diff --git a/consul/config/service-defaults/unifi.hcl b/consul/config/service-defaults/unifi.hcl
index cd60b69..587d5ee 100644
--- a/consul/config/service-defaults/unifi.hcl
+++ b/consul/config/service-defaults/unifi.hcl
@@ -1,3 +1,3 @@
 Kind = "service-defaults"
-Name = "[[ .unifi.job_name ]][[ .env.suffix ]]"
+Name = "[[ .unifi.instance ]][[ .consul.suffix ]]"
 Protocol = "http"
diff --git a/consul/config/service-intentions/unifi.hcl b/consul/config/service-intentions/unifi.hcl
index 4d85a41..52381e1 100644
--- a/consul/config/service-intentions/unifi.hcl
+++ b/consul/config/service-intentions/unifi.hcl
@@ -1,8 +1,8 @@
 Kind = "service-intentions"
-Name = "[[ .unifi.job_name ]][[ .env.suffix ]]"
+Name = "[[ .unifi.instance ]][[ .consul.suffix ]]"
 Sources = [
 {
- Name = "[[ .traefik.instance ]]"
+ Name = "[[ (merge .unifi.controller .traefik).instance ]]"
 Permissions = [
 {
 Action = "allow"
diff --git a/prep.d/mv_conf.sh b/prep.d/mv_conf.sh
index 23aeb2a..036c5fd 100755
--- a/prep.d/mv_conf.sh
+++ b/prep.d/mv_conf.sh
@@ -1 +1 @@
-[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "unifi" .unifi.job_name) ]]
+[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "unifi" .unifi.instance) ]]
diff --git a/templates/controller/system.properties.tpl b/templates/controller/system.properties.tpl
index 3a44ea0..3ec7a01 100644
--- a/templates/controller/system.properties.tpl
+++ b/templates/controller/system.properties.tpl
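Review bot: The intention source on the new line, `(merge .unifi.controller .traefik).instance`, resolves the override from `.unifi.controller.instance`, whereas the Traefik tags in unifi.nomad.hcl read `$c.traefik.instance`, i.e. an override living at `.unifi.controller.traefik.instance` — the same sub-map the `entrypoints` and `middlewares` tags already merge with `.traefik`. Assuming gomplate's merge gives its first argument precedence (which every other `merge X.traefik .traefik` in this diff relies on), an operator who sets that override gets a Traefik instance registered under the overridden name while this intention still allows only the default one, and Connect denies the proxy's traffic. `Name = "[[ (merge .unifi.controller.traefik .traefik).instance ]]"` keeps the allow-list and the tags keyed on the same variable.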
@@ -9,12 +9,12 @@ db.mongo.local=false
 [[- $mongo_stats := urlParse .unifi.controller.mongo.stats_address ]]
 db.mongo.uri=[[ $mongo.Scheme ]]://
 [[- if has .unifi.controller.mongo "user" ]]
-[[- .unifi.controller.mongo.user ]]:{{ with secret "[[ .env.suffix ]]kv/service/[[ .unifi.job_name ]]" }}{{ urlquery .Data.data.mongo_pwd }}{{ end }}@
+[[- .unifi.controller.mongo.user ]]:{{ with secret "[[ .consul.suffix ]]kv/service/[[ .unifi.instance ]]" }}{{ urlquery .Data.data.mongo_pwd }}{{ end }}@
 [[- end ]]
 [[- $mongo.Host ]][[ $mongo.Path ]]?[[ $mongo.RawQuery ]]
 statdb.mongo.uri=[[ $mongo_stats.Scheme ]]://
 [[- if has .unifi.controller.mongo "user" ]]
-[[- .unifi.controller.mongo.user ]]:{{ with secret "[[ .env.suffix ]]kv/service/[[ .unifi.job_name ]]" }}{{ urlquery .Data.data.mongo_pwd }}{{ end }}@
+[[- .unifi.controller.mongo.user ]]:{{ with secret "[[ .consul.suffix ]]kv/service/[[ .unifi.instance ]]" }}{{ urlquery .Data.data.mongo_pwd }}{{ end }}@
 [[- end ]]
 [[- $mongo_stats.Host ]][[ $mongo_stats.Path ]]?[[ $mongo_stats.RawQuery ]]
 debug.device=info
diff --git a/unifi.nomad.hcl b/unifi.nomad.hcl
index d3afd86..2c3aa38 100644
--- a/unifi.nomad.hcl
+++ b/unifi.nomad.hcl
@@ -1,9 +1,11 @@
-job [[ .unifi.job_name | toJSON ]] {
+job [[ .unifi.instance | toJSON ]] {
 [[- template "common/job_start.tpl" . ]]
 group "unifi" {
+[[- $c := merge .unifi.controller . ]]
+
 network {
 mode = "bridge"
 port "stun" {
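Review bot: Both added `with secret` lines build the KV path from `.consul.suffix`, while the grant in vault/policies/unifi.hcl (last hunk of this diff) is `[[ .vault.prefix ]]kv/data/service/[[ .unifi.instance ]]`. Unless `.consul.suffix` and `.vault.prefix` always hold the same string, the controller reads a secret path the policy does not cover — or the policy grants a path nothing reads — and the mismatch only shows up as a failed render at deploy time. Suggest `{{ with secret "[[ .vault.prefix ]]kv/service/[[ .unifi.instance ]]" }}` on both lines so the template and the policy share one variable; the `policies = ["[[ .unifi.instance ]][[ .consul.suffix ]]"]` line in unifi.nomad.hcl keys the policy name on `.consul.suffix` as well and deserves the same check.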
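Review bot: `[[- $c := merge .unifi.controller . ]]` deserves a comment, because the precedence is not visible from the line and later tags (`$c.traefik.instance`, `$c.env`) depend on it; something like `[[- /* $c: controller-level keys override the root variables of the same name */ -]]` above it. Whether nested maps such as `.traefik` and `.env` are merged recursively, so that `$c.traefik.instance` falls back to `.traefik.instance` when the controller map has no such key, depends on gomplate's merge implementation and is worth confirming — if the merge is shallow, `$c.traefik` is just `.unifi.controller.traefik` and the tags render an empty instance name. The `group` block continues past the end of this hunk.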
@@ -12,50 +14,50 @@ job [[ .unifi.job_name | toJSON ]] {
 }
 service {
- name = "[[ .unifi.job_name ]][[ .env.suffix ]]"
+ name = "[[ .unifi.instance ]][[ .consul.suffix ]]"
 port = 8888
-[[ template "common/connect.tpl" dict "ctx" . "config" .unifi.controller ]]
+[[ template "common/connect.tpl" $c ]]
 tags = [
- "[[ .traefik.instance ]].enable=true",
+ "[[ $c.traefik.instance ]].enable=true",
 # Note : no Host as inform requests are sent without. But it's binded to the dedicated entrypoint anyway
- "[[ .traefik.instance ]].http.routers.[[ .unifi.job_name ]]-inform[[ .env.suffix ]].rule=(Path(`/inform`) && Method(`POST`)) || (PathPrefix(`/dl/firmware-cached`) && (Method(`GET`) || Method(`HEAD`)))",
- "[[ .traefik.instance ]].http.routers.[[ .unifi.job_name ]]-inform[[ .env.suffix ]].entrypoints=[[ join (merge .unifi.inform.traefik .traefik).entrypoints "," ]]",
- "[[ .traefik.instance ]].http.routers.[[ .unifi.job_name ]]-inform[[ .env.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" merge .unifi.inform.traefik .traefik ]]",
+ "[[ $c.traefik.instance ]].http.routers.[[ .unifi.instance ]]-inform[[ .consul.suffix ]].rule=(Path(`/inform`) && Method(`POST`)) || (PathPrefix(`/dl/firmware-cached`) && (Method(`GET`) || Method(`HEAD`)))",
+ "[[ $c.traefik.instance ]].http.routers.[[ .unifi.instance ]]-inform[[ .consul.suffix ]].entrypoints=[[ join (merge .unifi.inform.traefik .traefik).entrypoints "," ]]",
+ "[[ $c.traefik.instance ]].http.routers.[[ .unifi.instance ]]-inform[[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" merge .unifi.inform.traefik .traefik ]]",
- "[[ .traefik.instance ]].http.routers.[[ .unifi.job_name ]]-controller[[ .env.suffix ]].rule=Host(`
+ "[[ $c.traefik.instance ]].http.routers.[[ .unifi.instance ]]-controller[[ .consul.suffix ]].rule=Host(`
 [[- (urlParse .unifi.controller.public_url).Hostname -]]`)
 [[- if ne "" (urlParse .unifi.controller.public_url).Path ]] && PathPrefix(`[[ (urlParse .unifi.controller.public_url).Path ]]`)[[ end ]]",
- "[[ .traefik.instance ]].http.routers.[[ .unifi.job_name ]]-controller[[ .env.suffix ]].entrypoints=[[ join (merge .unifi.controller.traefik .traefik).entrypoints "," ]]",
- "[[ .traefik.instance ]].http.routers.[[ .unifi.job_name ]]-controller[[ .env.suffix ]].tls=true",
- "[[ .traefik.instance ]].http.routers.[[ .unifi.job_name ]]-controller[[ .env.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" merge .unifi.controller.traefik .traefik ]]",
+ "[[ $c.traefik.instance ]].http.routers.[[ .unifi.instance ]]-controller[[ .consul.suffix ]].entrypoints=[[ join (merge .unifi.controller.traefik .traefik).entrypoints "," ]]",
+ "[[ $c.traefik.instance ]].http.routers.[[ .unifi.instance ]]-controller[[ .consul.suffix ]].tls=true",
+ "[[ $c.traefik.instance ]].http.routers.[[ .unifi.instance ]]-controller[[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" merge .unifi.controller.traefik .traefik ]]",
- "[[ .traefik.instance ]].http.routers.[[ .unifi.job_name ]]-portal[[ .env.suffix ]].rule=Host(`
+ "[[ $c.traefik.instance ]].http.routers.[[ .unifi.instance ]]-portal[[ .consul.suffix ]].rule=Host(`
 [[- (urlParse .unifi.guest_portal.public_url).Hostname -]]
 `) && PathPrefix(`/guest`)",
- "[[ .traefik.instance ]].http.routers.[[ .unifi.job_name ]]-portal[[ .env.suffix ]].entrypoints=[[ join (merge .unifi.guest_portal.traefik .traefik).entrypoints "," ]]",
- "[[ .traefik.instance ]].http.routers.[[ .unifi.job_name ]]-portal[[ .env.suffix ]].tls=true",
- "[[ .traefik.instance ]].http.routers.[[ .unifi.job_name ]]-portal[[ .env.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" merge .unifi.guest_portal.traefik .traefik ]]"
+ "[[ $c.traefik.instance ]].http.routers.[[ .unifi.instance ]]-portal[[ .consul.suffix ]].entrypoints=[[ join (merge .unifi.guest_portal.traefik .traefik).entrypoints "," ]]",
+ "[[ $c.traefik.instance ]].http.routers.[[ .unifi.instance ]]-portal[[ .consul.suffix ]].tls=true",
+ "[[ $c.traefik.instance ]].http.routers.[[ .unifi.instance ]]-portal[[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" merge .unifi.guest_portal.traefik .traefik ]]"
 ]
 }
 service {
- name = "unifi-stun[[ .env.suffix ]]"
+ name = "[[ .unifi.instance ]]-stun[[ .consul.suffix ]]"
 port = "stun"
 tags = [
- "[[ .traefik.instance ]].enable=true",
- "[[ .traefik.instance ]].udp.routers.[[ .unifi.job_name ]]-stun[[ .env.suffix ]].entrypoints=[[ join .unifi.stun.traefik.entrypoints "," ]]",
- "[[ .traefik.instance ]].consulcatalog.connect=false"
+ "[[ $c.traefik.instance ]].enable=true",
+ "[[ $c.traefik.instance ]].udp.routers.[[ .unifi.instance ]]-stun[[ .consul.suffix ]].entrypoints=[[ join .unifi.stun.traefik.entrypoints "," ]]",
+ "[[ $c.traefik.instance ]].consulcatalog.connect=false"
 ]
 }
 [[- if not .unifi.controller.mongo.is_external ]]
 service {
- name = "unifi-mongo[[ .env.suffix ]]"
+ name = "[[ .unifi.instance ]]-mongo[[ .consul.suffix ]]"
 port = 27017
 check {
@@ -72,16 +74,6 @@ job [[ .unifi.job_name | toJSON ]] {
 }
 }
 }
-[[- end ]]
-
- volume "unifi-data" {
- type = [[ .unifi.controller.volume.type | toJSON ]]
- source = [[ .unifi.controller.volume.source | toJSON ]]
- access_mode = "multi-node-multi-writer"
- attachment_mode = "file-system"
- }
-
-[[- if not .unifi.controller.mongo.is_external ]]
 volume "unifi-mongo" {
 type = [[ .unifi.mongo.volume.type | toJSON ]]
@@ -92,12 +84,19 @@ job [[ .unifi.job_name | toJSON ]] {
 [[- end ]]
+ volume "unifi-data" {
+ type = [[ .unifi.controller.volume.type | toJSON ]]
+ source = [[ .unifi.controller.volume.source | toJSON ]]
+ access_mode = "multi-node-multi-writer"
+ attachment_mode = "file-system"
+ }
+
 [[ template "common/task.wait_for.tpl" dict "ctx" . "wait_for" (coll.Slice (dict "service" .unifi.controller.mongo.service_name)) ]]
 task "nginx" {
- driver = [[ .unifi.nginx.driver | toJSON ]]
+ driver = [[ .nomad.driver | toJSON ]]
 user = 8306
 lifecycle {
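Review bot: `[[ template "common/connect.tpl" $c ]]` changes the argument handed to the shared template from the `dict "ctx" . "config" .unifi.controller` pair to the merged map, and common/connect.tpl is not part of this diff. If that template still reads `.ctx`/`.config`, the Connect sidecar and upstream stanza render empty without a template error, which is easy to miss at deploy time; please confirm the template was updated alongside this call or call it the old way. A short comment on the line, `# connect.tpl reads controller settings from the merged $c map`, would record the new contract for the next reader.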
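Review bot: `driver = [[ .nomad.driver | toJSON ]]` (here and in the firmware-downloader, controller and mongo tasks in the following hunks) reads a variable that this diff never defines: the variables.yml hunks only remove the three per-task `driver: docker` keys and add no `nomad.driver` default. If the value comes from a shared variables file outside this repository that is fine; otherwise the job fails to render on the missing key. A comment at this first use, `# driver is set once in the shared nomad.driver variable`, would save the next reader the search, and a default in variables.yml would keep the job renderable standalone.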
@@ -121,7 +120,7 @@ _EOF
 }
 task "firmware-downloader" {
- driver = [[ .unifi.fw_dl.driver | toJSON ]]
+ driver = [[ .nomad.driver | toJSON ]]
 user = 8443
 lifecycle {
@@ -134,7 +133,7 @@ _EOF
 }
 env {
-[[ template "common/env.tpl" .unifi.fw_dl.env ]]
+[[ template "common/env.tpl" merge .unifi.fw_dl.env .env ]]
 [[ template "common/proxy_env.tpl" . ]]
 }
@@ -149,7 +148,7 @@ _EOF
 task "controller" {
 leader = true
- driver = [[ .unifi.controller.driver | toJSON ]]
+ driver = [[ .nomad.driver | toJSON ]]
 config {
 image = [[ .unifi.controller.image | toJSON ]]
@@ -164,14 +163,14 @@ _EOF
 }
 vault {
- policies = ["unifi[[ .env.suffix ]]"]
+ policies = ["[[ .unifi.instance ]][[ .consul.suffix ]]"]
 env = false
 disable_file = true
 }
 env {
 [[ template "common/proxy_env.tpl" . ]]
- [[ template "common/env.tpl" .unifi.controller.env ]]
+ [[ template "common/env.tpl" $c.env ]]
 }
 template {
@@ -201,7 +200,7 @@ _EOF
 [[- if not .unifi.controller.mongo.is_external ]]
 task "mongo" {
- driver = [[ .unifi.mongo.driver | toJSON ]]
+ driver = [[ .nomad.driver | toJSON ]]
 lifecycle {
 hook = "prestart"
diff --git a/variables.yml b/variables.yml
index afec33a..bddcc5f 100644
--- a/variables.yml
+++ b/variables.yml
@@ -8,7 +8,7 @@ unifi:
 # The name of the nomad job
- job_name: unifi
+ instance: unifi
 # This is for the web management console
 controller:
@@ -129,9 +129,6 @@ unifi:
 # The image to use
 image: nginxinc/nginx-unprivileged:alpine
- # The driver to use (docker or podman)
- driver: docker
-
 # Resource allocation
 resources:
 cpu: 10
@@ -144,9 +141,6 @@ unifi:
 # The image to use
 image: danielberteaud/mongo:5.0-1
- # The driver to use (docker or podman)
- driver: docker
-
 # Resource allocation
 resources:
 cpu: 100
@@ -165,9 +159,6 @@ unifi:
 # The image to use
 image: danielberteaud/ubnt-firmware-downloader:20230831-1
- # The driver (docker or podman)
- driver: docker
-
 # Resource allocation
 resources:
 cpu: 10
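Review bot: `[[ template "common/env.tpl" merge .unifi.fw_dl.env .env ]]` in the firmware-downloader's `env` block now injects every key of the global `.env` map into that container, where previously only `.unifi.fw_dl.env` was exposed; the contents of `.env` are not in this diff, so anything placed there for other tasks (tokens, endpoints, proxy overrides) becomes readable by a process that only needs to fetch firmware. Least privilege would keep the task-specific map alone, or list the few global keys it genuinely needs. If the widening is intended, a comment such as `# global .env is merged in so the downloader shares the site-wide settings` documents the decision; note also that the controller task expresses the same idea differently, via `$c.env`, so the two tasks should at least agree on one form.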
diff --git a/vault/policies/unifi.hcl b/vault/policies/unifi.hcl
index 9d3e1ac..379aa09 100644
--- a/vault/policies/unifi.hcl
+++ b/vault/policies/unifi.hcl
@@ -1,3 +1,3 @@
-path "[[ .vault.prefix ]]kv/data/service/[[ .unifi.job_name ]]" {
+path "[[ .vault.prefix ]]kv/data/service/[[ .unifi.instance ]]" {
 capabilities = ["read"]
 }