
321 lines
7.9 KiB
Raw Normal View History

2024-02-27 13:28:44 +01:00
job "cloudbeaver" {
datacenters = ["dc1"]
region = "global"
group "cloudbeaver" {
shutdown_delay = "6s"
network {
mode = "bridge"
volume "data" {
source = "cloudbeaver-data"
type = "csi"
access_mode = "single-node-writer"
attachment_mode = "file-system"
service {
name = "cloudbeaver"
port = 8978
meta {
alloc = "${NOMAD_ALLOC_INDEX}"
job = "${NOMAD_JOB_NAME}"
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "postgres"
local_bind_port = 5432
# Work arround, see
destination_type = "service"
sidecar_task {
config {
args = [
resources {
cpu = 50
memory = 64
tags = [
"traefik.http.middlewares.csp-cloudbeaver.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
# wait for required services tp be ready before starting the main task
task "wait-for" {
driver = "docker"
user = 1053
config {
image = "danielberteaud/wait-for:24.2-1"
readonly_rootfs = true
pids_limit = 20
lifecycle {
hook = "prestart"
env {
SERVICE_0 = "master.postgres.service.consul"
resources {
cpu = 10
memory = 10
memory_max = 30
task "cloudbeaver" {
driver = "docker"
config {
image = "danielberteaud/cloudbeaver:23.3.5"
pids_limit = 100
readonly_rootfs = true
mount {
type = "tmpfs"
target = "/tmp"
tmpfs_options {
size = 3000000
vault {
policies = ["cloudbeaver"]
env = false
disable_file = true
change_mode = "noop"
env {
CLOUDBEAVER_WEB_CONFIG = "/local/cloudbeaver.conf"
# Use a template block instead of env {} so we can fetch values from vault
template {
data = <<_EOT
destination = "secrets/.env"
perms = 400
env = true
# Postgres DB config
template {
data = <<_EOT
PGUSER={{ with secret "/database/creds/cloudbeaver" }}{{ .Data.username }}{{ end }}
PGPASSWORD={{ with secret "/database/creds/cloudbeaver" }}{{ .Data.password }}{{ end }}
destination = "secrets/.db.env"
perms = 0400
env = true
# Main cloudbeaver configuration
template {
data = <<_EOT
"app": {
"adminCredentialsSaveEnabled": false,
"anonymousAccessAllowed": false,
"anonymousUserTeam": "user",
"authenticationEnabled": true,
"defaultNavigatorSettings": {
"hideFolders": false,
"hideSchemas": false,
"mergeEntities": false,
"showOnlyEntities": false,
"showSystemObjects": true,
"showUtilityObjects": false
"disabledDrivers": [
"enabledAuthProviders": [
"enabledDrivers": [],
"forwardProxy": true,
"plugins": {},
"publicCredentialsSaveEnabled": false,
"resourceManagerEnabled": true,
"resourceQuotas": {
"dataExportFileSizeLimit": 1000000000,
"resourceManagerFileSizeLimit": 500000,
"sqlBinaryPreviewMaxLength": 261120,
"sqlMaxRunningQueries": 100,
"sqlResultSetMemoryLimit": 2000000,
"sqlResultSetRowsLimit": 100000,
"sqlTextPreviewMaxLength": 4096
"supportsCustomConnections": true
"server": {
"contentRoot": "web",
"database": {
"driver": "postgres-jdbc",
"initialDataConfiguration": "/secrets/initial-data.conf",
"password": "$${PGPASSWORD}",
"pool": {
"maxConnections": 100,
"maxIdleConnections": 10,
"minIdleConnections": 4,
"validationQuery": "SELECT 1"
"url": "jdbc:postgresql://$${PGHOST}:$${PGPORT}/$${PGDATABASE}",
"user": "$${PGUSER}"
"develMode": false,
"driversLocation": "drivers",
"expireSessionAfterPeriod": 600000,
"productConfiguration": "conf/product.conf",
"rootURI": "/",
"serverHost": "",
"serverName": "cloudbeaver",
"serverPort": 8978,
"serverURL": "",
"serviceURI": "/api/",
"sm": {
"blockLoginPeriod": "$${CLOUDBEAVER_BLOCK_PERIOD:300}",
"enableBruteForceProtection": true,
"expiredAuthAttemptInfoTtl": 60,
"maxFailedLogin": "$${CLOUDBEAVER_MAX_FAILED_LOGINS:5}",
"minimumLoginTimeout": "$${CLOUDBEAVER_MINIMUM_LOGIN_TIMEOUT:1}",
"passwordPolicy": {
"workspaceLocation": "/data"
destination = "local/cloudbeaver.conf"
# Logback config
template {
data = <<_EOT
<?xml version="1.0" encoding="UTF-8"?>
<appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
<layout class="ch.qos.logback.classic.PatternLayout">
%d{dd-MM-yyyy HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n
<!-- Disable logback status messages -->
<statusListener class="ch.qos.logback.core.status.NopStatusListener"/>
<logger name="org.jkiss" level="INFO"/>
<logger name="io.cloudbeaver" level="INFO"/>
<root level="INFO">
<appender-ref ref="CONSOLE"/>
destination = "local/logback.xml"
# Initial config (admin user and teams)
template {
data = <<_EOT
adminName: "cloudbeaver",
adminPassword: "{{ with secret "/kv/service/cloudbeaver" }}{{ }}{{ end }}",
teams: [
subjectId: "admin",
teamName: "Admin",
description: "Administrative access. Has all permissions.",
permissions: [ "admin" ]
subjectId: "user",
teamName: "User",
description: "All users, including anonymous.",
permissions: [ ]
destination = "secrets/initial-data.conf"
uid = 100000
gid = 108978
perms = 440
# Mount persistent volume in /data
volume_mount {
volume = "data"
destination = "/data"
resources {
cpu = 100
memory = 512