ben/cluster-state
1
0
Fork 0
Code Issues 1 Pull requests Activity Actions

feat(matrix): add Nomad job specification for Matrix service

Browse source 
feat(matrix): update resource allocation in Nomad job specification

feat(matrix): onboard element service to traefik

feat(matrix): add port configuration for Element service

chore(matrix): reformat

feat(matrix): update resource allocation in Nomad job specification

fix(matrix): minimum MemoryMB value is 10

feat(matrix): update resource allocation in Nomad job specification

feat(matrix): split server and clients into seperate groups

feat(matrix): well known to be served by nginx

fix(matrix): add well known route for all hosts

feat(matrix): use separate traefik router for well known

feat(matrix): migrate config.yaml for mas

feat(matrix): divide mas config between nomad and volume

feat(matrix): split cinny and element task groups

refactor(media-centre): Migrate media-centre job spec to Nomad HCL format

fix(media-centre): remove json from resource nomad job

fix(media-centre): update media-centre job spec to use Nomad HCL format

feat(media-centre): add downloader group

- Added a new group called "downloaders" to handle proxy tasks for downloading media files.
- Configured the proxy task with necessary settings and environment variables.

fix(media-centre): use OPENVPN_USER env variable in proxy task

fix(media-centre): Add /dev/net/tun device to proxy task

feat(media-centre): Add resource limits to proxy task

feat(media-centre): Add Plex task to media-centre job spec

fix(media-centre): add constraints to media-centre job spec

fix(media-centre): nomad doesn't allow sharing devices

fix(media-centre): disable change config dir ownership

fix(media-centre): plex process user is set using env vars

fix(media-centre): update PLEX_GID in job spec

fix(media-centre): update PLEX_GID in job spec

fix(media-centre): update PLEX_UID in job spec

feat(media-centre): enable nvidia gpu capabilities

feat(media-centre): add Tautulli service to media-centre job spec

fix(media-centre): update tautulli volumes

feat(plextraktsync): add plextraktsync module

fix(plextraktsync): update plextraktsync job spec "type" to "batch"

feat(plextraktsync): update resource allocation

fix(plextraktsync): fix cron schedule in plextraktsync job spec

feat(nfs-csi): add nfs-csi module

chore: update .gitignore to include .env file

chore: format files

feat(seedbox): add seedbox module

feat(seedbox): add qbittorrent module and NFS volume

feat(seedbox): add timezone configuration for seedbox job

fix(seedbox): vuetorrent-lsio-mod image env var

feat(seedbox): add HTTP_PORT environment variable for qbittorrent module

feat(seedbox): update access mode for NFS volume

feat(seedbox): add node constraint for seedbox job

feat(seedbox): add subdirectories for NFS volumes

feat(seedbox): add nolock mount flag for NFS volumes

feat(seedbox): Update NFS volume configuration

feat(seedbox): update Docker image and enable force pull

feat(seedbox): pause container network definition

feat(elk): create kibana

feat(elk): update kibana cpu allocation

feat(elk): add elasticsearch container to elk job

This commit adds a new task "elasticsearch" to the "elk" job in the "node" group. The task uses the "podman" driver and pulls the "docker.elastic.co/elasticsearch/elasticsearch:8.15.2" image with force pull enabled. It exposes the "transport" port and mounts the "/mnt/docker/elastic/elasticsearch/config" and "/mnt/docker/elastic/elasticsearch/data" volumes. The task is allocated with 500 CPU and 1024 memory resources.

feat(seedbox): update resource allocation in seedbox job

fix(elk): remove ulimit from elk job

See: https://github.com/hashicorp/nomad-driver-podman/issues/341

fix(elk): add selinuxlabel to volume mounts in elk job

refactor(modules): remove unused modules and jobspecs

refactor(elk): update CPU allocation in elk job

feat(media-centre): Plex to use host network

feat(elk): add 9200 port to es node

feat(elk): allocate more ram to node

feat(elk): allocate even more ram to node

feat(media-centre): reduce memory allocation of tautulli

feat(elk): revert memory allocation after shard tidy-up

feat(media-centre): set memory soft limit

feat(media-centre): update memory hard limit for tautulli

feat(elk): tweak node mem alloc

See: https://www.elastic.co/guide/en/elasticsearch/reference/current/size-your-shards.html#_example_11

feat(seedbox): add memory soft limit to vpn client

feat(seedbox): update memory hard limit for vpn client

fix(matrix): increase whatsapp-bridge memory allocation

refactor(elk): update elastic and kibana image versions in elk job

feat: add latest image versions and add force pull

feat: enable force pull for all podman driver tasks

feat(matrix): increase syncv3 memory allocation

feat: migrate podman memory allocation to nomad max memory

fix: nomad max memory is defined by memory_max

feat(matrix): add ecs fields to task metadata

refactor(matrix): migrate shared meta to parent

refactor(matrix): update resource allocation in jobspec.nomad.hcl

refactor(matrix): update resource allocation in jobspec.nomad.hcl

refactor(matrix): update resource allocation in jobspec.nomad.hcl

refactor(plextraktsync): update resource allocation in jobspec.nomad.hcl

refactor(plextraktsync): remove task node constraint

refactor: migrate podman tasks to docker tasks

feat(elk): update ulimit for elasticsearch container

refactor(elk): update volume paths in jobspec.nomad.hcl

feat(seedbox): remove pause container

feat(elk): update kibana count in jobspec.nomad.hcl

refactor(elk): remove node constraint from kibana

refactor(elk): add spread attribute to kibana

refactor(elk): update port configuration in jobspec.nomad.hcl

refactor(dummy): migrate json jobspec to hcl

feat(dummy): update service provider to consul

fix(dummy): add port label to port definition

refactor(dummy): rename jobspec to match standard

feat(dummy): migrate to service mesh

chore(dummy): update Nomad provider version to 2.4.0

chore(dummy): update Nomad provider version to 2.4.0

feat(dummy): configure traefik

refactor(dummy): update provider to use consul instead of nomad

feat(renovate): create module for automated dependency updates

Add renovate.json

fix(renovate): increase memory allocation

feat(renovate): add GITHUB_COM_TOKEN variable

refactor(renovate): pin version

feat(renovate): enable dependency dashboard

refactor(matrix): use bridge netowrking for server group

refactor(matrix): update URLs to use allocated addresses

refactor(matrix): remove host.docker.internal host

fix(matrix): update SYNCV3_BINDADDR

fix(matrix): update SYNCV3_BINDADDR port to 8009

fix(elk): increase memory allocation

feat(elk): disable co-located kibana allocations

refactor(jobspec): update provider to consul for elk and media-centre services

feat(media-centre): reduce memory allocation from 4096 to 1024

fix(jobspec): replace constraints with new neto client id

feat(elk): update data volume path to use unique node name

feat(elk): migrate elastic config to nfs

feat(elk): add Nyx

refactor(workflows): reformat (#17)

Reviewed-on: #17

fix(elk): increase memory allocation to 2048 MB

refactor(matrix): remove specific node constraint from job specification

feat(matrix): implement consul service mesh

feat(elk): use allocation index for node state location

refactor(media-centre): remove deprecated NVIDIA_DRIVER_CAPABILITIES

fix(media-centre): plex transcode dir not writable

fix(media-centre): set transcode dir to world writable

fix(media-centre): set transcode dir to world writable

feat(media-centre): replace plex transcode dir with a persistent volume

feat(media-centre): increase plex memory limit

For caching

chore(elk): promote elastic version

feat(elk): remove force_pull option from Elasticsearch and Kibana configurations

style(jobspec): improve formatting in HCL files

feat(elk): add health check

feat(media-centre): add NVIDIA visible devices for Jellyfin and Plex

fix(media-centre): increase max memory for tautulli

feat(plugin-csi): add NFS CSI driver jobspec and main configuration

feat(main.tf): add plugin-csi module to main configuration

fix(plugin-csi): refactor NFS job specifications into separate files for controller and node

fix(plugin-csi): add NFS path variable for controller and node resources

fix(plugin-csi): add NFS path variable to controller and node job specifications

fix(plugin-csi): add provisioner name to NFS job specifications for controller and node

fix(plugin-csi): update NFS job specifications

feat(seedbox): restructure job specifications and add NFS volume registrations for media and qbittorrent config

feat(workflows): add lint workflow for Terraform and Nomad formatting

fix(seedbox): add attachment and access modes for media and qbittorrent_config volumes

feat(seedbox): remove node constraint

Update modules/seedbox/main.tf

fix(seedbox): add mount options with nolock flag for media and qbittorrent_config volumes

fix(seedbox): update share paths to use lowercase in media and qbittorrent_config volumes

fix(seedbox): remove unused device configuration from jobspec

feat(matrix): add health check configuration

feat(matrix): add health check ports for synapse, mas, and nginx

fix(matrix): remove health check configuration for synapse, mas, and nginx

feat(main.tf): remove unused and broken seedbox module

feat(renovate): use JSON log format

chore(elk): upgrade version to latest

feat(elk): use 2 kibana replicas

feat(elk): add on_update ignore option to ready check configuration

fix(elk): update volume paths to use node unique name for configuration and data

feat(matrix): add envoy_metrics port and update service metadata for Consul integration

feat(matrix): add health check configuration to synapse job

feat(matrix): add /metrics endpoint exposure for envoy_metrics

fix(matrix): update service port configurations to use static port numbers

feat(matrix): restructure ingress groups and enhance service configurations for improved routing

fix(matrix): update whatsapp bridge tokens and change push to receive ephemeral

feat(media-centre): remove node constraint from tautulli task configuration

feat(elk): onboard hestia node to nomad

feat(elk): enhance job specification with Envoy metrics and update service configurations

feat(renovate): onboard nomad docker image updates

chore(deps): update ghcr.io/renovatebot/renovate docker tag to v38.142.7

chore(jobspec): use explicit image version tags where possible

fix(jobspec): formatting

chore(deps): update busybox docker tag to v1.37.0

chore(deps): update docker.io/library/nginx docker tag to v1.27.3

chore(deps): update ghcr.io/renovatebot/renovate docker tag to v39

chore(deps): update ghcr.io/renovatebot/renovate docker tag to v39.59.0

chore(deps): update ghcr.io/renovatebot/renovate docker tag to v39.60.0

chore(matrix): format multiline string in jobspec.nomad.hcl for improved readability

chore(secrets): refactor jobspecs to use templates for sensitive environment variables
This commit is contained in:
Ben Martin 2024-09-26 18:17:46 +00:00
parent ea6c8893b6
commit 9af9846216
Signed by: ben
GPG key ID: 859A655FCD290E4A
28 changed files with 1428 additions and 296 deletions
Download patch file Download diff file Expand all files Collapse all files

618
modules/matrix/jobspec.nomad.hcl Normal file
View file

@ -0,0 +1,618 @@
job "matrix" {
meta = {
"service.type" = "matrix"
}
group "synapse" {
network {
mode = "bridge"
port "envoy_metrics" {
to = 9102
}
}
service {
provider = "consul"
port = "8008"
meta {
envoy_metrics_port = "${NOMAD_HOST_PORT_envoy_metrics}"
}
check {
type = "http"
path = "/health"
interval = "20s"
timeout = "5s"
expose = true
}
connect {
sidecar_service {
proxy {
config {
protocol = "http"
local_idle_timeout_ms = 120000
}
expose {
path {
path = "/metrics"
protocol = "http"
local_path_port = 9102
listener_port = "envoy_metrics"
}
}
transparent_proxy {}
}
}
}
}
task "synapse" {
driver = "docker"
config {
image = "ghcr.io/element-hq/synapse:v1.120.2"
ports = ["8008"]
volumes = [
"/mnt/docker/matrix/synapse:/data",
"/mnt/docker/matrix/media_store:/media_store",
]
}
env = {
SYNAPSE_WORKER = "synapse.app.homeserver"
}
template {
data = <<-EOF
id: whatsapp
url: http://matrix-whatsapp-bridge.virtual.consul
{{with nomadVar "nomad/jobs/matrix/synapse/synapse"}}
as_token="{{.as_token}}"
hs_token="{{.hs_token}}"
{{end}}
sender_localpart: ctvppZV8epjY9iUtTt0nR29e92V4nIJb
rate_limited: false
namespaces:
users:
- regex: ^@whatsappbot:brmartin\.co\.uk$
exclusive: true
- regex: ^@whatsapp_.*:brmartin\.co\.uk$
exclusive: true
de.sorunome.msc2409.push_ephemeral: true
receive_ephemeral: true
EOF
destination = "local/matrix-whatsapp-registration.yaml"
}
resources {
cpu = 500
memory = 128
memory_max = 256
}
meta = {
"service.name" = "synapse"
}
}
}
group "whatsapp-bridge" {
network {
mode = "bridge"
port "envoy_metrics" {
to = 9102
}
}
service {
provider = "consul"
port = "8082"
meta {
envoy_metrics_port = "${NOMAD_HOST_PORT_envoy_metrics}"
}
connect {
sidecar_service {
proxy {
config {
protocol = "http"
}
expose {
path {
path = "/metrics"
protocol = "http"
local_path_port = 9102
listener_port = "envoy_metrics"
}
}
transparent_proxy {}
}
}
}
}
task "whatsapp-bridge" {
driver = "docker"
config {
image = "dock.mau.dev/mautrix/whatsapp:v0.11.1"
ports = ["8082"]
volumes = [
"/mnt/docker/matrix/whatsapp-data:/data"
]
}
resources {
cpu = 50
memory = 16
memory_max = 32
}
meta = {
"service.name" = "whatsapp"
}
}
}
group "mas" {
network {
mode = "bridge"
port "envoy_metrics" {
to = 9102
}
}
service {
port = "8081"
provider = "consul"
meta {
envoy_metrics_port = "${NOMAD_HOST_PORT_envoy_metrics}"
}
connect {
sidecar_service {
proxy {
config {
protocol = "http"
}
expose {
path {
path = "/metrics"
protocol = "http"
local_path_port = 9102
listener_port = "envoy_metrics"
}
}
transparent_proxy {}
}
}
}
}
task "mas" {
driver = "docker"
config {
image = "ghcr.io/matrix-org/matrix-authentication-service:main"
force_pull = true
ports = ["8081"]
volumes = [
"/mnt/docker/matrix/synapse-mas/config.yaml:/config.yaml:ro"
]
}
env {
MAS_CONFIG = "/config.yaml"
}
resources {
cpu = 100
memory = 32
memory_max = 64
}
meta = {
"service.name" = "mas"
}
}
}
group "syncv3" {
network {
mode = "bridge"
port "envoy_metrics" {
to = 9102
}
}
service {
provider = "consul"
port = "8008"
meta {
envoy_metrics_port = "${NOMAD_HOST_PORT_envoy_metrics}"
}
connect {
sidecar_service {
proxy {
config {
protocol = "http"
}
expose {
path {
path = "/metrics"
protocol = "http"
local_path_port = 9102
listener_port = "envoy_metrics"
}
}
transparent_proxy {}
}
}
}
}
task "syncv3" {
driver = "docker"
config {
image = "ghcr.io/matrix-org/sliding-sync:v0.99.19"
ports = ["8008"]
}
env = {
SYNCV3_SERVER = "http://synapse.service.consul"
}
template {
data = <<-EOH
{{with nomadVar "nomad/jobs/matrix/syncv3/syncv3"}}
SYNCV3_SECRET="{{.SYNCV3_SECRET}}"
SYNCV3_DB="{{.SYNCV3_DB}}"
{{end}}
EOH
destination = "secrets/file.env"
env = true
}
resources {
cpu = 50
memory = 16
memory_max = 32
}
meta = {
"service.name" = "syncv3"
}
}
}
group "nginx" {
network {
mode = "bridge"
port "nginx" {
to = 80
}
port "envoy_metrics" {
to = 9102
}
}
service {
provider = "consul"
port = "80"
meta {
envoy_metrics_port = "${NOMAD_HOST_PORT_envoy_metrics}"
}
connect {
sidecar_service {
proxy {
config {
protocol = "http"
local_idle_timeout_ms = 120000
}
expose {
path {
path = "/metrics"
protocol = "http"
local_path_port = 9102
listener_port = "envoy_metrics"
}
}
transparent_proxy {}
}
}
}
}
task "nginx" {
driver = "docker"
config {
image = "docker.io/library/nginx:1.27.3-alpine"
ports = ["80"]
volumes = [
"/mnt/docker/matrix/nginx/templates:/etc/nginx/templates:ro",
"/mnt/docker/matrix/nginx/html:/usr/share/nginx/html:ro",
]
}
env = {
NGINX_PORT = "80"
}
resources {
cpu = 50
memory = 16
}
meta = {
"service.name" = "nginx"
}
}
}
group "synapse-ingress-group" {
network {
mode = "bridge"
port "inbound" {
to = 8080
}
}
service {
port = "inbound"
tags = [
"traefik.enable=true",
"traefik.http.routers.synapse.rule=Host(`matrix.brmartin.co.uk`)",
"traefik.http.routers.synapse.entrypoints=websecure",
"traefik.http.routers.synapse.middlewares=synapseHeaders,synapseBuffering",
"traefik.http.middlewares.synapseHeaders.headers.accesscontrolallowmethods=GET,POST,PUT,DELETE,OPTIONS",
"traefik.http.middlewares.synapseHeaders.headers.accesscontrolallowheaders=Origin,X-Requested-With,Content-Type,Accept,Authorization",
"traefik.http.middlewares.synapseHeaders.headers.accesscontrolalloworiginlist=*",
"traefik.http.middlewares.synapseBuffering.buffering.maxRequestBodyBytes=1000000000",
]
connect {
gateway {
proxy {
config {
local_idle_timeout_ms = 120000
}
}
ingress {
listener {
port = 8080
protocol = "http"
service {
name = "matrix-synapse"
hosts = ["*"]
}
}
}
}
}
}
}
group "mas-ingress-group" {
network {
mode = "bridge"
port "inbound" {
to = 8080
}
}
service {
port = "inbound"
tags = [
"traefik.enable=true",
"traefik.http.routers.mas.rule=Host(`mas.brmartin.co.uk`) || (Host(`matrix.brmartin.co.uk`) && PathRegexp(`^/_matrix/client/(.*)/(login|logout|refresh)`))",
"traefik.http.routers.mas.entrypoints=websecure",
]
connect {
gateway {
ingress {
listener {
port = 8080
protocol = "http"
service {
name = "matrix-mas"
hosts = ["*"]
}
}
}
}
}
}
}
group "wellknown-ingress-group" {
network {
mode = "bridge"
port "inbound" {
to = 8080
}
}
service {
port = "inbound"
tags = [
"traefik.enable=true",
"traefik.http.routers.matrixWellKnown.rule=PathPrefix(`/.well-known/matrix`)",
"traefik.http.routers.matrixWellKnown.entrypoints=websecure",
"traefik.http.routers.matrixWellKnown.middlewares=matrixWellKnown",
"traefik.http.middlewares.matrixWellKnown.headers.accesscontrolalloworiginlist=*",
]
connect {
gateway {
ingress {
listener {
port = 8080
protocol = "http"
service {
name = "matrix-nginx"
hosts = ["*"]
}
}
}
}
}
}
}
group "syncv3-ingress-group" {
network {
mode = "bridge"
port "inbound" {
to = 8080
}
}
service {
port = "inbound"
tags = [
"traefik.enable=true",
"traefik.http.routers.matrixsyncv3.rule=Host(`matrix.brmartin.co.uk`) && (PathPrefix(`/client`) || PathPrefix(`/_matrix/client/unstable/org.matrix.msc3575/sync`))",
"traefik.http.routers.matrixsyncv3.entrypoints=websecure",
]
connect {
gateway {
ingress {
listener {
port = 8080
protocol = "http"
service {
name = "matrix-syncv3"
hosts = ["*"]
}
}
}
}
}
}
}
group "element" {
network {
port "element" {
to = 80
}
}
task "element" {
driver = "docker"
config {
image = "docker.io/vectorim/element-web:v1.11.87"
ports = ["element"]
volumes = [
"/mnt/docker/matrix/element/config.json:/app/config.json:ro"
]
}
resources {
cpu = 100
memory = 16
}
service {
tags = [
"traefik.enable=true",
"traefik.http.routers.element.rule=Host(`element.brmartin.co.uk`)",
"traefik.http.routers.element.entrypoints=websecure",
]
port = "element"
address_mode = "host"
provider = "consul"
}
meta = {
"service.name" = "element"
}
}
}
group "cinny" {
network {
port "cinny" {
to = 80
}
}
task "cinny" {
driver = "docker"
config {
image = "ghcr.io/cinnyapp/cinny:v4.2.3"
ports = ["cinny"]
volumes = [
"/mnt/docker/matrix/cinny/config.json:/app/config.json:ro"
]
}
resources {
cpu = 50
memory = 16
}
service {
tags = [
"traefik.enable=true",
"traefik.http.routers.cinny.rule=Host(`cinny.brmartin.co.uk`)",
"traefik.http.routers.cinny.entrypoints=websecure",
]
port = "cinny"
address_mode = "host"
provider = "consul"
}
meta = {
"service.name" = "cinny"
}
}
}
}