Add magic token domain for hass to allow app access

2-nomad-config/secrets.enc.json

@@ -23,6 +23,9 @@
 		"jwt_secret": "ENC[AES256_GCM,data:/dPDqJdn4Af3Wo005V7lU9b8RbN/wyF0Tx66827cdyaZfi4QPOSj23wNqw==,iv:yJW2PiAGGr97q0DoBr64X88eFNpuVPZX0SPyNDp5QjQ=,tag:p27XTUbMC0WDMTNJCscmGQ==,type:str]",
 		"database_pw": "ENC[AES256_GCM,data:EzGPKdsX3Ib2zWrz09kUdegIxGNwg1j4msbOKUmvCGy6R9/EG1nvOC9Z5Oo=,iv:msek112FxmVAwFume6b7RnSICL/sw5CK3XzgCq9Sp1s=,tag:UcxUi2hySv54liN+Ddodpw==,type:str]"
 	},
+	"hass": {
+		"magic-token": "ENC[AES256_GCM,data:3mKbPFgvtX+hWYEZ0q4jBjnR8KM+E/1DqmkVzoV6ROY=,iv:9L748apqK1TcsW0Y0HvU9QHVD/eSh56c/uN/K4KNct4=,tag:ZmXiaPz7MEvaQ0yu3byiKQ==,type:str]"
+	},
 	"sops": {
 		"age": [
 			{
@@ -30,8 +33,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-09-06T12:15:59Z",
-		"mac": "ENC[AES256_GCM,data:kiyEudOTWXnF485QoODePBGNACuS6bY7KVZZe9oSPe2jnyyNn4oI3ukxsgZDEN48k4sESvSLN+yCCKx4I14oRYHMFRhLSN4YLivQOEp0XcR3w7wx3ONmNdiyMG+UgEquaCX4/lWDFUVfWkoWQeq8y+ap5LY1ocqZ9zJ+yCilCA4=,iv:qyQJi7Uf+JGDiPt0C6Ww4A7Fa6NGL0aD3B/CfB4pEG0=,tag:ci+amgE24/uiEPIT0aoc+A==,type:str]",
+		"lastmodified": "2025-10-04T04:09:12Z",
+		"mac": "ENC[AES256_GCM,data:+NnopVex61fOpxTSMhkrBQXB2Zq1Vj4a5kNrdFI2o947NCMkRxtTyYYP+7xEsk97P0z7eUCRE0xG5vMU0u+w+i+wgV5OtlSlJMoLJaXA2Rtxvd+THmzk9CEWHpxRzyZFGB5r124LANiMXb+YWEH2HYEqmk0Y0TiOGAqnN2Z0kzo=,iv:Xf49WoI27nJf3RdIaDqRdxITpizXFT3Uht/MWxjJInE=,tag:o/WS1Nk0Q9o/fB881saaOw==,type:str]",
 		"encrypted_regex": "^(.*)$",
 		"version": "3.10.2"
 	}

2-nomad-config/traefik.nomad.hcl

@@ -114,6 +114,15 @@ http:
       forwardAuth:
         address: "http://192.168.1.235:9091/api/authz/forward-auth"
         trustForwardHeader: true
+    auth-allow-token:
+      chain:
+        middlewares:
+          - auth
+          - strip-magic-token
+    strip-magic-token:
+      stripPrefix:
+        prefixes:
+          - "/magic-token/{token:[A-Z0-9]+}"
   routers:
     fallback:
       rule: "HostRegexp(`^.+$`)"
@@ -143,6 +152,14 @@ http:
       service: frigate
       middlewares:
         - auth
+    hass:
+      rule: "Host(`hass.othrayte.one`)"
+      service: hass
+      middlewares:
+        - auth
+    hass-token:
+      rule: "Host(`${hass_magic_token}-hass.othrayte.one`)"
+      service: hass
 
   services:
     nomad-ui:
@@ -161,6 +178,10 @@ http:
       loadBalancer:
         servers:
           - url: "http://192.168.1.192:5000"
+    hass:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.234:8123"
 EOF
 
         destination = "local/configs/nomad.yml"

2-nomad-config/traefik.tf

@@ -19,5 +19,7 @@ resource "cloudflare_dns_record" "star-othrayte-one" {
 }
 
 resource "nomad_job" "traefik" {
-  jobspec = file("traefik.nomad.hcl")
+  jobspec = templatefile("traefik.nomad.hcl", {
+    hass_magic_token = nonsensitive(data.sops_file.secrets.data["hass.magic-token"])
+  })
 }