cluster/nomad/regions/do-1/ingress.hcl


# Job inputs, supplied by whoever submits the job (e.g. `-var` on
# `nomad job run`). None of them has a default, so all three are required.

# Base flake reference for the nginx task image; task "nginx" below appends
# the `#nixngSystems.ingressToothpick...` attribute path to it.
variable "flake_ref" {
  type = string
}

# Passed straight through to the containerd-driver task config. Going by the
# name it pins the flake contents by hash so the image cannot drift between
# deployments — presumably; confirm against the driver's documentation.
variable "flake_sha" {
  type = string
}

# Raw nginx configuration text, rendered verbatim to local/upstreams.conf by
# the last template in task "nginx". Whoever controls this value controls what
# the public ingress proxies to, so treat it as a privileged input, not data.
variable "upstreams" {
  type = string
}
# Public-facing nginx ingress for the "do-1" region. It terminates TLS for
# redalder.org and forwards to services that live in the "homelab-1"
# datacenter via Consul Connect upstreams and a mesh gateway.
job "ingress" {
  datacenters = [ "do-1" ]
  region = "do-1"
  type = "service"

  group "ingress" {
    # A single instance: it owns a single-node-writer volume and static
    # public ports, so more than one allocation could not be scheduled anyway.
    count = 1

    # Pin to one specific host. Presumably because the public IP and the CSI
    # volume below are tied to "toothpick" — confirm before relaxing this.
    constraint {
      attribute = "${attr.unique.hostname}"
      value = "toothpick"
    }

    # Holds the Let's Encrypt private key and chain read by local/ssl.conf.
    # Writable because the task mounts it read_only = false (see volume_mount);
    # presumably so certificate renewals can write into it — confirm.
    volume "ingress-letsencrypt" {
      type = "csi"
      source = "ingress-letsencrypt"
      read_only = false
      attachment_mode = "file-system"
      access_mode = "single-node-writer"
    }

    # All four ports are static and bound on the "public" host network, i.e.
    # directly reachable from the internet. Only 25565 has a listener visible
    # in this file (the stream block in local/streams.conf); the http/https/8448
    # server blocks presumably come from the image and/or var.upstreams.
    network {
      mode = "bridge"
      port "http" {
        static = 80
        to = 80
        host_network = "public"
      }
      # 8448 is the conventional Matrix federation port; which server block
      # serves it is not visible here.
      port "http-matrix" {
        static = 8448
        to = 8448
        host_network = "public"
      }
      port "https" {
        static = 443
        to = 443
        host_network = "public"
      }
      # Raw TCP passthrough for Minecraft (see local/streams.conf).
      port "minecraft" {
        static = 25565
        to = 25565
        host_network = "public"
      }
    }

    # Each upstream is exposed to the task on localhost:<local_bind_port> by the
    # Connect sidecar. All of them live in "homelab-1"; mesh_gateway mode
    # "local" routes them through a mesh gateway in this (do-1) datacenter
    # rather than dialing the remote services directly. Nomad exports each as
    # NOMAD_UPSTREAM_ADDR_<destination_name> (used by streams.conf below).
    service {
      name = "ingress-toothpick"
      port = "http"
      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "gitea"
              local_bind_port = 3000
              datacenter = "homelab-1"
              mesh_gateway {
                mode = "local"
              }
            }
            upstreams {
              destination_name = "hydra"
              local_bind_port = 8666
              datacenter = "homelab-1"
              mesh_gateway {
                mode = "local"
              }
            }
            upstreams {
              destination_name = "nextcloud"
              local_bind_port = 8777
              datacenter = "homelab-1"
              mesh_gateway {
                mode = "local"
              }
            }
            upstreams {
              destination_name = "website"
              local_bind_port = 8080
              datacenter = "homelab-1"
              mesh_gateway {
                mode = "local"
              }
            }
            # Bound on 2666 locally; the stream block proxies public 25565 to it.
            upstreams {
              destination_name = "minecraft"
              local_bind_port = 2666
              datacenter = "homelab-1"
              mesh_gateway {
                mode = "local"
              }
            }
            upstreams {
              destination_name = "reicio"
              local_bind_port = 8000
              datacenter = "homelab-1"
              mesh_gateway {
                mode = "local"
              }
            }
            upstreams {
              destination_name = "matrix-synapse"
              local_bind_port = 6167
              datacenter = "homelab-1"
              mesh_gateway {
                mode = "local"
              }
            }
            upstreams {
              destination_name = "matrix-mautrix-facebook"
              local_bind_port = 29319
              datacenter = "homelab-1"
              mesh_gateway {
                mode = "local"
              }
            }
          }
        }
      }
    }

    # The nginx container itself. The image is a Nix flake output resolved by
    # the containerd driver from var.flake_ref and pinned by var.flake_sha.
    task "nginx" {
      driver = "containerd-driver"

      # Certificate material; writable, see the volume comment above.
      volume_mount {
        volume = "ingress-letsencrypt"
        destination = "/etc/letsencrypt"
        read_only = false
      }

      config {
        flake_ref = "${var.flake_ref}#nixngSystems.ingressToothpick.config.system.build.toplevel"
        flake_sha = var.flake_sha
        entrypoint = [ "init" ]
      }

      resources {
        cpu = 200
        memory = 128
      }

      # Every template below is rendered under local/ and re-rendered on change
      # with change_mode "signal" / SIGHUP, which makes nginx reload its config
      # without dropping connections. How the image includes these files is
      # not visible here; it presumably lives in the flake's nginx config.

      # TLS settings. Key and chain come from the CSI volume. TLS 1.2/1.3 only,
      # client cipher preference, no session tickets, 24h session cache — this
      # matches the Mozilla "intermediate" profile as far as shown. Note that no
      # ssl_dhparam is set here; unless the image sets it elsewhere, nginx will
      # not negotiate the DHE-* suites listed, leaving the ECDHE ones.
      template {
        data = <<EOF
ssl_certificate_key /etc/letsencrypt/live/redalder.org/privkey.pem;
ssl_certificate /etc/letsencrypt/live/redalder.org/fullchain.pem;
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
EOF
        destination = "local/ssl.conf"
        change_mode = "signal"
        change_signal = "SIGHUP"
      }

      # Forwarding headers for proxied requests. X-Real-IP is set from the
      # connecting address and is trustworthy as seen from this hop.
      # X-Forwarded-For uses $proxy_add_x_forwarded_for, which APPENDS to any
      # client-supplied X-Forwarded-For rather than replacing it — upstreams
      # must take the last (rightmost) entry, never the first, as the client IP.
      template {
        data = <<EOF
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
EOF
        destination = "local/headers.conf"
        change_mode = "signal"
        change_signal = "SIGHUP"
      }

      # Response security headers. Caveats for the maintainer:
      #  - X-Frame-Options lacks `always`, so nginx only adds it on 2xx/3xx
      #    responses; the CSP line does carry `always`.
      #  - This CSP permits any http:/https: origin, data:, blob: and
      #    'unsafe-inline', so it restricts essentially nothing; it is a
      #    baseline, not a hardening control.
      #  - nginx add_header directives are NOT merged across levels: any
      #    server/location in var.upstreams that declares its own add_header
      #    silently drops both of these for that scope.
      template {
        data = <<EOF
add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
EOF
        destination = "local/security.conf"
        change_mode = "signal"
        change_signal = "SIGHUP"
      }

      # Plain TCP proxy for Minecraft: `proxy_pass` directly inside `server`
      # is stream-module syntax, so this file must be included in a
      # `stream {}` context, not `http {}`. No TLS at this hop. The upstream
      # address is the Connect sidecar's local bind (127.0.0.1:2666 per the
      # service block) that Nomad exposes as NOMAD_UPSTREAM_ADDR_minecraft.
      template {
        data = <<EOF
upstream minecraft {
server {{ env "NOMAD_UPSTREAM_ADDR_minecraft" }};
}
server {
listen 25565;
proxy_pass minecraft;
}
EOF
        destination = "local/streams.conf"
        change_mode = "signal"
        change_signal = "SIGHUP"
      }

      # Operator-supplied nginx config written verbatim (see variable
      # "upstreams"); this is where the http/https server blocks are expected
      # to come from.
      template {
        data = var.upstreams
        destination = "local/upstreams.conf"
        change_mode = "signal"
        change_signal = "SIGHUP"
      }
    }
  }
}