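# Nomad job "ingress": a single nginx task (Docker driver, bridge networking)
# that terminates TLS on the "public" host network and reverse-proxies to four
# Consul Connect upstreams living in datacenter "homelab-1". The nginx
# configuration is rendered from the template blocks below into local/*.conf;
# the image (nixng-ingress:local) is expected to include those files.
job "ingress" {
  datacenters = [ "do-1" ]
  type        = "service"

  # Pin the job to one node. Presumably the node that exposes the CSI volume
  # and the "public" host network — confirm before relaxing this.
  constraint {
    attribute = "${attr.unique.hostname}"
    value     = "toothpick"
  }

  group "ingress" {
    count = 1

    # CSI volume holding the Let's Encrypt tree; ssl.conf below reads
    # privkey.pem / fullchain.pem from it. nginx only needs read access, so
    # read_only = false is only justified if certificate renewal runs inside
    # this task — NOTE(review): confirm, and tighten to read_only = true if not.
    volume "ingress-letsencrypt" {
      type            = "csi"
      source          = "ingress-letsencrypt"
      read_only       = false
      attachment_mode = "file-system"
      access_mode     = "single-node-writer"
    }

    network {
      mode = "bridge"

      # Host port 80 -> container 80 on the "public" host network.
      # NOTE(review): none of the nginx templates below declares a server that
      # listens on 80 (every server block is "listen 443 ssl"); confirm the
      # image's own config serves it (redirect / ACME) or drop the mapping so
      # the port is not exposed for nothing.
      port "http" {
        static       = "80"
        to           = "80"
        host_network = "public"
      }

      port "https" {
        static       = "443"
        to           = "443"
        host_network = "public"
      }
    }

    service {
      name = "ingress"
      port = "http"

      # Consul Connect sidecar. Each upstream is bound on a local port and
      # routed through the local mesh gateway to "homelab-1"; Nomad exposes the
      # bound address to the task as NOMAD_UPSTREAM_ADDR_<destination_name>,
      # which upstreams.conf below consumes. nginx therefore talks plain HTTP
      # only to the sidecar on localhost; the sidecar carries it over the mesh.
      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "gitea"
              local_bind_port  = 3000
              datacenter       = "homelab-1"

              mesh_gateway {
                mode = "local"
              }
            }

            upstreams {
              destination_name = "hydra"
              local_bind_port  = 8666
              datacenter       = "homelab-1"

              mesh_gateway {
                mode = "local"
              }
            }

            upstreams {
              destination_name = "nextcloud"
              local_bind_port  = 8777
              datacenter       = "homelab-1"

              mesh_gateway {
                mode = "local"
              }
            }

            upstreams {
              destination_name = "website"
              local_bind_port  = 8080
              datacenter       = "homelab-1"

              mesh_gateway {
                mode = "local"
              }
            }
          }
        }
      }
    }

    task "nginx" {
      driver = "docker"

      # Mounted at the path ssl.conf expects (/etc/letsencrypt/live/...).
      # Same read-write caveat as on the group volume above.
      volume_mount {
        volume      = "ingress-letsencrypt"
        destination = "/etc/letsencrypt"
        read_only   = false
      }

      config {
        image = "nixng-ingress:local"
        ports = ["http", "https"]
      }

      # 200 MHz / 32 MB. NOTE(review): 32 MB is tight for nginx given the
      # client_max_body_size 100M on the gitea vhost; bodies larger than the
      # client body buffer are spooled to disk, so it may hold — verify under load.
      resources {
        cpu    = 200
        memory = 32
      }

      # TLS parameters shared by every vhost (included as /local/ssl.conf).
      # Resembles the certbot-generated options-ssl-nginx.conf profile:
      # TLS 1.2/1.3 only, AEAD ciphers, session tickets off (forward secrecy),
      # client cipher preference (ssl_prefer_server_ciphers off).
      template {
        data = <<EOF
ssl_certificate_key /etc/letsencrypt/live/redalder.org/privkey.pem;
ssl_certificate /etc/letsencrypt/live/redalder.org/fullchain.pem;

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
EOF
        destination   = "local/ssl.conf"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }

      # Forwarding headers for every proxied location (/local/headers.conf).
      # $proxy_add_x_forwarded_for appends $remote_addr to whatever
      # X-Forwarded-For the client sent, so the left-most entries are
      # client-controlled; upstream apps must trust only the last hop (this
      # proxy) when deriving the client address.
      template {
        data = <<EOF
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
EOF
        destination   = "local/headers.conf"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }

      # Response-hardening headers, included per vhost (/local/security.conf).
      template {
        data = <<EOF
# add_header without "always" is only applied to 2xx/3xx responses, so error
# pages coming back from the upstream would lack this header; "always" is set
# here to match the CSP line below.
add_header X-Frame-Options "SAMEORIGIN" always;
# NOTE(review): 'unsafe-inline' together with http: and https: permits inline
# scripts and any origin over either scheme, so this policy gives little XSS
# protection. Tightening it is app-specific (Gitea and Nextcloud set their
# own). Not set here and worth considering: Strict-Transport-Security and
# X-Content-Type-Options.
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
EOF
        destination   = "local/security.conf"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }

      # Upstream definitions and vhosts (/local/upstreams.conf). Each upstream
      # points at the Connect sidecar's local bind address for that service.
      template {
        data = <<EOF
upstream gitea {
    server {{ env "NOMAD_UPSTREAM_ADDR_gitea" }};
}

upstream hydra {
    server {{ env "NOMAD_UPSTREAM_ADDR_hydra" }};
}

upstream nextcloud {
    server {{ env "NOMAD_UPSTREAM_ADDR_nextcloud" }};
}

upstream website {
    server {{ env "NOMAD_UPSTREAM_ADDR_website" }};
}

# Catch-all for unknown Host/SNI: answers 404 instead of falling through to a
# real vhost. NOTE(review): it only acts as the default because it is the first
# 443 server in this file; mark it "default_server" if the image's own config
# does not already declare one, and consider "ssl_reject_handshake on"
# (nginx >= 1.19.4) so unknown SNI is not served the redalder.org certificate.
server {
    listen 443 ssl;

    server_name _;

    include /local/ssl.conf;

    return 404;
}

server {
    listen 443 ssl;

    server_name gitea.redalder.org;

    include /local/security.conf;
    include /local/ssl.conf;

    # Presumably for large git pushes / attachments — confirm the limit.
    client_max_body_size 100M;

    location / {
        include /local/headers.conf;
        proxy_pass http://gitea;
    }
}

server {
    listen 443 ssl;

    server_name hydra.redalder.org;

    include /local/security.conf;
    include /local/ssl.conf;

    location / {
        include /local/headers.conf;
        proxy_pass http://hydra;
    }
}

server {
    listen 443 ssl;

    server_name redalder.org nixng.org;

    include /local/security.conf;
    include /local/ssl.conf;

    # The trailing slash on proxy_pass strips the /nextcloud/ prefix before
    # forwarding. NOTE(review): no client_max_body_size here, so uploads through
    # this path are capped at nginx's 1m default — confirm that is intended.
    location /nextcloud/ {
        include /local/headers.conf;
        proxy_pass http://nextcloud/;
    }

    location / {
        include /local/headers.conf;
        proxy_pass http://website;
    }
}
EOF
        destination   = "local/upstreams.conf"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }
    }
  }
}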