Use traefik_tags template
This commit is contained in:
parent
9cef0d414f
commit
c942ed6442
|
@ -34,7 +34,7 @@ RUN set -euxo pipefail &&\
|
||||||
mv web-vault / &&\
|
mv web-vault / &&\
|
||||||
chown -R root:root /web-vault
|
chown -R root:root /web-vault
|
||||||
|
|
||||||
FROM danielberteaud/alpine:24.1-6
|
FROM danielberteaud/alpine:24.1-8
|
||||||
MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
|
MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
|
||||||
|
|
||||||
ENV ROCKET_PROFILE=release \
|
ENV ROCKET_PROFILE=release \
|
||||||
|
|
|
@ -38,6 +38,18 @@ job "vaultwarden" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
sidecar_task {
|
sidecar_task {
|
||||||
|
config {
|
||||||
|
args = [
|
||||||
|
"-c",
|
||||||
|
"${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
|
||||||
|
"-l",
|
||||||
|
"${meta.connect.log_level}",
|
||||||
|
"--concurrency",
|
||||||
|
"${meta.connect.proxy_concurrency}",
|
||||||
|
"--disable-hot-restart"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
resources {
|
resources {
|
||||||
cpu = 50
|
cpu = 50
|
||||||
memory = 64
|
memory = 64
|
||||||
|
@ -61,19 +73,21 @@ job "vaultwarden" {
|
||||||
}
|
}
|
||||||
|
|
||||||
tags = [
|
tags = [
|
||||||
|
|
||||||
"traefik.enable=true",
|
"traefik.enable=true",
|
||||||
# Admin interface
|
"traefik.http.routers.vaultwarden-admin.rule=Host(`vaultwarden.example.org`) && PathPrefix(`//admin`)",
|
||||||
"traefik.http.routers.vaultwarden-admin.rule=Host(`vaultwarden.example.org`) && PathPrefix(`/admin`)",
|
|
||||||
"traefik.http.routers.vaultwarden-admin.entrypoints=https",
|
"traefik.http.routers.vaultwarden-admin.entrypoints=https",
|
||||||
"traefik.http.routers.vaultwarden-admin.priority=200",
|
"traefik.http.routers.vaultwarden-admin.priority=200",
|
||||||
"traefik.http.routers.vaultwarden.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file,compression@file,csp-relaxed@file",
|
"traefik.http.routers.vaultwarden-admin.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file",
|
||||||
|
|
||||||
# Main interface
|
|
||||||
|
"traefik.enable=true",
|
||||||
"traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.example.org`)",
|
"traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.example.org`)",
|
||||||
"traefik.http.routers.vaultwarden.entrypoints=https",
|
"traefik.http.routers.vaultwarden.entrypoints=https",
|
||||||
"traefik.http.routers.vaultwarden.priority=100",
|
"traefik.http.routers.vaultwarden.priority=100",
|
||||||
"traefik.http.middlewares.vaultwarden-csp.headers.contentSecurityPolicy=default-src 'self'; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory",
|
"traefik.http.middlewares.vaultwarden-csp.headers.contentsecuritypolicy=connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory;default-src 'self';font-src 'self' data:;img-src 'self' data: https://www.gravatar.com;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||||
"traefik.http.routers.vaultwarden.middlewares=vaultwarden-csp,rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file,compression@file,csp-relaxed@file",
|
"traefik.http.routers.vaultwarden.middlewares=vaultwarden-csp,rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file",
|
||||||
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -172,6 +186,7 @@ _EOT
|
||||||
destination = "/data"
|
destination = "/data"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
resources {
|
resources {
|
||||||
cpu = 300
|
cpu = 300
|
||||||
memory = 128
|
memory = 128
|
||||||
|
|
|
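Review bot: The admin router line `traefik.http.routers.vaultwarden-admin.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file` no longer carries any CSP middleware, whereas the line it replaces attached `csp-relaxed@file` and the main router keeps `vaultwarden-csp`, so /admin is now served with only what security-headers@file sets and nothing CSP-specific. If the admin UI works under the main policy, append `vaultwarden-csp` to that list; otherwise keep `csp-relaxed@file` on it, and record the choice with a comment such as `# admin router: no dedicated CSP, relies on security-headers@file`. Separately, `traefik.enable=true` now appears twice in the tag list (once before each router block); Traefik tolerates the duplicate, but it suggests the generating template emits it per router rather than per instance.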
@ -66,13 +66,26 @@ vaultwarden:
|
||||||
public_url: https://vaultwarden.example.org/
|
public_url: https://vaultwarden.example.org/
|
||||||
|
|
||||||
# Traefik settings
|
# Traefik settings
|
||||||
traefik: {}
|
traefik:
|
||||||
|
# Makes sure
|
||||||
|
priority: 100
|
||||||
|
csp:
|
||||||
|
default-src: "'self'"
|
||||||
|
img-src: "'self' data: https://www.gravatar.com"
|
||||||
|
script-src: "'self' 'unsafe-inline' 'unsafe-eval'"
|
||||||
|
style-src: "'self' 'unsafe-inline'"
|
||||||
|
font-src: "'self' data:"
|
||||||
|
connect-src: "'self' https://api.pwnedpasswords.com https://api.2fa.directory"
|
||||||
|
|
||||||
# Settings for the /admin interface
|
# Settings for the /admin interface
|
||||||
# Note that this interface is disabled unless ADMIN_TOKEN env var is set
|
# Note that this interface is disabled unless ADMIN_TOKEN env var is set
|
||||||
admin:
|
admin:
|
||||||
|
public_url: '[[ .vaultwarden.server.public_url ]]/admin'
|
||||||
# If enabled, we can set specific Traefik middlewares
|
# If enabled, we can set specific Traefik middlewares
|
||||||
traefik: {}
|
traefik:
|
||||||
|
strip_prefix: false
|
||||||
|
router: '[[ .instance ]]-admin[[ .consul.suffix ]]'
|
||||||
|
priority: 200
|
||||||
|
|
||||||
# Volumes for data persistance
|
# Volumes for data persistance
|
||||||
volumes:
|
volumes:
|
||||||
|
|
|
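Review bot: The comment `# Makes sure` above `priority: 100` is left unfinished, so the reason for the value is lost; complete it, e.g. `# Makes sure the main router has a lower priority than the admin one (200) so /admin is matched first`. The admin `traefik:` block defines `strip_prefix`, `router` and `priority` but no `csp` map, and the rendered example in this commit shows the admin router without any CSP middleware; if that is intentional, a one-line comment in the admin block stating that the admin interface gets no Content-Security-Policy of its own would stop the next reader from assuming it inherits the main one.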
@ -33,28 +33,8 @@ job "[[ .instance ]]" {
|
||||||
|
|
||||||
tags = [
|
tags = [
|
||||||
[[- $a := merge .vaultwarden.admin .vaultwarden . ]]
|
[[- $a := merge .vaultwarden.admin .vaultwarden . ]]
|
||||||
"[[ $c.traefik.instance ]].enable=true",
|
[[ template "common/traefik_tags" $a ]]
|
||||||
[[- if ne $c.traefik.instance $a.traefik.instance ]]
|
[[ template "common/traefik_tags" $c ]]
|
||||||
"[[ $a.traefik.instance ]].enable=true",
|
|
||||||
[[- end ]]
|
|
||||||
# Admin interface
|
|
||||||
"[[ $a.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]]-admin.rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse $c.public_url).Path | regexp.Replace "/$" "" ]]/admin`)",
|
|
||||||
"[[ $a.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]]-admin.entrypoints=[[ join $a.traefik.entrypoints "," ]]",
|
|
||||||
"[[ $a.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]]-admin.priority=200",
|
|
||||||
"[[ $a.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $a.traefik ]]",
|
|
||||||
|
|
||||||
# Main interface
|
|
||||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`)
|
|
||||||
[[- if not ((urlParse $c.public_url).Path | regexp.Match "^/?$") ]] && PathPrefix(`[[ (urlParse $c.public_url).Path ]]`)[[ end ]]",
|
|
||||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
|
|
||||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].priority=100",
|
|
||||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-csp[[ .consul.suffix ]].headers.contentSecurityPolicy=default-src 'self'; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory",
|
|
||||||
[[- if not ((urlParse $c.public_url).Path | regexp.Match "^/?$") ]]
|
|
||||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]][[ .consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse $c.public_url).Path ]]",
|
|
||||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-csp[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]],[[ .instance ]][[ .consul.suffix ]]-prefix",
|
|
||||||
[[- else ]]
|
|
||||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-csp[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]]",
|
|
||||||
[[- end ]]
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
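Review bot: Both `[[ template "common/traefik_tags" $a ]]` and `[[ template "common/traefik_tags" $c ]]` are now emitted unconditionally, whereas the removed lines only emitted the admin instance's `enable=true` when `$c.traefik.instance` differed from `$a.traefik.instance`, and the rendered example in this commit accordingly contains `traefik.enable=true` twice. Traefik tolerates the duplicate, but since the shared template is outside this commit the dedupe belongs inside `common/traefik_tags` (emit enable once per instance), and until then a comment here noting the duplicate is expected would help. The `# Admin interface` / `# Main interface` comments were dropped with the inline tags; a short comment before each call, e.g. `# Admin router ($a, priority 200) is listed before the main router ($c, priority 100)`, keeps the ordering intent visible. `$c` is bound outside this hunk.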