alo-cluster/services/traefik.hcl

job "traefik" {
  datacenters = ["alo"]

  group "lbs" {
    network {
      port "http" {
        static = "80"
      }
      port "https" {
        static = "443"
      }
      port "ssh" {
        static = "2222"
      }
      port "admin" {
        #host_network = "tailscale"
        static = "9002"
      }
    }

    task "traefik" {
      driver = "docker"

      service {
        name = "traefik"
        port = "https"

        tags = [
          "traefik.enable=true",
          "traefik.http.routers.api.entryPoints=websecure",
          "traefik.http.routers.api.middlewares=authentik@file",
          "traefik.http.routers.api.rule=Host(`traefik.v.paler.net`)",
          "traefik.http.routers.api.service=api@internal",
        ]

        check {
          type = "http"
          port = "admin"
          path = "/ping"
          interval = "10s"
          timeout  = "2s"
        }
      }

      service {
        name = "traefik-admin"
        port = "admin"
        tags = [
          "metrics"
        ]
      }

      config {
        image = "traefik:latest"
        ports = ["http", "https", "admin"]
        network_mode = "host"
        volumes = [
          "local/traefik.yml:/etc/traefik/traefik.yml",
          "/data/compute/config/traefik:/config",
        ]
      }

      template {
data = <<EOH
global:
  checkNewVersion: false
  sendAnonymousUsage: false

#log:
#  level: debug

api:
  dashboard: true

accessLog: {}

metrics:
  prometheus:
    entryPoint: admin
#    manualrouting: true

ping:
  entryPoint: admin

serversTransport:
  insecureSkipVerify: true

providers:
  file:
    directory: /config/rules
    watch: true

  consulcatalog:
    exposedByDefault: false
    prefix: "traefik"
    defaultRule: "Host(`{{ .Name }}.v.paler.net`)"

certificatesResolvers:
  letsencrypt:
    acme:
      email: petru@paler.net
      storage: /config/acme/acme.json
      tlsChallenge: {}

entryPoints:
  web:
    address: ":{{{ env "NOMAD_PORT_http" }}}"
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https
          permanent: true

  websecure:
    address: ":{{{ env "NOMAD_PORT_https" }}}"
    http:
      tls:
        certResolver: letsencrypt

  admin:
    address: ":{{{ env "NOMAD_PORT_admin" }}}"

  ssh:
    address: ":{{{ env "NOMAD_PORT_ssh" }}}"
EOH
        destination = "local/traefik.yml"
        change_mode = "noop"
        left_delimiter = "{{{"
        right_delimiter = "}}}"
      }

      resources {
        cpu = 100
        memory = 512
      }
    }

    task "keepalived" {
      driver = "docker"
      env {
        KEEPALIVED_INTERFACE = "eno1"
        KEEPALIVED_VIRTUAL_IPS = "192.168.1.100/24"
        KEEPALIVED_ROUTER_ID = "52" # defaults to 51
        KEEPALIVED_UNICAST_PEERS = ""
        KEEPALIVED_STATE       = "MASTER"
        KEEPALIVED_VIRTUAL_ROUTES = ""
      }
      config {
        # 2.2.8 wasn't starting, reason unknown
        image        = "visibilityspots/keepalived:2.2.7"
        network_mode = "host"
        privileged   = true
        cap_add      = ["NET_ADMIN", "NET_BROADCAST", "NET_RAW"]
      }
    }
  }
}