# Nomad job for a Traefik ingress group, rendered through a gomplate-style
# template ([[ ]] delimiters). The group carries the traefik task, an optional
# metrics proxy task (from common/task.metrics_proxy) and, when
# .lemonldap.enabled is set, a LemonLDAP::NG handler sidecar for SSO.
# $c holds the merged configuration for whichever task is being rendered.
job "[[ .instance ]]" {
  [[ template "common/job_start" . ]]

  group "traefik" {
    # Traefik-specific settings overlaid on the instance-wide config.
    [[ $c := merge .traefik . ]]
    [[ template "common/group_start" $c ]]

    network {
      mode = "bridge"
      # One port per entrypoint. An entrypoint without an "enabled" key is
      # treated as enabled; "static" and "to" are only emitted when present.
      [[- range $name, $def := $c.entrypoints ]]
      [[- if or (not (has $def "enabled")) ($def.enabled) ]]
      port "[[ $name ]]" {
        [[- if has $def "static" ]]
        static = [[ $def.static ]]
        [[- end ]]
        [[- if has $def "to" ]]
        to = [[ $def.to ]]
        [[- end ]]
      }
      [[- end ]]
      [[- end ]]
      # Dynamic metrics port, only when Prometheus scraping is turned on.
      [[- if conv.ToBool $c.prometheus.enabled ]]
      port "metrics" {}
      [[- end ]]
    }

    # Service used for the Consul Connect sidecar side of the mesh.
    service {
      name = "[[ .instance ]]-sidecar[[ .consul.suffix ]]"
      port = "https"
      [[ template "common/connect" $c ]]
    }

    # Main service registration for Traefik itself, bound to the traefik task.
    service {
      name = "[[ .instance ]][[ .consul.suffix ]]"
      port = "https"
      task = "traefik"
      [[ template "common/service_meta" $c ]]
      # Traefik supports native Consul service mesh
      connect {
        native = true
      }
      # Traefik routes its own API/dashboard (api@internal) and health
      # endpoint (ping@internal) through these Consul tags. Both routers match
      # the public hostname or any "<x>.<instance>.service.<domain>" name.
      # Access control for api@internal is expected to come from the tags
      # emitted by common/traefik_tags — not visible here; verify that an
      # authentication middleware is attached before exposing this route.
      tags = [
        [[- $a := merge $c.api $c ]]
        "[[ .instance ]].http.routers.[[ .instance ]]-api.rule=(Host(`[[ ($c.public_url | urlParse).Hostname ]]`) || HostRegexp(`(.+\\.)?[[ .instance ]].service.[[ .consul.domain ]]`)) && (PathPrefix(`/api`) || PathPrefix(`[[ (.traefik.public_url | urlParse).Path ]]`))",
        "[[ .instance ]].http.routers.[[ .instance ]]-api.service=api@internal",
        [[ template "common/traefik_tags" $a ]]
        [[- $p := merge $c.ping $c ]]
        # Ping is limited to GET on exactly /ping.
        "[[ .instance ]].http.routers.[[ .instance ]]-ping.rule=(Host(`[[ (.traefik.public_url | urlParse).Hostname ]]`) || HostRegexp(`(.+\\.)?[[ .instance ]].service.[[ .consul.domain ]]`)) && Path(`/ping`) && Method(`GET`)",
        "[[ .instance ]].http.routers.[[ .instance ]]-ping.service=ping@internal",
        [[ template "common/traefik_tags" $p ]]
        # Per-allocation tag, interpolated by Nomad at runtime.
        "traefik-${NOMAD_ALLOC_INDEX}"
      ]
    }

    [[- template "common/task.metrics_proxy" $c ]]

    task "traefik" {
      driver = "[[ $c.nomad.driver ]]"
      # Unprivileged fixed uid; the rendered secrets below are owned to match.
      user = 5443

      [[ template "common/vault.policies" $c ]]

      config {
        image = "[[ .traefik.image]]"
        # Container hardening: immutable root filesystem and a pid cap.
        readonly_rootfs = true
        pids_limit = 300
        command = "traefik"
        # All static configuration comes from the rendered file in /secrets.
        args = [
          "--configfile=/secrets/traefik.yml"
        ]
      }

      # Main traefik configuration
      # Rendered from the traefik config template with the merged settings and
      # written read-only for the owner. uid 105443 / gid 100000 look like a
      # user-namespace remap of uid 5443 — TODO confirm against the driver setup.
      template {
        data =<<_EOF
[[ template "traefik/traefik.yml.tpl" $c ]]
_EOF
        destination = "secrets/traefik.yml"
        perms = "0400"
        uid = 105443
        gid = 100000
      }

      # Dynamic file configuration
      # One file-provider fragment per listed template. change_mode = "noop"
      # means Nomad neither restarts nor signals the task when a fragment is
      # re-rendered; presumably Traefik's file provider watches the directory
      # itself — confirm in traefik.yml.tpl.
      [[- range $file := coll.Slice "basicauth" "lemonldap" "certificates" "ip" "performance" "security" "proxy" ]]
      template {
        data =<<_EOF
[[ tmpl.Exec (printf "traefik/config/%s.yml.tpl" $file) $ ]]
_EOF
        destination = "secrets/config/[[ $file ]].yml"
        change_mode = "noop"
        perms = "0400"
        uid = 105443
        gid = 100000
      }
      [[ end -]]

      [[ template "common/resources" $c ]]
    }

    [[- if .lemonldap.enabled ]]
    # From here on $c is the LemonLDAP::NG config merged over the instance
    # config, so driver and resources below come from .lemonldap.
    [[- $c = merge .lemonldap . ]]
    # LL::NG handler for sso
    # NOTE(review): unlike the traefik task this one sets no user,
    # readonly_rootfs or pids_limit — confirm whether that is intentional.
    task "lemonldap-ng-handler" {
      driver = "[[ $c.nomad.driver ]]"

      config {
        image = "[[ .lemonldap.image ]]"
        # The rendered ini is bind-mounted read-only into the container.
        volumes = [
          "secrets/lemonldap-ng.ini:/etc/lemonldap-ng/lemonldap-ng.ini:ro",
        ]
        # Add a tmpfs to store config and session cache
        [[ template "common/tmpfs" dict "size" "10000000" "target" "/tmp" ]]
      }

      # Started before the main task and kept running alongside it.
      lifecycle {
        hook = "prestart"
        sidecar = true
      }

      env {
        LLNG_SOCKET_PROTO = "http"
        # Loopback listener; in bridge mode this is only reachable from other
        # tasks in the same allocation network namespace — presumably traefik.
        LLNG_LISTEN = "127.0.0.1:8183"
        SOURCE_SERVER = "traefik"
        MINIT_UNIT_DIR = "/local/minit.d"
      }

      [[ template "common/file_env" $c ]]

      # Vault token is used only for template rendering: not exported to the
      # environment and not written to the secrets directory.
      vault {
        policies = ["[[ .instance ]][[ .consul.suffix ]]"]
        env = false
        disable_file = true
      }

      # Handler configuration, owner-readable only. uid/gid 100048 presumably
      # corresponds to the remapped service account in the image — verify.
      template {
        data =<<_EOT
[[ template "traefik/lemonldap-ng.ini.tpl" . ]]
_EOT
        destination = "secrets/lemonldap-ng.ini"
        perms = "0400"
        uid = 100048
        gid = 100048
      }

      # Process supervisor unit definition, picked up via MINIT_UNIT_DIR.
      template {
        data =<<_EOT
[[ template "traefik/minit.yml.tpl" . ]]
_EOT
        destination = "local/minit.d/lemonldap-ng.yml"
      }

      [[ template "common/resources" $c ]]
    }
    [[- end ]]
  }
}

# vim: syntax=hcl