implement TLS

This commit is contained in:
vincent 2022-04-24 22:19:18 +02:00
parent 61a50e8298
commit 15d75f243a
3 changed files with 44 additions and 8 deletions


@ -19,8 +19,12 @@ job "drone" {
port = "http" port = "http"
tags = [ tags = [
"traefik.enable=true", "traefik.enable=true",
"traefik.http.routers.${NOMAD_JOB_NAME}_insecure.rule=Host(`${NOMAD_JOB_NAME}.ducamps.win`)", "traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`${NOMAD_JOB_NAME}.ducamps.win`)",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.win", "traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.win",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
"traefik.http.middlewares.httpsRedirect.redirectscheme.scheme=https",
"traefik.http.routers.${NOMAD_JOB_NAME}.middlewares=httpsRedirect"
] ]
} }
config { config {
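Review bot: The `httpsRedirect` middleware is attached to the router that also carries `tls.certresolver`, and the old `_insecure` router is dropped, so a plain-HTTP request for drone.ducamps.win no longer matches any router (a router with `tls` set only accepts TLS connections) and the redirect never fires — HTTP clients get a 404 instead of an upgrade. Keep a separate HTTP-only router with the same `Host()` rule and put the middleware there, e.g. `"traefik.http.routers.${NOMAD_JOB_NAME}_insecure.middlewares=httpsRedirect"`, leaving the TLS router without `.middlewares`; or do the redirection once at the `web` entrypoint in traefik.toml rather than per job. Consider `redirectscheme.permanent=true` so browsers cache the upgrade, and an HSTS header via the headers middleware once HTTPS is confirmed working. The entrypoint bindings are not visible in this hunk, so which entrypoints this router listens on cannot be confirmed here.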


@ -18,7 +18,9 @@ job "traefik-ingress" {
host_network = "private" host_network = "private"
} }
} }
vault{
policies=["access-tables"]
}
task "server" { task "server" {
driver = "docker" driver = "docker"
service { service {
@ -46,8 +48,8 @@ job "traefik-ingress" {
"admin" "admin"
] ]
volumes =[ volumes =[
"local/traefik.toml:/etc/traefik/traefik.toml" "local/traefik.toml:/etc/traefik/traefik.toml",
#"/mnt/diskstation/nomad/traefik/acme.json:acme.json" "/mnt/diskstation/nomad/traefik/acme.json:/acme.json"
] ]
} }
@ -55,6 +57,13 @@ job "traefik-ingress" {
#} #}
env { env {
} }
template{
data=<<EOH
GANDIV5_API_KEY = "{{with secret "secrets/data/gandi"}}{{.Data.data.API_KEY}}{{end}}"
EOH
destination= "secrets/gandi.env"
env = true
}
template{ template{
data= <<EOH data= <<EOH
[entryPoints] [entryPoints]
@ -76,7 +85,11 @@ job "traefik-ingress" {
dashboard = true dashboard = true
insecure = true insecure = true
[ping] [ping]
[certificatesResolvers.myresolver.acme]
email = "vincent@ducamps.win"
storage = "acme.json"
[certificatesResolvers.myresolver.acme.httpChallenge]
entryPoint= "web"
EOH EOH
destination = "local/traefik.toml" destination = "local/traefik.toml"
env = false env = false
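Review bot: The Gandi DNS API key is injected into the ingress container's environment (the new `vault` stanza plus the `GANDIV5_API_KEY` template with `env = true`), yet the resolver added in the last hunk uses `httpChallenge` only, so nothing in this job reads it. A DNS-provider key can rewrite the whole zone, and this is the internet-facing task, so an unused secret here is pure exposure (readable via `nomad alloc exec`, the allocation's environment, or `docker inspect`); drop both the `vault` stanza and the template from this job unless a dnsChallenge is planned for it, and scope `access-tables` to only what the task needs. Separately, `acme.json` now lives under `/mnt/diskstation/...`, which from the path looks like a network share: Traefik refuses to start unless that file is mode 0600, and it holds the ACME account key and every certificate private key, so confirm the share's ownership/permission mapping and that it is not readable by other NAS users or jobs.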


@ -15,6 +15,9 @@ job "traefik-local" {
static = 9080 static = 9080
} }
} }
vault{
policies=["access-tables"]
}
task "server" { task "server" {
driver = "docker" driver = "docker"
@ -43,8 +46,8 @@ job "traefik-local" {
"admin" "admin"
] ]
volumes =[ volumes =[
"local/traefik.toml:/etc/traefik/traefik.toml" "local/traefik.toml:/etc/traefik/traefik.toml",
#"/mnt/diskstation/nomad/traefik/acme.json:acme.json" "/mnt/diskstation/nomad/traefik/acme-local.json:/acme.json"
] ]
} }
@ -52,6 +55,14 @@ job "traefik-local" {
#} #}
env { env {
} }
template{
data=<<EOH
GANDIV5_API_KEY = "{{with secret "secrets/data/gandi"}}{{.Data.data.API_KEY}}{{end}}"
EOH
destination= "secrets/gandi.env"
env = true
}
template{ template{
data= <<EOH data= <<EOH
[entryPoints] [entryPoints]
@ -67,12 +78,20 @@ job "traefik-local" {
[providers.consulCatalog] [providers.consulCatalog]
exposedByDefault = false exposedByDefault = false
[providers.consulCatalog.endpoint] [providers.consulCatalog.endpoint]
address = "127.0.0.1:8500" address = "172.17.0.1:8500"
[log] [log]
[api] [api]
dashboard = true dashboard = true
insecure = true insecure = true
[ping] [ping]
[certificatesResolvers.myresolver.acme]
email = "vincent@ducamps.win"
storage = "acme.json"
[certificatesResolvers.myresolver.acme.dnsChallenge]
provider = "gandiv5"
delayBeforeCheck = 0
resolvers = ["173.246.100.133:53"]
EOH EOH
destination = "local/traefik.toml" destination = "local/traefik.toml"