authorMathias Magnusson <mathias@magnusson.space>2023-09-19 20:12:43 +0200
committerMathias Magnusson <mathias@magnusson.space>2023-09-19 20:12:43 +0200
commit0d1a7a8c7dfc8a79329d3364761a6eb0f3a3d8c3 (patch)
tree25e940c1bf73f1124f0a0cb99b672d7b6240c545 /jobs
parente25fb13a653dde3afd3e6fd2ad5e3ae7bfd2c044 (diff)
downloadgarm-0d1a7a8c7dfc8a79329d3364761a6eb0f3a3d8c3.tar.gz
Add support for http challenges for tls certificates
Diffstat (limited to 'jobs')
-rw-r--r--jobs/certificates.nomad.hcl28
-rw-r--r--jobs/virtual-hosting.nomad.hcl27
2 files changed, 54 insertions, 1 deletions
diff --git a/jobs/certificates.nomad.hcl b/jobs/certificates.nomad.hcl
index f5452a3..7284deb 100644
--- a/jobs/certificates.nomad.hcl
+++ b/jobs/certificates.nomad.hcl
@@ -16,6 +16,20 @@ job "certificates" {
source = "ca-certificates"
}
+ network {
+ port "http" { }
+ }
+
+ service {
+ name = "certificates"
+ port = "http"
+ provider = "nomad"
+
+ tags = [
+ "nginx.hijack_http=.dinlugnastund.se",
+ ]
+ }
+
task "lego" {
driver = "exec"
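Review bot: The tag value `.dinlugnastund.se` on line 35 carries a leading dot, while the certificate script requests `dinlugnastund.se` and `www.dinlugnastund.se`; the nginx template compares this value against `$hostname` with an exact `contains`, so the match only works if `$hostname` is conventionally derived with that leading dot, which is not visible in this hunk. A comment above the tag stating the expected format would prevent a silent non-match, e.g. `# comma-separated hostnames; each must equal $hostname as derived in virtual-hosting.nomad.hcl`. It would also help to state in the same comment that `http` is a dynamic port and that lego presumably only listens on it while a challenge is in progress, so the hijacked vhost has no live backend between renewals.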
@@ -31,6 +45,7 @@ job "certificates" {
template {
data = <<EOF
#!/usr/bin/env bash
+
function dns() {
[ -f "/lego/certificates/$1.key" ] && cmd="renew --days 45" || cmd=run
/local/lego \
@@ -41,9 +56,22 @@ function dns() {
$${@/#/-d=} \
$cmd
}
+
+function http() {
+ [ -f "/lego/certificates/$1.key" ] && cmd="renew --days 45" || cmd=run
+ /local/lego \
+ --accept-tos \
+ --path /lego \
+ --email mathias+certs@magnusson.space \
+ --http --http.port ":$NOMAD_PORT_http" \
+ $${@/#/-d=} \
+ $cmd
+}
+
dns magnusson.space *.magnusson.space
dns magnusson.wiki *.magnusson.wiki
dns xn--srskildakommandorrelsegruppen-0pc88c.se *.xn--srskildakommandorrelsegruppen-0pc88c.se
+http dinlugnastund.se www.dinlugnastund.se
EOF
destination = "local/certs.sh"
}
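Review bot: `http()` on lines 54-63 duplicates `dns()` except for the challenge flags on line 60, so the renew-vs-run decision and the lego invocation now live in two places that must be kept in sync. Both could call one `issue()` helper that takes the challenge flags as its first argument and shifts before the domain list, e.g. `issue "--http --http.port :$NOMAD_PORT_http" dinlugnastund.se www.dinlugnastund.se`, with `dns` passing its DNS-provider flags the same way. A short comment above `http()` should note that `$NOMAD_PORT_http` is the port the `certificates` service advertises and that nginx forwards the challenge traffic to it, since nothing in the script itself shows how the challenge reaches lego. The dns() flag lines between lines 48 and 50 are outside this hunk.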
diff --git a/jobs/virtual-hosting.nomad.hcl b/jobs/virtual-hosting.nomad.hcl
index 638a1c9..fcf4f91 100644
--- a/jobs/virtual-hosting.nomad.hcl
+++ b/jobs/virtual-hosting.nomad.hcl
@@ -41,6 +41,26 @@ job "virtual-hosting" {
template {
data = <<EOF
+{{- $hijackHTTPHostnames := sprig_list -}}
+{{- $hijackUpstream := "" -}}
+{{- range $s := nomadServices -}}
+{{- range $tag := $s.Tags -}}
+ {{- if $tag | regexMatch "nginx.hijack_http=" -}}
+ {{- $hijackHTTPHostnames = $tag | replaceAll "nginx.hijack_http=" "" | split "," -}}
+ {{- $hijackUpstream = $s.Name | toLower | regexReplaceAll "[^a-z0-9\\-._]" "" -}}
+upstream {{ $hijackUpstream }} {
+ {{- range nomadService $s.Name }}
+ server {{ .Address }}:{{ .Port }};
+ {{- end }}
+}
+ {{- break -}}
+ {{- end -}}
+ {{- if ne (len $hijackHTTPHostnames) 0 -}}
+ {{- break -}}
+ {{- end -}}
+{{- end -}}
+{{- end }}
+
{{- range nomadServices -}}
{{- $hostname := "" -}}
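Review bot: The loops on lines 81-97 honor only one hijacking service: `$hijackHTTPHostnames` is overwritten rather than appended on line 84, and the `break` statements on lines 91 and 94 leave both loops after the first tag match, so a second job registering `nginx.hijack_http=` is silently ignored. A comment at line 79 should say so, e.g. `{{- /* only the first service tagged nginx.hijack_http= is honored; its comma-separated hostnames are routed to it on plain HTTP */ -}}`, or the assignment should accumulate with `sprig_append` and emit one upstream per service. The regex on line 83 is unanchored and its `.` is a wildcard, so it also matches a tag that merely contains that text elsewhere in its value, while `replaceAll` on line 84 assumes a literal prefix; `^nginx\\.hijack_http=` would make both agree. Since presumably any job that can register services in this Nomad namespace can set this tag and thereby receive all plain-HTTP traffic for the listed hostnames (the hijack replaces `proxy_pass` for `location /` on lines 105-106, not only the ACME challenge path), the comment should name that trust assumption, and a narrower `location /.well-known/acme-challenge/` block for the hijack would limit what a tagged service can intercept.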
@@ -77,8 +97,13 @@ server {
server_name {{ $hostname }};
location / {
- proxy_pass http://{{ $upstream }};
+ {{ if $hijackHTTPHostnames | contains $hostname -}}
+ proxy_pass http://{{ $hijackUpstream }};
+ {{- else -}}
+ proxy_pass http://{{ $upstream }};
+ {{- end }}
+ proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;