alo-cluster/services/traefik.hcl


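# Nomad job: a Traefik edge proxy on static host ports, plus a keepalived
# sidecar that holds the virtual IP configured in its env block.
job "traefik" {
  datacenters = ["alo"]

  group "lbs" {
    network {
      port "http" {
        static = "80"
      }
      port "https" {
        static = "443"
      }
      # host_network selects which host address Nomad allocates and advertises
      # for this port. It does not restrict what the process binds: the task
      # runs with network_mode = "host" and the admin entry point in the
      # template listens on ":<port>", so Traefik opens 9002 on every
      # interface. If metrics and /ping must be reachable over tailscale only,
      # bind the entry point to NOMAD_ADDR_admin or firewall the port.
      port "admin" {
        host_network = "tailscale"
        static       = "9002"
      }
    }

    # CSI volume mounted at /config in the traefik task. The template points
    # the file provider at /config/traefik/rules and the ACME store at
    # /config/traefik/acme/acme.json. acme.json holds the ACME account key and
    # the private keys of issued certificates, so access to this volume is
    # access to key material; anything that can write the rules directory can
    # change routing (watch: true picks changes up live).
    volume "config-volume" {
      type            = "csi"
      source          = "config-volume"
      access_mode     = "single-node-writer"
      attachment_mode = "file-system"
    }

    task "traefik" {
      driver = "docker"

      service {
        name = "traefik"
        port = "https"
        # These tags create router "api" on the websecure entry point (the
        # same listener as port 443) for the built-in dashboard/API
        # (api@internal). No middleware is attached here, so unless something
        # outside this file restricts it, the dashboard is served to any
        # client that can reach 443 with this Host header. Consider an auth or
        # IP allow-list middleware, e.g. a tag of the form
        # traefik.http.routers.api.middlewares=<middleware-name>@file
        # (placeholder name), or move the router to the admin entry point.
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.api.entryPoints=websecure",
          "traefik.http.routers.api.rule=Host(`traefik.v.paler.net`)",
          "traefik.http.routers.api.service=api@internal",
        ]
        # Health check hits /ping, which the template serves on the admin
        # entry point rather than on the public listeners.
        check {
          type     = "http"
          port     = "admin"
          path     = "/ping"
          interval = "10s"
          timeout  = "2s"
        }
      }

      # Registers the admin port as its own service. The "metrics" tag
      # presumably lets a Prometheus scraper discover it; confirm against the
      # scrape configuration, which is not part of this file.
      service {
        name = "traefik-admin"
        port = "admin"
        tags = [
          "metrics"
        ]
      }

      volume_mount {
        volume      = "config-volume"
        destination = "/config"
      }

      config {
        # ":latest" is a moving tag: a restart or reschedule can pull a build
        # nobody reviewed, and there is no record of which version served
        # traffic at a given time. Pin a reviewed release, ideally by digest
        # (placeholder form: traefik:<version>@sha256:<digest>).
        image        = "traefik:latest"
        ports        = ["http", "https", "admin"]
        network_mode = "host"
        volumes = [
          "local/traefik.yml:/etc/traefik/traefik.yml",
        ]
      }

      # Renders Traefik's static configuration into the task directory.
      #
      # - The delimiters are switched to {{{ }}} so that the {{ .Name }} in
      #   consulcatalog.defaultRule reaches Traefik untouched instead of being
      #   evaluated by Nomad's template engine.
      # - change_mode = "noop": a re-render neither restarts nor signals the
      #   task, so an edit to this template takes effect only on the next
      #   restart.
      # - serversTransport.insecureSkipVerify: true turns off certificate
      #   verification for every HTTPS backend, so the proxy cannot tell a
      #   genuine backend from an impostor on the path. Prefer trusting the
      #   internal CA via serversTransport.rootCAs, or scope the exception to
      #   the individual services that need it.
      # - exposedByDefault: false means a Consul service is routed only when
      #   it carries traefik.enable=true.
      # - tlsChallenge (TLS-ALPN-01) needs the ACME server to reach port 443.
      # - The YAML below must keep its nesting: the heredoc is <<EOH, so its
      #   leading whitespace is written to the file verbatim.
      template {
        data = <<EOH
#log:
# level: debug
entryPoints:
  web:
    address: ":{{{ env "NOMAD_PORT_http" }}}"
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":{{{ env "NOMAD_PORT_https" }}}"
    http:
      tls:
        certResolver: letsencrypt
  admin:
    address: ":{{{ env "NOMAD_PORT_admin" }}}"
api:
  dashboard: true
accessLog: {}
metrics:
  prometheus:
    entryPoint: admin
    manualrouting: true
ping:
  entryPoint: admin
serversTransport:
  insecureSkipVerify: true
providers:
  file:
    directory: /config/traefik/rules
    watch: true
  consulcatalog:
    exposedByDefault: false
    prefix: "traefik"
    defaultRule: "Host(`{{ .Name }}.v.paler.net`)"
certificatesResolvers:
  letsencrypt:
    acme:
      email: petru@paler.net
      storage: /config/traefik/acme/acme.json
      tlsChallenge: {}
global:
  checkNewVersion: false
  sendAnonymousUsage: false
EOH
        destination     = "local/traefik.yml"
        change_mode     = "noop"
        left_delimiter  = "{{{"
        right_delimiter = "}}}"
      }

      resources {
        cpu    = 100
        memory = 512
      }
    }

    # Sidecar that manages the virtual IP on the host's interface.
    task "keepalived" {
      driver = "docker"

      # Read by the image's entrypoint; their exact semantics are defined by
      # that image and are not visible in this file.
      env {
        KEEPALIVED_INTERFACE      = "eno1"
        KEEPALIVED_VIRTUAL_IPS    = "192.168.1.100/24"
        KEEPALIVED_UNICAST_PEERS  = ""
        KEEPALIVED_STATE          = "MASTER"
        KEEPALIVED_VIRTUAL_ROUTES = ""
      }

      config {
        # No tag is given, so this resolves to the moving "latest" tag of a
        # third-party image that then runs privileged on the host network.
        # Pin a reviewed version or digest here as well.
        image        = "visibilityspots/keepalived"
        network_mode = "host"
        # privileged = true already grants every capability plus device
        # access, which makes the cap_add list below redundant. For least
        # privilege, test whether the task works with privileged removed and
        # only these three capabilities; that also requires the Nomad client's
        # docker plugin to allow them.
        privileged = true
        cap_add    = ["NET_ADMIN", "NET_BROADCAST", "NET_RAW"]
      }
    }
  }
}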