acme-to-vault/acme-to-vault.nomad.hcl

[[ $c := merge .acme . -]]

job "[[ .instance ]]" {
  type = "[[ if ne "" .acme.cron ]]service[[ else ]]batch[[ end ]]"

[[ template "common/job_start" $c ]]

  group "acme-to-vault" {

    network {
      mode = "bridge"
    }

    ephemeral_disk {
      size = 101
    }

    service {
      name = "[[ .instance ]][[ .consul.suffix ]]"
      port = 8787

[[ template "common/connect" $c ]]

      tags = [
[[ template "common/traefik_tags" $c ]]
      ]
    }

    task "acme-to-vault" {
      driver = "[[ $c.nomad.driver ]]"
      user   = 8787

      config {
[[ template "common/image" $c ]]
        pids_limit      = 50
[[ template "common/tmpfs" dict "target" "/data" "size" "10000000" ]]
      }

      vault {
        policies = ["[[ .instance ]][[ .consul.suffix ]]"]
      }

[[ template "common/file_env" $c ]]

      template {
        data =<<_EOT
[[- if has .acme.vault "service_name" ]]
VAULT_ADDR=http://localhost:8200
[[- else ]]
VAULT_ADDR=[[ .acme.vault.addr ]]
[[- end ]]
[[- if ne .acme.cron "" ]]
MINIT_MAIN_KIND=cron
MINIT_MAIN_CRON=[[ .acme.cron ]]
MINIT_MAIN_IMMEDIATE=true
[[- else ]]
MINIT_MAIN_KIND=once
[[- end ]]
ACME_KV_ACCOUNT_ROOT=[[ .acme.vault.kv_account_root ]]
[[- range $acc_idx, $account := .acme.accounts ]]
ACME_[[ $acc_idx ]]_CA=[[ $account.ca ]]
ACME_[[ $acc_idx ]]_EMAIL=[[ $account.email ]]
ACME_[[ $acc_idx ]]_KV_CERT_ROOT=[[ $account.kv_cert_root ]]
  [[- if has $account "challenge" ]]
ACME_[[ $acc_idx ]]_CHALLENGE=[[ $account.challenge ]]
    [[- if eq $account.challenge "dns-01" ]]
ACME_[[ $acc_idx ]]_DNS_PROVIDER=[[ $account.dns_provider ]]
ACME_[[ $acc_idx ]]_DNS_KEY_ENV=[[ $account.dns_key_env ]]
ACME_[[ $acc_idx ]]_DNS_KEY_VALUE=[[ $account.dns_key_value ]]
    [[- if has $account "dns_resolvers" ]]
ACME_[[ $acc_idx ]]_DNS_RESOLVERS=[[ join $account.dns_resolvers "," ]]
    [[- end ]]
  [[- else ]]
ACME_[[ $acc_idx ]]_CHALLENGE=http-01
    [[- end ]]
  [[- end ]]
  [[- if has $account "key_type" ]]
ACME_[[ $acc_idx ]]_KEY_TYPE=[[ $account.key_type ]]
  [[- end ]]
  [[- range $crt_idx, $crt := $account.certs ]]
ACME_[[ $acc_idx ]]_CERT_[[ $crt_idx ]]=[[ $crt ]]
  [[- end ]]
[[- end ]]
_EOT
        destination = "secrets/acme-to-vault.env"
        perms       = 0400
        env         = true
      }

[[ template "common/resources" $c ]]
    }
  }
}

# vim: syntax=hcl
Cleanup, no feature change 2023-10-08 16:12:19 +02:00			`[[ $c := merge .acme . -]]`
Import job 2023-08-21 17:24:33 +02:00
Use minit as task manager, cleanup, do not save account in vault each time 2024-01-17 23:13:54 +01:00			`job "[[ .instance ]]" {`
Cleanup, no feature change 2023-10-08 16:12:19 +02:00			`type = "[[ if ne "" .acme.cron ]]service[[ else ]]batch[[ end ]]"`

Use minit as task manager, cleanup, do not save account in vault each time 2024-01-17 23:13:54 +01:00			`[[ template "common/job_start" $c ]]`
Use job_start and set entrypoints from the variables 2023-08-25 00:22:42 +02:00
Import job 2023-08-21 17:24:33 +02:00			`group "acme-to-vault" {`

			`network {`
			`mode = "bridge"`
			`}`

Use readonly_rootfs and reduced ephemeral_disk 2023-09-12 00:09:27 +02:00			`ephemeral_disk {`
			`size = 101`
			`}`

Import job 2023-08-21 17:24:33 +02:00			`service {`
Move instance var to the root 2023-12-21 22:10:31 +01:00			`name = "[[ .instance ]][[ .consul.suffix ]]"`
Import job 2023-08-21 17:24:33 +02:00			`port = 8787`

Use minit as task manager, cleanup, do not save account in vault each time 2024-01-17 23:13:54 +01:00			`[[ template "common/connect" $c ]]`
Import job 2023-08-21 17:24:33 +02:00
			`tags = [`
Use new traefik_tags template 2024-01-26 23:28:03 +01:00			`[[ template "common/traefik_tags" $c ]]`
Import job 2023-08-21 17:24:33 +02:00			`]`
			`}`

Make the image usable in single user, and store in /data 2023-11-15 12:26:36 +01:00			`task "acme-to-vault" {`
Use minit as task manager, cleanup, do not save account in vault each time 2024-01-17 23:13:54 +01:00			`driver = "[[ $c.nomad.driver ]]"`
Make the image usable in single user, and store in /data 2023-11-15 12:26:36 +01:00			`user = 8787`
Import job 2023-08-21 17:24:33 +02:00
			`config {`
Use the new image template 2024-04-04 13:17:25 +02:00			`[[ template "common/image" $c ]]`
Use minit as task manager, cleanup, do not save account in vault each time 2024-01-17 23:13:54 +01:00			`pids_limit = 50`
Cleanup 2023-12-20 21:43:02 +01:00			`[[ template "common/tmpfs" dict "target" "/data" "size" "10000000" ]]`
Import job 2023-08-21 17:24:33 +02:00			`}`

			`vault {`
Move instance var to the root 2023-12-21 22:10:31 +01:00			`policies = ["[[ .instance ]][[ .consul.suffix ]]"]`
Import job 2023-08-21 17:24:33 +02:00			`}`

Small cleanup 2024-01-17 16:51:47 +01:00			`[[ template "common/file_env" $c ]]`
Use a template block so we can fetch values from vault 2023-10-16 13:33:52 +02:00
			`template {`
			`data =<<_EOT`
			`[[- if has .acme.vault "service_name" ]]`
			`VAULT_ADDR=http://localhost:8200`
			`[[- else ]]`
			`VAULT_ADDR=[[ .acme.vault.addr ]]`
			`[[- end ]]`
Use minit as task manager, cleanup, do not save account in vault each time 2024-01-17 23:13:54 +01:00			`[[- if ne .acme.cron "" ]]`
			`MINIT_MAIN_KIND=cron`
			`MINIT_MAIN_CRON=[[ .acme.cron ]]`
			`MINIT_MAIN_IMMEDIATE=true`
			`[[- else ]]`
			`MINIT_MAIN_KIND=once`
			`[[- end ]]`
Use a template block so we can fetch values from vault 2023-10-16 13:33:52 +02:00			`ACME_KV_ACCOUNT_ROOT=[[ .acme.vault.kv_account_root ]]`
			`[[- range $acc_idx, $account := .acme.accounts ]]`
			`ACME_[[ $acc_idx ]]_CA=[[ $account.ca ]]`
			`ACME_[[ $acc_idx ]]_EMAIL=[[ $account.email ]]`
			`ACME_[[ $acc_idx ]]_KV_CERT_ROOT=[[ $account.kv_cert_root ]]`
			`[[- if has $account "challenge" ]]`
			`ACME_[[ $acc_idx ]]_CHALLENGE=[[ $account.challenge ]]`
			`[[- if eq $account.challenge "dns-01" ]]`
			`ACME_[[ $acc_idx ]]_DNS_PROVIDER=[[ $account.dns_provider ]]`
			`ACME_[[ $acc_idx ]]_DNS_KEY_ENV=[[ $account.dns_key_env ]]`
			`ACME_[[ $acc_idx ]]_DNS_KEY_VALUE=[[ $account.dns_key_value ]]`
Update rendered example 2024-03-05 14:42:27 +01:00			`[[- if has $account "dns_resolvers" ]]`
Use a template block so we can fetch values from vault 2023-10-16 13:33:52 +02:00			`ACME_[[ $acc_idx ]]_DNS_RESOLVERS=[[ join $account.dns_resolvers "," ]]`
			`[[- end ]]`
			`[[- else ]]`
			`ACME_[[ $acc_idx ]]_CHALLENGE=http-01`
			`[[- end ]]`
			`[[- end ]]`
			`[[- if has $account "key_type" ]]`
			`ACME_[[ $acc_idx ]]_KEY_TYPE=[[ $account.key_type ]]`
			`[[- end ]]`
			`[[- range $crt_idx, $crt := $account.certs ]]`
			`ACME_[[ $acc_idx ]]_CERT_[[ $crt_idx ]]=[[ $crt ]]`
			`[[- end ]]`
			`[[- end ]]`
			`_EOT`
Update rendered example 2024-03-05 14:42:27 +01:00			`destination = "secrets/acme-to-vault.env"`
Small cleanup 2024-01-17 16:51:47 +01:00			`perms = 0400`
			`env = true`
Import job 2023-08-21 17:24:33 +02:00			`}`

Small cleanup 2024-01-17 16:51:47 +01:00			`[[ template "common/resources" $c ]]`
Import job 2023-08-21 17:24:33 +02:00			`}`
			`}`
			`}`

			`# vim: syntax=hcl`