From 1a4d434d5b2367ad5fd9b88542f9b0c04a03dcab Mon Sep 17 00:00:00 2001
From: Adrian Cowan <othrayte@gmail.com>
Date: Sat, 3 May 2025 18:00:30 +1000
Subject: [PATCH] Change from basic auth to authelia

---
 2-nomad-config/authelia.nomad.hcl       | 101 ++++++++++++++++++++
 2-nomad-config/glance.nomad.hcl         |   1 +
 2-nomad-config/hello-world.nomad.hcl    |   1 +
 2-nomad-config/services.tf              |   4 +
 2-nomad-config/terraform.tfstate        |  81 +++++++++++++---
 2-nomad-config/terraform.tfstate.backup | 120 ++++++++++++++++++++----
 2-nomad-config/traefik.nomad.hcl        |  24 +++--
 2-nomad-config/volume-test.nomad.hcl    |   1 +
 2-nomad-config/webapp.nomad.hcl         |   1 +
 9 files changed, 298 insertions(+), 36 deletions(-)
 create mode 100644 2-nomad-config/authelia.nomad.hcl

diff --git a/2-nomad-config/authelia.nomad.hcl b/2-nomad-config/authelia.nomad.hcl
new file mode 100644
index 0000000..00062ef
--- /dev/null
+++ b/2-nomad-config/authelia.nomad.hcl
@@ -0,0 +1,101 @@
+job "authelia" {
+  group "authelia" {
+    network {
+      port "http" {
+        static = 9091
+      }
+    }
+
+    service {
+      name = "auth"
+      port = "http"
+
+      tags = [
+        "traefik.enable=true",
+      ]
+
+      check {
+        type     = "http"
+        path     = "/health"
+        interval = "10s"
+        timeout  = "2s"
+      }
+    }
+
+    task "authelia" {
+      driver = "docker"
+
+      config {
+        image = "authelia/authelia:latest"
+
+        ports = ["http"]
+
+        volumes = [
+          "local/config:/config",
+          "local/data:/data" # TODO: Move this to a volume
+        ]
+      }
+
+      resources {
+        cpu    = 100
+        memory = 128
+      }
+
+      template {
+        data = <<EOF
+server:
+  address: tcp://0.0.0.0:{{ env "NOMAD_PORT_http" }}/
+theme: "auto"
+identity_validation:
+  reset_password:
+    jwt_secret: "{{ with nomadVar "nomad/jobs/authelia" }}{{ .jwt_secret }}{{ end }}"
+
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+
+access_control:
+  default_policy: deny
+  rules:
+    - domain: "*.othrayte.one"
+      policy: one_factor
+    # Disable auth for authelia
+    #- domain: "auth.othrayte.one"
+    #  policy: bypass
+
+session:
+  name: authelia_session
+  secret: "{{ with nomadVar "nomad/jobs/authelia" }}{{ .session_secret }}{{ end }}"
+  expiration: 3600
+  cookies:
+    - domain: othrayte.one
+      authelia_url: "https://auth.othrayte.one"
+
+storage:
+  local:
+    path: /config/db.sqlite3
+  encryption_key: "{{ with nomadVar "nomad/jobs/authelia" }}{{ .encryption_key }}{{ end }}"
+
+notifier:
+  filesystem:
+    filename: /config/notification.txt
+EOF
+
+        destination = "local/config/configuration.yml"
+      }
+
+      template {
+        data = <<EOF
+# Users database for Authelia
+users:
+  othrayte:
+    password: "$2y$10$FeemMJevZXq6y1pc6FNOXeIlthGWiGHRmMfpV33BNcpChA5ozLUmK"
+    displayname: "Adrian"
+    email: "othrayte@gmail.com"
+EOF
+
+        destination = "local/config/users_database.yml"
+      }
+    }
+  }
+}
diff --git a/2-nomad-config/glance.nomad.hcl b/2-nomad-config/glance.nomad.hcl
index ec7a9e1..8b67804 100644
--- a/2-nomad-config/glance.nomad.hcl
+++ b/2-nomad-config/glance.nomad.hcl
@@ -25,6 +25,7 @@ job "glance" {
         
         tags = [
           "traefik.enable=true",
+          "traefik.http.routers.home.middlewares=auth@file",
         ]
 
         check {
diff --git a/2-nomad-config/hello-world.nomad.hcl b/2-nomad-config/hello-world.nomad.hcl
index 42220fd..e0eb6dc 100644
--- a/2-nomad-config/hello-world.nomad.hcl
+++ b/2-nomad-config/hello-world.nomad.hcl
@@ -12,6 +12,7 @@ job "hello-world" {
     
       tags = [
         "traefik.enable=true",
+        "traefik.http.routers.hello-world.middlewares=auth@file",
       ]
 
       check {
diff --git a/2-nomad-config/services.tf b/2-nomad-config/services.tf
index 4b8f9eb..5992f9c 100644
--- a/2-nomad-config/services.tf
+++ b/2-nomad-config/services.tf
@@ -15,6 +15,10 @@ resource "nomad_job" "traefik" {
   jobspec = file("traefik.nomad.hcl")
 }
 
+resource "nomad_job" "authelia" {
+  jobspec = file("authelia.nomad.hcl")
+}
+
 resource "nomad_job" "webapp" {
   jobspec = file("webapp.nomad.hcl")
 }
diff --git a/2-nomad-config/terraform.tfstate b/2-nomad-config/terraform.tfstate
index 7371b03..dd66ade 100644
--- a/2-nomad-config/terraform.tfstate
+++ b/2-nomad-config/terraform.tfstate
@@ -1,7 +1,7 @@
 {
   "version": 4,
   "terraform_version": "1.11.4",
-  "serial": 333,
+  "serial": 484,
   "lineage": "15e0900c-88bc-9754-4600-e3977d018ba0",
   "outputs": {},
   "resources": [
@@ -37,6 +37,61 @@
         }
       ]
     },
+    {
+      "mode": "managed",
+      "type": "nomad_job",
+      "name": "authelia",
+      "provider": "provider[\"registry.terraform.io/hashicorp/nomad\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "allocation_ids": [],
+            "datacenters": [
+              "*"
+            ],
+            "deployment_id": null,
+            "deployment_status": null,
+            "deregister_on_destroy": true,
+            "deregister_on_id_change": true,
+            "detach": true,
+            "hcl2": [],
+            "id": "authelia",
+            "jobspec": "job \"authelia\" {\n  group \"authelia\" {\n    network {\n      port \"http\" {\n        static = 9091\n      }\n    }\n\n    service {\n      name = \"auth\"\n      port = \"http\"\n\n      tags = [\n        \"traefik.enable=true\",\n      ]\n\n      check {\n        type     = \"http\"\n        path     = \"/health\"\n        interval = \"10s\"\n        timeout  = \"2s\"\n      }\n    }\n\n    task \"authelia\" {\n      driver = \"docker\"\n\n      config {\n        image = \"authelia/authelia:latest\"\n\n        ports = [\"http\"]\n\n        volumes = [\n          \"local/config:/config\",\n          \"local/data:/data\"\n        ]\n      }\n\n      resources {\n        cpu    = 100\n        memory = 128\n      }\n\n      template {\n        data = \u003c\u003cEOF\nserver:\n  address: tcp://0.0.0.0:{{ env \"NOMAD_PORT_http\" }}/\ntheme: \"auto\"\nidentity_validation:\n  reset_password:\n    jwt_secret: \"{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .jwt_secret }}{{ end }}\"\n\nauthentication_backend:\n  file:\n    path: /config/users_database.yml\n\naccess_control:\n  default_policy: deny\n  rules:\n    - domain: \"*.othrayte.one\"\n      policy: one_factor\n    # Disable auth for authelia\n    #- domain: \"auth.othrayte.one\"\n    #  policy: bypass\n\nsession:\n  name: authelia_session\n  secret: \"{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .session_secret }}{{ end }}\"\n  expiration: 3600\n  cookies:\n    - domain: othrayte.one\n      authelia_url: \"https://auth.othrayte.one\"\n\nstorage:\n  local:\n    path: /config/db.sqlite3\n  encryption_key: \"{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .encryption_key }}{{ end }}\"\n\nnotifier:\n  filesystem:\n    filename: /config/notification.txt\nEOF\n\n        destination = \"local/config/configuration.yml\"\n      }\n\n      template {\n        data = \u003c\u003cEOF\n# Users database for Authelia\nusers:\n  othrayte:\n    password: \"$2y$10$FeemMJevZXq6y1pc6FNOXeIlthGWiGHRmMfpV33BNcpChA5ozLUmK\"\n    displayname: \"Adrian\"\n    email: \"othrayte@gmail.com\"\nEOF\n\n        destination = \"local/config/users_database.yml\"\n      }\n    }\n  }\n}\n",
+            "json": null,
+            "modify_index": "17976",
+            "name": "authelia",
+            "namespace": "default",
+            "policy_override": null,
+            "purge_on_destroy": null,
+            "read_allocation_ids": false,
+            "region": "global",
+            "rerun_if_dead": false,
+            "status": "running",
+            "task_groups": [
+              {
+                "count": 1,
+                "meta": {},
+                "name": "authelia",
+                "task": [
+                  {
+                    "driver": "docker",
+                    "meta": {},
+                    "name": "authelia",
+                    "volume_mounts": []
+                  }
+                ],
+                "volumes": []
+              }
+            ],
+            "timeouts": null,
+            "type": "service"
+          },
+          "sensitive_attributes": [],
+          "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozMDAwMDAwMDAwMDAsInVwZGF0ZSI6MzAwMDAwMDAwMDAwfX0="
+        }
+      ]
+    },
     {
       "mode": "managed",
       "type": "nomad_job",
@@ -112,9 +167,9 @@
             "detach": true,
             "hcl2": [],
             "id": "glance",
-            "jobspec": "job \"glance\" {\n  group \"glance\" {\n    count = 1\n\n    network {\n      port \"http\" {\n        to = 8080\n      }\n    }\n\n    task \"glance\" {\n      driver = \"docker\"\n\n      config {\n        image = \"glanceapp/glance:latest\"\n        ports = [\"http\"]\n        volumes = [\n          \"local/glance.yml:/app/config/glance.yml\",\n        ]\n      }\n\n      service {\n        name = \"home\"\n        port = \"http\"\n        \n        tags = [\n          \"traefik.enable=true\",\n        ]\n\n        check {\n          name     = \"alive\"\n          type     = \"tcp\"\n          port     = \"http\"\n          interval = \"10s\"\n          timeout  = \"2s\"\n        }\n      }\n\n      resources {\n        cpu    = 50\n        memory = 128\n      }\n\n\n      template {\n        data = \u003c\u003cEOF\npages:\n  - name: Home\n    # Optionally, if you only have a single page you can hide the desktop navigation for a cleaner look\n    # hide-desktop-navigation: true\n    columns:\n      - size: small\n        widgets:\n          - type: calendar\n            first-day-of-week: monday\n\n          - type: rss\n            limit: 10\n            collapse-after: 3\n            cache: 12h\n            feeds:\n              - url: https://selfh.st/rss/\n                title: selfh.st\n                limit: 4\n              - url: https://ciechanow.ski/atom.xml\n              - url: https://www.joshwcomeau.com/rss.xml\n                title: Josh Comeau\n              - url: https://samwho.dev/rss.xml\n              - url: https://ishadeed.com/feed.xml\n                title: Ahmad Shadeed\n\n          - type: twitch-channels\n            channels:\n              - theprimeagen\n              - j_blow\n              - piratesoftware\n              - cohhcarnage\n              - christitustech\n              - EJ_SA\n\n      - size: full\n        widgets:\n          - type: group\n            widgets:\n              - type: hacker-news\n              - type: lobsters\n\n          - type: videos\n            channels:\n              - UCXuqSBlHAE6Xw-yeJA0Tunw # Linus Tech Tips\n              - UCR-DXc1voovS8nhAvccRZhg # Jeff Geerling\n              - UCsBjURrPoezykLs9EqgamOA # Fireship\n              - UCBJycsmduvYEL83R_U4JriQ # Marques Brownlee\n              - UCHnyfMqiRRG1u-2MsSQLbXA # Veritasium\n\n          - type: bookmarks\n            groups:\n              - links:\n                  - title: Gmail\n                    url: https://mail.google.com/mail/u/0/\n                  - title: Amazon\n                    url: https://www.amazon.com/\n                  - title: Github\n                    url: https://github.com/\n                  - title: Wikipedia\n                    url: https://en.wikipedia.org/\n              - title: Infra\n                color: 10 70 50\n                links:\n                  - title: Nomad\n                    url: https://nomad.othrayte.one/\n                  - title: Consul\n                    url: https://consul.othrayte.one/\n                  - title: Traefik\n                    url: https://traefik.othrayte.one/\n              - title: Social\n                color: 200 50 50\n                links:\n                  - title: Reddit\n                    url: https://www.reddit.com/\n                  - title: Twitter\n                    url: https://twitter.com/\n                  - title: Instagram\n                    url: https://www.instagram.com/\n\n      - size: small\n        widgets:\n          - type: weather\n            location: Melbourne, Australia\n            units: metric\n            hour-format: 12h\n            # Optionally hide the location from being displayed in the widget\n            # hide-location: true\n\n          - type: releases\n            cache: 1d\n            # Without authentication the Github API allows for up to 60 requests per hour. You can create a\n            # read-only token from your Github account settings and use it here to increase the limit.\n            # token: ...\n            repositories:\n              - glanceapp/glance\n              - go-gitea/gitea\n              - immich-app/immich\n              - syncthing/syncthing\n\n  # Add more pages here:\n  # - name: Your page name\n  #   columns:\n  #     - size: small\n  #       widgets:\n  #         # Add widgets here\n\n  #     - size: full\n  #       widgets:\n  #         # Add widgets here\n\n  #     - size: small\n  #       widgets:\n  #         # Add widgets here\nEOF\n\n        destination = \"local/glance.yml\"\n      }\n\n    }\n  }\n}",
+            "jobspec": "job \"glance\" {\n  group \"glance\" {\n    count = 1\n\n    network {\n      port \"http\" {\n        to = 8080\n      }\n    }\n\n    task \"glance\" {\n      driver = \"docker\"\n\n      config {\n        image = \"glanceapp/glance:latest\"\n        ports = [\"http\"]\n        volumes = [\n          \"local/glance.yml:/app/config/glance.yml\",\n        ]\n      }\n\n      service {\n        name = \"home\"\n        port = \"http\"\n        \n        tags = [\n          \"traefik.enable=true\",\n          \"traefik.http.routers.home.middlewares=auth@file\",\n        ]\n\n        check {\n          name     = \"alive\"\n          type     = \"tcp\"\n          port     = \"http\"\n          interval = \"10s\"\n          timeout  = \"2s\"\n        }\n      }\n\n      resources {\n        cpu    = 50\n        memory = 128\n      }\n\n\n      template {\n        data = \u003c\u003cEOF\npages:\n  - name: Home\n    # Optionally, if you only have a single page you can hide the desktop navigation for a cleaner look\n    # hide-desktop-navigation: true\n    columns:\n      - size: small\n        widgets:\n          - type: calendar\n            first-day-of-week: monday\n\n          - type: rss\n            limit: 10\n            collapse-after: 3\n            cache: 12h\n            feeds:\n              - url: https://selfh.st/rss/\n                title: selfh.st\n                limit: 4\n              - url: https://ciechanow.ski/atom.xml\n              - url: https://www.joshwcomeau.com/rss.xml\n                title: Josh Comeau\n              - url: https://samwho.dev/rss.xml\n              - url: https://ishadeed.com/feed.xml\n                title: Ahmad Shadeed\n\n          - type: twitch-channels\n            channels:\n              - theprimeagen\n              - j_blow\n              - piratesoftware\n              - cohhcarnage\n              - christitustech\n              - EJ_SA\n\n      - size: full\n        widgets:\n          - type: group\n            widgets:\n              - type: hacker-news\n              - type: lobsters\n\n          - type: videos\n            channels:\n              - UCXuqSBlHAE6Xw-yeJA0Tunw # Linus Tech Tips\n              - UCR-DXc1voovS8nhAvccRZhg # Jeff Geerling\n              - UCsBjURrPoezykLs9EqgamOA # Fireship\n              - UCBJycsmduvYEL83R_U4JriQ # Marques Brownlee\n              - UCHnyfMqiRRG1u-2MsSQLbXA # Veritasium\n\n          - type: bookmarks\n            groups:\n              - links:\n                  - title: Gmail\n                    url: https://mail.google.com/mail/u/0/\n                  - title: Amazon\n                    url: https://www.amazon.com/\n                  - title: Github\n                    url: https://github.com/\n                  - title: Wikipedia\n                    url: https://en.wikipedia.org/\n              - title: Infra\n                color: 10 70 50\n                links:\n                  - title: Nomad\n                    url: https://nomad.othrayte.one/\n                  - title: Consul\n                    url: https://consul.othrayte.one/\n                  - title: Traefik\n                    url: https://traefik.othrayte.one/\n              - title: Social\n                color: 200 50 50\n                links:\n                  - title: Reddit\n                    url: https://www.reddit.com/\n                  - title: Twitter\n                    url: https://twitter.com/\n                  - title: Instagram\n                    url: https://www.instagram.com/\n\n      - size: small\n        widgets:\n          - type: weather\n            location: Melbourne, Australia\n            units: metric\n            hour-format: 12h\n            # Optionally hide the location from being displayed in the widget\n            # hide-location: true\n\n          - type: releases\n            cache: 1d\n            # Without authentication the Github API allows for up to 60 requests per hour. You can create a\n            # read-only token from your Github account settings and use it here to increase the limit.\n            # token: ...\n            repositories:\n              - glanceapp/glance\n              - go-gitea/gitea\n              - immich-app/immich\n              - syncthing/syncthing\n\n  # Add more pages here:\n  # - name: Your page name\n  #   columns:\n  #     - size: small\n  #       widgets:\n  #         # Add widgets here\n\n  #     - size: full\n  #       widgets:\n  #         # Add widgets here\n\n  #     - size: small\n  #       widgets:\n  #         # Add widgets here\nEOF\n\n        destination = \"local/glance.yml\"\n      }\n\n    }\n  }\n}",
             "json": null,
-            "modify_index": "9627",
+            "modify_index": "17710",
             "name": "glance",
             "namespace": "default",
             "policy_override": null,
@@ -167,9 +222,9 @@
             "detach": true,
             "hcl2": [],
             "id": "hello-world",
-            "jobspec": "job \"hello-world\" {\n  group \"servers\" {\n    network {\n      port \"www\" {\n        to = -1\n      }\n    }\n\n    service {\n      name = \"hello-world\"\n      port = \"www\"\n    \n      tags = [\n        \"traefik.enable=true\",\n      ]\n\n      check {\n        name     = \"alive\"\n        type     = \"tcp\"\n        port     = \"www\"\n        interval = \"10s\"\n        timeout  = \"2s\"\n      }\n    }\n    \n\n    # Tasks are individual units of work that are run by Nomad.\n    task \"web\" {\n      # This particular task starts a simple web server within a Docker container\n      driver = \"docker\"\n\n      config {\n        image   = \"busybox:1\"\n        command = \"httpd\"\n        args    = [\"-v\", \"-f\", \"-p\", \"${NOMAD_PORT_www}\", \"-h\", \"/local\"]\n        ports   = [\"www\"]\n      }\n\n      template {\n        data        = \u003c\u003c-EOF\n                      \u003ch1\u003eHello, Nomad!\u003c/h1\u003e\n                      \u003cul\u003e\n                        \u003cli\u003eTask: {{env \"NOMAD_TASK_NAME\"}}\u003c/li\u003e\n                        \u003cli\u003eGroup: {{env \"NOMAD_GROUP_NAME\"}}\u003c/li\u003e\n                        \u003cli\u003eJob: {{env \"NOMAD_JOB_NAME\"}}\u003c/li\u003e\n                        \u003cli\u003eMetadata value for foo: {{env \"NOMAD_META_foo\"}}\u003c/li\u003e\n                        \u003cli\u003eCurrently running on port: {{env \"NOMAD_PORT_www\"}}\u003c/li\u003e\n                      \u003c/ul\u003e\n                      EOF\n        destination = \"local/index.html\"\n      }\n\n      # Specify the maximum resources required to run the task\n      resources {\n        cpu    = 50\n        memory = 64\n      }\n    }\n  }\n}",
+            "jobspec": "job \"hello-world\" {\n  group \"servers\" {\n    network {\n      port \"www\" {\n        to = -1\n      }\n    }\n\n    service {\n      name = \"hello-world\"\n      port = \"www\"\n    \n      tags = [\n        \"traefik.enable=true\",\n        \"traefik.http.routers.hello-world.middlewares=auth@file\",\n      ]\n\n      check {\n        name     = \"alive\"\n        type     = \"tcp\"\n        port     = \"www\"\n        interval = \"10s\"\n        timeout  = \"2s\"\n      }\n    }\n    \n\n    # Tasks are individual units of work that are run by Nomad.\n    task \"web\" {\n      # This particular task starts a simple web server within a Docker container\n      driver = \"docker\"\n\n      config {\n        image   = \"busybox:1\"\n        command = \"httpd\"\n        args    = [\"-v\", \"-f\", \"-p\", \"${NOMAD_PORT_www}\", \"-h\", \"/local\"]\n        ports   = [\"www\"]\n      }\n\n      template {\n        data        = \u003c\u003c-EOF\n                      \u003ch1\u003eHello, Nomad!\u003c/h1\u003e\n                      \u003cul\u003e\n                        \u003cli\u003eTask: {{env \"NOMAD_TASK_NAME\"}}\u003c/li\u003e\n                        \u003cli\u003eGroup: {{env \"NOMAD_GROUP_NAME\"}}\u003c/li\u003e\n                        \u003cli\u003eJob: {{env \"NOMAD_JOB_NAME\"}}\u003c/li\u003e\n                        \u003cli\u003eMetadata value for foo: {{env \"NOMAD_META_foo\"}}\u003c/li\u003e\n                        \u003cli\u003eCurrently running on port: {{env \"NOMAD_PORT_www\"}}\u003c/li\u003e\n                      \u003c/ul\u003e\n                      EOF\n        destination = \"local/index.html\"\n      }\n\n      # Specify the maximum resources required to run the task\n      resources {\n        cpu    = 50\n        memory = 64\n      }\n    }\n  }\n}",
             "json": null,
-            "modify_index": "8507",
+            "modify_index": "17709",
             "name": "hello-world",
             "namespace": "default",
             "policy_override": null,
@@ -212,9 +267,7 @@
           "schema_version": 0,
           "attributes": {
             "allocation_ids": [],
-            "datacenters": [
-              "*"
-            ],
+            "datacenters": [],
             "deployment_id": null,
             "deployment_status": null,
             "deregister_on_destroy": true,
@@ -222,9 +275,9 @@
             "detach": true,
             "hcl2": [],
             "id": "traefik",
-            "jobspec": "job \"traefik\" {\n  group \"traefik\" {\n    network {\n      port \"http\" {\n        static = 80\n      }\n\n      port \"https\" {\n        static = 443\n      }\n\n      port \"api\" {\n        static = 8081\n      }\n    }\n\n    service {\n      name = \"traefik\"\n\n      tags = [\n        \"traefik.enable=true\",\n        \"traefik.http.routers.traefik.rule=Host(`traefik.othrayte.one`)\",\n        \"traefik.http.routers.traefik.service=traefik\",\n        \"traefik.http.services.traefik.loadbalancer.server.port=8081\",\n      ]\n\n      check {\n        name     = \"alive\"\n        type     = \"tcp\"\n        port     = \"http\"\n        interval = \"10s\"\n        timeout  = \"2s\"\n      }\n    }\n\n    volume \"traefik\" {\n      type      = \"host\"\n      read_only = false\n      source    = \"traefik\"\n    }\n\n    task \"traefik\" {\n      driver = \"docker\"\n\n      config {\n        image        = \"traefik:v3.3\"\n        network_mode = \"host\"\n\n        volumes = [\n          \"local/traefik.yml:/etc/traefik/traefik.yml\",\n          \"local/configs/:/etc/traefik/configs/\"\n        ]\n      }\n\n      volume_mount {\n        volume      = \"traefik\"\n        destination = \"/opt/traefik\"\n        read_only   = false\n      }\n\n      template {\n        data = \u003c\u003cEOF\nentryPoints:\n  web:\n    address: \":80\"\n    http:\n      redirections:\n        entryPoint:\n          to: websecure\n          scheme: https\n  websecure:\n    address: \":443\"\n    http:\n      middlewares:\n        - auth@file\n      tls:\n        certResolver: letsencrypt\n  traefik:\n    address: \":8081\"\n\napi:\n  dashboard: true\n  insecure: true\n\nproviders:\n  file:\n    directory: \"/etc/traefik/configs/\"\n\n  consulCatalog:\n    prefix: \"traefik\"\n    exposedByDefault: false\n    defaultRule: {{\"Host(`{{ .Name }}.othrayte.one`)\"}}\n    endpoint:\n      address: \"127.0.0.1:8500\"\n      scheme: \"http\"\n\ncertificatesResolvers:\n  letsencrypt:\n    acme:\n      email: \"othrayte@gmail.com\"\n      storage: \"/opt/traefik/acme.json\"\n      httpChallenge:\n        entryPoint: web\nEOF\n\n        destination = \"local/traefik.yml\"\n      }\n\n      template {\n        data = \u003c\u003cEOF\nhttp:\n  middlewares:\n    auth:\n      basicAuth:\n        users:\n          - \"othrayte:$apr1$7PqVUfNm$Go/SNo6y331KYDnQdOLIt/\"\n \n  routers:\n    nomad-ui:\n      rule: \"Host(`nomad.othrayte.one`)\"\n      service: nomad-ui\n    consul-ui:\n      rule: \"Host(`consul.othrayte.one`)\"\n      service: consul-ui\n    unraid:\n      rule: \"Host(`unraid.othrayte.one`)\"\n      service: unraid\n\n  services:\n    nomad-ui:\n      loadBalancer:\n        servers:\n          - url: \"http://127.0.0.1:4646\"\n    consul-ui:\n      loadBalancer:\n        servers:\n          - url: \"http://127.0.0.1:8500\"\n    unraid:\n      loadBalancer:\n        servers:\n          - url: \"http://192.168.1.192:80\"\nEOF\n\n        destination = \"local/configs/nomad.yml\"\n      }\n\n      resources {\n        cpu    = 100\n        memory = 128\n      }\n    }\n  }\n}\n",
+            "jobspec": "job \"traefik\" {\n  group \"traefik\" {\n    network {\n      port \"http\" {\n        static = 80\n      }\n\n      port \"https\" {\n        static = 443\n      }\n\n      port \"api\" {\n        static = 8081\n      }\n    }\n\n    service {\n      name = \"traefik\"\n\n      tags = [\n        \"traefik.enable=true\",\n        \"traefik.http.routers.traefik.rule=Host(`traefik.othrayte.one`)\",\n        \"traefik.http.routers.traefik.service=traefik\",\n        \"traefik.http.routers.traefik.middlewares=auth@file\",\n        \"traefik.http.services.traefik.loadbalancer.server.port=8081\",\n      ]\n\n      check {\n        name     = \"alive\"\n        type     = \"tcp\"\n        port     = \"http\"\n        interval = \"10s\"\n        timeout  = \"2s\"\n      }\n    }\n\n    volume \"traefik\" {\n      type      = \"host\"\n      read_only = false\n      source    = \"traefik\"\n    }\n\n    task \"traefik\" {\n      driver = \"docker\"\n\n      config {\n        image        = \"traefik:v3.3\"\n        network_mode = \"host\"\n\n        volumes = [\n          \"local/traefik.yml:/etc/traefik/traefik.yml\",\n          \"local/configs/:/etc/traefik/configs/\"\n        ]\n      }\n\n      volume_mount {\n        volume      = \"traefik\"\n        destination = \"/opt/traefik\"\n        read_only   = false\n      }\n\n      template {\n        data = \u003c\u003cEOF\nentryPoints:\n  web:\n    address: \":80\"\n    http:\n      redirections:\n        entryPoint:\n          to: websecure\n          scheme: https\n  websecure:\n    address: \":443\"\n    http:\n      tls:\n        certResolver: letsencrypt\n  traefik:\n    address: \":8081\"\n\napi:\n  dashboard: true\n  insecure: true\n\nproviders:\n  file:\n    directory: \"/etc/traefik/configs/\"\n\n  consulCatalog:\n    prefix: \"traefik\"\n    exposedByDefault: false\n    defaultRule: {{\"Host(`{{ .Name }}.othrayte.one`)\"}}\n    endpoint:\n      address: \"127.0.0.1:8500\"\n      scheme: \"http\"\n\ncertificatesResolvers:\n  letsencrypt:\n    acme:\n      email: \"othrayte@gmail.com\"\n      storage: \"/opt/traefik/acme.json\"\n      httpChallenge:\n        entryPoint: web\nEOF\n\n        destination = \"local/traefik.yml\"\n      }\n\n      template {\n        data = \u003c\u003cEOF\nhttp:\n  middlewares:\n    auth:\n      forwardAuth:\n        address: \"http://192.168.1.235:9091/api/authz/forward-auth\"\n        trustForwardHeader: true\n  routers:\n    fallback:\n      rule: \"HostRegexp(`^.+$`)\"\n      entryPoints:\n        - websecure\n      middlewares:\n        - auth\n      service: noop@internal  # This router just applies middleware\n      priority: 1\n    nomad-ui:\n      rule: \"Host(`nomad.othrayte.one`)\"\n      service: nomad-ui\n      middlewares:\n        - auth\n    consul-ui:\n      rule: \"Host(`consul.othrayte.one`)\"\n      service: consul-ui\n      middlewares:\n        - auth\n    unraid:\n      rule: \"Host(`unraid.othrayte.one`)\"\n      service: unraid\n      middlewares:\n        - auth\n\n  services:\n    nomad-ui:\n      loadBalancer:\n        servers:\n          - url: \"http://127.0.0.1:4646\"\n    consul-ui:\n      loadBalancer:\n        servers:\n          - url: \"http://127.0.0.1:8500\"\n    unraid:\n      loadBalancer:\n        servers:\n          - url: \"http://192.168.1.192:80\"\nEOF\n\n        destination = \"local/configs/nomad.yml\"\n      }\n\n      resources {\n        cpu    = 100\n        memory = 128\n      }\n    }\n  }\n}\n",
             "json": null,
-            "modify_index": "10880",
+            "modify_index": "18000",
             "name": "traefik",
             "namespace": "default",
             "policy_override": null,
@@ -290,9 +343,9 @@
             "detach": true,
             "hcl2": [],
             "id": "volume-test",
-            "jobspec": "job \"volume-test\" {\n  group \"web\" {\n    network {\n      port \"www\" {\n        to = 80\n      }\n    }\n\n    volume \"unraid_transfer_use\" {\n      type            = \"csi\"\n      source          = \"unraid_transfer_id5\"\n      access_mode     = \"single-node-writer\"\n      attachment_mode = \"file-system\"\n      read_only       = true\n\n      mount_options {\n        fs_type     = \"ext4\"\n        mount_flags = [\"noatime\"]\n      }\n    }\n\n    service {\n      name = \"volume-test\"\n      port = \"www\"\n    \n      tags = [\n        \"traefik.enable=true\",\n      ]\n\n      check {\n        name     = \"alive\"\n        type     = \"tcp\"\n        port     = \"www\"\n        interval = \"10s\"\n        timeout  = \"2s\"\n      }\n    }\n\n    task \"webserver\" {\n      driver = \"docker\"\n\n      config {\n        image = \"nginx:latest\"\n\n        ports = [\"www\"]\n        # volumes = [\n        #   \"local:/usr/share/nginx/html:ro\"\n        # ]\n      }\n\n      volume_mount {\n        volume      = \"unraid_transfer_use\"\n\t      destination = \"/usr/share/nginx/html/transfer\"\n        read_only   = true\n      }\n\n      # template {\n      #   data        = \"\u003ch1\u003eVolume Test 1\u003c/h1\u003e\"\n      #   destination = \"local/index.html\"\n      # }\n\n      resources {\n        cpu    = 500\n        memory = 256\n      }\n    }\n\n    # volume \"local\" {\n    #   type      = \"csi\"\n    #   source    = \"unraid_transfer\"\n    #   read_only = true\n    #   access_mode     = \"single-node-writer\"\n    #   attachment_mode = \"file-system\"\n    # }\n  }\n}",
+            "jobspec": "job \"volume-test\" {\n  group \"web\" {\n    network {\n      port \"www\" {\n        to = 80\n      }\n    }\n\n    volume \"unraid_transfer_use\" {\n      type            = \"csi\"\n      source          = \"unraid_transfer_id5\"\n      access_mode     = \"single-node-writer\"\n      attachment_mode = \"file-system\"\n      read_only       = true\n\n      mount_options {\n        fs_type     = \"ext4\"\n        mount_flags = [\"noatime\"]\n      }\n    }\n\n    service {\n      name = \"volume-test\"\n      port = \"www\"\n    \n      tags = [\n        \"traefik.enable=true\",\n        \"traefik.http.routers.volume-test.middlewares=auth@file\",\n      ]\n\n      check {\n        name     = \"alive\"\n        type     = \"tcp\"\n        port     = \"www\"\n        interval = \"10s\"\n        timeout  = \"2s\"\n      }\n    }\n\n    task \"webserver\" {\n      driver = \"docker\"\n\n      config {\n        image = \"nginx:latest\"\n\n        ports = [\"www\"]\n        # volumes = [\n        #   \"local:/usr/share/nginx/html:ro\"\n        # ]\n      }\n\n      volume_mount {\n        volume      = \"unraid_transfer_use\"\n\t      destination = \"/usr/share/nginx/html/transfer\"\n        read_only   = true\n      }\n\n      # template {\n      #   data        = \"\u003ch1\u003eVolume Test 1\u003c/h1\u003e\"\n      #   destination = \"local/index.html\"\n      # }\n\n      resources {\n        cpu    = 500\n        memory = 256\n      }\n    }\n\n    # volume \"local\" {\n    #   type      = \"csi\"\n    #   source    = \"unraid_transfer\"\n    #   read_only = true\n    #   access_mode     = \"single-node-writer\"\n    #   attachment_mode = \"file-system\"\n    # }\n  }\n}",
             "json": null,
-            "modify_index": "12228",
+            "modify_index": "17705",
             "name": "volume-test",
             "namespace": "default",
             "policy_override": null,
@@ -358,9 +411,9 @@
             "detach": true,
             "hcl2": [],
             "id": "demo-webapp",
-            "jobspec": "job \"demo-webapp\" {\n  group \"demo\" {\n    count = 3\n\n    network {\n      port \"http\"{\n        to = -1\n      }\n    }\n\n    service {\n      name = \"demo-webapp\"\n      port = \"http\"\n\n      tags = [\n        \"traefik.enable=true\",\n      ]\n\n      check {\n        type     = \"http\"\n        path     = \"/\"\n        interval = \"2s\"\n        timeout  = \"2s\"\n      }\n    }\n\n    task \"server\" {\n      env {\n        PORT    = \"${NOMAD_PORT_http}\"\n        NODE_IP = \"${NOMAD_IP_http}\"\n      }\n\n      driver = \"docker\"\n\n      config {\n        image = \"hashicorp/demo-webapp-lb-guide\"\n        ports = [\"http\"]\n      }\n    }\n  }\n}",
+            "jobspec": "job \"demo-webapp\" {\n  group \"demo\" {\n    count = 3\n\n    network {\n      port \"http\"{\n        to = -1\n      }\n    }\n\n    service {\n      name = \"demo-webapp\"\n      port = \"http\"\n\n      tags = [\n        \"traefik.enable=true\",\n        \"traefik.http.routers.demo-webapp.middlewares=auth@file\",\n      ]\n\n      check {\n        type     = \"http\"\n        path     = \"/\"\n        interval = \"2s\"\n        timeout  = \"2s\"\n      }\n    }\n\n    task \"server\" {\n      env {\n        PORT    = \"${NOMAD_PORT_http}\"\n        NODE_IP = \"${NOMAD_IP_http}\"\n      }\n\n      driver = \"docker\"\n\n      config {\n        image = \"hashicorp/demo-webapp-lb-guide\"\n        ports = [\"http\"]\n      }\n    }\n  }\n}",
             "json": null,
-            "modify_index": "8567",
+            "modify_index": "17707",
             "name": "demo-webapp",
             "namespace": "default",
             "policy_override": null,
diff --git a/2-nomad-config/terraform.tfstate.backup b/2-nomad-config/terraform.tfstate.backup
index 0609ec5..940eae2 100644
--- a/2-nomad-config/terraform.tfstate.backup
+++ b/2-nomad-config/terraform.tfstate.backup
@@ -1,10 +1,97 @@
 {
   "version": 4,
   "terraform_version": "1.11.4",
-  "serial": 332,
+  "serial": 482,
   "lineage": "15e0900c-88bc-9754-4600-e3977d018ba0",
   "outputs": {},
   "resources": [
+    {
+      "mode": "data",
+      "type": "nomad_plugin",
+      "name": "smb",
+      "provider": "provider[\"registry.terraform.io/hashicorp/nomad\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "controller_required": false,
+            "controllers_expected": 0,
+            "controllers_healthy": 0,
+            "id": "smb",
+            "nodes": [
+              {
+                "healthy": true,
+                "healthy_description": "healthy",
+                "name": "0db77253-0579-e8b0-42cd-d619af9d8e73"
+              }
+            ],
+            "nodes_expected": 1,
+            "nodes_healthy": 1,
+            "plugin_id": "smb",
+            "plugin_provider": "smb.csi.k8s.io",
+            "plugin_provider_version": "v1.7.0",
+            "wait_for_healthy": true,
+            "wait_for_registration": false
+          },
+          "sensitive_attributes": []
+        }
+      ]
+    },
+    {
+      "mode": "managed",
+      "type": "nomad_job",
+      "name": "authelia",
+      "provider": "provider[\"registry.terraform.io/hashicorp/nomad\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "allocation_ids": [],
+            "datacenters": [
+              "*"
+            ],
+            "deployment_id": null,
+            "deployment_status": null,
+            "deregister_on_destroy": true,
+            "deregister_on_id_change": true,
+            "detach": true,
+            "hcl2": [],
+            "id": "authelia",
+            "jobspec": "job \"authelia\" {\n  group \"authelia\" {\n    network {\n      port \"http\" {\n        static = 9091\n      }\n    }\n\n    service {\n      name = \"auth\"\n      port = \"http\"\n\n      tags = [\n        \"traefik.enable=true\",\n      ]\n\n      check {\n        type     = \"http\"\n        path     = \"/health\"\n        interval = \"10s\"\n        timeout  = \"2s\"\n      }\n    }\n\n    task \"authelia\" {\n      driver = \"docker\"\n\n      config {\n        image = \"authelia/authelia:latest\"\n\n        ports = [\"http\"]\n\n        volumes = [\n          \"local/config:/config\",\n          \"local/data:/data\"\n        ]\n      }\n\n      resources {\n        cpu    = 100\n        memory = 128\n      }\n\n      template {\n        data = \u003c\u003cEOF\nserver:\n  address: tcp://0.0.0.0:{{ env \"NOMAD_PORT_http\" }}/\ntheme: \"auto\"\nidentity_validation:\n  reset_password:\n    jwt_secret: \"{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .jwt_secret }}{{ end }}\"\n\nauthentication_backend:\n  file:\n    path: /config/users_database.yml\n\naccess_control:\n  default_policy: deny\n  rules:\n    - domain: \"*.othrayte.one\"\n      policy: one_factor\n    # Disable auth for authelia\n    #- domain: \"auth.othrayte.one\"\n    #  policy: bypass\n\nsession:\n  name: authelia_session\n  secret: \"{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .session_secret }}{{ end }}\"\n  expiration: 3600\n  cookies:\n    - domain: othrayte.one\n      authelia_url: \"https://auth.othrayte.one\"\n\nstorage:\n  local:\n    path: /config/db.sqlite3\n  encryption_key: \"{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .encryption_key }}{{ end }}\"\n\nnotifier:\n  filesystem:\n    filename: /config/notification.txt\nEOF\n\n        destination = \"local/config/configuration.yml\"\n      }\n\n      template {\n        data = \u003c\u003cEOF\n# Users database for Authelia\nusers:\n  othrayte:\n    password: \"$2y$10$FeemMJevZXq6y1pc6FNOXeIlthGWiGHRmMfpV33BNcpChA5ozLUmK\"\n    displayname: \"Adrian\"\n    email: \"othrayte@gmail.com\"\nEOF\n\n        destination = \"local/config/users_database.yml\"\n      }\n    }\n  }\n}\n",
+            "json": null,
+            "modify_index": "17976",
+            "name": "authelia",
+            "namespace": "default",
+            "policy_override": null,
+            "purge_on_destroy": null,
+            "read_allocation_ids": false,
+            "region": "global",
+            "rerun_if_dead": false,
+            "status": "running",
+            "task_groups": [
+              {
+                "count": 1,
+                "meta": {},
+                "name": "authelia",
+                "task": [
+                  {
+                    "driver": "docker",
+                    "meta": {},
+                    "name": "authelia",
+                    "volume_mounts": []
+                  }
+                ],
+                "volumes": []
+              }
+            ],
+            "timeouts": null,
+            "type": "service"
+          },
+          "sensitive_attributes": [],
+          "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozMDAwMDAwMDAwMDAsInVwZGF0ZSI6MzAwMDAwMDAwMDAwfX0="
+        }
+      ]
+    },
     {
       "mode": "managed",
       "type": "nomad_job",
@@ -80,9 +167,9 @@
             "detach": true,
             "hcl2": [],
             "id": "glance",
-            "jobspec": "job \"glance\" {\n  group \"glance\" {\n    count = 1\n\n    network {\n      port \"http\" {\n        to = 8080\n      }\n    }\n\n    task \"glance\" {\n      driver = \"docker\"\n\n      config {\n        image = \"glanceapp/glance:latest\"\n        ports = [\"http\"]\n        volumes = [\n          \"local/glance.yml:/app/config/glance.yml\",\n        ]\n      }\n\n      service {\n        name = \"home\"\n        port = \"http\"\n        \n        tags = [\n          \"traefik.enable=true\",\n        ]\n\n        check {\n          name     = \"alive\"\n          type     = \"tcp\"\n          port     = \"http\"\n          interval = \"10s\"\n          timeout  = \"2s\"\n        }\n      }\n\n      resources {\n        cpu    = 50\n        memory = 128\n      }\n\n\n      template {\n        data = \u003c\u003cEOF\npages:\n  - name: Home\n    # Optionally, if you only have a single page you can hide the desktop navigation for a cleaner look\n    # hide-desktop-navigation: true\n    columns:\n      - size: small\n        widgets:\n          - type: calendar\n            first-day-of-week: monday\n\n          - type: rss\n            limit: 10\n            collapse-after: 3\n            cache: 12h\n            feeds:\n              - url: https://selfh.st/rss/\n                title: selfh.st\n                limit: 4\n              - url: https://ciechanow.ski/atom.xml\n              - url: https://www.joshwcomeau.com/rss.xml\n                title: Josh Comeau\n              - url: https://samwho.dev/rss.xml\n              - url: https://ishadeed.com/feed.xml\n                title: Ahmad Shadeed\n\n          - type: twitch-channels\n            channels:\n              - theprimeagen\n              - j_blow\n              - piratesoftware\n              - cohhcarnage\n              - christitustech\n              - EJ_SA\n\n      - size: full\n        widgets:\n          - type: group\n            widgets:\n              - type: hacker-news\n              - type: lobsters\n\n          - type: videos\n            channels:\n              - UCXuqSBlHAE6Xw-yeJA0Tunw # Linus Tech Tips\n              - UCR-DXc1voovS8nhAvccRZhg # Jeff Geerling\n              - UCsBjURrPoezykLs9EqgamOA # Fireship\n              - UCBJycsmduvYEL83R_U4JriQ # Marques Brownlee\n              - UCHnyfMqiRRG1u-2MsSQLbXA # Veritasium\n\n          - type: bookmarks\n            groups:\n              - links:\n                  - title: Gmail\n                    url: https://mail.google.com/mail/u/0/\n                  - title: Amazon\n                    url: https://www.amazon.com/\n                  - title: Github\n                    url: https://github.com/\n                  - title: Wikipedia\n                    url: https://en.wikipedia.org/\n              - title: Infra\n                color: 10 70 50\n                links:\n                  - title: Nomad\n                    url: https://nomad.othrayte.one/\n                  - title: Consul\n                    url: https://consul.othrayte.one/\n                  - title: Traefik\n                    url: https://traefik.othrayte.one/\n              - title: Social\n                color: 200 50 50\n                links:\n                  - title: Reddit\n                    url: https://www.reddit.com/\n                  - title: Twitter\n                    url: https://twitter.com/\n                  - title: Instagram\n                    url: https://www.instagram.com/\n\n      - size: small\n        widgets:\n          - type: weather\n            location: Melbourne, Australia\n            units: metric\n            hour-format: 12h\n            # Optionally hide the location from being displayed in the widget\n            # hide-location: true\n\n          - type: releases\n            cache: 1d\n            # Without authentication the Github API allows for up to 60 requests per hour. You can create a\n            # read-only token from your Github account settings and use it here to increase the limit.\n            # token: ...\n            repositories:\n              - glanceapp/glance\n              - go-gitea/gitea\n              - immich-app/immich\n              - syncthing/syncthing\n\n  # Add more pages here:\n  # - name: Your page name\n  #   columns:\n  #     - size: small\n  #       widgets:\n  #         # Add widgets here\n\n  #     - size: full\n  #       widgets:\n  #         # Add widgets here\n\n  #     - size: small\n  #       widgets:\n  #         # Add widgets here\nEOF\n\n        destination = \"local/glance.yml\"\n      }\n\n    }\n  }\n}",
+            "jobspec": "job \"glance\" {\n  group \"glance\" {\n    count = 1\n\n    network {\n      port \"http\" {\n        to = 8080\n      }\n    }\n\n    task \"glance\" {\n      driver = \"docker\"\n\n      config {\n        image = \"glanceapp/glance:latest\"\n        ports = [\"http\"]\n        volumes = [\n          \"local/glance.yml:/app/config/glance.yml\",\n        ]\n      }\n\n      service {\n        name = \"home\"\n        port = \"http\"\n        \n        tags = [\n          \"traefik.enable=true\",\n          \"traefik.http.routers.home.middlewares=auth@file\",\n        ]\n\n        check {\n          name     = \"alive\"\n          type     = \"tcp\"\n          port     = \"http\"\n          interval = \"10s\"\n          timeout  = \"2s\"\n        }\n      }\n\n      resources {\n        cpu    = 50\n        memory = 128\n      }\n\n\n      template {\n        data = \u003c\u003cEOF\npages:\n  - name: Home\n    # Optionally, if you only have a single page you can hide the desktop navigation for a cleaner look\n    # hide-desktop-navigation: true\n    columns:\n      - size: small\n        widgets:\n          - type: calendar\n            first-day-of-week: monday\n\n          - type: rss\n            limit: 10\n            collapse-after: 3\n            cache: 12h\n            feeds:\n              - url: https://selfh.st/rss/\n                title: selfh.st\n                limit: 4\n              - url: https://ciechanow.ski/atom.xml\n              - url: https://www.joshwcomeau.com/rss.xml\n                title: Josh Comeau\n              - url: https://samwho.dev/rss.xml\n              - url: https://ishadeed.com/feed.xml\n                title: Ahmad Shadeed\n\n          - type: twitch-channels\n            channels:\n              - theprimeagen\n              - j_blow\n              - piratesoftware\n              - cohhcarnage\n              - christitustech\n              - EJ_SA\n\n      - size: full\n        widgets:\n          - type: group\n            widgets:\n              - type: hacker-news\n              - type: lobsters\n\n          - type: videos\n            channels:\n              - UCXuqSBlHAE6Xw-yeJA0Tunw # Linus Tech Tips\n              - UCR-DXc1voovS8nhAvccRZhg # Jeff Geerling\n              - UCsBjURrPoezykLs9EqgamOA # Fireship\n              - UCBJycsmduvYEL83R_U4JriQ # Marques Brownlee\n              - UCHnyfMqiRRG1u-2MsSQLbXA # Veritasium\n\n          - type: bookmarks\n            groups:\n              - links:\n                  - title: Gmail\n                    url: https://mail.google.com/mail/u/0/\n                  - title: Amazon\n                    url: https://www.amazon.com/\n                  - title: Github\n                    url: https://github.com/\n                  - title: Wikipedia\n                    url: https://en.wikipedia.org/\n              - title: Infra\n                color: 10 70 50\n                links:\n                  - title: Nomad\n                    url: https://nomad.othrayte.one/\n                  - title: Consul\n                    url: https://consul.othrayte.one/\n                  - title: Traefik\n                    url: https://traefik.othrayte.one/\n              - title: Social\n                color: 200 50 50\n                links:\n                  - title: Reddit\n                    url: https://www.reddit.com/\n                  - title: Twitter\n                    url: https://twitter.com/\n                  - title: Instagram\n                    url: https://www.instagram.com/\n\n      - size: small\n        widgets:\n          - type: weather\n            location: Melbourne, Australia\n            units: metric\n            hour-format: 12h\n            # Optionally hide the location from being displayed in the widget\n            # hide-location: true\n\n          - type: releases\n            cache: 1d\n            # Without authentication the Github API allows for up to 60 requests per hour. You can create a\n            # read-only token from your Github account settings and use it here to increase the limit.\n            # token: ...\n            repositories:\n              - glanceapp/glance\n              - go-gitea/gitea\n              - immich-app/immich\n              - syncthing/syncthing\n\n  # Add more pages here:\n  # - name: Your page name\n  #   columns:\n  #     - size: small\n  #       widgets:\n  #         # Add widgets here\n\n  #     - size: full\n  #       widgets:\n  #         # Add widgets here\n\n  #     - size: small\n  #       widgets:\n  #         # Add widgets here\nEOF\n\n        destination = \"local/glance.yml\"\n      }\n\n    }\n  }\n}",
             "json": null,
-            "modify_index": "9627",
+            "modify_index": "17710",
             "name": "glance",
             "namespace": "default",
             "policy_override": null,
@@ -135,9 +222,9 @@
             "detach": true,
             "hcl2": [],
             "id": "hello-world",
-            "jobspec": "job \"hello-world\" {\n  group \"servers\" {\n    network {\n      port \"www\" {\n        to = -1\n      }\n    }\n\n    service {\n      name = \"hello-world\"\n      port = \"www\"\n    \n      tags = [\n        \"traefik.enable=true\",\n      ]\n\n      check {\n        name     = \"alive\"\n        type     = \"tcp\"\n        port     = \"www\"\n        interval = \"10s\"\n        timeout  = \"2s\"\n      }\n    }\n    \n\n    # Tasks are individual units of work that are run by Nomad.\n    task \"web\" {\n      # This particular task starts a simple web server within a Docker container\n      driver = \"docker\"\n\n      config {\n        image   = \"busybox:1\"\n        command = \"httpd\"\n        args    = [\"-v\", \"-f\", \"-p\", \"${NOMAD_PORT_www}\", \"-h\", \"/local\"]\n        ports   = [\"www\"]\n      }\n\n      template {\n        data        = \u003c\u003c-EOF\n                      \u003ch1\u003eHello, Nomad!\u003c/h1\u003e\n                      \u003cul\u003e\n                        \u003cli\u003eTask: {{env \"NOMAD_TASK_NAME\"}}\u003c/li\u003e\n                        \u003cli\u003eGroup: {{env \"NOMAD_GROUP_NAME\"}}\u003c/li\u003e\n                        \u003cli\u003eJob: {{env \"NOMAD_JOB_NAME\"}}\u003c/li\u003e\n                        \u003cli\u003eMetadata value for foo: {{env \"NOMAD_META_foo\"}}\u003c/li\u003e\n                        \u003cli\u003eCurrently running on port: {{env \"NOMAD_PORT_www\"}}\u003c/li\u003e\n                      \u003c/ul\u003e\n                      EOF\n        destination = \"local/index.html\"\n      }\n\n      # Specify the maximum resources required to run the task\n      resources {\n        cpu    = 50\n        memory = 64\n      }\n    }\n  }\n}",
+            "jobspec": "job \"hello-world\" {\n  group \"servers\" {\n    network {\n      port \"www\" {\n        to = -1\n      }\n    }\n\n    service {\n      name = \"hello-world\"\n      port = \"www\"\n    \n      tags = [\n        \"traefik.enable=true\",\n        \"traefik.http.routers.hello-world.middlewares=auth@file\",\n      ]\n\n      check {\n        name     = \"alive\"\n        type     = \"tcp\"\n        port     = \"www\"\n        interval = \"10s\"\n        timeout  = \"2s\"\n      }\n    }\n    \n\n    # Tasks are individual units of work that are run by Nomad.\n    task \"web\" {\n      # This particular task starts a simple web server within a Docker container\n      driver = \"docker\"\n\n      config {\n        image   = \"busybox:1\"\n        command = \"httpd\"\n        args    = [\"-v\", \"-f\", \"-p\", \"${NOMAD_PORT_www}\", \"-h\", \"/local\"]\n        ports   = [\"www\"]\n      }\n\n      template {\n        data        = \u003c\u003c-EOF\n                      \u003ch1\u003eHello, Nomad!\u003c/h1\u003e\n                      \u003cul\u003e\n                        \u003cli\u003eTask: {{env \"NOMAD_TASK_NAME\"}}\u003c/li\u003e\n                        \u003cli\u003eGroup: {{env \"NOMAD_GROUP_NAME\"}}\u003c/li\u003e\n                        \u003cli\u003eJob: {{env \"NOMAD_JOB_NAME\"}}\u003c/li\u003e\n                        \u003cli\u003eMetadata value for foo: {{env \"NOMAD_META_foo\"}}\u003c/li\u003e\n                        \u003cli\u003eCurrently running on port: {{env \"NOMAD_PORT_www\"}}\u003c/li\u003e\n                      \u003c/ul\u003e\n                      EOF\n        destination = \"local/index.html\"\n      }\n\n      # Specify the maximum resources required to run the task\n      resources {\n        cpu    = 50\n        memory = 64\n      }\n    }\n  }\n}",
             "json": null,
-            "modify_index": "8507",
+            "modify_index": "17709",
             "name": "hello-world",
             "namespace": "default",
             "policy_override": null,
@@ -180,9 +267,7 @@
           "schema_version": 0,
           "attributes": {
             "allocation_ids": [],
-            "datacenters": [
-              "*"
-            ],
+            "datacenters": [],
             "deployment_id": null,
             "deployment_status": null,
             "deregister_on_destroy": true,
@@ -190,9 +275,9 @@
             "detach": true,
             "hcl2": [],
             "id": "traefik",
-            "jobspec": "job \"traefik\" {\n  group \"traefik\" {\n    network {\n      port \"http\" {\n        static = 80\n      }\n\n      port \"https\" {\n        static = 443\n      }\n\n      port \"api\" {\n        static = 8081\n      }\n    }\n\n    service {\n      name = \"traefik\"\n\n      tags = [\n        \"traefik.enable=true\",\n        \"traefik.http.routers.traefik.rule=Host(`traefik.othrayte.one`)\",\n        \"traefik.http.routers.traefik.service=traefik\",\n        \"traefik.http.services.traefik.loadbalancer.server.port=8081\",\n      ]\n\n      check {\n        name     = \"alive\"\n        type     = \"tcp\"\n        port     = \"http\"\n        interval = \"10s\"\n        timeout  = \"2s\"\n      }\n    }\n\n    volume \"traefik\" {\n      type      = \"host\"\n      read_only = false\n      source    = \"traefik\"\n    }\n\n    task \"traefik\" {\n      driver = \"docker\"\n\n      config {\n        image        = \"traefik:v3.3\"\n        network_mode = \"host\"\n\n        volumes = [\n          \"local/traefik.yml:/etc/traefik/traefik.yml\",\n          \"local/configs/:/etc/traefik/configs/\"\n        ]\n      }\n\n      volume_mount {\n        volume      = \"traefik\"\n        destination = \"/opt/traefik\"\n        read_only   = false\n      }\n\n      template {\n        data = \u003c\u003cEOF\nentryPoints:\n  web:\n    address: \":80\"\n    http:\n      redirections:\n        entryPoint:\n          to: websecure\n          scheme: https\n  websecure:\n    address: \":443\"\n    http:\n      middlewares:\n        - auth@file\n      tls:\n        certResolver: letsencrypt\n  traefik:\n    address: \":8081\"\n\napi:\n  dashboard: true\n  insecure: true\n\nproviders:\n  file:\n    directory: \"/etc/traefik/configs/\"\n\n  consulCatalog:\n    prefix: \"traefik\"\n    exposedByDefault: false\n    defaultRule: {{\"Host(`{{ .Name }}.othrayte.one`)\"}}\n    endpoint:\n      address: \"127.0.0.1:8500\"\n      scheme: \"http\"\n\ncertificatesResolvers:\n  letsencrypt:\n    acme:\n      email: \"othrayte@gmail.com\"\n      storage: \"/opt/traefik/acme.json\"\n      httpChallenge:\n        entryPoint: web\nEOF\n\n        destination = \"local/traefik.yml\"\n      }\n\n      template {\n        data = \u003c\u003cEOF\nhttp:\n  middlewares:\n    auth:\n      basicAuth:\n        users:\n          - \"othrayte:$apr1$7PqVUfNm$Go/SNo6y331KYDnQdOLIt/\"\n \n  routers:\n    nomad-ui:\n      rule: \"Host(`nomad.othrayte.one`)\"\n      service: nomad-ui\n    consul-ui:\n      rule: \"Host(`consul.othrayte.one`)\"\n      service: consul-ui\n    unraid:\n      rule: \"Host(`unraid.othrayte.one`)\"\n      service: unraid\n\n  services:\n    nomad-ui:\n      loadBalancer:\n        servers:\n          - url: \"http://127.0.0.1:4646\"\n    consul-ui:\n      loadBalancer:\n        servers:\n          - url: \"http://127.0.0.1:8500\"\n    unraid:\n      loadBalancer:\n        servers:\n          - url: \"http://192.168.1.192:80\"\nEOF\n\n        destination = \"local/configs/nomad.yml\"\n      }\n\n      resources {\n        cpu    = 100\n        memory = 128\n      }\n    }\n  }\n}\n",
+            "jobspec": "job \"traefik\" {\n  group \"traefik\" {\n    network {\n      port \"http\" {\n        static = 80\n      }\n\n      port \"https\" {\n        static = 443\n      }\n\n      port \"api\" {\n        static = 8081\n      }\n    }\n\n    service {\n      name = \"traefik\"\n\n      tags = [\n        \"traefik.enable=true\",\n        \"traefik.http.routers.traefik.rule=Host(`traefik.othrayte.one`)\",\n        \"traefik.http.routers.traefik.service=traefik\",\n        \"traefik.http.routers.traefik.middlewares=authelia@file\",\n        \"traefik.http.services.traefik.loadbalancer.server.port=8081\",\n      ]\n\n      check {\n        name     = \"alive\"\n        type     = \"tcp\"\n        port     = \"http\"\n        interval = \"10s\"\n        timeout  = \"2s\"\n      }\n    }\n\n    volume \"traefik\" {\n      type      = \"host\"\n      read_only = false\n      source    = \"traefik\"\n    }\n\n    task \"traefik\" {\n      driver = \"docker\"\n\n      config {\n        image        = \"traefik:v3.3\"\n        network_mode = \"host\"\n\n        volumes = [\n          \"local/traefik.yml:/etc/traefik/traefik.yml\",\n          \"local/configs/:/etc/traefik/configs/\"\n        ]\n      }\n\n      volume_mount {\n        volume      = \"traefik\"\n        destination = \"/opt/traefik\"\n        read_only   = false\n      }\n\n      template {\n        data = \u003c\u003cEOF\nentryPoints:\n  web:\n    address: \":80\"\n    http:\n      redirections:\n        entryPoint:\n          to: websecure\n          scheme: https\n  websecure:\n    address: \":443\"\n    http:\n      tls:\n        certResolver: letsencrypt\n  traefik:\n    address: \":8081\"\n\napi:\n  dashboard: true\n  insecure: true\n\nproviders:\n  file:\n    directory: \"/etc/traefik/configs/\"\n\n  consulCatalog:\n    prefix: \"traefik\"\n    exposedByDefault: false\n    defaultRule: {{\"Host(`{{ .Name }}.othrayte.one`)\"}}\n    endpoint:\n      address: \"127.0.0.1:8500\"\n      scheme: \"http\"\n\ncertificatesResolvers:\n  letsencrypt:\n    acme:\n      email: \"othrayte@gmail.com\"\n      storage: \"/opt/traefik/acme.json\"\n      httpChallenge:\n        entryPoint: web\nEOF\n\n        destination = \"local/traefik.yml\"\n      }\n\n      template {\n        data = \u003c\u003cEOF\nhttp:\n  middlewares:\n    auth:\n      forwardAuth:\n        address: \"http://192.168.1.235:9091/api/authz/forward-auth\"\n        trustForwardHeader: true\n  routers:\n    fallback:\n      rule: \"HostRegexp(`^.+$`)\"\n      entryPoints:\n        - websecure\n      middlewares:\n        - auth\n      service: noop@internal  # This router just applies middleware\n      priority: 1\n    nomad-ui:\n      rule: \"Host(`nomad.othrayte.one`)\"\n      service: nomad-ui\n      middlewares:\n        - auth\n    consul-ui:\n      rule: \"Host(`consul.othrayte.one`)\"\n      service: consul-ui\n      middlewares:\n        - auth\n    unraid:\n      rule: \"Host(`unraid.othrayte.one`)\"\n      service: unraid\n      middlewares:\n        - auth\n\n  services:\n    nomad-ui:\n      loadBalancer:\n        servers:\n          - url: \"http://127.0.0.1:4646\"\n    consul-ui:\n      loadBalancer:\n        servers:\n          - url: \"http://127.0.0.1:8500\"\n    unraid:\n      loadBalancer:\n        servers:\n          - url: \"http://192.168.1.192:80\"\nEOF\n\n        destination = \"local/configs/nomad.yml\"\n      }\n\n      resources {\n        cpu    = 100\n        memory = 128\n      }\n    }\n  }\n}\n",
             "json": null,
-            "modify_index": "10880",
+            "modify_index": "17991",
             "name": "traefik",
             "namespace": "default",
             "policy_override": null,
@@ -258,9 +343,9 @@
             "detach": true,
             "hcl2": [],
             "id": "volume-test",
-            "jobspec": "job \"volume-test\" {\n  group \"web\" {\n    network {\n      port \"www\" {\n        to = 80\n      }\n    }\n\n    volume \"unraid_transfer_use\" {\n      type            = \"csi\"\n      source          = \"unraid_transfer_id5\"\n      access_mode     = \"single-node-writer\"\n      attachment_mode = \"file-system\"\n      read_only       = true\n\n      mount_options {\n        fs_type     = \"ext4\"\n        mount_flags = [\"noatime\"]\n      }\n    }\n\n    service {\n      name = \"volume-test\"\n      port = \"www\"\n    \n      tags = [\n        \"traefik.enable=true\",\n      ]\n\n      check {\n        name     = \"alive\"\n        type     = \"tcp\"\n        port     = \"www\"\n        interval = \"10s\"\n        timeout  = \"2s\"\n      }\n    }\n\n    task \"webserver\" {\n      driver = \"docker\"\n\n      config {\n        image = \"nginx:latest\"\n\n        ports = [\"www\"]\n        # volumes = [\n        #   \"local:/usr/share/nginx/html:ro\"\n        # ]\n      }\n\n      volume_mount {\n        volume      = \"unraid_transfer_use\"\n\t      destination = \"/usr/share/nginx/html/transfer\"\n        read_only   = true\n      }\n\n      # template {\n      #   data        = \"\u003ch1\u003eVolume Test 1\u003c/h1\u003e\"\n      #   destination = \"local/index.html\"\n      # }\n\n      resources {\n        cpu    = 500\n        memory = 256\n      }\n    }\n\n    # volume \"local\" {\n    #   type      = \"csi\"\n    #   source    = \"unraid_transfer\"\n    #   read_only = true\n    #   access_mode     = \"single-node-writer\"\n    #   attachment_mode = \"file-system\"\n    # }\n  }\n}",
+            "jobspec": "job \"volume-test\" {\n  group \"web\" {\n    network {\n      port \"www\" {\n        to = 80\n      }\n    }\n\n    volume \"unraid_transfer_use\" {\n      type            = \"csi\"\n      source          = \"unraid_transfer_id5\"\n      access_mode     = \"single-node-writer\"\n      attachment_mode = \"file-system\"\n      read_only       = true\n\n      mount_options {\n        fs_type     = \"ext4\"\n        mount_flags = [\"noatime\"]\n      }\n    }\n\n    service {\n      name = \"volume-test\"\n      port = \"www\"\n    \n      tags = [\n        \"traefik.enable=true\",\n        \"traefik.http.routers.volume-test.middlewares=auth@file\",\n      ]\n\n      check {\n        name     = \"alive\"\n        type     = \"tcp\"\n        port     = \"www\"\n        interval = \"10s\"\n        timeout  = \"2s\"\n      }\n    }\n\n    task \"webserver\" {\n      driver = \"docker\"\n\n      config {\n        image = \"nginx:latest\"\n\n        ports = [\"www\"]\n        # volumes = [\n        #   \"local:/usr/share/nginx/html:ro\"\n        # ]\n      }\n\n      volume_mount {\n        volume      = \"unraid_transfer_use\"\n\t      destination = \"/usr/share/nginx/html/transfer\"\n        read_only   = true\n      }\n\n      # template {\n      #   data        = \"\u003ch1\u003eVolume Test 1\u003c/h1\u003e\"\n      #   destination = \"local/index.html\"\n      # }\n\n      resources {\n        cpu    = 500\n        memory = 256\n      }\n    }\n\n    # volume \"local\" {\n    #   type      = \"csi\"\n    #   source    = \"unraid_transfer\"\n    #   read_only = true\n    #   access_mode     = \"single-node-writer\"\n    #   attachment_mode = \"file-system\"\n    # }\n  }\n}",
             "json": null,
-            "modify_index": "12190",
+            "modify_index": "17705",
             "name": "volume-test",
             "namespace": "default",
             "policy_override": null,
@@ -268,7 +353,7 @@
             "read_allocation_ids": false,
             "region": "global",
             "rerun_if_dead": false,
-            "status": "pending",
+            "status": "running",
             "task_groups": [
               {
                 "count": 1,
@@ -326,9 +411,9 @@
             "detach": true,
             "hcl2": [],
             "id": "demo-webapp",
-            "jobspec": "job \"demo-webapp\" {\n  group \"demo\" {\n    count = 3\n\n    network {\n      port \"http\"{\n        to = -1\n      }\n    }\n\n    service {\n      name = \"demo-webapp\"\n      port = \"http\"\n\n      tags = [\n        \"traefik.enable=true\",\n      ]\n\n      check {\n        type     = \"http\"\n        path     = \"/\"\n        interval = \"2s\"\n        timeout  = \"2s\"\n      }\n    }\n\n    task \"server\" {\n      env {\n        PORT    = \"${NOMAD_PORT_http}\"\n        NODE_IP = \"${NOMAD_IP_http}\"\n      }\n\n      driver = \"docker\"\n\n      config {\n        image = \"hashicorp/demo-webapp-lb-guide\"\n        ports = [\"http\"]\n      }\n    }\n  }\n}",
+            "jobspec": "job \"demo-webapp\" {\n  group \"demo\" {\n    count = 3\n\n    network {\n      port \"http\"{\n        to = -1\n      }\n    }\n\n    service {\n      name = \"demo-webapp\"\n      port = \"http\"\n\n      tags = [\n        \"traefik.enable=true\",\n        \"traefik.http.routers.demo-webapp.middlewares=auth@file\",\n      ]\n\n      check {\n        type     = \"http\"\n        path     = \"/\"\n        interval = \"2s\"\n        timeout  = \"2s\"\n      }\n    }\n\n    task \"server\" {\n      env {\n        PORT    = \"${NOMAD_PORT_http}\"\n        NODE_IP = \"${NOMAD_IP_http}\"\n      }\n\n      driver = \"docker\"\n\n      config {\n        image = \"hashicorp/demo-webapp-lb-guide\"\n        ports = [\"http\"]\n      }\n    }\n  }\n}",
             "json": null,
-            "modify_index": "8567",
+            "modify_index": "17707",
             "name": "demo-webapp",
             "namespace": "default",
             "policy_override": null,
@@ -418,7 +503,10 @@
               }
             ]
           ],
-          "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ=="
+          "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==",
+          "dependencies": [
+            "data.nomad_plugin.smb"
+          ]
         }
       ]
     }
diff --git a/2-nomad-config/traefik.nomad.hcl b/2-nomad-config/traefik.nomad.hcl
index 045fb04..8ef3bb1 100644
--- a/2-nomad-config/traefik.nomad.hcl
+++ b/2-nomad-config/traefik.nomad.hcl
@@ -21,6 +21,7 @@ job "traefik" {
         "traefik.enable=true",
         "traefik.http.routers.traefik.rule=Host(`traefik.othrayte.one`)",
         "traefik.http.routers.traefik.service=traefik",
+        "traefik.http.routers.traefik.middlewares=auth@file",
         "traefik.http.services.traefik.loadbalancer.server.port=8081",
       ]
 
@@ -71,8 +72,6 @@ entryPoints:
   websecure:
     address: ":443"
     http:
-      middlewares:
-        - auth@file
       tls:
         certResolver: letsencrypt
   traefik:
@@ -111,20 +110,33 @@ EOF
 http:
   middlewares:
     auth:
-      basicAuth:
-        users:
-          - "othrayte:$apr1$7PqVUfNm$Go/SNo6y331KYDnQdOLIt/"
- 
+      forwardAuth:
+        address: "http://192.168.1.235:9091/api/authz/forward-auth"
+        trustForwardHeader: true
   routers:
+    fallback:
+      rule: "HostRegexp(`^.+$`)"
+      entryPoints:
+        - websecure
+      middlewares:
+        - auth
+      service: noop@internal  # This router just applies middleware
+      priority: 1
     nomad-ui:
       rule: "Host(`nomad.othrayte.one`)"
       service: nomad-ui
+      middlewares:
+        - auth
     consul-ui:
       rule: "Host(`consul.othrayte.one`)"
       service: consul-ui
+      middlewares:
+        - auth
     unraid:
       rule: "Host(`unraid.othrayte.one`)"
       service: unraid
+      middlewares:
+        - auth
 
   services:
     nomad-ui:
diff --git a/2-nomad-config/volume-test.nomad.hcl b/2-nomad-config/volume-test.nomad.hcl
index 1793dc7..92d7957 100644
--- a/2-nomad-config/volume-test.nomad.hcl
+++ b/2-nomad-config/volume-test.nomad.hcl
@@ -25,6 +25,7 @@ job "volume-test" {
     
       tags = [
         "traefik.enable=true",
+        "traefik.http.routers.volume-test.middlewares=auth@file",
       ]
 
       check {
diff --git a/2-nomad-config/webapp.nomad.hcl b/2-nomad-config/webapp.nomad.hcl
index 16d0ab9..2a23e1f 100644
--- a/2-nomad-config/webapp.nomad.hcl
+++ b/2-nomad-config/webapp.nomad.hcl
@@ -14,6 +14,7 @@ job "demo-webapp" {
 
       tags = [
         "traefik.enable=true",
+        "traefik.http.routers.demo-webapp.middlewares=auth@file",
       ]
 
       check {