<%#
  Nomad batch job template: once a week, for each domain listed below, run
  acme.sh with the dns_linode_v4 DNS hook and hand the resulting certificate
  to Vault through vault-write-certs.sh (the --reloadcmd). The secret(...)
  calls are resolved when the template is rendered, so the rendered job spec
  contains the plain values.
%>
<%
  # acme.sh release to deploy; used for both the artifact URL and the command path below.
  @acme_sh_version = "2.8.5"
%>

job "acme-renewer" {
	region = "global"
	datacenters = ["ca-central"]
	type = "batch"

	// Weekly run. Rescheduling (below) and task restarts (per group) are both
	// disabled, so a failed renewal waits for the next periodic launch rather
	// than retrying against the ACME and DNS APIs.
	periodic {
	 	cron = "0 1 * * 0"  // 1am on Sundays
	 	time_zone = "America/Chicago"
	}

	// Disable rescheduling because otherwise it's easy to be rate-limited.
	reschedule {
		attempts = 0
		unlimited = false
	}

	<%# One group per domain. The domain comes from this static list only and is interpolated into the group name, the --domain argument and the reloadcmd. %>
	<% ["damienradtke.com", "www.damienradtke.com"].each do |domain| %>
		group "<%= domain %>" {
			// Disable automatic restarts because otherwise it's easy to be rate-limited.
			restart {
				attempts = 0
			}

			task "renew" {
				// Network issues using plain exec?
				// NOTE(review): raw_exec runs the command on the client host without the
				// isolation the exec driver provides, which makes the integrity of the two
				// downloaded artifacts below matter more — confirm this is intended.
				driver = "raw_exec"
				config {
					// acme.sh is unpacked from the GitHub archive fetched below; the path
					// assumes the tarball's top-level directory is named after the version.
					command = "${NOMAD_TASK_DIR}/acme.sh-<%= @acme_sh_version %>/acme.sh"
					args = [
						// Linode DNS hook; LINODE_V4_API_KEY is supplied via env below.
						"--dns", "dns_linode_v4",
						// Seconds to wait for DNS propagation before validation is attempted.
						"--dnssleep", "1800",
						// Output locations; NOMAD_SECRETS_DIR is the task's secrets directory.
						"--cert-file", "${NOMAD_SECRETS_DIR}/cert.pem",
						"--fullchain-file", "${NOMAD_SECRETS_DIR}/fullchain.pem",
						"--key-file", "${NOMAD_SECRETS_DIR}/key.pem",
						"--home", "${NOMAD_TASK_DIR}",
						"--domain", "<%= domain %>",
						// Runs after a successful issue. The domain is taken from the static
						// list at the top of the template (not runtime input); it and the paths
						// are single-quoted so sh does not re-expand them.
						"--reloadcmd", "sh '${NOMAD_TASK_DIR}/vault-write-certs.sh' --domain '<%= domain %>' --cert-path '${NOMAD_SECRETS_DIR}/fullchain.pem' --key-path '${NOMAD_SECRETS_DIR}/key.pem'",
						"--issue",
						"--log",
					]
				}

				// Run the renewal as an unprivileged account.
				user = "nobody"

				artifact {
					source = "https://github.com/acmesh-official/acme.sh/archive/<%= @acme_sh_version %>.tar.gz"
					// NOTE(review): with the checksum option commented out the tarball is
					// fetched without integrity verification, even though it is what
					// `command` above executes. GitHub "archive" tarballs are generated on
					// demand and their hash is not guaranteed to stay stable, which may be
					// why this was disabled; a release asset or a vendored copy with a known
					// hash would allow it to be re-enabled — TODO confirm the value below
					// before reusing it.
					/*
					options {
						checksum = "sha256:45d964de8970096dae06aaa45dba2d9d09a41c0a43355191ee627eb00ba5db45"
					}
					*/
				}

				artifact {
					// NOTE(review): plain http:// to a bare IP with no checksum option: the
					// reload script, which later runs with this task's Vault policy, is
					// neither encrypted nor integrity-checked in transit. Confirm the
					// endpoint is only reachable over a trusted path, and consider a
					// checksum here as well.
					source = "s3::http://45.33.126.243:9000/artifacts/vault-write-certs.sh"
					options {
						// Rendered into the job spec in clear text by the template; anyone
						// able to read the submitted job can see them.
						aws_access_key_id = "<%= secret('minio', 'access_key') %>"
						aws_access_key_secret = "<%= secret('minio', 'secret_key') %>"
					}
				}

				resources {
					cpu = 20  // MHz, the minimum value
					memory = 30  // MB
				}

				// The task receives a Vault token bound to this policy; presumably
				// vault-write-certs.sh uses it via VAULT_ADDR below to store the renewed
				// certificate — confirm against the script.
				vault {
					policies = ["acme-renewer"]
				}

				env {
					// Rendered into the job spec in clear text and exposed to the task as an
					// environment variable.
					LINODE_V4_API_KEY = "<%= secret('linode/acme-renewer', 'api_key') %>"
					// NOTE(review): VAULT_CAPATH names a directory of CA certificates for the
					// Vault CLI; a single PEM file is normally given via VAULT_CACERT —
					// confirm which variable the reload script honours.
					VAULT_CAPATH = "/etc/ssl/vault/ca.pem"
					VAULT_ADDR = "https://vault.service.consul:8200"
				}
			}
		}
	<% end %>
}

// vim: set tabstop=4 shiftwidth=4: