implement TLS

2022-04-24 22:19:18 +02:00 · 2022-04-24 22:19:18 +02:00 · 15d75f243a
commit 15d75f243a
parent 61a50e8298
3 changed files with 44 additions and 8 deletions
--- a/drone.nomad
+++ b/drone.nomad
@ -19,8 +19,12 @@ job "drone" {
        port = "http"
        tags = [
          "traefik.enable=true",
-          "traefik.http.routers.${NOMAD_JOB_NAME}_insecure.rule=Host(`${NOMAD_JOB_NAME}.ducamps.win`)",
+          "traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`${NOMAD_JOB_NAME}.ducamps.win`)",
          "traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.win",
+          "traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
+          "traefik.http.middlewares.httpsRedirect.redirectscheme.scheme=https",
+          "traefik.http.routers.${NOMAD_JOB_NAME}.middlewares=httpsRedirect"
+
        ]
      }
      config {
--- a/traefik-ingress.nomad
+++ b/traefik-ingress.nomad
@ -18,7 +18,9 @@ job "traefik-ingress" {
        host_network = "private"
      }
    }
-
+    vault{
+      policies=["access-tables"]
+    }
     task "server" {
      driver = "docker"
      service {
@ -46,8 +48,8 @@ job "traefik-ingress" {
          "admin"
        ]
        volumes =[
-          "local/traefik.toml:/etc/traefik/traefik.toml"
-          #"/mnt/diskstation/nomad/traefik/acme.json:acme.json"
+          "local/traefik.toml:/etc/traefik/traefik.toml",
+          "/mnt/diskstation/nomad/traefik/acme.json:/acme.json"
        ]

      }
@ -55,6 +57,13 @@ job "traefik-ingress" {
      #}
    env {
    }
+    template{
+      data=<<EOH
+        GANDIV5_API_KEY = "{{with secret "secrets/data/gandi"}}{{.Data.data.API_KEY}}{{end}}"
+        EOH
+      destination= "secrets/gandi.env"
+      env = true
+    }
    template{
        data= <<EOH
        [entryPoints]
@ -76,7 +85,11 @@ job "traefik-ingress" {
          dashboard = true
          insecure = true
        [ping]
-
+        [certificatesResolvers.myresolver.acme]
+        email = "vincent@ducamps.win"
+        storage = "acme.json"
+        [certificatesResolvers.myresolver.acme.httpChallenge]
+        entryPoint= "web"
        EOH
        destination = "local/traefik.toml"
        env         = false
--- a/traefik-local.nomad
+++ b/traefik-local.nomad
@ -15,6 +15,9 @@ job "traefik-local" {
        static = 9080
      }
    }
+   vault{
+      policies=["access-tables"]
+    }

     task "server" {
      driver = "docker"
@ -43,8 +46,8 @@ job "traefik-local" {
          "admin"
        ]
        volumes =[
-          "local/traefik.toml:/etc/traefik/traefik.toml"
-          #"/mnt/diskstation/nomad/traefik/acme.json:acme.json"
+          "local/traefik.toml:/etc/traefik/traefik.toml",
+          "/mnt/diskstation/nomad/traefik/acme-local.json:/acme.json"
        ]

      }
@ -52,6 +55,14 @@ job "traefik-local" {
      #}
    env {
    }
+    template{
+      data=<<EOH
+        GANDIV5_API_KEY = "{{with secret "secrets/data/gandi"}}{{.Data.data.API_KEY}}{{end}}"
+        EOH
+      destination= "secrets/gandi.env"
+      env = true
+    }
+
    template{
        data= <<EOH
        [entryPoints]
@ -67,12 +78,20 @@ job "traefik-local" {
        [providers.consulCatalog]
          exposedByDefault = false
          [providers.consulCatalog.endpoint]
-            address = "127.0.0.1:8500"
+            address = "172.17.0.1:8500"
        [log]
        [api]
          dashboard = true
          insecure = true
        [ping]
+        [certificatesResolvers.myresolver.acme]
+        email = "vincent@ducamps.win"
+        storage = "acme.json"
+        [certificatesResolvers.myresolver.acme.dnsChallenge]
+        provider = "gandiv5"
+        delayBeforeCheck = 0
+        resolvers = ["173.246.100.133:53"]
+

        EOH
        destination = "local/traefik.toml"