vaultwarden/vaultwarden.nomad.hcl


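[[ $c := merge .vaultwarden.server . -]]
# Vaultwarden job: one bridge-networked group with a shared "data" volume,
# a Consul Connect service fronted by Traefik (a main router plus a separate
# /admin router that may live on another Traefik instance), and one task.
# $c = the server settings merged over the global context; $a (inside the
# tags list) = the admin-interface settings merged the same way.
job "[[ .vaultwarden.instance ]]" {
  [[ template "common/job_start.tpl" $c ]]
  group "vaultwarden" {
    count = [[ $c.count ]]
    network {
      mode = "bridge"
    }
    # Persistent storage mounted at /data by the task below.
    # NOTE(review): multi-node-multi-writer lets several allocations write
    # concurrently; if the store in /data is SQLite, running count > 1 against
    # this volume risks corruption — confirm the backing database.
    volume "data" {
      type = [[ .vaultwarden.volumes.data.type | toJSON ]]
      source = [[ .vaultwarden.volumes.data.source | toJSON ]]
      attachment_mode = "file-system"
      access_mode = "multi-node-multi-writer"
    }
    service {
      name = "[[ .vaultwarden.instance ]][[ $c.consul.suffix ]]"
      port = 8234
      [[ template "common/connect.tpl" $c ]]
      # Liveness probe on Vaultwarden's /alive endpoint; expose = true publishes
      # the path through the Connect sidecar so the Nomad client can reach it.
      # After 20 consecutive failures (with a 20s grace period) the task is restarted.
      check {
        type = "http"
        path = "/alive"
        expose = true
        interval = "5s"
        timeout = "3s"
        check_restart {
          limit = 20
          grace = "20s"
        }
      }
      # Traefik routing is driven entirely by these Consul tags.
      tags = [
        [[- $a := merge .vaultwarden.admin . ]]
        "[[ $c.traefik.instance ]].enable=true",
        [[- if ne $c.traefik.instance $a.traefik.instance ]]
        "[[ $a.traefik.instance ]].enable=true",
        [[- end ]]
        # Admin interface: its own router, matched on <public path>/admin at a
        # higher priority (200) than the main router (100). The middlewares
        # rendered from $a.traefik are attached to this -admin router — the
        # router name must carry the -admin suffix like the rule/entrypoints/
        # priority tags above, otherwise the admin router ends up with no
        # middlewares at all and the main router name is shadowed instead.
        "[[ $a.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $a.consul.suffix ]]-admin.rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse $c.public_url).Path | regexp.Replace "/$" "" ]]/admin`)",
        "[[ $a.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $a.consul.suffix ]]-admin.entrypoints=[[ join $a.traefik.entrypoints "," ]]",
        "[[ $a.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $a.consul.suffix ]]-admin.priority=200",
        "[[ $a.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $a.consul.suffix ]]-admin.middlewares=[[ template "common/traefik_middlewares.tpl" $a.traefik ]]",
        # Main interface: Host match, plus a PathPrefix only when public_url has
        # a non-root path (the [[- if ]] below is spliced into the same tag string).
        "[[ $c.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $c.consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`)
        [[- if not ((urlParse $c.public_url).Path | regexp.Match "^/?$") ]] && PathPrefix(`[[ (urlParse $c.public_url).Path ]]`)[[ end ]]",
        "[[ $c.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
        "[[ $c.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $c.consul.suffix ]].priority=100",
        # Content-Security-Policy added by a Traefik headers middleware (attached to
        # the main router below). connect-src permits the HIBP and 2fa.directory
        # lookups the web vault performs; img-src permits Gravatar avatars.
        # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src largely
        # neutralise the script restriction — keep them only as long as the web
        # vault actually needs them; confirm against the deployed web-vault version.
        "[[ $c.traefik.instance ]].http.middlewares.[[ .vaultwarden.instance ]]-csp[[ $c.consul.suffix ]].headers.contentSecurityPolicy=default-src 'self'; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory",
        [[- if not ((urlParse $c.public_url).Path | regexp.Match "^/?$") ]]
        # Non-root public path: strip it before forwarding, and chain
        # csp -> common middlewares -> prefix strip on the main router.
        "[[ $c.traefik.instance ]].http.middlewares.[[ .vaultwarden.instance ]][[ $c.consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse $c.public_url).Path ]]",
        "[[ $c.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $c.consul.suffix ]].middlewares=[[ .vaultwarden.instance ]]-csp[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares.tpl" $c.traefik ]],[[ .vaultwarden.instance ]][[ $c.consul.suffix ]]-prefix",
        [[- else ]]
        # Root public path: no prefix stripping needed.
        "[[ $c.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $c.consul.suffix ]].middlewares=[[ .vaultwarden.instance ]]-csp[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares.tpl" $c.traefik ]]",
        [[- end ]]
      ]
    }
    [[ template "common/task.wait_for.tpl" $c ]]
    task "vaultwarden" {
      driver = [[ $c.nomad.driver | toJSON ]]
      # Run as an unprivileged fixed UID (matches the listen port by convention
      # here); the root filesystem is read-only and the process count is capped,
      # so only the /data mount is writable.
      user = 8234
      config {
        image = [[ $c.image | toJSON ]]
        pids_limit = 100
        readonly_rootfs = true
      }
      # Vault access for templates only: the token is neither exported as an
      # environment variable nor written to the task's secrets directory.
      vault {
        policies = ["[[ .vaultwarden.instance ]][[ $c.consul.suffix ]]"]
        env = false
        disable_file = true
      }
      env {
        # Bind to loopback only; traffic arrives through the Connect sidecar.
        ROCKET_ADDRESS = "127.0.0.1"
        ROCKET_PORT = 8234
        # Vaultwarden takes the client address from this header. That is only
        # safe because the app is not reachable except via the proxy chain above;
        # NOTE(review): confirm nothing else can reach port 8234 in the netns.
        IP_HEADER = "X-Forwarded-for"
        # Externally visible URL; must agree with the Traefik Host/PathPrefix rules.
        DOMAIN = [[ $c.public_url | toJSON ]]
        # NOTE(review): confirm the semantics of 0 for this setting in the
        # deployed Vaultwarden version before relying on it for startup ordering.
        DB_CONNECTION_RETRIES = 0
        [[ template "common/proxy_env.tpl" $c ]]
      }
      # Remaining configuration (presumably secrets rendered from Vault) comes
      # from the shared file_env template.
      [[ template "common/file_env.tpl" $c.env ]]
      volume_mount {
        volume = "data"
        destination = "/data"
      }
      [[ template "common/resources.tpl" $c.resources ]]
    }
  }
}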