initial commit

Signed-off-by: Amneesh Singh <natto@weirdnatto.in>

.gitignore

@@ -0,0 +1,2 @@
+.terraform*
+*.tstate

bots/main.tf

@@ -0,0 +1,10 @@
+provider "nomad" {}
+//Set everything via environment variables
+
+resource "nomad_job" "singh3" {
+  jobspec = file("./singh3.nomad")
+  purge_on_destroy = true
+  hcl2 {
+    enabled = true
+  }
+}

bots/singh3.nomad

@@ -0,0 +1,81 @@
+job "singh3" {
+  region      = "global"
+  datacenters = ["nazrin"]
+  type        = "service"
+
+  group "svc" {
+    count = 1
+
+    network {
+      mode = "bridge"
+
+      port "db" {
+        static = 5454
+        to     = 5432
+      }
+    }
+
+    vault {
+      policies = ["singh3-policy"]
+    }
+
+    service {
+      name = "singh3-db"
+      port = "db"
+    }
+
+    task "db" {
+      template {
+        data = <<EOF
+{{with secret "kv/data/singh3/db"}}{{.Data.data.pass}}{{end}}
+EOF
+
+        destination = "${NOMAD_SECRETS_DIR}/db.pass"
+      }
+
+      driver = "docker"
+
+      config {
+        image   = "postgres:alpine"
+        ports   = ["db"]
+        volumes = ["/var/lib/nomad-st/postgres-singh3:/var/lib/postgresql/data"]
+      }
+
+      env {
+        POSTGRES_USER          = "singh3"
+        POSTGRES_PASSWORD_FILE = "${NOMAD_SECRETS_DIR}/db.pass"
+        POSTGRES_DB            = "singh3"
+      }
+
+      resources {
+        cpu    = 256
+        memory = 128
+      }
+    }
+
+    task "bot" {
+      driver = "docker"
+
+      config {
+        image      = "natto17/singh3:latest"
+        force_pull = true
+        volumes = [ "/tmp:/tmp" ]
+      }
+
+      template {
+        data = <<EOF
+{{with secret "kv/data/singh3/db"}}
+DB_URL="postgresql://singh3:{{.Data.data.pass}}@localhost:5432/singh3"
+{{end}}
+{{with secret "kv/data/singh3/discord"}}
+DISCORD_TOKEN="{{.Data.data.token}}"
+{{end}}
+RUST_BACKTRACE=1
+EOF
+
+        destination = "${NOMAD_SECRETS_DIR}/data.env"
+        env         = true
+      }
+    }
+  }
+}

concourse/concourse-worker.nomad

@@ -0,0 +1,61 @@
+job "concourse-worker" { 
+  region = "global"
+  datacenters = [ "nazrin" ]
+  type = "service"
+  group "svc" {
+    count = 1
+    network {
+      mode = "bridge"
+    }
+    vault {
+      policies = [ "concourse-worker" ]
+    }
+    service {
+      connect {
+        sidecar_service {
+          proxy {
+            upstreams {
+              destination_name = "concourse-tsa"
+              local_bind_port = 2222
+            }
+          }
+        }
+      }
+    }
+    task "concourse" {
+      driver = "docker"
+      config {
+        image = "rdclda/concourse:7.7.0"
+        command = "worker"
+        image_pull_timeout = "30m"
+        privileged = true
+        volumes = [ "/var/lib/nomad-st/concourse-worker:/work"]
+        entrypoint = [ "dumb-init", "/work/entrypoint.sh" ]
+      }
+      resources {
+        cpu    = 2048
+        memory = 2048
+      }
+      template {
+        data = <<EOF
+{{ with secret (printf "kv/data/concourse/workers/%s" (env "node.unique.name") )}}{{ .Data.data.worker_key }}{{ end }}
+EOF
+        destination = "${NOMAD_SECRETS_DIR}/worker_key"
+      }
+      template {
+        data = <<EOF
+{{ with secret "kv/data/concourse/keys" }}{{ .Data.data.tsa_host_key_pub }}{{ end }}
+EOF
+        destination = "${NOMAD_SECRETS_DIR}/tsa_host_key.pub"
+      }
+      env {
+        CONCOURSE_RUNTIME="containerd"
+        CONCOURSE_TSA_PUBLIC_KEY="${NOMAD_SECRETS_DIR}/tsa_host_key.pub"
+        CONCOURSE_TSA_WORKER_PRIVATE_KEY="${NOMAD_SECRETS_DIR}/worker_key"
+        CONCOURSE_WORK_DIR="/work"
+        CONCOURSE_TSA_HOST="${NOMAD_UPSTREAM_ADDR_concourse_tsa}"
+ #       CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER = "btrfs"
+      }
+    }
+  }
+}

concourse/concourse.nomad

@@ -0,0 +1,133 @@
+job "concourse" {
+  region = "global"
+  datacenters = [ "nazrin" ]
+  type = "service"
+  update { 
+    health_check = "checks"   
+    min_healthy_time  = "30s"   
+    healthy_deadline  = "15m"
+    progress_deadline = "30m"
+  }
+  group "svc" {
+    count = 1
+    network {
+      mode = "bridge"
+       port "db" {
+        to = 5432
+      }
+      port "http" { 
+        static = "6666"
+        to = "8080"
+      }
+      port "tsa" {
+        to = "2222"
+      }
+    }
+    vault {
+      policies = [ "concourse-ci" ]
+    }
+    service {
+      name = "concourse-db"
+      port = "db"
+    }
+    service {
+      name = "concourse-http"
+      port = "http"
+    }
+    service {
+      name = "concourse-tsa"
+      port = "2222"
+      connect {   
+        sidecar_service {}   
+      }
+    }
+    task "db" {
+      template {
+        data = <<EOF
+{{with secret "kv/data/concourse/db"}}{{.Data.data.pass}}{{end}}
+EOF
+        destination = "${NOMAD_SECRETS_DIR}/cc-db.pass"
+      }
+      driver = "docker"
+      config {
+        image = "postgres:alpine"
+        ports = ["db"]
+        volumes = [ "/var/lib/nomad-st/postgres-concourse:/var/lib/postgresql/data" ]
+      }
+      env {
+        POSTGRES_USER     = "concourse"
+        POSTGRES_PASSWORD_FILE="${NOMAD_SECRETS_DIR}/cc-db.pass"
+        POSTGRES_DB       = "concourse"
+      }
+      resources {
+        cpu    = 250
+        memory = 128
+      }
+    }
+    task "concourse" {
+      driver = "docker"
+      config {
+        image = "rdclda/concourse:7.7.0"
+        command = "web"
+        image_pull_timeout = "30m"
+        ports = ["http", "tsa" ]
+      }
+      resources {
+        cpu    = 250
+        memory = 128
+      }
+      template {
+        data = <<EOF
+{{ with secret "kv/data/concourse/keys" }}
+{{ .Data.data.session_signing_key }}
+{{ end }}
+EOF
+        destination = "${NOMAD_SECRETS_DIR}/session_signing_key"
+      }
+
+      template {
+        data = <<EOF
+{{ with secret "kv/data/concourse/keys" }}
+{{ .Data.data.tsa_host_key }}
+{{ end }}
+EOF
+        destination = "${NOMAD_SECRETS_DIR}/tsa_host_key"
+      }
+
+
+      template {
+        data = <<EOF
+{{ range secrets "kv/metadata/concourse/workers/" }}
+{{ with secret (printf "kv/data/concourse/workers/%s" .) }}{{ .Data.data.worker_key_pub }}
+{{ end }}
+{{ end }}
+EOF
+        destination = "${NOMAD_SECRETS_DIR}/authorized_worker_keys"
+        change_mode = "restart"
+      }
+      template {
+        data = <<EOF
+{{ with secret "kv/data/concourse/keys" }}
+CONCOURSE_ADD_LOCAL_USER={{ .Data.data.local_username }}:{{ .Data.data.local_userpass }}
+CONCOURSE_MAIN_TEAM_LOCAL_USER={{ .Data.data.local_username }}
+{{end}}
+CONCOURSE_SESSION_SIGNING_KEY={{ env "NOMAD_SECRETS_DIR" }}/session_signing_key
+CONCOURSE_TSA_HOST_KEY={{ env "NOMAD_SECRETS_DIR" }}/tsa_host_key
+CONCOURSE_TSA_AUTHORIZED_KEYS={{ env "NOMAD_SECRETS_DIR" }}/authorized_worker_keys
+CONCOURSE_POSTGRES_HOST=localhost
+CONCOURSE_POSTGRES_PORT={{ env "NOMAD_PORT_db" }}
+CONCOURSE_POSTGRES_USER=concourse
+CONCOURSE_POSTGRES_DATABASE=concourse
+CONCOURSE_EXTERNAL_URL=https://ci.weirdnatto.in
+{{ with secret "kv/data/concourse/db" }}CONCOURSE_POSTGRES_PASSWORD={{ .Data.data.pass }}{{end}}
+CONCOURSE_VAULT_URL=https://vault.weirdnatto.in
+CONCOURSE_VAULT_PATH_PREFIX=/kv/concourse
+{{ with secret "kv/data/concourse/vault" }}CONCOURSE_VAULT_CLIENT_TOKEN={{ .Data.data.token }}{{end}}
+EOF
+        env = true
+        change_mode = "restart"
+        destination = "${NOMAD_SECRETS_DIR}/data.env"
+      }
+    }
+  }
+}

concourse/main.tf

@@ -0,0 +1,16 @@
+provider "nomad" {}
+//Set everything via environment variables
+
+resource "nomad_job" "concourse" {
+  jobspec = file("./concourse.nomad")
+  hcl2 {
+    enabled = true
+  }
+}
+
+resource "nomad_job" "concourse-worker" {
+  jobspec = file("./concourse-worker.nomad")
+  hcl2 {
+    enabled = true
+  }
+}

concourse/terraform.tfstate

@@ -0,0 +1,8 @@
+{
+  "version": 4,
+  "terraform_version": "1.1.7",
+  "serial": 3,
+  "lineage": "024f69f1-cac1-435f-fdb1-d90b3bfd0638",
+  "outputs": {},
+  "resources": []
+}

gitea/gitea.nomad

@@ -0,0 +1,98 @@
+job "gitea" {
+  region = "global"
+  datacenters = [ "nazrin" ]
+  type = "service"
+  group "svc" {
+    count = 1
+    network {
+      mode = "bridge"
+      port "http" {
+        static = 5000
+        to = 3000
+      }
+      port "ssh_pass" {
+        static = 222
+        to = 22
+      }
+      port "db" {
+        to = 5432
+      }
+    }
+    service {
+      name = "gitea-http"
+      port = "http"
+    } 
+    vault {
+      policies = [ "giteapolicy" ]
+    }
+    task "app" {
+      template {
+        data = <<EOF
+APP_NAME=Natto Tea
+RUN_MODE=prod
+SSH_DOMAIN=git.weirdnatto.in
+ROOT_URL=https://git.weirdnatto.in/
+SSH_PORT=22
+SSH_LISTEN_PORT=22
+USER_UID=1002
+USER_GID=1002
+GITEA__database__DB_TYPE=postgres
+GITEA__database__NAME=gitea
+GITEA__database__USER=gitea
+GITEA__database__HOST=localhost:{{ env "NOMAD_PORT_db" }}
+{{with secret "kv/data/gitea"}}
+GITEA__database__PASSWD_FILE={{.Data.data.dbpass}}
+GITEA__mailer__ENABLED=true
+GITEA__mailer__FROM={{.Data.data.mailer}}
+GITEA__mailer__TYPE=smtp
+GITEA__mailer__HOST={{.Data.data.mailhost}}
+GITEA__mailer__IS_TLS_ENABLED=true
+GITEA__mailer__USER={{.Data.data.mailer}}
+GITEA__mailer__PASSWD={{.Data.data.mailerpass}}
+GITEA__service__REGISTER_EMAIL_CONFIRM=true
+GITEA__oauth2_client__REGISTER_EMAIL_CONFIRM=true
+{{end}}
+EOF
+        destination = "${NOMAD_SECRETS_DIR}/data.env"
+        env = true
+      }
+      driver = "docker"
+      config {
+        image = "gitea/gitea:dev-linux-arm64"
+        ports = [ "http", "ssh_pass" ]
+        volumes = [ "/var/lib/nomad-st/gitea:/data" ]
+      }
+      resources {
+        cpu    = 1024
+        memory = 512
+      }
+    }
+    task "db" {
+      template {
+        data = <<EOF
+  {{with secret "kv/data/gitea"}}{{.Data.data.dbpass}}{{end}}
+  EOF
+        destination = "${NOMAD_SECRETS_DIR}/gitea_db.pass"
+      }
+      driver = "docker"
+      config {
+        image = "postgres:alpine"
+        ports = ["db"]
+        volumes = [ "/var/lib/nomad-st/postgres-gitea:/var/lib/postgresql/data" ]
+      }
+      env {
+        POSTGRES_USER     = "gitea"
+        POSTGRES_PASSWORD_FILE="${NOMAD_SECRETS_DIR}/gitea_db.pass"
+        POSTGRES_DB       = "gitea"
+      }
+      resources {
+        cpu    = 200
+        memory = 128
+      }
+      service {
+        name = "gitea-db"
+        port = "db"
+      }
+    }
+  }
+}

gitea/main.tf

@@ -0,0 +1,9 @@
+provider "nomad" {}
+//Set everything via environment variables
+
+resource "nomad_job" "gitea" {
+  jobspec = file("./gitea.nomad")
+  hcl2 {
+    enabled = true
+  }
+}