author | Mathias Magnusson <mathias@magnusson.space> | 2023-08-21 19:26:54 +0200 |
committer | Mathias Magnusson <mathias@magnusson.space> | 2023-08-21 19:59:51 +0200 |
commit | e9336eea2aa118216b0a833e19b19321e57d22e3 (patch) | |
tree | 54d75c70f4da5f9b2136cf23c09500ed4c2e0572 /jobs | |
parent | 259107885b046f2250c3705c2bdd1ea76284d151 (diff) | |
Add virtual hosting and certificate job specs
Diffstat (limited to 'jobs')
-rw-r--r-- | jobs/certificates.nomad.hcl | 49 | ||||
-rw-r--r-- | jobs/nginx.nomad.hcl | 114 |
2 files changed, 163 insertions, 0 deletions
diff --git a/jobs/certificates.nomad.hcl b/jobs/certificates.nomad.hcl
new file mode 100644
index 0000000..26253b7
--- /dev/null
+++ b/jobs/certificates.nomad.hcl
@@ -0,0 +1,49 @@
+job "certificates" {
+ type = "batch"
+
+ periodic {
+ cron = "@monthly"
+ }
+
+ group "lego" {
+ volume "certs" {
+ type = "host"
+ source = "ca-certificates"
+ }
+
+ task "lego" {
+ driver = "exec"
+
+ volume_mount {
+ volume = "certs"
+ destination = "/lego"
+ }
+
+ config {
+ command = "lego"
+ args = [
+ "--accept-tos",
+ "--path", "/lego",
+ "--email", "mathias+certs@magnusson.space",
+ "--dns", "cloudflare",
+ "-d", "magnusson.wiki", "-d", "*.magnusson.wiki",
+ "run"
+ ]
+ }
+
+ artifact {
+ source = "https://github.com/go-acme/lego/releases/download/v4.13.3/lego_v4.13.3_linux_amd64.tar.gz"
+ }
+
+ template {
+ data = <<EOF
+{{ with nomadVar "nomad/jobs/certificates" }}
+CLOUDFLARE_DNS_API_TOKEN={{ .cloudflare_dns_api_token }}
+{{ end }}
+EOF
+ destination = "local/.env"
+ env = true
+ }
+ }
+ }
+}
diff --git a/jobs/nginx.nomad.hcl b/jobs/nginx.nomad.hcl
new file mode 100644
index 0000000..1e21647
--- /dev/null
+++ b/jobs/nginx.nomad.hcl
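Review bot: The `artifact` stanza fetches the lego tarball from GitHub with no integrity check, so whatever that release URL serves is executed with `CLOUDFLARE_DNS_API_TOKEN` in its environment and write access to the certificate volume; pin it with `options { checksum = "sha256:<digest from the v4.13.3 checksums file>" }` so Nomad refuses a tampered or swapped download. `lego run` issues a brand-new certificate on every monthly run rather than renewing only when the current one is near expiry; `renew --days 30` on the same schedule is the usual form for a periodic job and behaves the same when a run is missed. The Cloudflare token is correctly sourced from a Nomad variable instead of the spec, but nothing records how narrowly it should be scoped — a comment on the template such as `# token must be scoped to Zone:DNS:Edit for magnusson.wiki only` makes the blast radius of a leak explicit for the next operator.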
@@ -0,0 +1,114 @@
+job "virtual-hosting" {
+ group "nginx" {
+ count = 1
+
+ network {
+ port "http" {
+ static = 80
+ }
+ port "https" {
+ static = 443
+ }
+ }
+
+ volume "certs" {
+ type = "host"
+ source = "ca-certificates"
+ read_only = true
+ }
+
+ task "nginx" {
+ driver = "docker"
+
+ volume_mount {
+ volume = "certs"
+ destination = "/var/local/certs"
+ }
+
+ config {
+ image = "nginx:1.25-alpine"
+ ports = ["http", "https"]
+
+ volumes = [
+ "local:/etc/nginx/conf.d",
+ ]
+ }
+
+ template {
+ data = <<EOF
+{{- range nomadServices -}}
+ {{- $hostname := "" -}}
+ {{- $certname := "" -}}
+ {{- range $tag := .Tags -}}
+ {{- if $tag | regexMatch "nginx.hostname=" -}}
+ {{- $hostname = $tag | replaceAll "nginx.hostname=" "" -}}
+ {{- end -}}
+ {{- if $tag | regexMatch "nginx.certname=" -}}
+ {{- $certname = $tag | replaceAll "nginx.certname=" "" -}}
+ {{- end -}}
+ {{- end -}}
+ {{- if eq $hostname "" -}}
+ {{- continue -}}
+ {{- end -}}
+
+ {{- $upstream := .Name | toLower | regexReplaceAll "[^a-z0-9\\-._]" "" -}}
+
+################################################
+upstream {{ $upstream }} {
+ {{- range nomadService .Name }}
+ server {{ .Address }}:{{ .Port }};
+ {{- end }}
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ http2 on;
+ server_name {{ $hostname }};
+
+ location / {
+ proxy_pass http://{{ $upstream }};
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header Upgrade $http_upgrade;
+ }
+}
+
+{{ if ne $certname "" -}}
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+ server_name {{ $hostname }};
+
+ ssl_certificate /var/local/certs/certificates/{{ $certname }}.crt;
+ ssl_certificate_key /var/local/certs/certificates/{{ $certname }}.key;
+ ssl_trusted_certificate /var/local/certs/certificates/{{ $certname }}.issuer.crt;
+
+ location / {
+ proxy_pass http://{{ $upstream }};
+
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header Upgrade $http_upgrade;
+ }
+}
+{{ end -}}
+
+{{ end -}}
+EOF
+
+ destination = "local/virtual-hosting.conf"
+ change_mode = "signal"
+ change_signal = "SIGHUP"
+ }
+ }
+ }
+}
|
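Review bot: In the port-80 `server` block the application is still proxied in cleartext even when `$certname` is set, so every host that gains a TLS listener also stays fully reachable over plain HTTP with no redirect and no HSTS; when a certificate exists the port-80 block should `return 301 https://$host$request_uri;` (rewrite below) and the 443 block should add `add_header Strict-Transport-Security "max-age=63072000" always;`. The template sanitizes `$upstream` with `regexReplaceAll` but drops `$hostname` and `$certname` into `server_name` and the `ssl_certificate*` paths unfiltered, so any job that can register a service tag can inject further directives or a `../` path into the generated config — if tags are considered trusted in this cluster a comment saying so would help, otherwise apply the same `regexReplaceAll "[^a-z0-9\\-._]" ""` to both values. `proxy_set_header Upgrade $http_upgrade;` on its own will not complete a WebSocket upgrade because proxying defaults to HTTP/1.0; it needs `proxy_http_version 1.1;` plus a matching `Connection` header (typically via a `map $http_upgrade $connection_upgrade`), and `proxy_set_header X-Forwarded-Proto $scheme;` is missing from the forwarded headers. Finally, this template is only re-rendered on service changes, so a certificate rewritten by the lego job is not picked up until something else triggers the SIGHUP — worth a comment or a separate reload trigger tied to the certificate files.
```hcl
server {
    listen 80;
    listen [::]:80;
    server_name {{ $hostname }};
{{ if ne $certname "" }}
    # A certificate exists for this host: never serve the app in cleartext.
    return 301 https://$host$request_uri;
{{ else }}
    location / {
        proxy_pass http://{{ $upstream }};
        # … unchanged: X-Real-IP / X-Forwarded-* / Upgrade headers …
    }
{{ end }}
}
# … unchanged: upstream block and the 443 server block …
```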