = {
|
|
USER_UID = "1000"
|
|
USER_GID = "1000"
|
|
}
|
|
|
|
resources {
|
|
cpu = 500
|
|
memory = 512
|
|
}
|
|
|
|
volume_mount {
|
|
volume = "unraid_appdata_gitea"
|
|
destination = "/data"
|
|
read_only = false
|
|
}
|
|
|
|
template {
|
|
data = <<EOF
|
|
# Gitea configuration file
|
|
WORK_PATH = /data/
|
|
|
|
[database]
|
|
DB_TYPE = postgres
|
|
HOST = localhost:5432
|
|
NAME = gitea
|
|
USER = gitea
|
|
PASSWD = {{ with nomadVar "nomad/jobs/gitea" }}{{ .database_pw }}{{ end }}
|
|
|
|
[repository]
|
|
ROOT = /data/git/repositories
|
|
|
|
[server]
|
|
DOMAIN = code.othrayte.one
|
|
SSH_DOMAIN = git.othrayte.one
|
|
ROOT_URL = https://code.othrayte.one/
|
|
|
|
[lfs]
|
|
PATH = /data/git/lfs
|
|
|
|
[log]
|
|
MODE = console
|
|
LEVEL = info
|
|
ROOT_PATH = /data/gitea/log
|
|
|
|
[security]
|
|
INSTALL_LOCK = true
|
|
INTERNAL_TOKEN = {{ with nomadVar "nomad/jobs/gitea" }}{{ .internal_token }}{{ end }}
|
|
PASSWORD_HASH_ALGO = pbkdf2
|
|
|
|
[oauth2]
|
|
JWT_SECRET = {{ with nomadVar "nomad/jobs/gitea" }}{{ .jwt_secret }}{{ end }}
|
|
EOF
|
|
destination = "local/app.ini"
|
|
}
|
|
}
|
|
|
|
task "tailscale" {
|
|
driver = "docker"
|
|
|
|
config {
|
|
image = "tailscale/tailscale:latest"
|
|
}
|
|
|
|
env = {
|
|
TS_HOSTNAME = "git"
|
|
TS_AUTHKEY = "${ts_oauthsecret}?ephemeral=true"
|
|
TS_EXTRA_ARGS = "--advertise-tags=tag:nomad"
|
|
}
|
|
|
|
resources {
|
|
cpu = 100
|
|
memory = 64
|
|
}
|
|
|
|
lifecycle {
|
|
hook = "prestart"
|
|
sidecar = true
|
|
}
|
|
}
|
|
|
|
volume "unraid_appdata_gitea" {
|
|
type = "csi"
|
|
read_only = false
|
|
source = "unraid_appdata_gitea"
|
|
access_mode = "single-node-writer"
|
|
attachment_mode = "file-system"
|
|
|
|
mount_options {
|
|
mount_flags = ["uid=1000", "gid=1000"]
|
|
}
|
|
}
|
|
}
|
|
}
|