traefik/traefik.nomad.hcl


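# Nomad job template for one Traefik instance. The bracket-delimited
# directives are rendered first; Nomad then parses the resulting HCL.
# The group holds the Traefik task, the common metrics proxy task template
# (when prometheus is enabled) and a LemonLDAP::NG handler (when lemonldap
# is enabled).
[[ $c:= merge .traefik . -]]
job [[ .traefik.instance | toJSON ]] {
[[- template "common/job_start.tpl" $c ]]
group "traefik" {
count = [[ .traefik.count ]]
# Wait between service deregistration and the kill signal, so that clients
# stop sending traffic before Traefik exits.
shutdown_delay = "6s"
# One port per entrypoint; an entrypoint without an "enabled" key counts as
# enabled. "static" and "to" are only emitted when the entrypoint sets them.
network {
mode = "bridge"
[[- range $name, $def := .traefik.entrypoints ]]
[[- if or (not (has $def "enabled")) ($def.enabled) ]]
port "[[ $name ]]" {
[[- if has $def "static" ]]
static = [[ $def.static ]]
[[- end ]]
[[- if has $def "to" ]]
to = [[ $def.to ]]
[[- end ]]
}
[[- end ]]
[[- end ]]
# Dynamically allocated port, labelled for metrics.
port "metrics" {}
}
# Second registration of the https port; its Connect settings come from the
# shared connect template.
service {
name = "traefik-sidecar[[ .consul.suffix ]]"
port = "https"
[[ template "common/connect.tpl" $c ]]
}
# Main service entry. Its tags publish the routers that expose Traefik's own
# API/dashboard and ping endpoints.
service {
name = "[[ .traefik.instance ]]"
port = "https"
task = "traefik"
[[ template "common/metrics-meta.tpl" $c ]]
# Restart the task after 3 failed checks; failures during the first 10s after
# a (re)start are ignored.
check_restart {
limit = 3
grace = "10s"
}
# Both checks are plain TCP connects: they show that the listeners accept
# connections, not that routing or TLS is healthy.
check {
type = "tcp"
port = "http"
interval = "10s"
timeout = "2s"
}
check {
type = "tcp"
port = "https"
interval = "10s"
timeout = "2s"
}
# Traefik supports native Consul service mesh
connect {
native = true
}
# Tag prefix is the instance name. Two routers are declared:
#  - "<instance>-api"  -> api@internal (dashboard and API), matched on the
#    public_url host or the Consul service name, for /api and the public_url
#    path; the "<instance>-path" middleware rewrites the public path to
#    /dashboard/.
#  - "<instance>-ping" -> ping@internal, limited to GET /ping.
# The api router references the path middleware by the same instance-derived
# name under which it is declared, so it also resolves when the instance is
# not named "traefik".
# NOTE(review): api@internal exposes the routing configuration. Host matching
# is not access control (the Host header is client-supplied and the dots in
# the HostRegexp are unescaped), so authentication has to come from the
# middleware chain rendered by common/traefik_middlewares.tpl - confirm it
# always yields an auth middleware for the api router.
# NOTE(review): if public_url has no path component, the second PathPrefix of
# the api rule renders empty - confirm this case is excluded by configuration.
tags = [
"[[ .traefik.instance ]].enable=true",
"[[ .traefik.instance ]].http.middlewares.[[ .traefik.instance ]]-path.replacepathregex.regex=^[[ (.traefik.public_url | urlParse).Path |regexp.Replace "/$" "" ]]/(.*)",
"[[ .traefik.instance ]].http.middlewares.[[ .traefik.instance ]]-path.replacepathregex.replacement=/dashboard/$${1}",
"[[ .traefik.instance ]].http.routers.[[ .traefik.instance ]]-api.rule=(Host(`[[ (.traefik.public_url | urlParse).Hostname ]]`) || HostRegexp(`(.+\\.)?[[ .traefik.instance ]].service.[[ .consul.domain ]]`)) && (PathPrefix(`/api`) || PathPrefix(`[[ (.traefik.public_url | urlParse).Path ]]`))",
"[[ .traefik.instance ]].http.routers.[[ .traefik.instance ]]-api.entrypoints=[[ join (merge .traefik.api.traefik .traefik).entrypoints "," ]]",
"[[ .traefik.instance ]].http.routers.[[ .traefik.instance ]]-api.service=api@internal",
"[[ .traefik.instance ]].http.routers.[[ .traefik.instance ]]-api.middlewares=[[ template "common/traefik_middlewares.tpl" merge .traefik.api.traefik .traefik ]],[[ .traefik.instance ]]-path",
"[[ .traefik.instance ]].http.routers.[[ .traefik.instance ]]-ping.rule=(Host(`[[ (.traefik.public_url | urlParse).Hostname ]]`) || HostRegexp(`(.+\\.)?[[ .traefik.instance ]].service.[[ .consul.domain ]]`)) && Path(`/ping`) && Method(`GET`)",
"[[ .traefik.instance ]].http.routers.[[ .traefik.instance ]]-ping.entrypoints=[[ join (merge .traefik.ping.traefik .traefik).entrypoints "," ]]",
"[[ .traefik.instance ]].http.routers.[[ .traefik.instance ]]-ping.service=ping@internal",
"[[ .traefik.instance ]].http.routers.[[ .traefik.instance ]]-ping.priority=[[ .traefik.ping.traefik.priority ]]",
"[[ .traefik.instance ]].http.routers.[[ .traefik.instance ]]-ping.middlewares=[[ template "common/traefik_middlewares.tpl" merge .traefik.ping.traefik .traefik ]]",
"traefik-${NOMAD_ALLOC_INDEX}"
]
}
[[- if.prometheus.enabled ]]
[[- template "common/task.metrics_proxy.tpl" $c ]]
[[- end ]]
# The reverse proxy itself.
task "traefik" {
driver = [[ $c.nomad.driver | toJSON ]]
# Fixed numeric, non-root user inside the container.
user = 5443
# NOTE(review): this stanza keeps Nomad's defaults, so the Vault token is
# exported as VAULT_TOKEN and written to the secrets directory. The
# llng-handler task below turns both off; if Traefik never talks to Vault
# itself, the same two settings would fit here - confirm before changing.
vault {
policies = ["[[ .traefik.instance ]][[ .consul.suffix ]]"]
}
config {
image = [[ .traefik.image | toJSON ]]
command = "traefik"
args = [
"--configfile=/local/traefik.yml"
]
}
# Main traefik configuration
template {
data =<<_EOF
[[ template "traefik/traefik.yml.tpl" . ]]
_EOF
# Rendered into local/, which is part of the allocation directory on disk.
# NOTE(review): if traefik.yml.tpl can render credentials, secrets/ would be
# the more appropriate destination - confirm against that template.
destination = "local/traefik.yml"
# Owner read-only.
# NOTE(review): uid 105443 is presumably container uid 5443 shifted by a
# 100000 user-namespace offset (gid 100000 = container gid 0) - confirm
# against the driver's id mapping.
perms = "0400"
uid = 105443
gid = 100000
}
# One template stanza is generated per dynamic configuration file listed in
# the range below; each is rendered into the secrets directory.
# Dynamic file configuration
[[- range $file := coll.Slice "basicauth" "lemonldap" "certificates" "ip" "performance" "security" ]]
template {
data =<<_EOF
[[ tmpl.Exec (printf "traefik/config/%s.yml.tpl" $file) $ ]]
_EOF
destination = "secrets/config/[[ $file ]].yml"
# Nomad neither restarts nor signals the task when this file is re-rendered.
# NOTE(review): presumably Traefik's file provider watches this directory;
# otherwise rotated values are not picked up - confirm in traefik.yml.tpl.
change_mode = "noop"
perms = "0400"
uid = 105443
gid = 100000
}
[[ end -]]
[[ template "common/resources.tpl" .traefik.resources ]]
}
[[- if .lemonldap.enabled ]]
[[- $c = merge .lemonldap . ]]
# LL::NG handler for sso
# Only rendered when lemonldap is enabled.
# NOTE(review): no "user" is set on this task, so it runs as the image's
# default user; the template ownership below (uid/gid 100048) presumably maps
# to uid 48 inside the container - confirm.
task "llng-handler" {
driver = [[ $c.nomad.driver | toJSON ]]
config {
image = [[ .lemonldap.image | toJSON ]]
# The rendered ini file is mounted read-only into the container.
volumes = [
"secrets/lemonldap-ng.ini:/etc/lemonldap-ng/lemonldap-ng.ini:ro",
]
}
# Started before the main task and kept running alongside it.
lifecycle {
hook = "prestart"
sidecar = true
}
# The Vault token is exposed neither as an environment variable nor as a
# file in this task.
vault {
policies = ["[[ .traefik.instance ]][[ .consul.suffix ]]"]
env = false
disable_file = true
}
template {
data =<<_EOF
[[ template "traefik/lemonldap-ng.ini.tpl" . ]]
_EOF
destination = "secrets/lemonldap-ng.ini"
perms = "0400"
uid = 100048
gid = 100048
}
[[ template "common/resources.tpl" .lemonldap.resources ]]
}
[[- end ]]
}
}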
# vim: syntax=hcl