[[ $c := merge .vaultwarden.server . -]] job "[[ .instance ]]" { [[ template "common/job_start" $c ]] group "vaultwarden" { count = [[ $c.count ]] network { mode = "bridge" } volume "data" { type = [[ .vaultwarden.volumes.data.type | toJSON ]] source = [[ .vaultwarden.volumes.data.source | toJSON ]] [[- if ne .vaultwarden.volumes.data.type "host" ]] attachment_mode = "file-system" access_mode = "multi-node-multi-writer" [[- end ]] } service { name = "[[ .instance ]][[ .consul.suffix ]]" port = 8234 [[ template "common/connect" $c ]] check { type = "http" path = "/alive" expose = true interval = "5s" timeout = "3s" check_restart { limit = 20 grace = "20s" } } tags = [ [[- $a := merge .vaultwarden.admin . ]] "[[ $c.traefik.instance ]].enable=true", [[- if ne $c.traefik.instance $a.traefik.instance ]] "[[ $a.traefik.instance ]].enable=true", [[- end ]] # Admin interface "[[ $a.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]]-admin.rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse $c.public_url).Path | regexp.Replace "/$" "" ]]/admin`)", "[[ $a.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]]-admin.entrypoints=[[ join $a.traefik.entrypoints "," ]]", "[[ $a.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]]-admin.priority=200", "[[ $a.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $a.traefik ]]", # Main interface "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) [[- if not ((urlParse $c.public_url).Path | regexp.Match "^/?$") ]] && PathPrefix(`[[ (urlParse $c.public_url).Path ]]`)[[ end ]]", "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]", "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].priority=100", "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-csp[[ .consul.suffix ]].headers.contentSecurityPolicy=default-src 'self'; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory", [[- if not ((urlParse $c.public_url).Path | regexp.Match "^/?$") ]] "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]][[ .consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse $c.public_url).Path ]]", "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-csp[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]],[[ .instance ]][[ .consul.suffix ]]-prefix", [[- else ]] "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-csp[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]]", [[- end ]] ] } [[ template "common/task.wait_for" $c ]] task "vaultwarden" { driver = [[ $c.nomad.driver | toJSON ]] user = 8234 config { image = [[ $c.image | toJSON ]] pids_limit = 100 readonly_rootfs = true } vault { policies = ["[[ .instance ]][[ .consul.suffix ]]"] env = false disable_file = true } env { ROCKET_ADDRESS = "127.0.0.1" ROCKET_PORT = 8234 IP_HEADER = "X-Forwarded-for" DOMAIN = [[ $c.public_url | toJSON ]] DB_CONNECTION_RETRIES = 0 [[ template "common/proxy_env" $c ]] } [[ template "common/file_env" $c.env ]] volume_mount { volume = "data" destination = "/data" } [[ template "common/resources" $c.resources ]] } } }