[[- $c := merge .squid . -]]
# Nomad job template for a Squid proxy. The `[[ ]]` directives are rendered
# before Nomad parses the HCL; $c combines the `.squid` settings with the
# top-level values and is what the shared "common/*" templates receive.
job "[[ .instance ]]" {

  [[ template "common/job_start" $c ]]

  group "squid" {

    network {
      mode = "bridge"
      # The metrics port only exists when Prometheus scraping is enabled
      # (the exporter sidecar further down is gated on the same flag).
      [[- if conv.ToBool $c.prometheus.enabled ]]
      port "metrics" {}
      [[- end ]]
    }

    count = [[ $c.count ]]

    # Consul registration of the proxy itself on Squid's listen port.
    service {
      name = "[[ .instance ]][[ .consul.suffix ]]"
      port = 3128
      [[ template "common/service_meta" $c ]]
      [[ template "common/connect" $c ]]
    }

    task "squid" {

      driver = "[[ $c.nomad.driver ]]"

      config {
        image = "[[ .squid.image ]]"
        # Hardening: immutable root filesystem and a cap on the process count.
        readonly_rootfs = true
        pids_limit = 100
        volumes = [
          # Rendered squid.conf and the entrypoint hook are mounted read-only.
          "local/squid.conf:/etc/squid/squid.conf:ro",
          # NOTE(review): this is the only mount without ":ro". If Squid only
          # reads the files in conf.d (auth, acl.conf), consider adding it —
          # confirm nothing in the image writes there first.
          "secrets/:/etc/squid/conf.d",
          "local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
        ]
      }

      [[ template "common/artifacts" $c ]]
      [[ template "common/vault.policies" $c ]]

      env {
        # Directory that receives the list files generated further down.
        SQUID_LISTS_DIR = "/local/lists"
        # SQUID_CONF_* values are presumably turned into squid.conf directives
        # by the image entrypoint — verify against the image. They wire NCSA
        # basic auth to the rendered /secrets/auth file and build the
        # ssl_ports ACL from .squid.ssl_ports.
        SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"
        SQUID_CONF_5_acl = "ssl_ports port [[ join .squid.ssl_ports " " ]]"
      }

      # NOTE(review): perms below are bare numbers in mixed notation
      # (755, 0640, 400). HCL has no octal literals, so 0640 appears to be
      # the number 640; Nomad reads the field as an octal string so both
      # forms seem to work, but quoting them (e.g. "0640") would be
      # unambiguous — verify before changing.

      # Entrypoint hook script (mounted into /entrypoint.d above), executable
      # and owned by uid/gid 100000.
      template {
        data =<<_EOT
[[ template "squid/filter_acl.sh.tpl" $c ]]
_EOT
        destination = "local/filter-acl.sh"
        uid = 100000
        gid = 100000
        perms = 755
      }

      # Main squid.conf. No change_mode is set, so Nomad's default applies
      # when the rendered content changes.
      template {
        data =<<_EOT
[[ template "squid/squid.conf" $c ]]
_EOT
        destination = "local/squid.conf"
      }

      # Reload helper invoked by the change_script blocks below.
      template {
        data =<<_EOT
[[ template "squid/reload.sh.tpl" $c ]]
_EOT
        destination = "local/reload.sh"
        uid = 100000
        gid = 100000
        perms = 755
      }

      # Basic-auth credentials file: readable by uid 100000 and group 100031
      # only. change_mode "noop" means a re-render does not signal Squid;
      # presumably basic_ncsa_auth re-reads the file on its own — confirm.
      template {
        data =<<_EOT
[[ template "squid/auth.tpl" $c ]]
_EOT
        destination = "secrets/auth"
        uid = 100000
        gid = 100031
        perms = 0640
        change_mode = "noop"
      }

      # ACL definitions, same ownership/mode as the auth file. A change runs
      # the reload script instead of restarting the task.
      template {
        data =<<_EOT
[[ template "squid/acl.conf.tpl" $c ]]
_EOT
        destination = "secrets/acl.conf"
        uid = 100000
        gid = 100031
        perms = 0640
        change_mode = "script"
        change_script {
          command = "/local/reload.sh"
        }
      }

      # One list file per entry of .squid.lists, placed at
      # local/lists/<category>/<key>.list. Entries with a "url" are fetched
      # as artifacts; entries with inline "content" are rendered as templates;
      # entries with neither key are skipped.
      # NOTE(review): the artifact variant carries no checksum for the fetched
      # list, and it is fetched when the task starts with no change trigger,
      # whereas the template variant reloads Squid on change — confirm both
      # are intended.
      [[- range $k, $v := .squid.lists ]]
      [[- if has $v "url" ]]

      artifact {
        source = "[[ $v.url ]]"
        destination = "local/lists/[[ $v.category ]]/[[ $k ]].list"
        mode = "file"
      }
      [[- else if has $v "content" ]]

      template {
        data =<<_EOT
[[ $v.content ]]
_EOT
        destination = "local/lists/[[ $v.category ]]/[[ $k ]].list"
        change_mode = "script"
        change_script {
          command = "/local/reload.sh"
        }
      }
      [[- end ]]
      [[- end ]]

      [[ template "common/file_env" $c ]]
      [[ template "common/resources" $c ]]
    }

    [[- if conv.ToBool $c.prometheus.enabled ]]

    [[ template "common/task.metrics_proxy" $c ]]

    # Within this block $c is re-bound with the exporter settings layered in,
    # so the "common/*" templates below see the exporter's values.
    [[- $c := merge $c.exporter $c ]]

    # Sidecar running the Squid exporter, started after the main task.
    task "exporter" {

      driver = "[[ $c.nomad.driver ]]"

      lifecycle {
        hook = "poststart"
        sidecar = true
      }

      config {
        image = "[[ $c.image ]]"
        readonly_rootfs = true
        pids_limit = 20
      }

      [[ template "common/vault.policies" $c ]]

      # Exporter settings delivered as an env file readable only by its
      # owner (400). The listener binds to loopback; external exposure
      # presumably goes through the metrics proxy task above. The manager
      # password is read from Vault KV at render time.
      # NOTE(review): the password is wrapped in single quotes, so a value
      # containing "'" would break the env file — confirm manager_pwd is
      # constrained accordingly.
      template {
        data = <<_EOT
SQUID_EXPORTER_LISTEN=127.0.0.1:9301
SQUID_LOGIN=squid_manager
SQUID_PASSWORD='{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.manager_pwd }}{{ end }}'
_EOT
        destination = "secrets/.squid-exporter.env"
        perms = 400
        env = true
      }

      [[ template "common/resources" $c ]]
    }

    [[- end ]]
  }
}