---
# Default variables shared by all jobs. Values of the form '[[ ... ]]' reference
# other keys of this file; values of the form '{{ ... }}' are left for a later
# templating stage (Vault secret lookups, env lookups).
# NOTE(review): indentation was reconstructed from a copy whose line breaks were
# lost. Confirm the nesting (notably meta/connect/check under consul, and proxy
# as a top-level key) against the original file before relying on it.

instance: common

locale:
  # Timezone to set inside containers
  tz: Europe/Paris
  lang: fr_FR.utf8

vault:
  # A root for all vault mount points. Useful if you have different environments
  # This is an alternative to using vault namespaces as Nomad Community doesn't support it
  # Note: some clients (like spring) don't like a leading /, so just use an empty root to mean /
  root: ""

  # Configuration for new PKI
  pki:
    path: '[[ .vault.root ]]pki/[[ .instance ]]'
    organization: ACME Corp
    ou: Internal PKI
    country: FR
    locality: FooBar Ville
    # 131400h is 15 years (365-day years)
    ttl: 131400h
    key_bits: 4096
    key_type: rsa
    # The issuer is always the pki/root PKI, without vault.root
    issuer: pki/root

  # Configuration for the database secret engine
  database:
    # 12h default lease, 720h (30 days) maximum
    ttl: 12h
    max_ttl: 720h
    # The name of the role to create on vault database secret
    role: '[[ .instance ]]'
    # The name of the postgres role which will be granted to ephemeral users created by vault
    pgrole: '[[ .instance ]]'

  # Transit engine
  transit:
    key: '[[ .instance ]]'
    params:
      # NOTE(review): exportable + allow_plaintext_backup together let the raw key
      # material leave Vault, and Vault does not allow either flag to be turned
      # off again once set on a key. Override both to false for instances that
      # do not need to export or back up their transit key.
      allow_plaintext_backup: true
      exportable: true
      type: aes128-gcm96
      # 8760h is one year
      auto_rotate_period: 8760h

nomad:
  # List of datacenters jobs will be deployed to
  datacenters:
    - dc1
  # Nomad region
  region: global
  # Default task driver
  driver: docker

consul:
  # Domain name used by consul (to lookup services by DNS name)
  domain: consul
  # Datacenter
  datacenter: dc1
  kv:
    # The root for consul KV store. Same as for vault root
    root: ""
  # A suffix to add to service names. Alternative to Consul namespaces as community Consul
  # doesn't support them
  # You can set it for example like this
  # suffix: "-qa"
  # And a postgres service for example will be registered on consul as postgres-qa
  # All the policies (vault, consul and nomad) will also be suffixed so they won't clash between
  # your env
  suffix: ""

  # Service metadata
  meta:
    alloc: '${NOMAD_ALLOC_INDEX}'
    job: '${NOMAD_JOB_NAME}'
    group: '${NOMAD_GROUP_NAME}'
    namespace: '${NOMAD_NAMESPACE}'
    region: '${NOMAD_REGION}'
    datacenter: '${NOMAD_DC}'
    node: '${node.unique.name}'

  # Consul connect config
  connect:
    upstreams: []
    # log_level: debug
    logs:
      disabled: false
    resources:
      cpu: 50
      memory: 64

  # Default check settings
  check:
    interval: 30s
    timeout: 5s

# Default settings for postgres
postgres:
  host: 127.0.0.1
  port: 5432
  database: '[[ .instance ]]'
  # User and password are created by vault
  user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .vault.database.role ]]" }}{{ .Data.username }}{{ end }}'
  password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .vault.database.role ]]" }}{{ .Data.password }}{{ end }}'
  pooler:
    # Only none or pgbouncer supported for now
    engine: none
    # Credentials of the local user created (for the app to auth on the pooler)
    # NOTE(review): the password is the Nomad allocation ID, which is an
    # identifier rather than a secret (readable by anyone who can read the job's
    # allocations). Presumably acceptable only while the pooler is reachable
    # solely from inside the allocation - confirm the listen address.
    local_user: '[[ .instance ]]'
    local_password: '{{ env "NOMAD_ALLOC_ID" }}'
    # Port on which the pooler will listen
    port: 6432
    # Mode can be session or transaction
    mode: session
    resources:
      cpu: 20
      memory: 12
      memory_max: 24

# Default settings for MySQL/MariaDB
mysql:
  host: 127.0.0.1
  port: 3306

# Traefik settings
traefik:
  enabled: true
  # This will be both the service name and the prefix used in tags
  instance: traefik
  # Default list of entrypoints to use
  entrypoints:
    - https
  # Protocol for this service
  proto: http
  # Middlewares to attach to routers
  # format can be
  # - a string: the given middleware must be already defined in the conf
  # - a bool: set to false to disable the middleware
  # - a list, to define a custom middleware, e.g.
  # middlewares:
  #   auth: lemonldap@file
  #   compression: false
  #   forward-proto:
  #     - customrequestheaders.X-Forwarded-Proto=https
  middlewares:
    rate-limit: rate-limit-std@file
    # NOTE(review): "infligtht" looks like a typo for "inflight". The key is kept
    # as-is because an override that disables this middleware has to use the
    # same key; rename it together with any such overrides.
    infligtht: inflight-std@file
    compression: compression@file
    hsts: hsts@file
    security: security-headers@file
    proto: forward-proto@file
  # tcp and udp support far fewer middleware types
  # Handle them in dedicated settings
  tcp_middlewares: {}
  udp_middlewares: {}
  # CSP is handled separately (even if it's a middleware) as it's easier to customize this way
  # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src remove most of
  # the protection CSP gives against script injection. Treat this default as a
  # compatibility baseline and override script-src with a stricter value for
  # every service that works without inline scripts or eval.
  csp:
    default-src: "'self'"
    img-src: "'self' data:"
    script-src: "'self' 'unsafe-inline' 'unsafe-eval'"
    style-src: "'self' 'unsafe-inline'"
    font-src: "'self' data:"
  # If public_url has a non-empty path, should the traefik_tags template add a middleware
  # to strip the prefix before passing the request to the backend
  strip_prefix: true
  # If true, traefik_tags template will create a routing rule based on public_url
  # If false, you'll have to create your own rule
  auto_rule: true
  # Name of the Traefik router to declare
  router: '[[ .instance ]][[ .consul.suffix ]]'

# Default env vars for all your tasks
env:
  TZ: "[[ .locale.tz ]]"
  LANG: "[[ .locale.lang ]]"

proxy:
  # A list of IP/hostname for which requests won't go through a (potentially) defined proxy
  no_proxy:
    - '*.consul'
    - localhost
    - 127.*
  # Address of the proxy
  # NOTE(review): the proxy user name and password are both the instance name,
  # so these credentials identify the job but are not secret. If the proxy uses
  # them for access control, source the password from a secret store instead.
  address: http://[[ .instance ]]:[[ .instance ]]@127.0.0.1:3128
  # If the proxy is reached through the service mesh, set the name of the service
  # It's used to automatically add the service if proxy is enabled
  # service_name: squid[[ .consul.suffix ]]
  # Is the proxy enabled
  enabled: false

# Mail settings
mail:
  # The name of a service providing SMTP capabilities through the service mesh
  # Can be used to easily switch from a mailpit to a real smtp relay for example
  smtp_service_name: smtp

prometheus:
  # Set to true if prometheus is available so jobs can use it as a hint to
  # turn metrics support on
  available: false
  # Controls if prometheus metrics should be enabled on all tasks supporting it
  enabled: false
  # Path of the vault PKI used for monitoring
  vault_pki: '[[ .vault.root ]]pki/monitoring'

# Default redis (or valkey) settings
redis:
  image: '[[ .docker.repo ]][[ .docker.base_images.valkey.image ]]'
  resources:
    cpu: 10
    memory: 20

docker:
  # Your repo where locally built images will be pushed
  # It is also the prefix of the default redis image above, so images resolve
  # to this namespace until you point it at a registry you control.
  repo: danielberteaud/
  maintainer: Daniel Berteaud

  # Common base images
  # Each entry gives the image name:tag to build, optional build_args, extra
  # tags, and depends_on naming other entries of this map.
  base_images:

    # wait for services to be online, allow configuring service dependencies
    wait_for:
      image: wait-for:24.5-1
      tags:
        - wait-for:latest

    # AlmaLinux 8
    alma8:
      image: alma:8.24.5-1
      build_args:
        ALMA: 8
      tags:
        - alma8:latest
        - alma:8
      depends_on:
        # minit is copied from alpine image
        - alpine

    # AlmaLinux 9
    alma9:
      image: alma:9.24.5-1
      build_args:
        ALMA: 9
      tags:
        - alma9:latest
        - alma:9
      depends_on:
        - alpine

    # Latest alpine
    alpine:
      image: alpine:24.5-1
      tags:
        - alpine:latest

    # Alpine with Java8 (temurin)
    java8:
      image: java:8.24.5-2
      build_args:
        JAVA_VERSION: 8
      tags:
        - java8:latest
        - java:8

    # Alpine with Java11 (temurin)
    java11:
      image: java:11.24.5-2
      build_args:
        JAVA_VERSION: 11
      tags:
        - java11:latest
        - java:11

    # Alpine with Java17 (temurin)
    java17:
      image: java:17.24.5-2
      build_args:
        JAVA_VERSION: 17
      tags:
        - java17:latest
        - java:17

    # Alpine with Java21 (temurin)
    java21:
      image: java:21.24.5-2
      build_args:
        JAVA_VERSION: 21
      tags:
        - java21:latest
        - java:21

    # Postgres
    postgres15:
      image: postgres:15.24.5-1
      build_args:
        PG_VERSION: 15
      tags:
        - postgres15:latest
        - postgres:15
      depends_on:
        - alma9

    postgres16:
      image: postgres:16.24.5-1
      build_args:
        PG_VERSION: 16
      tags:
        - postgres16:latest
        - postgres:16
      depends_on:
        - alma9

    # Mariadb client
    mariadb_client:
      image: mariadb-client:24.5-1
      tags:
        - mariadb-client:latest
      depends_on:
        - alpine

    # MariaDB server
    mariadb:
      image: mariadb:24.5-1
      tags:
        - mariadb:latest
      depends_on:
        - mariadb_client

    # MongoDB
    # MONGO_MAJOR is quoted so that "5.0" stays a string instead of a float
    mongo50:
      image: mongo:5.0.24.5-1
      build_args:
        MONGO_MAJOR: "5.0"
      tags:
        - mongo:5.0
      depends_on:
        - alma8

    mongo60:
      image: mongo:6.0.24.5-1
      build_args:
        MONGO_MAJOR: "6.0"
      tags:
        - mongo:6.0
      depends_on:
        - alma8

    mongo70:
      image: mongo:7.0.24.5-1
      build_args:
        MONGO_MAJOR: "7.0"
      tags:
        - mongo:7.0
      depends_on:
        - alma8

    # SQLite
    sqlite:
      image: sqlite:24.5-1
      tags:
        - sqlite:latest
      depends_on:
        - alpine

    # pgbouncer
    pgbouncer:
      image: pgbouncer:24.5-1
      tags:
        - pgbouncer:latest
      depends_on:
        - alpine

    # PHP
    php82:
      image: php:82.24.5-1
      build_args:
        PHP_VERSION: 82
      tags:
        - php:82
        - php82:latest
      depends_on:
        - alpine

    php83:
      image: php:83.24.5-1
      build_args:
        PHP_VERSION: 83
      tags:
        - php:83
        - php83:latest
      depends_on:
        - alpine

    # alpine based wkhtml2pdf
    wkhtmltopdf:
      image: wkhtmltopdf:24.5-1
      tags:
        - wkhtmltopdf:latest
      depends_on:
        - alpine

    # valkey (redis fork)
    valkey:
      image: valkey:24.5-5
      tags:
        - valkey:latest