2024-01-12 22:42:09 +01:00
job "vaultwarden" {
datacenters = [ "dc1" ]
2024-02-26 13:58:30 +01:00
region = "global"
2024-01-12 22:42:09 +01:00
group "vaultwarden" {
count = 1
network {
mode = "bridge"
}
2024-05-03 10:43:43 +02:00
2024-01-12 22:42:09 +01:00
volume "data" {
source = "vaultwarden-data"
type = "csi"
access_mode = "multi-node-multi-writer"
attachment_mode = "file-system"
}
service {
name = "vaultwarden"
port = 8234
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "smtp"
local_bind_port = 25
2024-02-13 09:38:01 +01:00
# Work arround, see https://github.com/hashicorp/nomad/issues/18538
destination_type = "service"
2024-01-12 22:42:09 +01:00
}
upstreams {
destination_name = "postgres"
local_bind_port = 5432
2024-02-13 09:38:01 +01:00
# Work arround, see https://github.com/hashicorp/nomad/issues/18538
destination_type = "service"
2024-01-12 22:42:09 +01:00
}
}
}
sidecar_task {
2024-05-12 21:26:59 +02:00
logs {
disabled = false
}
2024-01-27 00:11:39 +01:00
config {
args = [
"-c" ,
"${NOMAD_SECRETS_DIR}/envoy_bootstrap.json" ,
"-l" ,
"${meta.connect.log_level}" ,
"--concurrency" ,
"${meta.connect.proxy_concurrency}" ,
"--disable-hot-restart"
]
}
2024-01-12 22:42:09 +01:00
resources {
cpu = 50
memory = 64
}
}
}
check {
type = "http"
path = "/alive"
expose = true
2024-05-12 21:26:59 +02:00
interval = "30s"
timeout = "5s"
2024-01-12 22:42:09 +01:00
check_restart {
limit = 20
grace = "20s"
}
}
tags = [
2024-01-27 00:11:39 +01:00
2024-01-12 22:42:09 +01:00
"traefik.enable = true " ,
"traefik.http.routers.vaultwarden-admin.entrypoints = https " ,
"traefik.http.routers.vaultwarden-admin.priority = 200 " ,
2024-01-29 10:43:46 +01:00
"traefik.http.routers.vaultwarden-admin.rule = Host ( ` vaultwarden . example . org ` ) & & PathPrefix ( ` / admin ` ) " ,
"traefik.http.middlewares.csp-vaultwarden-admin.headers.contentsecuritypolicy = default - src ' self ' ; font - src ' self ' data : ; img - src ' self ' data : ; script - src ' self ' ' unsafe - inline ' ' unsafe - eval ' ; style - src ' self ' ' unsafe - inline ' ; " ,
"traefik.http.routers.vaultwarden-admin.middlewares = security - headers @ file , rate - limit - std @ file , forward - proto @ file , inflight - std @ file , hsts @ file , compression @ file , csp - vaultwarden - admin " ,
2024-01-27 00:11:39 +01:00
2024-01-12 22:42:09 +01:00
2024-01-27 00:11:39 +01:00
"traefik.enable = true " ,
2024-01-12 22:42:09 +01:00
"traefik.http.routers.vaultwarden.entrypoints = https " ,
"traefik.http.routers.vaultwarden.priority = 100 " ,
2024-01-29 10:43:46 +01:00
"traefik.http.routers.vaultwarden.rule = Host ( ` vaultwarden . example . org ` ) " ,
"traefik.http.middlewares.csp-vaultwarden.headers.contentsecuritypolicy = connect - src ' self ' https : / / api . pwnedpasswords . com https : / / api . 2 f a . directory ; default - src ' self ' ; font - src ' self ' data : ; img - src ' self ' data : https : / / www . gravatar . com ; script - src ' self ' ' unsafe - inline ' ' unsafe - eval ' ; style - src ' self ' ' unsafe - inline ' ; " ,
"traefik.http.routers.vaultwarden.middlewares = security - headers @ file , rate - limit - std @ file , forward - proto @ file , inflight - std @ file , hsts @ file , compression @ file , csp - vaultwarden " ,
2024-01-27 00:11:39 +01:00
2024-01-12 22:42:09 +01:00
]
}
# wait for required services tp be ready before starting the main task
task "wait-for" {
driver = "docker"
user = 1053
config {
2024-05-03 10:43:43 +02:00
image = "danielberteaud/wait-for:24.5-1"
2024-01-12 22:42:09 +01:00
readonly_rootfs = true
pids_limit = 20
}
lifecycle {
hook = "prestart"
}
env {
SERVICE_0 = "master.postgres.service.consul"
}
resources {
cpu = 10
memory = 10
memory_max = 30
}
}
task "vaultwarden" {
driver = "docker"
user = 8234
config {
2024-03-02 22:13:47 +01:00
image = "vaultwarden/server:1.30.5-alpine"
2024-01-12 22:42:09 +01:00
pids_limit = 100
readonly_rootfs = true
}
vault {
policies = [ "vaultwarden" ]
env = false
disable_file = true
2024-02-05 09:37:35 +01:00
change_mode = "noop"
2024-01-12 22:42:09 +01:00
}
2024-03-27 13:20:27 +01:00
2024-01-12 22:42:09 +01:00
env {
ROCKET_ADDRESS = "127.0.0.1"
ROCKET_PORT = 8234
IP_HEADER = "X-Forwarded-for"
DOMAIN = "https://vaultwarden.example.org/"
DB_CONNECTION_RETRIES = 0
}
template {
data = < < _EOT
2024-05-27 11:10:22 +02:00
DATABASE_URL = postgresql : / / {{ with secret "database/creds/vaultwarden" }}{{ .Data.username }}{{ end }}:{{ with secret "database/creds/vaultwarden" }}{{ urlquery . Data . password }}{{ end }}@ 127 . 0 . 0 . 1 : 5432 / vaultwarden
2024-01-12 22:42:09 +01:00
_EOT
destination = "secrets/.db.env"
perms = 400
env = true
}
2024-03-27 13:20:27 +01:00
2024-01-12 22:42:09 +01:00
# Use a template block instead of env {} so we can fetch values from vault
template {
data = < < _EOT
EVENTS_DAYS_RETAIN = 720
INCOMPLETE_2FA_TIME_LIMIT = 5
LANG = fr_FR . utf8
ORG_EVENTS_ENABLED = true
SIGNUPS_VERIFY = true
SMTP_FROM = vaultwarden - no - reply @ consul
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_SECURITY = off
TRASH_AUTO_DELETE_DAYS = 7
TZ = Europe / Paris
USER_ATTACHMENT_LIMIT = 204800
_EOT
destination = "secrets/.env"
perms = 400
env = true
}
volume_mount {
volume = "data"
destination = "/data"
}
2024-01-27 00:11:39 +01:00
2024-01-12 22:42:09 +01:00
resources {
cpu = 300
memory = 128
}
}
}
}