From c2d3ec3c2ab124158e039fddfd22d35c704afd9f Mon Sep 17 00:00:00 2001
From: Mathias Magnusson <mathias@magnusson.space>
Date: Sat, 11 May 2024 21:25:49 +0200
Subject: Replace nginx with traefik

---
 jobs/besiktn.ing/besiktn.ing.nomad.hcl             |   6 +-
 jobs/certificates.nomad.hcl                        |  99 --------
 jobs/faeltkullen.nomad.hcl                         |   6 +-
 jobs/files.nomad.hcl                               |   6 +-
 .../f\303\266rs\303\244kr.ing.nomad.hcl"           |   6 +-
 jobs/homepage/homepage.nomad.hcl                   |   7 +-
 "jobs/h\303\266vd.ing/h\303\266vd.ing.nomad.hcl"   |  62 -----
 "jobs/h\303\266vd.ing/index.html"                  |  72 ------
 jobs/raytracer.nomad.hcl                           |   6 +-
 jobs/rr.nomad.hcl                                  |   8 +-
 jobs/srg/srg.nomad.hcl                             |   6 +-
 jobs/traefik.nomad.hcl                             | 135 +++++++++++
 jobs/transfer-zip.nomad.hcl                        |  59 -----
 jobs/vaultwarden.nomad.hcl                         |   6 +-
 jobs/virtual-hosting.nomad.hcl                     | 255 ---------------------
 nomad.tmpl.hcl                                     |  14 +-
 16 files changed, 177 insertions(+), 576 deletions(-)
 delete mode 100644 jobs/certificates.nomad.hcl
 delete mode 100644 "jobs/h\303\266vd.ing/h\303\266vd.ing.nomad.hcl"
 delete mode 100644 "jobs/h\303\266vd.ing/index.html"
 create mode 100644 jobs/traefik.nomad.hcl
 delete mode 100644 jobs/transfer-zip.nomad.hcl
 delete mode 100644 jobs/virtual-hosting.nomad.hcl

diff --git a/jobs/besiktn.ing/besiktn.ing.nomad.hcl b/jobs/besiktn.ing/besiktn.ing.nomad.hcl
index 8281b66..ace4d1a 100644
--- a/jobs/besiktn.ing/besiktn.ing.nomad.hcl
+++ b/jobs/besiktn.ing/besiktn.ing.nomad.hcl
@@ -14,8 +14,10 @@ job "besiktn.ing" {
       provider = "nomad"
 
       tags = [
-        "nginx.hostname=.besiktn.ing",
-        "nginx.certname=besiktn.ing",
+        "traefik.enable=true",
+        "traefik.http.routers.besiktning.rule=Host(`besiktn.ing`)||Host(`www.besiktn.ing`)",
+        "traefik.http.routers.besiktning.entrypoints=https",
+        "traefik.http.routers.besiktning.tls.certresolver=default",
       ]
     }
 
diff --git a/jobs/certificates.nomad.hcl b/jobs/certificates.nomad.hcl
deleted file mode 100644
index 8731227..0000000
--- a/jobs/certificates.nomad.hcl
+++ /dev/null
@@ -1,99 +0,0 @@
-job "certificates" {
-  type = "batch"
-
-  periodic {
-    crons = ["@monthly"]
-  }
-
-  group "lego" {
-    restart {
-      attempts = 1
-      delay    = "1h"
-    }
-
-    volume "certs" {
-      type   = "host"
-      source = "ca-certificates"
-    }
-
-    network {
-      port "http" {
-        # static = 80
-      }
-    }
-
-    service {
-      name     = "certificates"
-      port     = "http"
-      provider = "nomad"
-
-      tags = [
-        "nginx.acme-challenge",
-      ]
-    }
-
-    task "lego" {
-      driver = "exec"
-
-      volume_mount {
-        volume      = "certs"
-        destination = "/lego"
-      }
-
-      config {
-        command = "certs.sh"
-      }
-
-      template {
-        data = <<EOF
-#!/usr/bin/env bash
-
-function cert() {
-    # --server "https://acme-staging-v02.api.letsencrypt.org/directory"
-    /local/lego \
-        --accept-tos \
-        --path /lego \
-        --email mathias+certs@magnusson.space \
-        "$@"
-}
-
-function dns() {
-    [ -f "/lego/certificates/$1.key" ] && cmd="renew --no-random-sleep --days 45" || cmd=run
-    cert --dns cloudflare $${@/#/-d=} $cmd
-}
-
-function http() {
-    [ -f "/lego/certificates/$1.key" ] && cmd="renew --no-random-sleep --days 45" || cmd=run
-    cert --http --http.port ":$NOMAD_PORT_http" $${@/#/-d=} $cmd
-}
-
-dns magnusson.space *.magnusson.space
-dns magnusson.wiki *.magnusson.wiki
-dns xn--srskildakommandorrelsegruppen-0pc88c.se *.xn--srskildakommandorrelsegruppen-0pc88c.se
-dns xn--hvd-sna.ing *.xn--hvd-sna.ing
-dns xn--frskr-ira7j.ing *.xn--frskr-ira7j.ing
-dns besiktn.ing *.besiktn.ing
-http dinlugnastund.se www.dinlugnastund.se
-http transfer.zip www.transfer.zip
-CLOUDFLARE_DNS_API_TOKEN=$CTFTAJM_TOKEN dns ctftajm.se *.ctftajm.se
-EOF
-        destination = "local/certs.sh"
-      }
-
-      template {
-        data = <<EOF
-{{ with nomadVar "nomad/jobs/certificates" }}
-CLOUDFLARE_DNS_API_TOKEN={{ .cloudflare_dns_api_token }}
-CTFTAJM_TOKEN={{ .cloudflare_dns_api_token_ctftajm }}
-{{ end }}
-EOF
-        destination = "local/.env"
-        env         = true
-      }
-
-      artifact {
-        source = "https://github.com/go-acme/lego/releases/download/v4.13.3/lego_v4.13.3_linux_amd64.tar.gz"
-      }
-    }
-  }
-}
diff --git a/jobs/faeltkullen.nomad.hcl b/jobs/faeltkullen.nomad.hcl
index 26798da..2cfbd55 100644
--- a/jobs/faeltkullen.nomad.hcl
+++ b/jobs/faeltkullen.nomad.hcl
@@ -18,8 +18,10 @@ job "faeltkullen" {
       provider = "nomad"
 
       tags = [
-        "nginx.hostname=xn--fltkullen-v2a.magnusson.space",
-        "nginx.certname=magnusson.space",
+        "traefik.enable=true",
+        "traefik.http.routers.faeltkullen.rule=Host(`xn--fltkullen-v2a.magnusson.space`)||Host(`www.xn--fltkullen-v2a.magnusson.space`)",
+        "traefik.http.routers.faeltkullen.entrypoints=https",
+        "traefik.http.routers.faeltkullen.tls.certresolver=default",
       ]
     }
 
diff --git a/jobs/files.nomad.hcl b/jobs/files.nomad.hcl
index b5c63d5..28fa3a5 100644
--- a/jobs/files.nomad.hcl
+++ b/jobs/files.nomad.hcl
@@ -18,8 +18,10 @@ job "files" {
       provider = "nomad"
 
       tags = [
-        "nginx.hostname=files.magnusson.space",
-        "nginx.certname=magnusson.space",
+        "traefik.enable=true",
+        "traefik.http.routers.files.rule=Host(`files.magnusson.space`)",
+        "traefik.http.routers.files.entrypoints=https",
+        "traefik.http.routers.files.tls.certresolver=default",
       ]
     }
 
diff --git "a/jobs/f\303\266rs\303\244kr.ing/f\303\266rs\303\244kr.ing.nomad.hcl" "b/jobs/f\303\266rs\303\244kr.ing/f\303\266rs\303\244kr.ing.nomad.hcl"
index 2c31858..0b0a7db 100644
--- "a/jobs/f\303\266rs\303\244kr.ing/f\303\266rs\303\244kr.ing.nomad.hcl"
+++ "b/jobs/f\303\266rs\303\244kr.ing/f\303\266rs\303\244kr.ing.nomad.hcl"
@@ -14,8 +14,10 @@ job "försäkr.ing" {
       provider = "nomad"
 
       tags = [
-        "nginx.hostname=.xn--frskr-ira7j.ing",
-        "nginx.certname=xn--frskr-ira7j.ing",
+        "traefik.enable=true",
+        "traefik.http.routers.forsakring.rule=Host(`xn--frskr-ira7j.ing`)||Host(`www.xn--frskr-ira7j.ing`)",
+        "traefik.http.routers.forsakring.entrypoints=https",
+        "traefik.http.routers.forsakring.tls.certresolver=default",
       ]
     }
 
diff --git a/jobs/homepage/homepage.nomad.hcl b/jobs/homepage/homepage.nomad.hcl
index f747c0b..57be8fd 100644
--- a/jobs/homepage/homepage.nomad.hcl
+++ b/jobs/homepage/homepage.nomad.hcl
@@ -14,9 +14,10 @@ job "homepage" {
       provider = "nomad"
 
       tags = [
-        "nginx.hostname=.magnusson.space",
-        "nginx.certname=magnusson.space",
-        "nginx.default_server",
+        "traefik.enable=true",
+        "traefik.http.routers.homepage.rule=Host(`magnusson.space`)||Host(`www.magnusson.space`)",
+        "traefik.http.routers.homepage.entrypoints=https",
+        "traefik.http.routers.homepage.tls.certresolver=default",
       ]
     }
 
diff --git "a/jobs/h\303\266vd.ing/h\303\266vd.ing.nomad.hcl" "b/jobs/h\303\266vd.ing/h\303\266vd.ing.nomad.hcl"
deleted file mode 100644
index dd06924..0000000
--- "a/jobs/h\303\266vd.ing/h\303\266vd.ing.nomad.hcl"
+++ /dev/null
@@ -1,62 +0,0 @@
-job "hövd.ing" {
-  group "web" {
-    count = 1
-
-    network {
-      port "http" {
-        to = 80
-      }
-    }
-
-    service {
-      name     = "hovding"
-      port     = "http"
-      provider = "nomad"
-
-      tags = [
-        "nginx.hostname=.xn--hvd-sna.ing",
-        "nginx.certname=xn--hvd-sna.ing",
-      ]
-    }
-
-    task "web" {
-      driver = "docker"
-
-      resources {
-        cpu    = 50
-        memory = 20
-      }
-
-      config {
-        image = "nginx:1.25-alpine"
-        ports = ["http"]
-
-        volumes = [
-          "local/config:/etc/nginx/conf.d",
-          "local/html:/var/www/html",
-        ]
-      }
-
-      template {
-        data = <<EOF
-server {
-  listen 80 default_server;
-  listen [::]:80 default_server;
-  http2 on;
-
-  root /var/www/html;
-  location / {
-    index index.html;
-  }
-}
-EOF
-        destination = "local/config/website.conf"
-      }
-
-      template {
-        data = file("jobs/hövd.ing/index.html")
-        destination = "local/html/index.html"
-      }
-    }
-  }
-}
diff --git "a/jobs/h\303\266vd.ing/index.html" "b/jobs/h\303\266vd.ing/index.html"
deleted file mode 100644
index c0bf5f6..0000000
--- "a/jobs/h\303\266vd.ing/index.html"
+++ /dev/null
@@ -1,72 +0,0 @@
-<!DOCTYPE html>
-<html lang="sv">
-<head>
-    <meta charset="utf-8" />
-    <title>Hövding</title>
-    <style>
-        * {
-            margin: 0;
-            padding: 0;
-            box-sizing: border-box;
-        }
-        body {
-            display: flex;
-            align-items: center;
-            flex-direction: column;
-            justify-content: center;
-            gap: 2em;
-            min-height: 100vh;
-            font-family: monospace;
-        }
-        span {
-            position: relative;
-        }
-        .invisible {
-            display: none;
-        }
-        img {
-            max-width: 90vw;
-            max-height: 80vh;
-        }
-    </style>
-</head>
-<body>
-    <h1>Se på fan, en Hövding!</h1>
-    <img src="https://d2q01ftr6ua4w.cloudfront.net/assets/images/8d6f885ed2e20f3cd0ed3db9fb1901da6a2695f0.jpeg">
-
-    <script>
-        const el = document.querySelector("h1");
-        const text = el.textContent;
-        el.innerHTML = "";
-        const spans = new Array(text.length).fill().map((_, i) => {
-            const span = document.createElement("span");
-            span.innerText = text[i];
-            span.classList.add("invisible");
-            el.appendChild(span);
-            return span;
-        });
-        const underscore = document.createElement("span");
-        const underscoreInner = document.createElement("span");
-        underscoreInner.innerText = "_";
-        underscore.appendChild(underscoreInner);
-        underscore.style.position = "relative";
-        underscoreInner.style.position = "absolute";
-        el.appendChild(underscore);
-        let i = 0;
-        function next() {
-            spans[i].classList.remove("invisible");
-
-            i++;
-            if (i >= spans.length) {
-                setTimeout(removeCursor, 200);
-            } else {
-                setTimeout(next, Math.ceil(Math.random() * 200));
-            }
-        }
-        next();
-        function removeCursor() {
-            underscore.classList.add("invisible");
-        }
-    </script>
-</body>
-</html>
diff --git a/jobs/raytracer.nomad.hcl b/jobs/raytracer.nomad.hcl
index 709d91d..4642a8b 100644
--- a/jobs/raytracer.nomad.hcl
+++ b/jobs/raytracer.nomad.hcl
@@ -18,8 +18,10 @@ job "raytracer" {
       provider = "nomad"
 
       tags = [
-        "nginx.hostname=raytracer.magnusson.space",
-        "nginx.certname=magnusson.space",
+        "traefik.enable=true",
+        "traefik.http.routers.raytracer.rule=Host(`raytracer.magnusson.space`)",
+        "traefik.http.routers.raytracer.entrypoints=https",
+        "traefik.http.routers.raytracer.tls.certresolver=default",
       ]
     }
 
diff --git a/jobs/rr.nomad.hcl b/jobs/rr.nomad.hcl
index 032ad03..4796b27 100644
--- a/jobs/rr.nomad.hcl
+++ b/jobs/rr.nomad.hcl
@@ -18,8 +18,10 @@ job "rr" {
       provider = "nomad"
 
       tags = [
-        "nginx.hostname=rr.magnusson.space",
-        "nginx.certname=magnusson.space",
+        "traefik.enable=true",
+        "traefik.http.routers.rr.rule=Host(`rr.magnusson.space`)",
+        "traefik.http.routers.rr.entrypoints=https",
+        "traefik.http.routers.rr.tls.certresolver=default",
       ]
     }
 
@@ -54,7 +56,7 @@ server {
 
   autoindex off;
   root /var/www/sites/rr;
-  index index.mp4;
+  index index.webm;
 }
 EOF
         destination = "local/website.conf"
diff --git a/jobs/srg/srg.nomad.hcl b/jobs/srg/srg.nomad.hcl
index 5b88c66..29d2374 100644
--- a/jobs/srg/srg.nomad.hcl
+++ b/jobs/srg/srg.nomad.hcl
@@ -14,8 +14,10 @@ job "srg" {
       provider = "nomad"
 
       tags = [
-        "nginx.hostname=.xn--srskildakommandorrelsegruppen-0pc88c.se",
-        "nginx.certname=xn--srskildakommandorrelsegruppen-0pc88c.se",
+        "traefik.enable=true",
+        "traefik.http.routers.srg.rule=Host(`xn--srskildakommandorrelsegruppen-0pc88c.se`)||Host(`www.xn--srskildakommandorrelsegruppen-0pc88c.se`)",
+        "traefik.http.routers.srg.entrypoints=https",
+        "traefik.http.routers.srg.tls.certresolver=default",
       ]
     }
 
diff --git a/jobs/traefik.nomad.hcl b/jobs/traefik.nomad.hcl
new file mode 100644
index 0000000..8de6233
--- /dev/null
+++ b/jobs/traefik.nomad.hcl
@@ -0,0 +1,135 @@
+job "traefik" {
+  type = "service"
+
+  group "traefik" {
+    count = 1
+
+    network {
+      port "http" {
+        static = 80
+      }
+
+      port "https" {
+        static = 443
+      }
+    }
+
+    volume "certs" {
+      type   = "host"
+      source = "ca-certificates"
+    }
+
+    task "traefik" {
+      driver = "docker"
+
+      config {
+        image        = "traefik:v3.0"
+        network_mode = "host"
+
+        volumes = [
+          "local/traefik.toml:/etc/traefik/traefik.toml",
+          "local/nomad-agent-ca.pem:/etc/traefik/nomad-agent-ca.pem",
+          "local/dynamic-conf.yaml:/etc/traefik/dynamic-conf.yaml"
+        ]
+      }
+
+      volume_mount {
+        volume = "certs"
+        destination = "/certificates"
+      }
+
+      template {
+        data = <<EOF
+-----BEGIN CERTIFICATE-----
+MIIDDTCCArKgAwIBAgIRAIYjjhWbJ80SG4cXZF6bGVIwCgYIKoZIzj0EAwIwgcgx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
+bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
+FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjEOMAwGA1UECxMFTm9tYWQxPzA9BgNVBAMT
+Nk5vbWFkIEFnZW50IENBIDE3ODMwMTE2MzYzOTIwMDg3MDMyMTI4NzQyMTA5ODEy
+MTE3MzMzMDAeFw0yMzA4MjAyMDE0MzdaFw0yODA4MTgyMDE0MzdaMIHIMQswCQYD
+VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xGjAY
+BgNVBAkTETEwMSBTZWNvbmQgU3RyZWV0MQ4wDAYDVQQREwU5NDEwNTEXMBUGA1UE
+ChMOSGFzaGlDb3JwIEluYy4xDjAMBgNVBAsTBU5vbWFkMT8wPQYDVQQDEzZOb21h
+ZCBBZ2VudCBDQSAxNzgzMDExNjM2MzkyMDA4NzAzMjEyODc0MjEwOTgxMjExNzMz
+MzAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQnSx/6sQkxGuL9kaDAyUGoqWYJ
+bAzrBrhyNLMkjjYXQ7QrzSOIzGfUGj2A4AzpHbU0t9k+JKaVHaKevcPVFyLMo3sw
+eTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zApBgNVHQ4EIgQgqgrh
+OUp/Z5bL0pf20U6mGO57+PdAU88f3U6MbvYPaqMwKwYDVR0jBCQwIoAgqgrhOUp/
+Z5bL0pf20U6mGO57+PdAU88f3U6MbvYPaqMwCgYIKoZIzj0EAwIDSQAwRgIhAOuN
+l6lMSJW7er6SN22jKxR+oxrk9755eKm0b4GCDscCAiEAjlyxJnwTSF1v23cCS4c+
+V435uuYooblwdUaga7fTDkE=
+-----END CERTIFICATE-----
+EOF
+        destination = "local/nomad-agent-ca.pem"
+      }
+
+      template {
+        data = <<EOF
+[entryPoints]
+    [entryPoints.http]
+        address = ":80"
+        [entryPoints.http.http.redirections.entryPoint]
+            to = "https"
+            scheme = "https"
+            permanent = "true"
+    [entryPoints.https]
+        address = ":443"
+
+[accessLog]
+[log]
+    level = "INFO"
+
+[api]
+    dashboard = true
+
+[certificatesResolvers.default.acme]
+    email = "mathias+certs@magnusson.space"
+    storage = "/certificates/acme.json"
+    [certificatesResolvers.default.acme.httpChallenge]
+        entryPoint = "http"
+
+# Enable Consul Catalog configuration backend.
+[providers.nomad]
+    prefix           = "traefik"
+    exposedByDefault = false
+
+    [providers.nomad.endpoint]
+        address = "https://127.0.0.1:4646"
+        token = "{{ with nomadVar "nomad/jobs/traefik" }}{{ .nomad_token }}{{ end }}"
+        [providers.nomad.endpoint.tls]
+            ca = "/etc/traefik/nomad-agent-ca.pem"
+[providers.file]
+    filename = "/etc/traefik/dynamic-conf.yaml"
+EOF
+
+        destination = "local/traefik.toml"
+      }
+
+      template {
+        data = <<YAML
+http:
+  routers:
+    api:
+      rule: Host(`traefik.magnusson.space`)
+      service: api@internal
+      middlewares:
+        - auth
+      tls:
+        certResolver: default
+      entrypoints: https
+  middlewares:
+    auth:
+      basicAuth:
+        users:
+          - mathias:$2y$05$NvMwyf/U2jh9TCYdxj8JbeDhFMGPBDid2IypQPebx4rk5WLOwR1M2
+YAML
+        destination = "local/dynamic-conf.yaml"
+      }
+
+      resources {
+        cpu    = 100
+        memory = 128
+      }
+    }
+  }
+}
diff --git a/jobs/transfer-zip.nomad.hcl b/jobs/transfer-zip.nomad.hcl
deleted file mode 100644
index 0509b3e..0000000
--- a/jobs/transfer-zip.nomad.hcl
+++ /dev/null
@@ -1,59 +0,0 @@
-job "transfer-zip" {
-  group "web" {
-    network {
-      port "http" {
-        to = 80
-      }
-      port "ws" {
-        to = 8001
-      }
-    }
-
-    service {
-      name     = "transfer-zip"
-      port     = "http"
-      provider = "nomad"
-
-      tags = [
-        "nginx.hostname=.transfer.zip",
-        "nginx.certname=transfer.zip",
-      ]
-    }
-
-    task "web-server" {
-      driver = "docker"
-
-      resources {
-        memory = 30
-      }
-
-      config {
-        image = "localhost/transfer.zip-web:49aeb34"
-        ports = ["http"]
-        command = "sh"
-        args = ["/local/start.sh"]
-      }
-
-      template {
-        data = <<EOF
-sed -i "s/signaling-server:8001/$NOMAD_ADDR_ws/" /etc/nginx/conf.d/nginx.conf
-exec run-server.sh
-EOF
-        destination = "local/start.sh"
-      }
-    }
-
-    task "signaling-server" {
-      driver = "docker"
-
-      resources {
-        memory = 50
-      }
-
-      config {
-        image = "localhost/transfer.zip-signal:49aeb34"
-        ports = ["ws"]
-      }
-    }
-  }
-}
diff --git a/jobs/vaultwarden.nomad.hcl b/jobs/vaultwarden.nomad.hcl
index 8dcda82..9978c0e 100644
--- a/jobs/vaultwarden.nomad.hcl
+++ b/jobs/vaultwarden.nomad.hcl
@@ -14,8 +14,10 @@ job "vaultwarden" {
       provider = "nomad"
 
       tags = [
-        "nginx.hostname=vaultwarden.magnusson.space",
-        "nginx.certname=magnusson.space",
+        "traefik.enable=true",
+        "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.magnusson.space`)",
+        "traefik.http.routers.vaultwarden.entrypoints=https",
+        "traefik.http.routers.vaultwarden.tls.certresolver=default",
       ]
     }
 
diff --git a/jobs/virtual-hosting.nomad.hcl b/jobs/virtual-hosting.nomad.hcl
deleted file mode 100644
index 5fa1a38..0000000
--- a/jobs/virtual-hosting.nomad.hcl
+++ /dev/null
@@ -1,255 +0,0 @@
-job "virtual-hosting" {
-  group "nginx" {
-    count = 1
-
-    network {
-      port "http" {
-        static = 80
-      }
-      port "https" {
-        static = 443
-      }
-    }
-
-    volume "certs" {
-      type      = "host"
-      source    = "ca-certificates"
-      read_only = true
-    }
-
-    task "nginx" {
-      driver = "docker"
-
-      resources {
-        cpu    = 50
-        memory = 20
-      }
-
-      volume_mount {
-        volume      = "certs"
-        destination = "/var/local/certs"
-      }
-
-      config {
-        image = "nginx:1.25-alpine"
-        ports = ["http", "https"]
-
-        volumes = [
-          "local/nginx.conf:/etc/nginx/nginx.conf",
-          "local/virtual-hosting.conf:/etc/nginx/conf.d/virtual-hosting.conf",
-        ]
-      }
-
-      template {
-        data = <<EOF
-user nginx;
-worker_processes auto;
-
-error_log  /var/log/nginx/error.log notice;
-pid        /var/run/nginx.pid;
-
-events {
-    worker_connections  1024;
-}
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log  /var/log/nginx/access.log  main;
-
-    sendfile        on;
-    #tcp_nopush     on;
-
-    client_max_body_size 500M;
-
-    keepalive_timeout 65;
-
-    #gzip  on;
-
-    server_names_hash_bucket_size 128;
-
-    include /etc/nginx/conf.d/*.conf;
-}
-EOF
-
-        destination   = "local/nginx.conf"
-        change_signal = "SIGHUP"
-      }
-      template {
-        data = <<EOF
-{{- $hijackUpstream := false -}}
-{{- range $s := nomadServices -}}
-{{- range $tag := $s.Tags -}}
-  {{- if eq $tag "nginx.acme-challenge" -}}
-    {{- $hijackUpstream = true -}}
-upstream acme-challenge {
-  {{- range nomadService $s.Name }}
-  server {{ .Address }}:{{ .Port }};
-  {{- end }}
-}
-    {{- break -}}
-  {{- end -}}
-  {{- if $hijackUpstream -}}
-    {{- break -}}
-  {{- end -}}
-{{- end -}}
-{{- end }}
-{{ if not $hijackUpstream }}
-upstream acme-challenge {
-  server magnusson.space:10101;
-}
-{{ end }}
-
-map $http_upgrade $connection_upgrade {
-    default upgrade;
-    ''      close;
-}
-
-{{ range nomadServices -}}
-
-{{- $hostname := "" -}}
-{{- $certname := "" -}}
-{{- $default := "" -}}
-{{- range $tag := .Tags -}}
-  {{- if $tag | regexMatch "nginx.hostname=" -}}
-    {{- $hostname = $tag | replaceAll "nginx.hostname=" "" -}}
-  {{- end -}}
-  {{- if $tag | regexMatch "nginx.certname=" -}}
-    {{- $certname = $tag | replaceAll "nginx.certname=" "" -}}
-  {{- end -}}
-  {{- if $tag | regexMatch "nginx.default_server" -}}
-    {{- $default = "default_server" -}}
-  {{- end -}}
-{{- end -}}
-{{- if eq $hostname "" -}}
-  {{- continue -}}
-{{- end -}}
-
-{{- $upstream := .Name | toLower | regexReplaceAll "[^a-z0-9\\-._]" "" -}}
-
-################################################
-upstream {{ $upstream }} {
-  {{- range nomadService .Name }}
-  server {{ .Address }}:{{ .Port }};
-  {{- end }}
-}
-
-{{ if eq $certname "" -}}
-server {
-  listen 80 {{ $default }};
-  listen [::]:80 {{ $default }};
-  http2 on;
-  server_name {{ $hostname }};
-
-  location /.well-known/acme-challenge {
-    proxy_pass http://acme-challenge;
-    proxy_set_header Host $host;
-  }
-
-  location / {
-    proxy_pass http://{{ $upstream }};
-
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-Host $host;
-    proxy_set_header X-Forwarded-Port $server_port;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection $connection_upgrade;
-  }
-}
-
-{{ else -}}
-server {
-  listen 80;
-  listen [::]:80;
-  http2 on;
-  server_name http.{{ $hostname | sprig_trimPrefix "." }};
-
-  location / {
-    proxy_pass http://{{ $upstream }};
-
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-Host $host;
-    proxy_set_header X-Forwarded-Port $server_port;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection $connection_upgrade;
-  }
-}
-
-server {
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  http2 on;
-  server_name http.{{ $hostname | sprig_trimPrefix "." }};
-
-  ssl_certificate /var/local/certs/certificates/{{ $certname }}.crt;
-  ssl_certificate_key /var/local/certs/certificates/{{ $certname }}.key;
-  ssl_trusted_certificate /var/local/certs/certificates/{{ $certname }}.issuer.crt;
-
-  return 301 http://$host$request_uri;
-}
-
-server {
-  listen 80 {{ $default }};
-  listen [::]:80 {{ $default }};
-  http2 on;
-  server_name {{ $hostname }};
-
-  location /.well-known/acme-challenge {
-    proxy_pass http://acme-challenge;
-    proxy_set_header Host $host;
-  }
-
-  return 301 https://$host$request_uri;
-}
-
-server {
-  listen 443 ssl {{ $default }};
-  listen [::]:443 ssl {{ $default }};
-  http2 on;
-  server_name {{ $hostname }};
-
-  ssl_certificate /var/local/certs/certificates/{{ $certname }}.crt;
-  ssl_certificate_key /var/local/certs/certificates/{{ $certname }}.key;
-  ssl_trusted_certificate /var/local/certs/certificates/{{ $certname }}.issuer.crt;
-
-  location /.well-known/acme-challenge {
-    proxy_pass http://acme-challenge;
-    proxy_set_header Host $host;
-  }
-
-  location / {
-    proxy_pass http://{{ $upstream }};
-
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-Host $host;
-    proxy_set_header X-Forwarded-Port $server_port;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection $connection_upgrade;
-  }
-}
-{{ end -}}
-
-{{ end -}}
-EOF
-
-        destination   = "local/virtual-hosting.conf"
-        change_signal = "SIGHUP"
-      }
-    }
-  }
-}
diff --git a/nomad.tmpl.hcl b/nomad.tmpl.hcl
index e597b36..e703c0e 100644
--- a/nomad.tmpl.hcl
+++ b/nomad.tmpl.hcl
@@ -2,21 +2,21 @@ data_dir  = "/opt/nomad/data"
 bind_addr = "0.0.0.0"
 
 advertise {
-  http = "127.0.0.1"
-  rpc  = "127.0.0.1"
-  serf = "127.0.0.1"
+  http = "{{ ip address }}"
+  rpc  = "{{ ip address }}"
+  serf = "{{ ip address }}"
 }
 
 server {
   enabled          = true
   bootstrap_expect = 1
 
-  encrypt = "{{ .secret }}" # why not?
+  encrypt = "{{ base64 }}" # why not?
 }
 
 client {
   enabled = true
-  servers = ["127.0.0.1"]
+  servers = ["{{ ip address }}"]
 
   host_volume "ca-certificates" {
     path = "/var/local/ca-certificates"
@@ -30,10 +30,6 @@ client {
     path = "/var/www/faktura"
   }
 
-  host_volume "syncthing" {
-    path = "/var/local/syncthing"
-  }
-
   host_volume "ctftajm-postgres" {
     path = "/var/local/ctftajm-postgres"
   }
-- 
cgit v1.2.3