---
# Name of this instance / environment. It is templated into most of the Vault paths,
# role names and Consul names below via [[ .instance ]], so changing it changes which
# secrets and services the rendered jobs talk to.
instance: common
locale:
# Timezone set inside the containers (exported to tasks through env.TZ below)
tz: Europe/Paris
# Locale set inside the containers (exported to tasks through env.LANG below)
lang: fr_FR.utf8
vault:
# A root prefix for all Vault mount points. Useful if several environments share one Vault.
# This is an alternative to Vault namespaces, which Nomad Community does not support.
# Note: some clients (e.g. Spring) do not accept a leading "/", so an empty root means "/".
root: ""
# Configuration for the per-instance PKI (its issuer is pki/root, see below)
pki:
path: '[[ .vault.root ]]pki/[[ .instance ]]'
organization: ACME Corp
ou: Internal PKI
country: FR
locality: FooBar Ville
# NOTE(review): 131400h is 15 years for this intermediate CA. A CA that lives this long
# can only be rotated by reissuing everything signed below it; consider a shorter TTL.
ttl: 131400h
key_bits: 4096
key_type: rsa
# The issuer is always the pki/root PKI, without vault.root
issuer: pki/root
# Configuration for the database secret engine (dynamic credentials, consumed by postgres.user/password below)
database:
# Lease TTL of a dynamic credential. The template that renders it must renew or re-render
# before this expires, or the task keeps using a revoked user.
ttl: 12h
# Upper bound on a credential's lifetime; Vault stops renewing the lease past this point.
max_ttl: 720h
# The name of the role to create on the Vault database secret engine
role: '[[ .instance ]]'
# The name of the Postgres role which will be granted to the ephemeral users created by Vault
pgrole: '[[ .instance ]]'
# Transit engine
transit:
key: '[[ .instance ]]'
# NOTE(review): allow_plaintext_backup and exportable both let a caller with the matching
# policy pull the raw key material out of Vault, which defeats the point of keeping it in
# transit, and Vault does not let either flag be turned off once the key exists. Keep them
# true only if key export/backup is a deliberate requirement; otherwise set them to false
# before the key is first created.
params:
allow_plaintext_backup: true
exportable: true
# aes128-gcm96 is a valid Vault transit type; aes256-gcm96 is Vault's default and costs nothing extra.
type: aes128-gcm96
# Rotate the key every year (8760h)
auto_rotate_period: 8760h
# Nomad placement defaults shared by all jobs
nomad:
# List of datacenters jobs will be deployed to
datacenters:
- dc1
# Nomad region
region: global
# Default task driver
driver: docker
consul:
# Domain name used by Consul (to look services up by DNS name)
domain: consul
# Datacenter
datacenter: dc1
kv:
# The root prefix for the Consul KV store. Same idea as vault.root above.
root: ""
# A suffix added to service names. Alternative to Consul namespaces, which community Consul
# doesn't support.
# You can set it for example like this
# suffix: "-qa"
# and a postgres service will then be registered in Consul as postgres-qa.
# All the policies (Vault, Consul and Nomad) are also suffixed so they don't clash between
# your environments.
suffix: ""
# Service metadata. The ${...} references are left as-is for Nomad to interpolate at
# runtime; they are not expanded when these variables are rendered.
meta:
alloc: '${NOMAD_ALLOC_INDEX}'
job: '${NOMAD_JOB_NAME}'
group: '${NOMAD_GROUP_NAME}'
namespace: '${NOMAD_NAMESPACE}'
region: '${NOMAD_REGION}'
datacenter: '${NOMAD_DC}'
node: '${node.unique.name}'
# Consul Connect config
connect:
# Upstream services reachable through the mesh; none by default
upstreams: []
# Resources for the Connect sidecar (presumably the Envoy proxy — confirm against the job templates)
resources:
cpu: 50
memory: 64
# Default health check settings
check:
interval: 30s
timeout: 5s
# Default settings for Postgres
postgres:
host: 127.0.0.1
port: 5432
database: '[[ .instance ]]'
# User and password are dynamic credentials created by Vault's database secret engine
# (vault.database above). The {{ ... }} part is left intact for Nomad's template stanza.
# Render user and password in the same template block so both come from the same lease;
# rendered separately they may belong to two different Vault users and fail to log in.
user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .vault.database.role ]]" }}{{ .Data.username }}{{ end }}'
password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .vault.database.role ]]" }}{{ .Data.password }}{{ end }}'
pooler:
# Only none or pgbouncer supported for now
engine: none
# Credentials of the local user created (for the app to authenticate on the pooler).
# NOTE(review): the allocation ID is not a secret — anyone allowed to list the job's
# allocations in Nomad can read it. This is only acceptable while the pooler is reachable
# solely from inside the allocation (host 127.0.0.1); do not expose the pooler port further
# with this default.
local_user: '[[ .instance ]]'
local_password: '{{ env "NOMAD_ALLOC_ID" }}'
# Port on which the pooler will listen
port: 6432
# Mode can be session or transaction
mode: session
resources:
cpu: 20
memory: 12
memory_max: 24
# Default settings for MySQL/MariaDB (connection endpoint only; no credentials are templated here)
mysql:
host: 127.0.0.1
port: 3306
# Traefik settings
traefik:
enabled: true
# This will be both the service name and the prefix used in tags
instance: traefik
# Default list of entrypoints to use
entrypoints:
- https
# Protocol for this service
proto: http
# Middlewares to attach to routers
# The format can be
# - a string: the given middleware must already be defined in the Traefik configuration
# - a bool: set to false to disable the middleware
# - a list, to define a custom middleware, e.g.
# middlewares:
# auth: lemonldap@file
# compression: false
# forward-proto:
# - customrequestheaders.X-Forwarded-Proto=https
# NOTE(review): the key "infligtht" is a typo of "inflight". It is left as-is because jobs
# may override or disable the middleware by this key name; rename it together with every
# template and job that references it.
middlewares:
rate-limit: rate-limit-std@file
infligtht: inflight-std@file
compression: compression@file
hsts: hsts@file
security: security-headers@file
proto: forward-proto@file
# TCP and UDP support far fewer middleware types,
# so handle them in dedicated settings
tcp_middlewares: {}
udp_middlewares: {}
# CSP is handled separately (even if it is a middleware) as it's easier to customize this way.
# NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src let any injected inline
# script run, so this default policy gives little protection against XSS. It is a
# compatibility default for apps that need inline scripts; jobs serving apps that can use
# nonces or hashes should override script-src with a stricter value.
csp:
default-src: "'self'"
img-src: "'self' data:"
script-src: "'self' 'unsafe-inline' 'unsafe-eval'"
style-src: "'self' 'unsafe-inline'"
font-src: "'self' data:"
# If public_url has a non-empty path, should the traefik_tags template add a middleware to
# strip the prefix before passing the request to the backend
strip_prefix: true
# If true, the traefik_tags template will create a routing rule based on public_url.
# If false, you'll have to create your own rule.
auto_rule: true
# Name of the Traefik router to declare
router: '[[ .instance ]][[ .consul.suffix ]]'
# Default env vars for all your tasks (values come from locale above)
env:
TZ: "[[ .locale.tz ]]"
LANG: "[[ .locale.lang ]]"
proxy:
# A list of IPs/hostnames for which requests won't go through a (potentially) defined proxy
no_proxy:
- '*.consul'
- localhost
- 127.*
# Address of the proxy, including basic-auth credentials.
# NOTE(review): the default embeds the instance name as both username and password
# (e.g. common:common), which is trivially guessable. If the proxy is enabled, replace
# this with a credential sourced from Vault, and keep in mind that a URL with embedded
# credentials is readable by every process that sees the task's environment.
address: http://[[ .instance ]]:[[ .instance ]]@127.0.0.1:3128
# If the proxy is reached through the service mesh, set the name of the service.
# It's used to automatically add the service if the proxy is enabled.
# service_name: squid[[ .consul.suffix ]]
# Is the proxy enabled
enabled: false
# Mail settings
mail:
# The name of a service providing SMTP capabilities through the service mesh.
# Can be used to easily switch from a mailpit to a real SMTP relay for example.
smtp_service_name: smtp
prometheus:
# Set to true if Prometheus is available, so jobs can use it as a hint to
# turn metrics support on
available: false
# Controls if Prometheus metrics should be enabled on all tasks supporting it
enabled: false
# Path of the Vault PKI used for monitoring (separate from the per-instance PKI under vault.pki)
vault_pki: '[[ .vault.root ]]pki/monitoring'
# Default Redis (or Valkey) settings; the image is the locally built valkey image from docker.base_images
redis:
image: '[[ .docker.repo ]][[ .docker.base_images.valkey.image ]]'
resources:
cpu: 10
memory: 20
docker:
# Your repo where locally built images will be pushed. It has no registry host, so the
# docker CLI resolves it to Docker Hub; set a full host/path to use a private registry.
repo: danielberteaud/
maintainer: Daniel Berteaud <dbd@ehtrace.com>
# Common base images. Each entry gives the image name:tag built from this repo, optional
# build args, extra tags, and the other entries it must be built after (depends_on).
# NOTE(review): "24.5-1" style tags are mutable; jobs that must pin an exact build should
# reference the image by digest rather than by tag.
base_images:
# Wait for services to be online, allowing service dependencies to be configured
wait_for:
image: wait-for:24.5-1
tags:
- wait-for:latest
# AlmaLinux 8
alma8:
image: alma:8.24.5-1
build_args:
ALMA: 8
tags:
- alma8:latest
- alma:8
depends_on:
# minit is copied from the alpine image
- alpine
# AlmaLinux 9
alma9:
image: alma:9.24.5-1
build_args:
ALMA: 9
tags:
- alma9:latest
- alma:9
depends_on:
- alpine
# Latest Alpine
alpine:
image: alpine:24.5-1
tags:
- alpine:latest
# Alpine with Java 8 (Temurin)
java8:
image: java:8.24.5-1
build_args:
JAVA_VERSION: 8
tags:
- java8:latest
- java:8
# Alpine with Java 11 (Temurin)
java11:
image: java:11.24.5-1
build_args:
JAVA_VERSION: 11
tags:
- java11:latest
- java:11
# Alpine with Java 17 (Temurin)
java17:
image: java:17.24.5-1
build_args:
JAVA_VERSION: 17
tags:
- java17:latest
- java:17
# Alpine with Java 21 (Temurin)
java21:
image: java:21.24.5-1
build_args:
JAVA_VERSION: 21
tags:
- java21:latest
- java:21
# Postgres
postgres15:
image: postgres:15.24.5-1
build_args:
PG_VERSION: 15
tags:
- postgres15:latest
- postgres:15
depends_on:
- alma9
postgres16:
image: postgres:16.24.5-1
build_args:
PG_VERSION: 16
tags:
- postgres16:latest
- postgres:16
depends_on:
- alma9
# MariaDB client
mariadb_client:
image: mariadb-client:24.5-1
tags:
- mariadb-client:latest
depends_on:
- alpine
# MariaDB server
mariadb:
image: mariadb:24.5-1
tags:
- mariadb:latest
depends_on:
- mariadb_client
# MongoDB
mongo50:
image: mongo:5.0.24.5-1
build_args:
MONGO_MAJOR: "5.0"
tags:
- mongo:5.0
depends_on:
- alma8
# SQLite
sqlite:
image: sqlite:24.5-1
tags:
- sqlite:latest
depends_on:
- alpine
# pgbouncer
pgbouncer:
image: pgbouncer:24.5-1
tags:
- pgbouncer:latest
depends_on:
- alpine
# PHP
php82:
image: php:82.24.5-1
build_args:
PHP_VERSION: 82
tags:
- php:82
- php82:latest
depends_on:
- alpine
php83:
image: php:83.24.5-1
build_args:
PHP_VERSION: 83
tags:
- php:83
- php83:latest
depends_on:
- alpine
# Alpine-based wkhtmltopdf
wkhtmltopdf:
image: wkhtmltopdf:24.5-1
tags:
- wkhtmltopdf:latest
depends_on:
- alpine
# valkey (redis fork)
valkey:
image: valkey:24.5-1
tags:
- valkey:latest