Adapt to new middleware model

This commit is contained in:
Daniel Berteaud 2024-01-29 00:02:39 +01:00
parent 16cdb74532
commit 04a1a75d33
3 changed files with 43 additions and 53 deletions


@ -27,6 +27,17 @@ job "lemonldap-ng" {
}
}
sidecar_task {
config {
args = [
"-c",
"${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
"-l",
"${meta.connect.log_level}",
"--concurrency",
"${meta.connect.proxy_concurrency}",
"--disable-hot-restart"
]
}
resources {
cpu = 50
@ -37,14 +48,24 @@ job "lemonldap-ng" {
}
tags = [
"traefik.enable=true",
"traefik.http.routers.lemonldap-ng-portal.rule=Host(`sso.example.org`) && !PathRegexp(`^/index\\.psgi/(config|sessions)`)",
"traefik.enable=true",
"traefik.http.routers.lemonldap-ng-portal.entrypoints=https",
"traefik.http.routers.lemonldap-ng-portal.priority=100",
"traefik.http.routers.lemonldap-ng-portal.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file",
"traefik.http.routers.lemonldap-ng-portal.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file",
"traefik.enable=true",
"traefik.http.routers.lemonldap-ng-manager.rule=Host(`manager.example.org`)",
"traefik.http.routers.lemonldap-ng-manager.entrypoints=https",
"traefik.http.routers.lemonldap-ng-manager.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file,compression@file,map[]",
"traefik.http.routers.lemonldap-ng-manager.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file",
"traefik.http.routers.lemonldap-ng-api.rule=Host(`sso.example.org`) && PathRegexp(`^/index\\.psgi/(config|sessions)`)",
]
}


@ -22,32 +22,13 @@ job "[[ .instance ]]" {
[[- $a := merge .llng.api .llng.portal . ]]
tags = [
[[- if $p.traefik.enabled ]]
"[[ $p.traefik.instance ]].enable=true",
"[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-portal[[ .consul.suffix ]].rule=Host(`[[ (urlParse $p.public_url).Hostname ]]`) && !PathRegexp(`^/index\\.psgi/(config|sessions)`)",
"[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-portal[[ .consul.suffix ]].entrypoints=[[ join $p.traefik.entrypoints "," ]]",
"[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-portal[[ .consul.suffix ]].priority=100",
"[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-portal[[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $p.traefik ]]",
[[- end ]]
[[ template "common/traefik_tags" $p ]]
[[- if $m.traefik.enabled ]]
[[- if ne $m.traefik.instance $c.traefik.instance ]]
"[[ $m.traefik.instance ]].enable=true",
[[- end ]]
"[[ $m.traefik.instance ]].http.routers.[[ .instance ]]-manager[[ .consul.suffix ]].rule=Host(`[[ (urlParse $m.public_url).Hostname ]]`)",
"[[ $m.traefik.instance ]].http.routers.[[ .instance ]]-manager[[ .consul.suffix ]].entrypoints=[[ join $m.traefik.entrypoints "," ]]",
"[[ $m.traefik.instance ]].http.routers.[[ .instance ]]-manager[[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $m.traefik ]]",
[[- end ]]
[[ template "common/traefik_tags" $m ]]
[[- if $a.traefik.enabled ]]
[[- if ne $a.traefik.instance $p.traefik.instance ]]
"[[ $a.traefik.instance ]].enable=true",
[[- end ]]
"[[ $a.traefik.instance ]].http.routers.[[ .instance ]]-api[[ .consul.suffix ]].rule=Host(`[[ (urlParse $p.public_url).Hostname ]]`) && PathRegexp(`^/index\\.psgi/(config|sessions)`)",
"[[ $a.traefik.instance ]].http.routers.[[ .instance ]]-api[[ .consul.suffix ]].entrypoints=[[ join $a.traefik.entrypoints "," ]]",
"[[ $a.traefik.instance ]].http.routers.[[ .instance ]]-api[[ .consul.suffix ]].priority=200",
"[[ $a.traefik.instance ]].http.routers.[[ .instance ]]-api[[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $a.traefik ]]",
[[- end ]]
[[ template "common/traefik_tags" $a ]]
]
}
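Review bot: The portal's negated PathRegexp rule and the priority=100 / priority=200 pair that kept the `/index.psgi/(config|sessions)` paths off the portal router are gone from this template, and the three `[[ template "common/traefik_tags" … ]]` lines that replace them are expected to reproduce them from the `router` / `auto_rule: false` settings, which this hunk does not show. Since the API router ships disabled by default, the portal rule excluding those paths is what keeps the config/sessions REST endpoints unexposed, so that dependency deserves a comment on the `tags = [` line, e.g. `# rule/priority/middlewares now come from common/traefik_tags; the portal rule must keep excluding ^/index\.psgi/(config|sessions) so only the API router exposes them`. The context line `$a := merge .llng.api .llng.portal .` means the API inherits the portal's traefik settings, so presumably any per-router rule override has to be set in the values for each router — confirm against the rendered example, which still shows both rules. The enclosing service/task block begins before this hunk.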


@ -79,17 +79,14 @@ llng:
# If disabled, the portal won't be exposed by Traefik
enabled: true
# Override base_middleware to remove csp-relaxed@file as Lemonldap::NG handle CSP itself
base_middlewares:
- rate-limit-std@file
- inflight-std@file
- security-headers@file
- hsts@file
# Disable default CSP as Lemonldap::NG handles it itself
csp: false
middlewares:
# Disable compression until https://github.com/traefik/traefik/pull/10178 is available in a release
#- compression@file
compression: false
# List of middlewares to apply
middlewares: []
auto_rule: false
router: '[[ .instance ]]-portal[[ .consul.suffix ]]'
# Cron jobs
cron:
@ -123,16 +120,10 @@ llng:
# If disabled, the manager will not be exposed by Traefik
enabled: true
# Override base_middleware to remove csp-relaxed@file as Lemonldap::NG handle CSP itself
base_middlewares:
- rate-limit-std@file
- inflight-std@file
- security-headers@file
- hsts@file
- compression@file
# Disable default CSP as Lemonldap::NG handle CSP itself
csp: false
# List of middlewares to apply
middlewares: {}
router: '[[ .instance ]]-manager[[ .consul.suffix ]]'
# The API is exposed by the portal, but usually must be secured differently
# The following settings only apply to the REST/SOAP API
@ -144,14 +135,11 @@ llng:
# If disabled, Traefik won't expose the API
enabled: false
# Override base_middleware to remove csp-relaxed@file as Lemonldap::NG handle CSP itself
base_middlewares:
- rate-limit-std@file
- inflight-std@file
- security-headers@file
- hsts@file
#- compression@file
csp: false
# List of middlewares to apply
middlewares: {}
middlewares:
compression: false
auto_rule: false
router: '[[ .instance ]]-api[[ .consul.suffix ]]'
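Review bot: The API block's `csp: false` has no rationale comment, while its portal and manager siblings explain why CSP is disabled, and the portal's new `compression: false` drops the old comment that tied the disablement to a pending Traefik fix, so a later reader will not know when compression can be turned back on. Suggest `# Disable default CSP as Lemonldap::NG handles it itself` above the API `csp: false`, and `# Disable compression until https://github.com/traefik/traefik/pull/10178 is available in a release` above the portal `compression: false`. The manager keeps `middlewares: {}` while the portal and API now carry a map with `compression: false`; that matches the new map model, and the rendered example still lists compression@file on the manager router, so the manager's previous explicit `- compression@file` appears to be preserved by the common defaults — worth a one-line comment on the manager block stating that compression is intentionally left at the default there.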