Start job skeletton

.gitmodules

@@ -0,0 +1,4 @@
+[submodule "common"]
+	path = deps/common
+	url = https://git.lapiole.org/nomad/common.git
+	branch = master

deps/common

@@ -0,0 +1 @@
+Subproject commit 6c43f35bca0f6720c07c993a4b377047339cf591

images/mongo/Dockerfile

@@ -0,0 +1,19 @@
+FROM danielberteaud/alma:8
+MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
+
+ARG MONGO_MAJOR=3.6
+
+COPY mongodb.repo /etc/yum.repos.d/
+RUN set -eux &&\
+    sed -i -e "s/__MONGO_MAJOR__/${MONGO_MAJOR}/g" /etc/yum.repos.d/mongodb.repo &&\
+    microdnf -y --best --nodocs --noplugins --setopt=install_weak_deps=0 update &&\
+    # Create mongod user with same UID as mongodb in the official image \
+    groupadd -g 999 mongod &&\
+    useradd -M -r -g mongod -u 999 -d /var/lib/mongo -s /bin/false -c mongod mongod &&\
+    microdnf -y --nodocs --setopt=install_weak_deps=0 install tini mongodb-org-server mongodb-org-shell mongodb-mongosh mongodb-org-tools &&\
+    microdnf clean all &&\
+    rm -rf /var/cache/yum/* /var/log/yum/* /var/lib/dnf/history*
+
+USER mongod
+ENTRYPOINT ["tini", "--"]
+CMD ["mongod"]

images/mongo/mongodb.repo

@@ -0,0 +1,6 @@
+[mongodb-org-__MONGO_MAJOR__]
+name=MongoDB Repository
+baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/__MONGO_MAJOR__/x86_64/
+gpgcheck=1
+enabled=1
+gpgkey=https://www.mongodb.org/static/pgp/server-__MONGO_MAJOR__.asc

images/mongodb_exporter/Dockerfile

@@ -0,0 +1,2 @@
+FROM percona/mongodb_exporter:0.39.0
+MAINTAINER Daniel Berteaud <dbd@ehtrace.com>

images/unifi/Dockerfile

@@ -0,0 +1,28 @@
+FROM danielberteaud/alpine:latest AS builder
+
+ARG UNIFI_VERSION=7.4.162
+
+RUN set -eu &&\
+    apk --no-cache add curl ca-certificates unzip &&\
+    cd /tmp &&\
+    curl -sSLO https://www.ubnt.com/downloads/unifi/${UNIFI_VERSION}/UniFi.unix.zip &&\
+    unzip UniFi.unix.zip
+
+FROM danielberteaud/java:11-alpine
+MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
+
+COPY --from=build /tmp/UniFi /opt/unifi
+RUN set -eu &&\
+    apk --no-cache upgrade &&\
+    addgroup -g 8443 unifi &&\
+    adduser --system --ingroup unifi --disabled-password --uid 8443 --home /opt/unifi --shell /sbin/nologin unifi &&\
+    chown -R root:root /opt/unifi &&\
+    chown -R unifi:unifi /opt/unifi/dl &&\
+    chown -R :unifi /opt/unifi/conf &&\
+    chmod 750 /opt/unifi/conf
+
+EXPOSE 8443 8080 3778
+USER unifi
+
+CMD ["sh", "-c", "java ${JAVA_OPTS} -jar /opt/unifi/app/lib/ace.jar start"]
+

templates/unifi/system.properties.tpl

@@ -0,0 +1,42 @@
+## system.properties
+#
+# each unifi instance requires a set of ports:
+#
+## device inform
+unifi.http.port={{ env "NOMAD_PORT_inform" }}
+## controller UI / API
+# unifi.https.port=8443
+## portal redirect port for HTTP
+portal.http.port=8880
+## portal redirect port for HTTPs
+# portal.https.port=8843
+## local-bound port for DB server
+# unifi.db.port=27117
+## UDP port used for STUN
+# unifi.stun.port=3478
+#
+## the IP devices should be talking to for inform
+# system_ip=a.b.c.d
+## disable mongodb journaling
+# unifi.db.nojournal=false
+## extra mongod args
+# unifi.db.extraargs
+#
+## HTTPS options
+# unifi.https.ciphers=TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
+# unifi.https.sslEnabledProtocols=TLSv1,SSLv2Hello
+# unifi.https.hsts=false
+# unifi.https.hsts.max_age=31536000
+# unifi.https.hsts.preload=false
+# unifi.https.hsts.subdomain=false
+#
+# Ports reserved for device redirector. There is no need to open
+# firewall for these ports on controller, however do NOT set
+# controller to use these ports.
+#
+# portal.redirector.port=8881
+# portal.redirector.port.wired=8882
+#
+# Port used for throughput measurement.
+# unifi.throughput.port=6789
+#

unifi.nomad.hcl

@@ -0,0 +1,110 @@
+job "unifi" {
+
+  datacenters = [[ .noamd.datacenters | toJSON ]]
+
+  group "controller" {
+
+    network {
+      mode = "bridge"
+      port "stun" {}
+    }
+
+    service "unifi-inform" {
+      port = 8080
+
+      connect {
+        sidecar_service {}
+        sidecar_task {
+[[ template "common/resources.tpl" .envoy ]]
+        }
+      }
+
+      tags = [
+        "[[ .env.traefik ]].enable=true",
+        "[[ .env.traefik ]].http.routers.unifi-inform[[ .env.suffix ]].rule=Host(`[[ (urlParse .unifi.inform.public_url).Host ]]`) && (Path(`/inform`) || PathPrefix(`/dl/firmware-cached`))",
+        "[[ .env.traefik ]].http.routers.unifi-inform[[ .env.suffix ]].entrypoints=[[ join .unifi.inform.traefik.entrypoints "," ]]",
+        "[[ .env.traefik ]].http.routers.unifi-inform[[ .env.suffix ]].middlewares=[[ join .unifi.inform.traefik.middlewares  "," ]]"
+      ]
+    }
+
+    service "unifi-controller" {
+      port = 8443
+
+      connect {
+        sidecar_service {}
+        sidecar_task {
+[[ template "common/resources.tpl" .envoy ]]
+        }
+      }
+
+      tags = [
+        "[[ .env.traefik ]].enable=true",
+        "[[ .env.traefik ]].http.routers.unifi-controller[[ .env.suffix ]].rule=Host(`(urlParse .unifi.controller.public_url).Host`) && PathPrefix(`(urlParse .unifi.controller.public_url).Path`)",
+        "[[ .env.traefik ]].http.routers.unifi-controller[[ .env.suffix ]].entrypoints=[[ join .unifi.controller.traefik.entrypoints ]]",
+        "[[ .env.traefik ]].http.routers.unifi-controller[[ .env.suffix ]].tls=true",
+        "[[ .env.traefik ]].http.routers.unifi-controller[[ .env.suffix ]].scheme=https",
+        "[[ .env.traefik ]].http.routers.unifi-controller[[ .env.suffix ]].middlewares=[[ join .unifi.controller.traefik.middlewares  "," ]]"
+      ]
+    }
+
+    service "unifi-portal" {
+      port = 8880
+
+      connect {
+        sidecar_service {}
+        sidecar_task {
+[[ template "common/resources.tpl" .envoy ]]
+        }
+      }
+
+      tags = [
+        "[[ .env.traefik ]].enable=true",
+        "[[ .env.traefik ]].http.routers.unifi-portal[[ .env.suffix ]].rule=Host(`(urlParse .unifi.guest_portal.public_url).Host`) && PathPrefix(`/guest`)",
+        "[[ .env.traefik ]].http.routers.unifi-portal[[ .env.suffix ]].entrypoints=[[ join .unifi.guest_portal.traefik.entrypoints ]]",
+        "[[ .env.traefik ]].http.routers.unifi-portal[[ .env.suffix ]].tls=true",
+        "[[ .env.traefik ]].http.routers.unifi-portal[[ .env.suffix ]].middlewares=[[ join .unifi.guest_portal.traefik.middlewares  "," ]]"
+      ]
+    }
+
+    service "unifi-stun" {
+      port = "stun"
+
+      tags = [
+        "[[ .env.traefik ]].enable=true",
+        "[[ .env.traefik ]].udp.routers.unifi-stun[[ .env.suffix ]].entrypoints=[[ join .unifi.stun.traefik.middlewares "," ]]",
+        "[[ .env.traefik ]].consulcatalog.connect=false"
+      ]
+    }
+  }
+
+[[ template "common/task.wait_for" dict 
+  "ctx" .
+  "SERVICE_1" "unifi-mongo" ]]
+
+  task "unifi" {
+
+    driver = [[ .unifi.controller.driver | toJSON ]]
+
+    config {
+      image = [[ .unifi.controller.image | toJSON ]]
+    }
+
+    env {
+      [[ template "common/env.tpl" .unifi.controller.env ]]
+    }
+
+    template {
+      data =<<_EOF
+[[ template "unifi/controller/system.properties" . ]]
+_EOF
+      destination = "secrets/system.properties"
+    }
+
+    [[ template "common/resources.tpl" .unifi.controller.resources ]]
+
+  }
+
+  group "mongodb" {
+  }
+}
+