redbrick/nomad
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: redbrick:master
Branches Tags
redbrick:master
redbrick:monitoring
redbrick:mixpost
redbrick:listmonk
redbrick:add-nessus
redbrick:rally
redbrick:blockbot
redbrick:mail
redbrick:ams-v2
..
compare: redbrick:add-nessus
Branches Tags
redbrick:master
redbrick:monitoring
redbrick:mixpost
redbrick:listmonk
redbrick:add-nessus
redbrick:rally
redbrick:blockbot
redbrick:mail
redbrick:ams-v2

2 commits
master ... add-nessus

Author SHA1 Message Date
wizzdom
f40d37e6de
nessus: add credentials, increase memory allocation 2024-12-12 01:46:05 +00:00
James Hackett
2a0f414dcc
Add nessus for internal security scans 2023-12-09 18:19:32 +00:00
71 changed files with 412 additions and 4865 deletions
Show stats Expand all files Collapse all files

2
.gitignore vendored
View file

@ -1,5 +1,3 @@
ansible/hosts ansible/hosts
ansible/group_vars/all.yml ansible/group_vars/all.yml
.vscode/ .vscode/
**/*.ovpn
**/*.sql

52
ansible/roles/configure-consul/tasks/main.yml
View file

@ -51,45 +51,6 @@
DNSSEC=false DNSSEC=false
Domains=~consul node.consul service.consul Domains=~consul node.consul service.consul
- name: Configure Docker to use systemd-resolved
become: true
copy:
dest: /etc/systemd/resolved.conf.d/docker.conf
content: |
[Resolve]
DNSStubListener=yes
DNSStubListenerExtra=172.17.0.1
- name: Configure Docker to use systemd-resolved
become: true
copy:
dest: /etc/docker/daemon.json
content: |
{
"dns": ["172.17.0.1"]
}
- name: Restart docker daemon
become: true
systemd:
name: docker
enabled: yes
state: restarted
when: ansible_check_mode == false
# this is to stop bind9 and pdns from conflicting with systemd-resolved
- name: Remove bind9 and pdns
become: true
ansible.builtin.apt:
name:
- bind9
- pdns-backend-bind
- pdns-recursor
- pdns-server
state: absent
purge: true
when: ansible_os_family == "Debian"
- name: Restart systemd-resolved - name: Restart systemd-resolved
become: true become: true
systemd: systemd:
@ -97,3 +58,16 @@
enabled: yes enabled: yes
state: restarted state: restarted
when: ansible_check_mode == false when: ansible_check_mode == false
- name: Remove resolv.conf symlink
become: true
file:
path: /etc/resolv.conf
state: absent
- name: Create resolv.conf symlink
become: true
file:
src: /run/systemd/resolve/stub-resolv.conf
dest: /etc/resolv.conf
state: link

11
ansible/roles/configure-nfs-client/tasks/main.yml
View file

@ -6,7 +6,7 @@
- nfs-common - nfs-common
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
- name: create /storage mount point - name: create mount point
become: true become: true
ansible.builtin.file: ansible.builtin.file:
path: /storage path: /storage
@ -14,14 +14,6 @@
mode: "0755" mode: "0755"
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
- name: create /oldstorage mount directory
become: true
ansible.builtin.file:
path: /oldstorage
state: directory
mode: "0755"
when: ansible_os_family == "Debian"
- name: add nfs entry to fstab - name: add nfs entry to fstab
become: true become: true
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@ -31,7 +23,6 @@
create: yes create: yes
with_items: with_items:
- "10.10.0.7:/storage /storage nfs defaults 0 0" - "10.10.0.7:/storage /storage nfs defaults 0 0"
- "192.168.0.150:/zbackup /oldstorage nfs defaults 0 0"
- name: mount nfs - name: mount nfs
become: true become: true

8
ansible/templates/nomad-client.hcl
View file

@ -1,11 +1,5 @@
client { client {
enabled = true enabled = true
# for minecraft modpack zip bombing allowance
artifact {
decompression_size_limit = "0"
decompression_file_count_limit = 12000
}
bridge_network_hairpin_mode = true
} }
plugin "raw_exec" { plugin "raw_exec" {
@ -21,4 +15,4 @@ plugin "docker" {
enabled = true enabled = true
} }
} }
} }

11
cluster-config/README.md
View file

@ -1,11 +0,0 @@
# Nomad Cluster Configuration
This directory contains configuration relating to the configuration of the cluster including:
- node pools
- agent config
## Node Pools
[Node pools](https://developer.hashicorp.com/nomad/docs/concepts/node-pools) are a way to group nodes together into logical groups which jobs can target that can be used to enforce where allocations are placed.
e.g. [`ingress-pool.hcl`](./ingress-pool.hcl) is a node pool that is used for ingress nodes such as the [bastion-vm](https://docs.redbrick.dcu.ie/aperture/bastion-vm/). Any jobs that are defined to use `node_pool = "ingress"` such as `traefik.hcl` and `gate-proxy.hcl` will only be assigned to one of the nodes in the `ingress` node pool (i.e. the [bastion VM](https://docs.redbrick.dcu.ie/aperture/bastion-vm/))

3
cluster-config/ingress-pool.hcl
View file

@ -1,3 +0,0 @@
node_pool "ingress" {
description = "Nodes for ingress to aperture. e.g. bastion-vm"
}

2
fixperms.sh
View file

@ -1,7 +1,5 @@
#!/bin/bash #!/bin/bash
sudo chown -R root:nomad ./
sudo find . -type d -exec chmod 775 {} \; sudo find . -type d -exec chmod 775 {} \;
sudo find . -type f -exec chmod 664 {} \; sudo find . -type f -exec chmod 664 {} \;

0
jobs/socs/dcufm.hcl → jobs/dcufm.hcl
View file

61
jobs/games/minecraft/cjaran.hcl
View file

@ -1,61 +0,0 @@
job "minecraft-cjaran" {
datacenters = ["aperture"]
type = "service"
group "cjaran-mc" {
count = 1
network {
port "mc" {
to = 25565
}
port "rcon" {
to = 25575
}
}
service {
name = "cjaran-mc"
port = "mc"
}
service {
name = "cjaran-mc-rcon"
port = "rcon"
}
task "minecraft-cjaran" {
driver = "docker"
config {
image = "itzg/minecraft-server"
ports = ["mc", "rcon"]
volumes = [
"/storage/nomad/${NOMAD_TASK_NAME}:/data"
]
}
resources {
cpu = 3000 # 3000 MHz
memory = 4096 # 4GB
}
template {
data = <<EOF
EULA = "TRUE"
TYPE = "PAPER"
VERSION = "1.20.4"
USE_AIKAR_FLAGS = true
OPS = "BloThen"
MAX_PLAYERS = "10"
ENABLE_RCON = true
RCON_PASSWORD = {{ key "games/mc/cjaran-mc/rcon/password" }}
EOF
destination = "local/.env"
env = true
}
}
}
}

64
jobs/games/minecraft/esports.hcl
View file

@ -1,64 +0,0 @@
job "esports-minecraft" {
datacenters = ["aperture"]
type = "service"
group "esports-mc" {
count = 1
network {
port "mc" {
to = 25565
}
port "rcon" {
to = 25575
}
}
service {
name = "esports-mc"
port = "mc"
}
service {
name = "esports-mc-rcon"
port = "rcon"
}
task "esports-minecraft" {
driver = "docker"
config {
image = "itzg/minecraft-server"
ports = ["mc", "rcon"]
volumes = [
"/storage/nomad/${NOMAD_TASK_NAME}:/data"
]
}
resources {
cpu = 5000 # 5000 MHz
memory = 20480 # 20 GB
}
template {
data = <<EOF
EULA = "TRUE"
TYPE = "PAPER"
VERSION = "1.21.4"
ICON = "https://liquipedia.net/commons/images/thumb/5/53/DCU_Esports_allmode.png/37px-DCU_Esports_allmode.png"
USE_AIKAR_FLAGS = true
MAX_MEMORY = 18G
MOTD = "Powered by Redbrick"
MAX_PLAYERS = "32"
VIEW_DISTANCE = "32"
ENABLE_RCON = true
RCON_PASSWORD = {{ key "games/mc/esports-mc/rcon/password" }}
# Auto-download plugins
SPIGET_RESOURCES=83581,62325,118271,28140,102931 # RHLeafDecay, GSit, GravesX, Luckperms, NoChatReport
MODRINTH_PROJECTS=datapack:no-enderman-grief,thizzyz-tree-feller,imageframe,bmarker,datapack:players-drop-heads,viaversion,viabackwards
EOF
destination = "local/.env"
env = true
}
}
}
}

58
jobs/games/minecraft/fugitives.hcl
View file

@ -1,58 +0,0 @@
job "minecraft-fugitives" {
datacenters = ["aperture"]
type = "service"
group "fugitives-mc" {
count = 1
network {
port "mc" {
to = 25565
}
port "rcon" {
to = 25575
}
}
service {
name = "fugitives-mc"
port = "mc"
}
service {
name = "fugitives-mc-rcon"
port = "rcon"
}
task "minecraft-fugitives" {
driver = "docker"
config {
image = "itzg/minecraft-server"
ports = ["mc", "rcon"]
volumes = [
"/storage/nomad/${NOMAD_TASK_NAME}:/data"
]
}
resources {
cpu = 3000 # 3000 MHz
memory = 8192 # 8GB
}
template {
data = <<EOF
EULA = "TRUE"
TYPE = "PAPER"
USE_AIKAR_FLAGS = true
MOTD = "Fugitives"
MAX_PLAYERS = "20"
MEMORY = "6G"
ENABLE_RCON = true
RCON_PASSWORD = {{ key "games/mc/fugitives-mc/rcon/password" }}
EOF
destination = "local/.env"
env = true
}
}
}
}

62
jobs/games/minecraft/games.hcl
View file

@ -1,62 +0,0 @@
job "minecraft-games" {
datacenters = ["aperture"]
type = "service"
group "games-mc" {
count = 1
network {
port "mc" {
to = 25565
}
port "rcon" {
to = 25575
}
}
service {
name = "games-mc"
port = "mc"
}
service {
name = "games-mc-rcon"
port = "rcon"
}
task "minecraft-games" {
driver = "docker"
config {
image = "itzg/minecraft-server"
ports = ["mc", "rcon"]
volumes = [
"/storage/nomad/${NOMAD_TASK_NAME}:/data"
]
}
resources {
cpu = 3000 # 3000 MHz
memory = 8192 # 8GB
}
template {
data = <<EOF
EULA = "TRUE"
TYPE = "PURPUR"
VERSION = "1.20.1"
MOTD = "DCU Games Soc Minecraft Server"
USE_AIKAR_FLAGS = true
OPS = ""
MAX_PLAYERS = "20"
ENABLE_RCON = true
RCON_PASSWORD = {{ key "games/mc/games-mc/rcon/password" }}
EOF
destination = "local/.env"
env = true
}
}
}
}

70
jobs/games/minecraft/magma.hcl
View file

@ -1,70 +0,0 @@
job "minecraft-magma" {
datacenters = ["aperture"]
type = "service"
group "fabric-server" {
count = 1
network {
port "mc" {
to = 25565
}
port "rcon" {
to = 25575
}
}
service {
name = "magma-mc"
port = "mc"
}
service {
name = "magma-mc-rcon"
port = "rcon"
}
service {
name = "magma-mc-voice"
port = "voice"
tags = [
"traefik.enable=true",
"traefik.tcp.routers.magma-mc-voice.rule=HostSNI(`magma-mc.rb.dcu.ie`)",
"traefik.tcp.routers.magma-mc-voice.tls.passthrough=true",
"traefik.udp.routers.magma-mc-voice.entrypoints=voice-udp",
]
}
task "minecraft-magma" {
driver = "docker"
config {
image = "itzg/minecraft-server:java17-alpine"
ports = ["mc", "rcon", "voice"]
volumes = [
"/storage/nomad/${NOMAD_TASK_NAME}:/data"
]
}
resources {
cpu = 3000 # 3GHz
memory = 10240 # 10GB
}
template {
data = <<EOF
EULA = "TRUE"
TYPE = "FABRIC"
VERSION = "1.20.4"
ICON = "https://raw.githubusercontent.com/redbrick/design-system/main/assets/logos/logo.png"
MEMORY = "8G"
USE_AIKAR_FLAGS = true
JVM_XX_OPTS = "-XX:+AlwaysPreTouch -XX:+DisableExplicitGC -XX:+ParallelRefProcEnabled -XX:+PerfDisableSharedMem -XX:+UnlockExperimentalVMOptions -XX:+UseG1GC -XX:G1HeapRegionSize=8M -XX:G1HeapWastePercent=5 -XX:G1MaxNewSizePercent=40 -XX:G1MixedGCCountTarget=4 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1NewSizePercent=30 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:G1ReservePercent=20 -XX:InitiatingHeapOccupancyPercent=15 -XX:MaxGCPauseMillis=200 -XX:MaxTenuringThreshold=1 -XX:SurvivorRatio=32"
ENABLE_RCON=true
RCON_PASSWORD = {{{ key "games/mc/magma-mc/rcon/password" }}
EOF
destination = "local/.env"
env = true
}
}
}
}

78
jobs/games/minecraft/vanilla.hcl
View file

@ -1,78 +0,0 @@
job "minecraft-vanilla" {
datacenters = ["aperture"]
type = "service"
group "vanilla-mc" {
count = 1
network {
port "mc" {
to = 25565
}
port "rcon" {
to = 25575
}
port "bluemap" {
to = 8100
}
}
service {
name = "vanilla-mc"
port = "mc"
}
service {
name = "vanilla-mc-rcon"
port = "rcon"
}
service {
name = "vanilla-mc-bluemap"
port = "bluemap"
tags = [
"traefik.enable=true",
"traefik.http.routers.vanilla-mc-bluemap.rule=Host(`vanilla-mc.rb.dcu.ie`)",
"traefik.http.routers.vanilla-mc-bluemap.entrypoints=web,websecure",
"traefik.http.routers.vanilla-mc-bluemap.tls.certresolver=lets-encrypt",
]
}
task "minecraft-vanilla" {
driver = "docker"
config {
image = "itzg/minecraft-server"
ports = ["mc", "rcon", "bluemap"]
volumes = [
"/storage/nomad/${NOMAD_TASK_NAME}:/data"
]
}
resources {
cpu = 5000 # 5000 MHz
memory = 20480 # 20 GB
}
template {
data = <<EOF
EULA = "TRUE"
TYPE = "PAPER"
VERSION = "1.21.3"
ICON = "https://docs.redbrick.dcu.ie/assets/logo.png"
USE_AIKAR_FLAGS = true
MAX_MEMORY = 18G
MOTD = "LONG LIVE THE REDBRICK"
MAX_PLAYERS = "32"
VIEW_DISTANCE = "32"
ENABLE_RCON = true
RCON_PASSWORD = {{ key "games/mc/vanilla-mc/rcon/password" }}
# Auto-download plugins
SPIGET_RESOURCES=83581,62325,118271,28140,102931 # RHLeafDecay, GSit, GravesX, Luckperms, NoChatReport
MODRINTH_PROJECTS=datapack:no-enderman-grief,thizzyz-tree-feller,imageframe,bluemap,bmarker,datapack:players-drop-heads,viaversion,viabackwards
EOF
destination = "local/.env"
env = true
}
}
}
}

78
jobs/ingress/gate-proxy.hcl
View file

@ -1,78 +0,0 @@
job "gate-proxy" {
datacenters = ["aperture"]
node_pool = "ingress"
type = "service"
group "gate-proxy" {
count = 1
network {
port "mc" {
static = 25565
}
}
service {
port = "mc"
check {
type = "tcp"
interval = "10s"
timeout = "2s"
}
}
task "gate-proxy" {
driver = "docker"
config {
image = "ghcr.io/minekube/gate"
ports = ["mc"]
volumes = [
"local/config.yaml:/config.yaml"
]
}
template {
data = <<EOH
# This is a simplified config where the rest of the
# settings are omitted and will be set by default.
# See config.yml for the full configuration options.
config:
bind: 0.0.0.0:{{ env "NOMAD_PORT_mc" }}
forwarding:
mode: legacy
lite:
enabled: true
routes:
# Consul template to generate routes
# matches against all consul services ending in "-mc"
# NOTE: each minecraft job must have both:
# - a name ending in "-mc"
# - a port attached to the service
{{- range services }}
{{- if .Name | regexMatch ".*-mc$" }}
{{- range service .Name }}
- host: {{ .Name }}.rb.dcu.ie
backend: {{ .Name }}.service.consul:{{ .Port }}{{ end -}}{{ end -}}{{ end }}
# Fallback route for when any service is unavailable
- host: '*'
backend: localhost:2000 # backend must exist - this is a dummy value
fallback:
motd: |
§cThis server is offline/does not exist!
§eCheck back later!
version:
name: '§cTry again later!'
protocol: -1
EOH
destination = "local/config.yaml"
}
}
}
}

205
jobs/ingress/traefik.hcl
View file

@ -1,205 +0,0 @@
job "traefik" {
datacenters = ["aperture"]
node_pool = "ingress"
type = "service"
group "traefik" {
network {
port "http" {
static = 80
}
port "https" {
static = 443
}
port "admin" {
static = 8080
}
port "ssh" {
static = 22
}
port "smtp" {
static = 25
}
port "submission" {
static = 587
}
port "submissions" {
static = 465
}
port "imap" {
static = 143
}
port "imaps" {
static = 993
}
port "pop3" {
static = 110
}
port "pop3s" {
static = 995
}
port "managesieve" {
static = 4190
}
port "voice-tcp" {
static = 4502
}
port "voice-udp" {
static = 4503
}
}
service {
name = "traefik-http"
provider = "nomad"
port = "https"
}
task "traefik" {
driver = "docker"
config {
image = "traefik"
network_mode = "host"
volumes = [
"local/traefik.toml:/etc/traefik/traefik.toml",
"/storage/nomad/traefik/acme/acme.json:/acme.json",
"/storage/nomad/traefik/access.log:/access.log",
]
}
template {
data = <<EOF
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
[entryPoints.traefik]
address = ":8080"
[entryPoints.ssh]
address = ":22"
[entryPoints.smtp]
address = ":25"
[entryPoints.submission]
address = ":587"
[entryPoints.submissions]
address = ":465"
[entryPoints.imap]
address = ":143"
[entryPoints.imaps]
address = ":993"
[entryPoints.pop3]
address = ":110"
[entryPoints.pop3s]
address = ":995"
[entryPoints.managesieve]
address = ":4190"
[entryPoints.voice-tcp]
address = ":4502"
[entryPoints.voice-udp]
address = ":4503/udp"
[entryPoints.voice-udp.udp]
timeout = "15s" # this will help reduce random dropouts in audio https://github.com/mumble-voip/mumble/issues/3550#issuecomment-441495977
[tls.options]
[tls.options.default]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
]
[api]
dashboard = true
insecure = true
# Enable Consul Catalog configuration backend.
[providers.consulCatalog]
prefix = "traefik"
exposedByDefault = false
[providers.consulCatalog.endpoint]
address = "127.0.0.1:8500"
scheme = "http"
# Enable the file provider for dynamic configuration.
[providers.file]
filename = "/local/dynamic.toml"
#[providers.nomad]
# [providers.nomad.endpoint]
# address = "127.0.0.1:4646"
# scheme = "http"
[certificatesResolvers.lets-encrypt.acme]
email = "elected-admins@redbrick.dcu.ie"
storage = "acme.json"
[certificatesResolvers.lets-encrypt.acme.tlsChallenge]
[tracing]
[accessLog]
filePath = "/access.log"
EOF
destination = "/local/traefik.toml"
}
template {
data = <<EOF
[http]
[http.middlewares]
# handle redirects for short links
# NOTE: this is a consul template, add entries via consul kv
# create the middlewares with replacements for each redirect
{{ range $pair := tree "redirect/redbrick" }}
[http.middlewares.redirect-{{ trimPrefix "redirect/redbrick/" $pair.Key }}.redirectRegex]
regex = ".*" # match everything - hosts are handled by the router
replacement = "{{ $pair.Value }}"
permanent = true
{{- end }}
[http.routers]
# create routers with middlewares for each redirect
{{ range $pair := tree "redirect/redbrick" }}
[http.routers.{{ trimPrefix "redirect/redbrick/" $pair.Key }}-redirect]
rule = "Host(`{{ trimPrefix "redirect/redbrick/" $pair.Key }}.redbrick.dcu.ie`)"
entryPoints = ["web", "websecure"]
middlewares = ["redirect-{{ trimPrefix "redirect/redbrick/" $pair.Key }}"]
service = "dummy-service" # all routers need a service, this isn't used
[http.routers.{{ trimPrefix "redirect/redbrick/" $pair.Key }}-redirect.tls]
{{- end }}
[http.services]
[http.services.dummy-service.loadBalancer]
[[http.services.dummy-service.loadBalancer.servers]]
url = "http://127.0.0.1" # Dummy service - not used
EOF
destination = "local/dynamic.toml"
change_mode = "noop"
}
}
}
}

87
jobs/minecraft.hcl Normal file
View file

@ -0,0 +1,87 @@
job "minecraft" {
datacenters = ["aperture"]
type = "service"
group "vanilla" {
constraint {
attribute = "${attr.unique.hostname}"
value = "glados"
}
count = 1
network {
port "mc-vanilla-port" {
static = 25565
to = 25565
}
port "mc-vanilla-rcon" {
to = 25575
}
#mode = "bridge"
}
service {
name = "minecraft-vanilla"
}
task "minecraft-server" {
driver = "docker"
config {
image = "itzg/minecraft-server"
ports = ["mc-vanilla-port","mc-vanilla-rcon"]
volumes = [
"/storage/nomad/${NOMAD_TASK_NAME}:/data/world"
]
}
resources {
cpu = 3000 # 500 MHz
memory = 6144 # 6gb
}
env {
EULA = "TRUE"
MEMORY = "6G"
}
}
}
group "create-astral" {
count = 1
network {
port "mc-astral-port" {
static = 25566
to = 25565
}
port "mc-astral-rcon" {
to = 25575
}
mode = "bridge"
}
service {
name = "minecraft-astral"
}
task "minecraft-astral" {
driver = "docker"
config {
image = "ghcr.io/maxi0604/create-astral:main"
ports = ["mc-astral-port","mc-astral-rcon"]
volumes = [
"/storage/nomad/${NOMAD_TASK_NAME}:/data/world"
]
}
resources {
cpu = 3000 # 500 MHz
memory = 8168 # 8gb
}
env {
EULA = "TRUE"
MEMORY = "6G"
}
}
}
}

44
jobs/monitoring/uptime-huma.hcl
View file

@ -1,44 +0,0 @@
job "uptime-kuma" {
datacenters = ["aperture"]
type = "service"
group "web" {
count = 1
network {
port "http" {
to = 3001
}
}
service {
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.http.routers.uptime-kuma.rule=Host(`status.redbrick.dcu.ie`)",
"traefik.http.routers.uptime-kuma.entrypoints=web,websecure",
"traefik.http.routers.uptime-kuma.tls.certresolver=lets-encrypt",
]
}
task "web" {
driver = "docker"
config {
image = "louislam/uptime-kuma:1"
ports = ["http"]
volumes = [
"/storage/nomad/uptime-kuma/data:/app/data"
]
}
}
}
}

48
jobs/nessus.hcl Normal file
View file

@ -0,0 +1,48 @@
job "nessus" {
datacenters = ["aperture"]
type = "service"
group "web" {
network {
port "http" {
to = 8834
}
}
service {
name = "nessus"
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
protocol = "https"
}
}
task "nessus" {
driver = "docker"
config {
image = "tenable/nessus:latest-ubuntu"
ports = ["http"]
}
template {
data = <<EOF
USERNAME={{ key "nessus/username" }}
PASSWORD={{ key "nessus/password" }}
ACTIVATION_CODE={{ key "nessus/activation_code" }}
EOF
destination = ".env"
env = true
}
resources {
memory = 2000
}
}
}
}

46
jobs/nginx/anime-manga-soc.hcl Normal file
View file

@ -0,0 +1,46 @@
job "nginx-ams" {
datacenters = ["aperture"]
type = "service"
group "ams-web" {
count = 1
network {
port "http" {
to = 80
}
}
service {
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.http.routers.nginx-ams.rule=Host(`amikon.me`,`www.amikon.me`)",
"traefik.http.routers.nginx-ams.entrypoints=web,websecure",
"traefik.http.routers.nginx-ams.tls.certresolver=lets-encrypt",
]
}
task "webserver" {
driver = "docker"
config {
image = "ghcr.io/dcuams/amikon-site-v2:latest"
ports = ["http"]
}
resources {
cpu = 100
memory = 500
}
}
}
}

60
jobs/nginx/atlas.hcl
View file

@ -1,60 +0,0 @@
job "atlas" {
datacenters = ["aperture"]
type = "service"
meta {
git-sha = ""
}
group "nginx-atlas" {
count = 1
network {
port "http" {
to = 80
}
}
service {
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.http.routers.nginx-atlas.rule=Host(`redbrick.dcu.ie`) || Host(`www.redbrick.dcu.ie`) || Host(`www.rb.dcu.ie`) || Host(`rb.dcu.ie`)",
"traefik.http.routers.nginx-atlas.entrypoints=web,websecure",
"traefik.http.routers.nginx-atlas.tls.certresolver=lets-encrypt",
"traefik.http.routers.nginx-atlas.middlewares=atlas-www-redirect,redirect-user-web",
# redirect redbrick.dcu.ie/~user to user.redbrick.dcu.ie
"traefik.http.middlewares.redirect-user-web.redirectregex.regex=https://redbrick\\.dcu\\.ie/~([^/]*)/?([^/].*)?",
"traefik.http.middlewares.redirect-user-web.redirectregex.replacement=https://$1.redbrick.dcu.ie/$2",
"traefik.http.middlewares.redirect-user-web.redirectregex.permanent=true",
# redirect www.redbrick.dcu.ie to redbrick.dcu.ie
"traefik.http.middlewares.atlas-www-redirect.redirectregex.regex=^https?://www.redbrick.dcu.ie/(.*)",
"traefik.http.middlewares.atlas-www-redirect.redirectregex.replacement=https://redbrick.dcu.ie/$${1}",
"traefik.http.middlewares.atlas-www-redirect.redirectregex.permanent=true",
]
}
task "web" {
driver = "docker"
config {
image = "ghcr.io/redbrick/atlas:latest"
ports = ["http"]
force_pull = true
}
resources {
cpu = 100
memory = 50
}
}
}
}

6
jobs/nginx/cawnj-test.hcl
View file

@ -20,10 +20,10 @@ job "cawnj-test" {
port = "http" port = "http"
check { check {
type = "http" type = "http"
path = "/" path = "/"
interval = "10s" interval = "10s"
timeout = "2s" timeout = "2s"
} }
tags = [ tags = [
"traefik.enable=true", "traefik.enable=true",

8
jobs/nginx/karting.hcl
View file

@ -20,14 +20,14 @@ job "nginx-karting" {
port = "http" port = "http"
check { check {
type = "http" type = "http"
path = "/" path = "/"
interval = "10s" interval = "10s"
timeout = "2s" timeout = "2s"
} }
tags = [ tags = [
"traefik.enable=true", "traefik.enable=true",
"traefik.http.routers.nginx-karting.rule=Host(`karting.rb.dcu.ie`)", "traefik.http.routers.nginx-karting.rule=Host(`dcukartingsociety.ie`)",
"traefik.http.routers.nginx-karting.entrypoints=web,websecure", "traefik.http.routers.nginx-karting.entrypoints=web,websecure",
"traefik.http.routers.nginx-karting.tls.certresolver=lets-encrypt" "traefik.http.routers.nginx-karting.tls.certresolver=lets-encrypt"
] ]

62
jobs/nginx/nginx.hcl
View file

@ -5,7 +5,7 @@ job "nginx" {
group "aperture" { group "aperture" {
count = 3 count = 3
network { network {
port "http" { port "http" {
to = "80" to = "80"
@ -20,14 +20,14 @@ job "nginx" {
port = "http" port = "http"
check { check {
type = "http" type = "http"
path = "/" path = "/"
interval = "10s" interval = "10s"
timeout = "2s" timeout = "2s"
} }
tags = [ tags = [
"traefik.enable=true", "traefik.enable=true",
"traefik.http.routers.nginx-aperture.rule=Host(`aperture.redbrick.dcu.ie`)", "traefik.http.routers.nginx-aperture.rule=Host(`aperture.redbrick.dcu.ie`)",
"traefik.http.routers.nginx-aperture.entrypoints=web,websecure", "traefik.http.routers.nginx-aperture.entrypoints=web,websecure",
"traefik.http.routers.nginx-aperture.tls.certresolver=lets-encrypt" "traefik.http.routers.nginx-aperture.tls.certresolver=lets-encrypt"
] ]
@ -49,7 +49,7 @@ job "nginx" {
} }
template { template {
source = "local/index.html" source = "local/index.html"
destination = "local/index.html" destination = "local/index.html"
} }
} }
@ -57,7 +57,7 @@ job "nginx" {
group "glados" { group "glados" {
count = 1 count = 1
network { network {
port "http" { port "http" {
to = "80" to = "80"
@ -72,14 +72,14 @@ job "nginx" {
port = "http" port = "http"
check { check {
type = "http" type = "http"
path = "/" path = "/"
interval = "10s" interval = "10s"
timeout = "2s" timeout = "2s"
} }
tags = [ tags = [
"traefik.enable=true", "traefik.enable=true",
"traefik.http.routers.nginx-glados.rule=Host(`glados.redbrick.dcu.ie`)", "traefik.http.routers.nginx-glados.rule=Host(`glados.redbrick.dcu.ie`)",
"traefik.http.routers.nginx-glados.entrypoints=web,websecure", "traefik.http.routers.nginx-glados.entrypoints=web,websecure",
"traefik.http.routers.nginx-glados.tls.certresolver=lets-encrypt" "traefik.http.routers.nginx-glados.tls.certresolver=lets-encrypt"
] ]
@ -88,7 +88,7 @@ job "nginx" {
task "glados" { task "glados" {
constraint { constraint {
attribute = "${attr.unique.hostname}" attribute = "${attr.unique.hostname}"
value = "glados" value = "glados"
} }
driver = "docker" driver = "docker"
@ -105,7 +105,7 @@ job "nginx" {
} }
template { template {
source = "local/glados.html" source = "local/glados.html"
destination = "local/index.html" destination = "local/index.html"
} }
} }
@ -113,7 +113,7 @@ job "nginx" {
group "wheatley" { group "wheatley" {
count = 1 count = 1
network { network {
port "http" { port "http" {
to = "80" to = "80"
@ -128,14 +128,14 @@ job "nginx" {
port = "http" port = "http"
check { check {
type = "http" type = "http"
path = "/" path = "/"
interval = "10s" interval = "10s"
timeout = "2s" timeout = "2s"
} }
tags = [ tags = [
"traefik.enable=true", "traefik.enable=true",
"traefik.http.routers.nginx-wheatley.rule=Host(`wheatley.redbrick.dcu.ie`)", "traefik.http.routers.nginx-wheatley.rule=Host(`wheatley.redbrick.dcu.ie`)",
"traefik.http.routers.nginx-wheatley.entrypoints=web,websecure", "traefik.http.routers.nginx-wheatley.entrypoints=web,websecure",
"traefik.http.routers.nginx-wheatley.tls.certresolver=lets-encrypt" "traefik.http.routers.nginx-wheatley.tls.certresolver=lets-encrypt"
] ]
@ -144,7 +144,7 @@ job "nginx" {
task "wheatley" { task "wheatley" {
constraint { constraint {
attribute = "${attr.unique.hostname}" attribute = "${attr.unique.hostname}"
value = "wheatley" value = "wheatley"
} }
driver = "docker" driver = "docker"
@ -162,7 +162,7 @@ job "nginx" {
} }
template { template {
source = "local/wheatley.html" source = "local/wheatley.html"
destination = "local/index.html" destination = "local/index.html"
} }
} }
@ -170,7 +170,7 @@ job "nginx" {
group "chell" { group "chell" {
count = 1 count = 1
network { network {
port "http" { port "http" {
to = "80" to = "80"
@ -185,14 +185,14 @@ job "nginx" {
port = "http" port = "http"
check { check {
type = "http" type = "http"
path = "/" path = "/"
interval = "10s" interval = "10s"
timeout = "2s" timeout = "2s"
} }
tags = [ tags = [
"traefik.enable=true", "traefik.enable=true",
"traefik.http.routers.nginx-chell.rule=Host(`chell.redbrick.dcu.ie`)", "traefik.http.routers.nginx-chell.rule=Host(`chell.redbrick.dcu.ie`)",
"traefik.http.routers.nginx-chell.entrypoints=web,websecure", "traefik.http.routers.nginx-chell.entrypoints=web,websecure",
"traefik.http.routers.nginx-chell.tls.certresolver=lets-encrypt" "traefik.http.routers.nginx-chell.tls.certresolver=lets-encrypt"
] ]
@ -201,7 +201,7 @@ job "nginx" {
task "chell" { task "chell" {
constraint { constraint {
attribute = "${attr.unique.hostname}" attribute = "${attr.unique.hostname}"
value = "chell" value = "chell"
} }
driver = "docker" driver = "docker"
@ -219,7 +219,7 @@ job "nginx" {
} }
template { template {
source = "local/chell.html" source = "local/chell.html"
destination = "local/index.html" destination = "local/index.html"
} }
} }

83
jobs/services/api.hcl
View file

@ -1,83 +0,0 @@
job "api" {
datacenters = ["aperture"]
type = "service"
group "api" {
count = 1
network {
port "http" {
to = 80
}
}
service {
name = "api"
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.http.routers.api.rule=Host(`api.redbrick.dcu.ie`)",
"traefik.http.routers.api.entrypoints=web,websecure",
"traefik.http.routers.api.tls.certresolver=lets-encrypt",
]
}
task "api" {
driver = "docker"
config {
image = "ghcr.io/redbrick/api:latest"
ports = ["http"]
volumes = [
"/oldstorage:/storage",
"/oldstorage/home:/home",
"local/ldap.secret:/etc/ldap.secret",
]
auth {
username = "${DOCKER_USER}"
password = "${DOCKER_PASS}"
}
}
template {
destination = "local/.env"
env = true
change_mode = "restart"
data = <<EOH
DOCKER_USER={{ key "api/ghcr/username" }}
DOCKER_PASS={{ key "api/ghcr/password" }}
AUTH_USERNAME={{ key "api/auth/username" }}
AUTH_PASSWORD={{ key "api/auth/password" }}
LDAP_URI={{ key "api/ldap/uri" }}
LDAP_ROOTBINDDN={{ key "api/ldap/rootbinddn" }}
LDAP_SEARCHBASE={{ key "api/ldap/searchbase" }}
EMAIL_DOMAIN=redbrick.dcu.ie
EMAIL_SERVER={{ key "api/smtp/server" }}
EMAIL_PORT=587
EMAIL_USERNAME={{ key "api/smtp/username" }}
EMAIL_PASSWORD={{ key "api/smtp/password" }}
EMAIL_SENDER={{ key "api/smtp/sender" }}
EOH
}
template {
destination = "local/ldap.secret"
perms = "600"
data = "{{ key \"api/ldap/secret\" }}" # this is necessary as the secret has no EOF
}
resources {
cpu = 300
memory = 1024
}
}
}
}

56
jobs/services/brickbot.hcl
View file

@ -1,56 +0,0 @@
job "brickbot2" {
datacenters = ["aperture"]
type = "service"
group "brickbot2" {
count = 1
task "brickbot2" {
driver = "docker"
config {
image = "ghcr.io/redbrick/brickbot2:latest"
auth {
username = "${DOCKER_USER}"
password = "${DOCKER_PASS}"
}
volumes = [
"local/ldap.secret:/etc/ldap.secret:ro",
]
}
template {
destination = "local/ldap.secret"
perms = "600"
data = "{{ key \"api/ldap/secret\" }}" # this is necessary as the secret has no EOF
}
template {
destination = "local/.env"
env = true
change_mode = "restart"
data = <<EOH
DOCKER_USER={{ key "brickbot/ghcr/username" }}
DOCKER_PASS={{ key "brickbot/ghcr/password" }}
BOT_DB={{ key "brickbot/db" }}
BOT_TOKEN={{ key "brickbot/discord/token" }}
BOT_PRIVILEGED={{ key "brickbot/discord/privileged" }}
BOT_PREFIX=.
BOT_GUILD={{ key "brickbot/discord/guild" }}
LDAP_HOST={{ key "brickbot/ldap/host" }}
SMTP_DOMAIN={{ key "brickbot/smtp/domain" }}
SMTP_HOST={{ key "brickbot/smtp/host" }}
SMTP_PORT=587
SMTP_USERNAME={{ key "brickbot/smtp/username" }}
SMTP_PASSWORD={{ key "brickbot/smtp/password" }}
SMTP_SENDER={{ key "brickbot/smtp/sender" }}
API_USERNAME={{ key "brickbot/api/username" }}
API_PASSWORD={{ key "brickbot/api/password" }}
VERIFIED_ROLE={{ key "brickbot/discord/verified_role" }}
USER=brickbot
EOH
}
}
}
}

59
jobs/services/gh-actions-runner.hcl
View file

@ -1,59 +0,0 @@
job "github-actions-runner" {
datacenters = ["aperture"]
type = "service"
meta {
version = "2.320.0"
sha256 = "93ac1b7ce743ee85b5d386f5c1787385ef07b3d7c728ff66ce0d3813d5f46900"
}
group "github-actions" {
count = 3
spread {
attribute = "${node.unique.id}"
weight = 100
}
task "actions-runner" {
driver = "raw_exec"
# user = "nomad"
config {
command = "/bin/bash"
args = ["${NOMAD_TASK_DIR}/bootstrap.sh"]
}
template {
data = <<EOF
#!/bin/bash
export RUNNER_ALLOW_RUNASROOT=1
echo "Querying API for registration token..."
reg_token=$(curl -L \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer {{ key "github/actions-runner/token" }}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/orgs/redbrick/actions/runners/registration-token | jq -r '.token')
echo "Configuring runner..."
bash -c "${NOMAD_TASK_DIR}/config.sh --unattended --url https://github.com/redbrick --token ${reg_token} --name $(hostname) --labels aperture,deployment-runner --replace"
echo "Running actions runner..."
bash "${NOMAD_TASK_DIR}/run.sh"
EOF
destination = "local/bootstrap.sh"
}
artifact {
source = "https://github.com/actions/runner/releases/download/v2.320.0/actions-runner-linux-x64-2.320.0.tar.gz"
options {
checksum = "sha256:93ac1b7ce743ee85b5d386f5c1787385ef07b3d7c728ff66ce0d3813d5f46900"
}
}
}
}
}

50
jobs/services/hedgedoc-backup.hcl
View file

@ -1,50 +0,0 @@
job "hedgedoc-backup" {
datacenters = ["aperture"]
type = "batch"
periodic {
crons = ["0 */3 * * * *"]
prohibit_overlap = true
}
group "db-backup" {
task "postgres-backup" {
driver = "raw_exec"
config {
command = "/bin/bash"
args = ["local/script.sh"]
}
template {
data = <<EOH
#!/bin/bash
file=/storage/backups/nomad/hedgedoc/postgresql-hedgedoc-$(date +%Y-%m-%d_%H-%M-%S).sql
mkdir -p /storage/backups/nomad/hedgedoc
alloc_id=$(nomad job status hedgedoc | grep running | tail -n 1 | cut -d " " -f 1)
job_name=$(echo ${NOMAD_JOB_NAME} | cut -d "/" -f 1)
nomad alloc exec -task hedgedoc-db $alloc_id pg_dumpall -U {{ key "hedgedoc/db/user" }} > "${file}"
find /storage/backups/nomad/hedgedoc/postgresql-hedgedoc* -ctime +3 -exec rm {} \; || true
if [ -s "$file" ]; then # check if file exists and is not empty
echo "Backup successful"
exit 0
else
rm $file
curl -H "Content-Type: application/json" -d \
'{"content": "<@&585512338728419341> `PostgreSQL` backup for **'"${job_name}"'** has just **FAILED**\nFile name: `'"$file"'`\nDate: `'"$(TZ=Europe/Dublin date)"'`\nTurn off this script with `nomad job stop '"${job_name}"'` \n\n## Remember to restart this backup job when fixed!!!"}' \
{{ key "postgres/webhook/discord" }}
fi
EOH
destination = "local/script.sh"
}
}
}
}

121
jobs/services/hedgedoc.hcl
View file

@ -1,121 +0,0 @@
job "hedgedoc" {
datacenters = ["aperture"]
type = "service"
group "web" {
network {
# mode = "bridge"
port "http" {
to = 3000
}
port "db" {
to = 5432
}
}
service {
name = "hedgedoc"
port = "http"
check {
type = "http"
path = "/_health"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.frontend.headers.STSSeconds=63072000",
"traefik.frontend.headers.browserXSSFilter=true",
"traefik.frontend.headers.contentTypeNosniff=true",
"traefik.enable=true",
"traefik.port=${NOMAD_PORT_http}",
"traefik.http.routers.md.entrypoints=web,websecure",
"traefik.http.routers.md.rule=Host(`md.redbrick.dcu.ie`) || Host(`md.rb.dcu.ie`)",
"traefik.http.routers.md.tls.certresolver=lets-encrypt",
]
}
task "app" {
driver = "docker"
config {
image = "quay.io/hedgedoc/hedgedoc:1.10.2"
ports = ["http"]
volumes = [
"/storage/nomad/hedgedoc/banner:/hedgedoc/public/banner",
]
}
template {
data = <<EOH
CMD_DB_URL = "postgres://{{ key "hedgedoc/db/user" }}:{{ key "hedgedoc/db/password" }}@{{ env "NOMAD_ADDR_db" }}/{{ key "hedgedoc/db/name" }}"
CMD_ALLOW_FREEURL = "false"
CMD_FORBIDDEN_NOTE_IDS = ['robots.txt', 'favicon.ico', 'api', 'build', 'css', 'docs', 'fonts', 'js', 'uploads', 'vendor', 'views', 'auth']
CMD_DOMAIN = "md.redbrick.dcu.ie"
CMD_ALLOW_ORIGIN = ["redbrick.dcu.ie", "rb.dcu.ie"]
CMD_USE_CDN = "true"
CMD_PROTOCOL_USESSL = "true"
CMD_URL_ADDPORT = "false"
CMD_LOG_LEVEL = "debug"
CMD_ENABLE_STATS_API = "true"
# Accounts
CMD_ALLOW_EMAIL_REGISTER = "false"
CMD_ALLOW_ANONYMOUS = "false"
CMD_ALLOW_ANONYMOUS_EDITS = "false"
CMD_EMAIL = "false"
CMD_LDAP_URL = "{{ key "hedgedoc/ldap/url" }}"
CMD_LDAP_SEARCHBASE = "ou=accounts,o=redbrick"
CMD_LDAP_SEARCHFILTER = "{{`(uid={{username}})`}}"
CMD_LDAP_PROVIDERNAME = "Redbrick"
CMD_LDAP_USERIDFIELD = "uidNumber"
CMD_LDAP_USERNAMEFIELD = "uid"
CMD_SESSION_SECRET = "{{ key "hedgedoc/session/secret" }}"
CMD_DEFAULT_PERMISSION = "limited"
# Security/Privacy
CMD_HSTS_PRELOAD = "true"
CMD_CSP_ENABLE = "true"
CMD_HSTS_INCLUDE_SUBDOMAINS = "true"
CMD_CSP_ADD_DISQUS = "false"
CMD_CSP_ADD_GOOGLE_ANALYTICS= "false"
CMD_CSP_ALLOW_PDF_EMBED = "true"
CMD_ALLOW_GRAVATAR = "true"
# Uploads
CMD_IMAGE_UPLOAD_TYPE = "imgur"
CMD_IMGUR_CLIENTID = "{{ key "hedgedoc/imgur/clientid" }}"
CMD_IMGUR_CLIENTSECRET = "{{ key "hedgedoc/imgur/clientsecret" }}"
EOH
destination = "local/.env"
env = true
}
}
task "hedgedoc-db" {
driver = "docker"
config {
image = "postgres:13.4-alpine"
ports = ["db"]
volumes = [
"/storage/nomad/hedgedoc:/var/lib/postgresql/data",
]
}
template {
data = <<EOH
POSTGRES_PASSWORD={{ key "hedgedoc/db/password" }}
POSTGRES_USER={{ key "hedgedoc/db/user" }}
POSTGRES_NAME={{ key "hedgedoc/db/name" }}
EOH
destination = "local/db.env"
env = true
}
}
}
}

50
jobs/services/members-mysql-backup.hcl
View file

@ -1,50 +0,0 @@
job "members-mysql-backup" {
datacenters = ["aperture"]
type = "batch"
periodic {
crons = ["0 */3 * * * *"]
prohibit_overlap = true
}
group "db-backup" {
task "mysql-backup" {
driver = "raw_exec"
config {
command = "/bin/bash"
args = ["local/script.sh"]
}
template {
data = <<EOH
#!/bin/bash
file=/storage/backups/nomad/mysql/members/members-mysql-$(date +%Y-%m-%d_%H-%M-%S).sql
mkdir -p /storage/backups/nomad/mysql/members
alloc_id=$(nomad job status members-mysql | grep running | tail -n 1 | cut -d " " -f 1)
job_name=$(echo ${NOMAD_JOB_NAME} | cut -d "/" -f 1)
nomad alloc exec $alloc_id mariadb-dump -u root -p'{{ key "members-mysql/root/password"}}' --all-databases > "${file}"
find /storage/backups/nomad/mysql/members/members-mysql* -ctime +3 -exec rm {} \; || true
if [ -s "$file" ]; then # check if file exists and is not empty
echo "Backup successful"
exit 0
else
rm $file
curl -H "Content-Type: application/json" -d \
'{"content": "<@&585512338728419341> `MySQL` backup for **'"${job_name}"'** has just **FAILED**\nFile name: `'"$file"'`\nDate: `'"$(TZ=Europe/Dublin date)"'`\nTurn off this script with `nomad job stop '"${job_name}"'` \n\n## Remember to restart this backup job when fixed!!!"}' \
{{ key "mysql/webhook/discord" }}
fi
EOH
destination = "local/script.sh"
}
}
}
}

78
jobs/services/members-mysql.hcl
View file

@ -1,78 +0,0 @@
job "members-mysql" {
datacenters = ["aperture"]
constraint {
attribute = "${attr.unique.hostname}"
value = "wheatley"
}
group "db" {
network {
port "db" {
static = 3306
}
}
task "mariadb" {
driver = "docker"
template {
data = <<EOH
MYSQL_ROOT_PASSWORD="{{ key "members-mysql/root/password" }}"
MYSQL_USER="{{ key "members-mysql/user/username" }}"
MYSQL_PASSWORD="{{ key "members-mysql/user/password" }}"
EOH
destination = "local/file.env"
env = true
}
config {
image = "mariadb:latest"
ports = ["db"]
volumes = [
"/opt/members-mysql:/var/lib/mysql",
"local/server.cnf:/etc/mysql/mariadb.conf.d/50-server.cnf",
]
}
template {
data = <<EOH
[server]
[mariadbd]
pid-file = /run/mysqld/mysqld.pid
basedir = /usr
bind-address = 0.0.0.0
expire_logs_days = 10
character-set-server = utf8mb4
character-set-collations = utf8mb4=uca1400_ai_ci
[mariadbd]
EOH
destination = "local/server.cnf"
}
resources {
cpu = 400
memory = 800
}
service {
name = "members-mysql"
port = "db"
check {
type = "tcp"
interval = "2s"
timeout = "2s"
}
}
}
}
}

68
jobs/services/minio.hcl
View file

@ -1,68 +0,0 @@
job "minio" {
datacenters = ["aperture"]
type = "service"
group "minio" {
count = 1
network {
port "api" {
}
port "console" {
}
}
service {
name = "minio-console"
port = "console"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.http.routers.minio-api.service=minio-api",
"traefik.http.services.minio-api.loadbalancer.server.port=${NOMAD_PORT_api}",
"traefik.http.routers.minio-api.rule=Host(`cdn.redbrick.dcu.ie`)",
"traefik.http.routers.minio-api.entrypoints=web,websecure",
"traefik.http.routers.minio-api.tls.certresolver=lets-encrypt",
"traefik.http.routers.minio-console.service=minio-console",
"traefik.http.services.minio-console.loadbalancer.server.port=${NOMAD_PORT_console}",
"traefik.http.routers.minio-console.rule=Host(`minio.rb.dcu.ie`)",
"traefik.http.routers.minio-console.entrypoints=web,websecure",
"traefik.http.routers.minio-console.tls.certresolver=lets-encrypt",
]
}
task "minio" {
driver = "docker"
config {
image = "quay.io/minio/minio"
ports = ["api", "console"]
command = "server"
args = ["/data", "--address", ":${NOMAD_PORT_api}", "--console-address", ":${NOMAD_PORT_console}"]
volumes = [
"/storage/nomad/minio:/data",
]
}
template {
destination = "local/.env"
env = true
change_mode = "restart"
data = <<EOH
MINIO_ROOT_USER={{ key "minio/root/username" }}
MINIO_ROOT_PASSWORD={{ key "minio/root/password" }}
EOH
}
}
}
}

50
jobs/services/paperless-backup.hcl
View file

@ -1,50 +0,0 @@
job "paperless-backup" {
datacenters = ["aperture"]
type = "batch"
periodic {
crons = ["0 */3 * * * *"]
prohibit_overlap = true
}
group "db-backup" {
task "postgres-backup" {
driver = "raw_exec"
config {
command = "/bin/bash"
args = ["local/script.sh"]
}
template {
data = <<EOH
#!/bin/bash
file=/storage/backups/nomad/paperless/postgresql-paperless-$(date +%Y-%m-%d_%H-%M-%S).sql
mkdir -p /storage/backups/nomad/paperless
alloc_id=$(nomad job status paperless | grep running | tail -n 1 | cut -d " " -f 1)
job_name=$(echo ${NOMAD_JOB_NAME} | cut -d "/" -f 1)
nomad alloc exec -task db $alloc_id pg_dumpall -U {{ key "paperless/db/user" }} > "${file}"
find /storage/backups/nomad/paperless/postgresql-paperless* -ctime +3 -exec rm {} \; || true
if [ -s "$file" ]; then # check if file exists and is not empty
echo "Backup successful"
exit 0
else
rm $file
curl -H "Content-Type: application/json" -d \
'{"content": "<@&585512338728419341> `PostgreSQL` backup for **'"${job_name}"'** has just **FAILED**\nFile name: `'"$file"'`\nDate: `'"$(TZ=Europe/Dublin date)"'`\nTurn off this script with `nomad job stop '"${job_name}"'` \n\n## Remember to restart this backup job when fixed!!!"}' \
{{ key "postgres/webhook/discord" }}
fi
EOH
destination = "local/script.sh"
}
}
}
}

118
jobs/services/paperless.hcl
View file

@ -1,118 +0,0 @@
job "paperless" {
datacenters = ["aperture"]
type = "service"
group "paperless-web" {
network {
port "http" {
to = 8000
}
port "redis" {
to = 6379
}
port "db" {
to = 5432
}
}
service {
name = "paperless"
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.http.routers.paperless.rule=Host(`paperless.redbrick.dcu.ie`) || Host(`paperless.rb.dcu.ie`)",
"traefik.http.routers.paperless.entrypoints=websecure",
"traefik.http.routers.paperless.tls=true",
"traefik.http.routers.paperless.tls.certresolver=lets-encrypt",
"traefik.http.middlewares.paperless.headers.contentSecurityPolicy=default-src 'self'; img-src 'self' data:"
]
}
task "web" {
driver = "docker"
config {
image = "ghcr.io/paperless-ngx/paperless-ngx:latest"
ports = ["http"]
volumes = [
"/storage/nomad/paperless/consume:/usr/src/paperless/consume",
"/storage/nomad/paperless/data:/usr/src/paperless/data",
"/storage/nomad/paperless/media:/usr/src/paperless/media",
"/storage/nomad/paperless/export:/usr/src/paperless/export",
"/storage/nomad/paperless/preconsume:/usr/src/paperless/preconsume",
]
}
template {
data = <<EOH
PAPERLESS_REDIS = "redis://{{ env "NOMAD_ADDR_redis" }}"
PAPERLESS_DBHOST = "{{ env "NOMAD_IP_db" }}"
PAPERLESS_DBPORT = "{{ env "NOMAD_HOST_PORT_db" }}"
PAPERLESS_DBPASS={{ key "paperless/db/password" }}
PAPERLESS_DBUSER={{ key "paperless/db/user" }}
PAPERLESS_DBNAME={{ key "paperless/db/name" }}
PAPERLESS_SECRETKEY={{ key "paperless/secret_key" }}
PAPERLESS_URL=https://paperless.redbrick.dcu.ie
PAPERLESS_ADMIN_USER={{ key "paperless/admin/user" }}
PAPERLESS_ADMIN_PASSWORD={{ key "paperless/admin/password" }}
PAPERLESS_ALLOWED_HOSTS="paperless.redbrick.dcu.ie,paperless.rb.dcu.ie,10.10.0.4,10.10.0.5,10.10.0.6" # allow internal aperture IPs for health check
PAPERLESS_CONSUMER_POLLING=1
EOH
destination = "local/.env"
env = true
}
# PAPERLESS_PRE_CONSUME_SCRIPT={{ key "paperless/env/preconsume-script" }}
resources {
cpu = 800
memory = 1000
}
}
task "broker" {
driver = "docker"
config {
image = "docker.io/library/redis:7"
ports = ["redis"]
}
resources {
cpu = 300
memory = 50
}
}
task "db" {
driver = "docker"
config {
image = "postgres:16-alpine"
ports = ["db"]
volumes = [
"/storage/nomad/paperless/db:/var/lib/postgresql/data"
]
}
template {
data = <<EOH
POSTGRES_PASSWORD={{ key "paperless/db/password" }}
POSTGRES_USER={{ key "paperless/db/user" }}
POSTGRES_NAME={{ key "paperless/db/name" }}
EOH
destination = "local/db.env"
env = true
}
}
}
}

174
jobs/services/plausible.hcl
View file

@ -1,174 +0,0 @@
job "plausible" {
datacenters = ["aperture"]
type = "service"
group "web" {
network {
port "http" {
to = 8000
}
port "clickhouse" {
static = 8123
}
port "db" {
static = 5432
}
}
task "app" {
service {
name = "plausible"
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.http.routers.plausible.rule=Host(`plausible.redbrick.dcu.ie`)",
"traefik.http.routers.plausible.entrypoints=web,websecure",
"traefik.http.routers.plausible.tls.certresolver=lets-encrypt"
]
}
driver = "docker"
config {
image = "ghcr.io/plausible/community-edition:v2.1"
ports = ["http"]
volumes = [
"/storage/nomad/${NOMAD_JOB_NAME}/${NOMAD_TASK_NAME}:/var/lib/plausible"
]
command = "/bin/sh"
args = ["-c", "sleep 10 && /entrypoint.sh db migrate && /entrypoint.sh run"]
}
template {
data = <<EOH
TMPDIR=/var/lib/plausible/tmp
BASE_URL=https://plausible.redbrick.dcu.ie
SECRET_KEY_BASE={{ key "plausible/secret" }}
TOTP_VAULT_KEY={{ key "plausible/totp/key" }}
# Maxmind/GeoIP settings (for regions/cities)
MAXMIND_LICENSE_KEY={{ key "plausible/maxmind/license" }}
MAXMIND_EDITION=GeoLite2-City
# Google search console integration
GOOGLE_CLIENT_ID={{ key "plausible/google/client_id" }}
GOOGLE_CLIENT_SECRET={{ key "plausible/google/client_secret" }}
# Database settings
DATABASE_URL=postgres://{{ key "plausible/db/user" }}:{{ key "plausible/db/password" }}@{{ env "NOMAD_ADDR_db" }}/{{ key "plausible/db/name" }}
CLICKHOUSE_DATABASE_URL=http://{{ env "NOMAD_ADDR_clickhouse" }}/plausible_events_db
# Email settings
MAILER_NAME="Redbrick Plausible"
MAILER_EMAIL={{ key "plausible/smtp/from" }}
MAILER_ADAPTER=Bamboo.SMTPAdapter
SMTP_HOST_ADDR={{ key "plausible/smtp/host" }}
SMTP_HOST_PORT={{ key "plausible/smtp/port" }}
SMTP_USER_NAME={{ key "plausible/smtp/user" }}
SMTP_USER_PWD={{ key "plausible/smtp/password" }}
DISABLE_REGISTRATION=invite_only
EOH
destination = "local/file.env"
env = true
}
resources {
memory = 1000
}
}
task "db" {
driver = "docker"
config {
image = "postgres:17-alpine"
ports = ["db"]
volumes = [
"/storage/nomad/${NOMAD_JOB_NAME}/${NOMAD_TASK_NAME}:/var/lib/postgresql/data",
]
}
template {
data = <<EOH
POSTGRES_PASSWORD={{ key "plausible/db/password" }}
POSTGRES_USER={{ key "plausible/db/user" }}
POSTGRES_NAME={{ key "plausible/db/name" }}
EOH
destination = "local/db.env"
env = true
}
}
task "clickhouse" {
service {
name = "plausible-clickhouse"
port = "clickhouse"
}
driver = "docker"
config {
image = "clickhouse/clickhouse-server:24.3.3.102-alpine"
ports = ["clickhouse"]
volumes = [
"/storage/nomad/${NOMAD_JOB_NAME}/${NOMAD_TASK_NAME}:/var/lib/clickhouse",
"local/clickhouse.xml:/etc/clickhouse-server/config.d/logging.xml:ro",
"local/clickhouse-user-config.xml:/etc/clickhouse-server/users.d/logging.xml:ro"
]
}
template {
data = <<EOH
<clickhouse>
<logger>
<level>warning</level>
<console>true</console>
</logger>
<!-- Stop all the unnecessary logging -->
<query_thread_log remove="remove"/>
<query_log remove="remove"/>
<text_log remove="remove"/>
<trace_log remove="remove"/>
<metric_log remove="remove"/>
<asynchronous_metric_log remove="remove"/>
<session_log remove="remove"/>
<part_log remove="remove"/>
</clickhouse>
EOH
destination = "local/clickhouse.xml"
}
template {
data = <<EOH
<clickhouse>
<profiles>
<default>
<log_queries>0</log_queries>
<log_query_threads>0</log_query_threads>
</default>
</profiles>
</clickhouse>
EOH
destination = "local/clickhouse-user-config.xml"
}
resources {
memory = 1000
}
}
}
}

50
jobs/services/privatebin-backup.hcl
View file

@ -1,50 +0,0 @@
job "privatebin-backup" {
datacenters = ["aperture"]
type = "batch"
periodic {
crons = ["0 */3 * * * *"]
prohibit_overlap = true
}
group "db-backup" {
task "postgres-backup" {
driver = "raw_exec"
config {
command = "/bin/bash"
args = ["local/script.sh"]
}
template {
data = <<EOH
#!/bin/bash
file=/storage/backups/nomad/privatebin/postgresql-privatebin-$(date +%Y-%m-%d_%H-%M-%S).sql
mkdir -p /storage/backups/nomad/privatebin
alloc_id=$(nomad job status privatebin | grep running | tail -n 1 | cut -d " " -f 1)
job_name=$(echo ${NOMAD_JOB_NAME} | cut -d "/" -f 1)
nomad alloc exec -task db $alloc_id pg_dumpall -U {{ key "privatebin/db/user" }} > "${file}"
find /storage/backups/nomad/privatebin/postgresql-privatebin* -ctime +3 -exec rm {} \; || true
if [ -s "$file" ]; then # check if file exists and is not empty
echo "Backup successful"
exit 0
else
rm $file
curl -H "Content-Type: application/json" -d \
'{"content": "<@&585512338728419341> `PostgreSQL` backup for **'"${job_name}"'** has just **FAILED**\nFile name: `'"$file"'`\nDate: `'"$(TZ=Europe/Dublin date)"'`\nTurn off this script with `nomad job stop '"${job_name}"'` \n\n## Remember to restart this backup job when fixed!!!"}' \
{{ key "postgres/webhook/discord" }}
fi
EOH
destination = "local/script.sh"
}
}
}
}

218
jobs/services/privatebin.hcl
View file

@ -1,218 +0,0 @@
job "privatebin" {
datacenters = ["aperture"]
type = "service"
group "privatebin" {
count = 1
network {
port "http" {
to = 8080
}
port "db" {
to = 5432
}
}
service {
name = "privatebin"
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.http.routers.privatebin.rule=Host(`paste.redbrick.dcu.ie`) || Host(`paste.rb.dcu.ie`)",
"traefik.http.routers.privatebin.entrypoints=web,websecure",
"traefik.http.routers.privatebin.tls.certresolver=lets-encrypt",
]
}
task "privatebin" {
driver = "docker"
config {
image = "privatebin/nginx-fpm-alpine:stable"
ports = ["http"]
volumes = [
"local/conf.php:/srv/data/conf.php",
]
}
env {
TZ = "Europe/Dublin"
PHP_TZ = "Europe/Dublin"
CONFIG_PATH = "/srv/data/"
}
template {
destination = "local/conf.php"
data = <<EOH
[main]
name = "Redbrick PasteBin"
basepath = "https://paste.redbrick.dcu.ie/"
discussion = true
opendiscussion = false
password = true
fileupload = true
burnafterreadingselected = false
defaultformatter = "markdown"
; (optional) set a syntax highlighting theme, as found in css/prettify/
syntaxhighlightingtheme = "sons-of-obsidian"
; size limit per paste or comment in bytes, defaults to 10 Mebibytes
sizelimit = 10485760
; template to include, default is "bootstrap" (tpl/bootstrap.php)
template = "bootstrap-dark"
; (optional) info text to display
; use single, instead of double quotes for HTML attributes
;info = "More information on the <a href='https://privatebin.info/'>project page</a>."
; (optional) notice to display
; notice = "Note: Distro is a Goombean."
languageselection = false
languagedefault = "en"
; (optional) URL shortener address to offer after a new paste is created.
; It is suggested to only use this with self-hosted shorteners as this will leak
; the pastes encryption key.
urlshortener = "https://s.rb.dcu.ie/rest/v1/short-urls/shorten?apiKey={{ key "privatebin/shlink/api" }}&format=txt&longUrl="
qrcode = true
email = true
; Can be set to one these values:
; "none" / "identicon" (default) / "jdenticon" / "vizhash".
icon = "identicon"
; Content Security Policy headers allow a website to restrict what sources are
; allowed to be accessed in its context. You need to change this if you added
; custom scripts from third-party domains to your templates, e.g. tracking
; scripts or run your site behind certain DDoS-protection services.
; Check the documentation at https://content-security-policy.com/
; Notes:
; - If you use a bootstrap theme, you can remove the allow-popups from the
; sandbox restrictions.
; - By default this disallows to load images from third-party servers, e.g. when
; they are embedded in pastes. If you wish to allow that, you can adjust the
; policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images
; for details.
; - The 'unsafe-eval' is used in two cases; to check if the browser supports
; async functions and display an error if not and for Chrome to enable
; webassembly support (used for zlib compression). You can remove it if Chrome
; doesn't need to be supported and old browsers don't need to be warned.
; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
zerobincompatibility = false
httpwarning = true
compression = "zlib"
[expire]
; make sure the value exists in [expire_options]
default = "1week"
[expire_options]
5min = 300
10min = 600
1hour = 3600
1day = 86400
1week = 604800
2week = 1209600
; Well this is not *exactly* one month, it's 30 days:
1month = 2592000
1year = 31536000
never = 0
[formatter_options]
plaintext = "Plain Text"
markdown = "Markdown"
syntaxhighlighting = "Source Code"
[traffic]
; time limit between calls from the same IP address in seconds
; Set this to 0 to disable rate limiting.
limit = 10
; (optional) Set IPs addresses (v4 or v6) or subnets (CIDR) which are exempted
; from the rate-limit. Invalid IPs will be ignored. If multiple values are to
; be exempted, the list needs to be comma separated. Leave unset to disable
; exemptions.
; exempted = "1.2.3.4,10.10.10/24"
; (optional) If you want only some source IP addresses (v4 or v6) or subnets
; (CIDR) to be allowed to create pastes, set these here. Invalid IPs will be
; ignored. If multiple values are to be exempted, the list needs to be comma
; separated. Leave unset to allow anyone to create pastes.
; creators = "1.2.3.4,10.10.10/24"
; (optional) if your website runs behind a reverse proxy or load balancer,
; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
; header = "X_FORWARDED_FOR"
[purge]
; minimum time limit between two purgings of expired pastes, it is only
; triggered when pastes are created
; Set this to 0 to run a purge every time a paste is created.
limit = 300
; maximum amount of expired pastes to delete in one purge
; Set this to 0 to disable purging. Set it higher, if you are running a large
; site
batchsize = 10
[model]
class = Database
[model_options]
dsn = "pgsql:host={{ env "NOMAD_ADDR_db" }};dbname={{ key "privatebin/db/name" }}"
tbl = "{{ key "privatebin/db/name" }}" ; table prefix
usr = "{{ key "privatebin/db/user" }}"
pwd = "{{ key "privatebin/db/password" }}"
opt[12] = true ; PDO::ATTR_PERSISTENT ; use persistent connections - default
EOH
}
}
task "db" {
driver = "docker"
config {
image = "postgres:17-alpine"
ports = ["db"]
volumes = [
"/storage/nomad/${NOMAD_JOB_NAME}/${NOMAD_TASK_NAME}:/var/lib/postgresql/data",
]
}
template {
data = <<EOH
POSTGRES_PASSWORD={{ key "privatebin/db/password" }}
POSTGRES_USER={{ key "privatebin/db/user" }}
POSTGRES_NAME={{ key "privatebin/db/name" }}
EOH
destination = "local/db.env"
env = true
}
}
}
}

93
jobs/services/shlink.hcl
View file

@ -1,93 +0,0 @@
job "shlink" {
datacenters = ["aperture"]
type = "service"
group "web" {
network {
port "api" {
to = 8080
}
port "web" {
to = 8080
}
}
service {
name = "shlink"
port = "api"
tags = [
"traefik.enable=true",
"traefik.http.routers.shlink-api.entrypoints=web,websecure",
"traefik.http.routers.shlink-api.rule=Host(`s.rb.dcu.ie`)",
"traefik.http.routers.shlink-api.tls=true",
"traefik.http.routers.shlink-api.tls.certresolver=lets-encrypt",
]
}
task "shlink" {
driver = "docker"
config {
image = "shlinkio/shlink"
ports = ["api"]
}
template {
data = <<EOH
DEFAULT_DOMAIN=s.rb.dcu.ie
IS_HTTPS_ENABLED=true
DB_DRIVER=postgres
DB_USER={{ key "shlink/db/user" }}
DB_PASSWORD={{ key "shlink/db/password" }}
DB_NAME={{ key "shlink/db/name" }}
DB_HOST=postgres.service.consul
GEOLITE_LICENSE_KEY={{ key "shlink/geolite/key" }}
EOH
destination = "local/file.env"
env = true
}
resources {
memory = 1000
}
}
# task "shlink-web-client" {
# driver = "docker"
#
# config {
# image = "shlinkio/shlink-web-client"
# ports = ["web"]
# }
#
# template {
# data = <<EOH
#SHLINK_SERVER_URL=https://s.rb.dcu.ie
#SHLINK_API_KEY={{ key "shlink/api/key" }}
#EOH
# destination = "local/file.env"
# env = true
# }
#
#
#
# service {
# name = "shlink"
# port = "api"
#
# tags = [
# "traefik.enable=true",
# "traefik.http.routers.shlink-web.entrypoints=web,websecure",
# "traefik.http.routers.shlink-web.rule=Host(`shlink.rb.dcu.ie`)",
# "traefik.http.routers.shlink-web.tls=true",
# "traefik.http.routers.shlink-web.tls.certresolver=lets-encrypt",
# ]
# }
# resources {
# memory = 500
# }
# }
}
}

50
jobs/services/vaultwarden-backup.hcl
View file

@ -1,50 +0,0 @@
job "vaultwarden-backup" {
datacenters = ["aperture"]
type = "batch"
periodic {
crons = ["0 */3 * * * *"]
prohibit_overlap = true
}
group "db-backup" {
task "postgres-backup" {
driver = "raw_exec"
config {
command = "/bin/bash"
args = ["local/script.sh"]
}
template {
data = <<EOH
#!/bin/bash
file=/storage/backups/nomad/vaultwarden/postgresql-vaultwarden-$(date +%Y-%m-%d_%H-%M-%S).sql
mkdir -p /storage/backups/nomad/vaultwarden
alloc_id=$(nomad job status vaultwarden | grep running | tail -n 1 | cut -d " " -f 1)
job_name=$(echo ${NOMAD_JOB_NAME} | cut -d "/" -f 1)
nomad alloc exec -task db $alloc_id pg_dumpall -U {{ key "vaultwarden/db/user" }} > "${file}"
find /storage/backups/nomad/vaultwarden/postgresql-vaultwarden* -ctime +3 -exec rm {} \; || true
if [ -s "$file" ]; then # check if file exists and is not empty
echo "Backup successful"
exit 0
else
rm $file
curl -H "Content-Type: application/json" -d \
'{"content": "<@&585512338728419341> `PostgreSQL` backup for **'"${job_name}"'** has just **FAILED**\nFile name: `'"$file"'`\nDate: `'"$(TZ=Europe/Dublin date)"'`\nTurn off this script with `nomad job stop '"${job_name}"'` \n\n## Remember to restart this backup job when fixed!!!"}' \
{{ key "postgres/webhook/discord" }}
fi
EOH
destination = "local/script.sh"
}
}
}
}

95
jobs/services/vaultwarden.hcl
View file

@ -1,95 +0,0 @@
job "vaultwarden" {
datacenters = ["aperture"]
type = "service"
group "vaultwarden" {
count = 1
network {
port "http" {
to = 80
}
port "db" {
to = 5432
}
}
service {
name = "vaultwarden"
port = "http"
tags = [
"traefik.enable=true",
"traefik.http.routers.vaultwarden.rule=Host(`vault.redbrick.dcu.ie`)",
"traefik.http.routers.vaultwarden.entrypoints=websecure",
"traefik.http.routers.vaultwarden.tls.certresolver=lets-encrypt",
]
}
task "vaultwarden" {
driver = "docker"
config {
image = "vaultwarden/server:latest-alpine"
ports = ["http"]
volumes = [
"/storage/nomad/${NOMAD_JOB_NAME}:/data",
"/etc/localtime:/etc/localtime:ro"
]
}
template {
data = <<EOF
DOMAIN=https://vault.redbrick.dcu.ie
DATABASE_URL=postgresql://{{ key "vaultwarden/db/user" }}:{{ key "vaultwarden/db/password" }}@{{ env "NOMAD_ADDR_db" }}/{{ key "vaultwarden/db/name" }}
SIGNUPS_ALLOWED=false
INVITATIONS_ALLOWED=true
# This is not the actual token, but a hash of it. Vaultwarden does not like the actual token.
ADMIN_TOKEN={{ key "vaultwarden/admin/hash" }}
SMTP_HOST={{ key "vaultwarden/smtp/host" }}
SMTP_FROM={{ key "vaultwarden/smtp/from" }}
SMTP_PORT={{ key "vaultwarden/smtp/port" }}
SMTP_SECURITY=starttls
SMTP_USERNAME={{ key "vaultwarden/smtp/username" }}
SMTP_PASSWORD={{ key "vaultwarden/smtp/password" }}
EOF
destination = "local/env"
env = true
}
# These yubico variables are not necessary for yubikey support, only to verify the keys with yubico.
#YUBICO_CLIENT_ID={{ key "vaultwarden/yubico/client_id" }}
#YUBICO_SECRET_KEY={{ key "vaultwarden/yubico/secret_key" }}
resources {
cpu = 500
memory = 500
}
}
task "db" {
driver = "docker"
config {
image = "postgres:17-alpine"
ports = ["db"]
volumes = [
"/storage/nomad/${NOMAD_JOB_NAME}/${NOMAD_TASK_NAME}:/var/lib/postgresql/data",
]
}
template {
data = <<EOH
POSTGRES_PASSWORD={{ key "vaultwarden/db/password" }}
POSTGRES_USER={{ key "vaultwarden/db/user" }}
POSTGRES_NAME={{ key "vaultwarden/db/name" }}
EOH
destination = "local/db.env"
env = true
}
}
}
}

52
jobs/services/wetty.hcl
View file

@ -1,52 +0,0 @@
job "wetty" {
datacenters = ["aperture"]
type = "service"
group "wetty" {
count = 1
network {
port "http" {
to = 3000
}
}
service {
name = "wetty"
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.http.routers.wetty.rule=Host(`wetty.rb.dcu.ie`) || Host(`wetty.redbrick.dcu.ie`) || Host(`term.redbrick.dcu.ie`) || Host(`anyterm.redbrick.dcu.ie`) || Host(`ajaxterm.redbrick.dcu.ie`)",
"traefik.http.routers.wetty.entrypoints=web,websecure",
"traefik.http.routers.wetty.tls.certresolver=lets-encrypt",
]
}
task "wetty" {
driver = "docker"
config {
image = "wettyoss/wetty"
ports = ["http"]
}
template {
destination = "local/.env"
env = true
data = <<EOH
SSHHOST={{ key "wetty/ssh/host" }}
SSHPORT=22
BASE=/
EOH
}
}
}
}

174
jobs/services/wiki/LocalSettings.php
View file

@ -1,174 +0,0 @@
<?php
# Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
exit;
}
$wgSitename = "Redbrick Wiki";
$wgScriptPath = "";
$wgArticlePath = "/$1";
$wgUsePathInfo = true;
$wgScriptExtension = ".php";
$wgServer = "https://{{ env "NOMAD_META_domain" }}";
## The URL path to static resources (images, scripts, etc.)
$wgResourceBasePath = $wgScriptPath;
$wgLogo = "$wgResourceBasePath/Resources/assets/logo.png";
$wgFavicon = "$wgResourceBasePath/Resources/assets/favicon.ico";
$wgAllowExternalImages = true;
## UPO: this is also a user preference option
$wgEnableEmail = false;
$wgEnableUserEmail = false; # UPO
$wgEmergencyContact = "{{ key "mediawiki/mail/emergency/contact" }}";
$wgPasswordSender = "{{ key "mediawiki/mail/password/sender" }}";
$wgEnotifUserTalk = false; # UPO
$wgEnotifWatchlist = false; # UPO
$wgEmailAuthentication = true;
## Database settings
$wgDBtype = "mysql";
$wgDBserver = "{{ env "NOMAD_ALLOC_IP_db" }}";
$wgDBport = "{{ env "NOMAD_ALLOC_PORT_db" }}";
$wgDBname = "{{ key "mediawiki/db/name" }}";
$wgDBuser = "{{ key "mediawiki/db/username" }}";
$wgDBpassword = "{{ key "mediawiki/db/password" }}";
# MySQL specific settings
$wgDBprefix = "rbwiki_";
# MySQL table options to use during installation or update
$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=utf8mb4";
## Shared memory settings
$wgMainCacheType = CACHE_NONE;
$wgMemCachedServers = [];
$wgEnableUploads = true;
$wgUseImageMagick = true;
$wgImageMagickConvertCommand = "/usr/bin/convert";
$wgUploadPath = "$wgScriptPath/images";
$wgUploadDirectory = "{$IP}/images";
$wgHashedUploadDirectory = true;
$wgDirectoryMode = 0755;
umask(0022);
# InstantCommons allows wiki to use images from https://commons.wikimedia.org
$wgUseInstantCommons = false;
$wgPingback = false;
$wgShellLocale = "C.UTF-8";
$wgLanguageCode = "en";
$wgSecretKey = "{{ key "mediawiki/key/secret" }}";
# Changing this will log out all existing sessions.
$wgAuthenticationTokenVersion = "1";
# Site upgrade key. Must be set to a string (default provided) to turn on the
# web installer while LocalSettings.php is in place
$wgUpgradeKey = "{{ key "mediawiki/key/upgrade" }}";
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "";
$wgRightsText = "";
$wgRightsIcon = "";
$wgDiff3 = "/usr/bin/diff3";
$wgDefaultSkin = "vector";
$wgDefaultMobileSkin = 'vector-2022';
# Enabled skins.
wfLoadSkin( 'Vector' );
wfLoadSkin( 'Citizen' );
wfLoadSkin( 'Timeless' );
wfLoadSkin( 'MinervaNeue' );
wfLoadSkin( 'Medik' );
$wgCitizenThemeColor = "#a81e22";
$wgCitizenShowPageTools = "permission";
$wgCitizenSearchDescriptionSource = "pagedescription";
$wgMedikColor = "#a81e22";
$wgMedikShowLogo = "main";
$wgLocalisationUpdateDirectory = "$IP/cache";
# load extensions
wfLoadExtension( 'HitCounters' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_ButtonLabel = "Redbrick Log In";
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'OpenGraphMeta' );
wfLoadExtension( 'Description2' );
$wgEnableMetaDescriptionFunctions = true;
wfLoadExtension( 'PageImages' );
$wgPageImagesOpenGraphFallbackImage = $wgLogo;
wfLoadExtension( 'Plausible' );
$wgPlausibleDomain = "https://plausible.redbrick.dcu.ie";
$wgPlausibleDomainKey = "{{ env "NOMAD_META_domain" }}";
$wgPlausibleTrackOutboundLinks = true;
$wgPlausibleTrackLoggedIn = true;
$wgPlausibleTrack404 = true;
$wgPlausibleTrackSearchInput = true;
$wgPlausibleTrackCitizenSearchLinks = true;
$wgPlausibleTrackCitizenMenuLinks = true;
wfLoadExtension( 'WikiMarkdown' );
$wgAllowMarkdownExtra = true;
$wgAllowMarkdownExtended = true;
wfLoadExtension( 'RSS' );
wfLoadExtension( 'SyntaxHighlight_GeSHi' );
wfLoadExtension( 'WikiEditor' );
wfLoadExtension( 'MobileFrontend' );
$LDAPProviderDomainConfigs = "/etc/mediawiki/ldapprovider.json";
$wgPluggableAuth_Config['Redbrick Log In'] = [
'plugin' => 'LDAPAuthentication2',
'data' => [
'domain' => 'LDAP'
],
];
# RBOnly Namespace
# To allow semi-public pages
$wgExtraNamespaces = array(100 => "RBOnly", 101 => "RBOnly_talk");
$wgNamespacesWithSubpages = array( -1 => 0, 0 => 0, 1 => 1, 2 => 1, 3 => 1, 4 => 0, 5 => 1, 6 => 0, 7 => 1, 8 => 0, 9 => 1, 10 => 0, 11 => 1,100 => 1,101 => 1);
$wgNamespacesToBeSearchedDefault = array( -1 => 0, 0 => 1, 1 => 0, 2 => 0, 3 => 0, 4 => 0, 5 => 0, 6 => 0, 7 => 0, 8 => 0, 9 => 0, 10 => 0, 11 => 0,100 => 0,101 => 0);
$wgNonincludableNamespaces[] = 100;
$wgGroupPermissions['*']['readrbonly'] = false;
$wgGroupPermissions['sysop']['readrbonly'] = true;
$wgNamespaceProtection[ 100 ] = array( 'readrbonly' );
# group permissions
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['*']['edit'] = false;
# Exclude user group page views from counting.
$wgGroupPermissions['sysop']['hitcounter-exempt'] = true;
# When set to true, it adds the PageId to the special page "PopularPages". The default value is false.
$wgEnableAddPageId = false;
# When set to true, it adds the TextLength to the special page "PopularPages". The default value is false.
$wgEnableAddTextLength = true;
# debug logs
# $wgDebugDumpSql = true;
$wgShowExceptionDetails = true;
$wgShowDBErrorBacktrace = true;
$wgShowSQLErrors = true;
$wgDebugLogFile = "/dev/stderr";

89
jobs/services/wiki/mediawiki-backup.hcl
View file

@ -1,89 +0,0 @@
job "mediawiki-backup" {
datacenters = ["aperture"]
type = "batch"
periodic {
crons = ["0 */3 * * * *"]
prohibit_overlap = true
}
group "db-backup" {
task "mysql-backup" {
driver = "raw_exec"
config {
command = "/bin/bash"
args = ["local/mysql-backup.sh"]
}
template {
data = <<EOH
#!/bin/bash
file=/storage/backups/nomad/wiki/mysql/rbwiki-mysql-$(date +%Y-%m-%d_%H-%M-%S).sql
mkdir -p /storage/backups/nomad/wiki/mysql
alloc_id=$(nomad job status mediawiki | grep running | tail -n 1 | cut -d " " -f 1)
job_name=$(echo ${NOMAD_JOB_NAME} | cut -d "/" -f 1)
nomad alloc exec -task rbwiki-db $alloc_id mariadb-dump -u {{ key "mediawiki/db/username" }} -p'{{ key "mediawiki/db/password"}}' {{ key "mediawiki/db/name" }} > "${file}"
find /storage/backups/nomad/wiki/mysql/rbwiki-mysql* -ctime +30 -exec rm {} \; || true
if [ -s "$file" ]; then # check if file exists and is not empty
echo "Backup successful"
exit 0
else
rm $file
curl -H "Content-Type: application/json" -d \
'{"content": "<@&585512338728419341> `MySQL` backup for **'"${job_name}"'** has just **FAILED**\nFile name: `'"$file"'`\nDate: `'"$(TZ=Europe/Dublin date)"'`\nTurn off this script with `nomad job stop '"${job_name}"'` \n\n## Remember to restart this backup job when fixed!!!"}' \
{{ key "mysql/webhook/discord" }}
fi
EOH
destination = "local/mysql-backup.sh"
}
}
}
group "xml-dump" {
task "xml-dump" {
driver = "raw_exec"
config {
command = "/bin/bash"
args = ["local/xml-dump.sh"]
}
template {
data = <<EOH
#!/bin/bash
file=/storage/backups/nomad/wiki/xml/rbwiki-dump-$(date +%Y-%m-%d_%H-%M-%S).xml
mkdir -p /storage/backups/nomad/wiki/xml
alloc_id=$(nomad job status mediawiki | grep running | tail -n 1 | cut -d " " -f 1)
job_name=$(echo ${NOMAD_JOB_NAME} | cut -d "/" -f 1)
nomad alloc exec -task rbwiki-php $alloc_id /usr/local/bin/php /var/www/html/maintenance/dumpBackup.php --full --include-files --uploads > "${file}"
find /storage/backups/nomad/wiki/xml/rbwiki-dump* -ctime +3 -exec rm {} \; || true
if [ -n "$(find ${file} -prune -size +100000000c)" ]; then # check if file exists and is not empty
echo "Backup successful"
exit 0
else
rm $file
curl -H "Content-Type: application/json" -d \
'{"content": "<@&585512338728419341> `dumpBackup.php` backup for **'"${job_name}"'** has just **FAILED**\nFile name: `'"$file"'`\nDate: `'"$(TZ=Europe/Dublin date)"'`\nTurn off this script with `nomad job stop '"${job_name}"'` \n\n## Remember to restart this backup job when fixed!!!"}' \
{{ key "mysql/webhook/discord" }}
fi
EOH
destination = "local/xml-dump.sh"
}
}
}
}

270
jobs/services/wiki/mediawiki.hcl
View file

@ -1,270 +0,0 @@
job "mediawiki" {
datacenters = ["aperture"]
type = "service"
meta {
domain = "wiki.redbrick.dcu.ie"
}
group "rbwiki" {
count = 1
network {
mode = "bridge"
port "http" {
to = 80
}
port "fpm" {
to = 9000
}
port "db" {
to = 3306
}
}
service {
name = "rbwiki-web"
port = "http"
check {
type = "http"
path = "/Main_Page"
interval = "10s"
timeout = "5s"
}
tags = [
"traefik.enable=true",
"traefik.port=${NOMAD_PORT_http}",
"traefik.http.routers.rbwiki.rule=Host(`${NOMAD_META_domain}`) || Host(`wiki.rb.dcu.ie`)",
"traefik.http.routers.rbwiki.entrypoints=web,websecure",
"traefik.http.routers.rbwiki.tls.certresolver=lets-encrypt",
"traefik.http.routers.rbwiki.middlewares=rbwiki-redirect-root, rbwiki-redirect-mw",
"traefik.http.middlewares.rbwiki-redirect-root.redirectregex.regex=^https://wiki\\.redbrick\\.dcu\\.ie/?$",
"traefik.http.middlewares.rbwiki-redirect-root.redirectregex.replacement=https://wiki.redbrick.dcu.ie/Main_Page",
"traefik.http.middlewares.rbwiki-redirect-mw.redirectregex.regex=https://wiki\\.redbrick\\.dcu\\.ie/Mw/(.*)",
"traefik.http.middlewares.rbwiki-redirect-mw.redirectregex.replacement=https://wiki.redbrick.dcu.ie/$1",
]
}
task "rbwiki-nginx" {
driver = "docker"
config {
image = "nginx:alpine"
ports = ["http"]
volumes = [
"local/nginx.conf:/etc/nginx/nginx.conf",
"/storage/nomad/mediawiki/extensions:/var/www/html/extensions",
"/storage/nomad/mediawiki/images:/var/www/html/images",
"/storage/nomad/mediawiki/skins:/var/www/html/skins",
"/storage/nomad/mediawiki/resources/assets:/var/www/html/Resources/assets",
]
}
resources {
cpu = 200
memory = 100
}
template {
data = <<EOH
# user www-data www-data;
error_log /dev/stderr error;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
server_tokens off;
error_log /dev/stderr error;
access_log /dev/stdout;
charset utf-8;
server {
server_name {{ env "NOMAD_META_domain" }};
listen 80;
listen [::]:80;
root /var/www/html;
index index.php index.html index.htm;
client_max_body_size 5m;
client_body_timeout 60;
# MediaWiki short URLs
location / {
try_files $uri $uri/ @rewrite;
}
location @rewrite {
rewrite ^/(.*)$ /index.php?title=$1&$args;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|otf|eot|ico)$ {
try_files $uri /index.php;
expires max;
log_not_found off;
}
# Pass the PHP scripts to FastCGI server
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass {{ env "NOMAD_HOST_ADDR_fpm" }};
fastcgi_index index.php;
}
location ~ /\.ht {
deny all;
}
}
}
EOH
destination = "local/nginx.conf"
}
}
task "rbwiki-php" {
driver = "docker"
config {
image = "ghcr.io/wizzdom/mediawiki-fpm-ldap-alpine:latest"
ports = ["fpm"]
volumes = [
"/storage/nomad/mediawiki/extensions:/var/www/html/extensions",
"/storage/nomad/mediawiki/images:/var/www/html/images",
"/storage/nomad/mediawiki/skins:/var/www/html/skins",
"/storage/nomad/mediawiki/resources/assets:/var/www/html/Resources/assets",
"local/LocalSettings.php:/var/www/html/LocalSettings.php",
"local/ldapprovider.json:/etc/mediawiki/ldapprovider.json"
]
}
resources {
cpu = 4000
memory = 1200
}
template {
data = <<EOH
{
"LDAP": {
"authorization": {
"rules": {
"groups": {
"required": []
}
}
},
"connection": {
"server": "{{ key "mediawiki/ldap/server" }}",
"user": "{{ key "mediawiki/ldap/user" }}",
"pass": "{{ key "mediawiki/ldap/password" }}",
"options": {
"LDAP_OPT_DEREF": 1
},
"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMemberUid::factory",
"basedn": "o=redbrick",
"groupbasedn": "ou=groups,o=redbrick",
"userbasedn": "ou=accounts,o=redbrick",
"searchattribute": "uid",
"searchstring": "uid=USER-NAME,ou=accounts,o=redbrick",
"usernameattribute": "uid",
"realnameattribute": "cn",
"emailattribute": "altmail"
}
}
}
EOH
destination = "local/ldapprovider.json"
}
template {
data = file("LocalSettings.php")
destination = "local/LocalSettings.php"
}
}
service {
name = "rbwiki-db"
port = "db"
check {
name = "mariadb_probe"
type = "tcp"
interval = "10s"
timeout = "2s"
}
}
task "rbwiki-db" {
driver = "docker"
config {
image = "mariadb"
ports = ["db"]
volumes = [
"/storage/nomad/mediawiki/db:/var/lib/mysql",
"/oldstorage/wiki_backups:/wiki-backups/backup",
"local/conf.cnf:/etc/mysql/mariadb.conf.d/50-server.cnf",
]
}
template {
data = <<EOH
[mysqld]
# Ensure full UTF-8 support
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
skip-character-set-client-handshake
# Fix 1000-byte key length issue
innodb_large_prefix = 1
innodb_file_format = Barracuda
innodb_file_per_table = 1
innodb_default_row_format = dynamic
# Performance optimizations (Keep these based on your system)
max_connections = 100
key_buffer_size = 2G
query_cache_size = 0
innodb_buffer_pool_size = 6G
innodb_log_file_size = 512M
innodb_flush_log_at_trx_commit = 1
innodb_flush_method = O_DIRECT
innodb_io_capacity = 200
tmp_table_size = 5242K
max_heap_table_size = 5242K
innodb_log_buffer_size = 16M
# Logging
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 1
# Network
bind-address = 0.0.0.0
EOH
destination = "local/conf.cnf"
}
resources {
cpu = 800
memory = 2500
}
template {
data = <<EOH
MYSQL_DATABASE={{ key "mediawiki/db/name" }}
MYSQL_USER={{ key "mediawiki/db/username" }}
MYSQL_PASSWORD={{ key "mediawiki/db/password" }}
MYSQL_RANDOM_ROOT_PASSWORD=yes
EOH
destination = "local/.env"
env = true
}
}
}
}

36
jobs/socs/ams-amikon-update.hcl
View file

@ -1,36 +0,0 @@
job "ams-amikon-update" {
datacenters = ["aperture"]
type = "batch"
periodic {
crons = ["0 */6 * * * *"]
prohibit_overlap = true
}
group "ams-amikon-update" {
task "ams-amikon-update" {
driver = "raw_exec"
config {
command = "/bin/bash"
args = ["local/script.sh"]
}
template {
data = <<EOH
#!/bin/bash
# stop the ams-amikon job
nomad job stop ams-amikon
sleep 1
# revert the ams-amikon job to the previous version
# this will trigger a new deployment, which will pull the latest image
nomad job revert ams-amikon $(($(nomad job inspect ams-amikon | jq '.Job.Version')-1))
EOH
destination = "local/script.sh"
}
}
}
}

65
jobs/socs/ams-amikon.hcl
View file

@ -1,65 +0,0 @@
job "ams-amikon" {
datacenters = ["aperture"]
meta {
run_uuid = "${uuidv4()}"
}
type = "service"
group "ams-amikon" {
count = 1
network {
port "http" {
to = 3000
}
}
service {
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.http.routers.ams-amikon.rule=Host(`amikon.me`) || Host(`www.amikon.me`)",
"traefik.http.routers.ams-amikon.entrypoints=web,websecure",
"traefik.http.routers.ams-amikon.tls.certresolver=lets-encrypt",
"traefik.http.routers.ams-amikon.middlewares=amikon-www-redirect",
"traefik.http.middlewares.amikon-www-redirect.redirectregex.regex=^https?://www.amikon.me/(.*)",
"traefik.http.middlewares.amikon-www-redirect.redirectregex.replacement=https://amikon.me/$${1}",
"traefik.http.middlewares.amikon-www-redirect.redirectregex.permanent=true",
]
}
task "amikon-node" {
driver = "docker"
config {
image = "ghcr.io/dcuams/amikon-site-v2:latest"
force_pull = true
ports = ["http"]
}
template {
data = <<EOF
EMAIL={{ key "ams/amikon/email/user" }}
EMAIL_PASS={{ key "ams/amikon/email/password" }}
TO_EMAIL={{ key "ams/amikon/email/to" }}
EOF
destination = ".env"
env = true
}
resources {
cpu = 800
memory = 500
}
}
}
}

107
jobs/socs/dcusr-listmonk.hcl
View file

@ -1,107 +0,0 @@
job "dcusr-listmonk" {
datacenters = ["aperture"]
type = "service"
meta {
domain = "lists.solarracing.ie"
}
group "listmonk" {
network {
port "http" {
}
port "db" {
to = 5432
}
}
service {
name = "listmonk"
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.port=${NOMAD_PORT_http}",
"traefik.http.routers.dcusr-listmonk.entrypoints=web,websecure",
"traefik.http.routers.dcusr-listmonk.rule=Host(`${NOMAD_META_domain}`)",
"traefik.http.routers.dcusr-listmonk.tls=true",
"traefik.http.routers.dcusr-listmonk.tls.certresolver=lets-encrypt",
]
}
task "app" {
driver = "docker"
config {
image = "listmonk/listmonk:latest"
ports = ["http"]
entrypoint = ["./listmonk", "--static-dir=/listmonk/static"]
volumes = [
"/storage/nomad/dcusr-listmonk/static:/listmonk/static",
"/storage/nomad/dcusr-listmonk/postgres/:/var/lib/postgresql/data",
"local/config.toml:/listmonk/config.toml"
]
}
resources {
cpu = 1000
memory = 500
}
template {
data = <<EOH
[app]
address = "0.0.0.0:{{ env "NOMAD_PORT_http" }}"
admin_username = "{{ key "dcusr/listmonk/admin/username" }}"
admin_password = "{{ key "dcusr/listmonk/admin/password" }}"
# Database.
[db]
host = "{{ env "NOMAD_HOST_IP_db" }}"
port = {{ env "NOMAD_HOST_PORT_db" }}
user = "{{ key "dcusr/listmonk/db/username" }}"
password = "{{ key "dcusr/listmonk/db/password" }}"
database = "{{ key "dcusr/listmonk/db/name" }}"
ssl_mode = "disable"
max_open = 25
max_idle = 25
max_lifetime = "300s"
EOH
destination = "local/config.toml"
}
}
task "listmonk-db" {
driver = "docker"
config {
image = "postgres:17-alpine"
ports = ["db"]
volumes = [
"/storage/nomad/dcusr-listmonk/postgres:/var/lib/postgresql/data"
]
}
template {
data = <<EOH
POSTGRES_DB = "{{ key "dcusr/listmonk/db/name" }}"
POSTGRES_USER = "{{ key "dcusr/listmonk/db/username" }}"
POSTGRES_PASSWORD = "{{ key "dcusr/listmonk/db/password" }}"
EOH
destination = "local/db.env"
env = true
}
}
}
}

50
jobs/socs/dcusr-outline-backup.hcl
View file

@ -1,50 +0,0 @@
job "dcusr-outline-backup" {
datacenters = ["aperture"]
type = "batch"
periodic {
crons = ["0 */3 * * * *"]
prohibit_overlap = true
}
group "db-backup" {
task "postgres-backup" {
driver = "raw_exec"
config {
command = "/bin/bash"
args = ["local/script.sh"]
}
template {
data = <<EOH
#!/bin/bash
file=/storage/backups/nomad/postgres/dcusr/outline/postgresql-outline-$(date +%Y-%m-%d_%H-%M-%S).sql
mkdir -p /storage/backups/nomad/postgres/dcusr/outline
alloc_id=$(nomad job status dcusr-outline | grep running | tail -n 1 | cut -d " " -f 1)
job_name=$(echo ${NOMAD_JOB_NAME} | cut -d "/" -f 1)
nomad alloc exec -task outline-db $alloc_id pg_dumpall -U {{ key "outline/db/username" }} > "${file}"
find /storage/backups/nomad/postgres/dcusr/outline/postgresql-outline* -ctime +3 -exec rm {} \; || true
if [ -s "$file" ]; then # check if file exists and is not empty
echo "Backup successful"
exit 0
else
rm $file
curl -H "Content-Type: application/json" -d \
'{"content": "<@&585512338728419341> `PostgreSQL` backup for **'"${job_name}"'** has just **FAILED**\nFile name: `'"$file"'`\nDate: `'"$(TZ=Europe/Dublin date)"'`\nTurn off this script with `nomad job stop '"${job_name}"'` \n\n## Remember to restart this backup job when fixed!!!"}' \
{{ key "postgres/webhook/discord" }}
fi
EOH
destination = "local/script.sh"
}
}
}
}

148
jobs/socs/dcusr-outline.hcl
View file

@ -1,148 +0,0 @@
job "dcusr-outline" {
datacenters = ["aperture"]
type = "service"
meta {
domain = "outline.solarracing.ie"
}
group "outline" {
network {
# mode = "bridge"
port "http" {
static = 3000
to = 3000
}
port "db" {
to = 5432
}
port "redis" {
to = 6379
}
}
service {
name = "outline"
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.port=${NOMAD_PORT_http}",
"traefik.http.routers.dcusr-outline.entrypoints=web,websecure",
"traefik.http.routers.dcusr-outline.rule=Host(`${NOMAD_META_domain}`)",
"traefik.http.routers.dcusr-outline.tls=true",
"traefik.http.routers.dcusr-outline.tls.certresolver=lets-encrypt",
]
}
task "app" {
driver = "docker"
config {
image = "docker.getoutline.com/outlinewiki/outline:latest"
ports = ["http"]
volumes = [
"/storage/nomad/outline/data:/var/lib/outline/data"
]
}
resources {
cpu = 1000
memory = 500
}
template {
data = <<EOH
NODE_ENV=production
SECRET_KEY={{ key "outline/secret/key" }}
UTILS_SECRET={{ key "outline/secret/utils" }}
DATABASE_URL=postgres://{{ key "outline/db/username" }}:{{ key "outline/db/password" }}@{{ env "NOMAD_ADDR_db" }}/{{ key "outline/db/name" }}
DATABASE_CONNECTION_POOL_MIN=
DATABASE_CONNECTION_POOL_MAX=
# Uncomment this to disable SSL for connecting to Postgres
PGSSLMODE=disable
REDIS_URL=redis://{{ env "NOMAD_ADDR_redis" }}
URL=https://{{ env "NOMAD_META_domain" }}
PORT=3000
COLLABORATION_URL=https://{{ env "NOMAD_META_domain" }}
FILE_STORAGE=local
FILE_STORAGE_LOCAL_ROOT_DIR=/var/lib/outline/data
# Maximum allowed size for the uploaded attachment.
FILE_STORAGE_UPLOAD_MAX_SIZE=262144000
GOOGLE_CLIENT_ID = "{{ key "outline/google/client/id" }}"
GOOGLE_CLIENT_SECRET = "{{ key "outline/google/client/secret" }}"
FORCE_HTTPS = false
ENABLE_UPDATES = true
WEB_CONCURRENCY = 1
DEBUG = http
# error, warn, info, http, verbose, debug and silly
LOG_LEVEL=info
SMTP_HOST = "{{ key "outline/smtp/host" }}"
SMTP_PORT = "{{ key "outline/smtp/port" }}"
SMTP_USERNAME = "{{ key "outline/smtp/username" }}"
SMTP_PASSWORD = "{{ key "outline/smtp/password" }}"
SMTP_FROM_EMAIL = "{{ key "outline/smtp/from" }}"
DEFAULT_LANGUAGE=en_US
EOH
destination = "local/.env"
env = true
}
}
task "outline-redis" {
driver = "docker"
config {
image = "redis:latest"
ports = ["redis"]
}
}
task "outline-db" {
driver = "docker"
config {
image = "postgres:16-alpine"
ports = ["db"]
volumes = [
"/storage/nomad/outline/postgres:/var/lib/postgresql/data"
]
}
template {
data = <<EOH
POSTGRES_DB = "{{ key "outline/db/name" }}"
POSTGRES_USER = "{{ key "outline/db/username" }}"
POSTGRES_PASSWORD = "{{ key "outline/db/password" }}"
EOH
destination = "local/db.env"
env = true
}
}
}
}

137
jobs/socs/dcusr-pretix.hcl
View file

@ -1,137 +0,0 @@
job "dcusr-pretix" {
datacenters = ["aperture"]
type = "service"
meta {
domain = "tickets.solarracing.ie"
}
group "web" {
network {
# mode = "bridge"
port "http" {
to = 80
}
port "db" {
to = 5432
}
port "redis" {
to = 6379
}
}
service {
name = "pretix-web"
port = "http"
tags = [
"traefik.enable=true",
"traefik.port=${NOMAD_PORT_http}",
"traefik.http.routers.pretix.entrypoints=web,websecure",
"traefik.http.routers.pretix.rule=Host(`${NOMAD_META_domain}`)",
"traefik.http.routers.pretix.tls=true",
"traefik.http.routers.pretix.tls.certresolver=lets-encrypt",
]
}
task "pretix" {
driver = "docker"
config {
image = "pretix/standalone:stable"
ports = ["http"]
volumes = [
"local/pretix.cfg:/etc/pretix/pretix.cfg",
"/storage/nomad/pretix/data:/data",
"/etc/timezone:/etc/timezone:ro",
]
}
resources {
memory = 5000
cores = 1
}
env {
NUM_WORKERS = 1
}
template {
data = <<EOH
[pretix]
instance_name=DCU Solar Racing
url=https://{{ env "NOMAD_META_domain" }}
currency=EUR
datadir=/data
registration=off
[locale]
timezone=Europe/Dublin
[database]
backend=postgresql
name={{ key "pretix/db/name" }}
user={{ key "pretix/db/user" }}
password={{ key "pretix/db/password" }}
host={{ env "NOMAD_IP_db" }}
port={{ env "NOMAD_HOST_PORT_db" }}
[mail]
from={{ key "pretix/mail/from" }}
host={{ key "pretix/mail/host" }}
user={{ key "pretix/mail/user" }}
password={{ key "pretix/mail/password" }}
port=587
tls=on
ssl=off
[redis]
location=redis://{{ env "NOMAD_ADDR_redis" }}/0
sessions=true
[celery]
backend=redis://{{ env "NOMAD_ADDR_redis" }}/1
broker=redis://{{ env "NOMAD_ADDR_redis" }}/2
worker_prefetch_multiplier = 0
EOH
destination = "local/pretix.cfg"
}
}
task "pretix-db" {
driver = "docker"
config {
image = "postgres:16-alpine"
ports = ["db"]
volumes = [
"/storage/nomad/pretix/db:/var/lib/postgresql/data",
]
}
template {
data = <<EOH
POSTGRES_USER={{ key "pretix/db/user" }}
POSTGRES_PASSWORD={{ key "pretix/db/password" }}
EOH
destination = "local/db.env"
env = true
}
}
task "redis" {
driver = "docker"
config {
image = "redis:latest"
ports = ["redis"]
}
}
}
}

65
jobs/socs/dcusr.hcl
View file

@ -1,65 +0,0 @@
job "dcusr" {
datacenters = ["aperture"]
type = "service"
group "dcusr" {
count = 1
network {
port "http" {
to = 3000
}
}
service {
name = "dcusr"
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.http.routers.dcusr.rule=Host(`solarracing.rb.dcu.ie`) || Host(`solarracing.ie`) || Host(`www.solarracing.ie`)",
"traefik.http.routers.dcusr.entrypoints=web,websecure",
"traefik.http.routers.dcusr.tls.certresolver=lets-encrypt",
]
}
task "nextjs-website" {
driver = "docker"
config {
image = "ghcr.io/dcu-solar-racing/nextjs-website:main"
ports = ["http"]
force_pull = true
auth {
username = "${DOCKER_USER}"
password = "${DOCKER_PASS}"
}
}
template {
destination = "secrets/secret.env"
env = true
change_mode = "restart"
data = <<EOH
DOCKER_USER={{ key "dcusr/ghcr/username" }}
DOCKER_PASS={{ key "dcusr/ghcr/password" }}
TO_EMAIL={{ key "dcusr/nodemailer/to" }}
EMAIL={{ key "dcusr/nodemailer/from" }}
EMAIL_PASS={{ key "dcusr/nodemailer/password" }}
LISTMONK_ENDPOINT={{ key "dcusr/listmonk/endpoint" }}
LISTMONK_USERNAME={{ key "dcusr/listmonk/username" }}
LISTMONK_PASSWORD={{ key "dcusr/listmonk/password" }}
LISTMONK_LIST_IDS={{ key "dcusr/listmonk/list/id" }}
RECAPTCHA_SECRET_KEY={{ key "dcusr/recaptcha/secret/key" }}
EOH
}
}
}
}

47
jobs/socs/esports-discord-bot.hcl
View file

@ -1,47 +0,0 @@
job "esports-discord-bot" {
datacenters = ["aperture"]
type = "service"
group "esports-bot" {
count = 1
task "esports-bot" {
driver = "docker"
config {
image = "ghcr.io/aydenjahola/discord-multipurpose-bot:main"
force_pull = true
}
resources {
cpu = 500
memory = 256
}
template {
data = <<EOH
BOT_TOKEN={{ key "socs/esports/bot/discord/token" }}
EMAIL_NAME={{ key "socs/esports/bot/email/name" }}
EMAIL_PASS={{ key "socs/esports/bot/email/pass" }}
EMAIL_USER={{key "socs/esports/bot/email/user" }}
MONGODB_URI={{key "socs/esports/bot/mongodb/uri"}}
RAPIDAPI_KEY={{ key "socs/esports/bot/rapidapi/key" }}
TRACKER_API_KEY={{ key "socs/esports/bot/trackerapi/key" }}
TRACKER_API_URL={{ key "socs/esports/bot/trackerapi/url" }}
WORDNIK_API_KEY={{key "socs/esports/bot/wordnikapi/key" }}
HUGGING_FACE_API_KEY={{ key "socs/esports/bot/huggingface/key" }}
RCON_HOST=esports-mc-rcon.service.consul
# https://discuss.hashicorp.com/t/passing-registered-ip-and-port-from-consul-to-env-nomad-job-section/35647
{{ range service "esports-mc-rcon" }}
RCON_PORT={{ .Port }}{{ end }}
RCON_PASSWORD={{ key "games/mc/esports-mc/rcon/password" }}
EOH
destination = "local/.env"
env = true
}
}
}
}

36
jobs/socs/mps-site-update.hcl
View file

@ -1,36 +0,0 @@
job "mps-site-update" {
datacenters = ["aperture"]
type = "batch"
periodic {
crons = ["0 */6 * * * *"]
prohibit_overlap = true
}
group "mps-site-update" {
task "mps-site-update" {
driver = "raw_exec"
config {
command = "/bin/bash"
args = ["local/script.sh"]
}
template {
data = <<EOH
#!/bin/bash
# stop the mps-site job
nomad job stop mps-site
sleep 1
# revert the mps-site job to the previous version
# this will trigger a new deployment, which will pull the latest image
nomad job revert mps-site $(($(nomad job inspect mps-site | jq '.Job.Version')-1))
EOH
destination = "local/script.sh"
}
}
}
}

66
jobs/socs/mps-site.hcl
View file

@ -1,66 +0,0 @@
job "mps-site" {
datacenters = ["aperture"]
type = "service"
group "mps-django" {
count = 1
network {
port "http" {
to = 8000
}
}
service {
name = "mps-django"
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "5s"
}
tags = [
"traefik.enable=true",
"traefik.port=${NOMAD_PORT_http}",
"traefik.http.routers.mps-django.rule=Host(`mps.rb.dcu.ie`) || Host(`dcumps.ie`) || Host(`www.dcumps.ie`) || Host(`dcumps.com`) || Host(`www.dcumps.com`)",
"traefik.http.routers.mps-django.entrypoints=web,websecure",
"traefik.http.routers.mps-django.tls.certresolver=lets-encrypt",
"traefik.http.routers.mps-django.middlewares=mps-django-redirect-com",
"traefik.http.middlewares.mps-django-redirect-com.redirectregex.regex=dcumps\\.com/(.*)",
"traefik.http.middlewares.mps-django-redirect-com.redirectregex.replacement=dcumps.ie/$1",
]
}
task "django-web" {
driver = "docker"
config {
image = "ghcr.io/dcumps/dcumps-website-django:latest"
ports = ["http"]
force_pull = true
hostname = "${NOMAD_TASK_NAME}"
auth {
username = "${DOCKER_USER}"
password = "${DOCKER_PASS}"
}
}
template {
data = <<EOH
DOCKER_USER={{ key "mps/site/ghcr/username" }}
DOCKER_PASS={{ key "mps/site/ghcr/password" }}
EOH
destination = "local/.env"
env = true
}
resources {
cpu = 300
memory = 500
}
}
}
}

49
jobs/socs/mps-thecollegeview-backup.hcl
View file

@ -1,49 +0,0 @@
job "mps-thecollegeview-backup" {
datacenters = ["aperture"]
type = "batch"
periodic {
crons = ["0 */3 * * * *"]
prohibit_overlap = true
}
group "db-backup" {
task "mysql-backup" {
driver = "raw_exec"
config {
command = "/bin/bash"
args = ["local/mysql-backup.sh"]
}
template {
data = <<EOH
#!/bin/bash
file=/storage/backups/nomad/mps-thecollegeview/mysql/tcv-mysql-$(date +%Y-%m-%d_%H-%M-%S).sql
mkdir -p /storage/backups/nomad/mps-thecollegeview/mysql
alloc_id=$(nomad job status mps-thecollegeview | grep running | tail -n 1 | cut -d " " -f 1)
job_name=$(echo ${NOMAD_JOB_NAME} | cut -d "/" -f 1)
nomad alloc exec -task tcv-db $alloc_id mariadb-dump -u {{ key "mps/thecollegeview/db/username" }} -p'{{ key "mps/thecollegeview/db/password"}}' {{ key "mps/thecollegeview/db/name" }} > "${file}"
find /storage/backups/nomad/mps-thecollegeview/mysql/tcv-mysql* -ctime +3 -exec rm {} \; || true
if [ -s "$file" ]; then # check if file exists and is not empty
echo "Backup successful"
exit 0
else
rm $file
curl -H "Content-Type: application/json" -d \
'{"content": "# <@&585512338728419341> `MySQL` backup for **'"${job_name}"'** has just **FAILED**\nFile name: `'"$file"'`\nDate: `'"$(TZ=Europe/Dublin date)"'`\nTurn off this script with `nomad job stop '"${job_name}"'` \n\n## Remember to restart this backup job when fixed!!!"}' \
{{ key "mysql/webhook/discord" }}
fi
EOH
destination = "local/mysql-backup.sh"
}
}
}
}

257
jobs/socs/mps-thecollegeview.hcl
View file

@ -1,257 +0,0 @@
job "mps-thecollegeview" {
datacenters = ["aperture"]
type = "service"
meta {
domain = "thecollegeview.ie"
}
group "tcv" {
count = 1
network {
mode = "bridge"
port "http" {
to = 80
}
port "fpm" {
to = 9000
}
port "db" {
to = 3306
}
port "redis" {
to = 6379
}
}
service {
name = "tcv-web"
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "5s"
}
tags = [
"traefik.enable=true",
"traefik.http.routers.tcv.rule=Host(`${NOMAD_META_domain}`)",
"traefik.http.routers.tcv.entrypoints=web,websecure",
"traefik.http.routers.tcv.tls.certresolver=lets-encrypt",
]
}
task "tcv-nginx" {
driver = "docker"
config {
image = "nginx:alpine"
ports = ["http"]
volumes = [
"local/nginx.conf:/etc/nginx/nginx.conf",
"/storage/nomad/mps-thecollegeview:/var/www/html/",
]
group_add = [82] # www-data in alpine
}
resources {
cpu = 200
memory = 100
}
template {
data = <<EOH
# user www-data www-data;
error_log /dev/stderr error;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
server_tokens off;
error_log /dev/stderr error;
access_log /dev/stdout;
charset utf-8;
server {
server_name {{ env "NOMAD_META_domain" }};
listen 80;
listen [::]:80;
root /var/www/html;
index index.php index.html index.htm;
client_max_body_size 5m;
client_body_timeout 60;
# NOTE: Not used here, WP super cache rule used instead
# # Pass all folders to FPM
# location / {
# try_files $uri $uri/ /index.php?$args;
# }
# Pass the PHP scripts to FastCGI server
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass {{ env "NOMAD_ADDR_fpm" }};
fastcgi_index index.php;
}
location ~ /\.ht {
deny all;
}
# WP Super Cache rules.
set $cache_uri $request_uri;
# POST requests and urls with a query string should always go to PHP
if ($request_method = POST) {
set $cache_uri 'null cache';
}
if ($query_string != "") {
set $cache_uri 'null cache';
}
# Don't cache uris containing the following segments
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
set $cache_uri 'null cache';
}
# Don't use the cache for logged in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in") {
set $cache_uri 'null cache';
}
# Use cached or actual file if they exists, otherwise pass request to WordPress
location / {
try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args ;
}
}
}
EOH
destination = "local/nginx.conf"
}
}
task "tcv-phpfpm" {
driver = "docker"
config {
image = "wordpress:php8.3-fpm-alpine"
ports = ["fpm"]
volumes = [
"/storage/nomad/mps-thecollegeview:/var/www/html/",
"local/custom.ini:/usr/local/etc/php/conf.d/custom.ini",
]
}
resources {
cpu = 800
memory = 500
}
template {
data = <<EOH
WORDPRESS_DB_HOST={{ env "NOMAD_ADDR_db" }}
WORDPRESS_DB_USER={{ key "mps/thecollegeview/db/username" }}
WORDPRESS_DB_PASSWORD={{ key "mps/thecollegeview/db/password" }}
WORDPRESS_DB_NAME={{ key "mps/thecollegeview/db/name" }}
WORDPRESS_TABLE_PREFIX=wp_2
WORDPRESS_CONFIG_EXTRA="define('WP_REDIS_HOST', '{{ env "NOMAD_ADDR_redis" }}');"
EOH
destination = "local/.env"
env = true
}
template {
data = <<EOH
pm.max_children = 10
upload_max_filesize = 64M
post_max_size = 64M
EOH
destination = "local/custom.ini"
}
}
service {
name = "tcv-db"
port = "db"
}
task "tcv-db" {
driver = "docker"
config {
image = "mariadb"
ports = ["db"]
volumes = [
"/storage/nomad/mps-thecollegeview/db:/var/lib/mysql",
]
}
template {
data = <<EOH
[mysqld]
max_connections = 100
key_buffer_size = 2G
query_cache_size = 0
innodb_buffer_pool_size = 6G
innodb_log_file_size = 512M
innodb_flush_log_at_trx_commit = 1
innodb_flush_method = O_DIRECT
innodb_io_capacity = 200
tmp_table_size = 5242K
max_heap_table_size = 5242K
innodb_log_buffer_size = 16M
innodb_file_per_table = 1
bind-address = 0.0.0.0
# Logging
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 1
EOH
destination = "local/conf.cnf"
}
resources {
cpu = 800
memory = 800
}
template {
data = <<EOH
MYSQL_DATABASE={{ key "mps/thecollegeview/db/name" }}
MYSQL_USER={{ key "mps/thecollegeview/db/username" }}
MYSQL_PASSWORD={{ key "mps/thecollegeview/db/password" }}
MYSQL_RANDOM_ROOT_PASSWORD=yes
EOH
destination = "local/.env"
env = true
}
}
task "redis" {
driver = "docker"
config {
image = "redis:latest"
ports = ["redis"]
}
resources {
cpu = 200
}
}
}
}

49
jobs/socs/style-thelook-backup.hcl
View file

@ -1,49 +0,0 @@
job "style-thelook-backup" {
datacenters = ["aperture"]
type = "batch"
periodic {
crons = ["0 */3 * * * *"]
prohibit_overlap = true
}
group "db-backup" {
task "mysql-backup" {
driver = "raw_exec"
config {
command = "/bin/bash"
args = ["local/mysql-backup.sh"]
}
template {
data = <<EOH
#!/bin/bash
file=/storage/backups/nomad/style-thelook/mysql/thelook-mysql-$(date +%Y-%m-%d_%H-%M-%S).sql
mkdir -p /storage/backups/nomad/style-thelook/mysql
alloc_id=$(nomad job status style-thelook | grep running | tail -n 1 | cut -d " " -f 1)
job_name=$(echo ${NOMAD_JOB_NAME} | cut -d "/" -f 1)
nomad alloc exec -task thelook-db $alloc_id mariadb-dump -u {{ key "style/thelook/db/username" }} -p'{{ key "style/thelook/db/password"}}' {{ key "style/thelook/db/name" }} > "${file}"
find /storage/backups/nomad/style-thelook/mysql/thelook-mysql* -ctime +3 -exec rm {} \; || true
if [ -s "$file" ]; then # check if file exists and is not empty
echo "Backup successful"
exit 0
else
rm $file
curl -H "Content-Type: application/json" -d \
'{"content": "# <@&585512338728419341> `MySQL` backup for **'"${job_name}"'** has just **FAILED**\nFile name: `'"$file"'`\nDate: `'"$(TZ=Europe/Dublin date)"'`\nTurn off this script with `nomad job stop '"${job_name}"'` \n\n## Remember to restart this backup job when fixed!!!"}' \
{{ key "mysql/webhook/discord" }}
fi
EOH
destination = "local/mysql-backup.sh"
}
}
}
}

257
jobs/socs/style-thelook.hcl
View file

@ -1,257 +0,0 @@
job "style-thelook" {
datacenters = ["aperture"]
type = "service"
meta {
domain = "thelookonline.dcu.ie"
}
group "thelook" {
count = 1
network {
mode = "bridge"
port "http" {
to = 80
}
port "fpm" {
to = 9000
}
port "db" {
to = 3306
}
port "redis" {
to = 6379
}
}
service {
name = "thelook-web"
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "5s"
}
tags = [
"traefik.enable=true",
"traefik.http.routers.thelook.rule=Host(`${NOMAD_META_domain}`) || Host(`style.redbrick.dcu.ie`)",
"traefik.http.routers.thelook.entrypoints=web,websecure",
"traefik.http.routers.thelook.tls.certresolver=lets-encrypt",
]
}
task "thelook-nginx" {
driver = "docker"
config {
image = "nginx:alpine"
ports = ["http"]
volumes = [
"local/nginx.conf:/etc/nginx/nginx.conf",
"/storage/nomad/style-thelook:/var/www/html/",
]
group_add = [82] # www-data in alpine
}
resources {
cpu = 200
memory = 100
}
template {
data = <<EOH
# user www-data www-data;
error_log /dev/stderr error;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
server_tokens off;
error_log /dev/stderr error;
access_log /dev/stdout;
charset utf-8;
server {
server_name {{ env "NOMAD_META_domain" }};
listen 80;
listen [::]:80;
root /var/www/html;
index index.php index.html index.htm;
client_max_body_size 5m;
client_body_timeout 60;
# NOTE: Not used here, WP super cache rule used instead
# Pass all folders to FPM
# location / {
# try_files $uri $uri/ /index.php?$args;
# }
# Pass the PHP scripts to FastCGI server
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass {{ env "NOMAD_ADDR_fpm" }};
fastcgi_index index.php;
}
location ~ /\.ht {
deny all;
}
# WP Super Cache rules.
set $cache_uri $request_uri;
# POST requests and urls with a query string should always go to PHP
if ($request_method = POST) {
set $cache_uri 'null cache';
}
if ($query_string != "") {
set $cache_uri 'null cache';
}
# Don't cache uris containing the following segments
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
set $cache_uri 'null cache';
}
# Don't use the cache for logged in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in") {
set $cache_uri 'null cache';
}
# Use cached or actual file if they exists, otherwise pass request to WordPress
location / {
try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args ;
}
}
}
EOH
destination = "local/nginx.conf"
}
}
task "thelook-phpfpm" {
driver = "docker"
config {
image = "wordpress:php8.3-fpm-alpine"
ports = ["fpm"]
volumes = [
"/storage/nomad/style-thelook:/var/www/html/",
"local/custom.ini:/usr/local/etc/php/conf.d/custom.ini",
]
}
resources {
cpu = 800
memory = 500
}
template {
data = <<EOH
WORDPRESS_DB_HOST={{ env "NOMAD_ADDR_db" }}
WORDPRESS_DB_USER={{ key "style/thelook/db/username" }}
WORDPRESS_DB_PASSWORD={{ key "style/thelook/db/password" }}
WORDPRESS_DB_NAME={{ key "style/thelook/db/name" }}
WORDPRESS_TABLE_PREFIX=wp_
WORDPRESS_CONFIG_EXTRA="define('WP_REDIS_HOST', '{{ env "NOMAD_ADDR_redis" }}');"
EOH
destination = "local/.env"
env = true
}
template {
data = <<EOH
pm.max_children = 10
upload_max_filesize = 64M
post_max_size = 64M
EOH
destination = "local/custom.ini"
}
}
service {
name = "thelook-db"
port = "db"
}
task "thelook-db" {
driver = "docker"
config {
image = "mariadb"
ports = ["db"]
volumes = [
"/storage/nomad/style-thelook/db:/var/lib/mysql",
]
}
template {
data = <<EOH
[mysqld]
max_connections = 100
key_buffer_size = 2G
query_cache_size = 0
innodb_buffer_pool_size = 6G
innodb_log_file_size = 512M
innodb_flush_log_at_trx_commit = 1
innodb_flush_method = O_DIRECT
innodb_io_capacity = 200
tmp_table_size = 5242K
max_heap_table_size = 5242K
innodb_log_buffer_size = 16M
innodb_file_per_table = 1
bind-address = 0.0.0.0
# Logging
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 1
EOH
destination = "local/conf.cnf"
}
resources {
cpu = 800
memory = 800
}
template {
data = <<EOH
MYSQL_DATABASE={{ key "style/thelook/db/name" }}
MYSQL_USER={{ key "style/thelook/db/username" }}
MYSQL_PASSWORD={{ key "style/thelook/db/password" }}
MYSQL_RANDOM_ROOT_PASSWORD=yes
EOH
destination = "local/.env"
env = true
}
}
task "redis" {
driver = "docker"
config {
image = "redis:latest"
ports = ["redis"]
}
resources {
cpu = 200
}
}
}
}

89
jobs/traefik.hcl Normal file
View file

@ -0,0 +1,89 @@
job "traefik" {
datacenters = ["aperture"]
type = "system"
group "traefik" {
network {
port "http"{
static = 80
}
port "https" {
static = 443
}
port "admin"{
static = 8080
}
}
service {
name = "traefik-http"
provider = "nomad"
port = "https"
}
task "traefik" {
driver = "docker"
config {
image = "traefik"
network_mode = "host"
volumes = [
"local/traefik.toml:/etc/traefik/traefik.toml",
]
}
template {
data = <<EOF
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
[entryPoints.traefik]
address = ":8080"
[tls.options]
[tls.options.default]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
]
[api]
dashboard = true
insecure = true
# Enable Consul Catalog configuration backend.
[providers.consulCatalog]
prefix = "traefik"
exposedByDefault = false
[providers.consulCatalog.endpoint]
address = "127.0.0.1:8500"
scheme = "http"
#[providers.nomad]
# [providers.nomad.endpoint]
# address = "127.0.0.1:4646"
# scheme = "http"
[certificatesResolvers.lets-encrypt.acme]
email = "elected-admins@redbrick.dcu.ie"
storage = "local/acme.json"
[certificatesResolvers.lets-encrypt.acme.tlsChallenge]
EOF
destination = "/local/traefik.toml"
}
}
}
}

38
jobs/user-projects/general/ayden-discord-bot.hcl
View file

@ -1,38 +0,0 @@
job "ayden-discord-bot" {
datacenters = ["aperture"]
type = "service"
group "discordbotgoml" {
count = 1
task "discordbotgoml" {
driver = "docker"
config {
image = "ghcr.io/aydenjahola/discordbotgoml:main"
force_pull = true
auth {
username = "${DOCKER_USER}"
password = "${DOCKER_PASS}"
}
}
resources {
cpu = 500
memory = 256
}
template {
data = <<EOH
DISCORD_TOKEN={{ key "user-projects/ayden/gomlbot/discord/token" }}
DOCKER_USER={{ key "user-projects/ayden/ghcr/username" }}
DOCKER_PASS={{ key "user-projects/ayden/ghcr/password" }}
DEBUG=false
MONGO_DB={{ key "user-projects/ayden/gomlbot/mongo/db" }}
EOH
destination = "local/.env"
env = true
}
}
}
}

26
jobs/user-projects/general/midnight-calendarbot.hcl
View file

@ -1,26 +0,0 @@
job "midnight-calendarbot" {
datacenters = ["aperture"]
type = "service"
group "calendarbot" {
count = 1
task "calendarbot" {
driver = "docker"
config {
image = "ghcr.io/nightmarishblue/calendarbot:latest"
force_pull = true
}
template {
data = <<EOH
BOT_TOKEN={{ key "user-projects/midnight/calendarbot/discord/token" }}
APPLICATION_ID={{ key "user-projects/midnight/calendarbot/discord/appid" }}
EOH
destination = "local/.env"
env = true
}
}
}
}

149
jobs/user-projects/general/nova-timetable.hcl
View file

@ -1,149 +1,60 @@
job "nova-timetable" { job "nova-timetable" {
datacenters = ["aperture"] datacenters = ["aperture"]
type = "service"
type = "service"
group "nova-timetable" { group "nova-timetable" {
count = 1 count = 1
network { network {
port "redis" { port "http" {
to = 6379 to = 80
} }
port "db" { port "db" {
to = 5432 to = 6379
}
port "frontend" {
to = 3000
}
port "backend" {
to = 4000
} }
} }
task "frontend" { service {
name = "nova-timetable"
port = "http"
check {
type = "http"
path = "/healthcheck"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.http.routers.nova-timetable.rule=Host(`timetable.redbrick.dcu.ie`)",
"traefik.http.routers.nova-timetable.entrypoints=web,websecure",
"traefik.http.routers.nova-timetable.tls.certresolver=lets-encrypt",
]
}
task "python-application" {
driver = "docker" driver = "docker"
env { env {
PORT = "${NOMAD_PORT_frontend}" REDIS_ADDRESS = "${NOMAD_ADDR_db}"
} }
config { config {
image = "ghcr.io/novanai/timetable-sync-frontend:latest" image = "novanai/timetable-sync"
ports = ["frontend"] ports = ["http"]
}
service {
name = "nova-timetable-frontend"
port = "frontend"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.port=${NOMAD_PORT_frontend}",
"traefik.http.routers.nova-timetable-frontend.rule=Host(`timetable.redbrick.dcu.ie`)",
"traefik.http.routers.nova-timetable-frontend.entrypoints=web,websecure",
"traefik.http.routers.nova-timetable-frontend.tls.certresolver=lets-encrypt",
]
} }
} }
task "backend" { task "redis-db" {
driver = "docker"
env {
BACKEND_PORT = "${NOMAD_PORT_backend}"
REDIS_ADDRESS = "${NOMAD_ADDR_redis}"
CNS_ADDRESS = "https://clubsandsocs.jakefarrell.ie"
}
config {
image = "ghcr.io/novanai/timetable-sync-backend:latest"
ports = ["backend"]
}
service {
name = "nova-timetable-backend"
port = "backend"
check {
type = "http"
path = "/api/healthcheck"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.port=${NOMAD_PORT_backend}",
"traefik.http.routers.nova-timetable-backend.rule=Host(`timetable.redbrick.dcu.ie`) && PathPrefix(`/api`)",
"traefik.http.routers.nova-timetable-backend.entrypoints=web,websecure",
"traefik.http.routers.nova-timetable-backend.tls.certresolver=lets-encrypt",
]
}
}
task "redis" {
driver = "docker" driver = "docker"
config { config {
image = "redis:latest" image = "redis:latest"
ports = ["redis"]
}
}
task "timetable-db" {
driver = "docker"
config {
image = "postgres:17.0-alpine"
ports = ["db"] ports = ["db"]
volumes = [
"/storage/nomad/nova-timetable/db:/var/lib/postgresql/data"
]
}
template {
data = <<EOH
POSTGRES_USER={{ key "user-projects/nova/db/user" }}
POSTGRES_PASSWORD={{ key "user-projects/nova/db/password" }}
POSTGRES_DB={{ key "user-projects/nova/db/name" }}
EOH
destination = "local/db.env"
env = true
}
}
task "timetable-bot" {
driver = "docker"
config {
image = "ghcr.io/novanai/timetable-sync-bot:latest"
}
template {
data = <<EOH
BOT_TOKEN={{ key "user-projects/nova/bot/token" }}
REDIS_ADDRESS={{ env "NOMAD_ADDR_redis" }}
POSTGRES_USER={{ key "user-projects/nova/db/user" }}
POSTGRES_PASSWORD={{ key "user-projects/nova/db/password" }}
POSTGRES_DB={{ key "user-projects/nova/db/name" }}
POSTGRES_HOST={{ env "NOMAD_IP_db" }}
POSTGRES_PORT={{ env "NOMAD_HOST_PORT_db" }}
CNS_ADDRESS="https://clubsandsocs.jakefarrell.ie"
EOH
destination = "local/.env"
env = true
} }
} }
} }
} }

36
jobs/user-projects/general/urri-meetups-update.hcl
View file

@ -1,36 +0,0 @@
job "urri-meetups-update" {
datacenters = ["aperture"]
type = "batch"
periodic {
crons = ["0 */6 * * * *"]
prohibit_overlap = true
}
group "urri-meetups-update" {
task "urri-meetups-update" {
driver = "raw_exec"
config {
command = "/bin/bash"
args = ["local/script.sh"]
}
template {
data = <<EOH
#!/bin/bash
# stop the urri-meetups job
nomad job stop urri-meetups
sleep 1
# revert the urri-meetups job to the previous version
# this will trigger a new deployment, which will pull the latest image
nomad job revert urri-meetups $(($(nomad job inspect urri-meetups | jq '.Job.Version')-1))
EOH
destination = "local/script.sh"
}
}
}
}

47
jobs/user-projects/general/urri-meetups.hcl
View file

@ -1,47 +0,0 @@
job "urri-meetups" {
datacenters = ["aperture"]
type = "service"
group "urri-meetups" {
count = 1
network {
port "http" {
to = 8000
}
}
service {
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.http.routers.urri-meetups.rule=Host(`urri-meetups.rb.dcu.ie`)",
"traefik.http.routers.urri-meetups.entrypoints=web,websecure",
"traefik.http.routers.urri-meetups.tls.certresolver=lets-encrypt",
]
}
task "web" {
driver = "docker"
config {
image = "ghcr.io/haefae222/pizza_app:latest"
ports = ["http"]
force_pull = true
}
resources {
cpu = 1000
memory = 800
}
}
}
}

61
jobs/user-projects/general/wizzdom-clubsandsocs.hcl
View file

@ -1,61 +0,0 @@
job "cands-room-bookings" {
datacenters = ["aperture"]
type = "service"
meta {
git-sha = ""
}
group "clubsandsocs-room-bookings" {
count = 1
network {
port "http" {
to = 5000
}
}
service {
port = "http"
check {
type = "http"
path = "/"
interval = "10s"
timeout = "2s"
}
tags = [
"traefik.enable=true",
"traefik.http.routers.clubsandsocs-room-bookings.rule=Host(`rooms.rb.dcu.ie`)",
"traefik.http.routers.clubsandsocs-room-bookings.entrypoints=web,websecure",
"traefik.http.routers.clubsandsocs-room-bookings.tls.certresolver=lets-encrypt",
]
}
task "web" {
driver = "docker"
config {
image = "ghcr.io/wizzdom/clubsandsocs-room-bookings:latest"
ports = ["http"]
force_pull = true
volumes = [
"local/.env:/app/.env"
]
}
template {
data = <<EOF
UPLOAD_FOLDER=uploads
SECRET_KEY={{ key "user-projects/wizzdom/clubsandsocs-room-bookings/secret" }}
EOF
destination = "local/.env"
}
resources {
cpu = 1000
memory = 800
}
}
}
}

91
jobs/user-vms/README.md Normal file → Executable file
View file

@ -1,89 +1,94 @@
# User VMs # User VMs
For the latest docs, see [here](https://docs.redbrick.dcu.ie/services/user-vms/). This directory contains the configuration files for the user VMs.
User VMs are deployed on [`aperture`](https://docs.redbrick.dcu.ie/hardware/aperture/) using [nomad](https://docs.redbrick.dcu.ie/services/nomad/)'s [QEMU driver](https://developer.hashicorp.com/nomad/docs/drivers/qemu). Each VM is configured with cloud-init. Those configuration files are served by wheatley, but they can
be served by any HTTP server.
Each VM is configured with cloud-init. Those configuration files are served by [`wheatley`](https://docs.redbrick.dcu.ie/hardware/aperture/wheatley/), but they can be served by any HTTP server. ## Setting up networking on the host
## Setting up Networking on the Host The host needs to be configured to allow the VMs to communicate with each other. This is done by creating
a bridge and adding the VMs to it.
The host needs to be configured to allow the VMs to communicate with each other. This is done by creating a bridge and adding the VMs to it. ### Create a bridge
### Create a Bridge To create a bridge that qemu can use to place the guest (vm) onto the same network as the host, follow
the instructions listed [here](https://wiki.archlinux.org/title/Network_bridge#With_iproute2) for
To create a bridge that qemu can use to place the guest (VM) onto the same network as the host, follow the instructions listed [here](https://wiki.archlinux.org/title/Network_bridge#With_iproute2) for `iproute2`, summarised below. iproute2, summarised below.
We need to create a bridge interface on the host. We need to create a bridge interface on the host.
```bash ```bash
sudo ip link add name br0 type bridge $ sudo ip link add name br0 type bridge
sudo ip link set dev br0 up $ sudo ip link set dev br0 up
``` ```
We'll be adding a physical interface to this bridge to allow it to communicate with the external ([UDM](https://docs.redbrick.dcu.ie/hardware/network/mordor/)) network. We'll be adding a physical interface to this bridge to allow it to communicate with the external (UDM)
network.
```bash ```bash
sudo ip link set eno1 master br0 $ sudo ip link set eno1 master br0
``` ```
You'll need to assign an IP address to the bridge interface. This will be used as the default address for the host. You can do this with DHCP or by assigning a static IP address. The best way to do this is to create a DHCP static lease on the [UDM](https://docs.redbrick.dcu.ie/hardware/network/mordor/) for the bridge interface MAC address. You'll need to assign an IP address to the bridge interface. This will be used as the default address
for the host. You can do this with DHCP or by assigning a static IP address. The best way to do this
is to create a DHCP static lease on the UDM for the bridge interface MAC address.
> [!NOTE] :::note
> TODO: Find out why connectivity seems to be lost when the bridge interface receives an address before the physical interface. TODO: Find out why connectivity seems to be lost when the bridge interface receives an address before
> If connectivity is lost, release the addresses from both the bridge and the physical interface (in that order) with `sudo dhclient -v -r <iface>` and then run `sudo dhclient -v <iface>` to assign the bridge interface an address. the physical interface.
### Add the VMs to the Bridge If connectivity is lost, release the addresses from both the bridge and the physical interface (in
that order) with `sudo dhclient -v -r <iface>` and then run `sudo dhclient -v <iface>` to assign the
bridge interface an address.
:::
The configuration of the qemu network options in the job file will create a new tap interface and add it to the bridge and the VM. I advise you for your own sanity to never touch the network options, they will only cause you pain. ### Add the VMs to the bridge
For others looking, this configuration is specific to *QEMU only*. The configuration of the qemu network options in the job file will create a new tap interface and add
it to the bridge and the VM. I advise you for your own sanity to never touch the network options, they
will only cause you pain.
For others looking, this configuration is specific to QEMU only.
```bash ```bash
qemu-system-x86_64 ... -netdev bridge,id=hn0 -device virtio-net-pci,netdev=hn0,id=nic1 qemu-system-x86_64 ... -netdev bridge,id=hn0 -device virtio-net-pci,netdev=hn0,id=nic1
``` ```
This will assign the VM an address on the external network. The VM will be able to communicate with the host and other VMs in the network. This will assign the VM an address on the external network. The VM will be able to communicate with
the host and other VMs in the network.
You must also add `allow br0` to `/etc/qemu/bridge.conf` to allow qemu to add the tap interfaces to the bridge. [Source](https://wiki.qemu.org/Features/HelperNetworking) You must also add `allow br0` to `/etc/qemu/bridge.conf` to allow qemu to add the tap interfaces to
the bridge. [Source](https://wiki.qemu.org/Features/HelperNetworking)
The VMs, once connected to the bridge, will be assigned an address via DHCP. You can assign a static IP address to the VMs by adding a DHCP static lease on the [UDM](https://docs.redbrick.dcu.ie/hardware/network/mordor/) for the VMs MAC address. You can get the address of a VM by checking the `nomad alloc logs` for that VM and searching for `ens3`. The VMs, once connected to the bridge, will be assigned an address via DHCP. You can assign a static
IP address to the VMs by adding a DHCP static lease on the UDM for the VMs MAC address. You can get
the address of a VM by checking the nomad alloc logs for that VM and searching for `ens3`.
```bash ```bash
nomad job status distro-vm | grep "Node ID" -A 1 | tail -n 1 | cut -d " " -f 1 $ nomad job status distro-vm | grep "Node ID" -A 1 | tail -n 1 | cut -d " " -f 1
# <alloc-id> # <alloc-id>
nomad alloc logs <alloc-id> | grep -E "ens3.*global" | cut -d "|" -f 4 | xargs $ nomad alloc logs <alloc-id> | grep -E "ens3.*global" | cut -d "|" -f 4 | xargs
# cloud init... ens3: <ip-address> global # cloud init... ens3: <ip-address> global
``` ```
## Configuring the VMs ## Configuring the VMs
The VMs are configured with cloud-init. Their [docs](https://cloudinit.readthedocs.io/en/latest/) are pretty good, so I won't repeat them here. The files can be served by any HTTP server, and the address is placed into the job file in the QEMU options. The VMs are configured with cloud-init. Their docs are pretty good, so I won't repeat them here. The
files can be served by any HTTP server, and the address is placed into the job file in the QEMU options.
```hcl title="Nomad" ```hcl
... ...
args = [ args = [
... ...
"virtio-net-pci,netdev=hn0,id=nic1,mac=52:54:84:ba:49:22", # make sure this MAC address is unique!!
"-smbios", "-smbios",
"type=1,serial=ds=nocloud-net;s=http://vm-resources.service.consul:8000/res/", "type=1,serial=ds=nocloud-net;s=http://136.206.16.5:8000/",
] ]
... ...
``` ```
## Creating a new VM
Here in the args block: To create a new VM, you'll need to create a new job file and a cloud-init configuration file. Copy
any of the existing job files and modify them to suit your needs. The cloud-init configuration files
- we define that the VM will have a network device using the `virtio` driver, we pass it an `id` and a random ***unique*** MAC address can be copied and changed based on the user also.
- we tell it to use `smbios` type 1 and to grab its `cloud-init` configs from `http://vm-resources.service.consul:8000/res/`
> [!NOTE]
> If you're running multiple VMs on the same network make sure to set different MAC addresses for each VM, otherwise you'll have a bad time.
## Creating a New VM
To create a new VM, you'll need to create a new job file and a cloud-init configuration file. Copy any of the existing job files and modify them to suit your needs. The cloud-init configuration files can be copied and changed based on the user also. **Remember to ensure the MAC addresses are unique!**

87
jobs/user-vms/admin-exams.hcl
View file

@ -1,87 +0,0 @@
job "admin-exams" {
datacenters = ["aperture"]
group "ayden-vm" {
network {
mode = "host"
}
service {
name = "ayden-vm"
}
task "ayden-vm" {
resources {
cpu = 12000
memory = 4096
}
artifact {
source = "http://vm-resources.service.consul:8000/res/base-images/debian-12-genericcloud-amd64-30G.qcow2"
destination = "local/ayden-vm.qcow2"
mode = "file"
}
driver = "qemu"
config {
image_path = "local/ayden-vm.qcow2"
accelerator = "kvm"
drive_interface = "virtio"
args = [
"-netdev",
"bridge,id=hn0",
"-device",
"virtio-net-pci,netdev=hn0,id=nic1,mac=52:54:84:ba:49:20", # mac address must be unique or else you will regret it
"-smbios",
"type=1,serial=ds=nocloud-net;s=http://vm-resources.service.consul:8000/res/ayden-vm/",
]
}
}
}
group "hypnoant-vm" {
network {
mode = "host"
}
service {
name = "hypnoant-vm"
}
task "hypnoant-vm" {
resources {
cpu = 12000
memory = 4096
}
artifact {
source = "http://vm-resources.service.consul:8000/res/base-images/debian-12-genericcloud-amd64-30G.qcow2"
destination = "local/hypnoant-vm.qcow2"
mode = "file"
}
driver = "qemu"
config {
image_path = "local/hypnoant-vm.qcow2"
accelerator = "kvm"
drive_interface = "virtio"
args = [
"-netdev",
"bridge,id=hn0",
"-device",
"virtio-net-pci,netdev=hn0,id=nic1,mac=52:54:84:ba:49:22",
"-smbios",
"type=1,serial=ds=nocloud-net;s=http://vm-resources.service.consul:8000/res/hypnoant-vm/",
]
}
}
}
}

64
jobs/user-vms/bastion-vm-backup.hcl
View file

@ -1,64 +0,0 @@
job "bastion-vm-backup" {
datacenters = ["aperture"]
type = "batch"
periodic {
crons = ["0 */3 * * * *"]
prohibit_overlap = true
}
group "vm-backup" {
task "qcow-backup" {
driver = "raw_exec"
config {
command = "/bin/bash"
args = ["local/script.sh"]
}
resources {
cpu = 3000
memory = 1000
}
template {
data = <<EOH
#!/bin/bash
path=/storage/backups/nomad/bastion-vm
file=bastion-vm-$(date +%Y-%m-%d_%H-%M-%S).qcow2
mkdir -p ${path}
host=$(nomad job status -verbose bastion-vm | grep running | tail -n 1 | cut -d " " -f 7)
alloc_id=$(nomad job status -verbose bastion-vm | grep running | tail -n 1 | cut -d " " -f 1)
job_name=$(echo ${NOMAD_JOB_NAME} | cut -d "/" -f 1)
echo "Backing up alloc id: ${alloc_id} on: ${host} to ${path}/${file}..."
ssh -i {{ key "bastion-vm/service/key" }} {{ key "bastion-vm/service/user" }}@${host} "sudo cat /opt/nomad/alloc/${alloc_id}/bastion-vm/local/bastion-vm.qcow2" > ${path}/${file}
find ${path}/bastion-vm-* -ctime +2 -exec rm {} \; || true
size=$(stat -c%s "${path}/${file}")
if [ ${size} -gt 4000000000 ]; then # check if file exists and is not empty
echo "Updating latest symlink to ${file}..."
ln -sf ./${file} ${path}/bastion-vm-latest.qcow2
echo "Backup successful"
exit 0
else
rm $file
curl -H "Content-Type: application/json" -d \
'{"content": "## <@&585512338728419341> `VM` backup for **'"${job_name}"'** has just **FAILED**\nFile name: `'"$file"'`\nDate: `'"$(TZ=Europe/Dublin date)"'`\nTurn off this script with `nomad job stop '"${job_name}"'` \n\n## Remember to restart this backup job when fixed!!!"}' \
{{ key "bastion-vm/webhook/discord" }}
fi
EOH
destination = "local/script.sh"
}
}
}
}

46
jobs/user-vms/bastion-vm.hcl
View file

@ -1,46 +0,0 @@
job "bastion-vm" {
datacenters = ["aperture"]
group "bastion-vm" {
network {
mode = "host"
}
service {
name = "bastion-vm"
}
task "bastion-vm" {
resources {
cpu = 12000
memory = 4096
}
artifact {
source = "http://vm-resources.service.consul:8000/bastion/bastion-vm-latest.qcow2"
destination = "local/bastion-vm.qcow2"
mode = "file"
}
driver = "qemu"
config {
image_path = "local/bastion-vm.qcow2"
accelerator = "kvm"
drive_interface = "virtio"
args = [
"-netdev",
"bridge,id=hn0",
"-device",
"virtio-net-pci,netdev=hn0,id=nic1,mac=52:54:84:ba:49:02",
"-smbios",
#"type=1,serial=ds=nocloud-net;s=http://10.10.0.5:8000/bastion-vm/",
"type=1",
]
}
}
}
}

16
jobs/user-vms/distro-vm.hcl → jobs/user-vms/distro.hcl Normal file → Executable file
View file

@ -12,23 +12,29 @@ job "distro-vm" {
} }
task "distro-vm" { task "distro-vm" {
constraint {
attribute = "${attr.unique.hostname}"
value = "wheatley"
}
resources { resources {
cpu = 12000 cpu = 12000
memory = 4096 memory = 4096
} }
artifact { artifact {
source = "http://vm-resources.service.consul:8000/res/base-images/debian-12-genericcloud-amd64-30G.qcow2" source = "https://cloud.debian.org/images/cloud/bullseye/latest/debian-11-genericcloud-amd64.qcow2"
destination = "local/distro-vm.qcow2" destination = "local/distro-vm.qcow2"
mode = "file" mode = "file"
} }
driver = "qemu" driver = "qemu"
config { config {
image_path = "local/distro-vm.qcow2" image_path = "local/distro-vm.qcow2"
accelerator = "kvm"
accelerator = "kvm"
drive_interface = "virtio" drive_interface = "virtio"
args = [ args = [

34
jobs/user-vms/vm-resources.hcl
View file

@ -1,34 +0,0 @@
job "vm-resources" {
datacenters = ["aperture"]
type = "service"
group "vm-resources" {
count = 1
network {
port "http" {
static = "8000"
to = "80"
}
}
service {
name = "vm-resources"
port = "http"
}
task "resource-server" {
driver = "docker"
config {
image = "nginx"
ports = ["http"]
volumes = [
"/storage/nomad/vm-resources/:/usr/share/nginx/html/res",
"/storage/backups/nomad/bastion-vm:/usr/share/nginx/html/bastion",
]
}
}
}
}