traefik/traefik.nomad.hcl

job "[[ .instance ]]" {

[[ template "common/job_start" . ]]

  group "traefik" {
[[ $c := merge .traefik . ]]
[[ template "common/group_start" $c ]]

    network {
      mode = "bridge"

[[- range $name, $def := $c.entrypoints ]]
  [[- if or (not (has $def "enabled")) ($def.enabled) ]]
      port "[[ $name ]]" {
    [[- if has $def "static" ]]
        static = [[ $def.static ]]
    [[- end ]]
    [[- if has $def "to" ]]
        to     = [[ $def.to ]]
    [[- end ]]
      }
  [[- end ]]
[[- end ]]
[[- if conv.ToBool $c.prometheus.enabled ]]
      port "metrics" {}
[[- end ]]
    }

    service {
      name = "[[ .instance ]]-sidecar[[ .consul.suffix ]]"
      port = "https"

[[ template "common/connect" $c ]]
    }

    service {
      name = "[[ .instance ]][[ .consul.suffix ]]"
      port = "https"
      task = "traefik"

[[ template "common/service_meta" $c ]]

      # Traefik supports native Consul service mesh
      connect {
        native = true
      }

      tags = [
[[- $a := merge $c.api $c ]]
        "[[ .instance ]].http.routers.[[ .instance ]]-api.rule=(Host(`[[ ($c.public_url | urlParse).Hostname ]]`) || HostRegexp(`(.+\\.)?[[ .instance ]].service.[[ .consul.domain ]]`)) && (PathPrefix(`/api`) || PathPrefix(`[[ (.traefik.public_url | urlParse).Path ]]`))",
        "[[ .instance ]].http.routers.[[ .instance ]]-api.service=api@internal",
[[ template "common/traefik_tags" $a ]]

[[- $p := merge $c.ping $c ]]
        "[[ .instance ]].http.routers.[[ .instance ]]-ping.rule=(Host(`[[ (.traefik.public_url | urlParse).Hostname ]]`) || HostRegexp(`(.+\\.)?[[ .instance ]].service.[[ .consul.domain ]]`)) && Path(`/ping`) && Method(`GET`)",
        "[[ .instance ]].http.routers.[[ .instance ]]-ping.service=ping@internal",
[[ template "common/traefik_tags" $p ]]

        "traefik-${NOMAD_ALLOC_INDEX}"
      ]
    }

[[- template "common/task.metrics_proxy" $c ]]

    task "traefik" {
      driver = "[[ $c.nomad.driver ]]"
      user   = 5443

[[ template "common/vault.policies" $c ]]

      config {
        image           = "[[ .traefik.image]]"
        readonly_rootfs = true
        pids_limit      = 300
        command         = "traefik"
        args            = [
          "--configfile=/secrets/traefik.yml"
        ]
      }

      # Main traefik configuration
      template {
        data        =<<_EOF
[[ template "traefik/traefik.yml.tpl" $c ]]
_EOF
        destination = "secrets/traefik.yml"
        perms       = "0400"
        uid         = 105443
        gid         = 100000
      }

  # Dynamic file configuration
  [[- range $file := coll.Slice "basicauth" "lemonldap" "certificates" "ip" "performance" "security" "proxy" ]]

      template {
        data        =<<_EOF
[[ tmpl.Exec (printf "traefik/config/%s.yml.tpl" $file) $ ]]
_EOF
        destination = "secrets/config/[[ $file ]].yml"
        change_mode = "noop"
        perms       = "0400"
        uid         = 105443
        gid         = 100000
      }

[[ end -]]

[[ template "common/resources" $c ]]
    }

[[- if .lemonldap.enabled ]]

  [[- $c = merge .lemonldap . ]]

    # LL::NG handler for sso
    task "lemonldap-ng-handler" {
      driver = "[[ $c.nomad.driver ]]"

      config {
        image = "[[ .lemonldap.image ]]"
        volumes = [
          "secrets/lemonldap-ng.ini:/etc/lemonldap-ng/lemonldap-ng.ini:ro",
        ]
        # Add a tmpfs to store config and session cache
[[ template "common/tmpfs" dict "size" "10000000" "target" "/tmp" ]]
      }

      lifecycle {
        hook    = "prestart"
        sidecar = true
      }

      env {
        LLNG_SOCKET_PROTO = "http"
        LLNG_LISTEN       = "127.0.0.1:8183"
        SOURCE_SERVER     = "traefik"
        MINIT_UNIT_DIR    = "/local/minit.d"
      }

[[ template "common/file_env" $c ]]

      vault {
        policies     = ["[[ .instance ]][[ .consul.suffix ]]"]
        env          = false
        disable_file = true
      }

      template {
        data        =<<_EOT
[[ template "traefik/lemonldap-ng.ini.tpl" . ]]
_EOT
        destination = "secrets/lemonldap-ng.ini"
        perms       = "0400"
        uid         = 100048
        gid         = 100048
      }

      template {
        data =<<_EOT
[[ template "traefik/minit.yml.tpl" . ]]
_EOT
        destination = "local/minit.d/lemonldap-ng.yml"
      }

      [[ template "common/resources" $c ]]
    }
[[- end ]]
  }
}

# vim: syntax=hcl
Replace caretakerd with minit 2024-01-19 22:35:23 +01:00			`job "[[ .instance ]]" {`
Cleanup 2023-10-08 18:10:14 +02:00
Use group_start 2024-04-09 10:27:46 +02:00			`[[ template "common/job_start" . ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00
			`group "traefik" {`
Use group_start 2024-04-09 10:27:46 +02:00			`[[ $c := merge .traefik . ]]`
			`[[ template "common/group_start" $c ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00
			`network {`
			`mode = "bridge"`
Cleanup 2023-08-21 16:05:28 +02:00
Replace caretakerd with minit 2024-01-19 22:35:23 +01:00			`[[- range $name, $def := $c.entrypoints ]]`
Correctly handle disabled entrypoints 2023-10-16 14:01:16 +02:00			`[[- if or (not (has $def "enabled")) ($def.enabled) ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`port "[[ $name ]]" {`
Correctly handle disabled entrypoints 2023-10-16 14:01:16 +02:00			`[[- if has $def "static" ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`static = [[ $def.static ]]`
Correctly handle disabled entrypoints 2023-10-16 14:01:16 +02:00			`[[- end ]]`
			`[[- if has $def "to" ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`to = [[ $def.to ]]`
Correctly handle disabled entrypoints 2023-10-16 14:01:16 +02:00			`[[- end ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`}`
Correctly handle disabled entrypoints 2023-10-16 14:01:16 +02:00			`[[- end ]]`
			`[[- end ]]`
Cleanup metrics handling 2024-03-27 13:15:53 +01:00			`[[- if conv.ToBool $c.prometheus.enabled ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`port "metrics" {}`
Do not allocate a port for metrics unless prometheus is enabled 2024-01-05 16:38:01 +01:00			`[[- end ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`}`

			`service {`
Replace caretakerd with minit 2024-01-19 22:35:23 +01:00			`name = "[[ .instance ]]-sidecar[[ .consul.suffix ]]"`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`port = "https"`

Cleanup 2023-12-21 23:27:52 +01:00			`[[ template "common/connect" $c ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`}`

			`service {`
Replace caretakerd with minit 2024-01-19 22:35:23 +01:00			`name = "[[ .instance ]][[ .consul.suffix ]]"`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`port = "https"`
			`task = "traefik"`

Reduce LL::NG cache validity 2024-03-25 13:24:01 +01:00			`[[ template "common/service_meta" $c ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00
			`# Traefik supports native Consul service mesh`
			`connect {`
			`native = true`
			`}`

			`tags = [`
Adapt to new middleware model 2024-01-28 23:54:36 +01:00			`[[- $a := merge $c.api $c ]]`
			"[[ .instance ]].http.routers.[[ .instance ]]-api.rule=(Host(`[[ ($c.public_url \| urlParse).Hostname ]]`) \|\| HostRegexp(`(.+\\.)?[[ .instance ]].service.[[ .consul.domain ]]`)) && (PathPrefix(`/api`) \|\| PathPrefix(`[[ (.traefik.public_url \| urlParse).Path ]]`))",
Cleanup 2023-12-21 23:27:52 +01:00			`"[[ .instance ]].http.routers.[[ .instance ]]-api.service=api@internal",`
Adapt to new middleware model 2024-01-28 23:54:36 +01:00			`[[ template "common/traefik_tags" $a ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00
Adapt to new middleware model 2024-01-28 23:54:36 +01:00			`[[- $p := merge $c.ping $c ]]`
Cleanup 2023-12-21 23:27:52 +01:00			"[[ .instance ]].http.routers.[[ .instance ]]-ping.rule=(Host(`[[ (.traefik.public_url \| urlParse).Hostname ]]`) \|\| HostRegexp(`(.+\\.)?[[ .instance ]].service.[[ .consul.domain ]]`)) && Path(`/ping`) && Method(`GET`)",
			`"[[ .instance ]].http.routers.[[ .instance ]]-ping.service=ping@internal",`
Adapt to new middleware model 2024-01-28 23:54:36 +01:00			`[[ template "common/traefik_tags" $p ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00
Cleanup 2023-08-21 16:05:28 +02:00			`"traefik-${NOMAD_ALLOC_INDEX}"`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`]`
			`}`

Cleanup metrics handling 2024-03-27 13:15:53 +01:00			`[[- template "common/task.metrics_proxy" $c ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00
			`task "traefik" {`
Replace caretakerd with minit 2024-01-19 22:35:23 +01:00			`driver = "[[ $c.nomad.driver ]]"`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`user = 5443`

Update to 3.0.0 2024-04-29 22:27:31 +02:00			`[[ template "common/vault.policies" $c ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00
			`config {`
Update to 3.0.0 2024-04-29 22:27:31 +02:00			`image = "[[ .traefik.image]]"`
			`readonly_rootfs = true`
			`pids_limit = 300`
			`command = "traefik"`
			`args = [`
Move config in secrets 2023-10-18 09:31:43 +02:00			`"--configfile=/secrets/traefik.yml"`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`]`
			`}`

			`# Main traefik configuration`
			`template {`
			`data =<<_EOF`
Cleanup metrics handling 2024-03-27 13:15:53 +01:00			`[[ template "traefik/traefik.yml.tpl" $c ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`_EOF`
Move config in secrets 2023-10-18 09:31:43 +02:00			`destination = "secrets/traefik.yml"`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`perms = "0400"`
			`uid = 105443`
			`gid = 100000`
			`}`

Cleanup + build our own Docker image 2023-08-29 23:19:28 +02:00			`# Dynamic file configuration`
Add a forward-proto middleware 2024-01-28 23:17:09 +01:00			`[[- range $file := coll.Slice "basicauth" "lemonldap" "certificates" "ip" "performance" "security" "proxy" ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00
			`template {`
			`data =<<_EOF`
Cleanup 2023-08-21 16:05:28 +02:00			`[[ tmpl.Exec (printf "traefik/config/%s.yml.tpl" $file) $ ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`_EOF`
			`destination = "secrets/config/[[ $file ]].yml"`
Cleanup 2023-08-21 16:05:28 +02:00			`change_mode = "noop"`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`perms = "0400"`
			`uid = 105443`
			`gid = 100000`
			`}`

			`[[ end -]]`

Replace caretakerd with minit 2024-01-19 22:35:23 +01:00			`[[ template "common/resources" $c ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`}`
Cleanup 2023-10-08 18:10:14 +02:00
			`[[- if .lemonldap.enabled ]]`

			`[[- $c = merge .lemonldap . ]]`

			`# LL::NG handler for sso`
Switch to the lemonldap-ng image 2024-01-04 11:27:27 +01:00			`task "lemonldap-ng-handler" {`
Replace caretakerd with minit 2024-01-19 22:35:23 +01:00			`driver = "[[ $c.nomad.driver ]]"`
Cleanup 2023-10-08 18:10:14 +02:00
			`config {`
Replace caretakerd with minit 2024-01-19 22:35:23 +01:00			`image = "[[ .lemonldap.image ]]"`
Cleanup 2023-10-08 18:10:14 +02:00			`volumes = [`
			`"secrets/lemonldap-ng.ini:/etc/lemonldap-ng/lemonldap-ng.ini:ro",`
			`]`
Use LL::NG REST API for config and sessions 2024-01-02 21:23:18 +01:00			`# Add a tmpfs to store config and session cache`
			`[[ template "common/tmpfs" dict "size" "10000000" "target" "/tmp" ]]`
Cleanup 2023-10-08 18:10:14 +02:00			`}`

			`lifecycle {`
			`hook = "prestart"`
			`sidecar = true`
			`}`

Switch to the lemonldap-ng image 2024-01-04 11:27:27 +01:00			`env {`
			`LLNG_SOCKET_PROTO = "http"`
			`LLNG_LISTEN = "127.0.0.1:8183"`
			`SOURCE_SERVER = "traefik"`
Replace caretakerd with minit 2024-01-19 22:35:23 +01:00			`MINIT_UNIT_DIR = "/local/minit.d"`
Switch to the lemonldap-ng image 2024-01-04 11:27:27 +01:00			`}`

Replace caretakerd with minit 2024-01-19 22:35:23 +01:00			`[[ template "common/file_env" $c ]]`
Possibility to set env vars in LL::NG handler container 2024-01-04 11:40:37 +01:00
Cleanup 2023-10-08 18:10:14 +02:00			`vault {`
Cleanup 2023-12-21 23:27:52 +01:00			`policies = ["[[ .instance ]][[ .consul.suffix ]]"]`
Cleanup 2023-10-08 18:10:14 +02:00			`env = false`
			`disable_file = true`
			`}`

			`template {`
Workarround a bug which duplicates headers in Traefik handler 2023-11-20 09:26:08 +01:00			`data =<<_EOT`
Use LL::NG REST API for config and sessions 2024-01-02 21:23:18 +01:00			`[[ template "traefik/lemonldap-ng.ini.tpl" . ]]`
Workarround a bug which duplicates headers in Traefik handler 2023-11-20 09:26:08 +01:00			`_EOT`
Cleanup 2023-10-08 18:10:14 +02:00			`destination = "secrets/lemonldap-ng.ini"`
			`perms = "0400"`
			`uid = 100048`
			`gid = 100048`
			`}`

Switch to the lemonldap-ng image 2024-01-04 11:27:27 +01:00			`template {`
			`data =<<_EOT`
Replace caretakerd with minit 2024-01-19 22:35:23 +01:00			`[[ template "traefik/minit.yml.tpl" . ]]`
Switch to the lemonldap-ng image 2024-01-04 11:27:27 +01:00			`_EOT`
Replace caretakerd with minit 2024-01-19 22:35:23 +01:00			`destination = "local/minit.d/lemonldap-ng.yml"`
Switch to the lemonldap-ng image 2024-01-04 11:27:27 +01:00			`}`

Replace caretakerd with minit 2024-01-19 22:35:23 +01:00			`[[ template "common/resources" $c ]]`
Cleanup 2023-10-08 18:10:14 +02:00			`}`
			`[[- end ]]`
Import from previous install and adapt for gomplate 2023-08-21 10:15:40 +02:00			`}`
			`}`

			`# vim: syntax=hcl`