# Nomad job running the "vault-acme-cert" task: it obtains/renews ACME
# certificates and stores them in Vault KV (see ACME_*_KV_CERT_ROOT below).
# Template actions in double square brackets are rendered from the deployment
# variables (.acme, .traefik, .env, .locale) before the job is submitted.
job [[ .acme.job_name | toJSON ]] {

  # Long-running "service" only when a renewal cron schedule is configured;
  # otherwise the job is a one-shot "batch" run.
  type = "[[ if ne "" .acme.cron ]]service[[ else ]]batch[[ end ]]"

  [[- template "common/job_start.tpl" dict "nomad" .nomad ]]

  group "acme-to-vault" {

    # Bridge networking: the task reaches its upstreams on loopback
    # (see VAULT_ADDR below).
    network {
      mode = "bridge"
    }

    # Scratch space for the task; size in MB.
    ephemeral_disk {
      size = 101
    }

    # Registered so that Traefik can route http-01 challenge requests to
    # this task.
    service {
      name = "[[ .acme.job_name ]][[ .env.suffix ]]"
      port = 8787

      [[ template "common/connect.tpl" dict "ctx" . "config" .acme ]]

      tags = [
        "[[ .traefik.instance ]].enable=true",
        # Note : add a fake host in the rule to prevent warnings in Traefik logs
        # Because the rule is an OR, the PathPrefix alternative matches on
        # every host reaching the listed entrypoints, so this router intercepts
        # /.well-known/acme-challenge/ for all of them. The priority below must
        # therefore win over the regular per-host routers
        # (NOTE(review): confirm .acme.traefik.priority is high enough in each
        # environment).
        "[[ .traefik.instance ]].http.routers.[[ .acme.job_name ]][[ .env.suffix ]].rule=Host(`fake-acme-host`) || PathPrefix(`/.well-known/acme-challenge/`)",
        "[[ .traefik.instance ]].http.routers.[[ .acme.job_name ]][[ .env.suffix ]].priority=[[ .acme.traefik.priority ]]",
        "[[ .traefik.instance ]].http.routers.[[ .acme.job_name ]][[ .env.suffix ]].entrypoints=[[ join (merge .acme.traefik .traefik).entrypoints "," ]]",
        "[[ .traefik.instance ]].http.routers.[[ .acme.job_name ]][[ .env.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" merge .acme.traefik .traefik ]]"
      ]
    }

    task "vault-acme-cert" {
      driver = [[ .acme.driver | toJSON ]]

      # Hardening: read-only root filesystem and a small PID cap for the
      # container; the ACME client image needs neither a writable rootfs
      # nor many processes.
      config {
        image = [[ .acme.image | toJSON ]]
        readonly_rootfs = true
        pids_limit = 20
      }

      # Vault policy attached to the task's Vault token; named after the job
      # (plus environment suffix) so each environment has its own policy.
      # Presumably it covers the KV roots referenced below -- not visible here.
      vault {
        policies = ["[[ .acme.job_name ]][[ .env.suffix ]]"]
      }

      env {
        TZ = [[ .locale.tz | toJSON ]]
        LANG = [[ .locale.lang | toJSON ]]
        # When a Vault service_name is configured, Vault is addressed over
        # plain HTTP on loopback -- presumably a Connect upstream set up by
        # common/connect.tpl (NOTE(review): confirm that upstream is declared
        # there, nothing in this file shows it). Otherwise the address comes
        # straight from the variables and should be an https URL.
        [[- if has .acme.vault "service_name" ]]
        VAULT_ADDR = "http://localhost:8200"
        [[- else ]]
        VAULT_ADDR = [[ .acme.vault.addr | toJSON ]]
        [[- end ]]
        [[- template "common/proxy_env.tpl" . -]]
        # Empty string when the job is a one-shot batch run (see "type" above).
        ACME_CRON = [[ .acme.cron | toJSON ]]
        # Vault KV prefix for the ACME account data (layout defined by the
        # image, not here).
        ACME_KV_ACCOUNT_ROOT = [[ .acme.vault.kv_account_root | toJSON ]]
        # One numbered ACME_<n>_* group per configured account. CHALLENGE
        # defaults to http-01; dns-01 additionally carries the DNS provider,
        # credential and optional resolvers. KEY_TYPE is passed through only
        # when set. Each ACME_<n>_CERT_<m> is one cert entry as given in the
        # variables (format defined by the image).
        # NOTE(review): ACME_<n>_DNS_KEY_VALUE is a DNS provider credential
        # rendered directly into the job's env block, i.e. it is stored in the
        # submitted job specification rather than fetched at run time. Consider
        # delivering it through a Vault-backed template stanza (the task
        # already carries a Vault policy) -- confirm with the owners.
        [[- range $acc_idx, $account := .acme.accounts ]]
        ACME_[[ $acc_idx ]]_CA = [[ $account.ca | toJSON ]]
        ACME_[[ $acc_idx ]]_EMAIL = [[ $account.email | toJSON ]]
        ACME_[[ $acc_idx ]]_KV_CERT_ROOT = [[ $account.kv_cert_root | toJSON ]]
        [[- if has $account "challenge" ]]
        ACME_[[ $acc_idx ]]_CHALLENGE = [[ $account.challenge | toJSON ]]
        [[- if eq $account.challenge "dns-01" ]]
        ACME_[[ $acc_idx ]]_DNS_PROVIDER = [[ $account.dns_provider | toJSON ]]
        ACME_[[ $acc_idx ]]_DNS_KEY_ENV = [[ $account.dns_key_env | toJSON ]]
        ACME_[[ $acc_idx ]]_DNS_KEY_VALUE = [[ $account.dns_key_value | toJSON ]]
        [[ if has $account "dns_resolvers" ]]
        ACME_[[ $acc_idx ]]_DNS_RESOLVERS = [[ join $account.dns_resolvers "," | toJSON ]]
        [[- end ]]
        [[- else ]]
        ACME_[[ $acc_idx ]]_CHALLENGE = "http-01"
        [[- end ]]
        [[- end ]]
        [[- if has $account "key_type" ]]
        ACME_[[ $acc_idx ]]_KEY_TYPE = [[ $account.key_type | toJSON ]]
        [[- end ]]
        [[- range $crt_idx, $crt := $account.certs ]]
        ACME_[[ $acc_idx ]]_CERT_[[ $crt_idx ]] = [[ $crt | toJSON ]]
        [[- end ]]
        [[- end ]]
      }

      [[ template "common/resources.tpl" .acme.resources ]]
    }
  }
}
# vim: syntax=hcl