Initial Commit

2022-09-09 16:37:09 -07:00
commit dddb37e979
21 changed files with 826 additions and 0 deletions

21
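--- a/traefik/README.md
+++ b/traefik/README.md
@@ -0,0 +1,21 @@
+# Traefik
+This job file is for the [Traefik](https://github.com/traefik/traefik) reverse proxy, which serves as the entry point for all requests to the cluster, and is the only way to access any services on it from outside the local network.
+This nomad job file also contains Traefik's own config embedded within it as part of a template stanza.
+In Traefik's config file is a variable called `email`. Set this to your email for Let's Encrypt to use when creating new TLS certificates for your domain. In the `tags` variable, there is a URL. In it, replace `<authelia address>` with the address of your Authelia server if you're running one.
+If you would like to constrain the reverse proxy to only run on a specific node in order to ensure that its IP stays constant, you can place the following inside of `task "traefik"`:
+```hcl
+constraint {
+attribute = "${attr.unique.hostname}"
+operator = "=="
+value = "<hostname>"
+}
+```
+replacing `<hostname>` with the hostname of the node you want this to run on.
+In the `service` stanza, there is a `tags` variable. Inside it, there is a section configuring Authelia. If not using Authelia, remove this section and the one under it. There should be comments above them stating the same thing.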
109
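--- a/traefik/traefik.nomad
+++ b/traefik/traefik.nomad
@@ -0,0 +1,109 @@
+job "traefik" {
+region = "global"
+datacenters = ["dc1"]
+type = "service"
+group "traefik" {
+count = 1
+network {
+port "http" {
+static = 80
+}
+port "https" {
+static = 443
+}
+port "api" {
+static = 8081
+}
+}
+service {
+name = "traefik"
+port = "api"
+check {
+name = "alive"
+type = "tcp"
+port = "http"
+interval = "10s"
+timeout = "2s"
+}
+tags = [
+"traefik.enable=true",
+// Redirect all http requests to HTTPS
+"traefik.http.middlewares.https-redirect.redirectscheme.permanent=true",
+"traefik.http.middlewares.https-redirect.redirectscheme.scheme=https",
+"traefik.http.routers.http-catchall.entrypoints=http",
+"traefik.http.routers.http-catchall.rule=HostRegexp(`{any:.+}`)",
+"traefik.http.routers.http-catchall.middlewares=https-redirect",
+// Forward requests to protected services to Authelia. Remove this if not running Authelia.
+"traefik.http.middlewares.authelia.forwardauth.address=http://<authelia address>/api/verify?rd=https://auth.arsenm.dev/",
+"traefik.http.middlewares.authelia.forwardauth.trustforwardheader=true",
+"traefik.http.middlewares.authelia.forwardauth.authresponseheaders=Remote-User, Remote-Groups",
+// Expose Traefik API with authentication. Remove this if not running Authelia.
+"traefik.http.routers.traefik.rule=Host(`traefik.arsenm.dev`)",
+"traefik.http.routers.traefik.tls.certResolver=letsencrypt",
+"traefik.http.routers.traefik.middlewares=authelia",
+]
+}
+task "traefik" {
+driver = "docker"
+config {
+image = "traefik:v2.2"
+network_mode = "host"
+volumes = [
+"/opt/traefik/acme.json:/acme.json",
+"local/traefik.toml:/etc/traefik/traefik.toml",
+]
+}
+template {
+data = <<EOF
+[entryPoints]
+[entryPoints.http]
+address = ":80"
+[entryPoints.https]
+address = ":443"
+[entryPoints.traefik]
+address = ":8081"
+[certificatesResolvers.letsencrypt.acme]
+email = "you@example.com"
+storage = "acme.json"
+[certificatesResolvers.letsencrypt.acme.httpChallenge]
+entryPoint = "http"
+[api]
+dashboard = true
+insecure = true
+# Enable Consul Catalog configuration backend.
+[providers.consulCatalog]
+prefix = "traefik"
+exposedByDefault = false
+[providers.consulCatalog.endpoint]
+address = "127.0.0.1:8500"
+scheme = "http"
+EOF
+destination = "local/traefik.toml"
+}
+resources {
+cpu = 100
+memory = 128
+}
+}
+}
+}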
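Review bot: The `[api]` stanza in the template sets `insecure = true` while `[entryPoints.traefik]` binds `:8081` under `network_mode = "host"` with the static `api` port, so the dashboard and API answer unauthenticated to anything that can reach port 8081 directly; the `traefik` router with the `authelia` middleware only protects the `traefik.arsenm.dev` path in, not the port itself. Set `insecure = false` in the template and route the dashboard through Traefik's built-in service instead by adding `"traefik.http.routers.traefik.service=api@internal",` beside the other `traefik.http.routers.traefik.*` tags, after which the static `api` port and the `traefik` entrypoint can be dropped and the Authelia-protected router is the only way to the API. Separately, the forwardauth address hard-codes `rd=https://auth.arsenm.dev/` while the README only tells users to replace `<authelia address>`, so a second placeholder there would keep the template self-consistent. The image `traefik:v2.2` is a floating minor tag; pinning a patch tag or digest would make what gets deployed reproducible.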