acme-to-vault/example/acme-to-vault.nomad.hcl


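# Nomad job for acme-to-vault: runs the ACME client on a schedule and stores
# the resulting account/certificate material in Vault (KV root given below).
# The HTTP-01 challenge endpoint is published through Traefik via service tags.
job "acme-to-vault" {
  type        = "service"
  datacenters = ["dc1"]
  region      = "global"

  group "acme-to-vault" {
    # Bridge mode gives the allocation its own network namespace; "localhost"
    # in the task environment below refers to this namespace, not the host.
    network {
      mode = "bridge"
    }

    # Allocation-local scratch space (MB). The task's writable data lives on
    # the tmpfs mounted at /data, so this can stay small.
    ephemeral_disk {
      size = 101
    }

    service {
      name = "acme-to-vault"
      port = 8787

      connect {
        # No upstreams are declared here: the sidecar only fronts inbound
        # mesh traffic for this service.
        sidecar_service {
        }

        sidecar_task {
          # Envoy sidecar tuning; log level and concurrency come from client
          # node meta so they can differ per node.
          config {
            args = [
              "-c",
              "${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
              "-l",
              "${meta.connect.log_level}",
              "--concurrency",
              "${meta.connect.proxy_concurrency}",
              "--disable-hot-restart"
            ]
          }

          resources {
            cpu    = 50
            memory = 64
          }
        }
      }

      # Traefik routing. The high priority combined with the host-independent
      # PathPrefix rule means /.well-known/acme-challenge/ on ANY host, over
      # both http and https, is answered by this service -- exactly what
      # HTTP-01 validation needs. `fake-acme-host` is a placeholder host name.
      # The middlewares are defined in Traefik's file provider (@file).
      tags = [
        "traefik.enable=true",
        "traefik.http.routers.acme-to-vault.entrypoints=http,https",
        "traefik.http.routers.acme-to-vault.priority=2000",
        "traefik.http.routers.acme-to-vault.rule=Host(`fake-acme-host`) || PathPrefix(`/.well-known/acme-challenge/`)",
        "traefik.http.routers.acme-to-vault.middlewares=rate-limit-std@file,inflight-std@file,hsts@file,compression@file",
      ]
    }

    task "acme-to-vault" {
      driver = "docker"
      # Run as an unprivileged uid inside the container.
      user = 8787

      config {
        # NOTE(review): this is a mutable tag. Pinning by digest
        # (image@sha256:<digest>) would make the pin verifiable -- consider.
        image = "danielberteaud/acme-to-vault:24.3-1"

        # Container hardening: immutable root filesystem, bounded process
        # count, and a small tmpfs as the only writable path.
        readonly_rootfs = true
        pids_limit      = 50

        mount {
          type   = "tmpfs"
          target = "/data"
          tmpfs_options {
            size = 10000000 # bytes (~10 MB)
          }
        }
      }

      # Nomad issues the task a Vault token scoped to this policy.
      vault {
        policies = ["acme-to-vault"]
      }

      # Use a template block instead of env {} so we can fetch values from vault.
      # Rendered under the allocation's secrets directory and loaded into the
      # task environment (env = true). `perms` is an octal mode string per the
      # Nomad template docs; both templates use the same mode so the two
      # rendered files are equally restricted.
      template {
        data = <<_EOT
LANG=fr_FR.utf8
LEGO_DISABLE_CNAME_SUPPORT=true
TZ=Europe/Paris
_EOT
        destination = "secrets/.env"
        perms       = "0400"
        env         = true
      }

      # Runtime settings for the ACME client.
      # NOTE(review): VAULT_ADDR is plain http to localhost:8200. In bridge
      # mode that must be a listener inside this allocation's namespace (for
      # example a Connect upstream or a local agent); none is declared in this
      # file -- confirm how Vault is reached before relying on this.
      # The cron expression fires daily at 00:22 in the TZ set above;
      # MINIT_MAIN_IMMEDIATE presumably also triggers a run at start -- verify
      # against the image's documentation.
      template {
        data = <<_EOT
VAULT_ADDR=http://localhost:8200
MINIT_MAIN_KIND=cron
MINIT_MAIN_CRON=22 0 * * *
MINIT_MAIN_IMMEDIATE=true
ACME_KV_ACCOUNT_ROOT=kv/service/acme-to-vault/account
_EOT
        destination = "secrets/acme-to-vault.env"
        perms       = "0400"
        env         = true
      }

      # `memory` is the scheduled reservation; `memory_max` is the hard ceiling
      # the task may burst to when the client allows oversubscription.
      resources {
        cpu        = 10
        memory     = 100
        memory_max = 160
      }
    }
  }
}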
# vim: syntax=hcl