@shoenig
Created February 23, 2023 21:12
hack demo feb 2023
# Pebble: Let's Encrypt's small ACME test server. It issues throwaway
# certificates so the "traefik" job can exercise the full ACME flow without
# talking to a public CA.
job "pebble" {
  type = "service"

  group "pebble" {
    network {
      # Host networking: both static ports are bound directly on the host.
      mode = "host"

      # ACME directory endpoint (https://localhost:6666/dir).
      port "acme" {
        static = 6666
      }

      # Pebble management API; the rendered config binds it to loopback only.
      port "mgmt" {
        static = 1500
      }
    }

    service {
      provider = "nomad"
      name     = "pebble"
      port     = "acme"
    }

    task "pebble" {
      driver = "raw_exec"
      # raw_exec has no isolation; run the binary as an unprivileged user.
      user = "nobody"

      # Pinned release binary. Nothing verifies the download before it is
      # made executable below; outside a demo, add an artifact
      #   options { checksum = "sha256:<PEBBLE_LINUX_AMD64_SHA256>" }
      artifact {
        source      = "https://github.com/letsencrypt/pebble/releases/download/v2.3.1/pebble_linux-amd64"
        mode        = "file"
        destination = "local/pebble"
      }

      # Pebble's published test TLS pair for "localhost". These are public,
      # test-only credentials fetched from the unpinned main branch, so they
      # can change underneath us. The "traefik" job trusts the minica root
      # from the same branch, so both jobs must keep pointing at the same ref.
      artifact {
        source      = "https://raw.githubusercontent.com/letsencrypt/pebble/main/test/certs/localhost/cert.pem"
        mode        = "file"
        destination = "secrets/pebble-cert.pem"
      }

      artifact {
        source      = "https://raw.githubusercontent.com/letsencrypt/pebble/main/test/certs/localhost/key.pem"
        mode        = "file"
        destination = "secrets/pebble-key.pem"
      }

      # Pebble configuration, rendered with the ports Nomad allocated above.
      #  - listenAddress 0.0.0.0 exposes the ACME endpoint on every host
      #    interface (host networking); only the management API is loopback.
      #  - httpPort/tlsPort are what Pebble dials on a validated hostname;
      #    80 lines up with the http entrypoint in the "traefik" job.
      #  - An empty domainBlocklist and no required external account binding
      #    mean any client may register and request any name (demo settings).
      template {
        destination = "local/config.json"
        # Indented heredoc: the common leading whitespace is stripped.
        data        = <<-EOH
          {
            "pebble": {
              "listenAddress": "0.0.0.0:{{env "NOMAD_PORT_acme"}}",
              "managementListenAddress": "127.0.0.1:{{env "NOMAD_PORT_mgmt"}}",
              "certificate": "secrets/pebble-cert.pem",
              "privateKey": "secrets/pebble-key.pem",
              "httpPort": 80,
              "tlsPort": 443,
              "ocspResponderURL": "",
              "externalAccountBindingRequired": false,
              "domainBlocklist": [],
              "retryAfter": {
                "authz": 3,
                "order": 5
              }
            }
          }
        EOH
      }

      config {
        # The artifact is not executable after download, so mark it before exec.
        command = "bash"
        args    = ["-c", "chmod +x local/pebble && local/pebble -config local/config.json"]
      }

      resources {
        cpu    = 100
        memory = 128
      }
    }
  }
}
# A trivial HTTP backend that Traefik fronts at https://py1.localhost,
# used to show an ACME-issued certificate end to end.
job "py" {
  group "group" {
    network {
      # Bridge networking: only the mapped port below is reachable from the
      # host, even though the server binds 0.0.0.0 inside the namespace.
      mode = "bridge"

      port "http" {
        to = 9000
      }
    }

    service {
      provider = "nomad"
      name     = "py1"
      port     = "http"

      # Read by Traefik's nomad provider: route Host(`py1.localhost`) on the
      # "py" entrypoint and obtain its certificate from the "le" resolver.
      tags = [
        "traefik.enable=true",
        "traefik.http.routers.http.rule=Host(`py1.localhost`)",
        "traefik.http.routers.http.tls.certresolver=le",
        "traefik.http.routers.http.entrypoints=py",
      ]

      check {
        type     = "http"
        path     = "/"
        interval = "5s"
        timeout  = "1s"
      }
    }

    task "python" {
      # raw_exec with no `user`: runs as the Nomad client's own user.
      driver = "raw_exec"

      config {
        # Serves only the task's local/ directory (the rendered index.html).
        command = "python3"
        args    = ["-m", "http.server", "9000", "--bind", "0.0.0.0", "--directory", "local/"]
      }

      template {
        destination = "local/index.html"
        data        = <<-EOH
          <html><body>hi</body></html>
        EOH
      }

      resources {
        cpu    = 100
        memory = 128
      }
    }
  }
}
# Traefik, discovering routes from Nomad services and obtaining certificates
# from the local Pebble ACME server.
job "traefik" {
  group "group" {
    # No `mode` is set, so this group uses the default (host) networking.
    # Note that the :80 and :443 entrypoints configured below are bound on
    # the host too but are not declared here, so Nomad does not reserve them.
    network {
      port "http" {
        static = 8080
      }

      port "admin" {
        static = 9999
      }
    }

    service {
      provider = "nomad"
      name     = "traefik"
      port     = "admin"

      check {
        type     = "tcp"
        interval = "10s"
        timeout  = "1s"
      }
    }

    task "traefik" {
      # raw_exec with no `user`: runs as the Nomad client's own user, which
      # is what lets it bind :80 and :443.
      driver = "raw_exec"

      # Inject the task's workload identity into the environment so the
      # nomad provider can authenticate to the local agent without a
      # hand-placed token.
      identity {
        env = true
      }

      # Pebble's public test root (unpinned main branch; must match the leaf
      # cert the "pebble" job serves).
      artifact {
        source      = "https://raw.githubusercontent.com/letsencrypt/pebble/main/test/certs/pebble.minica.pem"
        mode        = "file"
        destination = "secrets/pebble.minica.pem"
      }

      # Lego (Traefik's ACME client) settings: trust only the Pebble test
      # root for the ACME server's TLS, and expect that name on its cert.
      # Demo-only; never ship a build that trusts a test CA.
      env {
        LEGO_CA_SERVER_NAME  = "pebble"
        LEGO_CA_CERTIFICATES = "${NOMAD_SECRETS_DIR}/pebble.minica.pem"
      }

      config {
        # our dev build of traefik (go install)
        command = "/opt/bin/traefik"
        args = [
          # DEBUG logging is verbose and may include request details.
          "--log.level=DEBUG",
          # api.insecure exposes the dashboard/API with no authentication on
          # the "traefik" entrypoint (static host port 9999). Demo only.
          "--api.dashboard=true",
          "--api.insecure=true",
          "--entrypoints.web.address=:${NOMAD_PORT_http}",
          "--entrypoints.traefik.address=:${NOMAD_PORT_admin}",

          # nomad provider; endpoint/token/TLS left at their defaults here
          "--providers.nomad=true",
          # --providers.nomad.endpoint.address=http://localhost:4646
          # --providers.nomad.endpoint.token=abc123
          # --providers.nomad.endpoint.tls.cert=/path/to/cert
          # --providers.nomad.endpoint.tls.key=/path/to/key
          # --providers.nomad.endpoint.ca=/path/to/key

          # our service (TLS entrypoint that the "py" job routes on)
          "--entrypoints.py=true",
          "--entrypoints.py.address=:443",

          # http -> https redirect; :80 is also where Pebble's HTTP-01
          # challenge requests arrive
          "--entrypoints.http=true",
          "--entrypoints.http.address=:80",
          "--entrypoints.http.http.redirections.entrypoint.to=py",
          "--entrypoints.http.http.redirections.entrypoint.scheme=https",

          # tls — left off: this would disable verification of upstream
          # backends and is not needed for the flow above
          # "--serversTransport.insecureSkipVerify=true", # needed?

          # acme: resolver "le" against the local Pebble directory, using
          # HTTP-01 over the http entrypoint; state kept in the nomad
          # storage backend of this dev build
          "--certificatesresolvers.le.acme.email=test@example.com",
          "--certificatesresolvers.le.acme.caserver=https://localhost:6666/dir",
          "--certificatesresolvers.le.acme.httpchallenge.entrypoint=http",
          "--certificatesresolvers.le.acme.httpchallenge=true",
          "--certificatesresolvers.le.acme.storage=nomad://",
          # "--certificatesresolvers.le.acme.storage=nomad://traefik/acme",
          # "--certificatesresolvers.le.acme.storage=local/acme.json",
        ]
      }

      resources {
        cpu    = 100
        memory = 128
      }
    }
  }
}