# Flake reference the nginx task is built from; combined with
# "#nixngConfigurations.ingressBlowhole..." in task "nginx" below.
variable "flake_ref" {
  type = string
}

# Hash pinning the flake above (passed through as nix_flake_sha), so the
# task runs exactly the evaluated closure rather than whatever the ref
# currently points at.
variable "flake_sha" {
  type = string
}

# Nix store path of the built system closure (nix_flake_store_path).
variable "store_path" {
  type = string
}

# Raw nginx configuration rendered verbatim to local/upstreams.conf.
# The HTTP vhost/server blocks for the ports below are not in this file,
# so presumably they arrive through this variable — keep it under the same
# review as the job itself, since it is nginx config from outside the spec.
variable "upstreams" {
  type = string
}

# nginx ingress on host "blowhole": one bridge-networked group that accepts
# HTTP/HTTPS/IMAP on the host's networks and reaches the backing services
# through Consul Connect sidecar upstreams bound on the alloc's loopback.
job "ingress" {
  datacenters = [ "homelab-1" ]
  type = "service"

  group "ingress" {
    count = 1

    # Pin the allocation to the one host whose static ports are claimed below.
    constraint {
      attribute = "${attr.unique.hostname}"
      value = "blowhole"
    }

    network {
      mode = "bridge"

      # The only listener bound to the "wan" host network, i.e. the one
      # reachable from outside the default network. Host port 80 maps to
      # container port 81, so it is presumably answered by a separate nginx
      # server block (supplied via var.upstreams, not visible here) from the
      # one serving port 80 on the default network.
      port "http-paccess" {
        static = 80
        to = 81
        host_network = "wan"
      }

      port "http" {
        static = 80
        to = 80
        host_network = "default"
      }

      port "https" {
        static = 443
        to = 443
        host_network = "default"
      }

      # Cleartext IMAP listener on the default network; see the streams
      # template in task "nginx" for what it proxies to.
      port "imap" {
        static = 143
        to = 143
        host_network = "default"
      }
    }

    service {
      name = "ingress-blowhole"
      # NOTE(review): this is the literal "80" while every check below uses
      # the port label "http" — confirm Nomad resolves it as intended.
      port = "80"

      # Each check is sent to nginx on the "http" port with a Host header,
      # so it reports the reachability of that vhost *through the proxy*
      # (nginx routing plus the upstream), not the upstream alone. Timeout
      # equals the interval for all of them.
      check {
        type = "http"
        path = "/health"
        name = "jellyfin"
        port = "http"
        interval = "5s"
        timeout = "5s"
        header {
          Host = [ "jellyfin.in.redalder.org" ]
        }
      }

      check {
        type = "http"
        path = "/"
        name = "zigbee2mqtt"
        port = "http"
        interval = "5s"
        timeout = "5s"
        header {
          Host = [ "zigbee2mqtt.in.redalder.org" ]
        }
      }

      check {
        type = "http"
        path = "/"
        name = "home-assistant"
        port = "http"
        interval = "5s"
        timeout = "5s"
        header {
          Host = [ "hass.in.redalder.org" ]
        }
      }

      # Syncthing check is disabled, but its Connect upstream (local bind
      # 8004) is still declared below.
      # check {
      # type = "http"
      # path = "/"
      # name = "syncthing"
      # port = "http"
      # interval = "5s"
      # timeout = "5s"
      # header {
      # Host = [ "syncthing.in.redalder.org" ]
      # }
      # }

      check {
        type = "http"
        path = "/api/health"
        name = "grafana"
        port = "http"
        interval = "5s"
        timeout = "5s"
        header {
          Host = [ "grafana.in.redalder.org" ]
        }
      }

      check {
        type = "http"
        path = "/health"
        name = "influx"
        port = "http"
        interval = "5s"
        timeout = "5s"
        header {
          Host = [ "influx.in.redalder.org" ]
        }
      }

      check {
        type = "http"
        path = "/"
        name = "mainsail"
        port = "http"
        interval = "5s"
        timeout = "5s"
        header {
          Host = [ "mainsail.in.redalder.org" ]
        }
      }

      # Connect sidecar: every upstream is exposed to nginx on the alloc's
      # loopback at local_bind_port; nginx addresses it either via
      # NOMAD_UPSTREAM_ADDR_<name> (as the streams template does) or via
      # the config passed in var.upstreams. The sidecar carries the traffic
      # to the destination service over the mesh, so no service port needs
      # to be reachable from this host directly. matrix-synapse and
      # matrix-mautrix-facebook have upstreams but no health check above.
      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "jellyfin"
              local_bind_port = 8001
            }

            upstreams {
              destination_name = "zigbee2mqtt"
              local_bind_port = 8002
            }

            upstreams {
              destination_name = "home-assistant"
              local_bind_port = 8003
            }

            upstreams {
              destination_name = "syncthing"
              local_bind_port = 8004
            }

            upstreams {
              destination_name = "dovecot-imap"
              local_bind_port = 8005
            }

            upstreams {
              destination_name = "grafana"
              local_bind_port = 8006
            }

            upstreams {
              destination_name = "influx"
              local_bind_port = 8007
            }

            upstreams {
              destination_name = "mainsail"
              local_bind_port = 8008
            }

            upstreams {
              destination_name = "matrix-synapse"
              local_bind_port = 8009
            }

            upstreams {
              destination_name = "matrix-mautrix-facebook"
              local_bind_port = 8010
            }
          }
        }

        # Resource caps for the sidecar proxy task itself.
        sidecar_task {
          resources {
            cpu = 75
            memory = 48
          }

          config {
            memory_hard_limit = 96
          }
        }
      }
    }

    task "nginx" {
      driver = "docker"

      config {
        # NOTE(review): the nix_flake_* keys are not options of the stock
        # docker driver — presumably a patched driver or plugin on this
        # cluster; confirm. flake_sha/store_path pin the exact closure that
        # runs, so an image cannot silently drift from what was reviewed.
        nix_flake_ref = "${var.flake_ref}#nixngConfigurations.ingressBlowhole.config.system.build.toplevel"
        nix_flake_sha = var.flake_sha
        nix_flake_store_path = var.store_path
        entrypoint = [ "init" ]

        # Container label; presumably selects a log-parsing pattern in a
        # pipeline not visible here.
        labels {
          grok_type = "nginx"
        }
      }

      # memory is the reservation; memory_max lets the task burst above it.
      resources {
        cpu = 200
        memory = 32
        memory_max = 128
      }

      # TLS settings shared by the HTTPS vhosts: TLS 1.2/1.3 only, client
      # cipher order honoured, an AEAD-only cipher list, and session tickets
      # off (tickets trade forward secrecy for resumption unless the ticket
      # key is rotated). Certificate and key are read from the Let's Encrypt
      # live directory inside the task; nothing in this job mounts or renders
      # them, so they must come from the image or the driver — confirm how
      # the private key reaches the container and who can read it there.
      # Every template below uses change_mode "signal"/SIGHUP, which makes
      # nginx re-read its config without restarting the task.
      template {
        data = <<EOF
ssl_certificate_key /etc/letsencrypt/live/redalder.org/privkey.pem;
ssl_certificate /etc/letsencrypt/live/redalder.org/fullchain.pem;

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
EOF
        destination = "local/ssl.conf"
        change_mode = "signal"
        change_signal = "SIGHUP"
      }

      # Forwarding headers for proxied vhosts. $proxy_add_x_forwarded_for
      # appends $remote_addr to whatever X-Forwarded-For the client already
      # sent, so an upstream must only trust the last (nginx-added) entry of
      # that list; X-Real-IP is the connecting peer and can be used directly.
      # Whether the "wan" listener itself sits behind another proxy is not
      # visible here.
      template {
        data = <<EOF
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
EOF
        destination = "local/headers.conf"
        change_mode = "signal"
        change_signal = "SIGHUP"
      }

      # Response headers for proxied vhosts. X-Frame-Options lacks "always",
      # so nginx emits it only on the success/redirect status codes
      # add_header covers by default, not on error pages. The CSP allows any
      # http:/https:/data:/blob: source plus 'unsafe-inline', which is wide
      # open — presumably to keep the proxied web apps working — so it
      # restricts little beyond unlisted schemes. NOTE(review): add_header in
      # a server/location block replaces all inherited add_header lines, so a
      # vhost in var.upstreams that adds its own header drops these unless
      # it includes this snippet again — confirm.
      template {
        data = <<EOF
add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
EOF
        destination = "local/security.conf"
        change_mode = "signal"
        change_signal = "SIGHUP"
      }

      # Rendered verbatim from var.upstreams; presumably holds the HTTP
      # server/vhost blocks that include the snippets above.
      template {
        data = var.upstreams

        destination = "local/upstreams.conf"
        change_mode = "signal"
        change_signal = "SIGHUP"
      }

      # Plain TCP (stream) proxy for IMAP: clients connect to nginx on 143
      # and bytes are relayed to the Connect sidecar's local bind for
      # dovecot-imap, which carries them to Dovecot over the mesh. The
      # nginx-to-sidecar hop is cleartext on the alloc loopback; the
      # client-to-nginx hop is whatever the IMAP client negotiates with
      # Dovecot itself (a stream proxy is byte-transparent, so STARTTLS
      # presumably passes through end to end) — this job adds no TLS on 143.
      template {
        data = <<EOF
upstream dovecot-imap {
server {{ env "NOMAD_UPSTREAM_ADDR_dovecot-imap" }};
}

server {
listen 143;

proxy_pass dovecot-imap;
}
EOF
        destination = "local/streams.conf"
        change_mode = "signal"
        change_signal = "SIGHUP"
      }
    }
  }
}