106 lines
4.1 KiB
HCL
106 lines
4.1 KiB
HCL
[[ $c := merge .vaultwarden.server . -]]
|
|
job "[[ .instance ]]" {
|
|
|
|
[[ template "common/job_start" $c ]]
|
|
|
|
group "vaultwarden" {
|
|
count = [[ $c.count ]]
|
|
|
|
network {
|
|
mode = "bridge"
|
|
}
|
|
|
|
volume "data" {
|
|
type = [[ .vaultwarden.volumes.data.type | toJSON ]]
|
|
source = [[ .vaultwarden.volumes.data.source | toJSON ]]
|
|
[[- if ne .vaultwarden.volumes.data.type "host" ]]
|
|
attachment_mode = "file-system"
|
|
access_mode = "multi-node-multi-writer"
|
|
[[- end ]]
|
|
}
|
|
|
|
service {
|
|
name = "[[ .instance ]][[ .consul.suffix ]]"
|
|
port = 8234
|
|
|
|
[[ template "common/connect" $c ]]
|
|
|
|
check {
|
|
type = "http"
|
|
path = "/alive"
|
|
expose = true
|
|
interval = "5s"
|
|
timeout = "3s"
|
|
|
|
check_restart {
|
|
limit = 20
|
|
grace = "20s"
|
|
}
|
|
}
|
|
|
|
tags = [
|
|
[[- $a := merge .vaultwarden.admin . ]]
|
|
"[[ $c.traefik.instance ]].enable=true",
|
|
[[- if ne $c.traefik.instance $a.traefik.instance ]]
|
|
"[[ $a.traefik.instance ]].enable=true",
|
|
[[- end ]]
|
|
# Admin interface
|
|
"[[ $a.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]]-admin.rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse $c.public_url).Path | regexp.Replace "/$" "" ]]/admin`)",
|
|
"[[ $a.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]]-admin.entrypoints=[[ join $a.traefik.entrypoints "," ]]",
|
|
"[[ $a.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]]-admin.priority=200",
|
|
"[[ $a.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $a.traefik ]]",
|
|
|
|
# Main interface
|
|
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`)
|
|
[[- if not ((urlParse $c.public_url).Path | regexp.Match "^/?$") ]] && PathPrefix(`[[ (urlParse $c.public_url).Path ]]`)[[ end ]]",
|
|
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
|
|
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].priority=100",
|
|
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-csp[[ .consul.suffix ]].headers.contentSecurityPolicy=default-src 'self'; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory",
|
|
[[- if not ((urlParse $c.public_url).Path | regexp.Match "^/?$") ]]
|
|
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]][[ .consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse $c.public_url).Path ]]",
|
|
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-csp[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]],[[ .instance ]][[ .consul.suffix ]]-prefix",
|
|
[[- else ]]
|
|
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-csp[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]]",
|
|
[[- end ]]
|
|
]
|
|
}
|
|
|
|
[[ template "common/task.wait_for" $c ]]
|
|
|
|
task "vaultwarden" {
|
|
driver = [[ $c.nomad.driver | toJSON ]]
|
|
user = 8234
|
|
|
|
config {
|
|
image = [[ $c.image | toJSON ]]
|
|
pids_limit = 100
|
|
readonly_rootfs = true
|
|
}
|
|
|
|
vault {
|
|
policies = ["[[ .instance ]][[ .consul.suffix ]]"]
|
|
env = false
|
|
disable_file = true
|
|
}
|
|
|
|
env {
|
|
ROCKET_ADDRESS = "127.0.0.1"
|
|
ROCKET_PORT = 8234
|
|
IP_HEADER = "X-Forwarded-for"
|
|
DOMAIN = [[ $c.public_url | toJSON ]]
|
|
DB_CONNECTION_RETRIES = 0
|
|
[[ template "common/proxy_env" $c ]]
|
|
}
|
|
|
|
[[ template "common/file_env" $c.env ]]
|
|
|
|
volume_mount {
|
|
volume = "data"
|
|
destination = "/data"
|
|
}
|
|
|
|
[[ template "common/resources" $c.resources ]]
|
|
}
|
|
}
|
|
}
|