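---
# NOTE(review): the indentation below was reconstructed from a flattened copy
# of this file, in which everything after the first '#' was a single comment.
# Confirm the nesting against the job templates, in particular that
# kv_account_root belongs under vault and that accounts belongs under acme.

# The name of the Nomad job
instance: acme-to-vault

acme:
  # The Docker image to use
  image: '[[ .docker.repo ]]acme-to-vault:24.5-1'

  # If a cron expression is defined, the service will stay running and renew certs.
  # If an empty string, the container will exit after running once
  # (quoted so the value is always read as a plain string)
  cron: '22 0 * * *'

  # Resource allocation
  resources:
    cpu: 10
    memory: 100
    memory_max: 160

  # Vault related settings
  vault:
    # Plain HTTP: the Vault token and the secrets written to the KV store travel
    # unencrypted. That is only acceptable while this stays a loopback address;
    # use an https:// URL for any address that leaves the host.
    addr: http://localhost:8200
    # The root in the KV store where the ACME account key and metadata will be stored
    kv_account_root: kv/service/acme-to-vault/account

  # Additional env
  env:
    # YAML reads this value as a boolean, not the string "true".
    # NOTE(review): presumably the template renders it as text for the
    # container environment - confirm, and quote it if a string is required.
    LEGO_DISABLE_CNAME_SUPPORT: true

  traefik:
    # We use a fake host rule (which will never match) so Traefik won't complain
    # about a rule with no Host.
    # The PathPrefix branch therefore matches on every hostname: any request under
    # /.well-known/acme-challenge/ on the entrypoints below is routed to this job.
    rule: 'Host(`fake-acme-host`) || PathPrefix(`/.well-known/acme-challenge/`)'
    # List of entrypoints where the http-01 challenges will be exposed
    entrypoints:
      - http
      - https
    # csp and the proxy/proto/security middlewares are switched off for this route
    csp: false
    middlewares:
      proxy: false
      proto: false
      security: false
    # NOTE(review): presumably set high so this route wins over the other
    # routers' rules - confirm against the Traefik configuration
    priority: 2000
    auto_rule: false

  # No account is configured by default; see the commented example below
  accounts: []
  # accounts:
  #   - ca: https://acme-staging-v02.api.letsencrypt.org/directory
  #     email: infra@lapiole.org
  #     kv_cert_root: kv/service/traefik/certs
  #     key_type: rsa4096
  #     certs:
  #       - test.lapiole.org,foobar.lapiole.org
  #       - audio.lapiole.org
  #       - rpms.lapiole.org
  #   - ca: https://acme-v02.api.letsencrypt.org/directory
  #     challenge: dns-01
  #     dns_provider: gandiv5
  #     dns_resolvers:
  #       - 1.1.1.1
  #       - 8.8.8.8
  #     dns_key_env: GANDIV5_API_KEY
  #     # dns_key_value is the DNS provider API credential (XXXXXXX is a
  #     # placeholder). A real key set here is stored in clear text in this
  #     # variables file; NOTE(review): check whether the templates can read it
  #     # from Vault instead.
  #     dns_key_value: XXXXXXX
  #     kv_cert_root: kv/service/postgres/ssl
  #     certs:
  #       - postgres.example.org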