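---
# Instance name, referenced by the '[[ .instance ]]' placeholders below
instance: common

locale:
  # Timezone to set inside containers
  tz: Europe/Paris
  lang: fr_FR.utf8

vault:
  # A root for all vault mount points. Useful if you have different environments.
  # This is an alternative to using vault namespaces as Nomad Community doesn't support them.
  # Note: some clients (like spring) don't like a leading /, so just use an empty root to mean /
  root: ""

  # Configuration for new PKI
  pki:
    path: '[[ .vault.root ]]pki/[[ .instance ]]'
    organization: ACME Corp
    ou: Internal PKI
    country: FR
    locality: FooBar Ville
    # 131400h is 15 years (365-day years)
    ttl: 131400h
    key_bits: 4096
    key_type: rsa
    # The issuer is always the pki/root PKI, without vault.root
    issuer: pki/root

  # Configuration for the database secret engine
  database:
    ttl: 12h
    max_ttl: 720h
    # The name of the role to create on vault database secret
    role: '[[ .instance ]]'
    # The name of the postgres role which will be granted to ephemeral users created by vault
    pgrole: '[[ .instance ]]'

  # Transit engine
  transit:
    key: '[[ .instance ]]'
    params:
      # allow_plaintext_backup and exportable both let the key material leave Vault
      # (plaintext backup / key export). Keep them true only where the key must be
      # migrated or backed up outside Vault.
      allow_plaintext_backup: true
      exportable: true
      type: aes128-gcm96
      auto_rotate_period: 8760h

nomad:
  # List of datacenters jobs will be deployed to
  datacenters:
    - dc1

  # Nomad region
  region: global

  # Default task driver
  driver: docker

consul:
  # Domain name used by consul (to lookup services by DNS name)
  domain: consul

  # Datacenter
  datacenter: dc1

  kv:
    # The root for consul KV store. Same as for vault root
    root: ""

  # A suffix to add to service names. Alternative to Consul namespaces as community Consul
  # doesn't support them.
  # You can set it for example like this
  # suffix: "-qa"
  # and a postgres service for example will be registered on consul as postgres-qa.
  # All the policies (vault, consul and nomad) will also be suffixed so they won't clash between
  # your environments
  suffix: ""

  # Service metadata
  meta:
    alloc: '${NOMAD_ALLOC_INDEX}'
    job: '${NOMAD_JOB_NAME}'
    group: '${NOMAD_GROUP_NAME}'
    namespace: '${NOMAD_NAMESPACE}'
    region: '${NOMAD_REGION}'
    datacenter: '${NOMAD_DC}'
    node: '${node.unique.name}'

  # Consul connect config
  connect:
    upstreams: []
    resources:
      cpu: 50
      memory: 64

  # Default check settings
  check:
    interval: 30s
    timeout: 5s

# Default settings for postgres
postgres:
  host: 127.0.0.1
  port: 5432
  database: '[[ .instance ]]'
  # User and password are created by vault
  user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .vault.database.role ]]" }}{{ .Data.username }}{{ end }}'
  password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .vault.database.role ]]" }}{{ .Data.password }}{{ end }}'

  pooler:
    # Only none or pgbouncer supported for now
    engine: none
    # Credentials of the local user created (for the app to auth on the pooler)
    local_user: '[[ .instance ]]'
    # NOTE(review): the alloc ID is an identifier, not a secret. This only holds up if the
    # pooler is reachable from inside the allocation alone — confirm in the pooler template
    local_password: '{{ env "NOMAD_ALLOC_ID" }}'
    # Port on which the pooler will listen
    port: 6432
    # Mode can be session or transaction
    mode: session
    resources:
      cpu: 20
      memory: 12
      memory_max: 24

# Default settings for MySQL/MariaDB
mysql:
  host: 127.0.0.1
  port: 3306

# Traefik settings
traefik:
  enabled: true
  # This will be both the service name and the prefix used in tags
  instance: traefik
  # Default list of entrypoints to use
  entrypoints:
    - https

  # Protocol for this service
  proto: http

  # Middlewares to attach to routers
  # format can be
  # - a string : the given middleware must be already defined in the conf
  # - a bool : set to false to disable the middleware
  # - a list, to define a custom middleware, e.g.
  # middlewares:
  #   auth: lemonldap@file
  #   compression: false
  #   forward-proto:
  #     - customrequestheaders.X-Forwarded-Proto=https
  middlewares:
    rate-limit: rate-limit-std@file
    # NOTE(review): the key name looks misspelled (inflight). Renaming it changes a key that
    # other files may reference, so it is left unchanged here
    infligtht: inflight-std@file
    compression: compression@file
    hsts: hsts@file
    security: security-headers@file
    proto: forward-proto@file

  # tcp and udp support a lot fewer middleware types
  # Handle them in dedicated settings
  tcp_middlewares: {}
  udp_middlewares: {}

  # CSP is handled separately (even if it's a middleware) as it's easier to customize this way
  # 'unsafe-inline' and 'unsafe-eval' in script-src mostly defeat the XSS protection CSP is
  # meant to give; tighten them per application where the app allows it
  csp:
    default-src: "'self'"
    img-src: "'self' data:"
    script-src: "'self' 'unsafe-inline' 'unsafe-eval'"
    style-src: "'self' 'unsafe-inline'"
    font-src: "'self' data:"

  # If public_url has a non empty path, should traefik_tags template add a middleware to strip
  # the prefix before passing the request to the backend
  strip_prefix: true
  # If true, traefik_tags template will create a routing rule based on public_url
  # If false, you'll have to create your own rule
  auto_rule: true
  # Name of the Traefik router to declare
  router: '[[ .instance ]][[ .consul.suffix ]]'

# Default env vars for all your tasks
env:
  TZ: "[[ .locale.tz ]]"
  LANG: "[[ .locale.lang ]]"

proxy:
  # A list of IP/hostname for which requests won't go through a (potentially) defined proxy
  no_proxy:
    - '*.consul'
    - localhost
    - '127.*'
  # Address of the proxy
  # The credentials are embedded in the URL and default to the instance name for both the
  # user and the password; override them per environment
  address: 'http://[[ .instance ]]:[[ .instance ]]@127.0.0.1:3128'
  # If the proxy is reached through the service mesh, set the name of the service
  # It's used to automatically add the service if proxy is enabled
  # service_name: squid[[ .consul.suffix ]]
  # Is the proxy enabled
  enabled: false

# Mail settings
mail:
  # The name of a service providing SMTP capabilities through the service mesh
  # Can be used to easily switch from a mailpit to a real smtp relay for example
  smtp_service_name: smtp

prometheus:
  # Set to true if prometheus is available so jobs can use it as a hint to
  # turn metrics support on
  available: false
  # Controls if prometheus metrics should be enabled on all tasks supporting it
  enabled: false
  # Path of the vault PKI used for monitoring
  vault_pki: '[[ .vault.root ]]pki/monitoring'

# Default redis (or valkey) settings
redis:
  image: '[[ .docker.repo ]][[ .docker.base_images.valkey.image ]]'
  resources:
    cpu: 10
    memory: 20

docker:
  # Your repo where locally built images will be pushed
  repo: danielberteaud/
  maintainer: Daniel Berteaud <dbd@ehtrace.com>
  # Common base images
  base_images:
    # wait for services to be online, allow configuring service dependencies
    wait_for:
      image: wait-for:24.5-1
      tags:
        - wait-for:latest

    # AlmaLinux 8
    alma8:
      image: alma:8.24.5-1
      build_args:
        ALMA: 8
      tags:
        - alma8:latest
        - alma:8
      depends_on:
        # minit is copied from alpine image
        - alpine

    # AlmaLinux 9
    alma9:
      image: alma:9.24.5-1
      build_args:
        ALMA: 9
      tags:
        - alma9:latest
        - alma:9
      depends_on:
        - alpine

    # Latest alpine
    alpine:
      image: alpine:24.5-1
      tags:
        - alpine:latest

    # Alpine with Java8 (temurin)
    java8:
      image: java:8.24.5-1
      build_args:
        JAVA_VERSION: 8
      tags:
        - java8:latest
        - java:8

    # Alpine with Java11 (temurin)
    java11:
      image: java:11.24.5-1
      build_args:
        JAVA_VERSION: 11
      tags:
        - java11:latest
        - java:11

    # Alpine with Java17 (temurin)
    java17:
      image: java:17.24.5-1
      build_args:
        JAVA_VERSION: 17
      tags:
        - java17:latest
        - java:17

    # Alpine with Java21 (temurin)
    java21:
      image: java:21.24.5-1
      build_args:
        JAVA_VERSION: 21
      tags:
        - java21:latest
        - java:21

    # Postgres
    postgres15:
      image: postgres:15.24.5-1
      build_args:
        PG_VERSION: 15
      tags:
        - postgres15:latest
        - postgres:15
      depends_on:
        - alma9

    postgres16:
      image: postgres:16.24.5-1
      build_args:
        PG_VERSION: 16
      tags:
        - postgres16:latest
        - postgres:16
      depends_on:
        - alma9

    # Mariadb client
    mariadb_client:
      image: mariadb-client:24.5-1
      tags:
        - mariadb-client:latest
      depends_on:
        - alpine

    # MariaDB server
    mariadb:
      image: mariadb:24.5-1
      tags:
        - mariadb:latest
      depends_on:
        - mariadb_client

    # MongoDB
    mongo50:
      image: mongo:5.0.24.5-1
      build_args:
        MONGO_MAJOR: "5.0"
      tags:
        - mongo:5.0
      depends_on:
        - alma8

    # SQLite
    sqlite:
      image: sqlite:24.5-1
      tags:
        - sqlite:latest
      depends_on:
        - alpine

    # pgbouncer
    pgbouncer:
      image: pgbouncer:24.5-1
      tags:
        - pgbouncer:latest
      depends_on:
        - alpine

    # PHP
    php82:
      image: php:82.24.5-1
      build_args:
        PHP_VERSION: 82
      tags:
        - php:82
        - php82:latest
      depends_on:
        - alpine

    php83:
      image: php:83.24.5-1
      build_args:
        PHP_VERSION: 83
      tags:
        - php:83
        - php83:latest
      depends_on:
        - alpine

    # alpine based wkhtmltopdf
    wkhtmltopdf:
      image: wkhtmltopdf:24.5-1
      tags:
        - wkhtmltopdf:latest
      depends_on:
        - alpine

    # valkey (redis fork)
    valkey:
      image: valkey:24.5-1
      tags:
        - valkey:latest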