2024-01-05 12:12:47 +01:00
|
|
|
job "acme-to-vault" {
|
2024-01-17 23:13:54 +01:00
|
|
|
type = "service"
|
|
|
|
|
|
|
|
|
|
|
2024-01-05 12:12:47 +01:00
|
|
|
datacenters = ["dc1"]
|
2024-02-18 21:52:07 +01:00
|
|
|
region = "global"
|
2024-01-05 12:12:47 +01:00
|
|
|
|
|
|
|
|
|
2024-03-28 23:07:51 +01:00
|
|
|
|
|
|
|
|
|
2024-01-05 12:12:47 +01:00
|
|
|
group "acme-to-vault" {
|
|
|
|
|
|
|
|
|
|
network {
|
|
|
|
|
mode = "bridge"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ephemeral_disk {
|
|
|
|
|
size = 101
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
service {
|
|
|
|
|
name = "acme-to-vault"
|
|
|
|
|
port = 8787
|
|
|
|
|
|
|
|
|
|
connect {
|
|
|
|
|
sidecar_service {
|
|
|
|
|
}
|
|
|
|
|
sidecar_task {
|
2024-01-26 22:19:53 +01:00
|
|
|
config {
|
|
|
|
|
args = [
|
|
|
|
|
"-c",
|
|
|
|
|
"${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
|
|
|
|
|
"-l",
|
|
|
|
|
"${meta.connect.log_level}",
|
|
|
|
|
"--concurrency",
|
|
|
|
|
"${meta.connect.proxy_concurrency}",
|
|
|
|
|
"--disable-hot-restart"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-05 12:12:47 +01:00
|
|
|
resources {
|
|
|
|
|
cpu = 50
|
|
|
|
|
memory = 64
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
tags = [
|
2024-01-26 23:28:03 +01:00
|
|
|
|
|
|
|
|
"traefik.enable=true",
|
2024-01-05 12:12:47 +01:00
|
|
|
"traefik.http.routers.acme-to-vault.entrypoints=http,https",
|
2024-01-26 23:28:03 +01:00
|
|
|
"traefik.http.routers.acme-to-vault.priority=2000",
|
2024-01-29 11:35:30 +01:00
|
|
|
"traefik.http.routers.acme-to-vault.rule=Host(`fake-acme-host`) || PathPrefix(`/.well-known/acme-challenge/`)",
|
2024-02-13 15:27:40 +01:00
|
|
|
"traefik.http.routers.acme-to-vault.middlewares=rate-limit-std@file,inflight-std@file,hsts@file,compression@file",
|
2024-01-26 23:28:03 +01:00
|
|
|
|
2024-01-05 12:12:47 +01:00
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
task "acme-to-vault" {
|
|
|
|
|
driver = "docker"
|
|
|
|
|
user = 8787
|
|
|
|
|
|
|
|
|
|
config {
|
2024-03-04 23:15:19 +01:00
|
|
|
image = "danielberteaud/acme-to-vault:24.3-1"
|
2024-01-05 12:12:47 +01:00
|
|
|
readonly_rootfs = true
|
2024-01-17 23:13:54 +01:00
|
|
|
pids_limit = 50
|
2024-01-05 12:12:47 +01:00
|
|
|
mount {
|
|
|
|
|
type = "tmpfs"
|
|
|
|
|
target = "/data"
|
|
|
|
|
tmpfs_options {
|
|
|
|
|
size = 10000000
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
vault {
|
|
|
|
|
policies = ["acme-to-vault"]
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-23 22:12:56 +01:00
|
|
|
|
|
|
|
|
|
2024-01-05 12:12:47 +01:00
|
|
|
# Use a template block instead of env {} so we can fetch values from vault
|
|
|
|
|
template {
|
|
|
|
|
data = <<_EOT
|
|
|
|
|
LANG=fr_FR.utf8
|
|
|
|
|
LEGO_DISABLE_CNAME_SUPPORT=true
|
|
|
|
|
TZ=Europe/Paris
|
|
|
|
|
_EOT
|
|
|
|
|
destination = "secrets/.env"
|
|
|
|
|
perms = 400
|
|
|
|
|
env = true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
template {
|
|
|
|
|
data = <<_EOT
|
|
|
|
|
VAULT_ADDR=http://localhost:8200
|
2024-01-17 23:13:54 +01:00
|
|
|
MINIT_MAIN_KIND=cron
|
|
|
|
|
MINIT_MAIN_CRON=22 0 * * *
|
|
|
|
|
MINIT_MAIN_IMMEDIATE=true
|
2024-01-05 12:12:47 +01:00
|
|
|
ACME_KV_ACCOUNT_ROOT=kv/service/acme-to-vault/account
|
|
|
|
|
_EOT
|
2024-03-05 14:42:27 +01:00
|
|
|
destination = "secrets/acme-to-vault.env"
|
2024-01-05 12:12:47 +01:00
|
|
|
perms = 0400
|
|
|
|
|
env = true
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-26 22:19:53 +01:00
|
|
|
|
2024-01-05 12:12:47 +01:00
|
|
|
resources {
|
2024-01-13 14:35:41 +01:00
|
|
|
cpu = 10
|
2024-01-17 23:13:54 +01:00
|
|
|
memory = 100
|
|
|
|
|
memory_max = 160
|
2024-01-05 12:12:47 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# vim: syntax=hcl
|
