Updates

.gitignore

@@ -1 +1,2 @@
 .history
+*~

examples/homelab/README.md

@@ -0,0 +1,17 @@
+# Example homelab config
+
+Since this is a homelab and not a cloud provider the volumes are simple NFS configured in nomad.hcl
+
+All jobs can be started with `nomad job run -detach <(dhall-to-json --file ./path/to/file.dhall)`
+
+## Traefik
+
+* Host networking
+* System job
+* DNS set to round robin between all cluster hosts
+
+## Passbolt
+
+* NFS for gpg and mysql state
+* Consul connect service mesh for web<->mysql communication
+* Traefik as gateway

examples/homelab/passbolt/passbolt.dhall

@@ -0,0 +1,128 @@
+let nomad = ../../../package.dhall
+
+let Connect = nomad.Service.Connect
+
+let db =
+      { database = "passbolt"
+      , user = "passbolt"
+      , password = "passbolt-user-password"
+      , root_password = "passbolt-root-password"
+      , addr = "\${NOMAD_UPSTREAM_IP_passbolt_mysql}"
+      , port = "\${NOMAD_UPSTREAM_PORT_passbolt_mysql}"
+      }
+
+let mysql-task =
+      nomad.Task::{
+      , env = Some
+          ( toMap
+              { MARIADB_ROOT_PASSWORD = db.root_password
+              , MARIADB_DATABASE = db.database
+              , MARIADB_USER = db.user
+              , MARIADB_PASSWORD = db.password
+              }
+          )
+      , driver = "docker"
+      , resources = nomad.Resources::{ cpu = Some 4000, memory = 4000 }
+      , config =
+          nomad.Task.Config.Docker.new
+            nomad.Task.Config.Docker::{ image = "mariadb:10.11" }
+      , user = Some "mysql"
+      , volume_mount = Some
+        [ { volume = "mysql-volume"
+          , destination = "/var/lib/mysql"
+          , read_only = False
+          }
+        ]
+      }
+
+let web-task =
+      nomad.Task::{
+      , env = Some
+          ( toMap
+              { APP_FULL_BASE_URL = "http://passbolt.local"
+              , PASSBOLT_KEY_EMAIL = "[email protected]"
+              , PASSBOLT_SSL_FORCE = "false"
+              , DATASOURCES_DEFAULT_HOST = db.addr
+              , DATASOURCES_DEFAULT_PORT = db.port
+              , DATASOURCES_DEFAULT_DATABASE = db.database
+              , DATASOURCES_DEFAULT_USERNAME = db.user
+              , DATASOURCES_DEFAULT_PASSWORD = db.password
+              }
+          )
+      , driver = "docker"
+      , resources = nomad.Resources::{ cpu = Some 2000, memory = 2000 }
+      , config =
+          nomad.Task.Config.Docker.new
+            nomad.Task.Config.Docker::{ image = "passbolt/passbolt:latest-ce" }
+      , volume_mount = Some
+        [ { volume = "config-volume"
+          , destination = "/etc/passbolt/gpg"
+          , read_only = False
+          }
+        ]
+      }
+
+let config-volume =
+      nomad.Volume::{
+      , type = nomad.Volume.VolumeType.host
+      , source = "passbolt-config"
+      , read_only = False
+      }
+
+let mysql-volume =
+      nomad.Volume::{
+      , type = nomad.Volume.VolumeType.host
+      , source = "passbolt-mysql"
+      , read_only = False
+      }
+
+let mysql =
+      nomad.Group::{
+      , task = toMap { mysql-task }
+      , volume = Some (toMap { mysql-volume })
+      , network = Some nomad.Network::{=}
+      , service = Some
+        [ nomad.Service::{
+          , name = "passbolt-mysql"
+          , port = Some "3306"
+          , connect = Some Connect::{
+            , sidecar_service = Some Connect.SidecarService::{=}
+            }
+          }
+        ]
+      }
+
+let web =
+      nomad.Group::{
+      , task = toMap { web-task }
+      , volume = Some (toMap { config-volume })
+      , network = Some nomad.Network::{=}
+      , service = Some
+        [ nomad.Service::{
+          , name = "passbolt"
+          , port = Some "80"
+          , tags = Some
+            [ "traefik.enable=true"
+            , "traefik.consulcatalog.connect=true"
+            , "traefik.http.routers.passbolt.rule=Host(`passbolt.local`)"
+            ]
+          , connect = Some Connect::{
+            , sidecar_service = Some Connect.SidecarService::{
+              , proxy = Some Connect.SidecarService.Proxy::{
+                , upstreams = Some
+                  [ Connect.SidecarService.Proxy.Upstreams::{
+                    , destination_name = "passbolt-mysql"
+                    , local_bind_port = 3306
+                    }
+                  ]
+                }
+              }
+            }
+          }
+        ]
+      }
+
+let passbolt =
+      nomad.Job::{ datacenters = [ "dc1" ], group = toMap { web, mysql } }
+
+in  { job = toMap { passbolt } }

examples/homelab/traefik/traefik.dhall

@@ -0,0 +1,56 @@
+let nomad = ../../../package.dhall
+
+let traefikTask =
+      nomad.Task::{
+      , driver = "docker"
+      , resources = nomad.Resources::{ cpu = Some 500, memory = 500 }
+      , config =
+          nomad.Task.Config.Docker.new
+            nomad.Task.Config.Docker::{
+            , image = "traefik:2.11.0"
+            , ports = Some [ "admin", "http" ]
+            , network_mode = Some nomad.Task.Config.Docker.NetworkMode.host
+            , args = Some
+              [ "--api.dashboard=true"
+              , "--api.insecure=true"
+              , "--entrypoints.web.address=:80"
+              , "--entrypoints.traefik.address=:8080"
+              , "--providers.consulcatalog=true"
+              , "--providers.consulcatalog.exposedByDefault=false"
+              , "--providers.consulcatalog.connectAware=true"
+              , "--log.level=DEBUG"
+              ]
+            }
+      }
+
+let http = nomad.Port::{ static = Some 80 }
+
+let admin = nomad.Port::{ static = Some 8080 }
+
+let traefikGroup =
+      toMap
+        { traefik = nomad.Group::{
+          , task = toMap { traefikTask }
+          , network = Some nomad.Network::{
+            , port = Some (toMap { http, admin })
+            , mode = nomad.Network.Mode.host
+            }
+          , service = Some
+            [ nomad.Service::{
+              , name = "traefik-http"
+              , port = Some "http"
+              , connect = Some nomad.Service.Connect::{ native = Some True }
+              }
+            ]
+          }
+        }
+
+let traefik =
+      nomad.Job::{
+      , datacenters = [ "dc1" ]
+      , group = traefikGroup
+      , priority = 100
+      , type = nomad.Job.JobType.system
+      }
+
+in  { job = toMap { traefik } }

examples/postgres/postgres.dhall

@@ -46,6 +46,7 @@ let postgres =
                     ]
                   , resources = nomad.Resources::{
                     , network = Some nomad.Network::{
+                      , mode = nomad.Network.Mode.host
                       , port = Some
                         [ { mapKey = port.name
                           , mapValue = nomad.Port::{ static = Some port.from }

examples/prometheus/prometheus.dhall

@@ -65,7 +65,7 @@ let prometheusTask =
               ]
             , ports = Some [ ports.prometheus_ui.name ]
             }
-      , resources = nomad.Resources::{ cpu = 500, memory = 256 }
+      , resources = nomad.Resources::{ cpu = Some 500, memory = 256 }
       }
 
 let prometheus =
@@ -89,6 +89,7 @@ let prometheus =
               , mode = nomad.Restart.Mode.delay
               }
             , network = Some nomad.Network::{
+              , mode = nomad.Network.Mode.host
               , port = Some
                 [ { mapKey = ports.prometheus_ui.name
                   , mapValue = nomad.Port::{ to = Some ports.prometheus_ui.to }

package.dhall

@@ -28,4 +28,5 @@
 , Update = ./schemas/Update.dhall
 , Vault = ./schemas/Vault.dhall
 , Volume = ./schemas/Volume.dhall
+, VolumeMount = ./schemas/VolumeMount.dhall
 }

schemas/Connect.dhall

@@ -0,0 +1,17 @@
+let SidecarService = ./SidecarService.dhall
+
+let SidecarTask = ./SidecarTask.dhall
+
+let Gateway = ./Gateway.dhall
+
+in  { Type = ../types/Connect.dhall
+    , default =
+      { native = None Bool
+      , sidecar_service = None ../types/SidecarService.dhall
+      , sidecar_task = None ../types/SidecarTask.dhall
+      , gateway = None ../types/Gateway.dhall
+      }
+    , SidecarService
+    , SidecarTask
+    , Gateway
+    }

schemas/Constraint.dhall

@@ -1,6 +1,6 @@
 let Operator = ../types/ConstraintOperator.dhall
 
 in  { Type = ../types/Constraint.dhall
-    , default.operator = Operator.`=`
+    , default = { operator = Operator.`=`, attribute = None Text }
     , Operator
     }

schemas/Gateway.dhall

@@ -0,0 +1,20 @@
+let Proxy = ./GatewayProxy.dhall
+
+let Ingress = ./GatewayIngress.dhall
+
+let Terminating = ./GatewayTerminating.dhall
+
+let Mesh = ../types/GatewayMesh.dhall
+
+in  { Type = ../types/Gateway.dhall
+    , default =
+      { proxy = None ../types/GatewayProxy.dhall
+      , ingress = None ../types/GatewayIngress.dhall
+      , terminating = None ../types/GatewayTerminating.dhall
+      , mesh = None ../types/GatewayMesh.dhall
+      }
+    , Proxy
+    , Ingress
+    , Terminating
+    , Mesh
+    }

schemas/GatewayAddress.dhall

@@ -0,0 +1 @@
+{ Type = ../types/GatewayAddress.dhall, default = {=} }

schemas/GatewayIngress.dhall

@@ -0,0 +1,12 @@
+let GatewayTls = ./GatewayTls.dhall
+
+let GatewayListener = ./GatewayListener.dhall
+
+in  { Type = ../types/GatewayIngress.dhall
+    , default =
+      { tls = None ../types/GatewayTls.dhall
+      , listener = [] : List ../types/GatewayListener.dhall
+      }
+    , GatewayTls
+    , GatewayListener
+    }

schemas/GatewayListener.dhall

@@ -0,0 +1,12 @@
+let ListenerProtocol = ../types/GatewayListenerProtocol.dhall
+
+let ListenerService = ./GatewayListenerService.dhall
+
+in  { Type = ../types/GatewayListener.dhall
+    , default =
+      { protocol = ../types/GatewayListenerProtocol.dhall
+      , service = [] : List ../types/GatewayListenerService.dhall
+      }
+    , ListenerProtocol
+    , ListenerService
+    }

schemas/GatewayListenerService.dhall

@@ -0,0 +1,3 @@
+{ Type = ../types/GatewayListenerService.dhall
+, default.hosts = None (List Text)
+}

schemas/GatewayProxy.dhall

@@ -0,0 +1,17 @@
+{- https://developer.hashicorp.com/nomad/docs/job-specification/gateway#proxy-parameters -}
+let Map = (../Prelude.dhall).Map.Type
+
+let Address = ./GatewayAddress.dhall
+
+in  { Type = ../types/GatewayProxy.dhall
+    , default =
+      { connect_timeout = None Text
+      , envoy_gateway_bind_tagged_addresses = None Bool
+      , envoy_gateway_bind_addresses =
+          None (Map Text ../types/GatewayAddress.dhall)
+      , envoy_gateway_no_default_bind = None Bool
+      , envoy_dns_discovery_type = None Bool
+      , config = None (Map Text Text)
+      }
+    , Address
+    }

schemas/GatewayTerminating.dhall

@@ -0,0 +1,3 @@
+let Service = ./GatewayTerminatingService.dhall
+
+in  { Type = ../types/GatewayTerminating.dhall, Service }

schemas/GatewayTerminatingService.dhall

@@ -0,0 +1,8 @@
+{ Type = ../types/GatewayTerminatingService.dhall
+, default =
+  { ca_file = None Text
+  , cert_file = None Text
+  , key_file = None Text
+  , sni = None Text
+  }
+}

schemas/GatewayTls.dhall

@@ -0,0 +1,5 @@
+{ enabled = None Bool
+, tls_min_version = None Text
+, tls_max_version = None Text
+, cipher_suites = None (List Text)
+}