infra/2-nomad-config/traefik.nomad.hcl

job "traefik" {
  group "traefik" {
    network {
      port "http" {
        static = 80
      }

      port "https" {
        static = 443
      }

      port "api" {
        static = 8081
      }
    }

    service {
      name = "traefik"
      port = "api"

      tags = [
        "traefik.enable=true",
        "traefik.http.routers.traefik.rule=Host(`traefik.othrayte.one`)",
        "traefik.http.routers.traefik.service=traefik",
        "traefik.http.routers.traefik.middlewares=auth@file",
        "traefik.http.services.traefik.loadbalancer.server.port=8081",
      ]

      check {
        name     = "alive"
        type     = "tcp"
        port     = "api"
        interval = "10s"
        timeout  = "2s"
      }
    }

    volume "traefik" {
      type      = "host"
      read_only = false
      source    = "traefik"
    }

    task "traefik" {
      driver = "docker"

      config {
        image        = "traefik:v3.3"
        network_mode = "host"

        volumes = [
          "local/traefik.yml:/etc/traefik/traefik.yml",
          "local/configs/:/etc/traefik/configs/"
        ]
      }

      volume_mount {
        volume      = "traefik"
        destination = "/opt/traefik"
        read_only   = false
      }

      template {
        data = <<EOF
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
  traefik:
    address: ":8081"

api:
  dashboard: true
  insecure: true

providers:
  file:
    directory: "/etc/traefik/configs/"

  consulCatalog:
    prefix: "traefik"
    exposedByDefault: false
    defaultRule: {{"Host(`{{ .Name }}.othrayte.one`)"}}
    endpoint:
      address: "127.0.0.1:8500"
      scheme: "http"

certificatesResolvers:
  letsencrypt:
    acme:
      email: "othrayte@gmail.com"
      storage: "/opt/traefik/acme.json"
      httpChallenge:
        entryPoint: web
EOF

        destination = "local/traefik.yml"
      }

      template {
        data = <<EOF
http:
  middlewares:
    auth:
      forwardAuth:
        address: "http://192.168.1.235:9091/api/authz/forward-auth"
        trustForwardHeader: true
  routers:
    fallback:
      rule: "HostRegexp(`^.+$`)"
      entryPoints:
        - websecure
      middlewares:
        - auth
      service: noop@internal  # This router just applies middleware
      priority: 1
    nomad-ui:
      rule: "Host(`nomad.othrayte.one`)"
      service: nomad-ui
      middlewares:
        - auth
    consul-ui:
      rule: "Host(`consul.othrayte.one`)"
      service: consul-ui
      middlewares: 
        - auth
    unraid:
      rule: "Host(`unraid.othrayte.one`)"
      service: unraid
      middlewares:
        - auth
    frigate:
      rule: "Host(`frigate.othrayte.one`)"
      service: frigate
      middlewares:
        - auth

  services:
    nomad-ui:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:4646"
    consul-ui:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8500"
    unraid:
      loadBalancer:
        servers:
          - url: "http://192.168.1.192:80"
    frigate:
      loadBalancer:
        servers:
          - url: "http://192.168.1.192:5000"
EOF

        destination = "local/configs/nomad.yml"
      }

      resources {
        cpu    = 100
        memory = 128
      }
    }
  }
}