Add traefik service.

services/traefik.hcl

@@ -0,0 +1,120 @@
+job "traefik" {
+  datacenters = ["alo"]
+
+  group "lbs" {
+    network {
+      port "http" {
+        static = "80"
+      }
+      port "https" {
+        static = "443"
+      }
+      port "admin" {
+        #host_network = "tailscale"
+        static = "9002"
+      }
+    }
+
+    volume "config-volume" {
+      type = "csi"
+      source = "config-volume"
+      access_mode = "single-node-writer"
+      attachment_mode = "file-system"
+    }
+
+    task "traefik" {
+      driver = "docker"
+      service {
+        name = "traefik-secure"
+        port = "https"
+
+        check {
+          type     = "tcp"
+          interval = "10s"
+          timeout  = "2s"
+        }
+      }
+      service {
+        name = "traefik"
+        port = "admin"
+        tags = [
+          "metrics"
+        ]
+      }
+
+      volume_mount {
+        volume = "config-volume"
+        destination = "/config"
+      }
+
+      config {
+        image = "traefik:latest"
+        ports = ["http", "https", "admin"]
+        network_mode = "host"
+        volumes = [
+          "local/traefik.yml:/etc/traefik/traefik.yml",
+        ]
+      }
+
+      template {
+data = <<EOH
+#log:
+#  level: debug
+
+entryPoints:
+  web:
+    address: ":{{{ env "NOMAD_PORT_http" }}}"
+    http:
+      redirections:
+        entrypoint:
+          to: websecure
+          scheme: https
+          permanent: true
+
+  traefik:
+    address: ":{{{ env "NOMAD_PORT_admin" }}}"
+
+  websecure:
+    address: ":{{{ env "NOMAD_PORT_https" }}}"
+
+api:
+  dashboard: true
+  insecure: true
+
+serversTransport:
+  insecureSkipVerify: true
+
+providers:
+  file:
+    directory: /config/traefik/rules
+    watch: true
+
+  consulcatalog:
+    exposedByDefault: false
+    prefix: "traefik"
+    defaultRule: "Host(`{{ .Name }}.v.paler.net`)"
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: petru@paler.net
+      storage: /config/traefik/acme/acme.json
+      tlsChallenge: {}
+
+global:
+  checkNewVersion: false
+  sendAnonymousUsage: false
+EOH
+        destination = "local/traefik.yml"
+        change_mode = "noop"
+        left_delimiter = "{{{"
+        right_delimiter = "}}}"
+      }
+
+      resources {
+        cpu = 100
+        memory = 512
+      }
+    }
+  }
+}

storage/config-volume.hcl

@@ -0,0 +1,26 @@
+id        = "config-volume"
+name      = "config-volume"
+type      = "csi"
+plugin_id = "seaweedfs"
+
+capacity_min = "1GiB"
+capacity_max = "2GiB"
+
+capability {
+  access_mode     = "multi-node-single-writer"
+  attachment_mode = "file-system"
+}
+
+# Optional: for 'nomad volume create', specify mount options to validate for
+# 'attachment_mode = "file-system". Registering an existing volume will record
+# but ignore these fields.
+mount_options {
+  mount_flags = ["rw"]
+}
+
+parameters {
+  # Available options: https://github.com/seaweedfs/seaweedfs-csi-driver/blob/master/pkg/driver/mounter_seaweedfs.go
+  collection = "config"
+  replication = "001"
+  path = "/config"
+}