[
{
"path": ".bootstrap.mk",
"content": "export VERSION_TAG=$(shell git rev-parse --short HEAD)\nexport JOB_NAME=$(shell basename $PWD)\n\ndash-split = $(word $2,$(subst -, ,$1))\ndash-1 = $(call dash-split,$*,1)\ndash-2 = $(call dash-split,$*,2)\n\nhelp:##............Show this help.\n\t@echo \"\"\n\t@fgrep -h \"##\" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/\\\\$$//' | sed -e 's/##//' | sed 's/^/ /'\n\t@echo \"\"\n\t@echo \"\"\n"
},
{
"path": ".gitattributes",
"content": "*.job linguist-language=HCL\n"
},
{
"path": ".github/workflows/build-gcp-dns-updater.yaml",
"content": "# .github/workflows/build-gcp-dns-updater.yaml\nname: Build GCP DNS Updater Image\n\non:\n push:\n branches:\n - main\n paths:\n - 'docker_images/gcp-dns-updater/**'\n workflow_dispatch:\n\njobs:\n build-and-push:\n runs-on: ubuntu-latest\n permissions:\n contents: read\n packages: write # Required for pushing to GitHub Packages if used, good practice anyway\n\n steps:\n - name: Checkout Code\n uses: actions/checkout@v6\n\n - name: Set up Docker Buildx\n uses: docker/setup-buildx-action@v4\n\n - name: Login to Docker Registry\n uses: docker/login-action@v4\n with:\n registry: docker.${{ secrets.NOMAD_VAR_tld }}\n username: ${{ secrets.DOCKER_REGISTRY_USER }}\n password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}\n\n - name: Build Image using Makefile\n env:\n NOMAD_VAR_tld: ${{ secrets.NOMAD_VAR_tld }}\n run: make build-gcp-dns-updater\n\n - name: Push Image\n run: docker push docker.${{ secrets.NOMAD_VAR_tld }}/gcp-dns-updater:latest\n"
},
{
"path": ".github/workflows/nomad.yaml",
"content": "on:\n push:\n branches:\n - master\n\njobs:\n # JOB to run change detection\n changes:\n runs-on: ubuntu-latest\n permissions:\n pull-requests: read\n outputs:\n jobs: ${{ steps.filter.outputs.nomadjobs_files }}\n volumes: ${{ steps.filter_volumes.outputs.volumes_files }}\n steps:\n - name: 'Checkout'\n uses: 'actions/checkout@v6'\n\n - uses: dorny/paths-filter@v4\n id: filter_volumes\n with:\n list-files: 'json'\n filters: |\n volumes:\n - 'nomad_jobs/**/volume.hcl'\n - 'nomad_jobs/**/*-volume.hcl'\n\n - uses: dorny/paths-filter@v4\n id: filter\n with:\n list-files: 'json'\n filters: |\n nomadjobs:\n # Updated paths based on directory restructure\n - 'nomad_jobs/media-stack/plex/*.job'\n - 'nomad_jobs/media-stack/radarr/*.job'\n - 'nomad_jobs/media-stack/lidarr/*.job'\n - 'nomad_jobs/media-stack/overseerr/*.job'\n - 'nomad_jobs/storage-backends/postgres/*.job'\n - 'nomad_jobs/storage-backends/redis/*.job'\n - 'nomad_jobs/storage-backends/pgvector/*.job'\n - 'nomad_jobs/core-infra/coredns/*.job'\n - 'nomad_jobs/storage-backends/iscsi-csi-plugin/*.job'\n - 'nomad_jobs/media-stack/sabnzbd/*.job'\n - 'nomad_jobs/media-stack/qbittorrent/*.job'\n - 'nomad_jobs/media-stack/prowlarr/*.job'\n - 'nomad_jobs/media-stack/tdarr/*.job'\n - 'nomad_jobs/core-infra/smtp/*.job'\n - 'nomad_jobs/ai-ml/ollama/*.job'\n - 'nomad_jobs/ai-ml/open-webui/*.job'\n - 'nomad_jobs/misc/gcp-dns-updater/*.job'\n - 'nomad_jobs/core-infra/tailscale-este/*.job'\n - 'nomad_jobs/core-infra/traefik/*.job'\n - 'nomad_jobs/core-infra/iscsi-csi-plugin/*.job'\n - 'nomad_jobs/observability/alertmanager/*.job'\n - 'nomad_jobs/observability/prometheus/*.job'\n - 'nomad_jobs/ai-ml/radbot/*.job'\n - 'nomad_jobs/personal-cloud/ntfy/*.job'\n - 'nomad_jobs/web-apps/homepage/*.job'\n - 'nomad_jobs/media-stack/multi-scrobbler/*.job'\n - 'nomad_jobs/media-stack/lidify/*.job'\n - 'nomad_jobs/media-stack/mediasage/*.job'\n - 'nomad_jobs/core-infra/netboot-xyz/*.job'\n - 'nomad_jobs/web-apps/kideo/*.job'\n - 'nomad_jobs/web-apps/minecraftmath/*.job'\n\n add_volumes:\n runs-on: ubuntu-latest\n needs: changes\n if: needs.changes.outputs.volumes != '[]'\n continue-on-error: true\n strategy:\n matrix:\n job: ${{ fromJSON(needs.changes.outputs.volumes ) }}\n\n steps:\n - name: 'Checkout'\n uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6\n\n - name: Connect to Tailscale\n uses: tailscale/github-action@v4\n with:\n oauth-client-id: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}\n oauth-secret: ${{ secrets.TAILSCALE_OAUTH_SECRET }}\n tags: tag:github-actions\n args: --accept-dns=true\n\n - name: Setup Nomad\n uses: hashicorp/setup-nomad@v1.0.0\n with:\n version: \"1.10.4\"\n\n - name: deploy\n shell: bash\n run: |\n # Extract volume ID from the HCL file\n VOLUME_ID=$(grep '^id' ${{ matrix.job }} | head -1 | sed 's/.*= *\"\\(.*\\)\"/\\1/')\n # Skip if volume already exists\n if nomad volume status \"$VOLUME_ID\" > /dev/null 2>&1; then\n echo \"Volume '$VOLUME_ID' already exists, skipping creation\"\n else\n echo \"Creating volume '$VOLUME_ID'\"\n nomad volume create ${{ matrix.job }}\n fi\n env:\n NOMAD_ADDR: '${{ secrets.NOMAD_ADDR }}'\n\n deploy_jobs:\n runs-on: ubuntu-latest\n needs: changes\n if: needs.changes.outputs.jobs != '[]'\n continue-on-error: true\n strategy:\n matrix:\n job: ${{ fromJSON(needs.changes.outputs.jobs ) }}\n\n steps:\n - name: 'Checkout'\n uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6\n\n - name: Connect to Tailscale\n uses: tailscale/github-action@v4\n with:\n oauth-client-id: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}\n oauth-secret: ${{ secrets.TAILSCALE_OAUTH_SECRET }}\n tags: tag:github-actions\n args: --accept-dns=true\n\n - name: Setup Nomad\n uses: hashicorp/setup-nomad@v1.0.0\n with:\n version: \"1.10.4\"\n\n - name: deploy\n shell: bash\n run: |\n nomad job run ${{ matrix.job }} # Removed -var flags\n env:\n NOMAD_ADDR: '${{ secrets.NOMAD_ADDR }}'\n NOMAD_VAR_region: 'home'\n NOMAD_VAR_tld: '${{ secrets.NOMAD_VAR_tld }}' # Corrected case\n NOMAD_VAR_shared_dir: '/home/shared/'\n NOMAD_VAR_downloads_dir: '/home/sabnzbd/downloads'\n NOMAD_VAR_music_dir: '/home/media/Music'\n NOMAD_VAR_movies_dir: '/home/media/Movies'\n NOMAD_VAR_books_dir: '/home/media/Books'\n NOMAD_VAR_tv_dir: '/home/media/TV'\n NOMAD_VAR_media_dir: '/home/media'\n NOMAD_VAR_hass_key: '${{ secrets.NOMAD_VAR_hass_key }}' # Corrected case\n NOMAD_VAR_hass_ip: '${{ secrets.NOMAD_VAR_hass_ip }}'\n NOMAD_VAR_github_pat: ${{ secrets.NOMAD_VAR_github_pat }} # Corrected case\n NOMAD_VAR_datacenters_all: '[\"dc1\", \"public\"]'\n NOMAD_VAR_datacenters_dc1: '[\"dc1\"]'\n NOMAD_VAR_datacenters_public: '[\"public\"]'\n NOMAD_VAR_tailscale_auth: '${{ secrets.NOMAD_VAR_tailscale_auth }}' # Corrected case\n NOMAD_VAR_tailscale_auth_este: '${{ secrets.NOMAD_VAR_tailscale_auth_este }}' # Corrected case\n NOMAD_VAR_oauth_client_id: '${{ secrets.NOMAD_VAR_oauth_client_id }}' # Corrected case\n NOMAD_VAR_oauth_client_secret: '${{ secrets.NOMAD_VAR_oauth_client_secret }}' # Corrected case\n NOMAD_VAR_oauth_secret: '${{ secrets.NOMAD_VAR_oauth_secret }}' # Corrected case\n NOMAD_VAR_oauth_emails: '${{ secrets.NOMAD_VAR_oauth_emails }}' # Corrected case\n NOMAD_VAR_ssh_id: '${{ secrets.NOMAD_VAR_ssh_id }}' # Corrected case\n NOMAD_VAR_truenas_api_key: '${{ secrets.NOMAD_VAR_truenas_api_key }}' # Corrected case\n NOMAD_VAR_gh_access_token: '${{ secrets.NOMAD_VAR_gh_access_token }}' # Corrected case\n NOMAD_VAR_ollama_data_dir: '/home/shared/ollama'\n NOMAD_VAR_ollama_base_url: 'http://ollama.service.consul:11434'\n NOMAD_VAR_webui_secret_key: '${{ secrets.NOMAD_VAR_webui_secret_key }}' # Corrected case\n NOMAD_VAR_datacenter: 'dc1'\n NOMAD_VAR_dns_server_ip: '192.168.50.2'\n # Added missing variables\n NOMAD_VAR_aws_access_key: ${{ secrets.NOMAD_VAR_aws_access_key }}\n NOMAD_VAR_aws_secret_key: ${{ secrets.NOMAD_VAR_aws_secret_key }}\n NOMAD_VAR_bedrock_aws_region: ${{ secrets.NOMAD_VAR_bedrock_aws_region }}\n NOMAD_VAR_gcp_dns_admin: ${{ secrets.NOMAD_VAR_gcp_dns_admin }}\n NOMAD_VAR_gemini_api_key: ${{ secrets.NOMAD_VAR_gemini_api_key }}\n NOMAD_VAR_litellm_master_key: ${{ secrets.NOMAD_VAR_litellm_master_key }}\n NOMAD_VAR_manyfold_secret_key: ${{ secrets.NOMAD_VAR_manyfold_secret_key }}\n NOMAD_VAR_postgres_pass: ${{ secrets.NOMAD_VAR_postgres_pass }}\n NOMAD_VAR_truenas_iscsi_pass: ${{ secrets.NOMAD_VAR_truenas_iscsi_pass }}\n # Added gcp_project_id\n NOMAD_VAR_gcp_project_id: ${{ secrets.NOMAD_VAR_gcp_project_id }}\n # GitHub PAT is now stored securely in secrets\n NOMAD_VAR_truenass_iscsi_pass: ${{ secrets.NOMAD_VAR_truenass_iscsi_pass }} # Note potential typo in name\n NOMAD_VAR_dns_zone: ${{ secrets.NOMAD_VAR_dns_zone }}\n NOMAD_VAR_ingress_ip: ${{ secrets.NOMAD_VAR_ingress_ip }}\n NOMAD_VAR_radbot_credential_key: ${{ secrets.NOMAD_VAR_radbot_credential_key }}\n NOMAD_VAR_radbot_admin_token: ${{ secrets.NOMAD_VAR_radbot_admin_token }}\n NOMAD_VAR_radbot_mcp_token: ${{ secrets.NOMAD_VAR_radbot_mcp_token }}\n NOMAD_VAR_mullvad_wireguard_key: ${{ secrets.NOMAD_VAR_mullvad_wireguard_key }}\n NOMAD_VAR_mullvad_wireguard_addr: ${{ secrets.NOMAD_VAR_mullvad_wireguard_addr }}\n NOMAD_VAR_sonarr_api_key: ${{ secrets.NOMAD_VAR_sonarr_api_key }}\n NOMAD_VAR_radarr_api_key: ${{ secrets.NOMAD_VAR_radarr_api_key }}\n NOMAD_VAR_curseforge_api_key: ${{ secrets.NOMAD_VAR_curseforge_api_key }}\n NOMAD_VAR_pgvector_pass: ${{ secrets.NOMAD_VAR_pgvector_pass }}\n NOMAD_VAR_pgvector_admin_password: ${{ secrets.NOMAD_VAR_pgvector_admin_password }}\n NOMAD_VAR_postgres_admin_password: ${{ secrets.NOMAD_VAR_postgres_admin_password }}\n NOMAD_VAR_litellm_crawl4ai_key: ${{ secrets.NOMAD_VAR_litellm_crawl4ai_key }}\n NOMAD_VAR_litellm_salt_key: ${{ secrets.NOMAD_VAR_litellm_salt_key }}\n NOMAD_VAR_wazuh_api_password: ${{ secrets.NOMAD_VAR_wazuh_api_password }}\n NOMAD_VAR_wazuh_dashboard_password: ${{ secrets.NOMAD_VAR_wazuh_dashboard_password }}\n NOMAD_VAR_wazuh_indexer_password: ${{ secrets.NOMAD_VAR_wazuh_indexer_password }}\n NOMAD_VAR_otr_pass: ${{ secrets.NOMAD_VAR_otr_pass }}\n NOMAD_VAR_plex_token: ${{ secrets.NOMAD_VAR_plex_token }}\n NOMAD_VAR_listenbrainz_token: ${{ secrets.NOMAD_VAR_listenbrainz_token }}\n NOMAD_VAR_listenbrainz_username: ${{ secrets.NOMAD_VAR_listenbrainz_username }}\n NOMAD_VAR_lastfm_api_key: ${{ secrets.NOMAD_VAR_lastfm_api_key }}\n NOMAD_VAR_lastfm_api_secret: ${{ secrets.NOMAD_VAR_lastfm_api_secret }}\n NOMAD_VAR_lidarr_api_key: ${{ secrets.NOMAD_VAR_lidarr_api_key }}\n NOMAD_VAR_kideo_jwt_secret: ${{ secrets.NOMAD_VAR_kideo_jwt_secret }}\n NOMAD_VAR_kideo_youtube_cookies: ${{ secrets.NOMAD_VAR_kideo_youtube_cookies }}\n NOMAD_VAR_kideo_curiositystream_user: ${{ secrets.NOMAD_VAR_kideo_curiositystream_user }}\n NOMAD_VAR_kideo_curiositystream_pass: ${{ secrets.NOMAD_VAR_kideo_curiositystream_pass }}\n NOMAD_VAR_minecraftmath_jwt_secret: ${{ secrets.NOMAD_VAR_minecraftmath_jwt_secret }}\n"
},
{
"path": ".github/workflows/update-kideo.yaml",
"content": "name: Update kideo image tag\n\non:\n repository_dispatch:\n types: [update-kideo]\n\njobs:\n update-and-deploy:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout\n uses: actions/checkout@v6\n with:\n token: ${{ secrets.ACTIONS_PAT }}\n\n - name: Update image tag in Nomad job\n run: |\n TAG=\"${{ github.event.client_payload.tag }}\"\n sed -i \"s|ghcr.io/perrymanuk/kideo:[^ \\\"]*|ghcr.io/perrymanuk/kideo:${TAG}|\" \\\n nomad_jobs/web-apps/kideo/nomad.job\n echo \"Updated kideo image tag to ${TAG}\"\n\n - name: Commit and push\n run: |\n git config user.name \"github-actions[bot]\"\n git config user.email \"github-actions[bot]@users.noreply.github.com\"\n TAG=\"${{ github.event.client_payload.tag }}\"\n git add nomad_jobs/web-apps/kideo/nomad.job\n git commit -m \"chore: bump kideo to ${TAG}\"\n git push\n"
},
{
"path": ".github/workflows/update-minecraftmath.yaml",
"content": "name: Update minecraftmath image tag\n\non:\n repository_dispatch:\n types: [update-minecraftmath]\n\njobs:\n update-and-deploy:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout\n uses: actions/checkout@v6\n with:\n token: ${{ secrets.ACTIONS_PAT }}\n\n - name: Update image tag in Nomad job\n run: |\n TAG=\"${{ github.event.client_payload.tag }}\"\n sed -i \"s|ghcr.io/perrymanuk/minecraftmath:[^ \\\"]*|ghcr.io/perrymanuk/minecraftmath:${TAG}|\" \\\n nomad_jobs/web-apps/minecraftmath/nomad.job\n echo \"Updated minecraftmath image tag to ${TAG}\"\n\n - name: Commit and push\n run: |\n git config user.name \"github-actions[bot]\"\n git config user.email \"github-actions[bot]@users.noreply.github.com\"\n TAG=\"${{ github.event.client_payload.tag }}\"\n git add nomad_jobs/web-apps/minecraftmath/nomad.job\n git commit -m \"chore: bump minecraftmath to ${TAG}\"\n git push\n"
},
{
"path": ".github/workflows/update-radbot-dev.yaml",
"content": "name: Update radbot-dev image tag\n\non:\n repository_dispatch:\n types: [update-radbot-dev]\n\njobs:\n update-and-deploy:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout\n uses: actions/checkout@v6\n with:\n token: ${{ secrets.ACTIONS_PAT }}\n\n - name: Update image tag in dev Nomad job\n run: |\n TAG=\"${{ github.event.client_payload.tag }}\"\n sed -i \"s|ghcr.io/perrymanuk/radbot:[^ \\\"]*|ghcr.io/perrymanuk/radbot:${TAG}|\" \\\n nomad_jobs/ai-ml/radbot/nomad-dev.job\n echo \"Updated radbot-dev image tag to ${TAG}\"\n\n - name: Commit and push\n run: |\n git config user.name \"github-actions[bot]\"\n git config user.email \"github-actions[bot]@users.noreply.github.com\"\n TAG=\"${{ github.event.client_payload.tag }}\"\n git add nomad_jobs/ai-ml/radbot/nomad-dev.job\n git commit -m \"chore: deploy radbot-dev with ${TAG}\"\n git push\n"
},
{
"path": ".github/workflows/update-radbot.yaml",
"content": "name: Update radbot image tag\n\non:\n repository_dispatch:\n types: [update-radbot]\n\njobs:\n update-and-deploy:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout\n uses: actions/checkout@v6\n with:\n token: ${{ secrets.ACTIONS_PAT }}\n\n - name: Update image tag in Nomad job\n run: |\n TAG=\"${{ github.event.client_payload.tag }}\"\n sed -i \"s|ghcr.io/perrymanuk/radbot:[^ \\\"]*|ghcr.io/perrymanuk/radbot:${TAG}|\" \\\n nomad_jobs/ai-ml/radbot/nomad.job\n echo \"Updated radbot image tag to ${TAG}\"\n\n - name: Commit and push\n run: |\n git config user.name \"github-actions[bot]\"\n git config user.email \"github-actions[bot]@users.noreply.github.com\"\n TAG=\"${{ github.event.client_payload.tag }}\"\n git add nomad_jobs/ai-ml/radbot/nomad.job\n git commit -m \"chore: bump radbot to ${TAG}\"\n git push\n"
},
{
"path": ".gitignore",
"content": ".envrc\n.env\n*-pub\n.passwords\n.envrc*\nvault/secrets.yaml\nvault/*.hcl\nwww/main.jpg\nssl\nlevant/*\n!levant/defaults.yml\nhosts\n*.swp\n.ra-aid\nCLAUDE.md\nscripts/*\n"
},
{
"path": "LICENSE",
"content": " Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n\n APPENDIX: How to apply the Apache License to your work.\n\n To apply the Apache License to your work, attach the following\n boilerplate notice, with the fields enclosed by brackets \"[]\"\n replaced with your own identifying information. (Don't include\n the brackets!) The text should be enclosed in the appropriate\n comment syntax for the file format. We also recommend that a\n file or class name and description of purpose be included on the\n same \"printed page\" as the copyright notice for easier\n identification within third-party archives.\n\n Copyright [yyyy] [name of copyright owner]\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n"
},
{
"path": "Makefile",
"content": "# Load .env files\n#include .envrc\n\ninclude ./.bootstrap.mk\n\n# Define base deployments using their service names\nbase_deployments = coredns docker-registry haproxy\n\n#help: # Placeholder for potential future help generation\n\n# Find the nomad job file for a given service name ($1) within nomad_jobs/ structure\n# Usage: $(call find_job_file, service_name)\n# Example: $(call find_job_file, coredns) -> nomad_jobs/core-infra/coredns/coredns.job (or .nomad)\nfind_job_file = $(shell find nomad_jobs/ -mindepth 2 -maxdepth 3 -type f \\( -name '$1.job' -o -name '$1.nomad' \\) -print -quit)\n\n.PHONY: dc1-%\ndc1-%: ## Deploy specific job to dc1 (searches within nomad_jobs/ structure)\n\t@JOB_FILE=$(call find_job_file,$*); \\\n\tif [ -z \"$$JOB_FILE\" ]; then \\\n\t\techo \"Error: Could not find nomad job file for '$*' in nomad_jobs/.\"; \\\n\t\texit 1; \\\n\tfi; \\\n\techo \"Found job file: $$JOB_FILE\"; \\\n\tnomad job run -var datacenters='[\"dc1\"]' $$JOB_FILE\n\n.PHONY: all-%\nall-%: ## Deploy specific job to all DCs (searches within nomad_jobs/ structure)\n\t@JOB_FILE=$(call find_job_file,$*); \\\n\tif [ -z \"$$JOB_FILE\" ]; then \\\n\t\techo \"Error: Could not find nomad job file for '$*' in nomad_jobs/.\"; \\\n\t\texit 1; \\\n\tfi; \\\n\techo \"Found job file: $$JOB_FILE\"; \\\n\tnomad job run -var datacenters='[\"dc1\", \"hetzner\"]' $$JOB_FILE\n\n.PHONY: deploy-%\ndeploy-%: ## Deploy specific job (searches within nomad_jobs/ structure)\n\t@JOB_FILE=$(call find_job_file,$*); \\\n\tif [ -z \"$$JOB_FILE\" ]; then \\\n\t\techo \"Error: Could not find nomad job file for '$*' in nomad_jobs/.\"; \\\n\t\texit 1; \\\n\tfi; \\\n\techo \"Found job file: $$JOB_FILE\"; \\\n\tnomad job run $$JOB_FILE\n\n.PHONY: deploy-base\ndeploy-base: ## Deploys base jobs (coredns, docker-registry, haproxy) to dc1\n\t@echo \"Deploying base services to dc1: $(base_deployments)\"\n\t$(foreach var,$(base_deployments), \\\n\t @JOB_FILE=$$(call find_job_file,$(var)); \\\n\t if [ -z \"$$JOB_FILE\" ]; then \\\n\t echo \"Error: Could not find nomad job file for base deployment '$(var)' in nomad_jobs/.\"; \\\n\t exit 1; \\\n\t fi; \\\n\t echo \"Deploying $(var) from $$JOB_FILE...\"; \\\n\t nomad job run -var datacenters='[\"dc1\"]' $$JOB_FILE; \\\n\t)\n\n.PHONY: sslkeys\nsslkeys: ## Generate certs if you have SSL enabled\n\tconsul-template -config ssl/consul-template.hcl -once -vault-renew-token=false\n\n.PHONY: ssl-browser-cert\nssl-browser-cert: ## Generate browser cert if you have SSL enabled\n\tsudo openssl pkcs12 -export -out browser_cert.p12 -inkey ssl/hetzner/server-key.pem -in ssl/hetzner/server.pem -certfile ssl/hetzner/nomad-ca.pem\n\n.PHONY: sync-github-secrets\nsync-github-secrets: ## Sync NOMAD_VAR variables from .envrc to GitHub secrets using gh CLI\n\t@echo \"Syncing NOMAD_VAR variables from .envrc to GitHub secrets...\"\n\t@bash -c 'source .envrc && env | grep \"^NOMAD_VAR_\" | while read -r line; do \\\n\t\tname=\"$${line%%=*}\"; \\\n\t\tvalue=\"$${line#*=}\"; \\\n\t\techo \"Setting $$name\"; \\\n\t\tprintf \"%s\" \"$$value\" | gh secret set \"$$name\"; \\\n\tdone'\n\t@echo \"✅ All NOMAD_VAR secrets synced to GitHub\"\n\n.PHONY: build-update-metadata\nbuild-update-metadata: ## Build the update-metadata Docker image\n\t@echo \"Building update-metadata Docker image...\"\n\t# Assumes update-metadata is in docker_images/update-metadata/\n\tdocker build --platform linux/amd64 -t update-metadata:latest docker_images/update-metadata/\n\n.PHONY: build-gcp-dns-updater\nbuild-gcp-dns-updater: ## Build the gcp-dns-updater Docker image\n\t@echo \"Building gcp-dns-updater Docker image...\"\n\t# Assumes gcp-dns-updater is in docker_images/gcp-dns-updater/\n\tdocker build --platform linux/amd64 -t docker.$$NOMAD_VAR_tld/gcp-dns-updater:latest docker_images/gcp-dns-updater/\n\n# Example deployment target for gcp-dns-updater (if needed, uncomment and adjust)\n#.PHONY: deploy-gcp-dns-updater\n#deploy-gcp-dns-updater: ## Deploy gcp-dns-updater job using generic target\n#\t$(MAKE) deploy-gcp-dns-updater\n"
},
{
"path": "README.md",
"content": "# Hashi-Homelab\n\n![](\"homelab.png\")
\n
\n\n### UPDATE - September 2nd 2025\n\nThis repo has gone through some major changes since the last update. I've completely reorganized the job structure into 10 clean categories (77 services total now!), added a comprehensive AI/ML stack with Ollama and Open-WebUI, enhanced the monitoring with Loki and Vector for log aggregation, modernized the alertmanager with better persistence and pushover notifications, added weekly docker cleanup automation, redesigned CoreDNS and Traefik for proper HA deployment, and implemented comprehensive Nomad allocation monitoring. The GitHub Actions deployment has been refined with better change detection and the whole thing just runs much more smoothly now. Also added a bunch of new services like smart home integration, personal cloud apps, and storage backends including pgvector for AI workloads, plus a few other bits and bobs that make the whole setup more robust.\n\n### Background\n\nThe hashi-homelab was born of a desire to have a simple to maintain but very flexible homelab setup. While designed to work as a cohesive whole, each individual job can be taken and deployed on any Nomad cluster with minimal adjustments - they're built to be portable and self-contained.\n\nThe main goals were to keep the resources required to run the base lab setup small and to have all of the parts be easily exchangeable. \n\n`make deploy-base` will deploy coredns, docker-registry and haproxy - these are needed for everything else to work but aside from these you can pick and choose what to deploy with `make deploy-SERVICE_NAME` to deploy any of the 77 services organized across 10 categories. `make deploy-prometheus` or `make deploy-ollama` for example. You can also target specific datacenters with `make dc1-traefik` or `make all-postgres`.\n\nThe whole thing is organized much better now with services grouped into logical categories like ai-ml, media-stack, smart-home, observability, etc. Makes it way easier to find what you're looking for and deploy related services together.\n\nIn the future I would like to provide a ready to boot image for a raspberry pi where you can run all of this as the resources needed are really minimal. With just the basics you can get away with one pi4 4gb model with plenty of room to spare.\n\n### Core Components:\n\n* **Scheduler**: Nomad *...with proper allocation monitoring now*\n* **Service Catalog/Registry**: Consul \n* **Service Mesh**: Traefik *...redesigned for HA deployment, much more robust*\n* **VPN**: Tailscale *...can't say enough good things about tailscale, its integral for my homelab now*\n* **DNS**: CoreDNS *...now with HA setup and proper failover*\n* **Keepalived**: Assign a floating IP for DNS to not lose it if a node goes down\n* **Monitoring**: Prometheus, Alertmanager, Telegraf, Blackbox-exporter, and Grafana *...plus Loki and Vector for log aggregation* \n* **Container Registry**: Docker-Registry *...because sometimes you don't want to rely on Docker Hub being up* \n* **AI/ML**: Ollama for local LLM serving, Open-WebUI for chat interface, LiteLLM for API compatibility\n* **Vector Database**: PostgreSQL with pgvector extension for AI/ML vector embeddings storage and similarity search\n* **Storage**: NFS and iSCSI CSI plugins for persistent storage across the cluster\n\n### Service Categories (77 total):\n\n* **ai-ml** (8): ollama, open-webui, litellm, cognee, crawl4ai, manyfold, paperless-ai, pgvector-client\n* **core-infra** (13): coredns, traefik, haproxy, keepalived, tailscale, github-runner, csi plugins, etc.\n* **media-stack** (16): plex, sonarr, radarr, lidarr, sabnzbd, qbittorrent, overseerr, navidrome, etc.\n* **personal-cloud** (4): nextcloud, bitwarden, paperless, radicale\n* **smart-home** (5): home-assistant, deconz, zigbee2mqtt, mqtt, owntracks-recorder \n* **observability** (7): prometheus, grafana, alertmanager, loki, vector, telegraf, blackbox-exporter\n* **storage-backends** (9): postgres, pgvector, redis, mariadb, neo4j, qdrant, docker-registry, etc.\n* **web-apps** (5): heimdall, wordpress, firecrawl, alertmanager-dashboard, www\n* **misc** (7): gitea, uploader, murmur, octoprint, adb, linuxgsm, gcp-dns-updater\n* **system** (3): docker-cleanup, volumes\n\n### Setup\n\nYou need to have Nomad and Consul already running, a simple setup with the -dev flag will suffice for testing but you'll want a proper cluster for real usage. If don't already have a Nomad and Consul cluster, there are some excellent guides here... \nhttps://www.nomadproject.io/guides/install/production/deployment-guide.html \nhttps://learn.hashicorp.com/consul/datacenter-deploy/deployment-guide \n\nThere are also some files in the `config` folder to help you get started and also one with some services to announce so the Consul and Nomad UI are available over the service mesh.\n\nThis repo relies on a `.envrc` file and direnv installed or setting the environment variables manually.\nThere is an `envrc` example file located in the repo that you can fill in and move to `.envrc`\n\n\nThe secret values from the `.envrc` also need to be put into your github secrets if you plan on deploying via the automated workflow. You can use `make sync-github-secrets` to sync them all at once which is pretty handy.\n\nOnce this is done, you simply run a `make deploy-base` and point your DNS to resolve via one of the Nomad nodes' IP address. \n\nOne of the more specific parts of the setup that you may need to adjust is I use several NFS mounts to provide persistent storage mounted on each client at `/home/shared` for configs and `/home/media` for images, video, audio, etc. Depending on which parts of this you are planning to deploy you will just need to adjust this persistent storage to meet the setup of your clients. The CSI plugins help make this more flexible now.\n\nServices are exposed by their task name in the nomad job and whatever you configure your TLD to be in the `.envrc`. The whole thing works really well with the automated GitHub Actions deployment now - just push changes and they get deployed automatically to your cluster. This requires tailscale for the GitHub Actions to connect to your cluster.\n"
},
{
"path": "ansible/configs/consul.hcl.j2",
"content": "#jinja2: trim_blocks:False\nserver = {% if \"lan-client-server\" in group_names %}true{% else %}false{% endif %}\nui = {% if \"lan-client-server\" in group_names %}true{% else %}false{% endif %}\n{% if \"wan-clients\" in group_names %}\n{% raw %}\nclient_addr = \"{{GetInterfaceIP \\\"tailscale0\\\"}}\"\nadvertise_addr = \"{{GetInterfaceIP \\\"tailscale0\\\"}}\"\nbind_addr = \"{{GetInterfaceIP \\\"tailscale0\\\"}}\"\n{% endraw %}\n{% else %}\n{% raw %}\nclient_addr = \"0.0.0.0\"\nadvertise_addr = \"{{ GetPrivateInterfaces | include \\\"network\\\" \\\"192.168.50.0/24\\\" | attr \\\"address\\\" }}\"\nbind_addr = \"0.0.0.0\"\n{% endraw %}\n{% endif %}\n{% raw %}\nadvertise_addr_wan = \"{{ GetPrivateInterfaces | include \\\"network\\\" \\\"192.168.50.0/24\\\" | attr \\\"address\\\" }}\"\n{% endraw %}\ntranslate_wan_addrs = true\ndata_dir = \"/var/lib/consul\"\ndatacenter = \"homelab\"\nenable_syslog = true\nleave_on_terminate = true\nlog_level = \"WARN\"\nretry_join = [\"192.168.50.39\", \"192.168.50.113\", \"192.168.50.85\"]\n{% if \"lan-client-server\" in group_names %}bootstrap_expect = 3{% else %}{% endif %}\ntelemetry {\n prometheus_retention_time = \"60s\"\n}\n"
},
{
"path": "ansible/configs/consul.service",
"content": "[Unit]\nDescription=consul agent\nRequires=network-online.target tailscaled.service\nAfter=network-online.target tailscaled.service\n\n[Service]\nExecStartPre=/bin/sleep 30\nEnvironmentFile=-/etc/default/consul\nRestart=always\nExecStart=/usr/bin/consul agent -domain consul -ui -config-dir=/etc/consul.d\nExecReload=/bin/kill -HUP $MAINPID\nKillSignal=SIGINT\n[Install]\nWantedBy=multi-user.target\n"
},
{
"path": "ansible/configs/docker-daemon.json.j2",
"content": "{\n \"dns\": [\"192.168.50.2\", \"192.168.50.1\", \"8.8.8.8\"]{% if 'cheese' in group_names %},\n \"runtimes\": {\n \"nvidia\": {\n \"args\": [],\n \"path\": \"nvidia-container-runtime\"\n }\n }\n{% endif %}\n}\n"
},
{
"path": "ansible/configs/nomad.hcl.j2",
"content": "#jinja2: trim_blocks:False\ndata_dir = \"/var/lib/nomad/\"\ndatacenter = {% if \"cheese\" in group_names %}\"cheese\"{% elif \"minecraft\" in group_names %}\"minecraft\"{% else %}\"dc1\"{% endif %}\nlog_level = \"warn\"\nbind_addr = \"0.0.0.0\"\nregion = \"home\"\n\nserver {\n enabled = {% if \"lan-client-server\" in group_names %}true{% else %}false{% endif %}\n bootstrap_expect = 3\n server_join {\n retry_join = [\"192.168.50.39\", \"192.168.50.113\", \"192.168.50.85\"]\n retry_max = 3\n retry_interval = \"15s\"\n }\n authoritative_region = \"home\"\n heartbeat_grace = \"300s\"\n min_heartbeat_ttl = \"20s\"\n}\n\nclient {\n enabled = true\n{% raw %}\n network_interface = \"{{ GetPrivateInterfaces | include \\\"network\\\" \\\"192.168.50.0/24\\\" | attr \\\"name\\\" }}\"\n{% endraw %}\n options {\n docker.auth.config = \"/root/.docker/config.json\"\n docker.privileged.enabled = true\n driver.raw_exec.enable = \"1\"\n docker.volumes.enabled = true\n }\n\n meta {\n shared_mount = {% if \"wan-clients\" in group_names %}\"false\"{% else %}\"true\"{% endif %}\n dns = {% if \"wan-clients\" in group_names %}\"false\"{% else %}\"true\"{% endif %}\n {%- if ansible_hostname == \"klo01\" %}\n keepalived_priority = \"100\"\n keepalived_priority_dns1 = \"100\"\n keepalived_priority_dns2 = \"{{ 200 | random(start=101) }}\"\n {%- else %}\n keepalived_priority = \"{{ 200 | random(start=101) }}\"\n keepalived_priority_dns1 = \"{{ 200 | random(start=101) }}\"\n keepalived_priority_dns2 = \"{{ 200 | random(start=101) }}\"\n {%- endif %}\n }\n\n host_network \"lan\" {\n cidr = \"192.168.50.0/24\"\n reserved_ports = \"22\"\n }\n\n host_network \"tailscale\" {\n cidr = \"100.0.0.0/8\"\n reserved_ports = \"22\"\n }\n\n {% if \"wan-clients\" in group_names %}\n host_network \"public\" {\n cidr = \"78.47.90.68/32\"\n reserved_ports = \"22\"\n }\n {%- endif %}\n\n {%- if ansible_hostname == \"klo01\" %}\n reserved {\n memory = 3072\n }\n {%- endif %}\n\n}\n\ntelemetry {\n disable_hostname = true\n prometheus_metrics = true\n publish_allocation_metrics = true\n publish_node_metrics = true\n use_node_name = false\n}\n{% raw %}\nadvertise {\n http = \"{{ GetPrivateInterfaces | include \\\"network\\\" \\\"192.168.50.0/24\\\" | attr \\\"address\\\" }}:4646\"\n rpc = \"{{ GetPrivateInterfaces | include \\\"network\\\" \\\"192.168.50.0/24\\\" | attr \\\"address\\\" }}:4647\"\n serf = \"{{ GetPrivateInterfaces | include \\\"network\\\" \\\"192.168.50.0/24\\\" | attr \\\"address\\\" }}:4648\"\n}\n{% endraw %}\nconsul {\n # The address to the Consul agent.\n {%- raw %}\n address = \"127.0.0.1:8500\"\n {%- endraw %}\n # The service name to register the server and client with Consul.\n\n client_service_name = \"nomad-client\"\n\n # Enables automatically registering the services.\n auto_advertise = true\n\n # Enabling the server and client to bootstrap using Consul.\n server_auto_join = true\n client_auto_join = true\n}\n\n#vault {\n# enabled = true\n# address = \"http://vault.service.home:8200\"\n# allow_unauthenticated = true\n# create_from_role = \"nomad-cluster\"\n#}\n\nplugin \"docker\" {\n config {\n allow_caps = [\"CHOWN\",\"DAC_OVERRIDE\",\"FSETID\",\"FOWNER\",\"MKNOD\",\"NET_RAW\",\"SETGID\",\"SETUID\",\"SETFCAP\",\"SETPCAP\",\"NET_BIND_SERVICE\",\"SYS_CHROOT\",\"KILL\",\"AUDIT_WRITE\",\"NET_ADMIN\",\"NET_BROADCAST\",\"SYS_NICE\"]\n # extra Docker labels to be set by Nomad on each Docker container with the appropriate value\n extra_labels = [\"job_name\", \"task_group_name\", \"task_name\", \"namespace\", \"node_name\"]\n allow_privileged = true\n volumes {\n enabled = true\n selinuxlabel = \"z\"\n }\n }\n}\n"
},
{
"path": "ansible/configs/nomad.service",
"content": "[Unit]\nDescription=nomad.agent\nRequires=network-online.target tailscaled.service\nAfter=network-online.target tailscaled.service remote-fs.target\n# Hard requirement: Nomad must not start until NFS mounts are ready\nRequiresMountsFor=/home/shared /home/media/TV /home/media/Music /home/media/Movies /home/media/Books\n\n[Service]\nEnvironmentFile=-/etc/default/nomad\nRestart=on-failure\nRestartSec=10\nExecStart=/usr/bin/nomad agent $OPTIONS -config=/etc/nomad.d/nomad.hcl\nExecReload=/bin/kill -HUP $MAINPID\nKillSignal=SIGINT\nKillMode=process\n\n[Install]\nWantedBy=multi-user.target\n"
},
{
"path": "ansible/playbook.yml",
"content": "---\n- name: network mounts\n hosts:\n - lan-client-server\n - lan-client\n - cheese\n - minecraft\n become: true\n remote_user: root\n tasks:\n - name: Configure static IP via netplan\n copy:\n dest: /etc/netplan/00-installer-config.yaml\n content: |\n network:\n version: 2\n ethernets:\n ens3:\n addresses:\n - {{ inventory_hostname }}/24\n routes:\n - to: default\n via: 192.168.50.1\n nameservers:\n addresses:\n - 192.168.50.1\n notify: Apply netplan\n\n - name: Ensure directories exist\n file:\n path: \"{{ item }}\"\n state: directory\n mode: '0755'\n with_items:\n - /home/shared\n - /home/media/TV\n - /home/media/Music\n - /home/media/Movies\n - /home/media/Books\n\n - name: makesure multipath.conf exists\n copy:\n content: \"\"\n dest: /etc/multipath.conf\n force: no\n backup: yes\n ignore_errors: yes\n\n - name: Manage /etc/multipath.conf\n blockinfile:\n path: /etc/multipath.conf\n block: |\n defaults {\n user_friendly_names yes\n find_multipaths yes\n }\n\n - name: Install Apt packages\n apt:\n name:\n - nfs-common\n - avahi-daemon\n - docker.io\n - open-iscsi\n - lsscsi\n - sg3-utils\n - multipath-tools\n - scsitools\n\n - name: Ensure /etc/docker directory exists\n file:\n path: /etc/docker\n state: directory\n mode: '0755'\n\n - name: Add NVIDIA Container Toolkit GPG key\n apt_key:\n url: https://nvidia.github.io/libnvidia-container/gpgkey\n state: present\n keyring: /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg\n when: \"'cheese' in group_names\"\n\n - name: Add NVIDIA Container Toolkit repository\n apt_repository:\n repo: \"deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://nvidia.github.io/libnvidia-container/stable/deb/$(ARCH) /\"\n state: present\n filename: nvidia-container-toolkit\n when: \"'cheese' in group_names\"\n\n - name: Install NVIDIA Container Toolkit\n apt:\n name: nvidia-container-toolkit\n state: present\n update_cache: yes\n when: \"'cheese' in group_names\"\n\n - name: Configure Docker daemon with fallback DNS and nvidia runtime\n template:\n src: configs/docker-daemon.json.j2\n dest: /etc/docker/daemon.json\n notify: Restart Docker\n\n - name: Remove old NFS fstab entries\n lineinfile:\n path: /etc/fstab\n regexp: '^192\\.168\\.50\\.208:/mnt/.*'\n state: absent\n\n - name: Add NFS fstab entries with proper options\n blockinfile:\n path: /etc/fstab\n marker: \"# {mark} ANSIBLE MANAGED NFS MOUNTS\"\n block: |\n 192.168.50.208:/mnt/pool0/share /home/shared nfs4 _netdev,hard,timeo=600,retrans=5,x-systemd.mount-timeout=90,x-systemd.requires=network-online.target,x-systemd.after=network-online.target 0 0\n 192.168.50.208:/mnt/pool1/media/TV /home/media/TV nfs4 _netdev,hard,timeo=600,retrans=5,x-systemd.mount-timeout=90,x-systemd.requires=network-online.target,x-systemd.after=network-online.target 0 0\n 192.168.50.208:/mnt/pool0/media/music /home/media/Music nfs4 _netdev,hard,timeo=600,retrans=5,x-systemd.mount-timeout=90,x-systemd.requires=network-online.target,x-systemd.after=network-online.target 0 0\n 192.168.50.208:/mnt/pool1/media/Movies /home/media/Movies nfs4 _netdev,hard,timeo=600,retrans=5,x-systemd.mount-timeout=90,x-systemd.requires=network-online.target,x-systemd.after=network-online.target 0 0\n 192.168.50.208:/mnt/pool0/media/audiobooks /home/media/Books nfs4 _netdev,hard,timeo=600,retrans=5,x-systemd.mount-timeout=90,x-systemd.requires=network-online.target,x-systemd.after=network-online.target 0 0\n notify:\n - Reload systemd fstab\n - Mount Filesystems\n\n - name: Enable services\n systemd:\n name: \"{{ item }}\"\n enabled: yes\n state: started\n with_items:\n - open-iscsi\n - multipath-tools\n\n handlers:\n - name: Apply netplan\n command: netplan apply\n\n - name: Reload systemd fstab\n systemd:\n daemon_reload: yes\n\n - name: Mount Filesystems\n command: mount -a\n\n - name: Restart Docker\n service:\n name: docker\n state: restarted\n\n- name: Update configuration, execute command, and install packages\n hosts:\n - lan-client-server\n - lan-client\n - wan-clients\n - cheese\n - minecraft\n remote_user: root\n #roles:\n # - role: artis3n.tailscale\n # vars:\n # # Example pulling the API key from the env vars on the host running Ansible\n # tailscale_authkey: \"{{ lookup('env', 'NOMAD_VAR_tailscale_auth') }}\"\n # tailscale_args: \"{% if 'wan-clients' in group_names %}--accept-routes=true{% else %}--accept-routes=false{% endif %}\"\n tasks:\n - name: Ensure directories exist\n file:\n path: \"{{ item }}\"\n state: directory\n mode: '0755'\n with_items:\n - /var/lib/nomad\n - /var/lib/consul\n - /etc/nomad.d\n - /etc/consul.d\n\n - name: Manage systemd service file nomad\n copy:\n src: configs/nomad.service\n dest: /lib/systemd/system/nomad.service\n notify: Reload systemd\n\n - name: Manage systemd service file consul\n copy:\n src: configs/consul.service\n dest: /lib/systemd/system/consul.service\n notify: Reload systemd\n\n - name: manage nomad config\n template:\n src: configs/nomad.hcl.j2\n dest: /etc/nomad.d/nomad.hcl\n notify: Restart Service\n\n - name: manage consul config\n template:\n src: configs/consul.hcl.j2\n dest: /etc/consul.d/server.hcl\n\n - name: Add HashiCorp APT repository key\n apt_key:\n url: https://apt.releases.hashicorp.com/gpg\n state: present\n validate_certs: no\n keyring: /usr/share/keyrings/hashicorp-archive-keyring.gpg\n\n - name: Configure HashiCorp APT repository\n apt_repository:\n repo: \"deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main\"\n\n - name: Install Apt packages\n apt:\n name:\n - nomad=1.10.4-1\n - consul=1.19.1-1\n dpkg_options: 'force-confdef,force-confold'\n update_cache: true\n state: latest\n allow_downgrade: true\n\n - name: Modify sysctl entry for net.ipv4.ip_nonlocal_bind\n sysctl:\n name: \"{{ item.name }}\"\n value: \"{{ item.value }}\"\n state: present\n with_items:\n - { name: \"net.ipv4.ip_nonlocal_bind\", value: \"1\" }\n - { name: \"net.ipv4.conf.all.forwarding\", value: \"1\" }\n notify: Apply Sysctl Changes\n\n - name: Enable services\n systemd:\n name: \"{{ item }}\"\n enabled: yes\n state: started\n with_items:\n - nomad\n - consul\n - tailscaled\n\n handlers:\n - name: Restart Service\n service:\n name: nomad\n state: restarted\n\n - name: Reload systemd\n systemd:\n daemon_reload: yes\n\n - name: Mount Filesystems\n command: mount -a\n\n - name: Apply Sysctl Changes\n command: sysctl -p /etc/sysctl.conf\n\n- name: Install and configure Tailscale\n hosts:\n - all\n become: yes\n remote_user: root\n gather_facts: yes\n tags: tailscale\n\n vars:\n # Read authkey from environment variable; default to 'MISSING' if not set\n tailscale_auth_key: \"{{ lookup('env', 'NOMAD_VAR_tailscale_auth') | default('MISSING') }}\"\n # Optionally customize your Tailscale hostname\n tailscale_hostname: \"{{ inventory_hostname }}\"\n # Tag to advertise (must match OAuth client tag)\n tailscale_tags: \"tag:nomad\"\n\n tasks:\n - name: Download Tailscale GPG key via curl\n shell: >\n curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.noarmor.gpg\n | tee /usr/share/keyrings/tailscale-archive-keyring.gpg\n >/dev/null\n changed_when: true\n\n - name: Update apt cache\n apt:\n update_cache: yes\n\n - name: Configure Tailscale apt repository\n copy:\n dest: /etc/apt/sources.list.d/tailscale.list\n content: |\n deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg arch=amd64] https://pkgs.tailscale.com/stable/ubuntu/ noble main\n\n - name: Update apt cache (after adding Tailscale repo)\n apt:\n update_cache: yes\n\n - name: Install Tailscale\n apt:\n name: tailscale\n state: latest\n\n - name: Enable and start tailscaled service\n service:\n name: tailscaled\n state: started\n enabled: yes\n\n - name: Bring Tailscale interface up using authkey\n # \"command\" used because there's no official Ansible module for \"tailscale up\".\n # This is not strictly idempotent; see notes below for advanced usage.\n command: >\n tailscale up\n --authkey={{ tailscale_auth_key }}\n --hostname={{ tailscale_hostname }}\n --advertise-tags={{ tailscale_tags }}\n --accept-dns=false\n --reset\n register: tailscale_up\n changed_when: \"'Success' in tailscale_up.stdout or 'Success' in tailscale_up.stderr or tailscale_up.rc == 0\"\n\n - name: Show tailscale status\n command: tailscale status\n register: tailscale_status\n changed_when: false\n\n - debug:\n var: tailscale_status.stdout\n\n- name: Install Zsh and Oh My Zsh with Agnoster theme\n hosts: all\n become: yes\n remote_user: root\n gather_facts: yes\n\n vars:\n my_zsh_user: \"root\" # Change this to the desired user\n\n tasks:\n - name: Install zsh\n apt:\n name: zsh\n state: present\n update_cache: yes\n\n - name: Ensure home directory path is known\n user:\n name: \"{{ my_zsh_user }}\"\n register: user_info # This captures the user details, including home directory.\n\n - name: Check if Oh My Zsh is already installed\n stat:\n path: \"/root/.oh-my-zsh\"\n register: oh_my_zsh_stat\n\n - name: Check if zshrc exists\n stat:\n path: \"/root/.zshrc\"\n register: zshrc_stat\n\n - name: Clone Oh My Zsh\n git:\n repo: \"https://github.com/ohmyzsh/ohmyzsh.git\"\n dest: \"/root/.oh-my-zsh\"\n become_user: \"{{ my_zsh_user }}\"\n when: not oh_my_zsh_stat.stat.exists\n\n - name: Copy the default .zshrc template if not present\n copy:\n src: \"/root/.oh-my-zsh/templates/zshrc.zsh-template\"\n dest: \"/root/.zshrc\"\n remote_src: yes\n become_user: \"{{ my_zsh_user }}\"\n when: not zshrc_stat.stat.exists\n\n - name: Set Oh My Zsh theme to agnoster\n # Uses a regex replace to ensure 'ZSH_THEME=\"agnoster\"'\n replace:\n path: \"/root/.zshrc\"\n regexp: '^ZSH_THEME=\"[^\"]+\"'\n replace: 'ZSH_THEME=\"agnoster\"'\n become_user: \"{{ my_zsh_user }}\"\n\n - name: Change default shell to zsh for the user\n user:\n name: \"{{ my_zsh_user }}\"\n shell: /usr/bin/zsh\n"
},
{
"path": "ansible/zsh.yml",
"content": "---\n- name: Install Zsh and Oh My Zsh with Agnoster theme\n hosts: cheese\n become: yes\n remote_user: root\n gather_facts: yes\n\n vars:\n my_zsh_user: \"root\" # Change this to the desired user\n\n tasks:\n - name: Install zsh\n apt:\n name: zsh\n state: present\n update_cache: yes\n\n - name: Ensure home directory path is known\n user:\n name: \"{{ my_zsh_user }}\"\n register: user_info # This captures the user details, including home directory.\n\n - name: Check if Oh My Zsh is already installed\n stat:\n path: \"/root/.oh-my-zsh\"\n register: oh_my_zsh_stat\n\n - name: Check if zshrc exists\n stat:\n path: \"/root/.zshrc\"\n register: zshrc_stat\n\n - name: Clone Oh My Zsh \n git:\n repo: \"https://github.com/ohmyzsh/ohmyzsh.git\"\n dest: \"/root/.oh-my-zsh\"\n become_user: \"{{ my_zsh_user }}\"\n when: not oh_my_zsh_stat.stat.exists\n\n - name: Copy the default .zshrc template if not present\n copy:\n src: \"/root/.oh-my-zsh/templates/zshrc.zsh-template\"\n dest: \"/root/.zshrc\"\n remote_src: yes\n become_user: \"{{ my_zsh_user }}\"\n when: not zshrc_stat.stat.exists\n\n - name: Set Oh My Zsh theme to agnoster\n # Uses a regex replace to ensure 'ZSH_THEME=\"agnoster\"'\n replace:\n path: \"/root/.zshrc\"\n regexp: '^ZSH_THEME=\"[^\"]+\"'\n replace: 'ZSH_THEME=\"agnoster\"'\n become_user: \"{{ my_zsh_user }}\"\n\n - name: Change default shell to zsh for the user\n user:\n name: \"{{ my_zsh_user }}\"\n shell: /usr/bin/zsh\n\n"
},
{
"path": "docker_images/gcp-dns-updater/Dockerfile",
"content": "FROM python:3.14-slim\n\n# Set the working directory in the container\nWORKDIR /app\n\n# Copy the requirements file into the container at /app\nCOPY requirements.txt .\n\n# Install any needed packages specified in requirements.txt\n# Using --no-cache-dir to reduce image size\nRUN pip install --no-cache-dir -r requirements.txt\n\n# Copy the current directory contents into the container at /app\nCOPY update_dns.py .\n\n# Define the command to run the application\nCMD [\"python\", \"update_dns.py\"]\n"
},
{
"path": "docker_images/gcp-dns-updater/README.md",
"content": "# GCP Dynamic DNS Updater Service\n\nThis service periodically checks the public IPv4 address of the node it's running on and updates a specified A record in a Google Cloud DNS managed zone. It's designed to run as a Nomad job within the Hashi-Homelab environment, utilizing a **pre-built Docker image**.\n\n## Features\n\n* Fetches the current public IPv4 address from `https://v4.ifconfig.co/ip`.\n* Uses the `google-cloud-dns` Python SDK to interact with Google Cloud DNS.\n* Authenticates using a GCP Service Account key provided via an environment variable.\n* Checks the specified DNS record:\n * If it's a CNAME, it deletes the CNAME record.\n * If it's an A record, it updates the IP address if it has changed.\n * If it doesn't exist (or after deleting a CNAME), it creates the A record with the specified TTL.\n* Runs periodically via a Nomad job, executing the Python script within the pre-built Docker container.\n\n## Prerequisites\n\n1. **Docker:** Docker must be installed locally to build the service image.\n2. **GCP Service Account:** You need a Google Cloud Platform service account with the necessary permissions to manage DNS records.\n * Go to the GCP Console -> IAM & Admin -> Service Accounts.\n * Create a new service account (e.g., `gcp-dns-updater-sa`).\n * Grant this service account the `DNS Administrator` role (`roles/dns.admin`) on the project containing your managed zone.\n * Create a JSON key file for this service account and download it securely. You will need the *contents* of this file, not the file itself.\n3. **Nomad Environment:** A running Nomad cluster where this job can be scheduled. The Nomad clients must have Docker installed and configured.\n\n## Configuration\n\nThe service is configured via environment variables passed to the Nomad task, which are then consumed by the `update_dns.py` script running inside the Docker container:\n\n* `GCP_DNS_ZONE_NAME`: The name of the managed zone in GCP DNS (e.g., `demonsafe-com`). The script derives the Project ID from the credentials.\n* `GCP_DNS_RECORD_NAME`: The DNS record name to update (e.g., `*.demonsafe.com`). **Note:** The script expects the base name; the trailing dot is handled internally if needed by the SDK.\n* `RECORD_TTL`: (Optional) The Time-To-Live (in seconds) for the created/updated A record. Defaults to 300 if not set.\n* `GCP_PROJECT_ID`: The Google Cloud Project ID containing the DNS zone.\n* `GCP_SERVICE_ACCOUNT_KEY_B64`: **Required.** The base64-encoded *content* of the GCP service account JSON key file.\n\n**Generating the Base64 Key:**\n\nYou need to encode the *content* of your downloaded JSON key file into a single-line base64 string.\n\nOn Linux/macOS, you can use:\n```bash\nbase64 -w 0 < /path/to/your/gcp_key.json\n```\n*(Ensure you use `-w 0` or an equivalent flag for your `base64` command to prevent line wrapping)*\n\nCopy the resulting string.\n\n**Setting Environment Variables in Nomad:**\n\nThese variables are defined within the `env` block of the `nomad.job` file using Go templating to read runtime environment variables provided by the Nomad agent (which in turn are often sourced from the deployment mechanism, like GitHub Actions):\n\n```hcl\n# Example within nomad.job task config\nenv {\n GCP_DNS_ZONE_NAME = < {existing_a_record.rrdatas}\")\n elif record_set.record_type == 'CNAME' and record_set.name == fqdn:\n existing_cname_record = record_set\n logging.info(f\"Found existing CNAME record: {existing_cname_record.name} -> {existing_cname_record.rrdatas}\")\n\n changes = zone.changes()\n needs_update = False\n\n # Handle existing CNAME (delete it to replace with A)\n if existing_cname_record:\n logging.warning(f\"Deleting existing CNAME record {fqdn} to replace with A record.\")\n changes.delete_record_set(existing_cname_record)\n needs_update = True\n # Ensure we don't try to delete an A record if we just deleted a CNAME\n existing_a_record = None\n\n # Define the new A record we want\n new_a_record = zone.resource_record_set(fqdn, \"A\", 300, [ip_address])\n\n # Handle existing A record\n if existing_a_record:\n if existing_a_record.rrdatas == [ip_address]:\n logging.info(f\"Existing A record {fqdn} already points to {ip_address}. No update needed.\")\n return # Nothing to do\n else:\n logging.info(f\"Existing A record {fqdn} points to {existing_a_record.rrdatas}. Updating to {ip_address}.\")\n changes.delete_record_set(existing_a_record)\n changes.add_record_set(new_a_record)\n needs_update = True\n # Handle case where no A record (and no CNAME was found/deleted)\n elif not existing_cname_record: # Only add if we didn't already decide to replace CNAME\n logging.info(f\"No existing A or CNAME record found for {fqdn}. Creating new A record pointing to {ip_address}.\")\n changes.add_record_set(new_a_record)\n needs_update = True\n # Handle case where CNAME was found and deleted - we still need to add the A record\n elif existing_cname_record:\n logging.info(f\"Adding A record for {fqdn} pointing to {ip_address} after CNAME deletion.\")\n changes.add_record_set(new_a_record)\n # needs_update should already be True\n\n # Execute the changes if any were queued\n if needs_update:\n logging.info(f\"Executing DNS changes for {fqdn} in zone {gcp_zone_name}...\")\n changes.create()\n # Wait until the changes are finished.\n while changes.status != 'done':\n logging.info(f\"Waiting for DNS changes to complete (status: {changes.status})...\")\n time.sleep(5) # Wait 5 seconds before checking again\n changes.reload()\n logging.info(f\"Successfully updated DNS record {fqdn} to {ip_address} in zone {gcp_zone_name}.\")\n else:\n # This case should only be hit if an A record existed and was correct\n logging.info(\"No DNS changes were necessary.\")\n\n except GoogleAPIError as e:\n logging.error(f\"GCP API Error updating DNS record {fqdn} in zone {gcp_zone_name}: {e}\")\n except Exception as e:\n logging.error(f\"An unexpected error occurred during DNS update for {fqdn} in zone {gcp_zone_name}: {e}\")\n\n\ndef update_spf_record(client: dns.Client, project_id: str, zone_name: str, record_name: str, ip_address: str):\n \"\"\"Updates the SPF TXT record on the bare domain with the current public IP.\"\"\"\n try:\n gcp_zone_name = zone_name.replace('.', '-')\n logging.info(f\"Updating SPF record in zone: {gcp_zone_name}\")\n\n zone = client.zone(gcp_zone_name, project_id)\n if not zone.exists():\n logging.error(f\"DNS zone '{gcp_zone_name}' not found in project '{project_id}'.\")\n return\n\n # Derive bare domain from record_name (e.g., \"*.demonsafe.com\" -> \"demonsafe.com.\")\n domain = record_name.lstrip('*.') if record_name.startswith('*.') else record_name\n fqdn = domain if domain.endswith('.') else f\"{domain}.\"\n logging.info(f\"Checking TXT records for: {fqdn}\")\n\n spf_value = f'\"v=spf1 ip4:{ip_address} ~all\"'\n\n record_sets = list(zone.list_resource_record_sets(filter_=f\"name={fqdn}\"))\n existing_txt = None\n for rs in record_sets:\n if rs.record_type == 'TXT' and rs.name == fqdn:\n existing_txt = rs\n logging.info(f\"Found existing TXT record: {rs.name} -> {rs.rrdatas}\")\n break\n\n changes = zone.changes()\n needs_update = False\n\n if existing_txt:\n new_rrdatas = []\n spf_found = False\n for rd in existing_txt.rrdatas:\n if 'v=spf1' in rd:\n spf_found = True\n if ip_address in rd:\n logging.info(f\"SPF record already contains {ip_address}. No update needed.\")\n return\n logging.info(f\"Replacing SPF entry: {rd} -> {spf_value}\")\n new_rrdatas.append(spf_value)\n else:\n new_rrdatas.append(rd)\n if not spf_found:\n logging.info(f\"No existing SPF entry found. Adding: {spf_value}\")\n new_rrdatas.append(spf_value)\n\n changes.delete_record_set(existing_txt)\n new_txt = zone.resource_record_set(fqdn, \"TXT\", 300, new_rrdatas)\n changes.add_record_set(new_txt)\n needs_update = True\n else:\n logging.info(f\"No TXT record found for {fqdn}. Creating with SPF: {spf_value}\")\n new_txt = zone.resource_record_set(fqdn, \"TXT\", 300, [spf_value])\n changes.add_record_set(new_txt)\n needs_update = True\n\n if needs_update:\n logging.info(f\"Executing SPF TXT changes for {fqdn}...\")\n changes.create()\n while changes.status != 'done':\n logging.info(f\"Waiting for SPF changes to complete (status: {changes.status})...\")\n time.sleep(5)\n changes.reload()\n logging.info(f\"Successfully updated SPF record for {fqdn} with ip4:{ip_address}\")\n\n except GoogleAPIError as e:\n logging.error(f\"GCP API Error updating SPF record: {e}\")\n except Exception as e:\n logging.error(f\"Unexpected error updating SPF record: {e}\")\n\n\nif __name__ == \"__main__\":\n logging.info(\"Starting DNS update script.\")\n project_id, zone_name, record_name, key_b64 = get_env_vars()\n public_ip = get_public_ip()\n\n # DNS Pre-check logic\n if public_ip:\n hostname_to_check = 'asdf.demonsafe.com'\n logging.info(f\"Performing pre-check for hostname: {hostname_to_check}\")\n try:\n resolved_ip = socket.gethostbyname(hostname_to_check)\n logging.info(f\"Resolved IP for {hostname_to_check}: {resolved_ip}\")\n if resolved_ip == public_ip:\n logging.info(f'DNS record for {hostname_to_check} ({resolved_ip}) already matches public IP ({public_ip}). No update needed.')\n sys.exit(0)\n else:\n logging.info(f'Resolved IP for {hostname_to_check} ({resolved_ip}) does not match public IP ({public_ip}). Proceeding with potential update.')\n except socket.gaierror as e:\n logging.warning(f'Could not resolve IP for {hostname_to_check}: {e}. Proceeding with potential update.')\n except Exception as e:\n logging.warning(f'An unexpected error occurred during DNS pre-check for {hostname_to_check}: {e}. Proceeding with potential update.')\n\n if public_ip:\n dns_client = get_dns_client(key_b64, project_id)\n if dns_client:\n update_dns_record(dns_client, project_id, zone_name, record_name, public_ip)\n update_spf_record(dns_client, project_id, zone_name, record_name, public_ip)\n logging.info(\"DNS update script finished.\")\n else:\n logging.error(\"Exiting due to DNS client initialization failure.\")\n sys.exit(1)\n else:\n logging.error(\"Exiting due to inability to fetch public IP.\")\n sys.exit(1)\n"
},
{
"path": "docker_images/update-metadata/Dockerfile",
"content": "FROM python:3.14-slim\n\nWORKDIR /app\n\nCOPY requirements.txt .\nRUN pip install --no-cache-dir -r requirements.txt\n\nCOPY sync_secrets.py .\n\nENTRYPOINT [\"python\", \"sync_secrets.py\"]\n"
},
{
"path": "docker_images/update-metadata/README.md",
"content": "# GitHub Secret Synchronization Script (Containerized)\n\n## Purpose\n\nThis script (`sync_secrets.py`), running inside a Docker container, reads environment variables defined in the project's root `.envrc` file and synchronizes them as GitHub secrets to the `perrymanuk/hashi-homelab` repository using the `PyGithub` library.\n\n## Requirements\n\n* **Docker:** Docker must be installed and running to build and execute the container.\n* **`NOMAD_VAR_github_pat` Environment Variable:** A GitHub Personal Access Token (PAT) with the `repo` scope must be available as an environment variable named `NOMAD_VAR_github_pat` in the **host shell** where you run the `make` command. The Makefile target (`sync-secrets`) will handle passing this token into the container under the name `GITHUB_TOKEN` for the script to use.\n* **`.envrc` File:** An `.envrc` file must exist at the project root (`/Users/perry.manuk/git/perrymanuk/hashi-homelab/.envrc`) containing the secrets to sync.\n\n## Usage\n\n1. **Ensure `NOMAD_VAR_github_pat` is set:** Export your GitHub PAT in your current host shell session:\n ```bash\n export NOMAD_VAR_github_pat=\"your_github_pat_here\"\n ```\n2. **Navigate to the project root directory:**\n ```bash\n cd /Users/perry.manuk/git/perrymanuk/hashi-homelab\n ```\n3. **Run the Makefile target:**\n ```bash\n make sync-secrets\n ```\n\nThis command will:\n * Build the Docker image defined in `scripts/Dockerfile`.\n * Run a container from the image.\n * Mount the host's `.envrc` file into the container.\n * Pass the **host's** `NOMAD_VAR_github_pat` environment variable into the container as `GITHUB_TOKEN`.\n * Execute the `sync_secrets.py` script within the container.\n\nThe script will output the status of each secret synchronization attempt (created, updated, or failed).\n\n**Important:** Running the script will overwrite any existing secrets in the GitHub repository that have the same name as variables found in the `.envrc` file.\n\n## `.envrc` Format\n\nThe script expects the `.envrc` file to follow this format:\n\n```bash\nexport VARIABLE_NAME=value\nexport ANOTHER_VARIABLE='value with spaces'\nexport YET_ANOTHER=\"double quoted value\"\n# This is a comment and will be ignored\n\n# Empty lines are also ignored\nexport SECRET_KEY=a_very_secret_value_here\n```\n\n* Lines must start with `export`.\n* Variable names and values are separated by `=`.\n* Values can be unquoted, single-quoted (`'...'`), or double-quoted (`\"...\"`). Quotes are stripped before syncing.\n* Lines starting with `#` (comments) and empty lines are ignored.\n"
},
{
"path": "docker_images/update-metadata/requirements.txt",
"content": "PyGithub\nhcl2\n"
},
{
"path": "docker_images/update-metadata/update_job_metadata.py",
"content": "\nimport argparse\nimport logging\nimport pathlib\nimport re\nimport sys\n\n# Configure logging\nlogging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')\n\n\ndef find_job_block(content):\n \"\"\"Find the start and end indices of the main 'job' block.\"\"\"\n job_match = re.search(r'^job\\s+\"[^\"]+\"\\s*\\{', content, re.MULTILINE)\n if not job_match:\n logging.warning(\"Could not find job block start.\")\n return None, None\n\n start_index = job_match.start()\n # Find the matching closing brace\n brace_level = 0\n end_index = -1\n in_string = False\n escaped = False\n for i, char in enumerate(content[start_index:]):\n if escaped:\n escaped = False\n continue\n if char == '\\\\':\n escaped = True\n continue\n if char == '\"':\n in_string = not in_string\n continue\n if not in_string:\n if char == '{':\n brace_level += 1\n elif char == '}':\n brace_level -= 1\n if brace_level == 0:\n end_index = start_index + i\n break\n\n if end_index == -1:\n logging.warning(\"Could not find matching closing brace for job block.\")\n return None, None\n\n return start_index, end_index + 1\n\ndef find_meta_block(content):\n \"\"\"Find the start and end indices of the 'meta' block within the given content.\"\"\"\n meta_match = re.search(r'^\\s*meta\\s*\\{', content, re.MULTILINE)\n if not meta_match:\n return None, None\n\n start_index = meta_match.start()\n # Find the matching closing brace\n brace_level = 0\n end_index = -1\n in_string = False\n escaped = False\n for i, char in enumerate(content[start_index:]):\n if escaped:\n escaped = False\n continue\n if char == '\\\\':\n escaped = True\n continue\n if char == '\"':\n in_string = not in_string\n continue\n if not in_string:\n if char == '{':\n brace_level += 1\n elif char == '}':\n brace_level -= 1\n if brace_level == 0:\n end_index = start_index + i\n break\n\n if end_index == -1:\n logging.warning(\"Could not find matching closing brace for meta block.\")\n return None, None\n\n return start_index, end_index + 1\n\ndef update_job_metadata(repo_root):\n \"\"\"Finds Nomad job files and updates their meta block with job_file path.\"\"\"\n repo_path = pathlib.Path(repo_root).resolve()\n nomad_jobs_path = repo_path / 'nomad_jobs'\n\n if not nomad_jobs_path.is_dir():\n logging.error(f\"'nomad_jobs' directory not found in {repo_path}\")\n sys.exit(1)\n\n logging.info(f\"Scanning for job files in {nomad_jobs_path}...\")\n\n job_files = list(nomad_jobs_path.rglob('*.nomad')) + list(nomad_jobs_path.rglob('*.job'))\n\n if not job_files:\n logging.warning(\"No *.nomad or *.job files found.\")\n return\n\n modified_count = 0\n for job_file in job_files:\n try:\n relative_path = job_file.relative_to(repo_path).as_posix()\n logging.debug(f\"Processing file: {relative_path}\")\n content = job_file.read_text()\n original_content = content # Keep a copy for comparison\n\n job_start, job_end = find_job_block(content)\n if job_start is None or job_end is None:\n logging.warning(f\"Skipping {relative_path}: Could not find main job block.\")\n continue\n job_block_content = content[job_start:job_end]\n job_opening_line_match = re.match(r'^job\\s+\"[^\"]+\"\\s*\\{\\s*\\n?', job_block_content, re.MULTILINE)\n if not job_opening_line_match:\n logging.warning(f\"Skipping {relative_path}: Could not match job opening line format.\")\n continue\n job_insert_pos = job_start + job_opening_line_match.end()\n\n meta_start_rel, meta_end_rel = find_meta_block(job_block_content)\n new_job_file_line = f' job_file = \"{relative_path}\"'\n modified = False\n\n if meta_start_rel is not None and meta_end_rel is not None:\n meta_start_abs = job_start + meta_start_rel\n meta_end_abs = job_start + meta_end_rel\n meta_block_content = content[meta_start_abs:meta_end_abs]\n meta_opening_line_match = re.match(r'^\\s*meta\\s*\\{\\s*\\n?', meta_block_content, re.MULTILINE)\n if not meta_opening_line_match:\n logging.warning(f\"Skipping {relative_path}: Could not match meta opening line format.\")\n continue\n meta_insert_pos = meta_start_abs + meta_opening_line_match.end()\n\n job_file_line_match = re.search(r'^(\\s*)job_file\\s*=\\s*\".*?\"$\\n?', meta_block_content, re.MULTILINE)\n\n if job_file_line_match:\n existing_line = job_file_line_match.group(0)\n indent = job_file_line_match.group(1)\n new_line_with_indent = f'{indent}job_file = \"{relative_path}\"\\n' # Ensure newline\n if existing_line.strip() != new_line_with_indent.strip():\n # Replace existing line\n start = meta_start_abs + job_file_line_match.start()\n end = meta_start_abs + job_file_line_match.end()\n # Ensure we capture the trailing newline if present in match\n content = content[:start] + new_line_with_indent + content[end:]\n modified = True\n else:\n # Insert new job_file line inside meta block\n content = content[:meta_insert_pos] + new_job_file_line + '\\n' + content[meta_insert_pos:]\n modified = True\n else:\n # Insert new meta block\n new_meta_block = f'\\n meta {{\\n{new_job_file_line}\\n }}\\n'\n content = content[:job_insert_pos] + new_meta_block + content[job_insert_pos:]\n modified = True\n\n if modified and content != original_content:\n job_file.write_text(content)\n logging.info(f\"Updated metadata in: {relative_path}\")\n modified_count += 1\n elif not modified:\n logging.debug(f\"No changes needed for: {relative_path}\")\n\n except Exception as e:\n logging.error(f\"Failed to process {relative_path}: {e}\")\n\n logging.info(f\"Metadata update complete. {modified_count} files modified.\")\n\n\nif __name__ == \"__main__\":\n parser = argparse.ArgumentParser(description=\"Update Nomad job files with job_file metadata.\")\n # Default to the parent directory of the script's directory (../)\n script_dir = pathlib.Path(__file__).parent.resolve()\n default_repo_root = script_dir.parent\n parser.add_argument(\n \"--repo-root\",\n type=str,\n default=str(default_repo_root),\n help=\"Path to the root of the repository.\"\n )\n args = parser.parse_args()\n\n update_job_metadata(args.repo_root)\n\n"
},
{
"path": "envrc",
"content": "export CONSUL_HTTP_ADDR=http://FILL_IN_IP:8500\nexport CONSUL_CACERT=/etc/consul.d/ssl/ca.cert\nexport CONSUL_CLIENT_CERT=/etc/consul.d/ssl/consul.cert\nexport CONSUL_CLIENT_KEY=/etc/consul.d/ssl/consul.key\nexport VAULT_ADDR=http://FILL_IN_IP:8200\nexport VAULT_TOKEN=FILL_IN_TOKEN\nexport NOMAD_ADDR=http://FILL_IN_IP:4646\nexport NOMAD_VAR_region='home'\nexport NOMAD_VAR_tld='home'\nexport NOMAD_VAR_shared_dir='/home/shared/'\nexport NOMAD_VAR_downloads_dir='/home/sabnzbd/downloads'\nexport NOMAD_VAR_music_dir='/home/media/Music'\nexport NOMAD_VAR_movies_dir='/home/media/Movies'\nexport NOMAD_VAR_tv_dir='/home/media/TV'\nexport NOMAD_VAR_media_dir='/home/media'\n"
},
{
"path": "nomad_jobs/TEMPLATE-volume.hcl",
"content": "// =============================================================================\n// Nomad CSI Volume Template\n// =============================================================================\n//\n// Usage:\n// 1. Copy this file to nomad_jobs///volume.hcl\n// 2. Replace __VOL_NAME__ with the volume name (usually same as service name)\n// 3. Replace __SIZE__ with capacity (e.g. \"5GiB\", \"10GiB\", \"50GiB\")\n// 4. Set access_mode based on your needs (see below)\n// 5. Volume is auto-created by CI when pushed (if path is in workflow filter)\n//\n// Access modes:\n// single-node-writer : one node read/write (most services)\n// single-node-reader-only : one node read-only\n// multi-node-single-writer : multiple nodes can mount, one writes (HA failover)\n//\n// Size guide:\n// Config-only (app state): 1-5 GiB\n// Small databases: 5-10 GiB\n// Media metadata/indexes: 10-20 GiB\n// Time-series / logs: 50-100 GiB\n//\n// =============================================================================\n\nid = \"__VOL_NAME__\"\nexternal_id = \"__VOL_NAME__\"\nname = \"__VOL_NAME__\"\ntype = \"csi\"\nplugin_id = \"org.democratic-csi.iscsi\"\ncapacity_min = \"__SIZE__\"\ncapacity_max = \"__SIZE__\"\n\ncapability {\n access_mode = \"single-node-writer\"\n attachment_mode = \"file-system\"\n}\n\nmount_options {\n fs_type = \"ext4\"\n mount_flags = [\"noatime\"]\n}\n"
},
{
"path": "nomad_jobs/TEMPLATE.job",
"content": "// =============================================================================\n// Nomad Job Template\n// =============================================================================\n//\n// Usage:\n// 1. Copy this file to nomad_jobs///nomad.job\n// 2. Find/replace the following placeholders:\n// - __JOB_NAME__ : lowercase service name (e.g. \"sonarr\")\n// - __GROUP_NAME__ : group name (e.g. \"downloaders\", \"monitoring\", \"ai\")\n// - __CATEGORY__ : directory category (e.g. \"media-stack\", \"ai-ml\")\n// - __IMAGE__ : docker image with tag (e.g. \"linuxserver/sonarr:4.0.16\")\n// - __PORT__ : container port number (e.g. \"8989\")\n// - __HEALTH_PATH__ : HTTP health check path (e.g. \"/ping\", \"/-/healthy\", \"/api/health\")\n// - __CPU__ : CPU MHz allocation (see guide below)\n// - __MEMORY__ : Memory MB allocation (see guide below)\n// 3. Remove any optional sections you don't need (marked with OPTIONAL)\n// 4. Update the variable declarations at the bottom\n// 5. Add any job-specific secrets to .envrc as NOMAD_VAR_\n// 6. Add the job path to .github/workflows/nomad.yaml if it should auto-deploy\n//\n// Resource guide:\n// Light services (static sites, proxies): cpu = 100-200, memory = 128-256\n// Medium services (APIs, web apps): cpu = 500-1000, memory = 512-1024\n// Heavy services (.NET apps, databases, Java): cpu = 1000+, memory = 1024-2048\n// GPU / ML workloads: cpu = 200+, memory = 4096-8192\n//\n// =============================================================================\n\njob \"__JOB_NAME__\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/__CATEGORY__/__JOB_NAME__/nomad.job\"\n version = \"1\"\n }\n\n // Ensures scheduling on nodes with NFS shared mount available.\n // Remove if the service has no need for shared storage or config dirs.\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"__GROUP_NAME__\" {\n count = 1\n\n network {\n port \"http\" {\n host_network = \"lan\"\n to = \"__PORT__\"\n }\n }\n\n // --- OPTIONAL: CSI Volume ------------------------------------------------\n // Use for services that need persistent block storage (databases, stateful apps).\n // Requires a matching volume.hcl deployed first.\n // Remove this block and the prep-disk task + volume_mount if not needed.\n //\n // volume \"__JOB_NAME__\" {\n // type = \"csi\"\n // read_only = false\n // source = \"__JOB_NAME__\"\n // access_mode = \"single-node-writer\"\n // attachment_mode = \"file-system\"\n // }\n // -------------------------------------------------------------------------\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n healthy_deadline = \"5m\"\n progress_deadline = \"10m\"\n auto_revert = true\n }\n\n // --- OPTIONAL: Prep-disk task --------------------------------------------\n // Required when using CSI volumes to fix ownership before the main task runs.\n // Set UID:GID to match the user the main container runs as.\n // Common values:\n // linuxserver images: 65534:65534 (nobody)\n // prometheus: 1000:2000\n // grafana: 472:472\n // loki: 10001:10001\n //\n // task \"prep-disk\" {\n // driver = \"docker\"\n //\n // lifecycle {\n // hook = \"prestart\"\n // sidecar = false\n // }\n //\n // volume_mount {\n // volume = \"__JOB_NAME__\"\n // destination = \"/volume/\"\n // read_only = false\n // }\n //\n // config {\n // image = \"busybox:latest\"\n // command = \"sh\"\n // args = [\"-c\", \"chown -R UID:GID /volume/\"]\n // }\n //\n // resources {\n // cpu = 200\n // memory = 128\n // }\n // }\n // -------------------------------------------------------------------------\n\n task \"__JOB_NAME__\" {\n driver = \"docker\"\n\n config {\n image = \"__IMAGE__\"\n ports = [\"http\"]\n\n // --- Bind mount pattern (shared NFS config dir) ---\n // Use for services that store config on shared NFS.\n // volumes = [\n // \"${var.shared_dir}__JOB_NAME__:/config\",\n // ]\n\n // --- Template mount pattern (config rendered by Nomad) ---\n // Use when config is templated inline below.\n // volumes = [\n // \"local/config.yaml:/app/config.yaml\",\n // ]\n }\n\n // --- OPTIONAL: CSI volume mount ----------------------------------------\n // volume_mount {\n // volume = \"__JOB_NAME__\"\n // destination = \"/data\"\n // read_only = false\n // }\n // -----------------------------------------------------------------------\n\n env {\n TZ = \"Etc/UTC\"\n // PUID = \"65534\" // common for linuxserver images\n // PGID = \"65534\"\n }\n\n // --- OPTIONAL: Config template -----------------------------------------\n // Use for services that need a rendered config file.\n // Reference secrets with ${var.secret_name} syntax.\n //\n // template {\n // data = < 768MB\n }\n\n group \"web\" {\n network {\n mode = \"host\"\n port \"web\" {\n to = \"8080\"\n host_network = \"lan\"\n }\n }\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n task \"open-webui\" {\n driver = \"docker\"\n\n config {\n image = \"ghcr.io/open-webui/open-webui:v0.8.12\"\n dns_servers = [var.dns_server_ip]\n volumes = [\n \"${var.shared_dir}open-webui:/app/backend/data\",\n ]\n ports = [\"web\"]\n }\n\n env {\n OLLAMA_BASE_URL= var.ollama_base_url\n WEBUI_SECRET_KEY = var.webui_secret_key\n }\n service {\n name = \"${NOMAD_JOB_NAME}\"\n tags = [\"traefik.enable=true\"]\n port = \"web\"\n\n check {\n type = \"tcp\"\n port = \"web\"\n interval = \"30s\"\n timeout = \"2s\"\n }\n }\n\n resources {\n cpu = \"200\"\n memory = \"768\"\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\nvariable \"shared_dir\" {\n type = string\n}\n\nvariable \"ollama_base_url\" {\n type = string\n}\n\nvariable \"webui_secret_key\" {\n type = string\n}\n\nvariable \"datacenter\" {\n type = string\n}\n\nvariable \"dns_server_ip\" {\n type = string\n}\n"
},
{
"path": "nomad_jobs/ai-ml/paperless-ai/nomad.job",
"content": "job \"paperless-ai\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/ai-ml/paperless-ai/nomad.job\"\nversion = \"2\"\n }\n\n group \"web\" {\n network {\n mode = \"host\"\n port \"web\" {\n to = \"3000\"\n host_network = \"lan\"\n }\n }\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n task \"paperless-ai\" {\n driver = \"docker\"\n\n config {\n image = \"clusterzx/paperless-ai\"\n dns_servers = [\"192.168.50.2\"]\n volumes = [\n \"${var.shared_dir}paperless-ai:/app/data\",\n ]\n ports = [\"web\"]\n }\n\n service {\n name = \"${NOMAD_JOB_NAME}\"\n tags = [\"traefik.enable=true\"]\n port = \"web\"\n\n check {\n type = \"tcp\"\n port = \"web\"\n interval = \"30s\"\n timeout = \"2s\"\n }\n }\n\n resources {\n cpu = \"200\"\n memory = \"2048\"\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\nvariable \"shared_dir\" {\n type = string\n}\n"
},
{
"path": "nomad_jobs/ai-ml/pgvector-client/nomad.job",
"content": "job \"pgvector-client-example\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"batch\"\n\n meta {\n job_file = \"nomad_jobs/ai-ml/pgvector-client/nomad.job\"\n version = \"1\" // Initial version\n }\n\n group \"client\" {\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n task \"embedding-example\" {\n driver = \"docker\"\n\n config {\n image = \"python:3.14-slim\"\n command = \"python\"\n args = [\n \"/local/embedding-example.py\"\n ]\n }\n\n env {\n PGVECTOR_HOST = \"pgvector.service.consul\"\n PGVECTOR_PORT = \"5433\"\n PGVECTOR_USER = \"postgres\"\n PGVECTOR_PASSWORD = \"${var.pgvector_pass}\"\n PGVECTOR_DB = \"embeddings\"\n }\n\n template {\n data = < %s) AS similarity\n FROM documents\n ORDER BY embedding <=> %s\n LIMIT 3\n\"\"\", (query_embedding, query_embedding))\n\nresults = cursor.fetchall()\nprint(\"\\nTop 3 most similar documents:\")\nfor id, content, similarity in results:\n print(f\"ID: {id}, Similarity: {similarity:.4f}\")\n print(f\"Content: {content}\")\n print(\"-\" * 50)\n\n# Commit and close\nconn.commit()\ncursor.close()\nconn.close()\nprint(\"Example completed successfully!\")\nEOH\n destination = \"local/embedding-example.py\"\n }\n\n resources {\n cpu = 500\n memory = 512\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\nvariable \"pgvector_pass\" {\n type = string\n description = \"Admin password for pgvector PostgreSQL server\"\n}\n"
},
{
"path": "nomad_jobs/ai-ml/radbot/nomad-dev.job",
"content": "job \"radbot-dev\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/ai-ml/radbot/nomad-dev.job\"\n version = \"1\"\n }\n\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"web\" {\n count = 1\n\n network {\n port \"http\" {\n host_network = \"lan\"\n to = 8000\n }\n }\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"60s\"\n healthy_deadline = \"5m\"\n auto_revert = true\n }\n\n task \"radbot-dev\" {\n driver = \"docker\"\n\n config {\n image = \"ghcr.io/perrymanuk/radbot:dev\"\n dns_servers = [var.dns_server_ip]\n ports = [\"http\"]\n volumes = [\n \"local/config.yaml:/app/config.yaml\",\n ]\n }\n\n env {\n RADBOT_CREDENTIAL_KEY = var.radbot_credential_key\n RADBOT_ADMIN_TOKEN = var.radbot_admin_token\n RADBOT_CONFIG_FILE = \"/app/config.yaml\"\n RADBOT_ENV = \"dev\"\n }\n\n template {\n data = </ai-intel at /mnt/ai-intel).\"\n}\n"
},
{
"path": "nomad_jobs/core-infra/coredns/README.md",
"content": "### Coredns\nyou can place extra configuration for coredns in the consul kv store at `apps/coredns/corefile` and it will be deployed with the job\n\n"
},
{
"path": "nomad_jobs/core-infra/coredns/nomad.job",
"content": "job \"coredns\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n priority = 100\n\n meta {\n job_file = \"nomad_jobs/core-infra/coredns/nomad.job\"\n version = \"10\" // Write keepalived.conf directly instead of env.yaml\n }\n\n constraint {\n attribute = \"${meta.dns}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"dns\" {\n count = 2\n \n constraint {\n operator = \"distinct_hosts\"\n value = \"true\"\n }\n \n network {\n mode = \"host\"\n port \"dns\" {\n static = \"53\"\n host_network = \"lan\"\n }\n port \"metrics\" {\n static = \"9153\"\n host_network = \"lan\"\n }\n }\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"60s\"\n auto_revert = true\n auto_promote = true\n canary = 2\n }\n\n task \"keepalived-dns\" {\n driver = \"docker\"\n \n lifecycle {\n hook = \"prestart\"\n sidecar = true\n }\n \n config {\n image = \"osixia/keepalived:2.3.4\"\n network_mode = \"host\"\n force_pull = false\n volumes = [\n \"local/keepalived.conf:/etc/keepalived/keepalived.conf\"\n ]\n cap_add = [\"NET_ADMIN\", \"NET_BROADCAST\", \"NET_RAW\"]\n }\n\n template {\n destination = \"local/keepalived.conf\"\n change_mode = \"restart\"\n splay = \"1m\"\n data = <\n postgres\n ${var.postgres_pass}\n 5432\n postgres.service.consul\n lidarr_main\n lidarr_logs\n info\n \n *\n 8686\n 6868\n False\n False\n ${var.lidarr_api_key}\n External\n DisabledForLocalAddresses\n 100.64.0.0/10,192.168.50.0/24\n master\n Lidarr\n Docker\n\nEOH\n destination = \"local/config.xml\"\n perms = \"644\"\n }\n\n service {\n port = \"http\"\n name = \"lidarr\"\n tags = [\n \"traefik.enable=true\",\n \"traefik.http.routers.${NOMAD_TASK_NAME}.tls.domains[0].sans=${NOMAD_TASK_NAME}.${var.tld}\",\n ]\n check {\n type = \"http\"\n path = \"/ping\"\n interval = \"10s\"\n timeout = \"2s\"\n check_restart {\n limit = 3\n grace = \"60s\"\n ignore_warnings = false\n }\n }\n }\n\n resources {\n cpu = 100\n memory = 256\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\nvariable \"tld\" {\n type = string\n}\n\nvariable \"shared_dir\" {\n type = string\n}\n\nvariable \"downloads_dir\" {\n type = string\n}\n\nvariable \"music_dir\" {\n type = string\n}\n\nvariable \"postgres_pass\" {\n type = string\n description = \"Admin password for PostgreSQL\"\n}\n\nvariable \"lidarr_api_key\" {\n type = string\n description = \"API key for Lidarr\"\n}\n"
},
{
"path": "nomad_jobs/media-stack/lidarr/volume.hcl",
"content": "id = \"lidarr2\"\nexternal_id = \"lidarr2\"\nname = \"lidarr2\"\ntype = \"csi\"\nplugin_id = \"org.democratic-csi.iscsi\"\ncapacity_min = \"10GiB\"\ncapacity_max = \"10GiB\"\n\ncapability {\n access_mode = \"single-node-writer\"\n attachment_mode = \"block-device\"\n}\n\nmount_options {\n fs_type = \"ext4\"\n mount_flags = [\"noatime\"]\n}\n\n"
},
{
"path": "nomad_jobs/media-stack/lidify/nomad.job",
"content": "job \"lidify\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/media-stack/lidify/nomad.job\"\n version = \"1\"\n }\n\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"discovery\" {\n count = 1\n\n network {\n port \"http\" {\n host_network = \"lan\"\n to = \"5000\"\n }\n }\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"lidify\" {\n driver = \"docker\"\n config {\n image = \"thewicklowwolf/lidify:latest\"\n ports = [\"http\"]\n dns_servers = [\"192.168.50.2\"]\n volumes = [\n \"${var.shared_dir}lidify:/lidify/config\",\n ]\n }\n\n env {\n lidarr_address = \"http://lidarr.service.consul:8686\"\n lidarr_api_key = var.lidarr_api_key\n lastfm_api_key = var.lastfm_api_key\n root_folder_path = \"/music\"\n quality_profile_id = \"1\"\n metadata_profile_id = \"1\"\n sleep_interval = \"3600\"\n }\n\n service {\n port = \"http\"\n name = \"lidify\"\n tags = [\n \"traefik.enable=true\",\n ]\n check {\n type = \"http\"\n path = \"/\"\n interval = \"10s\"\n timeout = \"2s\"\n check_restart {\n limit = 3\n grace = \"60s\"\n ignore_warnings = false\n }\n }\n }\n\n resources {\n cpu = 100\n memory = 256\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\nvariable \"tld\" {\n type = string\n}\n\nvariable \"shared_dir\" {\n type = string\n}\n\nvariable \"lidarr_api_key\" {\n type = string\n description = \"API key for Lidarr\"\n}\n\nvariable \"lastfm_api_key\" {\n type = string\n description = \"Last.fm API key\"\n}\n"
},
{
"path": "nomad_jobs/media-stack/maintainerr/nomad.job",
"content": "job \"maintainerr\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/media-stack/maintainerr/nomad.job\"\n version = \"2\"\n }\n\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"media\" {\n count = 1\n\n network {\n port \"http\" {\n host_network = \"lan\"\n to = 6246\n }\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"maintainerr\" {\n driver = \"docker\"\n\n config {\n image = \"ghcr.io/maintainerr/maintainerr:3.7.0\"\n ports = [\"http\"]\n volumes = [\n \"${var.shared_dir}maintainerr:/opt/data\",\n ]\n }\n\n env {\n TZ = \"Etc/UTC\"\n }\n\n user = \"1000:1000\"\n\n service {\n port = \"http\"\n name = \"maintainerr\"\n tags = [\n \"traefik.enable=true\"\n ]\n check {\n type = \"http\"\n path = \"/\"\n interval = \"30s\"\n timeout = \"5s\"\n check_restart {\n limit = 3\n grace = \"60s\"\n ignore_warnings = false\n }\n }\n }\n\n resources {\n cpu = 200\n memory = 512\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\nvariable \"tld\" {\n type = string\n}\n\nvariable \"shared_dir\" {\n type = string\n}\n"
},
{
"path": "nomad_jobs/media-stack/mediasage/nomad.job",
"content": "job \"mediasage\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/media-stack/mediasage/nomad.job\"\n version = \"1\"\n }\n\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"playlists\" {\n count = 1\n\n network {\n port \"http\" {\n host_network = \"lan\"\n to = \"5765\"\n }\n }\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"prep-disk\" {\n driver = \"docker\"\n lifecycle {\n hook = \"prestart\"\n sidecar = false\n }\n config {\n image = \"busybox:latest\"\n command = \"sh\"\n args = [\"-c\", \"mkdir -p /data && chmod 777 /data\"]\n volumes = [\n \"${var.shared_dir}mediasage:/data\",\n ]\n }\n resources {\n cpu = 50\n memory = 32\n }\n }\n\n task \"mediasage\" {\n driver = \"docker\"\n config {\n image = \"ghcr.io/ecwilsonaz/mediasage:latest\"\n ports = [\"http\"]\n dns_servers = [\"192.168.50.2\"]\n volumes = [\n \"${var.shared_dir}mediasage:/app/data\",\n ]\n }\n\n env {\n PLEX_URL = \"http://plex.service.consul:32400\"\n PLEX_TOKEN = var.plex_token\n AI_PROVIDER = \"ollama\"\n OLLAMA_URL = \"http://ollama.service.consul:11434\"\n }\n\n service {\n port = \"http\"\n name = \"mediasage\"\n tags = [\n \"traefik.enable=true\",\n ]\n check {\n type = \"http\"\n path = \"/\"\n interval = \"10s\"\n timeout = \"2s\"\n check_restart {\n limit = 3\n grace = \"60s\"\n ignore_warnings = false\n }\n }\n }\n\n resources {\n cpu = 200\n memory = 512\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\nvariable \"tld\" {\n type = string\n}\n\nvariable \"shared_dir\" {\n type = string\n}\n\nvariable \"plex_token\" {\n type = string\n description = \"Plex authentication token\"\n}\n"
},
{
"path": "nomad_jobs/media-stack/multi-scrobbler/nomad.job",
"content": "job \"multi-scrobbler\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/media-stack/multi-scrobbler/nomad.job\"\n version = \"1\"\n }\n\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"scrobbler\" {\n count = 1\n\n network {\n port \"http\" {\n host_network = \"lan\"\n to = \"9078\"\n }\n }\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"multi-scrobbler\" {\n driver = \"docker\"\n config {\n image = \"foxxmd/multi-scrobbler:latest\"\n ports = [\"http\"]\n dns_servers = [\"192.168.50.2\"]\n volumes = [\n \"${var.shared_dir}multi-scrobbler:/config\",\n \"local/config.json:/config/config.json\",\n ]\n }\n\n env {\n TZ = \"Etc/UTC\"\n }\n\n template {\n data = </dev/null || true)\" ]; then\n echo \"Database volume is empty, copying existing databases if any...\"\n if [ -d \"$DB_DIR\" ] && [ -n \"$(ls -A \"$DB_DIR\" 2>/dev/null || true)\" ]; then\n cp -a \"$DB_DIR\"/* /opt/plex-db/\n echo \"Copied existing databases to persistent volume\"\n fi\nfi\n\n# Set up link to optimized database storage (only if not already linked)\nif [ ! -L \"$DB_DIR\" ] || [ \"$(readlink \"$DB_DIR\")\" != \"/opt/plex-db\" ]; then\n echo \"Setting up database symlink...\"\n rm -rf \"$DB_DIR\"\n ln -sf /opt/plex-db \"$DB_DIR\"\nfi\n\n# Install SQLite3 if needed\nif ! command -v sqlite3 &>/dev/null; then\n echo \"Installing SQLite3...\"\n apt-get update && apt-get install -y sqlite3\nfi\n\n# Set environment variables for SQLite\nexport SQLITE_TMPDIR=/tmp/plex_sqlite\nmkdir -p \"$SQLITE_TMPDIR\"\n\n# Apply optimizations to all databases\necho \"Applying SQLite optimizations to databases...\"\nfind /opt/plex-db -name \"*.db\" -type f 2>/dev/null | while read -r db; do\n echo \"Optimizing $db\"\n sqlite3 \"$db\" < 256\n }\n\n group \"downloaders\" {\n count = 1\n\n network {\n port \"http\" {\n host_network = \"lan\"\n static = 9696\n }\n port \"flaresolverr\" {\n host_network = \"lan\"\n static = 8191\n }\n }\n\n volume \"prowlarr\" {\n type = \"csi\"\n read_only = false\n source = \"prowlarr\"\n access_mode = \"single-node-writer\"\n attachment_mode = \"file-system\"\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"prowlarr\" {\n driver = \"docker\"\n\n config {\n image = \"linuxserver/prowlarr\"\n dns_servers = [\"192.168.50.2\"]\n ports = [\"http\"]\n }\n\n volume_mount {\n volume = \"prowlarr\"\n destination = \"/config\"\n read_only = false\n }\n\n env {\n PUID = \"65534\"\n PGID = \"65534\"\n TZ = \"Etc/UTC\"\n }\n\n service {\n port = \"http\"\n name = \"prowlarr\"\n tags = [\n \"traefik.enable=true\",\n ]\n check {\n type = \"http\"\n path = \"/ping\"\n interval = \"10s\"\n timeout = \"2s\"\n check_restart {\n limit = 3\n grace = \"60s\"\n ignore_warnings = false\n }\n }\n }\n\n resources {\n cpu = 500\n memory = 256\n }\n }\n\n task \"flaresolverr\" {\n driver = \"docker\"\n\n config {\n image = \"ghcr.io/flaresolverr/flaresolverr:v3.4.6\"\n ports = [\"flaresolverr\"]\n }\n\n env {\n LOG_LEVEL = \"info\"\n LOG_HTML = \"false\"\n TZ = \"Etc/UTC\"\n }\n\n service {\n port = \"flaresolverr\"\n name = \"flaresolverr\"\n check {\n type = \"http\"\n path = \"/\"\n interval = \"30s\"\n timeout = \"5s\"\n }\n }\n\n resources {\n cpu = 500\n memory = 512\n }\n\n lifecycle {\n hook = \"prestart\"\n sidecar = true\n }\n }\n }\n}\n\nvariable \"region\" {}\n\nvariable \"tld\" {}\n"
},
{
"path": "nomad_jobs/media-stack/prowlarr/volume.hcl",
"content": "id = \"prowlarr\"\nexternal_id = \"prowlarr\"\nname = \"prowlarr\"\ntype = \"csi\"\nplugin_id = \"org.democratic-csi.iscsi\"\ncapacity_min = \"5GiB\"\ncapacity_max = \"5GiB\"\n\ncapability {\n access_mode = \"single-node-writer\"\n attachment_mode = \"block-device\"\n}\n\nmount_options {\n fs_type = \"ext4\"\n mount_flags = [\"noatime\"]\n}\n"
},
{
"path": "nomad_jobs/media-stack/qbittorrent/nomad.job",
"content": "job \"qbittorrent\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/media-stack/qbittorrent/nomad.job\"\n version = \"5\"\n }\n\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"downloaders\" {\n count = 1\n\n network {\n port \"http\" {\n host_network = \"lan\"\n static = 8081\n }\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"gluetun\" {\n driver = \"docker\"\n\n lifecycle {\n hook = \"prestart\"\n sidecar = true\n }\n\n config {\n image = \"qmcgaw/gluetun\"\n\n cap_add = [\"NET_ADMIN\"]\n\n ports = [\"http\"]\n\n mounts = [\n {\n type = \"tmpfs\"\n target = \"/tmp/gluetun\"\n readonly = false\n },\n ]\n }\n\n env {\n VPN_SERVICE_PROVIDER = \"mullvad\"\n VPN_TYPE = \"wireguard\"\n WIREGUARD_PRIVATE_KEY = var.mullvad_wireguard_key\n WIREGUARD_ADDRESSES = var.mullvad_wireguard_addr\n SERVER_COUNTRIES = \"Netherlands\"\n FIREWALL_VPN_INPUT_PORTS = \"8081\"\n }\n\n resources {\n cpu = 500\n memory = 512\n }\n }\n\n task \"qbittorrent\" {\n driver = \"docker\"\n\n config {\n image = \"linuxserver/qbittorrent\"\n network_mode = \"container:gluetun-${NOMAD_ALLOC_ID}\"\n\n mounts = [\n {\n type = \"bind\"\n target = \"/config\"\n source = \"${var.shared_dir}qbittorrent\"\n readonly = false\n bind_options = {\n propagation = \"rshared\"\n }\n },\n {\n type = \"bind\"\n target = \"/downloads\"\n source = \"${var.downloads_dir}\"\n readonly = false\n bind_options = {\n propagation = \"rshared\"\n }\n },\n {\n type = \"bind\"\n target = \"/media\"\n source = \"${var.media_dir}\"\n readonly = false\n bind_options = {\n propagation = \"rshared\"\n }\n },\n ]\n }\n\n env {\n PUID = \"65534\"\n PGID = \"65534\"\n TZ = \"Etc/UTC\"\n WEBUI_PORT = \"8081\"\n }\n\n service {\n port = \"http\"\n name = \"qbittorrent\"\n tags = [\n \"traefik.enable=true\",\n ]\n check {\n type = \"tcp\"\n interval = \"10s\"\n timeout = \"2s\"\n check_restart {\n limit = 3\n grace = \"90s\"\n ignore_warnings = false\n }\n }\n }\n\n resources {\n cpu = 1000\n memory = 1024\n }\n }\n }\n}\n\nvariable \"region\" {}\n\nvariable \"tld\" {}\n\nvariable \"shared_dir\" {}\n\nvariable \"downloads_dir\" {}\n\nvariable \"media_dir\" {}\n\nvariable \"mullvad_wireguard_key\" {\n type = string\n description = \"Mullvad WireGuard private key\"\n}\n\nvariable \"mullvad_wireguard_addr\" {\n type = string\n description = \"Mullvad WireGuard interface address\"\n}\n"
},
{
"path": "nomad_jobs/media-stack/radarr/nomad.job",
"content": "job \"radarr\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/media-stack/radarr/nomad.job\"\nversion = \"10\" // Full config.xml template with API key\n }\n\n group \"downloaders\" {\n count = 1 \n network {\n port \"http\" {\n host_network = \"lan\"\n to = \"7878\"\n }\n }\n\n volume \"radarr\" {\n type = \"csi\"\n read_only = false\n source = \"radarr2\"\n access_mode = \"single-node-writer\"\n attachment_mode = \"file-system\"\n }\n\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"radarr\" {\n driver = \"docker\"\n config {\n image = \"linuxserver/radarr:6.1.1\"\n dns_servers = [\"192.168.50.2\"]\n ports = [\"http\"]\n volumes = [\n \"${var.downloads_dir}:/downloads\",\n \"${var.movies_dir}:/media/Movies\",\n \"local/config.xml:/config/config.xml\",\n ]\n }\n\n volume_mount {\n volume = \"radarr\"\n destination = \"/config\"\n read_only = false\n }\n\n env {\n UMASK_SET = \"022\"\n TZ = \"UTC\"\n PUID = \"65534\"\n PGID = \"65534\"\n }\n\n template {\n data = <\n postgres\n ${var.postgres_pass}\n 5432\n postgres.service.consul\n radarr_main\n radarr_logs\n info\n \n *\n 7878\n 9898\n False\n False\n ${var.radarr_api_key}\n External\n DisabledForLocalAddresses\n 100.64.0.0/10,192.168.50.0/24\n master\n Radarr\n Docker\n\nEOH\n destination = \"local/config.xml\"\n perms = \"644\"\n }\n \n service {\n port = \"http\"\n name = \"radarr\"\n tags = [\n \"traefik.enable=true\"\n ]\n check {\n type = \"http\"\n path = \"/ping\"\n interval = \"10s\"\n timeout = \"2s\"\n check_restart {\n limit = 3\n grace = \"60s\"\n ignore_warnings = false\n }\n }\n }\n\n resources {\n cpu = 1000\n memory = 512\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\nvariable \"tld\" {\n type = string\n}\n\nvariable \"downloads_dir\" {\n type = string\n}\n\nvariable \"tv_dir\" {\n type = string\n}\n\nvariable \"movies_dir\" {\n type = string\n}\n\nvariable \"postgres_pass\" {\n type = string\n description = \"Admin password for PostgreSQL\"\n}\n\nvariable \"radarr_api_key\" {\n type = string\n description = \"API key for Radarr\"\n}\n"
},
{
"path": "nomad_jobs/media-stack/radarr/volume.hcl",
"content": "id = \"radarr2\"\nexternal_id = \"radarr2\"\nname = \"radarr2\"\ntype = \"csi\"\nplugin_id = \"org.democratic-csi.iscsi\"\ncapacity_min = \"10GiB\"\ncapacity_max = \"10GiB\"\n\ncapability {\n access_mode = \"single-node-writer\"\n attachment_mode = \"block-device\"\n}\n\nmount_options {\n fs_type = \"ext4\"\n mount_flags = [\"noatime\"]\n}\n"
},
{
"path": "nomad_jobs/media-stack/requestrr/nomad.job",
"content": "job \"requestrr\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/media-stack/requestrr/nomad.job\"\n version = \"1\"\n }\n\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"media\" {\n count = 1\n\n network {\n port \"http\" {\n host_network = \"lan\"\n to = 4545\n }\n }\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"requestrr\" {\n driver = \"docker\"\n\n config {\n dns_servers = [\"192.168.50.2\"]\n image = \"thomst08/requestrr:v2.1.9\"\n ports = [\"http\"]\n volumes = [\n \"${var.shared_dir}requestrr:/root/config\",\n ]\n }\n\n env {\n TZ = \"Etc/UTC\"\n }\n\n service {\n port = \"http\"\n name = \"requestrr\"\n tags = [\n \"traefik.enable=true\"\n ]\n check {\n type = \"tcp\"\n interval = \"10s\"\n timeout = \"2s\"\n }\n }\n\n resources {\n cpu = 200\n memory = 256\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\nvariable \"tld\" {\n type = string\n}\n\nvariable \"shared_dir\" {\n type = string\n}\n"
},
{
"path": "nomad_jobs/media-stack/sabnzbd/nomad.job",
"content": "job \"sabnzbd\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/media-stack/sabnzbd/nomad.job\"\nversion = \"6\"\n }\n\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"downloaders\" {\n count = 1 \n network {\n port \"http\" {\n host_network = \"lan\"\n static = \"8080\"\n }\n }\n\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"sabnzbd\" {\n driver = \"docker\"\n config {\n image = \"linuxserver/sabnzbd\"\n network_mode = \"host\"\n ports = [\"http\"]\n mounts = [\n {\n type = \"bind\"\n target = \"/config\"\n source = \"${var.shared_dir}sabnzbd\",\n readonly = false\n bind_options = {\n propagation = \"rshared\"\n }\n },\n {\n type = \"bind\"\n target = \"/downloads\"\n source = \"/tmp\"\n readonly = false\n bind_options = {\n propagation = \"rshared\"\n }\n },\n {\n type = \"bind\"\n target = \"/media\"\n source = \"${var.media_dir}\"\n readonly = false\n bind_options = {\n propagation = \"rshared\"\n }\n }\n ]\n }\n \n env {\n PUID = \"65534\"\n PGID = \"65534\"\n TZ = \"Etc/UTC\"\n }\n\n service {\n port = \"http\"\n name = \"${NOMAD_TASK_NAME}\"\n tags = [\n \"traefik.enable=true\"\n ]\n check {\n type = \"http\"\n path = \"/api?mode=auth\"\n interval = \"10s\"\n timeout = \"2s\"\n check_restart {\n limit = 3\n grace = \"60s\"\n ignore_warnings = false\n }\n }\n }\n\n resources {\n cpu = 1000 # Match actual usage (952 MHz observed)\n memory = 3072 # Accommodate 2GB cache + 1GB overhead\n memory_max = 4096 # Hard limit for burst usage\n }\n }\n }\n}\n\nvariable \"region\" {}\n\nvariable \"tld\" {}\n\nvariable \"shared_dir\" {}\n\nvariable \"media_dir\" {}\n\nvariable \"downloads_dir\" {}\n"
},
{
"path": "nomad_jobs/media-stack/sickchill/nomad.job",
"content": "job \"sickchill\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/media-stack/sickchill/nomad.job\"\nversion = \"4\"\n }\n\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"downloaders\" {\n count = 1 \n network {\n port \"http\" {\n host_network = \"lan\"\n to = \"8081\"\n }\n }\n\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"sickchill\" {\n driver = \"docker\"\n config {\n image = \"linuxserver/sickchill:2024.3.1\"\n dns_servers = [\"192.168.50.2\"]\n ports = [\"http\"]\n volumes = [\n \"${var.downloads_dir}:/downloads\",\n \"${var.tv_dir}:/tv\",\n \"${var.shared_dir}sickchill:/config\",\n ]\n }\n\n env {\n PUID = \"65534\"\n PGID = \"65534\"\n TZ = \"Etc/UTC\"\n }\n\n service {\n port = \"http\"\n name = \"sickchill\"\n tags = [\n \"traefik.enable=true\"\n ]\n check {\n type = \"http\"\n path = \"/\"\n interval = \"10s\"\n timeout = \"2s\"\n check_restart {\n limit = 3\n grace = \"60s\"\n ignore_warnings = false\n }\n }\n }\n\n resources {\n cpu = 1000\n memory = 256\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\nvariable \"tld\" {\n type = string\n}\n\nvariable \"downloads_dir\" {\n type = string\n}\n\nvariable \"tv_dir\" {\n type = string\n}\n\nvariable \"shared_dir\" {\n type = string\n}\n"
},
{
"path": "nomad_jobs/media-stack/sonarr/nomad.job",
"content": "job \"sonarr\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/media-stack/sonarr/nomad.job\"\nversion = \"11\" // Full config.xml template with API key\n }\n\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"downloaders\" {\n count = 1 \n network {\n port \"http\" {\n host_network = \"lan\"\n to = \"8989\"\n }\n }\n\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"sonarr\" {\n driver = \"docker\"\n config {\n image = \"linuxserver/sonarr:4.0.17\"\n dns_servers = [\"192.168.50.2\"]\n ports = [\"http\"]\n volumes = [\n \"${var.shared_dir}sonarr:/config\",\n \"${var.downloads_dir}:/downloads\",\n \"${var.tv_dir}:/media/TV\",\n \"local/config.xml:/config/config.xml\",\n ]\n }\n\n env {\n PUID = \"65534\"\n PGID = \"65534\"\n TZ = \"Etc/UTC\"\n }\n\n template {\n data = <\n postgres\n ${var.postgres_pass}\n 5432\n postgres.service.consul\n sonarr_main\n sonarr_logs\n info\n \n *\n 8989\n 9898\n False\n False\n ${var.sonarr_api_key}\n External\n DisabledForLocalAddresses\n 100.64.0.0/10,192.168.50.0/24\n main\n Sonarr\n Docker\n\nEOH\n destination = \"local/config.xml\"\n perms = \"644\"\n }\n\n service {\n port = \"http\"\n name = \"sonarr\"\n tags = [\n \"traefik.enable=true\",\n ]\n check {\n type = \"http\"\n path = \"/ping\"\n interval = \"10s\"\n timeout = \"2s\"\n check_restart {\n limit = 3\n grace = \"60s\"\n ignore_warnings = false\n }\n }\n }\n\n resources {\n cpu = 1000\n memory = 512\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\nvariable \"tld\" {\n type = string\n}\n\nvariable \"shared_dir\" {\n type = string\n}\n\nvariable \"downloads_dir\" {\n type = string\n}\n\nvariable \"tv_dir\" {\n type = string\n}\n\nvariable \"postgres_pass\" {\n type = string\n description = \"Admin password for PostgreSQL\"\n}\n\nvariable \"sonarr_api_key\" {\n type = string\n description = \"API key for Sonarr\"\n}\n"
},
{
"path": "nomad_jobs/media-stack/synclounge/nomad.job",
"content": "job \"synclounge\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/media-stack/synclounge/nomad.job\"\nversion = \"4\"\n }\n\n group \"synclounge\" {\n count = 1 \n network {\n port \"http\" {\n host_network = \"tailscale\"\n to = \"8088\"\n }\n port \"server\" {\n host_network = \"tailscale\"\n to = \"8089\"\n }\n }\n\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"plexlounge\" {\n driver = \"docker\"\n config {\n image = \"starbix/synclounge\"\n network_mode = \"host\"\n force_pull = \"true\"\n ports = [\"http\", \"server\"]\n }\n\n env {\n DOMAIN = \"${NOMAD_TASK_NAME}.${var.tld}\"\n }\n\n service {\n port = \"http\"\n\tname = \"plexlounge\"\n tags = [\n \"traefik.enable=true\",\n \"traefik.http.middlewares.httpsRedirect.redirectscheme.scheme=https\",\n\n\n \"traefik.http.routers.${NOMAD_TASK_NAME}.tls.domains[0].sans=${NOMAD_TASK_NAME}.${var.tld}\",\n \"traefik.http.routers.${NOMAD_TASK_NAME}.middlewares=forward-auth\"\n ]\n\n check {\n type = \"tcp\"\n interval = \"10s\"\n timeout = \"2s\"\n }\n }\n\n service {\n port = \"server\"\n\tname = \"syncserver\"\n tags = [\n \"traefik.enable=true\",\n \"traefik.http.middlewares.httpsRedirect.redirectscheme.scheme=https\",\n\n\n \"traefik.http.routers.syncserver.tls.domains[0].sans=syncserver.${var.tld}\",\n \"traefik.http.routers.syncserver.middlewares=forward-auth\"\n ]\n\n check {\n type = \"tcp\"\n interval = \"10s\"\n timeout = \"2s\"\n }\n }\n\n resources {\n cpu = 3500\n memory = 512\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\n\n\nvariable \"tld\" {\n type = string\n}\n\n"
},
{
"path": "nomad_jobs/media-stack/tautulli/nomad.job",
"content": "job \"tautulli\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/media-stack/tautulli/nomad.job\"\nversion = \"3\"\n }\n\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"metrics\" {\n count = 1 \n network {\n port \"http\" {\n host_network = \"tailscale\"\n to = \"8181\"\n }\n }\n\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"tautulli\" {\n driver = \"docker\"\n config {\n image = \"tautulli/tautulli\"\n ports = [\"http\"]\n volumes = [\n \"${var.shared_dir}tautulli:/config\",\n \"[[ .dirs.plexlogs ]]:/media/TV\",\n ]\n }\n\n service {\n port = \"http\"\n\tname = \"tautulli\"\n tags = [\"net-internal\", \"net-external\", \"tautulli\", \"net.frontend.entryPoints=https\"]\n check {\n type = \"http\"\n path = \"/\"\n interval = \"10s\"\n timeout = \"2s\"\n check_restart {\n limit = 3\n grace = \"60s\"\n ignore_warnings = false\n }\n }\n }\n\n resources {\n cpu = 100\n memory = 128\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\n\n\nvariable \"tld\" {\n type = string\n}\n\nvariable \"shared_dir\" {\n type = string\n}\n"
},
{
"path": "nomad_jobs/media-stack/tdarr/nomad.job",
"content": "job \"tdarr\" {\n region = var.region\n datacenters = [\"cheese\"]\n type = \"service\"\n priority = 50\n\n meta {\n job_file = \"nomad_jobs/media-stack/tdarr/nomad.job\"\n version = \"4\" // Move to cheese01 for NVENC GPU transcoding\n }\n\n group \"tdarr\" {\n count = 1\n\n constraint {\n attribute = \"${attr.unique.hostname}\"\n value = \"cheese01\"\n }\n\n network {\n port \"http\" {\n host_network = \"lan\"\n static = 8265\n }\n port \"server\" {\n host_network = \"lan\"\n static = 8266\n }\n }\n\n volume \"tdarr\" {\n type = \"csi\"\n read_only = false\n source = \"tdarr\"\n access_mode = \"single-node-writer\"\n attachment_mode = \"file-system\"\n }\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n healthy_deadline = \"9m\"\n progress_deadline = \"15m\"\n auto_revert = true\n }\n\n task \"tdarr\" {\n driver = \"docker\"\n\n config {\n image = \"ghcr.io/haveagitgat/tdarr:latest\"\n network_mode = \"host\"\n privileged = true\n runtime = \"nvidia\"\n force_pull = true\n ports = [\"http\", \"server\"]\n volumes = [\n \"/tmp/tdarr:/temp\",\n \"${var.shared_dir}tdarr/configs:/app/configs\",\n \"${var.shared_dir}tdarr/logs:/app/logs\",\n \"${var.media_dir}:/media\",\n ]\n }\n\n volume_mount {\n volume = \"tdarr\"\n destination = \"/app/server\"\n read_only = false\n }\n\n env {\n PUID = \"1000\"\n PGID = \"1000\"\n NVIDIA_VISIBLE_DEVICES = \"all\"\n serverIP = \"0.0.0.0\"\n serverPort = \"8266\"\n webUIPort = \"8265\"\n internalNode = \"true\"\n nodeName = \"cheese01\"\n }\n\n service {\n port = \"http\"\n name = \"tdarr\"\n tags = [\n \"traefik.enable=true\",\n ]\n check {\n type = \"tcp\"\n interval = \"10s\"\n timeout = \"2s\"\n check_restart {\n limit = 3\n grace = \"120s\"\n ignore_warnings = false\n }\n }\n }\n\n resources {\n cpu = 2000\n memory = 2048\n }\n }\n }\n}\n\nvariable \"region\" {}\nvariable \"tld\" {}\nvariable \"shared_dir\" {}\nvariable \"media_dir\" {}\n"
},
{
"path": "nomad_jobs/media-stack/tdarr/volume.hcl",
"content": "id = \"tdarr\"\nexternal_id = \"tdarr\"\nname = \"tdarr\"\ntype = \"csi\"\nplugin_id = \"org.democratic-csi.iscsi\"\ncapacity_min = \"10GiB\"\ncapacity_max = \"10GiB\"\n\ncapability {\n access_mode = \"single-node-writer\"\n attachment_mode = \"block-device\"\n}\n\nmount_options {\n fs_type = \"ext4\"\n mount_flags = [\"noatime\"]\n}\n"
},
{
"path": "nomad_jobs/misc/adb/nomad.job",
"content": "job \"adb\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/misc/adb/nomad.job\"\nversion = \"4\"\n }\n\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n constraint {\n attribute = \"${meta.zigbee}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"downloaders\" {\n count = 1 \n\n network {\n mode = \"host\"\n port \"tcp\" {\n static = \"5037\"\n host_network = \"lan\"\n }\n }\n\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"adb\" {\n driver = \"docker\"\n config {\n image = \"docker-registry.demonsafe.com/adb\"\n entrypoint = [\"/local/start.sh\"]\n network_mode = \"host\"\n extra_hosts = [\"hassio:127.0.0.1\"]\n args = [\"&\", \"adb\", \"-a\", \"-P\", \"5037\", \"server\", \"nodaemon\"]\n volumes = [\n \"${var.shared_dir}home-assistant/android:/root/.android\",\n ]\n }\n\n env {\n log_level = \"warning\"\n }\n\n service {\n port = \"tcp\"\n\tname = \"adb\"\n tags = [\"net-internal\", \"adb\"]\n check {\n type = \"tcp\"\n interval = \"10s\"\n timeout = \"2s\"\n }\n }\n\n template {\ndata = < IAM & Admin -> Service Accounts.\n * Create a new service account (e.g., `gcp-dns-updater-sa`).\n * Grant this service account the `DNS Administrator` role (`roles/dns.admin`) on the project containing your managed zone.\n * Create a JSON key file for this service account and download it securely. You will need the *contents* of this file, not the file itself.\n3. **Nomad Environment:** A running Nomad cluster where this job can be scheduled. The Nomad clients must have Docker installed and configured.\n\n## Configuration\n\nThe service is configured via environment variables passed to the Nomad task, which are then consumed by the `update_dns.py` script running inside the Docker container:\n\n* `GCP_DNS_ZONE_NAME`: The name of the managed zone in GCP DNS (e.g., `demonsafe-com`). The script derives the Project ID from the credentials.\n* `GCP_DNS_RECORD_NAME`: The DNS record name to update (e.g., `*.demonsafe.com`). **Note:** The script expects the base name; the trailing dot is handled internally if needed by the SDK.\n* `RECORD_TTL`: (Optional) The Time-To-Live (in seconds) for the created/updated A record. Defaults to 300 if not set.\n* `GCP_PROJECT_ID`: The Google Cloud Project ID containing the DNS zone.\n* `GCP_SERVICE_ACCOUNT_KEY_B64`: **Required.** The base64-encoded *content* of the GCP service account JSON key file.\n\n**Generating the Base64 Key:**\n\nYou need to encode the *content* of your downloaded JSON key file into a single-line base64 string.\n\nOn Linux/macOS, you can use:\n```bash\nbase64 -w 0 < /path/to/your/gcp_key.json\n```\n*(Ensure you use `-w 0` or an equivalent flag for your `base64` command to prevent line wrapping)*\n\nCopy the resulting string.\n\n**Setting Environment Variables in Nomad:**\n\nThese variables are defined within the `env` block of the `nomad.job` file using Go templating to read runtime environment variables provided by the Nomad agent (which in turn are often sourced from the deployment mechanism, like GitHub Actions):\n\n```hcl\n# Example within nomad.job task config\nenv {\n GCP_DNS_ZONE_NAME = < 50 else ''}\")\n \n # Clean the base64 string - remove any whitespace/newlines\n key_b64 = key_b64.strip().replace('\\n', '').replace('\\r', '').replace(' ', '')\n logging.info(f\"Cleaned key length: {len(key_b64)}\")\n logging.info(f\"Cleaned key content (first 50 chars): {key_b64[:50]}{'...' if len(key_b64) > 50 else ''}\")\n \n # Check if this looks like a valid base64 string\n if len(key_b64) < 100:\n logging.warning(f\"Service account key seems too short ({len(key_b64)} chars). Expected several thousand characters.\")\n logging.warning(f\"Full key content: '{key_b64}'\")\n logging.error(\"The GCP_SERVICE_ACCOUNT_KEY_B64 environment variable appears to contain invalid or incomplete data.\")\n sys.exit(1)\n \n # Fix base64 padding if needed\n missing_padding = len(key_b64) % 4\n if missing_padding:\n padding_needed = 4 - missing_padding\n key_b64 += '=' * padding_needed\n logging.info(f\"Added {padding_needed} padding characters\")\n \n logging.info(f\"Final key length: {len(key_b64)}\")\n decoded_key = base64.b64decode(key_b64, validate=True)\n logging.info(\"Base64 key decoded successfully.\")\n\n logging.info(\"Parsing service account key JSON...\")\n key_info = json.loads(decoded_key)\n logging.info(\"Service account key JSON parsed successfully.\")\n\n credentials = service_account.Credentials.from_service_account_info(key_info)\n client = dns.Client(project=project_id, credentials=credentials)\n logging.info(f\"Successfully created DNS client for project {project_id}\")\n return client\n\n except binascii.Error as e:\n logging.error(f\"Failed to decode base64 service account key: {e}\")\n sys.exit(1)\n except json.JSONDecodeError as e:\n logging.error(f\"Failed to parse service account key JSON: {e}\")\n sys.exit(1)\n except Exception as e:\n logging.error(f\"Failed to create DNS client from service account info: {e}\")\n sys.exit(1)\n\ndef update_traefik_whitelist(ip_address: str):\n \"\"\"Updates Traefik IP whitelist configuration.\"\"\"\n try:\n logging.info(f\"Updating Traefik whitelist with IP: {ip_address}\")\n \n traefik_config = {\n \"http\": {\n \"middlewares\": {\n \"home-ip-whitelist\": {\n \"ipAllowList\": {\n \"sourceRange\": [\n f\"{ip_address}/32\",\n \"192.168.0.0/16\",\n \"10.0.0.0/8\",\n \"172.16.0.0/12\",\n \"100.64.0.0/10\"\n ]\n }\n }\n }\n }\n }\n \n config_path = \"/shared/traefik-ingress/dynamic-whitelist.toml\"\n \n # Write as TOML format\n toml_content = f\"\"\"[http.middlewares.home-ip-whitelist.ipAllowList]\nsourceRange = [\"{ip_address}/32\", \"192.168.0.0/16\", \"10.0.0.0/8\", \"172.16.0.0/12\", \"100.64.0.0/10\"]\n\"\"\"\n \n with open(config_path, 'w') as f:\n f.write(toml_content)\n \n logging.info(f\"Successfully updated Traefik whitelist configuration at {config_path}\")\n \n except Exception as e:\n logging.error(f\"Failed to update Traefik whitelist: {e}\")\n\ndef update_dns_record(client: dns.Client, project_id: str, zone_name: str, record_name: str, ip_address: str):\n \"\"\"Updates DNS record.\"\"\"\n try:\n # Use zone_name directly as it should already be the correct GCP zone name\n gcp_zone_name = zone_name\n logging.info(f\"Targeting GCP DNS Zone: {gcp_zone_name}\")\n\n zone = client.zone(gcp_zone_name, project_id)\n if not zone.exists():\n logging.error(f\"DNS zone '{gcp_zone_name}' not found in project '{project_id}'.\")\n return\n\n fqdn = record_name if record_name.endswith('.') else f\"{record_name}.\"\n logging.info(f\"Checking DNS records for: {fqdn} in zone {gcp_zone_name}\")\n\n record_sets = list(zone.list_resource_record_sets())\n\n existing_a_record = None\n existing_cname_record = None\n\n for record_set in record_sets:\n if record_set.record_type == 'A' and record_set.name == fqdn:\n existing_a_record = record_set\n logging.info(f\"Found existing A record: {existing_a_record.name} -> {existing_a_record.rrdatas}\")\n elif record_set.record_type == 'CNAME' and record_set.name == fqdn:\n existing_cname_record = record_set\n logging.info(f\"Found existing CNAME record: {existing_cname_record.name} -> {existing_cname_record.rrdatas}\")\n\n changes = zone.changes()\n needs_update = False\n\n if existing_cname_record:\n logging.warning(f\"Deleting existing CNAME record {fqdn} to replace with A record.\")\n changes.delete_record_set(existing_cname_record)\n needs_update = True\n existing_a_record = None\n\n new_a_record = zone.resource_record_set(fqdn, \"A\", 300, [ip_address])\n\n if existing_a_record:\n if existing_a_record.rrdatas == [ip_address]:\n logging.info(f\"Existing A record {fqdn} already points to {ip_address}. No update needed.\")\n return\n else:\n logging.info(f\"Existing A record {fqdn} points to {existing_a_record.rrdatas}. Updating to {ip_address}.\")\n changes.delete_record_set(existing_a_record)\n changes.add_record_set(new_a_record)\n needs_update = True\n elif not existing_cname_record:\n logging.info(f\"No existing A or CNAME record found for {fqdn}. Creating new A record pointing to {ip_address}.\")\n changes.add_record_set(new_a_record)\n needs_update = True\n elif existing_cname_record:\n logging.info(f\"Adding A record for {fqdn} pointing to {ip_address} after CNAME deletion.\")\n changes.add_record_set(new_a_record)\n\n if needs_update:\n logging.info(f\"Executing DNS changes for {fqdn} in zone {gcp_zone_name}...\")\n changes.create()\n while changes.status != 'done':\n logging.info(f\"Waiting for DNS changes to complete (status: {changes.status})...\")\n time.sleep(5)\n changes.reload()\n logging.info(f\"Successfully updated DNS record {fqdn} to {ip_address} in zone {gcp_zone_name}.\")\n else:\n logging.info(\"No DNS changes were necessary.\")\n\n except GoogleAPIError as e:\n logging.error(f\"GCP API Error updating DNS record {fqdn} in zone {gcp_zone_name}: {e}\")\n except Exception as e:\n logging.error(f\"An unexpected error occurred during DNS update for {fqdn} in zone {gcp_zone_name}: {e}\")\n\ndef update_spf_record(client: dns.Client, project_id: str, zone_name: str, record_name: str, ip_address: str):\n \"\"\"Updates the SPF TXT record on the bare domain with the current public IP.\"\"\"\n try:\n gcp_zone_name = zone_name\n logging.info(f\"Updating SPF record in zone: {gcp_zone_name}\")\n\n zone = client.zone(gcp_zone_name, project_id)\n if not zone.exists():\n logging.error(f\"DNS zone '{gcp_zone_name}' not found in project '{project_id}'.\")\n return\n\n # Derive bare domain from record_name (e.g., \"*.demonsafe.com\" -> \"demonsafe.com.\")\n domain = record_name.lstrip('*.') if record_name.startswith('*.') else record_name\n fqdn = domain if domain.endswith('.') else f\"{domain}.\"\n logging.info(f\"Checking TXT records for: {fqdn}\")\n\n spf_value = f'\"v=spf1 ip4:{ip_address} ~all\"'\n\n record_sets = list(zone.list_resource_record_sets())\n existing_txt = None\n for rs in record_sets:\n if rs.record_type == 'TXT' and rs.name == fqdn:\n existing_txt = rs\n logging.info(f\"Found existing TXT record: {rs.name} -> {rs.rrdatas}\")\n break\n\n changes = zone.changes()\n needs_update = False\n\n if existing_txt:\n new_rrdatas = []\n spf_found = False\n for rd in existing_txt.rrdatas:\n if 'v=spf1' in rd:\n spf_found = True\n if ip_address in rd:\n logging.info(f\"SPF record already contains {ip_address}. No update needed.\")\n return\n logging.info(f\"Replacing SPF entry: {rd} -> {spf_value}\")\n new_rrdatas.append(spf_value)\n else:\n new_rrdatas.append(rd)\n if not spf_found:\n logging.info(f\"No existing SPF entry found. Adding: {spf_value}\")\n new_rrdatas.append(spf_value)\n\n changes.delete_record_set(existing_txt)\n new_txt = zone.resource_record_set(fqdn, \"TXT\", 300, new_rrdatas)\n changes.add_record_set(new_txt)\n needs_update = True\n else:\n logging.info(f\"No TXT record found for {fqdn}. Creating with SPF: {spf_value}\")\n new_txt = zone.resource_record_set(fqdn, \"TXT\", 300, [spf_value])\n changes.add_record_set(new_txt)\n needs_update = True\n\n if needs_update:\n logging.info(f\"Executing SPF TXT changes for {fqdn}...\")\n changes.create()\n while changes.status != 'done':\n logging.info(f\"Waiting for SPF changes to complete (status: {changes.status})...\")\n time.sleep(5)\n changes.reload()\n logging.info(f\"Successfully updated SPF record for {fqdn} with ip4:{ip_address}\")\n\n except GoogleAPIError as e:\n logging.error(f\"GCP API Error updating SPF record: {e}\")\n except Exception as e:\n logging.error(f\"Unexpected error updating SPF record: {e}\")\n\nif __name__ == \"__main__\":\n logging.info(\"Starting DNS update script.\")\n project_id, zone_name, record_name, key_b64 = get_env_vars()\n logging.info(f\"Environment variables loaded - zone_name: '{zone_name}', record_name: '{record_name}'\")\n public_ip = get_public_ip()\n\n if public_ip:\n dns_client = get_dns_client(key_b64, project_id)\n if dns_client:\n update_dns_record(dns_client, project_id, zone_name, record_name, public_ip)\n update_spf_record(dns_client, project_id, zone_name, record_name, public_ip)\n update_traefik_whitelist(public_ip)\n logging.info(\"DNS, SPF, and Traefik whitelist update script finished.\")\n else:\n logging.error(\"Exiting due to DNS client initialization failure.\")\n sys.exit(1)\n else:\n logging.error(\"Exiting due to inability to fetch public IP.\")\n sys.exit(1)\n \n # Sleep to allow log viewing before container exits\n logging.info(\"Sleeping for 10 seconds to allow log viewing...\")\n time.sleep(10)\nEOF\n destination = \"local/update_dns.py\"\n }\n\n resources {\n cpu = 100 \n memory = 128 \n }\n }\n }\n}\n\nvariable \"gcp_project_id\" {}\nvariable \"dns_zone\" {}\nvariable \"tld\" {}\nvariable \"gcp_dns_admin\" {}\nvariable \"shared_dir\" {}\n"
},
{
"path": "nomad_jobs/misc/gcp-dns-updater/requirements.txt",
"content": "google-cloud-dns\nrequests\ngoogle-auth"
},
{
"path": "nomad_jobs/misc/gcp-dns-updater/update_dns.py",
"content": "\nimport os\nimport requests\nimport logging\nimport sys\nimport base64\nimport json\nimport time # Moved import to top\n\n# Import GCP specific libraries\nfrom google.cloud import dns\nfrom google.oauth2 import service_account\nfrom google.api_core.exceptions import GoogleAPIError\n\n# Setup logging\nlogging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')\n\ndef get_env_vars():\n \"\"\"Reads required environment variables and returns them.\"\"\"\n project_id = os.environ.get('GCP_PROJECT_ID')\n zone_name = os.environ.get('GCP_DNS_ZONE_NAME') # This will be the TLD like \"demonsafe.com\"\n record_name = os.environ.get('GCP_DNS_RECORD_NAME')\n key_b64 = os.environ.get('GCP_SERVICE_ACCOUNT_KEY_B64') # Changed variable name\n\n if not all([project_id, zone_name, record_name, key_b64]): # Check for key_b64\n missing = [var for var, val in [\n ('GCP_PROJECT_ID', project_id),\n ('GCP_DNS_ZONE_NAME', zone_name),\n ('GCP_DNS_RECORD_NAME', record_name),\n ('GCP_SERVICE_ACCOUNT_KEY_B64', key_b64) # Updated missing check\n ] if not val]\n logging.error(f\"Missing required environment variables: {', '.join(missing)}\")\n sys.exit(1)\n\n return project_id, zone_name, record_name, key_b64 # Return key_b64\n\ndef get_public_ip():\n \"\"\"Fetches the public IPv4 address.\"\"\"\n try:\n response = requests.get('https://v4.ifconfig.me/ip', timeout=10)\n response.raise_for_status() # Raise an exception for bad status codes\n ip_address = response.text.strip()\n logging.info(f\"Successfully fetched public IP: {ip_address}\")\n return ip_address\n except requests.exceptions.RequestException as e:\n logging.error(f\"Error fetching public IP: {e}\")\n sys.exit(1) # Exit if IP cannot be fetched\n\ndef get_dns_client(key_b64: str, project_id: str): # Changed key_path to key_b64 and added project_id\n \"\"\"Creates and returns a DNS client authenticated with a base64 encoded service account key.\"\"\"\n try:\n # Decode the base64 string\n logging.info(\"Decoding base64 service account key...\")\n decoded_key = base64.b64decode(key_b64)\n logging.info(\"Base64 key decoded successfully.\")\n\n # Parse the decoded JSON key\n logging.info(\"Parsing service account key JSON...\")\n key_info = json.loads(decoded_key)\n logging.info(\"Service account key JSON parsed successfully.\")\n\n # Create credentials from the parsed key info\n credentials = service_account.Credentials.from_service_account_info(key_info)\n\n # Use the provided project_id, not the one from credentials, to ensure consistency\n client = dns.Client(project=project_id, credentials=credentials)\n logging.info(f\"Successfully created DNS client for project {project_id}\")\n return client\n\n except base64.binascii.Error as e:\n logging.error(f\"Failed to decode base64 service account key: {e}\")\n sys.exit(1)\n except json.JSONDecodeError as e:\n logging.error(f\"Failed to parse service account key JSON: {e}\")\n sys.exit(1)\n except Exception as e:\n logging.error(f\"Failed to create DNS client from service account info: {e}\")\n sys.exit(1)\n\ndef update_dns_record(client: dns.Client, project_id: str, zone_name: str, record_name: str, ip_address: str):\n \"\"\"\n Checks and updates/creates an A record for the given name in the specified zone,\n replacing a CNAME if necessary.\n\n Args:\n client: Authenticated DNS client.\n project_id: GCP project ID.\n zone_name: The domain TLD (e.g., \"demonsafe.com\"). This will be converted\n to the GCP zone name format (e.g., \"demonsafe-com\").\n record_name: The specific record to update (e.g., \"*.demonsafe.com\").\n ip_address: The public IP address to set.\n \"\"\"\n try:\n # Convert the TLD zone name (e.g., \"demonsafe.com\") to GCP zone name format (e.g., \"demonsafe-com\")\n gcp_zone_name = zone_name.replace('.', '-')\n logging.info(f\"Targeting GCP DNS Zone: {gcp_zone_name}\")\n\n zone = client.zone(gcp_zone_name, project_id)\n if not zone.exists():\n logging.error(f\"DNS zone '{gcp_zone_name}' not found in project '{project_id}'.\")\n return # Cannot proceed without the zone\n\n # Ensure record_name ends with a dot for FQDN matching\n fqdn = record_name if record_name.endswith('.') else f\"{record_name}.\"\n logging.info(f\"Checking DNS records for: {fqdn} in zone {gcp_zone_name}\")\n\n record_sets = list(zone.list_resource_record_sets(filter_=f\"name={fqdn}\"))\n\n existing_a_record = None\n existing_cname_record = None\n\n for record_set in record_sets:\n if record_set.record_type == 'A' and record_set.name == fqdn:\n existing_a_record = record_set\n logging.info(f\"Found existing A record: {existing_a_record.name} -> {existing_a_record.rrdatas}\")\n elif record_set.record_type == 'CNAME' and record_set.name == fqdn:\n existing_cname_record = record_set\n logging.info(f\"Found existing CNAME record: {existing_cname_record.name} -> {existing_cname_record.rrdatas}\")\n\n changes = zone.changes()\n needs_update = False\n\n # Handle existing CNAME (delete it to replace with A)\n if existing_cname_record:\n logging.warning(f\"Deleting existing CNAME record {fqdn} to replace with A record.\")\n changes.delete_record_set(existing_cname_record)\n needs_update = True\n # Ensure we don't try to delete an A record if we just deleted a CNAME\n existing_a_record = None\n\n # Define the new A record we want\n new_a_record = zone.resource_record_set(fqdn, \"A\", 300, [ip_address])\n\n # Handle existing A record\n if existing_a_record:\n if existing_a_record.rrdatas == [ip_address]:\n logging.info(f\"Existing A record {fqdn} already points to {ip_address}. No update needed.\")\n return # Nothing to do\n else:\n logging.info(f\"Existing A record {fqdn} points to {existing_a_record.rrdatas}. Updating to {ip_address}.\")\n changes.delete_record_set(existing_a_record)\n changes.add_record_set(new_a_record)\n needs_update = True\n # Handle case where no A record (and no CNAME was found/deleted)\n elif not existing_cname_record: # Only add if we didn't already decide to replace CNAME\n logging.info(f\"No existing A or CNAME record found for {fqdn}. Creating new A record pointing to {ip_address}.\")\n changes.add_record_set(new_a_record)\n needs_update = True\n # Handle case where CNAME was found and deleted - we still need to add the A record\n elif existing_cname_record:\n logging.info(f\"Adding A record for {fqdn} pointing to {ip_address} after CNAME deletion.\")\n changes.add_record_set(new_a_record)\n # needs_update should already be True\n\n # Execute the changes if any were queued\n if needs_update:\n logging.info(f\"Executing DNS changes for {fqdn} in zone {gcp_zone_name}...\")\n changes.create()\n # Wait until the changes are finished.\n while changes.status != 'done':\n logging.info(f\"Waiting for DNS changes to complete (status: {changes.status})...\")\n time.sleep(5) # Wait 5 seconds before checking again\n changes.reload()\n logging.info(f\"Successfully updated DNS record {fqdn} to {ip_address} in zone {gcp_zone_name}.\")\n else:\n # This case should only be hit if an A record existed and was correct\n logging.info(\"No DNS changes were necessary.\")\n\n except GoogleAPIError as e:\n logging.error(f\"GCP API Error updating DNS record {fqdn} in zone {gcp_zone_name}: {e}\")\n except Exception as e:\n logging.error(f\"An unexpected error occurred during DNS update for {fqdn} in zone {gcp_zone_name}: {e}\")\n\n\ndef update_spf_record(client: dns.Client, project_id: str, zone_name: str, record_name: str, ip_address: str):\n \"\"\"Updates the SPF TXT record on the bare domain with the current public IP.\"\"\"\n try:\n gcp_zone_name = zone_name.replace('.', '-')\n logging.info(f\"Updating SPF record in zone: {gcp_zone_name}\")\n\n zone = client.zone(gcp_zone_name, project_id)\n if not zone.exists():\n logging.error(f\"DNS zone '{gcp_zone_name}' not found in project '{project_id}'.\")\n return\n\n # Derive bare domain from record_name (e.g., \"*.demonsafe.com\" -> \"demonsafe.com.\")\n domain = record_name.lstrip('*.') if record_name.startswith('*.') else record_name\n fqdn = domain if domain.endswith('.') else f\"{domain}.\"\n logging.info(f\"Checking TXT records for: {fqdn}\")\n\n spf_value = f'\"v=spf1 ip4:{ip_address} ~all\"'\n\n record_sets = list(zone.list_resource_record_sets(filter_=f\"name={fqdn}\"))\n existing_txt = None\n for rs in record_sets:\n if rs.record_type == 'TXT' and rs.name == fqdn:\n existing_txt = rs\n logging.info(f\"Found existing TXT record: {rs.name} -> {rs.rrdatas}\")\n break\n\n changes = zone.changes()\n needs_update = False\n\n if existing_txt:\n new_rrdatas = []\n spf_found = False\n for rd in existing_txt.rrdatas:\n if 'v=spf1' in rd:\n spf_found = True\n if ip_address in rd:\n logging.info(f\"SPF record already contains {ip_address}. No update needed.\")\n return\n logging.info(f\"Replacing SPF entry: {rd} -> {spf_value}\")\n new_rrdatas.append(spf_value)\n else:\n new_rrdatas.append(rd)\n if not spf_found:\n logging.info(f\"No existing SPF entry found. Adding: {spf_value}\")\n new_rrdatas.append(spf_value)\n\n changes.delete_record_set(existing_txt)\n new_txt = zone.resource_record_set(fqdn, \"TXT\", 300, new_rrdatas)\n changes.add_record_set(new_txt)\n needs_update = True\n else:\n logging.info(f\"No TXT record found for {fqdn}. Creating with SPF: {spf_value}\")\n new_txt = zone.resource_record_set(fqdn, \"TXT\", 300, [spf_value])\n changes.add_record_set(new_txt)\n needs_update = True\n\n if needs_update:\n logging.info(f\"Executing SPF TXT changes for {fqdn}...\")\n changes.create()\n while changes.status != 'done':\n logging.info(f\"Waiting for SPF changes to complete (status: {changes.status})...\")\n time.sleep(5)\n changes.reload()\n logging.info(f\"Successfully updated SPF record for {fqdn} with ip4:{ip_address}\")\n\n except GoogleAPIError as e:\n logging.error(f\"GCP API Error updating SPF record: {e}\")\n except Exception as e:\n logging.error(f\"Unexpected error updating SPF record: {e}\")\n\n\nif __name__ == \"__main__\":\n logging.info(\"Starting DNS update script.\")\n project_id, zone_name, record_name, key_b64 = get_env_vars()\n public_ip = get_public_ip()\n\n if public_ip:\n dns_client = get_dns_client(key_b64, project_id)\n if dns_client:\n update_dns_record(dns_client, project_id, zone_name, record_name, public_ip)\n update_spf_record(dns_client, project_id, zone_name, record_name, public_ip)\n logging.info(\"DNS update script finished.\")\n else:\n # Error handled in get_dns_client, it exits\n logging.error(\"Exiting due to DNS client initialization failure.\")\n sys.exit(1) # Explicit exit for clarity\n else:\n # Error handled in get_public_ip, it exits\n logging.error(\"Exiting due to inability to fetch public IP.\")\n sys.exit(1) # Explicit exit for clarity\n"
},
{
"path": "nomad_jobs/misc/gitea/nomad.job",
"content": "job \"gitea\" {\n \n meta {\n job_file = \"nomad_jobs/misc/gitea/nomad.job\"\n }\nregion = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n group \"svc\" {\n count = 1\n volume \"gitea-data\" {\n type = \"host\"\n source = \"gitea-data\"\n read_only = false\n }\n volume \"gitea-db\" {\n type = \"host\"\n source = \"gitea-db\"\n read_only = false\n }\n restart {\n attempts = 5\n delay = \"30s\"\n }\n task \"app\" {\n driver = \"docker\"\n volume_mount {\n volume = \"gitea-data\"\n destination = \"/data\"\n read_only = false\n }\n config {\n image = \"gitea/gitea\"\n port_map {\n http = 3000\n ssh_pass = 22\n }\n }\n env = {\n \"APP_NAME\" = \"Gitea: Git with a cup of tea\"\n \"RUN_MODE\" = \"prod\"\n \"SSH_DOMAIN\" = \"git.${var.tld}\"\n \"SSH_PORT\" = \"22\"\n \"ROOT_URL\" = \"http://git.${var.tld}/\"\n \"USER_UID\" = \"1002\"\n \"USER_GID\" = \"1002\"\n \"DB_TYPE\" = \"postgres\"\n \"DB_NAME\" = \"gitea\"\n \"DB_USER\" = \"gitea\"\n \"DB_PASSWD\" = \"gitea\"\n \"SHOW_REGISTRATION_BUTTON\" = \"false\"\n }\n template {\ndata = <Welcome to this server running Murmur.
Enjoy your stay!
\"\n\n; The welcometext can also be read from an external file which might be useful\n; if you want to specify a rather lengthy text. If a value for welcometext is\n; set, the welcometextfile will not be read.\n;welcometextfile=\n\n; Port to bind TCP and UDP sockets to.\nport={{ env \"NOMAD_PORT_0\" }}\n\n; Specific IP or hostname to bind to.\n; If this is left blank (default), Murmur will bind to all available addresses.\n;host=\n\n; Password to join server.\nserverpassword=\n\n; Maximum bandwidth (in bits per second) clients are allowed\n; to send speech at.\nbandwidth=558000\n\n; Murmur and Mumble are usually pretty good about cleaning up hung clients, but\n; occasionally one will get stuck on the server. The timeout setting will cause\n; a periodic check of all clients who haven't communicated with the server in\n; this many seconds - causing zombie clients to be disconnected.\n;\n; Note that this has no effect on idle clients or people who are AFK. It will\n; only affect people who are already disconnected, and just haven't told the\n; server.\n;timeout=30\n\n; Maximum number of concurrent clients allowed.\nusers=100\n\n; Where users sets a blanket limit on the number of clients per virtual server,\n; usersperchannel sets a limit on the number per channel. The default is 0, for\n; no limit.\n;usersperchannel=0\n\n; Per-user rate limiting\n;\n; These two settings allow to configure the per-user rate limiter for some\n; command messages sent from the client to the server. The messageburst setting\n; specifies an amount of messages which are allowed in short bursts. The\n; messagelimit setting specifies the number of messages per second allowed over\n; a longer period. If a user hits the rate limit, his packages are then ignored\n; for some time. Both of these settings have a minimum of 1 as setting either to\n; 0 could render the server unusable.\nmessageburst=5\nmessagelimit=1\n\n; Respond to UDP ping packets.\n;\n; Setting to true exposes the current user count, the maximum user count, and\n; the server's maximum bandwidth per client to unauthenticated users. In the\n; Mumble client, this information is shown in the Connect dialog.\nallowping=true\n\n; Amount of users with Opus support needed to force Opus usage, in percent.\n; 0 = Always enable Opus, 100 = enable Opus if it's supported by all clients.\n;opusthreshold=100\n\n; Maximum depth of channel nesting. Note that some databases like MySQL using\n; InnoDB will fail when operating on deeply nested channels.\n;channelnestinglimit=10\n\n; Maximum number of channels per server. 0 for unlimited. Note that an\n; excessive number of channels will impact server performance\n;channelcountlimit=1000\n\n; Regular expression used to validate channel names.\n; (Note that you have to escape backslashes with \\ )\n;channelname=[ \\\\-=\\\\w\\\\#\\\\[\\\\]\\\\{\\\\}\\\\(\\\\)\\\\@\\\\|]+\n\n; Regular expression used to validate user names.\n; (Note that you have to escape backslashes with \\ )\n;username=[-=\\\\w\\\\[\\\\]\\\\{\\\\}\\\\(\\\\)\\\\@\\\\|\\\\.]+\n\n; If a user has no stored channel (they've never been connected to the server\n; before, or rememberchannel is set to false) and the client hasn't been given\n; a URL that includes a channel path, the default behavior is that they will\n; end up in the root channel.\n;\n; You can set this setting to a channel ID, and the user will automatically be\n; moved into that channel instead. Note that this is the numeric ID of the\n; channel, which can be a little tricky to get (you'll either need to use an\n; RPC mechanism, watch the console of a debug client, or root around through\n; the Murmur Database to get it).\n;\n;defaultchannel=0\n\n; When a user connects to a server they've already been on, by default the\n; server will remember the last channel they were in and move them to it\n; automatically. Toggling this setting to false will disable that feature.\n;\n;rememberchannel=true\n\n; How many seconds should the server remember the last channel of a user.\n; Set to 0 (default) to remember forever. This option has no effect if\n; rememberchannel is set to false.\n;rememberchannelduration=0\n\n; Maximum length of text messages in characters. 0 for no limit.\n;textmessagelength=5000\n\n; Maximum length of text messages in characters, with image data. 0 for no limit.\n;imagemessagelength=131072\n\n; Allow clients to use HTML in messages, user comments and channel descriptions?\n;allowhtml=true\n\n; Murmur retains the per-server log entries in an internal database which\n; allows it to be accessed over D-Bus/ICE.\n; How many days should such entries be kept?\n; Set to 0 to keep forever, or -1 to disable logging to the DB.\n;logdays=31\n\n; To enable public server registration, the serverpassword must be blank, and\n; this must all be filled out.\n; The password here is used to create a registry for the server name; subsequent\n; updates will need the same password. Don't lose your password.\n; The URL is your own website, and only set the registerHostname for static IP\n; addresses.\n; Location is typically the country of typical users of the server, in\n; two-letter TLD style (ISO 3166-1 alpha-2 country code)\n;\n; If you only wish to give your \"Root\" channel a custom name, then only\n; uncomment the 'registerName' parameter.\n;\n;registerName=Mumble Server\n;registerPassword=secret\n;registerUrl=http://www.mumble.info/\n;registerHostname=\n;registerLocation=\n\n; If this option is enabled, the server will announce its presence via the\n; bonjour service discovery protocol. To change the name announced by bonjour\n; adjust the registerName variable.\n; See http://developer.apple.com/networking/bonjour/index.html for more information\n; about bonjour.\n;bonjour=True\n\n; If you have a proper SSL certificate, you can provide the filenames here.\n; Otherwise, Murmur will create its own certificate automatically.\n;sslCert=\n;sslKey=\n\n; If the keyfile specified above is encrypted with a passphrase, you can enter\n; it in this setting. It must be plaintext, so you may wish to adjust the\n; permissions on your murmur.ini file accordingly.\n;sslPassPhrase=\n\n; If your certificate is signed by an authority that uses a sub-signed or\n; \"intermediate\" certificate, you probably need to bundle it with your\n; certificate in order to get Murmur to accept it. You can either concatenate\n; the two certificates into one file, or you can put it in a file by itself and\n; put the path to that PEM-file in sslCA.\n;sslCA=\n\n; The sslDHParams option allows you to specify a PEM-encoded file with\n; Diffie-Hellman parameters, which will be used as the default Diffie-\n; Hellman parameters for all virtual servers.\n;\n; Instead of pointing sslDHParams to a file, you can also use the option\n; to specify a named set of Diffie-Hellman parameters for Murmur to use.\n; Murmur comes bundled with the Diffie-Hellman parameters from RFC 7919.\n; These parameters are available by using the following names:\n;\n; @ffdhe2048, @ffdhe3072, @ffdhe4096, @ffdhe6144, @ffdhe8192\n;\n; By default, Murmur uses @ffdhe2048.\n;sslDHParams=@ffdhe2048\n\n; The sslCiphers option chooses the cipher suites to make available for use\n; in SSL/TLS. This option is server-wide, and cannot be set on a\n; per-virtual-server basis.\n;\n; This option is specified using OpenSSL cipher list notation (see\n; https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT).\n;\n; It is recommended that you try your cipher string using 'openssl ciphers '\n; before setting it here, to get a feel for which cipher suites you will get.\n;\n; After setting this option, it is recommend that you inspect your Murmur log\n; to ensure that Murmur is using the cipher suites that you expected it to.\n;\n; Note: Changing this option may impact the backwards compatibility of your\n; Murmur server, and can remove the ability for older Mumble clients to be able\n; to connect to it.\n;sslCiphers=EECDH+AESGCM:EDH+aRSA+AESGCM:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA\n\n; If Murmur is started as root, which user should it switch to?\n; This option is ignored if Murmur isn't started with root privileges.\n;uname=\n\n; By default, in log files and in the user status window for privileged users,\n; Mumble will show IP addresses - in some situations you may find this unwanted\n; behavior. If obfuscate is set to true, Murmur will randomize the IP addresses\n; of connecting users.\n;\n; The obfuscate function only affects the log file and DOES NOT effect the user\n; information section in the client window.\n;obfuscate=false\n\n; If this options is enabled, only clients which have a certificate are allowed\n; to connect.\n;certrequired=False\n\n; If enabled, clients are sent information about the servers version and operating\n; system.\n;sendversion=True\n\n; You can set a recommended minimum version for your server, and clients will\n; be notified in their log when they connect if their client does not meet the\n; minimum requirements. suggestVersion expects the version in the format X.X.X.\n;\n; Note that the suggest* options appeared after 1.2.3 and will have no effect\n; on client versions 1.2.3 and earlier.\n;\n;suggestVersion=\n\n; Setting this to \"true\" will alert any user who does not have positional audio\n; enabled that the server administrators recommend enabling it. Setting it to\n; \"false\" will have the opposite effect - if you do not care whether the user\n; enables positional audio or not, set it to blank. The message will appear in\n; the log window upon connection, but only if the user's settings do not match\n; what the server requests.\n;\n; Note that the suggest* options appeared after 1.2.3 and will have no effect\n; on client versions 1.2.3 and earlier.\n;\n;suggestPositional=\n\n; Setting this to \"true\" will alert any user who does not have Push-To-Talk\n; enabled that the server administrators recommend enabling it. Setting it to\n; \"false\" will have the opposite effect - if you do not care whether the user\n; enables PTT or not, set it to blank. The message will appear in the log\n; window upon connection, but only if the user's settings do not match what the\n; server requests.\n;\n; Note that the suggest* options appeared after 1.2.3 and will have no effect\n; on client versions 1.2.3 and earlier.\n;\n;suggestPushToTalk=\n\n; This sets password hash storage to legacy mode (1.2.4 and before)\n; (Note that setting this to true is insecure and should not be used unless absolutely necessary)\n;legacyPasswordHash=false\n\n; By default a strong amount of PBKDF2 iterations are chosen automatically. If >0 this setting\n; overrides the automatic benchmark and forces a specific number of iterations.\n; (Note that you should only change this value if you know what you are doing)\n;kdfIterations=-1\n\n; In order to prevent misconfigured, impolite or malicious clients from\n; affecting the low-latency of other users, Murmur has a rudimentary global-ban\n; system. It's configured using the autobanAttempts, autobanTimeframe and\n; autobanTime settings.\n;\n; If a client attempts autobanAttempts connections in autobanTimeframe seconds,\n; they will be banned for autobanTime seconds. This is a global ban, from all\n; virtual servers on the Murmur process. It will not show up in any of the\n; ban-lists on the server, and they can't be removed without restarting the\n; Murmur process - just let them expire. A single, properly functioning client\n; should not trip these bans.\n;\n; To disable, set autobanAttempts or autobanTimeframe to 0. Commenting these\n; settings out will cause Murmur to use the defaults:\n;\n; To avoid autobanning successful connection attempts from the same IP address,\n; set autobanSuccessfulConnections=False.\n;\n;autobanAttempts=10\n;autobanTimeframe=120\n;autobanTime=300\n;autobanSuccessfulConnections=True\n\n; Enables logging of group changes. This means that every time a group in a\n; channel changes, the server will log all groups and their members from before\n; the change and after the change. Deault is false. This option was introduced\n; with Murmur 1.4.0.\n;\n;loggroupchanges=false\n\n; Enables logging of ACL changes. This means that every time the ACL in a\n; channel changes, the server will log all ACLs from before the change and\n; after the change. Default is false. This option was introduced with Murmur\n; 1.4.0.\n;\n;logaclchanges=false\n\n; You can configure any of the configuration options for Ice here. We recommend\n; leave the defaults as they are.\n; Please note that this section has to be last in the configuration file.\n;\n[Ice]\nIce.Warn.UnknownProperties=1\nIce.MessageSizeMax=65536\n\nEOH\n destination = \"local/murmur-config\"\n env = false\n }\n\n resources {\n cpu = 100\n memory = 128\n network {\n port \"0\" {}\n }\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\n\n\nvariable \"tld\" {\n type = string\n}\n\nvariable \"shared_dir\" {\n type = string\n}\n\nvariable \"auth\" {\n type = string\n}\n"
},
{
"path": "nomad_jobs/misc/octoprint/nomad.job",
"content": "job \"octoprint\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/misc/octoprint/nomad.job\"\nversion = \"6\"\n }\n\n constraint {\n attribute = \"${meta.3d_printer}\"\n operator = \"=\"\n value = \"true\"\n }\n\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"3dprinter\" {\n count = 1 \n\n network {\n port \"web\" {\n host_network = \"tailscale\"\n to = \"5000\"\n }\n }\n\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"octoprint\" {\n driver = \"docker\"\n config {\n image = \"octoprint/octoprint\"\n force_pull = true\n #network_mode = \"host\"\n privileged = true\n ports = [\"web\"]\n volumes = [\n \"${var.shared_dir}octoprint:/home/octoprint/.octoprint\",\n \"/dev/ttyUSB0:/dev/ttyUSB0\",\n ]\n }\n\n service {\n port = \"web\"\n\tname = \"octoprint\"\n tags = [\n \"traefik.enable=true\",\n \"traefik.http.middlewares.cors.headers.accesscontrolallowmethods=GET,OPTIONS,PUT\",\n \"traefik.http.middlewares.cors.headers.accesscontrolalloworigin=origin-list-or-null\",\n \"traefik.http.middlewares.cors.headers.accesscontrolmaxage=100\",\n \"traefik.http.middlewares.cors.headers.addvaryheader=true\",\n\n\n \"traefik.http.middlewares.malpotAuth.basicauth.users=${var.auth}\",\n \"traefik.http.routers.${NOMAD_TASK_NAME}.middlewares=forward-auth\"\n ]\n check {\n type = \"http\"\n path = \"/\"\n interval = \"10s\"\n timeout = \"2s\"\n check_restart {\n limit = 3\n grace = \"60s\"\n ignore_warnings = false\n }\n }\n }\n\n env {\n TZ = \"Europe/Amsterdam\"\n }\n\n resources {\n cpu = 100\n memory = 1024\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\n\n\nvariable \"tld\" {\n type = string\n}\n\nvariable \"shared_dir\" {\n type = string\n}\n"
},
{
"path": "nomad_jobs/misc/uploader/nomad.job",
"content": "job \"uploader\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n meta {\n job_file = \"nomad_jobs/misc/uploader/nomad.job\"\nversion = \"5\"\n }\n\n group \"webserver\" {\n count = 1\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n task \"uploader\" {\n driver = \"docker\"\n\n service {\n name = \"uploader\"\n tags = [\n \"traefik.enable=true\",\n \"traefik.http.middlewares.httpsRedirect.redirectscheme.scheme=https\",\n\n\n \"traefik.http.routers.${NOMAD_TASK_NAME}.tls.domains[0].sans=${NOMAD_TASK_NAME}.${var.tld}\",\n \"traefik.http.routers.${NOMAD_TASK_NAME}.middlewares=forward-auth\"\n ]\n port = \"http\"\n\n check {\n type = \"tcp\"\n interval = \"10s\"\n timeout = \"2s\"\n }\n }\n\n config {\n image = \"docker-registry.${var.tld}/uploader:latest\"\n network_mode = \"host\"\n volumes = [\n \"${var.shared_dir}uploader:/data\",\n ]\n }\n template {\ndata = <5 minutes.\n - alert: InstanceDown\n expr: up{job!=\"hass\"} == 0\n for: 5m\n labels:\n severity: page\n annotations:\n summary: \"Instance {{ $labels.instance }} down\"\n description: \"{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes.\"\n \n - alert: HomeAssistantDown\n expr: up{job=\"hass\"} == 0\n for: 10m\n labels:\n severity: warning\n annotations:\n summary: \"Home Assistant is down\" \n description: \"Home Assistant at {{ $labels.instance }} has been down for more than 10 minutes.\"\n # Alert for any device that is over 80% capacity \n - alert: DiskUsage\n expr: avg(nomad_client_host_disk_used_percent) by (host, device) > 80\n for: 5m\n labels:\n severity: page\n annotations:\n summary: \"Host {{ $labels.host }} disk {{ $labels.device }} usage alert\"\n description: \"{{ $labels.host }} is using over 80% of its device: {{ $labels.device }}\"\n\n- name: nomad_allocation_alerts\n rules:\n - alert: NomadJobFailureRate\n expr: rate(nomad_nomad_job_summary_failed[5m]) > 0\n for: 2m\n labels:\n severity: critical\n alertname: \"NomadJobFailureRate\"\n annotations:\n summary: \"Nomad job {{ $labels.exported_job }} is experiencing failures\"\n description: \"Job {{ $labels.exported_job }} is failing allocations at a rate of {{ $value | printf \\\"%.2f\\\" }} per second\"\n service: \"nomad\"\n \n - alert: NomadJobLostRate\n expr: rate(nomad_nomad_job_summary_lost[5m]) > 0\n for: 2m\n labels:\n severity: warning\n alertname: \"NomadJobLostRate\"\n annotations:\n summary: \"Nomad job {{ $labels.exported_job }} is losing allocations\"\n description: \"Job {{ $labels.exported_job }} is losing allocations at a rate of {{ $value | printf \\\"%.2f\\\" }} per second\"\n service: \"nomad\"\n \n - alert: NomadJobQueued\n expr: nomad_nomad_job_summary_queued > 0\n for: 5m\n labels:\n severity: warning\n alertname: \"NomadJobQueued\"\n annotations:\n summary: \"Nomad job {{ $labels.exported_job }} has queued allocations\"\n description: \"Job {{ $labels.exported_job }} has {{ $value }} allocations queued for over 5 minutes\"\n service: \"nomad\"\n \n - alert: NomadAllocationsRestarting\n expr: rate(nomad_client_allocs_restart[5m]) > 0.1\n for: 2m\n labels:\n severity: warning\n alertname: \"NomadAllocationsRestarting\"\n annotations:\n summary: \"High allocation restart rate on {{ $labels.host }}\"\n description: \"Allocation restart rate is {{ $value }} per second on {{ $labels.host }}\"\n service: \"nomad\"\n \n - alert: NomadAllocationsOOMKilled\n expr: nomad_client_allocs_oom_killed > 0\n for: 0s\n labels:\n severity: critical\n alertname: \"NomadAllocationsOOMKilled\"\n annotations:\n summary: \"Allocation killed due to OOM on {{ $labels.host }}\"\n description: \"{{ $value }} allocations were killed due to out-of-memory on {{ $labels.host }}\"\n service: \"nomad\"\n \nEOH\n }\n\n\n config {\n image = \"prom/prometheus:v3.11.2\"\n network_mode = \"host\"\n args = [\"--storage.tsdb.path\", \"/opt/prometheus\", \"--web.listen-address\", \"0.0.0.0:9090\", \"--storage.tsdb.retention.time\", \"90d\"]\n force_pull = true\n ports = [\"http\"]\n dns_servers = [\"192.168.50.2\"]\n volumes = [\n \"local/alerts.yml:/prometheus/alerts.yml\",\n \"local/prometheus.yml:/prometheus/prometheus.yml\",\n ]\n }\n\n resources {\n cpu = 1000\n memory = 512\n }\n }\n }\n}\n\n\n\nvariable \"region\" {}\nvariable \"tld\" {}\nvariable \"shared_dir\" {}\nvariable \"hass_key\" {}\nvariable \"hass_ip\" {}\n"
},
{
"path": "nomad_jobs/observability/prometheus/volume.hcl",
"content": "id = \"prometheus\"\nexternal_id = \"prometheus\"\nname = \"prometheus\"\ntype = \"csi\"\nplugin_id = \"org.democratic-csi.iscsi\"\ncapacity_min = \"50GiB\"\ncapacity_max = \"50GiB\"\n\ncapability {\n access_mode = \"multi-node-single-writer\"\n attachment_mode = \"file-system\"\n}\n\nmount_options {\n fs_type = \"ext4\"\n mount_flags = [\"noatime\"]\n}\n\n"
},
{
"path": "nomad_jobs/observability/telegraf/nomad.job",
"content": "job \"telegraf\" {\n region = var.region\n datacenters = [\"dc1\", \"public\", \"system\"]\n type = \"system\"\n priority = 100\n meta {\n job_file = \"nomad_jobs/observability/telegraf/nomad.job\"\nversion = \"4\"\n }\n group \"telegraf-exporter\" {\n\n network {\n port \"http\" {\n host_network = \"tailscale\"\n to = \"9273\"\n }\n }\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"telegraf\" {\n driver = \"docker\"\n service {\n name = \"telegraf\"\n port = \"http\"\n tags = [\"metrics\"]\n check {\n type = \"tcp\"\n interval = \"5s\"\n timeout = \"2s\"\n }\n }\n\n config {\n image = \"telegraf:1.38.2\"\n privileged = \"true\"\n ports = [\"http\"]\n args = [\n \"--config=/local/config.yaml\",\n ]\n }\n template {\n data = < /dev/null || pgrep -x suricata > /dev/null\"]\n interval = \"30s\"\n timeout = \"5s\"\n }\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\nvariable \"shared_dir\" {\n type = string\n}\n"
},
{
"path": "nomad_jobs/security/suricata-update/nomad.job",
"content": "job \"suricata-update\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"batch\"\n priority = 80\n\n meta {\n job_file = \"nomad_jobs/security/suricata-update/nomad.job\"\n version = \"3\" // Single instance with shared NFS storage\n }\n\n # Run daily at 4am\n periodic {\n crons = [\"0 4 * * *\"]\n prohibit_overlap = true\n }\n\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"update\" {\n count = 1\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n task \"suricata-update\" {\n driver = \"docker\"\n\n config {\n image = \"jasonish/suricata:8.0\"\n command = \"suricata-update\"\n volumes = [\n \"${var.shared_dir}suricata/rules:/var/lib/suricata\",\n ]\n }\n\n resources {\n cpu = 500\n memory = 1024\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\nvariable \"shared_dir\" {\n type = string\n}\n"
},
{
"path": "nomad_jobs/security/wazuh-agent/nomad.job",
"content": "job \"wazuh-agent\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"system\"\n priority = 100\n\n meta {\n job_file = \"nomad_jobs/security/wazuh-agent/nomad.job\"\n version = \"6\" // Fix client.keys file permissions for persistence\n }\n\n group \"agent\" {\n network {\n mode = \"host\"\n }\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n # Ensure agent data directory exists on host\n task \"prep-agent-dir\" {\n driver = \"docker\"\n\n config {\n image = \"busybox:latest\"\n command = \"sh\"\n args = [\"-c\", \"mkdir -p /host/var/lib/wazuh-agent; test -f /host/var/lib/wazuh-agent/client.keys || touch /host/var/lib/wazuh-agent/client.keys; chmod 666 /host/var/lib/wazuh-agent/client.keys\"]\n volumes = [\n \"/var/lib:/host/var/lib\",\n ]\n }\n\n resources {\n cpu = 100\n memory = 32\n }\n\n lifecycle {\n hook = \"prestart\"\n sidecar = false\n }\n }\n\n task \"wazuh-agent\" {\n driver = \"docker\"\n\n config {\n image = \"wazuh/wazuh-agent:4.14.4\"\n network_mode = \"host\"\n force_pull = true\n privileged = true\n\n # Mount host directories for monitoring and config\n volumes = [\n \"/var/log:/host/var/log:ro\",\n \"/var/run/docker.sock:/var/run/docker.sock:ro\",\n \"/:/host:ro\",\n \"/var/lib/wazuh-agent/client.keys:/var/ossec/etc/client.keys\",\n \"local/ossec.conf:/var/ossec/etc/ossec.conf\",\n ]\n }\n\n # Configuration template for the agent\n # Uses Consul service discovery to automatically find Wazuh manager\n template {\n data = <\n \n \n{{- if service \"wazuh-agent-comm\" -}}\n{{- with index (service \"wazuh-agent-comm\") 0 }}\n {{ .Address }}\n {{ .Port }}\n{{- end -}}\n{{- else }}\n 127.0.0.1\n 1514\n{{- end }}\n tcp\n \n ubuntu, ubuntu20, ubuntu20.04\n 10\n 60\n yes\n \n\n \n no\n 5000\n 500\n \n\n \n\n \n \n syslog\n /host/var/log/syslog\n \n\n \n syslog\n /host/var/log/auth.log\n \n\n \n syslog\n /host/var/log/kern.log\n \n\n \n syslog\n /host/var/log/dpkg.log\n \n\n \n \n json\n /host/var/log/nomad/*.log\n \n\n \n json\n /host/var/log/consul/*.log\n \n\n \n \n syslog\n /host/var/log/docker.log\n \n\n \n \n audit\n /host/var/log/audit/audit.log\n \n\n \n \n syslog\n /host/var/log/secure\n \n\n \n \n journald\n journald\n \n\n \n \n \n json\n /host/var/log/suricata/eve.json\n \n\n \n \n syslog\n /host/var/log/suricata/suricata.log\n \n\n \n \n no\n 21600\n yes\n yes\n\n \n /host/etc\n /host/usr/bin\n /host/usr/sbin\n /host/bin\n /host/sbin\n\n \n /host/etc/nomad.d\n /host/etc/consul.d\n\n \n /host/root/.ssh\n /host/home/*/.ssh\n\n \n /host/etc/mtab\n /host/etc/hosts.deny\n /host/etc/mail/statistics\n /host/etc/random-seed\n /host/etc/adjtime\n /host/etc/httpd/logs\n /host/etc/resolv.conf\n .log$|.tmp$|.swp$\n \n\n \n \n no\n yes\n yes\n yes\n yes\n yes\n yes\n yes\n 43200\n /var/ossec/etc/shared/rootkit_files.txt\n /var/ossec/etc/shared/rootkit_trojans.txt\n \n\n \n \n no\n 1h\n yes\n yes\n yes\n yes\n yes\n yes\n yes\n \n\n \n \n yes\n yes\n 12h\n yes\n \n\n \n \n no\n 10m\n 5\n yes\n \n\n \n \n \n yes\n \n\n\nEOH\n destination = \"local/ossec.conf\"\n change_mode = \"restart\"\n }\n\n resources {\n cpu = 300\n memory = 512\n }\n\n service {\n name = \"wazuh-agent\"\n tags = [\"security\", \"monitoring\"]\n\n # Use a simple script check that runs inside the container\n check {\n type = \"script\"\n name = \"agent-status\"\n command = \"/var/ossec/bin/wazuh-control\"\n args = [\"status\"]\n interval = \"30s\"\n timeout = \"10s\"\n }\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n"
},
{
"path": "nomad_jobs/security/wazuh-server/nomad.job",
"content": "job \"wazuh-server\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"wazuh-stack\" {\n count = 1\n\n network {\n port \"indexer\" {\n host_network = \"lan\"\n to = 9200\n }\n port \"manager\" {\n static = 1514\n host_network = \"lan\"\n to = 1514\n }\n port \"manager_reg\" {\n static = 1515\n host_network = \"lan\"\n to = 1515\n }\n port \"manager_api\" {\n host_network = \"lan\"\n to = 55000\n }\n port \"dashboard\" {\n host_network = \"lan\"\n to = 443\n }\n }\n\n # Persistent volumes for Wazuh components\n volume \"wazuh-indexer\" {\n type = \"csi\"\n read_only = false\n source = \"wazuh-indexer\"\n access_mode = \"single-node-writer\"\n attachment_mode = \"file-system\"\n }\n\n volume \"wazuh-manager\" {\n type = \"csi\"\n read_only = false\n source = \"wazuh-manager\"\n access_mode = \"single-node-writer\"\n attachment_mode = \"file-system\"\n }\n\n volume \"wazuh-dashboard\" {\n type = \"csi\"\n read_only = false\n source = \"wazuh-dashboard\"\n access_mode = \"single-node-writer\"\n attachment_mode = \"file-system\"\n }\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n # Prep disk task for indexer volume permissions\n task \"prep-indexer-disk\" {\n driver = \"docker\"\n\n volume_mount {\n volume = \"wazuh-indexer\"\n destination = \"/volume/\"\n read_only = false\n }\n\n config {\n image = \"busybox:latest\"\n command = \"sh\"\n args = [\"-c\", \"chown -R 1000:1000 /volume/\"]\n }\n\n resources {\n cpu = 200\n memory = 128\n }\n\n lifecycle {\n hook = \"prestart\"\n sidecar = false\n }\n }\n\n # Prep disk task for manager volume permissions\n task \"prep-manager-disk\" {\n driver = \"docker\"\n\n volume_mount {\n volume = \"wazuh-manager\"\n destination = \"/volume/\"\n read_only = false\n }\n\n config {\n image = \"busybox:latest\"\n command = \"sh\"\n args = [\"-c\", \"chown -R 999:999 /volume/\"]\n }\n\n resources {\n cpu = 200\n memory = 128\n }\n\n lifecycle {\n hook = \"prestart\"\n sidecar = false\n }\n }\n\n\n # Prep disk task for dashboard volume permissions\n task \"prep-dashboard-disk\" {\n driver = \"docker\"\n\n volume_mount {\n volume = \"wazuh-dashboard\"\n destination = \"/volume/\"\n read_only = false\n }\n\n config {\n image = \"busybox:latest\"\n command = \"sh\"\n args = [\"-c\", \"rm -rf /volume/wazuh && mkdir -p /volume/wazuh/config && chown -R 1000:1000 /volume/\"]\n }\n\n resources {\n cpu = 200\n memory = 128\n }\n\n lifecycle {\n hook = \"prestart\"\n sidecar = false\n }\n }\n\n # Wazuh Indexer (OpenSearch-based)\n task \"wazuh-indexer\" {\n driver = \"docker\"\n\n volume_mount {\n volume = \"wazuh-indexer\"\n destination = \"/var/lib/wazuh-indexer\"\n read_only = false\n }\n\n config {\n image = \"wazuh/wazuh-indexer:4.14.4\"\n force_pull = true\n ports = [\"indexer\"]\n volumes = [\n \"local/opensearch.yml:/usr/share/wazuh-indexer/config/opensearch.yml\",\n ]\n ulimit {\n nofile = \"65536:65536\"\n memlock = \"-1:-1\"\n }\n }\n\n env {\n OPENSEARCH_JAVA_OPTS = \"-Xms1g -Xmx1g\"\n }\n\n template {\n data = <\n\n\n \n \n \n 86601\n Suppressed: Suricata STREAM ESTABLISHED invalid ack\n \n\n\nEOH\n destination = \"local/local_rules.xml\"\n perms = \"0644\"\n }\n\n # Wazuh ossec.conf with log_alert_level=8 (only high/critical alerts)\n # Wazuh levels: 0=ignored, 1-4=low, 5-7=medium, 8-10=high, 11-15=critical\n template {\n data = <\n\n\n \n yes\n yes\n no\n no\n no\n smtp.example.wazuh.com\n wazuh@example.wazuh.com\n recipient@example.wazuh.com\n 12\n alerts.log\n 15m\n 0\n yes\n \n\n \n \n 8\n 12\n \n\n \n \n plain\n \n\n \n secure\n 1514\n tcp\n 131072\n \n\n \n \n no\n yes\n yes\n yes\n yes\n yes\n yes\n yes\n\n \n 43200\n\n etc/rootcheck/rootkit_files.txt\n etc/rootcheck/rootkit_trojans.txt\n\n yes\n\n /var/lib/containerd\n /var/lib/docker/overlay2\n \n\n \n yes\n 1800\n 1d\n yes\n\n wodles/java\n wodles/ciscat\n \n\n \n \n yes\n yes\n /var/log/osquery/osqueryd.results.log\n /etc/osquery/osquery.conf\n yes\n \n\n \n \n no\n 1h\n yes\n yes\n yes\n yes\n yes\n yes\n yes\n yes\n yes\n yes\n yes\n\n \n \n 10\n \n \n\n \n yes\n yes\n 12h\n yes\n \n\n \n yes\n yes\n 60m\n \n\n \n yes\n \n https://{{ env \"NOMAD_IP_indexer\" }}:{{ env \"NOMAD_HOST_PORT_indexer\" }}\n \n \n \n /etc/filebeat/certs/root-ca.pem\n \n /etc/filebeat/certs/filebeat.pem\n /etc/filebeat/certs/filebeat-key.pem\n \n \n\n \n \n no\n\n \n 43200\n\n yes\n\n \n yes\n\n \n no\n\n \n /etc,/usr/bin,/usr/sbin\n /bin,/sbin,/boot\n\n \n /etc/mtab\n /etc/hosts.deny\n /etc/mail/statistics\n /etc/random-seed\n /etc/random.seed\n /etc/adjtime\n /etc/httpd/logs\n /etc/utmpx\n /etc/wtmpx\n /etc/cups/certs\n /etc/dumpdates\n /etc/svc/volatile\n\n \n .log$|.swp$\n\n \n /etc/ssl/private.key\n\n yes\n yes\n yes\n yes\n\n \n 10\n\n \n 50\n\n \n \n yes\n 5m\n 10\n \n \n\n \n \n 127.0.0.1\n ^localhost.localdomain$\n 168.63.129.16\n \n\n \n disable-account\n disable-account\n yes\n \n\n \n restart-wazuh\n restart-wazuh\n \n\n \n firewall-drop\n firewall-drop\n yes\n \n\n \n host-deny\n host-deny\n yes\n \n\n \n route-null\n route-null\n yes\n \n\n \n win_route-null\n route-null.exe\n yes\n \n\n \n netsh\n netsh.exe\n yes\n \n\n \n\n \n \n command\n df -P\n 360\n \n\n \n full_command\n netstat -tulpn | sed 's/\\([[:alnum:]]\\+\\)\\ \\+[[:digit:]]\\+\\ \\+[[:digit:]]\\+\\ \\+\\(.*\\):\\([[:digit:]]*\\)\\ \\+\\([0-9\\.\\:\\*]\\+\\).\\+\\ \\([[:digit:]]*\\/[[:alnum:]\\-]*\\).*/\\1 \\2 == \\3 == \\4 \\5/' | sort -k 4 -g | sed 's/ == \\(.*\\) ==/:\\1/' | sed 1,2d\n netstat listening ports\n 360\n \n\n \n full_command\n last -n 20\n 360\n \n\n \n \n ruleset/decoders\n ruleset/rules\n 0215-policy_rules.xml\n etc/lists/audit-keys
\n etc/lists/amazon/aws-eventnames
\n etc/lists/security-eventchannel
\n etc/lists/malicious-ioc/malware-hashes
\n etc/lists/malicious-ioc/malicious-ip
\n etc/lists/malicious-ioc/malicious-domains
\n\n \n etc/decoders\n etc/rules\n \n\n \n yes\n 1\n 64\n 15m\n \n\n \n \n no\n 1515\n no\n yes\n no\n HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH\n \n no\n etc/sslmanager.cert\n etc/sslmanager.key\n no\n \n\n \n wazuh\n node01\n master\n \n 1516\n 0.0.0.0\n \n NODE_IP\n \n no\n yes\n \n\n\n\n\n \n syslog\n /var/ossec/logs/active-responses.log\n \n\n\nEOH\n destination = \"local/ossec.conf\"\n perms = \"0644\"\n }\n\n resources {\n cpu = 1000\n memory = 1024\n }\n\n service {\n name = \"wazuh-manager\"\n port = \"manager_api\"\n tags = [\"metrics\"]\n\n meta {\n api_port = \"${NOMAD_HOST_PORT_manager_api}\"\n }\n\n check {\n type = \"tcp\"\n port = \"manager_api\"\n interval = \"10s\"\n timeout = \"2s\"\n }\n }\n\n service {\n name = \"wazuh-agent-comm\"\n port = \"manager\"\n tags = [\"agent-communication\"]\n\n check {\n type = \"tcp\"\n port = \"manager\"\n interval = \"10s\"\n timeout = \"2s\"\n }\n }\n\n service {\n name = \"wazuh-agent-reg\"\n port = \"manager_reg\"\n tags = [\"agent-registration\"]\n\n check {\n type = \"tcp\"\n port = \"manager_reg\"\n interval = \"10s\"\n timeout = \"2s\"\n }\n }\n }\n\n # Wazuh Dashboard (Web UI)\n task \"wazuh-dashboard\" {\n driver = \"docker\"\n\n volume_mount {\n volume = \"wazuh-dashboard\"\n destination = \"/usr/share/wazuh-dashboard/data\"\n read_only = false\n }\n\n config {\n image = \"wazuh/wazuh-dashboard:4.14.4\"\n force_pull = true\n ports = [\"dashboard\"]\n volumes = [\n \"local/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml\",\n \"local/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml:ro\",\n ]\n }\n\n template {\n data = < 128MB\n }\n\n group \"db\" {\n network {\n mode = \"host\"\n port \"pgvector\" {\n static = \"5432\" \n host_network = \"lan\"\n }\n }\n \n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"pgvector\" {\n driver = \"docker\"\n config {\n image = \"pgvector/pgvector:pg16\"\n volumes = [\n \"${var.shared_dir}pgvector-data:/var/lib/postgresql/data\",\n ]\n ports = [\"pgvector\"]\n }\n\n env {\n POSTGRES_DB = \"vectordb\"\n POSTGRES_USER = \"postgres\"\n POSTGRES_PASSWORD = \"${var.postgres_pass}\"\n PGDATA = \"/var/lib/postgresql/data\"\n }\n\n service {\n name = \"${NOMAD_JOB_NAME}\"\n tags = [\"pgvector\", \"database\", \"vector-database\"]\n port = \"pgvector\"\n\n check {\n type = \"tcp\"\n port = \"pgvector\"\n interval = \"30s\"\n timeout = \"2s\"\n }\n }\n\n resources {\n cpu = \"100\"\n memory = \"128\"\n }\n }\n }\n}\n\nvariable \"region\" {}\nvariable \"shared_dir\" {}\nvariable \"pgvector_admin_password\" {}\n"
},
{
"path": "nomad_jobs/storage-backends/pgvector/pgvector-setup.job",
"content": "job \"pgvector-setup\" {\n type = \"batch\"\n datacenters = [\"dc1\"]\n \n meta {\n job_file = \"nomad_jobs/storage-backends/pgvector/pgvector-setup.job\"\n version = \"1\"\n }\n \n group \"setup\" {\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n task \"initialize-pgvector\" {\n driver = \"docker\"\n \n config {\n image = \"pgvector/pgvector:pg16\"\n command = \"sh\"\n args = [\n \"-c\",\n \"PGPASSWORD=$PGVECTOR_PASSWORD psql -h 192.168.50.120 -p 5432 -U postgres -d cognee_db -c \\\"CREATE EXTENSION IF NOT EXISTS vector;\\\" && PGPASSWORD=$PGVECTOR_PASSWORD psql -h 192.168.50.120 -p 5432 -U postgres -c \\\"DO \\\\$\\\\$ BEGIN CREATE DATABASE embeddings; EXCEPTION WHEN duplicate_database THEN RAISE NOTICE 'embeddings database exists'; END \\\\$\\\\$;\\\" && PGPASSWORD=$PGVECTOR_PASSWORD psql -h 192.168.50.120 -p 5432 -U postgres -d embeddings -c \\\"CREATE EXTENSION IF NOT EXISTS vector;\\\"\"\n ]\n }\n \n env {\n PGVECTOR_PASSWORD = \"${var.pgvector_pass}\"\n }\n \n resources {\n cpu = 200\n memory = 256\n }\n }\n }\n}\n\nvariable \"pgvector_pass\" {\n type = string\n description = \"Admin password for the pgvector PostgreSQL server\"\n}\n"
},
{
"path": "nomad_jobs/storage-backends/postgres/nomad.job",
"content": "job \"postgres\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/storage-backends/postgres/nomad.job\"\nversion = \"5\" // Fixed postgres password variable\n }\n\n group \"db\" {\n network {\n mode = \"host\"\n port \"postgres\" {\n static = \"5432\"\n host_network = \"lan\"\n }\n }\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"postgres\" {\n driver = \"docker\"\n\n config {\n image = \"postgres:15.17\"\n volumes = [\n \"${var.shared_dir}paperless-postgres:/appdata/postgres\",\n ]\n ports = [\"postgres\"]\n }\n\n env {\n POSTGRES_DB = \"paperless\"\n POSTGRES_USER = \"postgres\"\n POSTGRES_PASSWORD = \"${var.postgres_pass}\"\n PGDATA = \"/appdata/postgres\"\n }\n\n service {\n name = \"${NOMAD_JOB_NAME}\"\n tags = [\"postgres\"]\n port = \"postgres\"\n\n check {\n type = \"tcp\"\n port = \"postgres\"\n interval = \"30s\"\n timeout = \"2s\"\n }\n }\n\n resources {\n cpu = \"200\"\n memory = \"512\"\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\nvariable \"shared_dir\" {\n type = string\n}\n\nvariable \"postgres_pass\" {\n type = string\n description = \"Admin password for PostgreSQL\"\n}\n"
},
{
"path": "nomad_jobs/storage-backends/postgres/postgres-setup.job",
"content": "job \"postgres-setup\" {\n type = \"batch\"\n datacenters = [\"dc1\"]\n \n meta {\n job_file = \"nomad_jobs/storage-backends/postgres/postgres-setup.job\"\nversion = \"2\"\n }\n \n group \"setup\" {\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n task \"create-dbs\" {\n driver = \"docker\"\n \n config {\n image = \"postgres:15\"\n command = \"sh\"\n args = [\n \"-c\",\n \"PGPASSWORD=$POSTGRES_PASSWORD psql -h postgres.service.consul -U postgres -c \\\"DO \\\\$\\\\$ BEGIN CREATE DATABASE sonarr_main; EXCEPTION WHEN duplicate_database THEN RAISE NOTICE 'sonarr_main exists'; END \\\\$\\\\$;\\\" -c \\\"DO \\\\$\\\\$ BEGIN CREATE DATABASE sonarr_logs; EXCEPTION WHEN duplicate_database THEN RAISE NOTICE 'sonarr_logs exists'; END \\\\$\\\\$;\\\" -c \\\"DO \\\\$\\\\$ BEGIN CREATE DATABASE radarr_main; EXCEPTION WHEN duplicate_database THEN RAISE NOTICE 'radarr_main exists'; END \\\\$\\\\$;\\\" -c \\\"DO \\\\$\\\\$ BEGIN CREATE DATABASE radarr_logs; EXCEPTION WHEN duplicate_database THEN RAISE NOTICE 'radarr_logs exists'; END \\\\$\\\\$;\\\" -c \\\"DO \\\\$\\\\$ BEGIN CREATE DATABASE lidarr_main; EXCEPTION WHEN duplicate_database THEN RAISE NOTICE 'lidarr_main exists'; END \\\\$\\\\$;\\\" -c \\\"DO \\\\$\\\\$ BEGIN CREATE DATABASE lidarr_logs; EXCEPTION WHEN duplicate_database THEN RAISE NOTICE 'lidarr_logs exists'; END \\\\$\\\\$;\\\" -c \\\"DO \\\\$\\\\$ BEGIN CREATE DATABASE litellm; EXCEPTION WHEN duplicate_database THEN RAISE NOTICE 'litellm exists'; END \\\\$\\\\$;\\\" -c \\\"DO \\\\$\\\\$ BEGIN CREATE DATABASE nextcloud; EXCEPTION WHEN duplicate_database THEN RAISE NOTICE 'nextcloud exists'; END \\\\$\\\\$;\\\" -c \\\"DO \\\\$\\\\$ BEGIN CREATE DATABASE paperless; EXCEPTION WHEN duplicate_database THEN RAISE NOTICE 'paperless exists'; END \\\\$\\\\$;\\\" \"\n ]\n }\n \n env {\n POSTGRES_PASSWORD = \"${var.postgres_pass}\"\n }\n \n resources {\n cpu = 200\n memory = 256\n }\n }\n }\n}\n\nvariable \"postgres_pass\" {\n type = string\n description = \"Admin password for the PostgreSQL server\"\n}\n"
},
{
"path": "nomad_jobs/storage-backends/qdrant/nomad.job",
"content": "job \"qdrant\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/storage-backends/qdrant/nomad.job\"\n version = \"3\"\n }\n\n group \"qdrant\" {\n count = 1\n\n network {\n mode = \"host\"\n port \"http\" {\n static = 6333\n to = 6333\n host_network = \"lan\"\n }\n port \"grpc\" {\n static = 6334\n to = 6334\n host_network = \"lan\"\n }\n }\n\n volume \"qdrant-data\" {\n type = \"csi\"\n read_only = false\n source = \"qdrant-data\"\n access_mode = \"single-node-writer\"\n attachment_mode = \"file-system\"\n }\n\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"qdrant\" {\n driver = \"docker\"\n\n config {\n image = \"qdrant/qdrant:v1.17\"\n ports = [\"http\", \"grpc\"]\n }\n\n volume_mount {\n volume = \"qdrant-data\"\n destination = \"/qdrant/storage\"\n read_only = false\n }\n\n resources {\n cpu = 500\n memory = 128\n }\n\n service {\n name = \"qdrant\"\n tags = [\"vector-db\", \"ai\", \"http\"]\n port = \"http\"\n\n check {\n type = \"tcp\"\n port = \"http\"\n interval = \"30s\"\n timeout = \"2s\"\n }\n }\n }\n }\n\n}\nvariable \"region\" {\n type = string\n default = \"global\"\n}\n"
},
{
"path": "nomad_jobs/storage-backends/qdrant/volume.hcl",
"content": "# Qdrant vector database storage volume\nid = \"qdrant-data\"\nname = \"qdrant-data\"\ntype = \"csi\"\nplugin_id = \"org.democratic-csi.iscsi\"\ncapacity_min = \"10GiB\"\ncapacity_max = \"10GiB\"\n\ncapability {\n access_mode = \"single-node-writer\"\n attachment_mode = \"block-device\"\n}\n\nmount_options {\n fs_type = \"ext4\"\n mount_flags = [\"noatime\"]\n}\n"
},
{
"path": "nomad_jobs/storage-backends/redis/nomad.job",
"content": "job \"redis\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"service\"\n\n meta {\n job_file = \"nomad_jobs/storage-backends/redis/nomad.job\"\n version = \"4\" // Reduced memory 512MB -> 128MB\n }\n\n constraint {\n attribute = \"${meta.shared_mount}\"\n operator = \"=\"\n value = \"true\"\n }\n\n group \"db\" {\n count = 1\n\n network {\n mode = \"host\"\n port \"redis\" {\n static = 6379\n host_network = \"lan\"\n }\n }\n\n volume \"redis\" {\n type = \"csi\"\n read_only = false\n source = \"redis-data\"\n access_mode = \"single-node-writer\"\n attachment_mode = \"file-system\"\n }\n\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"prep-disk\" {\n driver = \"docker\"\n volume_mount {\n volume = \"redis\"\n destination = \"/volume/\"\n read_only = false\n }\n config {\n image = \"busybox:latest\"\n command = \"sh\"\n args = [\"-c\", \"chmod 777 /volume/\"]\n }\n resources {\n cpu = 200\n memory = 128\n }\n\n lifecycle {\n hook = \"prestart\"\n sidecar = false\n }\n }\n\n task \"redis\" {\n driver = \"docker\"\n\n config {\n image = \"redis:8.6.2-alpine\"\n ports = [\"redis\"]\n }\n\n volume_mount {\n volume = \"redis\"\n destination = \"/data\"\n read_only = false\n }\n\n env {\n # Save settings - save to disk every 60 seconds if at least 1 change\n REDIS_SAVE_TO_DISK = \"60 1\"\n # Set appendonly for durability\n REDIS_APPENDONLY = \"yes\"\n }\n\n service {\n name = \"redis\"\n port = \"redis\"\n\n check {\n type = \"tcp\"\n port = \"redis\"\n interval = \"10s\"\n timeout = \"2s\"\n }\n }\n\n resources {\n cpu = 300\n memory = 128\n }\n }\n }\n}\n\nvariable \"region\" {\n type = string\n}\n\nvariable \"shared_dir\" {\n type = string\n}"
},
{
"path": "nomad_jobs/storage-backends/redis/volume.hcl",
"content": "id = \"redis-data\"\nexternal_id = \"redis-data\"\nname = \"redis-data\"\ntype = \"csi\"\nplugin_id = \"org.democratic-csi.iscsi\"\ncapacity_min = \"5GiB\"\ncapacity_max = \"5GiB\"\n\ncapability {\n access_mode = \"single-node-writer\"\n attachment_mode = \"block-device\"\n}\n\nmount_options {\n fs_type = \"ext4\"\n mount_flags = [\"noatime\", \"nodiratime\", \"data=ordered\"]\n}"
},
{
"path": "nomad_jobs/storage-backends/volumes/nfs-example.hcl",
"content": "type = \"csi\"\nid = \"example\"\nname = \"example\"\nplugin_id = \"nfsofficial\"\nexternal_id = \"example\"\ncapability {\n access_mode = \"multi-node-multi-writer\"\n attachment_mode = \"file-system\"\n}\ncontext {\n server = \"192.168.50.208\"\n share = \"/mnt/pool0/share/example\"\n mountPermissions = \"0\" \n}\nmount_options {\n fs_type = \"nfs\"\n mount_flags = [ \"timeo=30\", \"intr\", \"vers=3\", \"_netdev\" , \"nolock\" ]\n}\n"
},
{
"path": "nomad_jobs/system/docker-cleanup/nomad.job",
"content": "job \"docker-cleanup\" {\n region = var.region\n datacenters = [\"dc1\"]\n type = \"sysbatch\"\n\n meta {\n job_file = \"nomad_jobs/system/docker-cleanup/nomad.job\"\n version = \"1\"\n }\n\n # Run weekly on Sundays at 2 AM\n periodic {\n crons = [\"0 2 * * 0\"]\n prohibit_overlap = true\n time_zone = \"UTC\"\n }\n\n group \"cleanup\" {\n # sysbatch will automatically run on all eligible nodes\n\n restart {\n attempts = 3\n delay = \"15s\"\n interval = \"10m\"\n mode = \"delay\"\n }\n\n task \"docker-prune\" {\n driver = \"raw_exec\"\n \n config {\n command = \"/bin/bash\"\n args = [\"-c\", <&1 >/dev/null; do echo '.'; sleep 2; done\"]\n network_mode = \"host\"\n }\n\n resources {\n cpu = 200\n memory = 128\n }\n\n lifecycle {\n hook = \"prestart\"\n sidecar = false\n }\n }\n\n\n update {\n max_parallel = 1\n min_healthy_time = \"30s\"\n auto_revert = true\n }\n\n task \"wordpress\" {\n driver = \"docker\"\n\n template {\n data = <\n\n 
\n\n