Fix SSH client configuration for gitea connection

This commit is contained in:
Houzhong Xu 2025-10-09 05:47:05 +00:00
parent 8f732a8f1c
commit e986e7c9b2
No known key found for this signature in database
GPG Key ID: B44BEB1438F1B46F
22 changed files with 1218 additions and 11 deletions

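--- /dev/null
+++ b/ansible/ansible.cfg
@@ -0,0 +1,10 @@
+[defaults]
+inventory = inventory/hosts.yml
+host_key_checking = False
+timeout = 30
+gathering = smart
+fact_caching = memory
+[ssh_connection]
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
+pipelining = True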
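Review bot: `host_key_checking = False` together with `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` in `ssh_args` turns off SSH server authentication for every connection, so anything on the path to a node can impersonate it and receive the password-based logins this inventory relies on. The targets are a fixed set of tailnet names, so a committed known_hosts file costs little: drop the two `-o` options and the `host_key_checking` line, and point `ssh_args` at `-o UserKnownHostsFile=inventory/known_hosts`, populated once with `ssh-keyscan` and reviewed. `pipelining = True` also silently depends on `requiretty` being absent from sudoers on the targets; a one-line comment above it would spare the next reader a confusing failure.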

ansible/fix-warden-zsh.yml Normal file

@ -0,0 +1,198 @@
---
# Ansible Playbook: 修复 warden 节点的 zsh 配置
- name: Fix zsh configuration on warden node
hosts: warden
become: yes
vars:
target_user: ben # 或者你想修复的用户名
tasks:
- name: 检查当前 shell
shell: echo $SHELL
register: current_shell
changed_when: false
- name: 显示当前 shell
debug:
msg: "当前 shell: {{ current_shell.stdout }}"
- name: 检查 zsh 是否已安装
package:
name: zsh
state: present
- name: 备份现有的 zsh 配置文件
shell: |
if [ -f ~/.zshrc ]; then
cp ~/.zshrc ~/.zshrc.backup.$(date +%Y%m%d_%H%M%S)
echo "已备份 ~/.zshrc"
fi
if [ -f ~/.zsh_history ]; then
cp ~/.zsh_history ~/.zsh_history.backup.$(date +%Y%m%d_%H%M%S)
echo "已备份 ~/.zsh_history"
fi
register: backup_result
changed_when: backup_result.stdout != ""
- name: 显示备份结果
debug:
msg: "{{ backup_result.stdout_lines }}"
when: backup_result.stdout != ""
- name: 检查 oh-my-zsh 是否存在
stat:
path: ~/.oh-my-zsh
register: ohmyzsh_exists
- name: 重新安装 oh-my-zsh (如果损坏)
shell: |
if [ -d ~/.oh-my-zsh ]; then
rm -rf ~/.oh-my-zsh
fi
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended
when: not ohmyzsh_exists.stat.exists or ansible_check_mode == false
- name: 创建基本的 .zshrc 配置
copy:
content: |
# Path to your oh-my-zsh installation.
export ZSH="$HOME/.oh-my-zsh"
# Set name of the theme to load
ZSH_THEME="robbyrussell"
# Which plugins would you like to load?
plugins=(git docker docker-compose kubectl)
source $ZSH/oh-my-zsh.sh
# User configuration
export PATH=$PATH:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
# Aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'
alias ..='cd ..'
alias ...='cd ../..'
# Nomad/Consul aliases
alias nomad-status='nomad status'
alias consul-members='consul members'
# History settings
HISTSIZE=10000
SAVEHIST=10000
setopt HIST_IGNORE_DUPS
setopt HIST_IGNORE_SPACE
setopt HIST_VERIFY
setopt SHARE_HISTORY
dest: ~/.zshrc
owner: "{{ target_user }}"
group: "{{ target_user }}"
mode: '0644'
backup: yes
- name: 设置 zsh 为默认 shell
user:
name: "{{ target_user }}"
shell: /usr/bin/zsh
- name: 检查 zsh 配置语法
shell: zsh -n ~/.zshrc
register: zsh_syntax_check
failed_when: zsh_syntax_check.rc != 0
changed_when: false
- name: 测试 zsh 启动
shell: zsh -c "echo 'zsh 配置测试成功'"
register: zsh_test
changed_when: false
- name: 显示修复结果
debug:
msg:
- "zsh 配置修复完成"
- "语法检查: {{ 'PASS' if zsh_syntax_check.rc == 0 else 'FAIL' }}"
- "启动测试: {{ zsh_test.stdout }}"
- name: 清理损坏的历史文件
shell: |
if [ -f ~/.zsh_history ]; then
# 尝试修复历史文件
strings ~/.zsh_history > ~/.zsh_history.clean
mv ~/.zsh_history.clean ~/.zsh_history
echo "已清理 zsh 历史文件"
fi
register: history_cleanup
changed_when: history_cleanup.stdout != ""
- name: 修复 DNS 配置问题
shell: |
# 备份现有DNS配置
sudo cp /etc/resolv.conf /etc/resolv.conf.backup.$(date +%Y%m%d_%H%M%S)
# 添加备用DNS服务器
echo "# 备用DNS服务器配置" | sudo tee -a /etc/resolv.conf
echo "nameserver 8.8.8.8" | sudo tee -a /etc/resolv.conf
echo "nameserver 8.8.4.4" | sudo tee -a /etc/resolv.conf
echo "nameserver 1.1.1.1" | sudo tee -a /etc/resolv.conf
echo "已添加备用DNS服务器"
register: dns_fix
changed_when: dns_fix.stdout != ""
- name: 测试 DNS 修复
shell: nslookup github.com
register: dns_test
changed_when: false
- name: 显示 DNS 测试结果
debug:
msg: "{{ dns_test.stdout_lines }}"
- name: 修复 zsh completion 权限问题
shell: |
# 修复系统 completion 目录权限
sudo chown -R root:root /usr/share/zsh/vendor-completions/ 2>/dev/null || true
sudo chown -R root:root /usr/share/bash-completion/ 2>/dev/null || true
sudo chown -R root:root /usr/share/fish/vendor_completions.d/ 2>/dev/null || true
sudo chown -R root:root /usr/local/share/zsh/site-functions/ 2>/dev/null || true
# 设置正确的权限
sudo chmod -R 755 /usr/share/zsh/vendor-completions/ 2>/dev/null || true
sudo chmod -R 755 /usr/share/bash-completion/ 2>/dev/null || true
sudo chmod -R 755 /usr/share/fish/vendor_completions.d/ 2>/dev/null || true
sudo chmod -R 755 /usr/local/share/zsh/site-functions/ 2>/dev/null || true
# 修复 oh-my-zsh completion 目录权限(如果存在)
if [ -d ~/.oh-my-zsh ]; then
chmod -R 755 ~/.oh-my-zsh/completions
chmod -R 755 ~/.oh-my-zsh/plugins
chmod -R 755 ~/.oh-my-zsh/lib
echo "已修复 oh-my-zsh 目录权限"
fi
# 重新生成 completion 缓存
rm -f ~/.zcompdump* 2>/dev/null || true
echo "已修复系统 completion 目录权限并清理缓存"
register: completion_fix
changed_when: completion_fix.stdout != ""
- name: 显示 completion 修复结果
debug:
msg: "{{ completion_fix.stdout_lines }}"
when: completion_fix.stdout != ""
- name: 测试 zsh completion 修复
shell: zsh -c "autoload -U compinit && compinit -D && echo 'completion 系统修复成功'"
register: completion_test
changed_when: false
- name: 重新加载 zsh 配置提示
debug:
msg:
- "修复完成!请执行以下命令重新加载配置:"
- "source ~/.zshrc"
- "或者重新登录以使用新的 shell 配置"
- "completion 权限问题已修复"
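Review bot: The condition `when: not ohmyzsh_exists.stat.exists or ansible_check_mode == false` is true on every normal run (check mode is off), so the `stat` result is effectively ignored and the task always does `rm -rf ~/.oh-my-zsh` followed by re-running an unpinned install script fetched from GitHub master. `when: not ohmyzsh_exists.stat.exists` alone gives the intended behaviour, and pinning the script to a tag or commit (or vendoring it) removes the dependency on whatever master serves at run time. Separately, the play runs with `become: yes`, so every `~` in the `shell`, `stat` and `copy` tasks resolves to root's home rather than `{{ target_user }}`'s: `dest: ~/.zshrc` with `owner: "{{ target_user }}"` writes root's .zshrc and chowns it to the user; use `/home/{{ target_user }}/...` or `become_user: "{{ target_user }}"` on those tasks. The `tee -a` lines in the DNS task also append the same nameservers to /etc/resolv.conf on every run.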


@ -0,0 +1,10 @@
---
all:
children:
warden:
hosts:
warden:
ansible_host: 100.122.197.112
ansible_user: ben
ansible_password: "3131"
ansible_become_password: "3131"
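Review bot: `ansible_password` and `ansible_become_password` commit the live SSH and sudo password for `ben` in plaintext to this inventory (presumably `ansible/inventory/hosts.yml`, given the `inventory =` line in ansible/ansible.cfg), and the same value recurs in the inventory.ini hunk, in the `echo '…' | sudo -S` chains of the nomad-configs scripts and in `sshpass -p` in test-zsh-fix.sh. Move the password into an `ansible-vault` encrypted vars file, or switch the account to key-based SSH with passwordless sudo for the automation user, and have the scripts call Ansible (`--become`) instead of embedding the secret. Treat the value as exposed now that it is in git history; rotating it should accompany the cleanup. `ansible_host: 100.122.197.112` is also a raw Tailscale IP while every other file uses `warden.tailnet-68f9.ts.net`; using the name keeps the inventory stable if the IP is reassigned.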


@ -31,18 +31,18 @@ job "consul-cluster-nomad" {
args = [ args = [
"agent", "agent",
"-server", "-server",
"-bootstrap-expect=2", "-bootstrap-expect=3",
"-data-dir=/opt/nomad/data/consul", "-data-dir=/opt/nomad/data/consul",
"-client=0.0.0.0", "-client=0.0.0.0",
"-bind={{ env "NOMAD_IP_http" }}", "-bind={{ env \"NOMAD_IP_http\" }}",
"-advertise={{ env "NOMAD_IP_http" }}", "-advertise={{ env \"NOMAD_IP_http\" }}",
"-retry-join=ash3c.tailnet-68f9.ts.net:8301", "-retry-join=ash3c.tailnet-68f9.ts.net:8301",
"-retry-join=warden.tailnet-68f9.ts.net:8301", "-retry-join=warden.tailnet-68f9.ts.net:8301",
"-ui", "-ui",
"-http-port=8500", "-http-port=8500",
"-server-port=8300", "-server-port=8300",
"-serf-lan-port=8301", "-serf-lan-port=8301",
"-serf-wan-port=8302", "-serf-wan-port=8302"
] ]
} }
@ -85,8 +85,8 @@ job "consul-cluster-nomad" {
"-server", "-server",
"-data-dir=/opt/nomad/data/consul", "-data-dir=/opt/nomad/data/consul",
"-client=0.0.0.0", "-client=0.0.0.0",
"-bind={{ env "NOMAD_IP_http" }}", "-bind={{ env \"NOMAD_IP_http\" }}",
"-advertise={{ env "NOMAD_IP_http" }}", "-advertise={{ env \"NOMAD_IP_http\" }}",
"-retry-join=ch4.tailnet-68f9.ts.net:8301", "-retry-join=ch4.tailnet-68f9.ts.net:8301",
"-retry-join=warden.tailnet-68f9.ts.net:8301", "-retry-join=warden.tailnet-68f9.ts.net:8301",
"-ui", "-ui",
@ -136,8 +136,8 @@ job "consul-cluster-nomad" {
"-server", "-server",
"-data-dir=/opt/nomad/data/consul", "-data-dir=/opt/nomad/data/consul",
"-client=0.0.0.0", "-client=0.0.0.0",
"-bind={{ env "NOMAD_IP_http" }}", "-bind={{ env \"NOMAD_IP_http\" }}",
"-advertise={{ env "NOMAD_IP_http" }}", "-advertise={{ env \"NOMAD_IP_http\" }}",
"-retry-join=ch4.tailnet-68f9.ts.net:8301", "-retry-join=ch4.tailnet-68f9.ts.net:8301",
"-retry-join=ash3c.tailnet-68f9.ts.net:8301", "-retry-join=ash3c.tailnet-68f9.ts.net:8301",
"-ui", "-ui",
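Review bot: Escaping the inner quotes makes `"-bind={{ env \"NOMAD_IP_http\" }}"` parse as HCL, but Nomad does not evaluate Go-template `{{ env }}` syntax inside `args` (only `template` blocks do), so Consul receives that literal string as its bind address; the same applies to `-advertise` in all three hunks. Nomad's runtime interpolation form is `"-bind=${NOMAD_IP_http}"` and `"-advertise=${NOMAD_IP_http}"`. Only the ch4 group sets `-bootstrap-expect=3`; Consul expects a consistent value across the servers, so the ash3c and warden groups should carry the same flag. The enclosing file's name is not shown in this view, and the first hunk's group header sits outside it.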


@ -1,6 +1,7 @@
[defaults] [defaults]
inventory = inventory.ini inventory = inventory.ini
host_key_checking = False host_key_checking = False
forks = 8
timeout = 30 timeout = 30
gathering = smart gathering = smart
fact_caching = memory fact_caching = memory


@ -2,7 +2,7 @@
# 服务器节点 (7个服务器节点) # 服务器节点 (7个服务器节点)
# ⚠️ 警告:能力越大,责任越大!服务器节点操作需极其谨慎! # ⚠️ 警告:能力越大,责任越大!服务器节点操作需极其谨慎!
# ⚠️ 任何对服务器节点的操作都可能影响整个集群的稳定性! # ⚠️ 任何对服务器节点的操作都可能影响整个集群的稳定性!
semaphore ansible_host=semaphore.tailnet-68f9.ts.net ansible_user=root ansible_password=3131 ansible_become_password=3131 semaphore ansible_host=127.0.0.1 ansible_user=root ansible_password=3131 ansible_become_password=3131 ansible_ssh_common_args="-o PreferredAuthentications=password -o PubkeyAuthentication=no"
ash1d ansible_host=ash1d.tailnet-68f9.ts.net ansible_user=ben ansible_password=3131 ansible_become_password=3131 ash1d ansible_host=ash1d.tailnet-68f9.ts.net ansible_user=ben ansible_password=3131 ansible_become_password=3131
ash2e ansible_host=ash2e.tailnet-68f9.ts.net ansible_user=ben ansible_password=3131 ansible_become_password=3131 ash2e ansible_host=ash2e.tailnet-68f9.ts.net ansible_user=ben ansible_password=3131 ansible_become_password=3131
ch2 ansible_host=ch2.tailnet-68f9.ts.net ansible_user=ben ansible_password=3131 ansible_become_password=3131 ch2 ansible_host=ch2.tailnet-68f9.ts.net ansible_user=ben ansible_password=3131 ansible_become_password=3131
@ -31,3 +31,7 @@ mount_point=/mnt/fnsync
# Ansible配置 # Ansible配置
ansible_ssh_common_args='-o StrictHostKeyChecking=no' ansible_ssh_common_args='-o StrictHostKeyChecking=no'
gitea ansible_host=gitea ansible_user=ben ansible_password=3131 ansible_become_password=3131
[gitea]
gitea ansible_host=gitea ansible_user=ben ansible_password=3131 ansible_become_password=3131
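Review bot: The `gitea` host line appears twice in the second hunk: once directly under `ansible_ssh_common_args='-o StrictHostKeyChecking=no'`, which judging by `mount_point=/mnt/fnsync` in the hunk header is inside a `:vars` block (where a host line is parsed as a variable assignment or rejected), and again under the new `[gitea]` group. Keep only the one under `[gitea]`. In the first hunk, `ansible_host=127.0.0.1` with `-o PreferredAuthentications=password -o PubkeyAuthentication=no` makes the semaphore entry valid only when the inventory is run from semaphore itself; a comment such as `# controller runs on semaphore; connects to itself over loopback` would record that assumption.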


@ -0,0 +1,22 @@
---
- name: Thorough cleanup of Nomad configuration backup files
hosts: nomad_nodes
become: yes
tasks:
- name: Remove all backup files with various patterns
shell: |
find /etc/nomad.d/ -name "nomad.hcl.*" -not -name "nomad.hcl" -delete
find /etc/nomad.d/ -name "*.bak" -delete
find /etc/nomad.d/ -name "*.backup*" -delete
find /etc/nomad.d/ -name "*.~" -delete
find /etc/nomad.d/ -name "*.broken" -delete
ignore_errors: yes
- name: List remaining files in /etc/nomad.d/
command: ls -la /etc/nomad.d/
register: remaining_files
changed_when: false
- name: Display remaining files
debug:
var: remaining_files.stdout_lines
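Review bot: The pattern `-name "*.~"` matches only names ending in a literal `.~`; editor backups end in a bare `~` (e.g. `nomad.hcl~`), so if those are the target the pattern should be `"*~"` — the same pattern is used in the `file` loop of the second cleanup playbook and in the cleanup-backups script. `-not -name "nomad.hcl"` in the first `find` is redundant, since `nomad.hcl.*` can never match `nomad.hcl`. `ignore_errors: yes` on the multi-line `shell` hides a failing `find` entirely, and the task reports changed on every run; `changed_when: false` and letting errors surface (or an explicit `failed_when: false` with a comment saying why) would be clearer.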


@ -0,0 +1,25 @@
---
- name: Cleanup Nomad configuration backup files
hosts: nomad_nodes
become: yes
tasks:
- name: Remove backup files from /etc/nomad.d/
file:
path: "{{ item }}"
state: absent
loop:
- "/etc/nomad.d/*.bak"
- "/etc/nomad.d/*.backup"
- "/etc/nomad.d/*.~"
- "/etc/nomad.d/*.broken"
- "/etc/nomad.d/nomad.hcl.*"
ignore_errors: yes
- name: List remaining files in /etc/nomad.d/
command: ls -la /etc/nomad.d/
register: remaining_files
changed_when: false
- name: Display remaining files
debug:
var: remaining_files.stdout_lines
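Review bot: The `file` module does not expand shell globs, so `path: "/etc/nomad.d/*.bak"` is treated as a literal filename and every loop iteration is a no-op; the playbook removes nothing while reporting success, and `ignore_errors: yes` would hide any error that did occur. Resolve the patterns with the `find` module and then loop `file: state: absent` over its results, as below; the patterns are kept as written here, though `"*.~"` probably wants to be `"*~"`.
```yaml
- name: Find backup files in /etc/nomad.d/
  find:
    paths: /etc/nomad.d/
    patterns:
      - "*.bak"
      - "*.backup"
      - "*.~"
      - "*.broken"
      - "nomad.hcl.*"
  register: nomad_backup_files
- name: Remove backup files from /etc/nomad.d/
  file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ nomad_backup_files.files }}"
  loop_control:
    label: "{{ item.path }}"
# … unchanged: list and display remaining files …
```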

nomad-configs/README.md Normal file

@ -0,0 +1,48 @@
# Nomad配置管理
## 目录结构
```
nomad-configs/
├── templates/
│ └── nomad-client.hcl.j2 # 配置模板
├── nodes/
│ ├── warden.hcl # 各节点配置文件
│ ├── hcp1.hcl
│ ├── onecloud1.hcl
│ ├── influxdb1.hcl
│ ├── ash3c.hcl
│ ├── ch4.hcl
│ └── browser.hcl
├── scripts/
│ └── deploy.sh # 部署脚本
└── README.md
```
## 节点列表
- onecloud1 (down)
- hcp1 (down)
- influxdb1 (ready)
- ash3c (ready)
- ch4 (ready)
- warden (ready) - 成功模板
- browser (ready)
## 使用方法
### 部署单个节点
```bash
cd /root/mgmt/nomad-configs
./scripts/deploy.sh warden
```
### 部署所有节点
```bash
for node in onecloud1 hcp1 influxdb1 ash3c ch4 warden browser; do
./scripts/deploy.sh $node
done
```
## 配置说明
- 基于warden的成功配置
- 只替换节点名和FQDN
- 保持配置一致性


@ -83,11 +83,11 @@ plugin "nomad-driver-podman" {
} }
consul { consul {
enabled = false address = "ch4.tailnet-68f9.ts.net:8500,ash3c.tailnet-68f9.ts.net:8500,warden.tailnet-68f9.ts.net:8500"
server_service_name = "nomad" server_service_name = "nomad"
client_service_name = "nomad-client" client_service_name = "nomad-client"
auto_advertise = true auto_advertise = true
server_auto_join = true server_auto_join = false
client_auto_join = true client_auto_join = true
} }
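Review bot: The new `address` value is a comma-separated list of three Consul endpoints, but Nomad's `consul.address` is a single `host:port` (the local agent by default), so the whole string is handed to the Consul client as one address and the connection will not work as intended. Point each Nomad agent at one Consul address — ideally a local agent at `127.0.0.1:8500`, or the node's own tailnet name — and let Consul handle cluster membership; the same list appears in the nested `consul` block of the onecloud1 node file in this commit. Since dropping `enabled = false` is the actual switch-on, a comment such as `# Consul integration on; a Consul agent must be reachable at this address` would make the intent explicit. The file this hunk belongs to is not named in this view.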


@ -0,0 +1,130 @@
datacenter = "dc1"
data_dir = "/opt/nomad/data"
plugin_dir = "/opt/nomad/plugins"
log_level = "INFO"
name = "onecloud1"
bind_addr = "onecloud1.tailnet-68f9.ts.net"
addresses {
http = "onecloud1.tailnet-68f9.ts.net"
rpc = "onecloud1.tailnet-68f9.ts.net"
serf = "onecloud1.tailnet-68f9.ts.net"
}
advertise {
http = "onecloud1.tailnet-68f9.ts.net:4646"
rpc = "onecloud1.tailnet-68f9.ts.net:4647"
serf = "onecloud1.tailnet-68f9.ts.net:4648"
}
ports {
http = 4646
rpc = 4647
serf = 4648
}
server {
enabled = true
bootstrap_expect = 3
server_join {
retry_join = [
"semaphore.tailnet-68f9.ts.net:4648",
"ash1d.tailnet-68f9.ts.net:4648",
"ash2e.tailnet-68f9.ts.net:4648",
"ch2.tailnet-68f9.ts.net:4648",
"ch3.tailnet-68f9.ts.net:4648",
"onecloud1.tailnet-68f9.ts.net:4648",
"de.tailnet-68f9.ts.net:4648",
"hcp1.tailnet-68f9.ts.net:4648"
]
}
}
client {
\nconsul {
address = "ch4.tailnet-68f9.ts.net:8500,ash3c.tailnet-68f9.ts.net:8500,warden.tailnet-68f9.ts.net:8500"
server_service_name = "nomad"
client_service_name = "nomad-client"
auto_advertise = true
server_auto_join = true
client_auto_join = true
}
enabled = true
network_interface = "tailscale0"
# 配置七仙女服务器地址使用完整FQDN
servers = [
"semaphore.tailnet-68f9.ts.net:4647",
"ash1d.tailnet-68f9.ts.net:4647",
"ash2e.tailnet-68f9.ts.net:4647",
"ch2.tailnet-68f9.ts.net:4647",
"ch3.tailnet-68f9.ts.net:4647",
"onecloud1.tailnet-68f9.ts.net:4647",
"de.tailnet-68f9.ts.net:4647"
]
# 配置host volumes
host_volume "fnsync" {
path = "/mnt/fnsync"
read_only = false
}
host_volume "vault-storage" {
path = "/opt/nomad/data/vault-storage"
read_only = false
}
# 禁用Docker驱动只使用Podman
options {
"driver.raw_exec.enable" = "1"
"driver.exec.enable" = "1"
}
# 配置节点元数据
meta {
consul = "true"
consul_version = "1.21.5"
consul_server = "true"
}
# 激进的垃圾清理策略
gc_interval = "5m"
gc_disk_usage_threshold = 80
gc_inode_usage_threshold = 70
}
plugin "nomad-driver-podman" {
config {
socket_path = "unix:///run/podman/podman.sock"
volumes {
enabled = true
}
}
}
consul {
enabled = false
server_service_name = "nomad"
client_service_name = "nomad-client"
auto_advertise = true
server_auto_join = true
client_auto_join = true
}
vault {
enabled = true
address = "http://master.tailnet-68f9.ts.net:8200,http://ash3c.tailnet-68f9.ts.net:8200,http://onecloud1.tailnet-68f9.ts.net:8200"
token = "hvs.A5Fu4E1oHyezJapVllKPFsWg"
create_from_role = "nomad-cluster"
tls_skip_verify = true
}
telemetry {
collection_interval = "1s"
disable_hostname = false
prometheus_metrics = true
publish_allocation_metrics = true
publish_node_metrics = true
}
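Review bot: The line `\nconsul {` inside the `client` block contains a literal backslash-n — it looks like the output of an `echo`/`sed` insertion that was never interpreted — which is not valid HCL, and it opens a `consul` block nested inside `client`, where Nomad does not accept one; a second top-level `consul { enabled = false … }` block further down then contradicts it. Nomad will almost certainly refuse to parse this file. Remove the nested block and keep the intended settings in the single top-level `consul` block. The `retry_join` list also includes the node's own `onecloud1.tailnet-68f9.ts.net:4648`, which is harmless but deserves a comment so it is not read as a copy-paste slip.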


@ -0,0 +1,13 @@
#!/bin/bash
# 清理所有节点的Nomad配置备份文件
NODES=("hcp1" "influxdb1" "ash3c" "ch4" "warden" "browser" "ash1d" "ash2e" "ch2" "ch3" "de" "semaphore" "onecloud1")
for NODE_NAME in "${NODES[@]}"; do
echo "清理节点 ${NODE_NAME} 的备份配置文件"
ssh ben@${NODE_NAME} "echo '3131' | sudo -S find /etc/nomad.d/ -name '*.bak' -o -name '*.backup' -o -name '*.~' -o -name '*.broken' | xargs -r sudo rm -f"
echo "节点 ${NODE_NAME} 清理完成"
echo "---"
done
echo "所有节点备份配置文件清理完成!"
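Review bot: In the remote pipeline only the first `sudo -S find` is fed a password; the trailing `xargs -r sudo rm -f` invokes a second `sudo` with nothing on stdin, so it succeeds only if a sudo timestamp happens to be cached for that session, which is unreliable over a non-interactive `ssh` without a tty. Run the whole command under one sudo, e.g. `sudo -S sh -c 'find /etc/nomad.d/ \( -name "*.bak" -o -name "*.backup" -o -name "*.~" -o -name "*.broken" \) -delete'`, or better drop the embedded password and reuse the cleanup playbook. `-name '*.~'` also matches a literal `.~` suffix rather than editor `~` backups.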


@ -0,0 +1,26 @@
#!/bin/bash
# 批量部署所有节点配置
# 用法: ./deploy-all.sh
NODES=("influxdb1" "ash3c" "ch4" "browser")
echo "开始批量部署Nomad配置..."
for node in "${NODES[@]}"; do
echo "部署配置到节点: $node"
# 下载配置文件
ssh ben@$node.tailnet-68f9.ts.net "curl -s 'https://gitea.tailnet-68f9.ts.net/ben/mgmt/raw/branch/main/nomad-configs/nodes/${node}.hcl' > /tmp/${node}.hcl && echo '3131' | sudo -S cp /tmp/${node}.hcl /etc/nomad.d/nomad.hcl"
# 创建必要的目录
ssh ben@$node.tailnet-68f9.ts.net "echo '3131' | sudo -S mkdir -p /opt/nomad/data/vault-storage"
# 重启Nomad服务
ssh ben@$node.tailnet-68f9.ts.net "echo '3131' | sudo -S systemctl restart nomad"
echo "节点 $node 部署完成"
echo "---"
done
echo "所有节点部署完成!"
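Review bot: `curl -s` without `-f` exits 0 on an HTTP error, so a 404 or a Gitea error page is written to `/tmp/${node}.hcl`, copied over `/etc/nomad.d/nomad.hcl` by the `&&` chain, and Nomad is then restarted against a broken config; the deploy-servers script has the same pattern. Use `curl -fsS` so a non-2xx response aborts the chain before the `cp`, and consider `nomad config validate /tmp/${node}.hcl` before copying. A `set -euo pipefail` at the top would also stop the loop at the first failed `ssh` instead of moving on to the next node.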

nomad-configs/scripts/deploy.sh Executable file

@ -0,0 +1,31 @@
#!/bin/bash
# Nomad配置部署脚本
# 用法: ./deploy.sh <node_name>
NODE_NAME=$1
NODE_FQDN="${NODE_NAME}.tailnet-68f9.ts.net"
if [ -z "$NODE_NAME" ]; then
echo "用法: $0 <node_name>"
echo "可用节点: onecloud1, hcp1, influxdb1, ash3c, ch4, warden, browser"
exit 1
fi
echo "部署配置到节点: $NODE_NAME ($NODE_FQDN)"
# 生成配置文件
sed "s/warden\.tailnet-68f9\.ts\.net/$NODE_FQDN/g" templates/nomad-client.hcl.j2 | \
sed "s/name = \"warden\"/name = \"$NODE_NAME\"/" > nodes/${NODE_NAME}.hcl
echo "配置文件已生成: nodes/${NODE_NAME}.hcl"
# 部署到节点
echo "部署到节点..."
ssh ben@$NODE_FQDN "echo '3131' | sudo -S tee /etc/nomad.d/nomad.hcl" < nodes/${NODE_NAME}.hcl
# 重启服务
echo "重启Nomad服务..."
ssh ben@$NODE_FQDN "echo '3131' | sudo -S systemctl restart nomad"
echo "部署完成!"
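Review bot: The first `sed` replaces every occurrence of `warden.tailnet-68f9.ts.net` in the template, not just the node identity fields, so the Vault `address` list (which legitimately names warden as a Vault server in the warden node file) is rewritten to the target node — the onecloud1 file in this commit shows `http://onecloud1.tailnet-68f9.ts.net:8200`, which is probably not a Vault server. Use a dedicated placeholder in the template (for example `__NODE_FQDN__`) for the fields that should vary, or restrict the substitution to the `bind_addr`, `addresses` and `advertise` lines. Quote `ssh ben@$NODE_FQDN` as `ssh "ben@$NODE_FQDN"` and add `set -euo pipefail` so a failed `sed` or `ssh` stops the script before the `systemctl restart nomad`.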


@ -0,0 +1,13 @@
#!/bin/bash
SERVERS=("ash1d" "ash2e" "ch2" "ch3" "de" "semaphore" "hcp1" "onecloud1")
REPO_URL="https://gitea.tailnet-68f9.ts.net/ben/mgmt/raw/branch/main/nomad-configs/servers"
for SERVER_NAME in "${SERVERS[@]}"; do
echo "部署服务器配置到: ${SERVER_NAME}"
ssh ben@${SERVER_NAME} "curl -s \"${REPO_URL}/${SERVER_NAME}.hcl\" > /tmp/${SERVER_NAME}.hcl && echo '3131' | sudo -S cp /tmp/${SERVER_NAME}.hcl /etc/nomad.d/nomad.hcl && echo '3131' | sudo -S systemctl restart nomad"
echo "服务器 ${SERVER_NAME} 部署完成"
echo "---"
done
echo "所有Nomad服务器配置部署完成"


@ -0,0 +1,108 @@
datacenter = "dc1"
data_dir = "/opt/nomad/data"
plugin_dir = "/opt/nomad/plugins"
log_level = "INFO"
name = "warden"
bind_addr = "warden.tailnet-68f9.ts.net"
addresses {
http = "warden.tailnet-68f9.ts.net"
rpc = "warden.tailnet-68f9.ts.net"
serf = "warden.tailnet-68f9.ts.net"
}
advertise {
http = "warden.tailnet-68f9.ts.net:4646"
rpc = "warden.tailnet-68f9.ts.net:4647"
serf = "warden.tailnet-68f9.ts.net:4648"
}
ports {
http = 4646
rpc = 4647
serf = 4648
}
server {
enabled = false
}
client {
enabled = true
network_interface = "tailscale0"
# 配置七仙女服务器地址使用完整FQDN
servers = [
"semaphore.tailnet-68f9.ts.net:4647",
"ash1d.tailnet-68f9.ts.net:4647",
"ash2e.tailnet-68f9.ts.net:4647",
"ch2.tailnet-68f9.ts.net:4647",
"ch3.tailnet-68f9.ts.net:4647",
"onecloud1.tailnet-68f9.ts.net:4647",
"de.tailnet-68f9.ts.net:4647"
]
# 配置host volumes
host_volume "fnsync" {
path = "/mnt/fnsync"
read_only = false
}
host_volume "vault-storage" {
path = "/opt/nomad/data/vault-storage"
read_only = false
}
# 禁用Docker驱动只使用Podman
options {
"driver.raw_exec.enable" = "1"
"driver.exec.enable" = "1"
}
# 配置节点元数据
meta {
consul = "true"
consul_version = "1.21.5"
consul_server = "true"
}
# 激进的垃圾清理策略
gc_interval = "5m"
gc_disk_usage_threshold = 80
gc_inode_usage_threshold = 70
}
plugin "nomad-driver-podman" {
config {
socket_path = "unix:///run/podman/podman.sock"
volumes {
enabled = true
}
}
}
consul {
enabled = false
server_service_name = "nomad"
client_service_name = "nomad-client"
auto_advertise = true
server_auto_join = true
client_auto_join = true
}
vault {
enabled = true
address = "http://master.tailnet-68f9.ts.net:8200,http://ash3c.tailnet-68f9.ts.net:8200,http://warden.tailnet-68f9.ts.net:8200"
token = "hvs.A5Fu4E1oHyezJapVllKPFsWg"
create_from_role = "nomad-cluster"
tls_skip_verify = true
}
telemetry {
collection_interval = "1s"
disable_hostname = false
prometheus_metrics = true
publish_allocation_metrics = true
publish_node_metrics = true
}
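Review bot: `token = "hvs.…"` in the `vault` block commits a live Vault token to the repository, and the same token appears in the onecloud1 node file; together with `tls_skip_verify = true` and plain `http://` Vault addresses, the integration has neither confidentiality nor server authentication. Keep the token out of the file — Nomad falls back to the `VAULT_TOKEN` environment variable when `token` is unset, so it can come from a systemd `EnvironmentFile` with mode 0600 — and revoke/rotate the committed one. Serving Vault over TLS (tailnet certificates are an option) would let `tls_skip_verify` be dropped.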


@ -0,0 +1,212 @@
job "consul-cluster-nomad" {
datacenters = ["dc1"]
type = "service"
group "consul-ch4" {
constraint {
attribute = "${node.unique.name}"
value = "ch4"
}
network {
port "http" {
static = 8500
}
port "server" {
static = 8300
}
port "serf-lan" {
static = 8301
}
port "serf-wan" {
static = 8302
}
}
task "consul" {
driver = "exec"
config {
command = "consul"
args = [
"agent",
"-server",
"-bootstrap-expect=3",
"-data-dir=/opt/nomad/data/consul",
"-client=0.0.0.0",
"-bind=100.117.106.136",
"-advertise=100.117.106.136",
"-retry-join=ash3c.tailnet-68f9.ts.net:8301",
"-retry-join=warden.tailnet-68f9.ts.net:8301",
"-retry-join=onecloud1.tailnet-68f9.ts.net:8301",
"-ui",
"-http-port=8500",
"-server-port=8300",
"-serf-lan-port=8301",
"-serf-wan-port=8302"
]
}
resources {
cpu = 300
memory = 512
}
}
}
group "consul-ash3c" {
constraint {
attribute = "${node.unique.name}"
value = "ash3c"
}
network {
port "http" {
static = 8500
}
port "server" {
static = 8300
}
port "serf-lan" {
static = 8301
}
port "serf-wan" {
static = 8302
}
}
task "consul" {
driver = "exec"
config {
command = "consul"
args = [
"agent",
"-server",
"-data-dir=/opt/nomad/data/consul",
"-client=0.0.0.0",
"-bind=100.116.80.94",
"-advertise=100.116.80.94",
"-retry-join=ch4.tailnet-68f9.ts.net:8301",
"-retry-join=warden.tailnet-68f9.ts.net:8301",
"-retry-join=onecloud1.tailnet-68f9.ts.net:8301",
"-ui",
"-http-port=8500",
"-server-port=8300",
"-serf-lan-port=8301",
"-serf-wan-port=8302"
]
}
resources {
cpu = 300
memory = 512
}
}
}
group "consul-warden" {
constraint {
attribute = "${node.unique.name}"
value = "warden"
}
network {
port "http" {
static = 8500
}
port "server" {
static = 8300
}
port "serf-lan" {
static = 8301
}
port "serf-wan" {
static = 8302
}
}
task "consul" {
driver = "exec"
config {
command = "consul"
args = [
"agent",
"-server",
"-data-dir=/opt/nomad/data/consul",
"-client=0.0.0.0",
"-bind=100.122.197.112",
"-advertise=100.122.197.112",
"-retry-join=ch4.tailnet-68f9.ts.net:8301",
"-retry-join=ash3c.tailnet-68f9.ts.net:8301",
"-retry-join=onecloud1.tailnet-68f9.ts.net:8301",
"-ui",
"-http-port=8500",
"-server-port=8300",
"-serf-lan-port=8301",
"-serf-wan-port=8302"
]
}
resources {
cpu = 300
memory = 512
}
}
}
group "consul-onecloud1" {
constraint {
attribute = "${node.unique.name}"
value = "onecloud1"
}
network {
port "http" {
static = 8500
}
port "server" {
static = 8300
}
port "serf-lan" {
static = 8301
}
port "serf-wan" {
static = 8302
}
}
task "consul" {
driver = "exec"
config {
command = "consul"
args = [
"agent",
"-server",
"-data-dir=/opt/nomad/data/consul",
"-client=0.0.0.0",
"-bind=100.98.209.50",
"-advertise=100.98.209.50",
"-retry-join=ch4.tailnet-68f9.ts.net:8301",
"-retry-join=ash3c.tailnet-68f9.ts.net:8301",
"-retry-join=warden.tailnet-68f9.ts.net:8301",
"-ui",
"-http-port=8500",
"-server-port=8300",
"-serf-lan-port=8301",
"-serf-wan-port=8302"
]
}
resources {
cpu = 300
memory = 512
}
}
}
}
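Review bot: Every server runs with `-client=0.0.0.0` and `-ui`, and no ACL, TLS or gossip-encryption flags appear in the args, so the HTTP API and UI are reachable unauthenticated on every interface of ch4, ash3c, warden and onecloud1, not only the tailnet. Binding the client to the Nomad-provided address, `"-client=${NOMAD_IP_http}"`, keeps it on the interface the client config selects, and the same interpolation can replace the hard-coded `-bind`/`-advertise` IPs. Under the `exec` driver `/opt/nomad/data/consul` is a path inside the task's chroot, so as far as I can tell the Raft data lives in the allocation directory and is lost when the allocation is replaced; a `host_volume` mount would make it persistent. Only the ch4 group sets `-bootstrap-expect=3` although four server groups are defined.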


@ -0,0 +1,249 @@
job "traefik-cloudflare-v3" {
datacenters = ["dc1"]
type = "service"
group "traefik" {
count = 1
constraint {
attribute = "${node.unique.name}"
value = "hcp1"
}
volume "traefik-certs" {
type = "host"
read_only = false
source = "traefik-certs"
}
network {
mode = "host"
port "http" {
static = 80
}
port "https" {
static = 443
}
port "traefik" {
static = 8080
}
}
task "traefik" {
driver = "exec"
config {
command = "/usr/local/bin/traefik"
args = [
"--configfile=/local/traefik.yml"
]
}
env {
CLOUDFLARE_EMAIL = "locksmithknight@gmail.com"
CLOUDFLARE_DNS_API_TOKEN = "0aPWoLaQ59l0nyL1jIVzZaEx2e41Gjgcfhn3ztJr"
CLOUDFLARE_ZONE_API_TOKEN = "0aPWoLaQ59l0nyL1jIVzZaEx2e41Gjgcfhn3ztJr"
}
volume_mount {
volume = "traefik-certs"
destination = "/opt/traefik/certs"
read_only = false
}
template {
data = <<EOF
api:
dashboard: true
insecure: true
entryPoints:
web:
address: "0.0.0.0:80"
http:
redirections:
entrypoint:
to: websecure
scheme: https
permanent: true
websecure:
address: "0.0.0.0:443"
traefik:
address: "0.0.0.0:8080"
providers:
consulCatalog:
endpoint:
address: "warden.tailnet-68f9.ts.net:8500"
scheme: "http"
watch: true
exposedByDefault: false
prefix: "traefik"
defaultRule: "Host(`{{ .Name }}.git-4ta.live`)"
file:
filename: /local/dynamic.yml
watch: true
certificatesResolvers:
cloudflare:
acme:
email: {{ env "CLOUDFLARE_EMAIL" }}
storage: /opt/traefik/certs/acme.json
dnsChallenge:
provider: cloudflare
delayBeforeCheck: 30s
log:
level: DEBUG
EOF
destination = "local/traefik.yml"
}
template {
data = <<EOF
http:
serversTransports:
waypoint-insecure:
insecureSkipVerify: true
authentik-insecure:
insecureSkipVerify: true
middlewares:
consul-stripprefix:
stripPrefix:
prefixes:
- "/consul"
waypoint-auth:
replacePathRegex:
regex: "^/auth/token(.*)$"
replacement: "/auth/token$1"
services:
consul-cluster:
loadBalancer:
servers:
- url: "http://ch4.tailnet-68f9.ts.net:8500" # 韩国Leader
- url: "http://warden.tailnet-68f9.ts.net:8500" # 北京Follower
- url: "http://ash3c.tailnet-68f9.ts.net:8500" # 美国Follower
healthCheck:
path: "/v1/status/leader"
interval: "30s"
timeout: "15s"
nomad-cluster:
loadBalancer:
servers:
- url: "http://ch2.tailnet-68f9.ts.net:4646" # 韩国Leader
- url: "http://ash3c.tailnet-68f9.ts.net:4646" # 美国Follower
healthCheck:
path: "/v1/status/leader"
interval: "30s"
timeout: "15s"
waypoint-cluster:
loadBalancer:
servers:
- url: "https://hcp1.tailnet-68f9.ts.net:9701" # hcp1 节点 HTTPS API
serversTransport: waypoint-insecure
vault-cluster:
loadBalancer:
servers:
- url: "http://warden.tailnet-68f9.ts.net:8200" # 北京,单节点
healthCheck:
path: "/ui/"
interval: "30s"
timeout: "15s"
authentik-cluster:
loadBalancer:
servers:
- url: "https://authentik.tailnet-68f9.ts.net:9443" # Authentik容器HTTPS端口
serversTransport: authentik-insecure
healthCheck:
path: "/flows/-/default/authentication/"
interval: "30s"
timeout: "15s"
routers:
consul-api:
rule: "Host(`consul.git-4ta.live`)"
service: consul-cluster
middlewares:
- consul-stripprefix
entryPoints:
- websecure
tls:
certResolver: cloudflare
traefik-dashboard:
rule: "Host(`traefik.git-4ta.live`)"
service: dashboard@internal
middlewares:
- dashboard_redirect@internal
- dashboard_stripprefix@internal
entryPoints:
- websecure
tls:
certResolver: cloudflare
traefik-api:
rule: "Host(`traefik.git-4ta.live`) && PathPrefix(`/api`)"
service: api@internal
entryPoints:
- websecure
tls:
certResolver: cloudflare
nomad-ui:
rule: "Host(`nomad.git-4ta.live`)"
service: nomad-cluster
entryPoints:
- websecure
tls:
certResolver: cloudflare
waypoint-ui:
rule: "Host(`waypoint.git-4ta.live`)"
service: waypoint-cluster
entryPoints:
- websecure
tls:
certResolver: cloudflare
vault-ui:
rule: "Host(`vault.git-4ta.live`)"
service: vault-cluster
entryPoints:
- websecure
tls:
certResolver: cloudflare
authentik-ui:
rule: "Host(`authentik1.git-4ta.live`)"
service: authentik-cluster
entryPoints:
- websecure
tls:
certResolver: cloudflare
EOF
destination = "local/dynamic.yml"
}
template {
data = <<EOF
CLOUDFLARE_EMAIL=locksmithknight@gmail.com
CLOUDFLARE_DNS_API_TOKEN=0aPWoLaQ59l0nyL1jIVzZaEx2e41Gjgcfhn3ztJr
CLOUDFLARE_ZONE_API_TOKEN=0aPWoLaQ59l0nyL1jIVzZaEx2e41Gjgcfhn3ztJr
EOF
destination = "local/cloudflare.env"
env = true
}
resources {
cpu = 500
memory = 512
}
}
}
}
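Review bot: The Cloudflare API tokens are hard-coded twice, in the `env` block and again in the `cloudflare.env` template, so a token with DNS write access for the zone is now in git history and in a job spec visible to anyone with Nomad read access. Source them in the existing template from Vault (`{{ with secret "…" }}`) or Nomad Variables (`{{ with nomadVar "…" }}`), delete the duplicate `env` block, and rotate the committed tokens. `api.insecure: true` on `traefik: address: "0.0.0.0:8080"` with `network.mode = "host"` also exposes the dashboard and API without authentication on every interface of hcp1; the `traefik-dashboard` and `traefik-api` routers already serve them over `websecure`, so `insecure` can be dropped and an auth middleware (`basicAuth` or `forwardAuth`) added to those routers.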


@ -0,0 +1,57 @@
job "waypoint-server" {
datacenters = ["dc1"]
type = "service"
group "waypoint" {
count = 1
volume "waypoint-data" {
type = "host"
read_only = false
source = "waypoint-data"
}
network {
port "http" {
static = 9701
}
port "grpc" {
static = 9702
}
}
task "waypoint" {
driver = "exec"
volume_mount {
volume = "waypoint-data"
destination = "/opt/waypoint"
read_only = false
}
config {
command = "/usr/local/bin/waypoint"
args = [
"server", "run",
"-accept-tos",
"-vvv",
"-db=/opt/waypoint/waypoint.db",
"-listen-grpc=0.0.0.0:9702",
"-listen-http=0.0.0.0:9701"
]
}
resources {
cpu = 500
memory = 512
}
env {
WAYPOINT_LOG_LEVEL = "DEBUG"
}
}
}
}
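Review bot: The listeners are hard-coded as `-listen-grpc=0.0.0.0:9702` and `-listen-http=0.0.0.0:9701` next to `network` port labels that declare the same static ports, so a change to one is not reflected in the other and the server accepts connections on every interface rather than the tailnet one. `"-listen-grpc=${NOMAD_ADDR_grpc}"` and `"-listen-http=${NOMAD_ADDR_http}"` derive both address and port from the port labels. `-vvv` and `WAYPOINT_LOG_LEVEL = "DEBUG"` both request debug logging; one of them is enough, and a comment should say whether this is meant to stay on in production.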

test-zsh-fix.sh Executable file

@ -0,0 +1,50 @@
#!/bin/bash
echo "=== 测试 warden 节点 zsh 修复结果 ==="
# 测试SSH连接
echo "1. 测试SSH连接..."
sshpass -p "3131" ssh -o ConnectTimeout=5 ben@100.122.197.112 "echo 'SSH连接正常'" || {
echo "❌ SSH连接失败"
exit 1
}
echo "✅ SSH连接正常"
# 测试zsh启动
echo "2. 测试zsh启动..."
sshpass -p "3131" ssh ben@100.122.197.112 "zsh -c 'echo \"zsh启动成功\"'" || {
echo "❌ zsh启动失败"
exit 1
}
echo "✅ zsh启动成功"
# 测试completion权限修复
echo "3. 测试completion权限修复..."
sshpass -p "3131" ssh ben@100.122.197.112 "echo 'y' | zsh -c 'echo \"completion测试通过\"'" || {
echo "❌ completion测试失败"
exit 1
}
echo "✅ completion测试通过"
# 测试默认shell设置
echo "4. 测试默认shell设置..."
DEFAULT_SHELL=$(sshpass -p "3131" ssh ben@100.122.197.112 "echo \$SHELL")
if [[ "$DEFAULT_SHELL" == *"zsh"* ]]; then
echo "✅ 默认shell已设置为: $DEFAULT_SHELL"
else
echo "⚠️ 默认shell仍为: $DEFAULT_SHELL"
fi
# 测试oh-my-zsh配置
echo "5. 测试oh-my-zsh配置..."
sshpass -p "3131" ssh ben@100.122.197.112 "zsh -c 'source ~/.zshrc && echo \"oh-my-zsh配置加载成功\"'" || {
echo "❌ oh-my-zsh配置加载失败"
exit 1
}
echo "✅ oh-my-zsh配置加载成功"
echo ""
echo "🎉 所有测试通过warden节点的zsh环境修复完成"
echo ""
echo "现在可以安全地使用: zsh"
echo "不再会出现 'insecure directories' 错误"
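Review bot: Step 3 is labelled a completion test, but the remote command only runs `echo` inside `zsh -c`, so it cannot fail on the `insecure directories` problem the script claims to verify; `zsh -c 'autoload -U compinit && compinit'` (the form the playbook itself uses) would actually exercise compaudit. `sshpass -p "…"` also places the password on the command line of six processes, where any local user can read it via `ps`; export it once as `SSHPASS` and call `sshpass -e`, or use SSH keys. The repeated `sshpass … ssh ben@100.122.197.112` prefix would read better as a small `remote()` function.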