feat: 重构基础设施配置与安全凭证管理

- 新增多个云服务商配置文件(OCI、阿里云)
- 重构Vault、Consul、Nomad等服务的部署配置
- 新增备份与恢复完美状态的脚本
- 更新安全凭证管理文档
- 优化Traefik动态配置
- 删除过时的脚本和配置文件

重构后的配置支持多区域部署,优化了服务发现和负载均衡机制,并完善了安全凭证的备份与恢复流程。
2025-10-13 03:08:22 +00:00
parent 41bff0cd02
commit 4381428b5d
48 changed files with 3628 additions and 498 deletions


@@ -16,6 +16,8 @@ job "traefik-cloudflare-v3" {
source = "traefik-certs"
}
network {
mode = "host"
port "http" {
@@ -51,12 +53,24 @@ job "traefik-cloudflare-v3" {
read_only = false
}
template {
data = <<EOF
api:
dashboard: true
insecure: true
# 开启访问日志
accessLog: {}
# 开启指标收集
metrics:
prometheus:
addEntryPointsLabels: true
addServicesLabels: true
entryPoint: "traefik"
entryPoints:
web:
address: "0.0.0.0:80"
@@ -81,7 +95,7 @@ providers:
prefix: "traefik"
defaultRule: "Host(`{{ .Name }}.git-4ta.live`)"
file:
filename: /local/dynamic.yml
directory: /opt/traefik/certs
watch: true
certificatesResolvers:
@@ -99,153 +113,6 @@ EOF
destination = "local/traefik.yml"
}
template {
data = <<EOF
http:
serversTransports:
waypoint-insecure:
insecureSkipVerify: true
authentik-insecure:
insecureSkipVerify: true
middlewares:
consul-stripprefix:
stripPrefix:
prefixes:
- "/consul"
waypoint-auth:
replacePathRegex:
regex: "^/auth/token(.*)$"
replacement: "/auth/token$1"
services:
consul-cluster:
loadBalancer:
servers:
- url: "http://ch4.tailnet-68f9.ts.net:8500" # 韩国Leader
- url: "http://warden.tailnet-68f9.ts.net:8500" # 北京Follower
- url: "http://ash3c.tailnet-68f9.ts.net:8500" # 美国Follower
healthCheck:
path: "/v1/status/leader"
interval: "30s"
timeout: "15s"
nomad-cluster:
loadBalancer:
servers:
- url: "http://ch2.tailnet-68f9.ts.net:4646" # 韩国Leader
- url: "http://ash3c.tailnet-68f9.ts.net:4646" # 美国Follower
healthCheck:
path: "/v1/status/leader"
interval: "30s"
timeout: "15s"
waypoint-cluster:
loadBalancer:
servers:
- url: "https://hcp1.tailnet-68f9.ts.net:9701" # hcp1 节点 HTTPS API
serversTransport: waypoint-insecure
vault-cluster:
loadBalancer:
servers:
- url: "http://warden.tailnet-68f9.ts.net:8200" # 北京,单节点
healthCheck:
path: "/ui/"
interval: "30s"
timeout: "15s"
authentik-cluster:
loadBalancer:
servers:
- url: "https://authentik.tailnet-68f9.ts.net:9443" # Authentik容器HTTPS端口
serversTransport: authentik-insecure
healthCheck:
path: "/flows/-/default/authentication/"
interval: "30s"
timeout: "15s"
grafana-cluster:
loadBalancer:
servers:
- url: "http://influxdb.tailnet-68f9.ts.net:3000" # Grafana服务
healthCheck:
path: "/api/health"
interval: "30s"
timeout: "15s"
routers:
consul-api:
rule: "Host(`consul.git-4ta.live`)"
service: consul-cluster
middlewares:
- consul-stripprefix
entryPoints:
- websecure
tls:
certResolver: cloudflare
traefik-dashboard:
rule: "Host(`traefik.git-4ta.live`)"
service: dashboard@internal
middlewares:
- dashboard_redirect@internal
- dashboard_stripprefix@internal
entryPoints:
- websecure
tls:
certResolver: cloudflare
traefik-api:
rule: "Host(`traefik.git-4ta.live`) && PathPrefix(`/api`)"
service: api@internal
entryPoints:
- websecure
tls:
certResolver: cloudflare
nomad-ui:
rule: "Host(`nomad.git-4ta.live`)"
service: nomad-cluster
entryPoints:
- websecure
tls:
certResolver: cloudflare
waypoint-ui:
rule: "Host(`waypoint.git-4ta.live`)"
service: waypoint-cluster
entryPoints:
- websecure
tls:
certResolver: cloudflare
vault-ui:
rule: "Host(`vault.git-4ta.live`)"
service: vault-cluster
entryPoints:
- websecure
tls:
certResolver: cloudflare
authentik-ui:
rule: "Host(`authentik1.git-4ta.live`)"
service: authentik-cluster
entryPoints:
- websecure
tls:
certResolver: cloudflare
grafana-ui:
rule: "Host(`grafana.git-4ta.live`)"
service: grafana-cluster
entryPoints:
- websecure
tls:
certResolver: cloudflare
EOF
destination = "local/dynamic.yml"
}
template {
data = <<EOF
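Review bot: The file provider now reads `directory: /opt/traefik/certs` with `watch: true` (L54-L55), which by its name is the directory the `traefik-certs` host volume (L25) exposes, so any file that lands next to the certificates is loaded as live routing configuration, and the routers and `insecureSkipVerify` transports this section deletes from the inline template (L62-L188) now live outside version control where they cannot be reviewed. Give dynamic configuration its own directory (for example `directory: <dedicated dynamic-config dir>`) and keep certificate material in a separate path with narrower permissions. Separately, `insecure: true` (L37) with `metrics.prometheus.entryPoint: "traefik"` (L45) serves dashboard, API and metrics unauthenticated on the `traefik` entrypoint; whether those lines are new or context is not recoverable from this rendering, but with `mode = "host"` (L28) that port is bound on the host, so a comment stating which interface it is reachable from, or a router with authentication in front of it, would help. The job block continues outside this hunk.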


@@ -0,0 +1,463 @@
job "vault-single-nomad" {
datacenters = ["dc1"]
type = "service"
group "vault-warden" {
count = 1
volume "vault-storage" {
type = "host"
read_only = false
source = "vault-storage"
}
constraint {
attribute = "${node.unique.name}"
operator = "="
value = "warden"
}
network {
port "http" {
static = 8200
to = 8200
}
}
task "vault" {
driver = "exec"
volume_mount {
volume = "vault-storage"
destination = "/opt/nomad/data/vault-storage"
read_only = false
}
resources {
cpu = 500
memory = 1024
}
service {
name = "vault"
port = "http"
tags = ["vault-server"]
# 禁用健康检查 - 零信任网络不需要这些垃圾
# check {
# type = "http"
# path = "/v1/sys/health"
# interval = "60s"
# timeout = "10s"
# }
}
# Vault配置 - 使用Consul存储
template {
data = <<EOF
ui = true
disable_mlock = true
# 使用Consul作为存储后端
storage "consul" {
address = "100.122.197.112:8500"
path = "vault/"
# 集群配置
datacenter = "dc1"
service = "vault"
service_tags = "vault-server"
# 会话配置
session_ttl = "15s"
lock_wait_time = "15s"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
# 禁用所有垃圾安全机制 - 我们在零信任网络上
disable_request_limiter = true
max_request_size = 33554432
max_request_duration = "90s"
}
# API地址 - 使用Tailscale网络
api_addr = "http://warden.tailnet-68f9.ts.net:8200"
# 禁用无聊的集群监听器
cluster_addr = "http://warden.tailnet-68f9.ts.net:8201"
# 集群名称
cluster_name = "vault-cluster"
# 日志配置
log_level = "INFO"
# 禁用所有垃圾安全机制 - 零信任网络不需要
disable_mlock = true
disable_clustering = false
disable_performance_standby = true
# 禁用无聊的TLS和ALPN监听器
disable_sealwrap = true
disable_sentinel_trace = true
EOF
destination = "local/vault.hcl"
perms = "644"
}
# 自动解封脚本 - warden 节点
template {
data = <<EOF
#!/bin/bash
# 启动Vault
vault server -config=/local/vault.hcl &
VAULT_PID=$!
# 等待Vault启动
sleep 10
# 自动解封Vault - 使用 warden overlay 地址
echo "Auto-unsealing Vault..."
vault operator unseal -address=http://100.122.197.112:8200 /cmtMNRLgfqUv7g9vZWmkFY5d/cBKvFImJDloN6h58or
vault operator unseal -address=http://100.122.197.112:8200 /jCGo0LIGXrXhsrjLw8TyIoKAZStoSmqRFtZQ0tDPtzv
vault operator unseal -address=http://100.122.197.112:8200 3kOn8gah1fs6cHnVDJ/6F22b2ERTS+YmKRKJS2ZQhlPS
echo "Vault auto-unsealed successfully"
wait $VAULT_PID
EOF
destination = "local/start-vault.sh"
perms = "755"
}
config {
command = "/bin/bash"
args = [
"/local/start-vault.sh"
]
}
restart {
attempts = 2
interval = "30m"
delay = "15s"
mode = "fail"
}
}
update {
max_parallel = 3
health_check = "checks"
min_healthy_time = "10s"
healthy_deadline = "5m"
progress_deadline = "10m"
auto_revert = true
canary = 0
}
migrate {
max_parallel = 3
health_check = "checks"
min_healthy_time = "10s"
healthy_deadline = "5m"
}
}
group "vault-ch4" {
count = 1
constraint {
attribute = "${node.unique.name}"
operator = "="
value = "ch4"
}
network {
port "http" {
static = 8200
to = 8200
}
}
task "vault" {
driver = "exec"
resources {
cpu = 500
memory = 1024
}
service {
name = "vault"
port = "http"
tags = ["vault-server"]
# 禁用健康检查 - 零信任网络不需要这些垃圾
# check {
# type = "http"
# path = "/v1/sys/health"
# interval = "60s"
# timeout = "10s"
# }
}
# Vault配置 - 使用Consul存储
template {
data = <<EOF
ui = true
disable_mlock = true
# 使用Consul作为存储后端
storage "consul" {
address = "100.117.106.136:8500"
path = "vault/"
# 集群配置
datacenter = "dc1"
service = "vault"
service_tags = "vault-server"
# 会话配置
session_ttl = "15s"
lock_wait_time = "15s"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
# 禁用所有垃圾安全机制 - 我们在零信任网络上
disable_request_limiter = true
max_request_size = 33554432
max_request_duration = "90s"
}
# API地址 - 使用Tailscale网络
api_addr = "http://ch4.tailnet-68f9.ts.net:8200"
# 集群名称
cluster_name = "vault-cluster"
# 日志配置
log_level = "INFO"
# 禁用所有垃圾安全机制 - 零信任网络不需要
disable_mlock = true
disable_clustering = false
disable_performance_standby = true
# 禁用无聊的TLS和ALPN监听器
disable_sealwrap = true
disable_sentinel_trace = true
EOF
destination = "local/vault.hcl"
perms = "644"
}
# 自动解封脚本 - ch4 节点
template {
data = <<EOF
#!/bin/bash
# 启动Vault
vault server -config=/local/vault.hcl &
VAULT_PID=$!
# 等待Vault启动
sleep 10
# 自动解封Vault - 使用 ch4 overlay 地址
echo "Auto-unsealing Vault..."
vault operator unseal -address=http://100.117.106.136:8200 /cmtMNRLgfqUv7g9vZWmkFY5d/cBKvFImJDloN6h58or
vault operator unseal -address=http://100.117.106.136:8200 /jCGo0LIGXrXhsrjLw8TyIoKAZStoSmqRFtZQ0tDPtzv
vault operator unseal -address=http://100.117.106.136:8200 3kOn8gah1fs6cHnVDJ/6F22b2ERTS+YmKRKJS2ZQhlPS
echo "Vault auto-unsealed successfully"
wait $VAULT_PID
EOF
destination = "local/start-vault.sh"
perms = "755"
}
config {
command = "/bin/bash"
args = [
"/local/start-vault.sh"
]
}
restart {
attempts = 2
interval = "30m"
delay = "15s"
mode = "fail"
}
}
update {
max_parallel = 3
health_check = "checks"
min_healthy_time = "10s"
healthy_deadline = "5m"
progress_deadline = "10m"
auto_revert = true
canary = 0
}
migrate {
max_parallel = 3
health_check = "checks"
min_healthy_time = "10s"
healthy_deadline = "5m"
}
}
group "vault-ash3c" {
count = 1
constraint {
attribute = "${node.unique.name}"
operator = "="
value = "ash3c"
}
network {
port "http" {
static = 8200
to = 8200
}
}
task "vault" {
driver = "exec"
resources {
cpu = 500
memory = 1024
}
service {
name = "vault"
port = "http"
tags = ["vault-server"]
# 禁用健康检查 - 零信任网络不需要这些垃圾
# check {
# type = "http"
# path = "/v1/sys/health"
# interval = "60s"
# timeout = "10s"
# }
}
# Vault配置 - 使用Consul存储
template {
data = <<EOF
ui = true
disable_mlock = true
# 使用Consul作为存储后端
storage "consul" {
address = "100.116.80.94:8500"
path = "vault/"
# 集群配置
datacenter = "dc1"
service = "vault"
service_tags = "vault-server"
# 会话配置
session_ttl = "15s"
lock_wait_time = "15s"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
# 禁用所有垃圾安全机制 - 我们在零信任网络上
disable_request_limiter = true
max_request_size = 33554432
max_request_duration = "90s"
}
# API地址 - 使用Tailscale网络
api_addr = "http://ash3c.tailnet-68f9.ts.net:8200"
# 集群名称
cluster_name = "vault-cluster"
# 日志配置
log_level = "INFO"
# 禁用所有垃圾安全机制 - 零信任网络不需要
disable_mlock = true
disable_clustering = false
disable_performance_standby = true
# 禁用无聊的TLS和ALPN监听器
disable_sealwrap = true
disable_sentinel_trace = true
EOF
destination = "local/vault.hcl"
perms = "644"
}
# 自动解封脚本 - ash3c 节点
template {
data = <<EOF
#!/bin/bash
# 启动Vault
vault server -config=/local/vault.hcl &
VAULT_PID=$!
# 等待Vault启动
sleep 10
# 自动解封Vault - 使用 ash3c overlay 地址
echo "Auto-unsealing Vault..."
vault operator unseal -address=http://100.116.80.94:8200 /cmtMNRLgfqUv7g9vZWmkFY5d/cBKvFImJDloN6h58or
vault operator unseal -address=http://100.116.80.94:8200 /jCGo0LIGXrXhsrjLw8TyIoKAZStoSmqRFtZQ0tDPtzv
vault operator unseal -address=http://100.116.80.94:8200 3kOn8gah1fs6cHnVDJ/6F22b2ERTS+YmKRKJS2ZQhlPS
echo "Vault auto-unsealed successfully"
wait $VAULT_PID
EOF
destination = "local/start-vault.sh"
perms = "755"
}
config {
command = "/bin/bash"
args = [
"/local/start-vault.sh"
]
}
restart {
attempts = 2
interval = "30m"
delay = "15s"
mode = "fail"
}
}
update {
max_parallel = 3
health_check = "checks"
min_healthy_time = "10s"
healthy_deadline = "5m"
progress_deadline = "10m"
auto_revert = true
canary = 0
}
migrate {
max_parallel = 3
health_check = "checks"
min_healthy_time = "10s"
healthy_deadline = "5m"
}
}
}
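Review bot: All three unseal key shares are hard-coded in plain text in the start-script templates (L297-L299, repeated at L419-L421 and L541-L543), so anyone with read access to this repository or to the rendered job spec holds a full unseal quorum, and the task also writes them to `local/start-vault.sh` on every node. Treat the shares as compromised now that they are committed: regenerate them with `vault operator rekey`, and replace the script with auto-unseal (a `seal` stanza backed by a KMS or a Transit Vault) or at least source the shares at run time from Nomad variables or a secret store instead of the job file. The listener is also bound to `address = "0.0.0.0:8200"` with `tls_disable = 1` (L260-L261, and again at L384-L385 and L506-L507) while the comments say the service is only reachable over the overlay; binding to all interfaces contradicts that, so bind to the node's overlay address used by `api_addr` or re-enable TLS. `disable_mlock = true` appears twice in each rendered config (L246 and L276); the second occurrence is redundant and should be dropped.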


@@ -38,9 +38,6 @@ job "vault-single-nomad" {
memory = 1024
}
env {
VAULT_ADDR = "http://127.0.0.1:8200"
}
service {
name = "vault"
@@ -77,7 +74,7 @@ storage "consul" {
}
listener "tcp" {
address = "100.122.197.112:8200"
address = "0.0.0.0:8200"
tls_disable = 1
}
@@ -105,11 +102,11 @@ VAULT_PID=$!
# 等待Vault启动
sleep 10
# 自动解封Vault - 使用本地地址通过Consul发现其他节点
# 自动解封Vault - 使用 overlay 网络地址
echo "Auto-unsealing Vault..."
vault operator unseal -address=http://127.0.0.1:8200 nlmbQbNU7pZaeHUgT+ynOFDS37JbEGOjmcvQ1fSgYaQp
vault operator unseal -address=http://127.0.0.1:8200 a7lJqKNr2tJ+J84EnRM6u5fKBwe90nVe8NY/mJngVROn
vault operator unseal -address=http://127.0.0.1:8200 /YcUlgI3fclb13h/ybz0TjhlcedNkfmlWbQm3RxGyo+h
vault operator unseal -address=http://100.117.106.136:8200 nlmbQbNU7pZaeHUgT+ynOFDS37JbEGOjmcvQ1fSgYaQp
vault operator unseal -address=http://100.117.106.136:8200 a7lJqKNr2tJ+J84EnRM6u5fKBwe90nVe8NY/mJngVROn
vault operator unseal -address=http://100.117.106.136:8200 /YcUlgI3fclb13h/ybz0TjhlcedNkfmlWbQm3RxGyo+h
echo "Vault auto-unsealed successfully"
wait $VAULT_PID
@@ -175,9 +172,6 @@ EOF
memory = 1024
}
env {
VAULT_ADDR = "http://127.0.0.1:8200"
}
service {
name = "vault"
@@ -214,7 +208,7 @@ storage "consul" {
}
listener "tcp" {
address = "100.117.106.136:8200"
address = "0.0.0.0:8200"
tls_disable = 1
}
@@ -242,11 +236,11 @@ VAULT_PID=$!
# 等待Vault启动
sleep 10
# 自动解封Vault - 使用本地地址通过Consul发现其他节点
# 自动解封Vault - 使用 overlay 网络地址
echo "Auto-unsealing Vault..."
vault operator unseal -address=http://127.0.0.1:8200 nlmbQbNU7pZaeHUgT+ynOFDS37JbEGOjmcvQ1fSgYaQp
vault operator unseal -address=http://127.0.0.1:8200 a7lJqKNr2tJ+J84EnRM6u5fKBwe90nVe8NY/mJngVROn
vault operator unseal -address=http://127.0.0.1:8200 /YcUlgI3fclb13h/ybz0TjhlcedNkfmlWbQm3RxGyo+h
vault operator unseal -address=http://100.117.106.136:8200 nlmbQbNU7pZaeHUgT+ynOFDS37JbEGOjmcvQ1fSgYaQp
vault operator unseal -address=http://100.117.106.136:8200 a7lJqKNr2tJ+J84EnRM6u5fKBwe90nVe8NY/mJngVROn
vault operator unseal -address=http://100.117.106.136:8200 /YcUlgI3fclb13h/ybz0TjhlcedNkfmlWbQm3RxGyo+h
echo "Vault auto-unsealed successfully"
wait $VAULT_PID
@@ -312,9 +306,6 @@ EOF
memory = 1024
}
env {
VAULT_ADDR = "http://127.0.0.1:8200"
}
service {
name = "vault"
@@ -351,7 +342,7 @@ storage "consul" {
}
listener "tcp" {
address = "100.116.80.94:8200"
address = "0.0.0.0:8200"
tls_disable = 1
}
@@ -379,11 +370,11 @@ VAULT_PID=$!
# 等待Vault启动
sleep 10
# 自动解封Vault - 使用本地地址通过Consul发现其他节点
# 自动解封Vault - 使用 overlay 网络地址
echo "Auto-unsealing Vault..."
vault operator unseal -address=http://127.0.0.1:8200 nlmbQbNU7pZaeHUgT+ynOFDS37JbEGOjmcvQ1fSgYaQp
vault operator unseal -address=http://127.0.0.1:8200 a7lJqKNr2tJ+J84EnRM6u5fKBwe90nVe8NY/mJngVROn
vault operator unseal -address=http://127.0.0.1:8200 /YcUlgI3fclb13h/ybz0TjhlcedNkfmlWbQm3RxGyo+h
vault operator unseal -address=http://100.117.106.136:8200 nlmbQbNU7pZaeHUgT+ynOFDS37JbEGOjmcvQ1fSgYaQp
vault operator unseal -address=http://100.117.106.136:8200 a7lJqKNr2tJ+J84EnRM6u5fKBwe90nVe8NY/mJngVROn
vault operator unseal -address=http://100.117.106.136:8200 /YcUlgI3fclb13h/ybz0TjhlcedNkfmlWbQm3RxGyo+h
echo "Vault auto-unsealed successfully"
wait $VAULT_PID
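Review bot: The unseal commands in the warden group (L607-L609) and the ash3c group (L665-L667) now target `http://100.117.106.136:8200`, which is the address the ch4 group's listener bound before this change (L623) and which the ch4 hunk (L636-L638) also uses; each Vault instance has to be unsealed on its own, so warden and ash3c would stay sealed while ch4 is unsealed three times. The removed listener lines give each node's own overlay address, `100.122.197.112` for warden (L594) and `100.116.80.94` for ash3c (L652), and those are what the comment `使用 overlay 网络地址` suggests each script should use, or the scripts could simply keep `-address=http://127.0.0.1:8200` since the listener now binds `0.0.0.0` (L595). The same plaintext unseal shares (L604-L609) remain in this file and should be rekeyed and moved out of the job spec, as with the new file in this commit. The task and job blocks continue outside this hunk.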