Sort parts of the nomad intra into folders

This should make finding things easier
2025-10-22 22:02:25 +11:00
parent 8869bd1cb2
commit 92f60a7572
15 changed files with 176 additions and 25 deletions
--- a/2-nomad-config/2-ingress/traefik.nomad.hcl
+++ b/2-nomad-config/2-ingress/traefik.nomad.hcl
@@ -0,0 +1,248 @@
+job "traefik" {
+  group "traefik" {
+    count = 2
+
+    network {
+      mode = "bridge"
+      port "http" {
+        static = 80
+      }
+
+      port "https" {
+        static = 443
+      }
+
+      port "api" {
+        static = 8081
+      }
+    }
+    service {
+      connect {
+        sidecar_service {
+          proxy {
+            upstreams {
+              destination_name = "auth"
+              local_bind_port  = 9091
+            }
+          }
+        }
+      }
+    }
+
+    service {
+      name = "traefik"
+      port = "api"
+
+      check {
+        name     = "alive"
+        type     = "tcp"
+        port     = "api"
+        interval = "10s"
+        timeout  = "2s"
+      }
+    }
+
+    task "traefik" {
+      driver = "docker"
+
+      config {
+        image = "traefik:v3.3"
+        ports = ["http", "https", "api"]
+
+        volumes = [
+          "local/traefik.yml:/etc/traefik/traefik.yml",
+          "local/configs/:/etc/traefik/configs/"
+        ]
+      }
+
+      volume_mount {
+        volume      = "unraid_appdata_traefik"
+        destination = "/opt/traefik"
+        read_only   = false
+      }
+
+      template {
+        data = <<EOF
+log:
+  level: INFO
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certResolver: letsencrypt
+  traefik:
+    address: ":8081"
+
+api:
+  dashboard: true
+  insecure: true
+
+providers:
+  file:
+    directory: "/etc/traefik/configs/"
+
+  consulCatalog:
+    prefix: "traefik"
+    exposedByDefault: false
+    defaultRule: {{"Host(`{{ .Name }}.othrayte.one`)"}}
+    endpoint:
+      address: "{{ env "NOMAD_HOST_IP_http" }}:8500"
+      scheme: "http"
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: "othrayte@gmail.com"
+      storage: "/opt/traefik/acme.json"
+      httpChallenge:
+        entryPoint: web
+EOF
+
+        destination = "local/traefik.yml"
+      }
+
+      template {
+        data = <<EOF
+http:
+  middlewares:
+    auth:
+      forwardAuth:
+        address: "http://localhost:9091/api/authz/forward-auth"
+        trustForwardHeader: true
+    auth-allow-token:
+      chain:
+        middlewares:
+          - auth
+    inject-kopia-basic-auth:
+      headers:
+        customRequestHeaders:
+          Authorization: "Basic {{ with nomadVar "nomad/jobs/traefik" }}{{ .kopia_basic_auth }}{{ end }}"
+  routers:
+    fallback:
+      rule: "HostRegexp(`^.+$`)"
+      entryPoints:
+        - websecure
+      middlewares:
+        - auth
+      service: noop@internal  # This router just applies middleware
+      priority: 1
+    traefik:
+      rule: "Host(`traefik.othrayte.one`)"
+      service: traefik
+      middlewares:
+        - auth
+    nomad-ui:
+      rule: "Host(`nomad.othrayte.one`)"
+      service: nomad-ui
+      middlewares:
+        - auth
+    consul-ui:
+      rule: "Host(`consul.othrayte.one`)"
+      service: consul-ui
+      middlewares: 
+        - auth
+    unraid:
+      rule: "Host(`unraid.othrayte.one`)"
+      service: unraid
+      middlewares:
+        - auth
+    frigate:
+      rule: "Host(`frigate.othrayte.one`)"
+      service: frigate
+      middlewares:
+        - auth
+    kopia:
+      rule: "Host(`kopia.othrayte.one`)"
+      service: kopia
+      middlewares:
+        - auth
+        - inject-kopia-basic-auth
+    hass:
+      rule: "Host(`hass.othrayte.one`)"
+      service: hass
+      middlewares:
+        - auth
+    hass-token:
+      rule: "Host(`${hass_magic_token}-hass.othrayte.one`)"
+      service: hass
+
+  services:
+    traefik:
+      loadBalancer:
+        servers:
+          - url: "http://localhost:8081"
+    nomad-ui:
+      loadBalancer:
+        servers:
+          - url: "http://{{ env "NOMAD_HOST_IP_http" }}:4646"
+    consul-ui:
+      loadBalancer:
+        servers:
+          - url: "http://{{ env "NOMAD_HOST_IP_http" }}:8500"
+    unraid:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.192:80"
+    frigate:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.192:5000"
+    kopia:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.192:51515"
+    hass:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.234:8123"
+EOF
+
+        destination = "local/configs/nomad.yml"
+      }
+
+      resources {
+        cpu    = 100
+        memory = 128
+      }
+    }
+
+    volume "unraid_appdata_traefik" {
+      type            = "csi"
+      read_only       = false
+      source          = "unraid_appdata_traefik"
+      access_mode     = "multi-node-multi-writer"
+      attachment_mode = "file-system"
+
+      mount_options {
+        mount_flags = ["file_mode=0600", "uid=1000", "gid=1000"]
+      }
+    }
+
+    task "cloudflared" {
+      driver = "docker"
+
+      config {
+        image = "cloudflare/cloudflared:latest"
+        args = [
+          "tunnel", "--no-autoupdate", "run"
+        ]
+      }
+
+      template {
+        data        = <<EOH
+TUNNEL_TOKEN="{{ with nomadVar "nomad/jobs/traefik" }}{{ .cf_tunnel_token }}{{ end }}"
+EOH
+        destination = "secrets/tunnel.env"
+        env         = true # Load the file as environment variables
+      }
+    }
+  }
+}