nomad
/
immich
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use traefik_tags template

This commit is contained in:
Daniel Berteaud 2024-01-28 23:17:47 +01:00
parent 1a61c3ec65
commit c76e76970d
3 changed files with 41 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
example/immich.nomad.hcl
View File

@ -39,6 +39,17 @@ job "immich" {
}
}
sidecar_task {
config {
args = [
"-c",
"${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
"-l",
"${meta.connect.log_level}",
"--concurrency",
"${meta.connect.proxy_concurrency}",
"--disable-hot-restart"
]
}
resources {
cpu = 50
@ -62,20 +73,20 @@ job "immich" {
}
tags = [
"traefik.enable=true",
# Define a middleware to set custom CSP headers
"traefik.http.middlewares.immich-headers.headers.contentsecuritypolicy=connect-src 'self' https://maputnik.github.io https://*.cofractal.com https://fonts.openmaptiles.org;default-src 'self';font-src 'self' data:;img-src 'self' data: blob:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';worker-src 'self' blob:;",
"traefik.http.middlewares.immich-headers.headers.customrequestheaders.X-Forwarded-Proto=https",
# We use a distinct routers for /share so we can apply different middlewares (eg, /share is public while everything else is private)
"traefik.http.routers.immich-share.rule=Host(`immich.example.org`) && PathRegexp(`^/(share/|_app/immutable/|custom\\.css|api/(asset|server-info)/)`)",
"traefik.http.routers.immich-share.entrypoints=https",
"traefik.http.routers.immich-share.middlewares=immich-headers,security-headers@file,hsts@file,compression@file",
# Main app router
"traefik.http.routers.immich.rule=Host(`immich.example.org`)",
"traefik.http.routers.immich.entrypoints=https",
"traefik.http.routers.immich.middlewares=immich-headers,security-headers@file,hsts@file,compression@file",
"traefik.http.middlewares.immich-csp.headers.contentsecuritypolicy=connect-src 'self' https://maputnik.github.io https://*.cofractal.com https://fonts.openmaptiles.org;default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.routers.immich.middlewares=security-headers@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,immich-csp",
"traefik.http.routers.immich-share.rule=Host(`immich.example.org`) && PathRegexp(`^/(share/|_app/immutable/|custom\\.css|api/(asset|server-info)/)",
"traefik.enable=true",
"traefik.http.routers.immich-share.entrypoints=https",
"traefik.http.middlewares.immich-csp.headers.contentsecuritypolicy=connect-src 'self' https://maputnik.github.io https://*.cofractal.com https://fonts.openmaptiles.org;default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.routers.immich-share.middlewares=security-headers@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,immich-csp",
]
}
@ -300,6 +311,17 @@ _EOT
sidecar_service {
}
sidecar_task {
config {
args = [
"-c",
"${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
"-l",
"${meta.connect.log_level}",
"--concurrency",
"${meta.connect.proxy_concurrency}",
"--disable-hot-restart"
]
}
resources {
cpu = 50

34
immich.nomad.hcl
View File

@ -33,36 +33,10 @@ job "[[ .instance ]]" {
}
tags = [
"[[ $c.traefik.instance ]].enable=[[ $c.traefik.enabled ]]",
# Define a middleware to set custom CSP headers
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $c.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.customrequestheaders.X-Forwarded-Proto=https",
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
# Immich exposed by traefik on a subpath. Define a middleware to strip the prefix before passing the request to the backend
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-prefix[[ .consul.suffix ]].stripprefix.prefixes=[[ (urlParse .immich.public_url).Path ]]",
[[- end ]]
[[- $s := merge .immich.server.share .immich.server .immich . ]]
# We use a distinct routers for /share so we can apply different middlewares (eg, /share is public while everything else is private)
"[[ $s.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) && PathRegexp(`^[[ (urlParse $c.public_url).Path ]]/(share/|_app/immutable/|custom\\.css|api/(asset|server-info)/)`)",
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
"[[ $s.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ .instance ]]-prefix[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares" $s ]]",
[[- else ]]
"[[ $s.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $s ]]",
[[- end ]]
# Main app router
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`)
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]] && PathPrefix(`[[ (urlParse $c.public_url).Path ]]`)[[ end ]]",
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ .instance ]]-prefix[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares" $c ]]",
[[- else ]]
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c ]]",
[[- end ]]
[[ template "common/traefik_tags" $c ]]
[[- $s := merge $c.share $c ]]
"[[ $s.traefik.instance ]].http.routers.[[ $s.traefik.router ]].rule=Host(`[[ (urlParse $s.public_url).Hostname ]]`) && PathRegexp(`^[[ (urlParse $s.public_url).Path ]]/(share/|_app/immutable/|custom\\.css|api/(asset|server-info)/)",
[[ template "common/traefik_tags" merge $s ]]
]
}

22
variables.yml
View File

@ -52,33 +52,19 @@ immich:
# Controls how Traefik will expose the service
traefik:
enabled: true
# Immich needs a specific CSP
csp:
default-src: "'self'"
img-src: "'self' data: blob:"
script-src: "'self' 'unsafe-inline' 'unsafe-eval'"
style-src: "'self' 'unsafe-inline'"
font-src: "'self' data:"
worker-src: "'self' blob:"
connect-src: "'self' https://maputnik.github.io https://*.cofractal.com https://fonts.openmaptiles.org"
# Override the list of base middlewares as we need to remove rate-limits
base_middlewares:
- security-headers@file
- hsts@file
- compression@file
middlewares: []
middlewares:
rate-limit: false
# Use distinct Traefik settings for /share. This can be used for example to restrict the main app to trusted IP but allow /share from anywhere
share:
traefik:
base_middlewares:
- security-headers@file
- hsts@file
- compression@file
middlewares: []
auto_rule: false
router: '[[ .instance ]]-share[[ .consul.suffix ]]'
# Volumes used for data storage
volumes: