111

deployment/ansible/templates/consul-client.hcl.j2

@@ -0,0 +1,62 @@
+# Consul Client Configuration for {{ inventory_hostname }}
+datacenter = "dc1"
+data_dir = "/opt/consul/data"
+log_level = "INFO"
+node_name = "{{ inventory_hostname }}"
+bind_addr = "{{ ansible_host }}"
+
+# Client mode (not server)
+server = false
+
+# Connect to Consul servers (指向三节点集群)
+retry_join = [
+{% for server in consul_servers %}
+  "{{ server }}"{% if not loop.last %},{% endif %}
+{% endfor %}
+]
+
+# Performance optimization
+performance {
+  raft_multiplier = 5
+}
+
+# Ports configuration
+ports {
+  grpc = 8502
+  http = 8500
+  dns = 8600
+}
+
+# Enable Connect for service mesh
+connect {
+  enabled = true
+}
+
+# Cache configuration for performance
+cache {
+  entry_fetch_max_burst = 42
+  entry_fetch_rate = 30
+}
+
+# Node metadata
+node_meta = {
+  region = "unknown"
+  zone = "nomad-{{ 'server' if 'server' in group_names else 'client' }}"
+}
+
+# UI disabled for clients
+ui_config {
+  enabled = false
+}
+
+# ACL configuration (if needed)
+acl = {
+  enabled = false
+  default_policy = "allow"
+}
+
+# Logging
+log_file = "/var/log/consul/consul.log"
+log_rotate_duration = "24h"
+log_rotate_max_files = 7
+

deployment/ansible/templates/nomad-client.hcl

@@ -49,6 +49,11 @@ client {
     read_only = false
   }
   
+  host_volume "vault-storage" {
+    path = "/opt/nomad/data/vault-storage"
+    read_only = false
+  }
+  
   # 禁用Docker驱动，只使用Podman
   options {
     "driver.raw_exec.enable" = "1"

deployment/ansible/templates/nomad-server.hcl.j2

@@ -2,20 +2,20 @@ datacenter = "dc1"
 data_dir = "/opt/nomad/data"
 plugin_dir = "/opt/nomad/plugins"
 log_level = "INFO"
-name = "{{ server_name }}"
+name = "{{ ansible_hostname }}"
 
-bind_addr = "{{ server_name }}.tailnet-68f9.ts.net"
+bind_addr = "0.0.0.0"
 
 addresses {
-  http = "{{ server_name }}.tailnet-68f9.ts.net"
-  rpc  = "{{ server_name }}.tailnet-68f9.ts.net"
-  serf = "{{ server_name }}.tailnet-68f9.ts.net"
+  http = "{{ ansible_host }}"
+  rpc  = "{{ ansible_host }}"
+  serf = "{{ ansible_host }}"
 }
 
 advertise {
-  http = "{{ server_name }}.tailnet-68f9.ts.net:4646"
-  rpc  = "{{ server_name }}.tailnet-68f9.ts.net:4647"
-  serf = "{{ server_name }}.tailnet-68f9.ts.net:4648"
+  http = "{{ ansible_host }}:4646"
+  rpc  = "{{ ansible_host }}:4647"
+  serf = "{{ ansible_host }}:4648"
 }
 
 ports {
@@ -26,18 +26,56 @@ ports {
 
 server {
   enabled = true
-  bootstrap_expect = 7
-  retry_join = [
-    {%- for server in groups['nomad_servers'] -%}
-    {%- if server != inventory_hostname -%}
-    "{{ server }}.tailnet-68f9.ts.net"{% if not loop.last %},{% endif %}
-    {%- endif -%}
-    {%- endfor -%}
-  ]
+  bootstrap_expect = 3
+  server_join {
+    retry_join = [
+      "semaphore.tailnet-68f9.ts.net:4648",
+      "ash1d.tailnet-68f9.ts.net:4648", 
+      "ash2e.tailnet-68f9.ts.net:4648",
+      "ch2.tailnet-68f9.ts.net:4648",
+      "ch3.tailnet-68f9.ts.net:4648",
+      "onecloud1.tailnet-68f9.ts.net:4648",
+      "de.tailnet-68f9.ts.net:4648",
+      "hcp1.tailnet-68f9.ts.net:4648"
+    ]
+  }
 }
 
+{% if ansible_hostname == 'hcp1' %}
 client {
-  enabled = false
+  enabled = true
+  network_interface = "tailscale0"
+  
+  servers = [
+    "semaphore.tailnet-68f9.ts.net:4647",
+    "ash1d.tailnet-68f9.ts.net:4647",
+    "ash2e.tailnet-68f9.ts.net:4647",
+    "ch2.tailnet-68f9.ts.net:4647",
+    "ch3.tailnet-68f9.ts.net:4647",
+    "onecloud1.tailnet-68f9.ts.net:4647",
+    "de.tailnet-68f9.ts.net:4647",
+    "hcp1.tailnet-68f9.ts.net:4647"
+  ]
+  
+  host_volume "traefik-certs" {
+    path      = "/opt/traefik/certs"
+    read_only = false
+  }
+  
+  host_volume "fnsync" {
+    path = "/mnt/fnsync"
+    read_only = false
+  }
+  
+  meta {
+    consul = "true"
+    consul_version = "1.21.5"
+    consul_client = "true"
+  }
+  
+  gc_interval = "5m"
+  gc_disk_usage_threshold = 80
+  gc_inode_usage_threshold = 70
 }
 
 plugin "nomad-driver-podman" {
@@ -48,20 +86,21 @@ plugin "nomad-driver-podman" {
     }
   }
 }
+{% endif %}
 
 consul {
-  address = "master.tailnet-68f9.ts.net:8500,ash3c.tailnet-68f9.ts.net:8500,warden.tailnet-68f9.ts.net:8500"
+  address = "ch4.tailnet-68f9.ts.net:8500,ash3c.tailnet-68f9.ts.net:8500,warden.tailnet-68f9.ts.net:8500"
   server_service_name = "nomad"
   client_service_name = "nomad-client"
   auto_advertise = true
-  server_auto_join = true
+  server_auto_join = false
   client_auto_join = true
 }
 
-vault {
-  enabled = true
-  address = "http://master.tailnet-68f9.ts.net:8200,http://ash3c.tailnet-68f9.ts.net:8200,http://warden.tailnet-68f9.ts.net:8200"
-  token = "hvs.A5Fu4E1oHyezJapVllKPFsWg"
-  create_from_role = "nomad-cluster"
-  tls_skip_verify = true
+telemetry {
+  collection_interval = "1s"
+  disable_hostname = false
+  prometheus_metrics = true
+  publish_allocation_metrics = true
+  publish_node_metrics = true
 }

deployment/ansible/templates/nomad-unified.hcl.j2

@@ -64,7 +64,7 @@ plugin "nomad-driver-podman" {
 }
 
 consul {
-  address = "master.tailnet-68f9.ts.net:8500,ash3c.tailnet-68f9.ts.net:8500,warden.tailnet-68f9.ts.net:8500"
+  address = "ch4.tailnet-68f9.ts.net:8500,ash3c.tailnet-68f9.ts.net:8500,warden.tailnet-68f9.ts.net:8500"
   server_service_name = "nomad"
   client_service_name = "nomad-client"
   auto_advertise = true
@@ -74,7 +74,7 @@ consul {
 
 vault {
   enabled = true
-  address = "http://master.tailnet-68f9.ts.net:8200,http://ash3c.tailnet-68f9.ts.net:8200,http://warden.tailnet-68f9.ts.net:8200"
+  address = "http://ch4.tailnet-68f9.ts.net:8200,http://ash3c.tailnet-68f9.ts.net:8200,http://warden.tailnet-68f9.ts.net:8200"
   token = "hvs.A5Fu4E1oHyezJapVllKPFsWg"
   create_from_role = "nomad-cluster"
   tls_skip_verify = true

deployment/ansible/templates/vault.hcl.j2

@@ -0,0 +1,45 @@
+# Vault Configuration for {{ inventory_hostname }}
+
+# Storage backend - Consul
+storage "consul" {
+  address = "127.0.0.1:8500"
+  path    = "vault/"
+  
+  # Consul datacenter
+  datacenter = "{{ vault_datacenter }}"
+  
+  # Service registration
+  service = "vault"
+  service_tags = "vault-server"
+  
+  # Session TTL
+  session_ttl = "15s"
+  lock_wait_time = "15s"
+}
+
+# Listener configuration
+listener "tcp" {
+  address     = "0.0.0.0:8200"
+  tls_disable = 1
+}
+
+# API address - 使用Tailscale网络地址
+api_addr = "http://{{ ansible_host }}:8200"
+
+# Cluster address - 使用Tailscale网络地址  
+cluster_addr = "http://{{ ansible_host }}:8201"
+
+# UI
+ui = true
+
+# Cluster name
+cluster_name = "{{ vault_cluster_name }}"
+
+# Disable mlock for development (remove in production)
+disable_mlock = true
+
+# Log level
+log_level = "INFO"
+
+# Plugin directory
+plugin_directory = "/opt/vault/plugins"

deployment/ansible/templates/vault.service.j2

@@ -0,0 +1,34 @@
+[Unit]
+Description=Vault
+Documentation=https://www.vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty=/etc/vault.d/vault.hcl
+StartLimitIntervalSec=60
+StartLimitBurst=3
+
+[Service]
+Type=notify
+User=vault
+Group=vault
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+NoNewPrivileges=yes
+ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+StartLimitInterval=60
+StartLimitBurst=3
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target