feat/cloudflared (#94)

chore: update defunct github runner job feat(cloudflared): add a standalone cloudflare tunnel job docs(README): extend README Signed-off-by: Bruce Becker <[email protected]> --------- Signed-off-by: Bruce Becker <[email protected]>
brucellino · Jan 4, 2024 · 2dba64d · 2dba64d
1 parent fd10b77
commit 2dba64d
Show file tree

Hide file tree

Showing 5 changed files with 133 additions and 21 deletions.
diff --git a/README.md b/README.md
@@ -1,3 +1,41 @@
 # Hashi at Home Nomad jobs
 
-These are the Nomad jobs for [Hashi at Home](https://hashiatho.me)
+These are the Nomad jobs for [Hashi@Home](https://hashiatho.me)
+
+Many of them are inspired by the works of others, including the Hashicorp Nomad tutorials themselves, so I make no claim over their authorship.
+
+These are not quite ready for production.
+
+## Hashi Stack integration
+
+Hashi@Home is a playground of mostly Raspberry Pis created so that I could experiment and learn the Hashicorp Stack (Vault, Consul, Nomad) and perfect my usage of their tools (Terraform, Packer, Waypoint, _etc_.).
+Since the clients in the cluster are mixed architecture, the jobs use constraints or dynamic statements to retrieve relevant artifacts.
+
+### Consul and Vault
+
+Several of the jobs use templates with either Consul or Vault functions.
+Consul functions include either lookups in the Consul catalogue, of services or nodes, or template configuration files based on Consul KV data.
+The Nomad services and clients are configured to use Nomad workload identities, in order to issue Vault tokens to jobs so that they can consume secrets.
+
+### Terraform
+
+In cases where jobs required backing services outside of the cluster, they are implemented with Terraform.
+Terraform is responsible for the creation of the backing resources (DNS entries, S3 buckets, _etc_), as well as the actual Nomad job.
+This is especially useful when needing to template Nomad job descriptions, and is used in these cases as a kind of replacement for Nomad Pack.
+In these cases, the Terraform backend used is typically Consul, for the reasons provided above.
+
+## Using
+
+You will need a working Nomad cluster of course, which is sufficient for many of the jobs described here.
+However, as mentioned above the jobs that required service discovery or interaction with Consul or Vault for templating will of course require those services.
+If your cluster has ACLs enabled, you will need to set the `NOMAD_TOKEN` appropriately.
+
+## Jobs
+
+Jobs are found in the main directory, and are mostly schedulable via Nomad itself, using the usual `nomad plan/apply`, while a select few are deployed with Terraform directly.
+A few notable examples are described in a bit more depth below:
+
+* [Container Storage Interface](csi/README.md) - attempts to deploy CSI plugins
+* [jenkins](jenkins/README.md) - Jenkins controller with configuration as code
+* [loki](loki/README.md) - Grafana Loki deployment with DigitalOcean spaces storage
+* [monitoring](monitoring/README.md) - unified Grafana monitoring stack (Prometheus, loki, grafana, promtail, node-exporter)
diff --git a/cloudflared.nomad b/cloudflared.nomad
@@ -0,0 +1,77 @@
+job "cloudflare-tunnel" {
+  datacenters = ["dc1"]
+  type        = "service"
+
+  group "app" {
+    network {
+      port "metrics" {}
+      port "cloudflared" {}
+      mode = "bridge"
+    }
+    service {
+      name = "cloudflared-test"
+      tags = ["cloudflared", "test"]
+      port = "cloudflared"
+      // check {
+      //  name     = "alive"
+      //  type     = "tcp"
+      //  interval = "10s"
+      //  timeout  = "2s"
+      // }
+
+      check {
+        name     = "metrics"
+        type     = "http"
+        interval = "10s"
+        timeout  = "2s"
+        port     = "metrics"
+        path     = "/metrics"
+      }
+    }
+    reschedule {
+      attempts       = 1
+      interval       = "1m"
+      unlimited      = false
+      delay_function = "constant"
+    }
+    restart {
+      attempts = 1
+      interval = "2m"
+      delay    = "15s"
+      mode     = "delay"
+    }
+
+    task "tunnel" {
+      vault {}
+      template {
+        data        = <<EOH
+TUNNEL_TOKEN="{{ with secret "hashiatho.me-v2/data/cloudflare" }}{{- .Data.data.cloudflare_access_test_token -}}{{ end }}"
+  EOH
+        destination = "secrets/.env"
+        env         = true
+      }
+      env {
+        TUNNEL_METRICS  = "0.0.0.0:${NOMAD_PORT_metrics}"
+        TUNNEL_LOGLEVEL = "info"
+      }
+      restart {
+        interval = "1m"
+        attempts = 1
+        delay    = "5s"
+        mode     = "fail"
+      }
+      driver = "docker"
+      config {
+        image = "cloudflare/cloudflared"
+        args = [
+          "tunnel", "run"
+        ]
+      }
+
+      resources {
+        cpu    = 100
+        memory = 64
+      }
+    }
+  }
+}
diff --git a/github-runner/.terraform.lock.hcl b/github-runner/.terraform.lock.hcl
diff --git a/github-runner/github-runner.nomad b/github-runner/github-runner.nomad
@@ -1,19 +1,19 @@
 variable "runner_version" {
   description = "Version to use for the github runner.\nSee https://github.com/actions/runner/releases/"
-  default = "2.310.2"
-  type = string
+  default     = "2.310.2"
+  type        = string
 }
 
 variable "github_org" {
   description = "Name of the github org we attach the runner to"
-  default = "SouthAfricaDigitalScience"
-  type = string
+  default     = "AAROC"
+  type        = string
 }
 
 variable "token" {
   description = "Github Personal Access Token"
-  default = "AAQEOZFGCRNN2DT7DBTYXMTEGKUB2"
-  type = string
+  default     = "AAQEOZBRMWMWVTS5EFV534DFLI76E"
+  type        = string
 }
 job "github-runner" {
   datacenters = ["dc1"]
@@ -24,7 +24,7 @@ job "github-runner" {
         source = "https://github.com/actions/runner/releases/download/v${var.runner_version}/actions-runner-linux-${attr.cpu.arch}-${var.runner_version}.tar.gz"
       }
       lifecycle {
-        hook = "prestart"
+        hook    = "prestart"
         sidecar = false
       }
       config {
@@ -46,13 +46,20 @@ job "github-runner" {
       config {
         command = "/bin/bash"
         args = [
-          "local/run.sh"
+          "local/exec.sh"
         ]
       }
+      template {
+        destination = "local/exec.sh"
+        data        = <<EOH
+#!/bin/bash
+local/config.sh --unattended --url https://github.com/${var.github_org} --token  ${var.token} --labels test
+EOH
+      }
     }
     task "remove" {
       lifecycle {
-        hook = "poststop"
+        hook    = "poststop"
         sidecar = false
       }
       driver = "exec"

diff --git a/loki.nomad b/loki.nomad
@@ -71,7 +71,7 @@ job "loki" {
     task "server" {
       driver = "exec"
       vault {
-        policies      = ["read-only"]
+        // policies      = ["read-only"]
         change_mode   = "signal"
         change_signal = "SIGHUP"
       }