nomad
/
vaultwarden
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
vaultwarden/example/vaultwarden.nomad.hcl

209 lines
5.2 KiB
HCL
Raw Blame History

job "vaultwarden" {
datacenters = ["dc1"]
region = "global"
group "vaultwarden" {
count = 1
network {
mode = "bridge"
}
volume "data" {
source = "vaultwarden-data"
type = "csi"
access_mode = "multi-node-multi-writer"
attachment_mode = "file-system"
}
service {
name = "vaultwarden"
port = 8234
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "smtp"
local_bind_port = 25
# Work arround, see https://github.com/hashicorp/nomad/issues/18538
destination_type = "service"
}
upstreams {
destination_name = "postgres"
local_bind_port = 5432
# Work arround, see https://github.com/hashicorp/nomad/issues/18538
destination_type = "service"
}
}
}
sidecar_task {
config {
args = [
"-c",
"${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
"-l",
"${meta.connect.log_level}",
"--concurrency",
"${meta.connect.proxy_concurrency}",
"--disable-hot-restart"
]
}
resources {
cpu = 50
memory = 64
}
}
}
check {
type = "http"
path = "/alive"
expose = true
interval = "5s"
timeout = "3s"
check_restart {
limit = 20
grace = "20s"
}
}
tags = [
"traefik.enable=true",
"traefik.http.routers.vaultwarden-admin.entrypoints=https",
"traefik.http.routers.vaultwarden-admin.priority=200",
"traefik.http.routers.vaultwarden-admin.rule=Host(`vaultwarden.example.org`) && PathPrefix(`/admin`)",
"traefik.http.middlewares.csp-vaultwarden-admin.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.routers.vaultwarden-admin.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-vaultwarden-admin",
"traefik.enable=true",
"traefik.http.routers.vaultwarden.entrypoints=https",
"traefik.http.routers.vaultwarden.priority=100",
"traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.example.org`)",
"traefik.http.middlewares.csp-vaultwarden.headers.contentsecuritypolicy=connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory;default-src 'self';font-src 'self' data:;img-src 'self' data: https://www.gravatar.com;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.routers.vaultwarden.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-vaultwarden",
]
}
# wait for required services tp be ready before starting the main task
task "wait-for" {
driver = "docker"
user = 1053
config {
image = "danielberteaud/wait-for:24.3-1"
readonly_rootfs = true
pids_limit = 20
}
lifecycle {
hook = "prestart"
}
env {
SERVICE_0 = "master.postgres.service.consul"
}
resources {
cpu = 10
memory = 10
memory_max = 30
}
}
task "vaultwarden" {
driver = "docker"
user = 8234
config {
image = "vaultwarden/server:1.30.5-alpine"
pids_limit = 100
readonly_rootfs = true
}
vault {
policies = ["vaultwarden"]
env = false
disable_file = true
change_mode = "noop"
}
env {
ROCKET_ADDRESS = "127.0.0.1"
ROCKET_PORT = 8234
IP_HEADER = "X-Forwarded-for"
DOMAIN = "https://vaultwarden.example.org/"
DB_CONNECTION_RETRIES = 0
}
template {
data = <<_EOT
DATABASE_URL=postgresql://{{ with secret "database/creds/vaultwarden" }}{{ .Data.username }}{{ end }}:{{ with secret "database/creds/vaultwarden" }}{{ urlquery .Data.password }}{{ end }}@127.0.0.1:5432/vaultwarden]
_EOT
destination = "secrets/.db.env"
perms = 400
env = true
}
# Use a template block instead of env {} so we can fetch values from vault
template {
data = <<_EOT
EVENTS_DAYS_RETAIN=720
INCOMPLETE_2FA_TIME_LIMIT=5
LANG=fr_FR.utf8
ORG_EVENTS_ENABLED=true
SIGNUPS_VERIFY=true
SMTP_FROM=vaultwarden-no-reply@consul
SMTP_HOST=localhost
SMTP_PORT=25
SMTP_SECURITY=off
TRASH_AUTO_DELETE_DAYS=7
TZ=Europe/Paris
USER_ATTACHMENT_LIMIT=204800
_EOT
destination = "secrets/.env"
perms = 400
env = true
}
volume_mount {
volume = "data"
destination = "/data"
}
resources {
cpu = 300
memory = 128
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink