From 7f3161b2bb3181c42d51765db3c15a11387ba3fd Mon Sep 17 00:00:00 2001 From: Adrian Cowan Date: Sat, 4 Oct 2025 14:36:58 +1000 Subject: [PATCH] Add magic token domain for hass to allow app access --- 2-nomad-config/secrets.enc.json | 7 +++++-- 2-nomad-config/traefik.nomad.hcl | 21 +++++++++++++++++++++ 2-nomad-config/traefik.tf | 4 +++- 3 files changed, 29 insertions(+), 3 deletions(-) diff --git a/2-nomad-config/secrets.enc.json b/2-nomad-config/secrets.enc.json index 69a7882..ed35079 100644 --- a/2-nomad-config/secrets.enc.json +++ b/2-nomad-config/secrets.enc.json @@ -23,6 +23,9 @@ "jwt_secret": "ENC[AES256_GCM,data:/dPDqJdn4Af3Wo005V7lU9b8RbN/wyF0Tx66827cdyaZfi4QPOSj23wNqw==,iv:yJW2PiAGGr97q0DoBr64X88eFNpuVPZX0SPyNDp5QjQ=,tag:p27XTUbMC0WDMTNJCscmGQ==,type:str]", "database_pw": "ENC[AES256_GCM,data:EzGPKdsX3Ib2zWrz09kUdegIxGNwg1j4msbOKUmvCGy6R9/EG1nvOC9Z5Oo=,iv:msek112FxmVAwFume6b7RnSICL/sw5CK3XzgCq9Sp1s=,tag:UcxUi2hySv54liN+Ddodpw==,type:str]" }, + "hass": { + "magic-token": "ENC[AES256_GCM,data:3mKbPFgvtX+hWYEZ0q4jBjnR8KM+E/1DqmkVzoV6ROY=,iv:9L748apqK1TcsW0Y0HvU9QHVD/eSh56c/uN/K4KNct4=,tag:ZmXiaPz7MEvaQ0yu3byiKQ==,type:str]" + }, "sops": { "age": [ { 
@@ -30,8 +33,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-09-06T12:15:59Z", - "mac": "ENC[AES256_GCM,data:kiyEudOTWXnF485QoODePBGNACuS6bY7KVZZe9oSPe2jnyyNn4oI3ukxsgZDEN48k4sESvSLN+yCCKx4I14oRYHMFRhLSN4YLivQOEp0XcR3w7wx3ONmNdiyMG+UgEquaCX4/lWDFUVfWkoWQeq8y+ap5LY1ocqZ9zJ+yCilCA4=,iv:qyQJi7Uf+JGDiPt0C6Ww4A7Fa6NGL0aD3B/CfB4pEG0=,tag:ci+amgE24/uiEPIT0aoc+A==,type:str]", + "lastmodified": "2025-10-04T04:09:12Z", + "mac": "ENC[AES256_GCM,data:+NnopVex61fOpxTSMhkrBQXB2Zq1Vj4a5kNrdFI2o947NCMkRxtTyYYP+7xEsk97P0z7eUCRE0xG5vMU0u+w+i+wgV5OtlSlJMoLJaXA2Rtxvd+THmzk9CEWHpxRzyZFGB5r124LANiMXb+YWEH2HYEqmk0Y0TiOGAqnN2Z0kzo=,iv:Xf49WoI27nJf3RdIaDqRdxITpizXFT3Uht/MWxjJInE=,tag:o/WS1Nk0Q9o/fB881saaOw==,type:str]", "encrypted_regex": "^(.*)$", "version": "3.10.2" } diff --git a/2-nomad-config/traefik.nomad.hcl b/2-nomad-config/traefik.nomad.hcl index b174067..b6e6669 100644 --- a/2-nomad-config/traefik.nomad.hcl +++ b/2-nomad-config/traefik.nomad.hcl @@ -114,6 +114,15 @@ http: forwardAuth: address: "http://192.168.1.235:9091/api/authz/forward-auth" trustForwardHeader: true + auth-allow-token: + chain: + middlewares: + - auth + - strip-magic-token + strip-magic-token: + stripPrefix: + prefixes: + - "/magic-token/{token:[A-Z0-9]+}" routers: fallback: rule: "HostRegexp(`^.+$`)" @@ -143,6 +152,14 @@ http: service: frigate middlewares: - auth + hass: + rule: "Host(`hass.othrayte.one`)" + service: hass + middlewares: + - auth + hass-token: + rule: "Host(`${hass_magic_token}-hass.othrayte.one`)" + service: hass services: nomad-ui: 
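Review bot: The `hass-token` router in the traefik.nomad.hcl hunk fronts Home Assistant with no `auth` middleware, so the secret embedded in the hostname is the only thing between the internet and HA's own login, and a hostname is a poor carrier for a bearer secret: it goes out in plaintext in DNS lookups and the TLS SNI, lands in browser history, Referer headers and every access log on the path, and if anything other than the wildcard certificate is ever issued for that name it is published in Certificate Transparency logs. That trade-off should at least be recorded next to the router, e.g. `# unauthenticated bypass for the HA companion app; the token leaks via DNS/SNI and logs, rotate it if it is ever shared`, and the TLS config (not in this hunk) should be checked to confirm the name is covered only by the wildcard cert. Separately, the new `auth-allow-token` chain and `strip-magic-token` middleware are not attached to any router in this diff and would not function as a bypass even if they were: the chain runs `auth` first, and as far as I recall `stripPrefix` matches its prefixes literally, so `/magic-token/{token:[A-Z0-9]+}` would need `stripPrefixRegex` with `regex: - "^/magic-token/[A-Z0-9]+"` instead. Either finish that path-based variant or drop the dead middleware config; note both hunks sit inside the `template` heredoc whose start and end lie outside this diff.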
@@ -161,6 +178,10 @@ http: loadBalancer: servers: - url: "http://192.168.1.192:5000" + hass: + loadBalancer: + servers: + - url: "http://192.168.1.234:8123" EOF destination = "local/configs/nomad.yml" diff --git a/2-nomad-config/traefik.tf b/2-nomad-config/traefik.tf index 009c75d..6282975 100644 --- a/2-nomad-config/traefik.tf +++ b/2-nomad-config/traefik.tf @@ -19,5 +19,7 @@ resource "cloudflare_dns_record" "star-othrayte-one" { } resource "nomad_job" "traefik" { - jobspec = file("traefik.nomad.hcl") + jobspec = templatefile("traefik.nomad.hcl", { + hass_magic_token = nonsensitive(data.sops_file.secrets.data["hass.magic-token"]) + }) }
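Review bot: `nonsensitive()` in the traefik.tf hunk strips Terraform's redaction from the magic token, so the rendered jobspec, token included, is printed in full in plan/apply output and any CI log that captures it; the jobspec is also persisted verbatim in Terraform state and in Nomad, where it is presumably readable by anyone holding `read-job` on the namespace, and it is written to disk in the allocation as `local/configs/nomad.yml`. Removing `nonsensitive()` keeps the value redacted in plan output (Terraform propagates sensitivity through `templatefile`), and rendering the token from a Nomad variable inside the `template` block would keep it out of state entirely. A `# token is secret material: it is part of the jobspec, so treat TF state and Nomad job reads as sensitive` comment on the `templatefile` call would at least flag the exposure for the next maintainer. Switching from `file()` to `templatefile()` also means any other `${` or `%{` in traefik.nomad.hcl is now interpolated by Terraform and must be escaped as `$${`/`%%{`; none appear in this diff, but the rest of that file is not visible here.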