diff --git a/bounca.nomad.hcl b/bounca.nomad.hcl
index e1aba0d..af18392 100644
--- a/bounca.nomad.hcl
+++ b/bounca.nomad.hcl
@@ -16,31 +16,10 @@ job [[ .instance | toJSON ]] { [[ template "common/connect.tpl" $c ]] tags = [ - "[[ $c.traefik.instance ]].enable=[[ if $c.traefik.enabled ]]true[[ else ]]false[[ end ]]", - -[[- if $c.public.traefik.enabled ]] - [[ $p := merge .bounca.public . ]] - "[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-public[[ .consul.suffix ]].rule=Host(`[[ (urlParse .bounca.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse .bounca.public_url).Path ]]/public/`)", - "[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-public[[ .consul.suffix ]].priority=200", - "[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-public[[ .consul.suffix ]].entrypoints=[[ join $p.traefik.entrypoints "," ]]", - [[- if not (regexp.Match "^/?$" (urlParse .bounca.public_url).Path) ]] - "[[ $p.traefik.instance ]].http.middlewares.[[ .instance ]]-public[[ .consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse .bounca.public_url).Path ]]", - "[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-public[[ .consul.suffix ]].middlewares=[[ .instance ]]-public[[ .consul.suffix ]]-prefix,[[ template "common/traefik_middlewares.tpl" $p.traefik ]]", - [[- else ]] - "[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-public[[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" $p.traefik ]]", - [[- end ]] -[[- end ]] - - "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse .bounca.public_url).Hostname ]]`) - [[- if not (regexp.Match "^/?$" (urlParse .bounca.public_url).Path) ]] && PathPrefix(`[[ (urlParse .bounca.public_url).Path ]]`)[[ end ]]", - "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].priority=100", - "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]", -[[- if not (regexp.Match "^/?$" (urlParse .bounca.public_url).Path) ]] - "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]][[ 
.consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse .bounca.public_url).Path ]]", - "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]][[ .consul.suffix ]]-prefix,[[ template "common/traefik_middlewares.tpl" $c.traefik ]]", -[[- else ]] - "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" $c.traefik ]]", -[[- end ]] +[[ $p := merge .bounca.public . ]] +[[ template "common/traefik_tags" $p ]] + "[[ $p.traefik.instance ]].http.routers.[[ $p.traefik.router ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse $c.public_url).Path ]]/public`)", +[[ template "common/traefik_tags" $c ]] ] diff --git a/example/bounca.nomad.hcl b/example/bounca.nomad.hcl index 6253706..d2f57c2 100644 --- a/example/bounca.nomad.hcl +++ b/example/bounca.nomad.hcl @@ -23,6 +23,18 @@ job "bounca" { } } sidecar_task { + config { + args = [ + "-c", + "${NOMAD_SECRETS_DIR}/envoy_bootstrap.json", + "-l", + "${meta.connect.log_level}", + "--concurrency", + "${meta.connect.proxy_concurrency}", + "--disable-hot-restart" + ] + } + resources { cpu = 50 memory = 64 
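Review bot: The public router rule now ends in `PathPrefix(`…/public`)` with no trailing slash; on Traefik v2 that is a raw string prefix, so `/public-anything` would also be routed through the public router and its middleware chain rather than the main router's, and variables.yml describes `public` as the part meant to be openly reachable, so the chains are expected to differ. The old `/public/` avoided the over-match but did not match a bare `/public`; `(Path(`[[ (urlParse $c.public_url).Path ]]/public`) || PathPrefix(`[[ (urlParse $c.public_url).Path ]]/public/`))` covers both (Traefik v3's segment-aware PathPrefix would make this moot, but the version in use is not visible here). The removed `regexp.Match "^/?$"` guard is also gone for this rule: if `public_url` ends in `/`, `.Path` is `/` and the rule renders as `//public`, which never matches, so either trim the path or gate it as before. Whether `common/traefik_tags` sets a router priority is not visible in this diff.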
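Review bot: The explicit sidecar `args` appear to spell out what Nomad passes to the Envoy sidecar by default, so a comment such as `# pinned to Nomad's default envoy args; meta.connect.log_level and meta.connect.proxy_concurrency must be set on every client node` would tell the next reader why they are here. Once spelled out, a client node without those `meta.connect.*` keys yields an empty argument to `-l`/`--concurrency` and the proxy will presumably fail to start, and a node that sets `log_level` to `debug`/`trace` will log connection details for every proxied request, so the node meta becomes a hard requirement worth stating. `sidecar_task` opens before this hunk.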
@@ -33,17 +45,23 @@ job "bounca" { tags = [ + + "traefik.enable=true", - - "traefik.http.routers.bounca-public.rule=Host(`pki.example.org`) && PathPrefix(`/public/`)", - "traefik.http.routers.bounca-public.priority=200", "traefik.http.routers.bounca-public.entrypoints=https", - "traefik.http.routers.bounca-public.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file,compression@file,csp-relaxed@file", + "traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';", + "traefik.http.middlewares.bounca-proxy.headers.customrequestheaders.X-Forwarded-Proto=https", + "traefik.http.routers.bounca-public.middlewares=security-headers@file,rate-limit-std@file,bounca-proxy,inflight-std@file,hsts@file,compression@file,bounca-csp", + "traefik.http.routers.bounca-public.rule=Host(`pki.example.org`) && PathPrefix(`/public`)", + + "traefik.enable=true", "traefik.http.routers.bounca.rule=Host(`pki.example.org`)", - "traefik.http.routers.bounca.priority=100", "traefik.http.routers.bounca.entrypoints=https", - "traefik.http.routers.bounca.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file,compression@file,csp-relaxed@file", + "traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';", + "traefik.http.middlewares.bounca-proxy.headers.customrequestheaders.X-Forwarded-Proto=https", + "traefik.http.routers.bounca.middlewares=security-headers@file,rate-limit-std@file,bounca-proxy,inflight-std@file,hsts@file,compression@file,bounca-csp", + ] @@ -180,6 +198,7 @@ _EOT destination = "secrets/.db.env" } + resources { cpu = 200 memory = 192 diff --git a/variables.yml b/variables.yml index dc4d46e..ff0a397 100644 --- a/variables.yml 
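Review bot: `bounca-csp` sets `script-src 'self' 'unsafe-inline' 'unsafe-eval'`, which removes most of the protection a CSP gives against injected scripts; if Bounca's frontend genuinely needs it (the previous `csp-relaxed@file` suggests it did), a comment above the tag saying so would stop a later hardening pass from silently breaking the UI, and if only inline scripts are needed, dropping `'unsafe-eval'` is the usual first step. The identical `bounca-csp` and `bounca-proxy` definitions are declared twice, once per router; presumably harmless as the definitions match, but declaring them once before the first router keeps the tag list readable and avoids the two copies drifting. `bounca-proxy` forces `X-Forwarded-Proto=https` on every request regardless of the entrypoint it arrived on, which is fine while both routers bind only `https`, so a comment tying it to that assumption, e.g. `# routers are https-only, so the backend may trust this header`, would protect against an `http` entrypoint being added later.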
+++ b/variables.yml @@ -41,14 +41,14 @@ bounca: local_bind_port: 5432 # Traefik settings - traefik: - enabled: true + traefik: {} # Settings for /public, which can be different from the main interface # /public expose certificates and CRL so it should usually be publicly accessible public: traefik: - enabled: true + auto_rule: false + router: '[[ .instance ]]-public[[ .consul.suffix ]]' # Resource allocation for the main bounca task resources:
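Review bot: The new `public.traefik` keys `auto_rule` and `router` are undocumented, and the old `enabled: true` toggle for the public section is gone, so a reader of variables.yml can no longer tell why `auto_rule` is false or how to turn the public router off. A comment next to the keys such as `# auto_rule: false — the /public rule is built in bounca.nomad.hcl from public_url; router names the Traefik router those tags attach to` would cover it. Whether `common/traefik_tags` still honours an `enabled` flag is not visible in this diff; if it does, keeping `enabled: true` here would document the intent that `/public` stays reachable.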