~damien/infrastructure

infrastructure/jobs/fabio.nomad.erb -rw-r--r-- 2.4 KiB
e72863f8Damien Radtke Renew CAs 18 days ago
                                                                                
<%
  # Pinned fabio release. The version is interpolated into the fabio task's
  # command name and artifact URL; the checksum is handed to that artifact's
  # checksum option. Change both together on upgrade, taking the new digest
  # from a copy of the release binary you have verified independently.
  @fabio_version  = "1.6.1"
  @fabio_checksum = "sha256:74db83e1db2a561012b3acfbdf98f4c499387be623af62a372e880c78eff98ab"
%>

// Nomad service job that runs the fabio load balancer together with a
// "porter" helper task on ingress-class nodes. The file is an ERB template:
// the fabio version/checksum and the MinIO credentials are substituted when
// the template is rendered, so the rendered job spec contains them literally.
job "fabio" {
	region = "global"
	datacenters = ["ca-central"]
	type = "service"

	group "fabio" {
		// Place this group only on nodes whose node.class is "ingress".
		constraint {
			attribute = "${node.class}"
			value     = "ingress"
		}

		// All four ports are static, i.e. fixed host ports on the ingress node.
		network {
			// NOTE(review): no -ui.addr is passed to fabio below, so it presumably
			// serves its admin UI on its default listener. Confirm that 9998 is not
			// reachable from outside the cluster; the UI exposes the routing table
			// and is presumably unauthenticated unless configured otherwise.
			port "ui" {
				static = 9998
			}
			port "balancer" {
				// TODO: if the below interpolation works, this doesn't need to be static
				static = 9999
			}
			// NOTE(review): 80 and 443 are reserved here but are not referenced by
			// any args in this file; presumably porter binds them and forwards to
			// the balancer port. Confirm against porter's defaults.
			port "http" {
				static = 80
			}
			port "https" {
				static = 443
			}
		}

		// fabio itself: exec driver, running as the unprivileged "fabio" user.
		task "fabio" {
			driver = "exec"
			user   = "fabio"
			config {
				// The command name matches the file name of the artifact downloaded below.
				command = "fabio-<%= @fabio_version %>-linux_amd64"
				// TODO: this currently fails because consul-key.pem is not readable
				// Need to figure out a way to get fabio a client cert
				//
				// Args, in order:
				//  - talk to the local Consul agent over TLS (port 8501), verifying it
				//    against the consul-agent CA and presenting a client cert/key from
				//    /etc/ssl/fabio;
				//  - define a certificate source "mycerts" backed by Vault at
				//    secret/fabio/certs;
				//  - listen on the balancer port and attach "mycerts" to that listener.
				// NOTE(review): the key files must be readable by the "fabio" user and
				// by nothing broader. When fixing the TODO above, give fabio its own
				// client certificate rather than loosening the mode on the Consul
				// agent's private key.
				args = [
					"-registry.consul.addr", "https://localhost:8501",
                    "-registry.consul.tls.cafile", "/etc/ssl/consul-agent/ca.crt",
                    "-registry.consul.tls.certfile", "/etc/ssl/fabio/consul.crt",
                    "-registry.consul.tls.keyfile", "/etc/ssl/fabio/consul.key",
                    "-proxy.cs", "cs=mycerts;type=vault;cert=secret/fabio/certs",
                    "-proxy.addr", ":${NOMAD_PORT_balancer};cs=mycerts",
				]
			}

			// Release binary fetched over HTTPS and pinned to a sha256 digest, so a
			// replaced or altered release asset fails the download instead of running.
			artifact {
				source = "https://github.com/fabiolb/fabio/releases/download/v<%= @fabio_version %>/fabio-<%= @fabio_version %>-linux_amd64"
				options {
					checksum = "<%= @fabio_checksum %>"
				}
			}

			// Request a Vault token carrying the "fabio" policy for this task.
			// NOTE(review): the policy is defined outside this file; confirm it
			// grants no more than read access to the cert path used in -proxy.cs.
			vault {
				policies = ["fabio"]
			}

			// Vault client settings: server address, CA used to verify it, and the
			// client certificate/key fabio presents.
			// NOTE(review): VAULT_CAPATH is documented as a directory of CA files,
			// while VAULT_CACERT names a single file; this value is a single file.
			// Confirm the Vault client in use accepts it and that server
			// verification is actually in effect.
			env {
				VAULT_ADDR = "https://vault.service.consul:8200"
				VAULT_CAPATH = "/etc/ssl/vault-server/ca.crt"
				VAULT_CLIENT_CERT = "/etc/ssl/fabio/vault.crt"
				VAULT_CLIENT_KEY = "/etc/ssl/fabio/vault.key"
			}

			resources {
				memory = 50  # MB
			}
		}

		// porter: helper that forwards to fabio's balancer port and serves one
		// HTTP redirect (see args).
		// NOTE(review): raw_exec runs the command with no isolation, as the same
		// user as the Nomad client process, and no "user" is set on this task.
		// That makes the integrity of the porter binary (artifact below)
		// security-critical for the whole ingress node.
		task "porter" {
			driver = "raw_exec"
			config {
				command = "porter"
				args = [
                    "-to", "localhost:${NOMAD_PORT_balancer}",
                    "-http-redirect", "photos.radtke.family=https://radtke-family.synology.me:4430/photo/",
				]
			}

			// NOTE(review): unlike the fabio artifact, this download has no checksum
			// and its source is plain http:// to a bare IP address. Nothing here
			// detects a binary altered in transit or replaced in the bucket, and the
			// result runs under raw_exec. Suggested: serve the bucket over TLS and
			// add a pinned digest, e.g. checksum = "sha256:PORTER_SHA256_PLACEHOLDER"
			// (placeholder; fill in from a trusted build).
			// NOTE(review): the two MinIO keys are written into the rendered job
			// spec, so anyone able to read this job from Nomad can read them. Use a
			// read-only key scoped to this bucket, and confirm who has read access
			// to jobs.
			artifact {
				source = "s3::http://45.33.126.243:9000/artifacts/bin/porter"
				options {
					aws_access_key_id = "<%= secret('minio', 'access_key') %>"
					aws_access_key_secret = "<%= secret('minio', 'secret_key') %>"
				}
			}

			resources {
				memory = 50  # MB
			}
		}
	}
}

// vim: set tabstop=4 shiftwidth=4: