nomad

HCL and Docker files for Nomad deployments
git clone https://git.in0rdr.ch/nomad.git
Log | Files | Refs | Pull requests |Archive

commit a38a24b9dc3fe7a7d2ef3ed718bc39bee402ab99
parent 0f1b5bae2b27669d51b1ab2fe50238ffc553af90
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date:   Thu, 29 Aug 2024 00:05:02 +0200

feat: add pico

This adds pico, a simplistic git collaboration service:
* https://github.com/picosh/git-pr

I hope that it is useful for other people that would like to contribute
some part of code or documentation, but hesitate to open an account with
any code "forge" or service like Github, Gitlab, etc..

Diffstat:
Ahcl/default/pico/pico.nomad | 135+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ahcl/default/pico/templates/.env.tmpl | 14++++++++++++++
Ahcl/default/pico/templates/git-pr.toml.tmpl | 15+++++++++++++++
Ahcl/default/pico/templates/nginx.conf.tmpl | 10++++++++++
Ahcl/default/pico/volume-pico.hcl | 31+++++++++++++++++++++++++++++++
5 files changed, 205 insertions(+), 0 deletions(-)

diff --git a/hcl/default/pico/pico.nomad b/hcl/default/pico/pico.nomad @@ -0,0 +1,135 @@ +# https://github.com/picosh/git-pr/blob/main/docker-compose.prod.yml +job "pico" { + datacenters = ["dc1"] + + priority = 80 + + group "server" { + count = 1 + + volume "pico" { + type = "csi" + source = "pico" + access_mode = "multi-node-multi-writer" + attachment_mode = "file-system" + } + volume "tls" { + type = "csi" + source = "certbot" + access_mode = "multi-node-multi-writer" + attachment_mode = "file-system" + } + + network { + port "web" { + to = 3000 + } + port "ssh" { + to = 2222 + static = 44405 + } + port "https" { + static = 44406 + } + } + + task "web" { + driver = "podman" + + config { + image = "ghcr.io/picosh/pico/git-web:latest" + ports = ["web"] + volumes = [ + # mount the templated config from the task directory to the container + "local/git-pr.toml:/app/git-pr.toml", + ] + } + + template { + destination = "${NOMAD_TASK_DIR}/.env" + data = file("./templates/.env.tmpl") + env = true + } + + template { + destination = "${NOMAD_TASK_DIR}/git-pr.toml" + data = file("./templates/git-pr.toml.tmpl") + } + + volume_mount { + volume = "pico" + destination = "/app/data" + } + + resources { + memory = 256 + memory_max = 512 + cpu = 250 + } + } + + task "ssh" { + driver = "podman" + + config { + image = "ghcr.io/picosh/pico/git-ssh:latest" + ports = ["ssh"] + volumes = [ + # mount the templated config from the task directory to the container + "local/git-pr.toml:/app/git-pr.toml", + ] + } + + template { + destination = "${NOMAD_TASK_DIR}/.env" + data = file("./templates/.env.tmpl") + env = true + } + + template { + destination = "${NOMAD_TASK_DIR}/git-pr.toml" + data = file("./templates/git-pr.toml.tmpl") + } + + volume_mount { + volume = "pico" + destination = "/app/data" + } + + resources { + memory = 256 + memory_max = 512 + cpu = 250 + } + } + + task "nginx" { + driver = "podman" + + config { + image = "docker.io/library/nginx:stable-alpine" + ports = ["https"] + volumes = [ + # mount the templated config from the task directory to the container + "local/pico.conf:/etc/nginx/conf.d/pico.conf", + ] + } + + volume_mount { + volume = "tls" + destination = "/etc/letsencrypt" + } + + template { + destination = "${NOMAD_TASK_DIR}/pico.conf" + data = file("./templates/nginx.conf.tmpl") + } + + resources { + memory = 50 + memory_max = 128 + cpu = 200 + } + } + } +} diff --git a/hcl/default/pico/templates/.env.tmpl b/hcl/default/pico/templates/.env.tmpl @@ -0,0 +1,14 @@ +# https://github.com/picosh/git-pr/blob/main/.env.example +CF_API_TOKEN= + +GITPR_V4= +GITPR_V6= +GITPR_HTTP_V4=$GIT_V4:80 +GITPR_HTTP_V6=[$GIT_V6]:80 +GITPR_HTTPS_V4=$GIT_V4:443 +GITPR_HTTPS_V6=[$GIT_V6]:443 +GITPR_SSH_V4=$GIT_V4:22 +GITPR_SSH_V6=[$GIT_V6]:22 +GITPR_HOST= +GITPR_SSH_PORT=2222 +GITPR_WEB_PORT=3000 diff --git a/hcl/default/pico/templates/git-pr.toml.tmpl b/hcl/default/pico/templates/git-pr.toml.tmpl @@ -0,0 +1,15 @@ +# url is used for help commands, exclude protocol +url = "-p 2222 pr.in0rdr.ch" +# where we store the sqlite db, this toml file, git repos, and ssh host keys +data_dir = "./data" +# this gives users the ability to submit reviews and other admin permissions +admins = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SnNAxEnre9hcPD74wNAouuXMgfIzwsB7qr88xSb8WS8CKqZGXzaQgebc0YExfV7PGyV6KUfu4KUvS1xDboRbU6ZLU4HdGlAi+hdv8dVVzdzCgFmdv5BEGam0SMhlzReWRiDvae0pObAPvAFg5ab6B/t1LjOosBOpPo2JfEkR6zfjDrMCYdEjWB5To1p5AX0BJneTiIeiEqR/05mZUk5L8hMFmwvm8QThd+SzpLY3zgWlWG7TlUQwx78xvell9KC0GChhwlkeEAwE3q1tq/LbgzvtY140Fg0bbBGcYQI4UvG85xfTfpbHeQ1RkSB8Rb8pMkaN7mT+3qhe08cHT9v3"] +# set datetime format for our clients +time_format = "2006-01-02" + +# add as many repos as you want +[[repo]] +id = "nomad" +default_branch = "master" +clone_addr = "https://git.in0rdr.ch/nomad.git" +desc = "HCL and Docker files for Nomad deployments" diff --git a/hcl/default/pico/templates/nginx.conf.tmpl b/hcl/default/pico/templates/nginx.conf.tmpl @@ -0,0 +1,10 @@ +server { + listen {{ env "NOMAD_PORT_https" }} ssl; + + ssl_certificate /etc/letsencrypt/live/pr.in0rdr.ch/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/pr.in0rdr.ch/privkey.pem; + + location / { + proxy_pass http://{{ env "NOMAD_ADDR_web" }}; + } +} diff --git a/hcl/default/pico/volume-pico.hcl b/hcl/default/pico/volume-pico.hcl @@ -0,0 +1,31 @@ +# Register external nfs volume with Nomad CSI +# https://www.nomadproject.io/docs/commands/volume/register +type = "csi" +# Unique ID of the volume, volume.source field in a job +id = "pico" +# Display name of the volume. +name = "pico" +# ID of the physical volume from the storage provider +external_id = "csi-pico" +plugin_id = "nfs" + +# You must provide at least one capability block +# You must provide a block for each capability +# youintend to use in a job's volume block +# https://www.nomadproject.io/docs/commands/volume/register +capability { + access_mode = "multi-node-multi-writer" + attachment_mode = "file-system" +} + +# https://github.com/kubernetes-csi/csi-driver-nfs/blob/master/docs/driver-parameters.md +context { + server = "turris" + share = "csi-pico" +} + +mount_options { + # mount.nfs: Either use '-o nolock' to keep locks local, or start statd. + mount_flags = ["nolock"] +} +