From b9c3bde2925bef186b258e2198f1e0b2fc584c8b Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Fri, 26 Jan 2024 23:32:12 +0100
Subject: [PATCH] Use new traefik_tags template
---
 boardgame-manager.nomad.hcl | 15 +--------------
 example/boardgame-manager.nomad.hcl | 5 +++--
 variables.yml | 6 ++++++
 3 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/boardgame-manager.nomad.hcl b/boardgame-manager.nomad.hcl
index d235efd..9e7fef3 100644
--- a/boardgame-manager.nomad.hcl
+++ b/boardgame-manager.nomad.hcl
@@ -16,21 +16,8 @@ job "[[ .instance ]]" {
 [[ template "common/connect" $c ]]
 tags = [
-[[- if $c.traefik.enabled ]]
- "[[ $c.traefik.instance ]].enable=true",
- "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse .bgm.public_url).Hostname ]]`)
- [[- if not (regexp.Match "^/?$" (urlParse .bgm.public_url).Path) ]] && PathPrefix(`[[ (urlParse .bgm.public_url).Path ]]`)[[ end ]]",
- "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
- "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].tls=true",
- "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-csp[[ .consul.suffix ]].headers.contentSecurityPolicy=default-src 'self'; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:",
- [[- if not (regexp.Match "^/?$" (urlParse .bgm.public_url).Path) ]]
- "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]][[ .consul.suffix ]]-path.stripprefix.prefixes=[[ (urlParse .bgm.public_url).Path ]]",
- "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]][[ .consul.suffix ]]-path,[[ .instance ]]-csp[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c ]]",
- [[- else ]]
- "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-csp[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c ]]",
- [[- end ]]
+[[ template "common/traefik_tags" $c ]]
 ]
-[[- end ]]
 }
 volume "data" {
diff --git a/example/boardgame-manager.nomad.hcl b/example/boardgame-manager.nomad.hcl
index bd8eb9d..dfa6c3f 100644
--- a/example/boardgame-manager.nomad.hcl
+++ b/example/boardgame-manager.nomad.hcl
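Review bot: The router no longer gets an explicit `.tls=true` tag: the old list set it per router, and the rendered example in example/boardgame-manager.nomad.hcl loses `traefik.http.routers.boardgame-manager.tls=true` with nothing in its place. `common/traefik_tags` is not part of this patch, so it looks as if TLS is now expected to be enforced on the entrypoint itself; that should be confirmed, or the template should keep emitting the tag, because otherwise the route could be served without TLS. The `$c.traefik.enabled` guard and the PathPrefix/stripprefix branch also move out of sight, so a short comment above the call would help, e.g. `# router rule, middlewares and CSP tags are rendered by common/traefik_tags`.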
@@ -40,12 +40,13 @@ job "boardgame-manager" {
 tags = [
+ "traefik.enable=true",
 "traefik.http.routers.boardgame-manager.rule=Host(`bgm.example.org`)",
 "traefik.http.routers.boardgame-manager.entrypoints=https",
- "traefik.http.routers.boardgame-manager.tls=true",
- "traefik.http.middlewares.boardgame-manager-csp.headers.contentSecurityPolicy=default-src 'self'; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:",
+ "traefik.http.middlewares.boardgame-manager-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data: https://www.gravatar.com;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
 "traefik.http.routers.boardgame-manager.middlewares=boardgame-manager-csp,rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file,compression@file,csp-relaxed@file",
+
 ]
 }
diff --git a/variables.yml b/variables.yml
index f6743c5..b8b1d03 100644
--- a/variables.yml
+++ b/variables.yml
@@ -35,6 +35,12 @@ bgm:
 middlewares:
 - compression@file
 - csp-relaxed@file
+ csp:
+ default-src: "'self'"
+ img-src: "'self' data: https://www.gravatar.com"
+ script-src: "'self' 'unsafe-inline' 'unsafe-eval'"
+ style-src: "'self' 'unsafe-inline'"
+ font-src: "'self' data:"
 backup:
 enabled: false
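Review bot: The new `csp` default in variables.yml keeps `script-src: "'self' 'unsafe-inline' 'unsafe-eval'"`, which removes most of the script-injection protection a CSP gives, and now that it is a variable it becomes the baseline anyone overriding it will copy. A comment on that key would record the intent, e.g. `# TODO: confirm the UI still needs 'unsafe-inline'/'unsafe-eval' and drop them if not`. `csp-relaxed@file` also stays in the `middlewares` list just above, so two middlewares may set the Content-Security-Policy header; which value reaches the browser depends on definitions outside this patch and is worth checking against a live response.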