# Nomad job specification for the "acme-to-vault" task.
# The file is first rendered by a Go-style template engine whose actions use
# double-square-bracket delimiters (.instance, .acme, .consul and .nomad are
# deploy-time variables; "common/..." are shared partials defined elsewhere
# and not visible in this file), and only the rendered result is parsed as HCL.

# $c: .acme merged with the top-level context. Presumably sprig "merge"
# semantics (keys already present in .acme take precedence) — confirm against
# the template engine in use.
[[ $c := merge .acme . -]]

job "[[ .instance ]]" {

  # A long-running "service" job when a cron expression is configured,
  # otherwise a one-shot "batch" job.
  type = "[[ if ne "" .acme.cron ]]service[[ else ]]batch[[ end ]]"

  # Job-level settings shared across jobs (partial contents not shown here).
  [[ template "common/job_start" $c ]]

  group "acme-to-vault" {

    network {
      # Bridge networking gives the task its own network namespace;
      # presumably required by the Connect stanza emitted by common/connect.
      mode = "bridge"
    }

    ephemeral_disk {
      # Scratch space for the allocation; Nomad interprets the size in MB.
      size = 101
    }

    service {
      # Consul service name: instance name plus the configured suffix.
      name = "[[ .instance ]][[ .consul.suffix ]]"
      port = 8787

      # Consul Connect configuration (shared partial).
      [[ template "common/connect" $c ]]

      tags = [
        # Traefik routing tags (shared partial).
        [[ template "common/traefik_tags" $c ]]
      ]
    }

    task "acme-to-vault" {
      driver = "[[ $c.nomad.driver ]]"
      # Run unprivileged as uid 8787 (numerically equal to the service port
      # above, but the two values are unrelated).
      user = 8787

      config {
        # Container image selection (shared partial).
        [[ template "common/image" $c ]]
        # Cap on the number of processes inside the container.
        pids_limit = 50
        # Writable scratch mount at /data; "size" is passed as a plain string —
        # confirm the unit common/tmpfs expects (looks like bytes).
        [[ template "common/tmpfs" dict "target" "/data" "size" "10000000" ]]
      }

      vault {
        # The task's Vault token is issued with a policy named after the
        # instance plus suffix; that policy must exist in Vault.
        policies = ["[[ .instance ]][[ .consul.suffix ]]"]
      }

      # Environment loaded from a file (shared partial).
      [[ template "common/file_env" $c ]]

      # Environment file rendered at deploy time. Inside the heredoc the "-"
      # trim markers remove the newline in front of each action so that
      # untaken branches leave no blank lines in the output.
      #   - VAULT_ADDR: plain-http localhost when the vault block names a
      #     service (presumably reached through a Connect upstream from
      #     common/connect — confirm), otherwise the configured address.
      #   - MINIT_MAIN_*: cron mode with the configured schedule when
      #     .acme.cron is set, otherwise a single run.
      #   - ACME_<n>_*: one group per entry of .acme.accounts; challenge
      #     defaults to http-01, and dns-01 additionally emits the DNS
      #     provider settings and resolvers.
      # NOTE(review): ACME_<n>_DNS_KEY_VALUE is a DNS provider credential taken
      # from the job variables and, with env = true below, exposed in the task
      # environment; confirm it is supplied from a secret store rather than a
      # plain-text variable file.
      template {
        data =<<_EOT
[[- if has .acme.vault "service_name" ]]
VAULT_ADDR=http://localhost:8200
[[- else ]]
VAULT_ADDR=[[ .acme.vault.addr ]]
[[- end ]]
[[- if ne .acme.cron "" ]]
MINIT_MAIN_KIND=cron
MINIT_MAIN_CRON=[[ .acme.cron ]]
MINIT_MAIN_IMMEDIATE=true
[[- else ]]
MINIT_MAIN_KIND=once
[[- end ]]
ACME_KV_ACCOUNT_ROOT=[[ .acme.vault.kv_account_root ]]
[[- range $acc_idx, $account := .acme.accounts ]]
ACME_[[ $acc_idx ]]_CA=[[ $account.ca ]]
ACME_[[ $acc_idx ]]_EMAIL=[[ $account.email ]]
ACME_[[ $acc_idx ]]_KV_CERT_ROOT=[[ $account.kv_cert_root ]]
[[- if has $account "challenge" ]]
ACME_[[ $acc_idx ]]_CHALLENGE=[[ $account.challenge ]]
[[- if eq $account.challenge "dns-01" ]]
ACME_[[ $acc_idx ]]_DNS_PROVIDER=[[ $account.dns_provider ]]
ACME_[[ $acc_idx ]]_DNS_KEY_ENV=[[ $account.dns_key_env ]]
ACME_[[ $acc_idx ]]_DNS_KEY_VALUE=[[ $account.dns_key_value ]]
[[- if has $account "dns_resolvers" ]]
ACME_[[ $acc_idx ]]_DNS_RESOLVERS=[[ join $account.dns_resolvers "," ]]
[[- end ]]
[[- else ]]
ACME_[[ $acc_idx ]]_CHALLENGE=http-01
[[- end ]]
[[- end ]]
[[- if has $account "key_type" ]]
ACME_[[ $acc_idx ]]_KEY_TYPE=[[ $account.key_type ]]
[[- end ]]
[[- range $crt_idx, $crt := $account.certs ]]
ACME_[[ $acc_idx ]]_CERT_[[ $crt_idx ]]=[[ $crt ]]
[[- end ]]
[[- end ]]
_EOT
        # Written under the task's secrets/ directory, readable by the owner
        # only, and injected into the task environment.
        destination = "secrets/acme-to-vault.env"
        perms = 0400
        env = true
      }

      # CPU/memory reservations (shared partial).
      [[ template "common/resources" $c ]]
    }
  }
}

# vim: syntax=hcl