author | Mathias Magnusson <mathias@magnusson.space> | 2024-05-11 21:25:49 +0200 |
committer | Mathias Magnusson <mathias@magnusson.space> | 2024-05-11 21:28:46 +0200 |
commit | c2d3ec3c2ab124158e039fddfd22d35c704afd9f (patch) | |
tree | e48e6ecbde72556a4973f6d9ad0132acb72ddc6a | |
parent | 2248eaced59e6c89d812bd9fcb7285e6576a193b (diff) | |
download | garm-c2d3ec3c2ab124158e039fddfd22d35c704afd9f.tar.gz |
Replace nginx with traefik
-rw-r--r-- | jobs/besiktn.ing/besiktn.ing.nomad.hcl | 6 | ||||
-rw-r--r-- | jobs/certificates.nomad.hcl | 99 | ||||
-rw-r--r-- | jobs/faeltkullen.nomad.hcl | 6 | ||||
-rw-r--r-- | jobs/files.nomad.hcl | 6 | ||||
-rw-r--r-- | jobs/försäkr.ing/försäkr.ing.nomad.hcl | 6 | ||||
-rw-r--r-- | jobs/homepage/homepage.nomad.hcl | 7 | ||||
-rw-r--r-- | jobs/hövd.ing/hövd.ing.nomad.hcl | 62 | ||||
-rw-r--r-- | jobs/hövd.ing/index.html | 72 | ||||
-rw-r--r-- | jobs/raytracer.nomad.hcl | 6 | ||||
-rw-r--r-- | jobs/rr.nomad.hcl | 8 | ||||
-rw-r--r-- | jobs/srg/srg.nomad.hcl | 6 | ||||
-rw-r--r-- | jobs/traefik.nomad.hcl | 135 | ||||
-rw-r--r-- | jobs/transfer-zip.nomad.hcl | 59 | ||||
-rw-r--r-- | jobs/vaultwarden.nomad.hcl | 6 | ||||
-rw-r--r-- | jobs/virtual-hosting.nomad.hcl | 255 | ||||
-rw-r--r-- | nomad.tmpl.hcl | 14 |
16 files changed, 177 insertions, 576 deletions
diff --git a/jobs/besiktn.ing/besiktn.ing.nomad.hcl b/jobs/besiktn.ing/besiktn.ing.nomad.hcl
index 8281b66..ace4d1a 100644
--- a/jobs/besiktn.ing/besiktn.ing.nomad.hcl
+++ b/jobs/besiktn.ing/besiktn.ing.nomad.hcl
@@ -14,8 +14,10 @@ job "besiktn.ing" {
 provider = "nomad"
 tags = [
- "nginx.hostname=.besiktn.ing",
- "nginx.certname=besiktn.ing",
+ "traefik.enable=true",
+ "traefik.http.routers.besiktning.rule=Host(`besiktn.ing`)||Host(`www.besiktn.ing`)",
+ "traefik.http.routers.besiktning.entrypoints=https",
+ "traefik.http.routers.besiktning.tls.certresolver=default",
 ]
 }
diff --git a/jobs/certificates.nomad.hcl b/jobs/certificates.nomad.hcl
deleted file mode 100644
index 8731227..0000000
--- a/jobs/certificates.nomad.hcl
+++ /dev/null
@@ -1,99 +0,0 @@ -job "certificates" { - type = "batch" - - periodic { - crons = ["@monthly"] - } - - group "lego" { - restart { - attempts = 1 - delay = "1h" - } - - volume "certs" { - type = "host" - source = "ca-certificates" - } - - network { - port "http" { - # static = 80 - } - } - - service { - name = "certificates" - port = "http" - provider = "nomad" - - tags = [ - "nginx.acme-challenge", - ] - } - - task "lego" { - driver = "exec" - - volume_mount { - volume = "certs" - destination = "/lego" - } - - config { - command = "certs.sh" - } - - template { - data = <<EOF -#!/usr/bin/env bash - -function cert() { - # --server "https://acme-staging-v02.api.letsencrypt.org/directory" - /local/lego \ - --accept-tos \ - --path /lego \ - --email mathias+certs@magnusson.space \ - "$@" -} - -function dns() { - [ -f "/lego/certificates/$1.key" ] && cmd="renew --no-random-sleep --days 45" || cmd=run - cert --dns cloudflare $${@/#/-d=} $cmd -} - -function http() { - [ -f "/lego/certificates/$1.key" ] && cmd="renew --no-random-sleep --days 45" || cmd=run - cert --http --http.port ":$NOMAD_PORT_http" $${@/#/-d=} $cmd -} - -dns magnusson.space *.magnusson.space -dns magnusson.wiki *.magnusson.wiki -dns xn--srskildakommandorrelsegruppen-0pc88c.se *.xn--srskildakommandorrelsegruppen-0pc88c.se -dns xn--hvd-sna.ing *.xn--hvd-sna.ing -dns xn--frskr-ira7j.ing *.xn--frskr-ira7j.ing -dns besiktn.ing *.besiktn.ing -http dinlugnastund.se www.dinlugnastund.se -http transfer.zip www.transfer.zip -CLOUDFLARE_DNS_API_TOKEN=$CTFTAJM_TOKEN dns ctftajm.se *.ctftajm.se -EOF - destination = "local/certs.sh" - } - - template { - data = <<EOF -{{ with nomadVar "nomad/jobs/certificates" }} -CLOUDFLARE_DNS_API_TOKEN={{ .cloudflare_dns_api_token }} -CTFTAJM_TOKEN={{ .cloudflare_dns_api_token_ctftajm }} -{{ end }} -EOF - destination = "local/.env" - env = true - } - - artifact { - source = "https://github.com/go-acme/lego/releases/download/v4.13.3/lego_v4.13.3_linux_amd64.tar.gz" - } - } - } -} 
diff --git a/jobs/faeltkullen.nomad.hcl b/jobs/faeltkullen.nomad.hcl
index 26798da..2cfbd55 100644
--- a/jobs/faeltkullen.nomad.hcl
+++ b/jobs/faeltkullen.nomad.hcl
@@ -18,8 +18,10 @@ job "faeltkullen" {
 provider = "nomad"
 tags = [
- "nginx.hostname=xn--fltkullen-v2a.magnusson.space",
- "nginx.certname=magnusson.space",
+ "traefik.enable=true",
+ "traefik.http.routers.faeltkullen.rule=Host(`xn--fltkullen-v2a.magnusson.space`)||Host(`www.xn--fltkullen-v2a.magnusson.space`)",
+ "traefik.http.routers.faeltkullen.entrypoints=https",
+ "traefik.http.routers.faeltkullen.tls.certresolver=default",
 ]
 }
diff --git a/jobs/files.nomad.hcl b/jobs/files.nomad.hcl
index b5c63d5..28fa3a5 100644
--- a/jobs/files.nomad.hcl
+++ b/jobs/files.nomad.hcl
@@ -18,8 +18,10 @@ job "files" {
 provider = "nomad"
 tags = [
- "nginx.hostname=files.magnusson.space",
- "nginx.certname=magnusson.space",
+ "traefik.enable=true",
+ "traefik.http.routers.files.rule=Host(`files.magnusson.space`)",
+ "traefik.http.routers.files.entrypoints=https",
+ "traefik.http.routers.files.tls.certresolver=default",
 ]
 }
diff --git a/jobs/försäkr.ing/försäkr.ing.nomad.hcl b/jobs/försäkr.ing/försäkr.ing.nomad.hcl
index 2c31858..0b0a7db 100644
--- a/jobs/försäkr.ing/försäkr.ing.nomad.hcl
+++ b/jobs/försäkr.ing/försäkr.ing.nomad.hcl
@@ -14,8 +14,10 @@ job "försäkr.ing" {
 provider = "nomad"
 tags = [
- "nginx.hostname=.xn--frskr-ira7j.ing",
- "nginx.certname=xn--frskr-ira7j.ing",
+ "traefik.enable=true",
+ "traefik.http.routers.forsakring.rule=Host(`xn--frskr-ira7j.ing`)||Host(`www.xn--frskr-ira7j.ing`)",
+ "traefik.http.routers.forsakring.entrypoints=https",
+ "traefik.http.routers.forsakring.tls.certresolver=default",
 ]
 }
diff --git a/jobs/homepage/homepage.nomad.hcl b/jobs/homepage/homepage.nomad.hcl
index f747c0b..57be8fd 100644
--- a/jobs/homepage/homepage.nomad.hcl
+++ b/jobs/homepage/homepage.nomad.hcl
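Review bot: The new rule adds `Host(`www.xn--fltkullen-v2a.magnusson.space`)`, a name the old exact-match tag `nginx.hostname=xn--fltkullen-v2a.magnusson.space` never served, and Traefik's ACME resolver requests a single certificate covering every Host() in a router's rule, so if that www record does not resolve to this host the HTTP-01 order fails for the whole router and the apex name is left on Traefik's default self-signed certificate. Either confirm the www DNS record exists before deploying or drop the alias from the rule; the www aliases in the neighbouring hunks are less likely to be new since the old `.domain` prefix tags already matched them. The enclosing service block opens and closes outside the hunk.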
@@ -14,9 +14,10 @@ job "homepage" {
 provider = "nomad"
 tags = [
- "nginx.hostname=.magnusson.space",
- "nginx.certname=magnusson.space",
- "nginx.default_server",
+ "traefik.enable=true",
+ "traefik.http.routers.homepage.rule=Host(`magnusson.space`)||Host(`www.magnusson.space`)",
+ "traefik.http.routers.homepage.entrypoints=https",
+ "traefik.http.routers.homepage.tls.certresolver=default",
 ]
 }
diff --git a/jobs/hövd.ing/hövd.ing.nomad.hcl b/jobs/hövd.ing/hövd.ing.nomad.hcl
deleted file mode 100644
index dd06924..0000000
--- a/jobs/hövd.ing/hövd.ing.nomad.hcl
+++ /dev/null
@@ -1,62 +0,0 @@
-job "hövd.ing" {
- group "web" {
- count = 1
-
- network {
- port "http" {
- to = 80
- }
- }
-
- service {
- name = "hovding"
- port = "http"
- provider = "nomad"
-
- tags = [
- "nginx.hostname=.xn--hvd-sna.ing",
- "nginx.certname=xn--hvd-sna.ing",
- ]
- }
-
- task "web" {
- driver = "docker"
-
- resources {
- cpu = 50
- memory = 20
- }
-
- config {
- image = "nginx:1.25-alpine"
- ports = ["http"]
-
- volumes = [
- "local/config:/etc/nginx/conf.d",
- "local/html:/var/www/html",
- ]
- }
-
- template {
- data = <<EOF
-server {
- listen 80 default_server;
- listen [::]:80 default_server;
- http2 on;
-
- root /var/www/html;
- location / {
- index index.html;
- }
-}
-EOF
- destination = "local/config/website.conf"
- }
-
- template {
- data = file("jobs/hövd.ing/index.html")
- destination = "local/html/index.html"
- }
- }
- }
-}
diff --git a/jobs/hövd.ing/index.html b/jobs/hövd.ing/index.html
deleted file mode 100644
index c0bf5f6..0000000
--- a/jobs/hövd.ing/index.html
+++ /dev/null
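Review bot: Dropping `nginx.default_server` silently changes what an unmatched Host or bare-IP request gets: nginx served the homepage for any name, whereas Traefik answers 404 for unknown hosts and presents its built-in self-signed certificate for unknown SNI on the https entrypoint. If the catch-all behaviour is still wanted, add a lowest-priority router on this service (a `HostRegexp` rule plus `traefik.http.routers.homepage-catchall.priority=1`) or set a `tls.stores.default.defaultCertificate` in traefik's dynamic file; if the 404 is intentional, say so with a comment next to the tags, e.g. `# no default_server equivalent: unmatched hosts get Traefik's 404 / default cert`. The service block opens outside the hunk.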
@@ -1,72 +0,0 @@ -<!DOCTYPE html> -<html lang="sv"> -<head> - <meta charset="utf-8" /> - <title>Hövding</title> - <style> - * { - margin: 0; - padding: 0; - box-sizing: border-box; - } - body { - display: flex; - align-items: center; - flex-direction: column; - justify-content: center; - gap: 2em; - min-height: 100vh; - font-family: monospace; - } - span { - position: relative; - } - .invisible { - display: none; - } - img { - max-width: 90vw; - max-height: 80vh; - } - </style> -</head> -<body> - <h1>Se på fan, en Hövding!</h1> - <img src="https://d2q01ftr6ua4w.cloudfront.net/assets/images/8d6f885ed2e20f3cd0ed3db9fb1901da6a2695f0.jpeg"> - - <script> - const el = document.querySelector("h1"); - const text = el.textContent; - el.innerHTML = ""; - const spans = new Array(text.length).fill().map((_, i) => { - const span = document.createElement("span"); - span.innerText = text[i]; - span.classList.add("invisible"); - el.appendChild(span); - return span; - }); - const underscore = document.createElement("span"); - const underscoreInner = document.createElement("span"); - underscoreInner.innerText = "_"; - underscore.appendChild(underscoreInner); - underscore.style.position = "relative"; - underscoreInner.style.position = "absolute"; - el.appendChild(underscore); - let i = 0; - function next() { - spans[i].classList.remove("invisible"); - - i++; - if (i >= spans.length) { - setTimeout(removeCursor, 200); - } else { - setTimeout(next, Math.ceil(Math.random() * 200)); - } - } - next(); - function removeCursor() { - underscore.classList.add("invisible"); - } - </script> -</body> -</html> diff --git a/jobs/raytracer.nomad.hcl b/jobs/raytracer.nomad.hcl index 709d91d..4642a8b 100644 --- a/jobs/raytracer.nomad.hcl +++ b/jobs/raytracer.nomad.hcl 
@@ -18,8 +18,10 @@ job "raytracer" {
 provider = "nomad"
 tags = [
- "nginx.hostname=raytracer.magnusson.space",
- "nginx.certname=magnusson.space",
+ "traefik.enable=true",
+ "traefik.http.routers.raytracer.rule=Host(`raytracer.magnusson.space`)",
+ "traefik.http.routers.raytracer.entrypoints=https",
+ "traefik.http.routers.raytracer.tls.certresolver=default",
 ]
 }
diff --git a/jobs/rr.nomad.hcl b/jobs/rr.nomad.hcl
index 032ad03..4796b27 100644
--- a/jobs/rr.nomad.hcl
+++ b/jobs/rr.nomad.hcl
@@ -18,8 +18,10 @@ job "rr" {
 provider = "nomad"
 tags = [
- "nginx.hostname=rr.magnusson.space",
- "nginx.certname=magnusson.space",
+ "traefik.enable=true",
+ "traefik.http.routers.rr.rule=Host(`rr.magnusson.space`)",
+ "traefik.http.routers.rr.entrypoints=https",
+ "traefik.http.routers.rr.tls.certresolver=default",
 ]
 }
@@ -54,7 +56,7 @@ server {
 autoindex off;
 root /var/www/sites/rr;
- index index.mp4;
+ index index.webm;
 }
 EOF
 destination = "local/website.conf"
diff --git a/jobs/srg/srg.nomad.hcl b/jobs/srg/srg.nomad.hcl
index 5b88c66..29d2374 100644
--- a/jobs/srg/srg.nomad.hcl
+++ b/jobs/srg/srg.nomad.hcl
@@ -14,8 +14,10 @@ job "srg" {
 provider = "nomad"
 tags = [
- "nginx.hostname=.xn--srskildakommandorrelsegruppen-0pc88c.se",
- "nginx.certname=xn--srskildakommandorrelsegruppen-0pc88c.se",
+ "traefik.enable=true",
+ "traefik.http.routers.srg.rule=Host(`xn--srskildakommandorrelsegruppen-0pc88c.se`)||Host(`www.xn--srskildakommandorrelsegruppen-0pc88c.se`)",
+ "traefik.http.routers.srg.entrypoints=https",
+ "traefik.http.routers.srg.tls.certresolver=default",
 ]
 }
diff --git a/jobs/traefik.nomad.hcl b/jobs/traefik.nomad.hcl
new file mode 100644
index 0000000..8de6233
--- /dev/null
+++ b/jobs/traefik.nomad.hcl
@@ -0,0 +1,135 @@
+job "traefik" {
+ type = "service"
+
+ group "traefik" {
+ count = 1
+
+ network {
+ port "http" {
+ static = 80
+ }
+
+ port "https" {
+ static = 443
+ }
+ }
+
+ volume "certs" {
+ type = "host"
+ source = "ca-certificates"
+ }
+
+ task "traefik" {
+ driver = "docker"
+
+ config {
+ image = "traefik:v3.0"
+ network_mode = "host"
+
+ volumes = [
+ "local/traefik.toml:/etc/traefik/traefik.toml",
+ "local/nomad-agent-ca.pem:/etc/traefik/nomad-agent-ca.pem",
+ "local/dynamic-conf.yaml:/etc/traefik/dynamic-conf.yaml"
+ ]
+ }
+
+ volume_mount {
+ volume = "certs"
+ destination = "/certificates"
+ }
+
+ template {
+ data = <<EOF
+-----BEGIN CERTIFICATE-----
+MIIDDTCCArKgAwIBAgIRAIYjjhWbJ80SG4cXZF6bGVIwCgYIKoZIzj0EAwIwgcgx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
+bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
+FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjEOMAwGA1UECxMFTm9tYWQxPzA9BgNVBAMT
+Nk5vbWFkIEFnZW50IENBIDE3ODMwMTE2MzYzOTIwMDg3MDMyMTI4NzQyMTA5ODEy
+MTE3MzMzMDAeFw0yMzA4MjAyMDE0MzdaFw0yODA4MTgyMDE0MzdaMIHIMQswCQYD
+VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xGjAY
+BgNVBAkTETEwMSBTZWNvbmQgU3RyZWV0MQ4wDAYDVQQREwU5NDEwNTEXMBUGA1UE
+ChMOSGFzaGlDb3JwIEluYy4xDjAMBgNVBAsTBU5vbWFkMT8wPQYDVQQDEzZOb21h
+ZCBBZ2VudCBDQSAxNzgzMDExNjM2MzkyMDA4NzAzMjEyODc0MjEwOTgxMjExNzMz
+MzAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQnSx/6sQkxGuL9kaDAyUGoqWYJ
+bAzrBrhyNLMkjjYXQ7QrzSOIzGfUGj2A4AzpHbU0t9k+JKaVHaKevcPVFyLMo3sw
+eTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zApBgNVHQ4EIgQgqgrh
+OUp/Z5bL0pf20U6mGO57+PdAU88f3U6MbvYPaqMwKwYDVR0jBCQwIoAgqgrhOUp/
+Z5bL0pf20U6mGO57+PdAU88f3U6MbvYPaqMwCgYIKoZIzj0EAwIDSQAwRgIhAOuN
+l6lMSJW7er6SN22jKxR+oxrk9755eKm0b4GCDscCAiEAjlyxJnwTSF1v23cCS4c+
+V435uuYooblwdUaga7fTDkE=
+-----END CERTIFICATE-----
+EOF
+ destination = "local/nomad-agent-ca.pem"
+ }
+
+ template {
+ data = <<EOF
+[entryPoints]
+ [entryPoints.http]
+ address = ":80"
+ [entryPoints.http.http.redirections.entryPoint]
+ to = "https"
+ scheme = 
"https" + permanent = "true" + [entryPoints.https] + address = ":443" + +[accessLog] +[log] + level = "INFO" + +[api] + dashboard = true + +[certificatesResolvers.default.acme] + email = "mathias+certs@magnusson.space" + storage = "/certificates/acme.json" + [certificatesResolvers.default.acme.httpChallenge] + entryPoint = "http" + +# Enable Consul Catalog configuration backend. +[providers.nomad] + prefix = "traefik" + exposedByDefault = false + + [providers.nomad.endpoint] + address = "https://127.0.0.1:4646" + token = "{{ with nomadVar "nomad/jobs/traefik" }}{{ .nomad_token }}{{ end }}" + [providers.nomad.endpoint.tls] + ca = "/etc/traefik/nomad-agent-ca.pem" +[providers.file] + filename = "/etc/traefik/dynamic-conf.yaml" +EOF + + destination = "local/traefik.toml" + } + + template { + data = <<YAML +http: + routers: + api: + rule: Host(`traefik.magnusson.space`) + service: api@internal + middlewares: + - auth + tls: + certResolver: default + entrypoints: https + middlewares: + auth: + basicAuth: + users: + - mathias:$2y$05$NvMwyf/U2jh9TCYdxj8JbeDhFMGPBDid2IypQPebx4rk5WLOwR1M2 +YAML + destination = "local/dynamic-conf.yaml" + } + + resources { + cpu = 100 + memory = 128 + } + } + } +} diff --git a/jobs/transfer-zip.nomad.hcl b/jobs/transfer-zip.nomad.hcl deleted file mode 100644 index 0509b3e..0000000 --- a/jobs/transfer-zip.nomad.hcl +++ /dev/null 
@@ -1,59 +0,0 @@
-job "transfer-zip" {
- group "web" {
- network {
- port "http" {
- to = 80
- }
- port "ws" {
- to = 8001
- }
- }
-
- service {
- name = "transfer-zip"
- port = "http"
- provider = "nomad"
-
- tags = [
- "nginx.hostname=.transfer.zip",
- "nginx.certname=transfer.zip",
- ]
- }
-
- task "web-server" {
- driver = "docker"
-
- resources {
- memory = 30
- }
-
- config {
- image = "localhost/transfer.zip-web:49aeb34"
- ports = ["http"]
- command = "sh"
- args = ["/local/start.sh"]
- }
-
- template {
- data = <<EOF
-sed -i "s/signaling-server:8001/$NOMAD_ADDR_ws/" /etc/nginx/conf.d/nginx.conf
-exec run-server.sh
-EOF
- destination = "local/start.sh"
- }
- }
-
- task "signaling-server" {
- driver = "docker"
-
- resources {
- memory = 50
- }
-
- config {
- image = "localhost/transfer.zip-signal:49aeb34"
- ports = ["ws"]
- }
- }
- }
-}
diff --git a/jobs/vaultwarden.nomad.hcl b/jobs/vaultwarden.nomad.hcl
index 8dcda82..9978c0e 100644
--- a/jobs/vaultwarden.nomad.hcl
+++ b/jobs/vaultwarden.nomad.hcl
@@ -14,8 +14,10 @@ job "vaultwarden" {
 provider = "nomad"
 tags = [
- "nginx.hostname=vaultwarden.magnusson.space",
- "nginx.certname=magnusson.space",
+ "traefik.enable=true",
+ "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.magnusson.space`)",
+ "traefik.http.routers.vaultwarden.entrypoints=https",
+ "traefik.http.routers.vaultwarden.tls.certresolver=default",
 ]
 }
diff --git a/jobs/virtual-hosting.nomad.hcl b/jobs/virtual-hosting.nomad.hcl
deleted file mode 100644
index 5fa1a38..0000000
--- a/jobs/virtual-hosting.nomad.hcl
+++ /dev/null
@@ -1,255 +0,0 @@ -job "virtual-hosting" { - group "nginx" { - count = 1 - - network { - port "http" { - static = 80 - } - port "https" { - static = 443 - } - } - - volume "certs" { - type = "host" - source = "ca-certificates" - read_only = true - } - - task "nginx" { - driver = "docker" - - resources { - cpu = 50 - memory = 20 - } - - volume_mount { - volume = "certs" - destination = "/var/local/certs" - } - - config { - image = "nginx:1.25-alpine" - ports = ["http", "https"] - - volumes = [ - "local/nginx.conf:/etc/nginx/nginx.conf", - "local/virtual-hosting.conf:/etc/nginx/conf.d/virtual-hosting.conf", - ] - } - - template { - data = <<EOF -user nginx; -worker_processes auto; - -error_log /var/log/nginx/error.log notice; -pid /var/run/nginx.pid; - -events { - worker_connections 1024; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - client_max_body_size 500M; - - keepalive_timeout 65; - - #gzip on; - - server_names_hash_bucket_size 128; - - include /etc/nginx/conf.d/*.conf; -} -EOF - - destination = "local/nginx.conf" - change_signal = "SIGHUP" - } - template { - data = <<EOF -{{- $hijackUpstream := false -}} -{{- range $s := nomadServices -}} -{{- range $tag := $s.Tags -}} - {{- if eq $tag "nginx.acme-challenge" -}} - {{- $hijackUpstream = true -}} -upstream acme-challenge { - {{- range nomadService $s.Name }} - server {{ .Address }}:{{ .Port }}; - {{- end }} -} - {{- break -}} - {{- end -}} - {{- if $hijackUpstream -}} - {{- break -}} - {{- end -}} -{{- end -}} -{{- end }} -{{ if not $hijackUpstream }} -upstream acme-challenge { - server magnusson.space:10101; -} -{{ end }} - -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; -} - -{{ range 
nomadServices -}} - -{{- $hostname := "" -}} -{{- $certname := "" -}} -{{- $default := "" -}} -{{- range $tag := .Tags -}} - {{- if $tag | regexMatch "nginx.hostname=" -}} - {{- $hostname = $tag | replaceAll "nginx.hostname=" "" -}} - {{- end -}} - {{- if $tag | regexMatch "nginx.certname=" -}} - {{- $certname = $tag | replaceAll "nginx.certname=" "" -}} - {{- end -}} - {{- if $tag | regexMatch "nginx.default_server" -}} - {{- $default = "default_server" -}} - {{- end -}} -{{- end -}} -{{- if eq $hostname "" -}} - {{- continue -}} -{{- end -}} - -{{- $upstream := .Name | toLower | regexReplaceAll "[^a-z0-9\\-._]" "" -}} - -################################################ -upstream {{ $upstream }} { - {{- range nomadService .Name }} - server {{ .Address }}:{{ .Port }}; - {{- end }} -} - -{{ if eq $certname "" -}} -server { - listen 80 {{ $default }}; - listen [::]:80 {{ $default }}; - http2 on; - server_name {{ $hostname }}; - - location /.well-known/acme-challenge { - proxy_pass http://acme-challenge; - proxy_set_header Host $host; - } - - location / { - proxy_pass http://{{ $upstream }}; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - } -} - -{{ else -}} -server { - listen 80; - listen [::]:80; - http2 on; - server_name http.{{ $hostname | sprig_trimPrefix "." 
}}; - - location / { - proxy_pass http://{{ $upstream }}; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - } -} - -server { - listen 443 ssl; - listen [::]:443 ssl; - http2 on; - server_name http.{{ $hostname | sprig_trimPrefix "." }}; - - ssl_certificate /var/local/certs/certificates/{{ $certname }}.crt; - ssl_certificate_key /var/local/certs/certificates/{{ $certname }}.key; - ssl_trusted_certificate /var/local/certs/certificates/{{ $certname }}.issuer.crt; - - return 301 http://$host$request_uri; -} - -server { - listen 80 {{ $default }}; - listen [::]:80 {{ $default }}; - http2 on; - server_name {{ $hostname }}; - - location /.well-known/acme-challenge { - proxy_pass http://acme-challenge; - proxy_set_header Host $host; - } - - return 301 https://$host$request_uri; -} - -server { - listen 443 ssl {{ $default }}; - listen [::]:443 ssl {{ $default }}; - http2 on; - server_name {{ $hostname }}; - - ssl_certificate /var/local/certs/certificates/{{ $certname }}.crt; - ssl_certificate_key /var/local/certs/certificates/{{ $certname }}.key; - ssl_trusted_certificate /var/local/certs/certificates/{{ $certname }}.issuer.crt; - - location /.well-known/acme-challenge { - proxy_pass http://acme-challenge; - proxy_set_header Host $host; - } - - location / { - proxy_pass http://{{ $upstream }}; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - } -} -{{ end -}} - -{{ end -}} -EOF - - destination = "local/virtual-hosting.conf" - 
change_signal = "SIGHUP" - } - } - } -} diff --git a/nomad.tmpl.hcl b/nomad.tmpl.hcl index e597b36..e703c0e 100644 --- a/nomad.tmpl.hcl +++ b/nomad.tmpl.hcl @@ -2,21 +2,21 @@ data_dir = "/opt/nomad/data" bind_addr = "0.0.0.0" advertise { - http = "127.0.0.1" - rpc = "127.0.0.1" - serf = "127.0.0.1" + http = "{{ ip address }}" + rpc = "{{ ip address }}" + serf = "{{ ip address }}" } server { enabled = true bootstrap_expect = 1 - encrypt = "{{ .secret }}" # why not? + encrypt = "{{ base64 }}" # why not? } client { enabled = true - servers = ["127.0.0.1"] + servers = ["{{ ip address }}"] host_volume "ca-certificates" { path = "/var/local/ca-certificates" @@ -30,10 +30,6 @@ client { path = "/var/www/faktura" } - host_volume "syncthing" { - path = "/var/local/syncthing" - } - host_volume "ctftajm-postgres" { path = "/var/local/ctftajm-postgres" } |
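Review bot: With `bind_addr = "0.0.0.0"` already in place, switching `advertise` from 127.0.0.1 to `{{ ip address }}` announces the HTTP (4646), RPC (4647) and Serf (4648) ports on a routable address, so the agent is only as protected as its ACL and TLS settings, and neither an `acl` nor a `tls` block appears in this hunk. The traefik job's use of a Nomad token and the agent CA suggests both are configured further down the file or elsewhere; confirm `acl { enabled = true }` and `tls { http = true, rpc = true, verify_server_hostname = true }` are present and that the three ports are firewalled to this host and any intended peers. The `encrypt = "{{ base64 }}"` placeholder should be filled from `nomad operator gossip keyring generate` (Serf accepts only 16, 24 or 32-byte keys), which is worth stating in the comment in place of `# why not?`.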