job "traefik" {
  datacenters = ["dc1"]
  type = "service"
  priority = 100

  constraint {
    attribute = "${node.class}"
    value = "ingress"
  }

  constraint {
    distinct_hosts = true
  }

  update {
    max_parallel = 1
    canary = 1
    auto_promote = false
    auto_revert = true
    min_healthy_time = "30s"
    healthy_deadline = "5m"
  }

  group "traefik" {
    count = 2

    network  {
      port "web" {
        static = 80
      }

      port "websecure" {
        static = 443
      }

      port "syslog" {
        static = 514
      }

      port "gitssh" {
        static = 2222
      }

      port "metrics" {}

      dns {
        servers = [
          "192.168.2.101",
          "192.168.2.102",
          "192.168.2.30",
        ]
      }
    }

    ephemeral_disk {
      migrate = true
      sticky = true
    }

    task "traefik" {
      driver = "docker"

      service {
        name = "traefik"
        provider = "nomad"
        port = "web"

        check {
          type = "http"
          path = "/ping"
          interval = "10s"
          timeout = "2s"
        }

        tags = [
          "traefik.enable=true",
          "traefik.http.routers.traefik.entryPoints=websecure",
          "traefik.http.routers.traefik.service=api@internal",
        ]
      }

      service {
        name = "traefik-metrics"
        provider = "nomad"
        port = "metrics"

        tags = [
          "prometheus.scrape",
        ]
      }

      config {
        image = "traefik:3.0"

        ports = ["web", "websecure", "syslog", "gitssh", "metrics"]
        network_mode = "host"

        mount {
          type = "bind"
          target = "/etc/traefik"
          source = "local/config"
        }

        mount {
          type = "bind"
          target = "/etc/traefik/usersfile"
          source = "secrets/usersfile"
        }

        mount {
          type = "bind"
          target = "/etc/traefik/certs"
          source = "secrets/certs"
        }
      }

      env = {
        TRAEFIK_PROVIDERS_NOMAD_ENDPOINT_TOKEN = "${NOMAD_TOKEN}"
      }

      identity {
        env = true
      }

      template {
        # Avoid conflict with TOML lists [[ ]] and Go templates {{ }}
        left_delimiter = "<<"
        right_delimiter = ">>"
        data = <<EOH
[log]
  level = "DEBUG"

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http]
      [entryPoints.web.http.redirections]
        [entryPoints.web.http.redirections.entrypoint]
          to = "websecure"
          scheme = "https"

  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.http.tls]

  [entryPoints.metrics]
    address = ":<< env "NOMAD_PORT_metrics" >>"

  [entryPoints.syslogtcp]
    address = ":514"

  [entryPoints.syslogudp]
    address = ":514/udp"

  [entryPoints.gitssh]
    address = ":2222"

[api]
  dashboard = true

[ping]
  entrypoint = "web"

[metrics]
  [metrics.prometheus]
    entrypoint = "metrics"
    # manualRouting = true

[providers.file]
  directory = "/etc/traefik/conf"
  watch = true

[providers.nomad]
  exposedByDefault = false
  defaultRule = "Host(`{{normalize .Name}}.<< with nomadVar "nomad/jobs" >><< .base_hostname >><< end >>`)"
  [providers.nomad.endpoint]
  address = "unix:///secrets/api.sock"
        EOH
        destination = "${NOMAD_TASK_DIR}/config/traefik.toml"
      }

      template {
        data = <<EOH
[http]
  [http.routers]
    [http.routers.nomad]
      entryPoints = ["websecure"]
      service = "nomad"
      rule = "Host(`nomad.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}`)"

    {{ with nomadVar "nomad/jobs/traefik" }}{{ with .external }}{{ with .Value | parseYAML -}}
    {{ range $service, $url := . }}
    [http.routers.{{ $service }}]
      entryPoints = ["websecure"]
      service = "{{ $service }}"
      rule = "Host(`{{ $service }}.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}`)"
    {{ end }}
    {{- end }}{{ end }}{{ end }}

  [http.services]
    [http.services.nomad]
      [http.services.nomad.loadBalancer]
        [[http.services.nomad.loadBalancer.servers]]
          url = "http://127.0.0.1:4646"

    {{ with nomadVar "nomad/jobs/traefik" }}{{ with .external }}{{ with .Value | parseYAML -}}
    {{ range $service, $url := . }}
    [http.services.{{ $service }}]
      [http.services.{{ $service }}.loadBalancer]
        [[http.services.{{ $service }}.loadBalancer.servers]]
          url = "{{ $url }}"
    {{ end }}
    {{- end }}{{ end }}{{ end }}
        EOH
        destination = "${NOMAD_TASK_DIR}/config/conf/route-hashi.toml"
        change_mode = "noop"
        splay = "1m"

        wait {
          min = "10s"
          max = "20s"
        }
      }

      template {
        data = <<EOH
{{ with nomadService "syslogng" -}}
[tcp.routers]
  [tcp.routers.syslogtcp]
    entryPoints = ["syslogtcp"]
    service = "syslogngtcp"
    rule = "HostSNI(`*`)"

[tcp.services]
  [tcp.services.syslogngtcp]
    [tcp.services.syslogngtcp.loadBalancer]
      {{ range . -}}
      [[tcp.services.syslogngtcp.loadBalancer.servers]]
        address = "{{ .Address }}:{{ .Port }}"
      {{ end -}}
{{- end }}

{{ with nomadService "syslogng" -}}
[udp.routers]
  [udp.routers.syslogudp]
    entryPoints = ["syslogudp"]
    service = "syslogngudp"

[udp.services]
  [udp.services.syslogngudp]
    [udp.services.syslogngudp.loadBalancer]
      {{ range . -}}
      [[udp.services.syslogngudp.loadBalancer.servers]]
        address = "{{ .Address }}:{{ .Port }}"
      {{ end -}}
{{- end }}
        EOH
        destination = "${NOMAD_TASK_DIR}/config/conf/route-syslog-ng.toml"
        change_mode = "noop"
        splay = "1m"

        wait {
          min = "10s"
          max = "20s"
        }
      }

      template {
        data = <<EOF
{{- with nomadVar "secrets/certs/_lego/certificates/__thefij_rocks_crt" }}{{ .contents }}{{ end -}}"
EOF
        destination = "${NOMAD_SECRETS_DIR}/certs/_.thefij.rocks.crt"
        change_mode = "noop"
      }

      template {
        data = <<EOF
{{- with nomadVar "secrets/certs/_lego/certificates/__thefij_rocks_key" }}{{ .contents }}{{ end -}}"
EOF
        destination = "${NOMAD_SECRETS_DIR}/certs/_.thefij.rocks.key"
        change_mode = "noop"
      }

      template {
        data = <<EOH
[[tls.certificates]]
  certFile = "/etc/traefik/certs/_.thefij.rocks.crt"
  keyFile = "/etc/traefik/certs/_.thefij.rocks.key"
        EOH
        destination = "${NOMAD_TASK_DIR}/config/conf/dynamic-tls.toml"
        change_mode = "noop"
      }

      template {
        data = <<EOH
[http.middlewares]
{{ with nomadVar "nomad/jobs/traefik" }}
{{ if .usersfile }}
  [http.middlewares.basic-auth.basicAuth]
    usersFile = "/etc/traefik/usersfile"
{{- end }}
{{- end }}
        EOH
        destination = "${NOMAD_TASK_DIR}/config/conf/middlewares.toml"
        change_mode = "noop"
      }

      template {
        data = <<EOH
{{ with nomadVar "nomad/jobs/traefik" -}}
{{ .usersfile }}
{{- end }}
        EOH
        destination = "${NOMAD_SECRETS_DIR}/usersfile"
        change_mode = "noop"
      }

      resources {
        cpu = 100
        memory = 150
      }
    }
  }
}