# Nomad job template for the "repo" service. It defines two groups that share
# the "repo" volume: "web" (nginx task, read-only access) and "rsync"
# (rsync-ssh task, writable access). Double-square-bracket directives are
# expanded by the templating step before Nomad parses the result;
# double-curly-brace directives inside the Vault template are left for Nomad's
# own template renderer.
job [[ .repo.job_name | toJSON ]]{
  [[- template "common/job_start.tpl" . ]]

  group "web" {
    count = [[ .repo.nginx.count ]]

    network {
      mode = "bridge"
    }

    # The web group gets no write access to the repo data: read_only is set
    # here and again on the task's volume_mount.
    volume "repo" {
      type = [[ .repo.volumes.repo.type | toJSON ]]
      source = [[ .repo.volumes.repo.source | toJSON ]]
      attachment_mode = "file-system"
      access_mode = "multi-node-single-writer"
      read_only = true
    }

    service {
      name = "repo-web[[ .env.suffix ]]"
      port = 8080

      # Rendered from common/connect.tpl, which is not visible here;
      # presumably the Consul Connect stanza for this service (confirm).
      [[ template "common/connect.tpl" dict "ctx" . "config" .repo.nginx ]]

      # Traefik HTTP router: matches only the host part of public_url, uses the
      # merged entrypoints/middlewares settings, and has TLS enabled.
      tags = [
        "[[ .traefik.instance ]].enable=true",
        "[[ .traefik.instance ]].http.routers.repo-web[[ .env.suffix ]].rule=Host(`[[ (.repo.nginx.public_url | urlParse).Host ]]`)",
        "[[ .traefik.instance ]].http.routers.repo-web[[ .env.suffix ]].entrypoints=[[ join (merge .repo.nginx.traefik .traefik).entrypoints "," ]]",
        "[[ .traefik.instance ]].http.routers.repo-web[[ .env.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" merge .repo.nginx.traefik .traefik ]]",
        "[[ .traefik.instance ]].http.routers.repo-web[[ .env.suffix ]].tls=true",
      ]
    }

    task "nginx" {
      driver = [[ .repo.nginx.driver | toJSON ]]
      # Run as the fixed numeric UID 2022 instead of the image's default user.
      user = 2022

      config {
        image = [[ .repo.nginx.image | toJSON ]]
        # Replace the image's default vhost with the config rendered below.
        volumes = [
          "local/nginx.conf:/etc/nginx/conf.d/default.conf"
        ]
      }

      env {
        [[ template "common/env.tpl" .repo.nginx.env ]]
      }

      # nginx configuration comes from repo/nginx.conf.tpl (not visible here).
      # This is a non-indented heredoc, so its body and end marker are kept at
      # column 0 to avoid adding leading whitespace to the rendered file.
      template {
        data = <<_EOF
[[ template "repo/nginx.conf.tpl" ]]
_EOF
        destination = "local/nginx.conf"
      }

      # Repo contents are exposed to nginx under /data, read-only.
      volume_mount {
        volume = "repo"
        destination = "/data"
        read_only = true
      }

      [[ template "common/resources.tpl" .repo.nginx.resources ]]
    }
  }

  group "rsync" {

    network {
      mode = "bridge"
      # No static value: Nomad allocates the "ssh" port dynamically.
      port "ssh" {}
    }

    # NOTE(review): unlike the web group, read_only is not set here, so this
    # group can write to the repo volume; presumably required for uploads.
    volume "repo" {
      type = [[ .repo.volumes.repo.type | toJSON ]]
      source = [[ .repo.volumes.repo.source | toJSON ]]
      attachment_mode = "file-system"
      access_mode = "multi-node-single-writer"
    }

    # Separate writable volume, mounted at /config in the task below.
    # Presumably holds persistent sshd state such as host keys (confirm
    # against the image).
    volume "ssh" {
      type = [[ .repo.volumes.ssh.type | toJSON ]]
      source = [[ .repo.volumes.ssh.source | toJSON ]]
      attachment_mode = "file-system"
      access_mode = "single-node-writer"
    }

    service {
      name = "repo-rsync[[ .env.suffix ]]"
      port = "ssh"
      # Traefik TCP router. The rule always starts with the HostSNI wildcard;
      # a ClientIP clause (the CIDRs OR-ed together) is appended only when
      # repo.rsync.allowed_cidr is non-empty.
      # NOTE(review): with an empty allowed_cidr list the router applies no
      # source-IP restriction, and access control then rests on whatever the
      # SSH daemon and the optional middlewares enforce. Confirm that an empty
      # list is never the production default.
      tags = [
        "[[ .traefik.instance ]].enable=true",
        "[[ .traefik.instance ]].tcp.routers.repo-rsync[[ .env.suffix ]].rule=HostSNI(`*`)
        [[- if gt (len .repo.rsync.allowed_cidr) 0 ]] && ([[ range $idx, $cidr := .repo.rsync.allowed_cidr ]][[ if ne $idx 0 ]] || [[ end ]]ClientIP(`[[ $cidr ]]`)[[ end ]])[[ end ]]",
        "[[ .traefik.instance ]].tcp.routers.repo-rsync[[ .env.suffix ]].entrypoints=[[ join .repo.rsync.traefik.entrypoints "," ]]",
        [[- if gt (len .repo.rsync.traefik.middlewares) 0 ]]
        "[[ .traefik.instance ]].tcp.routers.repo-rsync[[ .env.suffix ]].middlewares=[[ join .repo.rsync.traefik.middlewares "," ]]",
        [[- end ]]
        # Traefik doesn't support Consul Connect for TCP services yet
        "[[ .traefik.instance ]].consulcatalog.connect=false"
      ]
    }

    # NOTE(review): no user is set on this task (the nginx task pins UID 2022),
    # so it runs as the image's default user. Confirm that is intended.
    task "rsync-ssh" {
      driver = [[ .repo.rsync.driver | toJSON ]]

      config {
        image = [[ .repo.rsync.image | toJSON ]]
      }

      env {
        # Tell the container which dynamically allocated port to listen on.
        SSHD_PORT = "${NOMAD_PORT_ssh}"
        [[ template "common/env.tpl" .repo.rsync.env ]]
      }

      # The Vault token is used only by Nomad to render the template below:
      # env = false keeps it out of the task environment and
      # disable_file = true keeps it out of the task's secrets directory.
      vault {
        policies = ["repo[[ .env.suffix ]]"]
        env = false
        disable_file = true
      }

      # Reads the ssh_keys field of the kv/service/repo secret (under the
      # configured Vault prefix), splits it on commas and exposes each entry
      # as SSH_AUTH_KEY_<index> through an env file in the secrets directory.
      # Presumably these are the public keys the image accepts for login
      # (confirm against the image).
      # NOTE(review): because of the comma split, an entry that itself
      # contains a comma (for example key options with a comma-separated
      # list) would be broken into several variables.
      template {
        data = <<-_EOF
        {{ with secret "[[ .vault.prefix ]]kv/service/repo" }}
        {{- range $idx, $key := .Data.data.ssh_keys | split "," -}}
        SSH_AUTH_KEY_{{ $idx }}={{ $key }}
        {{ end }}{{ end }}
        _EOF
        destination = "secrets/env"
        env = true
      }

      # Writable mount of the repo data (no read_only here).
      volume_mount {
        volume = "repo"
        destination = "/data"
      }

      volume_mount {
        volume = "ssh"
        destination = "/config"
      }

      [[ template "common/resources.tpl" .repo.rsync.resources ]]
    }
  }
}
# vim: syntax=hcl