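# Nomad job: runs the acme-to-vault container on a daily cron schedule and
# exposes it through Consul Connect + Traefik so that ACME HTTP-01 challenge
# requests (/.well-known/acme-challenge/) reach it. Hardening applied to the
# task: read-only root filesystem, pid limit, non-root user, bounded tmpfs,
# and 0400 permissions on the rendered env files.
job "acme-to-vault" {
  type        = "service"
  datacenters = ["dc1"]
  region      = "global"

  group "acme-to-vault" {
    network {
      mode = "bridge"
    }

    # Size is in MB.
    ephemeral_disk {
      size = 101
    }

    service {
      name = "acme-to-vault"
      port = 8787

      connect {
        sidecar_service {}

        sidecar_task {
          config {
            args = [
              "-c",
              "${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
              "-l",
              "${meta.connect.log_level}",
              "--concurrency",
              "${meta.connect.proxy_concurrency}",
              "--disable-hot-restart",
            ]
          }

          resources {
            cpu    = 50
            memory = 64
          }
        }
      }

      # Traefik routing. The PathPrefix alternative (combined with the high
      # priority) intercepts ACME challenge requests for every host, not just
      # `fake-acme-host`, so any other router serving that path is shadowed —
      # presumably intended, confirm. The standard rate-limit / in-flight
      # middlewares bound how much unauthenticated traffic this path accepts.
      tags = [
        "traefik.enable=true",
        "traefik.http.routers.acme-to-vault.entrypoints=http,https",
        "traefik.http.routers.acme-to-vault.priority=2000",
        "traefik.http.routers.acme-to-vault.rule=Host(`fake-acme-host`) || PathPrefix(`/.well-known/acme-challenge/`)",
        "traefik.http.routers.acme-to-vault.middlewares=rate-limit-std@file,inflight-std@file,hsts@file,compression@file",
      ]
    }

    task "acme-to-vault" {
      driver = "docker"
      # Run as an unprivileged uid (documented type is string).
      user = "8787"

      config {
        image           = "danielberteaud/acme-to-vault:24.3-1"
        readonly_rootfs = true
        pids_limit      = 50

        # Only writable location; size is in bytes (~10 MB).
        mount {
          type   = "tmpfs"
          target = "/data"
          tmpfs_options {
            size = 10000000
          }
        }
      }

      vault {
        policies = ["acme-to-vault"]
      }

      # Use a template block instead of env {} so we can fetch values from vault
      # (the data below is currently static; no vault lookups are rendered here).
      # perms is documented as a string and parsed as octal by Nomad, so "0400"
      # is used consistently for both env files.
      template {
        data        = <<_EOT
LANG=fr_FR.utf8
LEGO_DISABLE_CNAME_SUPPORT=true
TZ=Europe/Paris
_EOT
        destination = "secrets/.env"
        perms       = "0400"
        env         = true
      }

      # NOTE(review): VAULT_ADDR is plain HTTP. In bridge mode "localhost" is
      # the task's network namespace, so confirm what listens on 127.0.0.1:8200
      # there (e.g. a local Vault agent/proxy); if the request actually leaves
      # the host, the Vault token travels in clear and this should be https.
      template {
        data        = <<_EOT
VAULT_ADDR=http://localhost:8200
MINIT_MAIN_KIND=cron
MINIT_MAIN_CRON=22 0 * * *
MINIT_MAIN_IMMEDIATE=true
ACME_KV_ACCOUNT_ROOT=kv/service/acme-to-vault/account
_EOT
        destination = "secrets/acme-to-vault.env"
        perms       = "0400"
        env         = true
      }

      resources {
        cpu        = 10
        memory     = 100
        memory_max = 160
      }
    }
  }
}

# vim: syntax=hcl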