homelab-nomad/services/service/main.tf

resource "nomad_job" "service" {
  jobspec = templatefile("${path.module}/service_template.nomad", {
    name               = var.name
    count              = var.instance_count
    priority           = var.priority
    image              = var.image
    image_pull_timeout = var.image_pull_timeout
    args               = var.args
    env                = var.env
    task_meta          = var.task_meta
    task_identity      = var.task_identity
    group_meta         = var.group_meta
    job_meta           = var.job_meta
    constraints        = var.constraints
    docker_devices     = var.docker_devices

    service_port        = var.service_port
    service_port_static = var.service_port_static
    service_check       = var.service_check
    ports               = var.ports
    sticky_disk         = var.sticky_disk
    resources           = var.resources
    stunnel_resources   = var.stunnel_resources
    service_tags        = var.service_tags
    custom_services     = var.custom_services
    use_wesher          = var.use_wesher

    ingress             = var.ingress
    ingress_rule        = var.ingress_rule
    ingress_middlewares = var.ingress_middlewares
    prometheus          = var.prometheus

    templates    = var.templates
    host_volumes = var.host_volumes

    use_mysql    = var.use_mysql || var.mysql_bootstrap != null
    use_postgres = var.use_postgres || var.postgres_bootstrap != null
    use_redis    = var.use_redis
    use_ldap     = var.use_ldap

    mysql_bootstrap    = var.mysql_bootstrap
    postgres_bootstrap = var.postgres_bootstrap
  })

  detach = var.detach
}

resource "nomad_acl_policy" "secrets_mysql" {
  count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0

  name        = "${var.name}-secrets-mysql"
  description = "Give access to MySQL secrets"
  rules_hcl   = <<EOH
namespace "default" {
  variables {
    path "secrets/mysql" {
      capabilities = ["read"]
    }
  }
}
EOH

  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = "mysql-bootstrap"
  }
}

resource "random_password" "mysql_psk" {
  count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0

  length           = 32
  override_special = "!@#%&*-_="
}

resource "nomad_variable" "mysql_psk" {
  count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0

  path = "secrets/mysql/allowed_psks/${var.name}"
  items = {
    psk = "${var.name}:${resource.random_password.mysql_psk[0].result}"
  }
}

resource "nomad_acl_policy" "mysql_psk" {
  count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0

  name        = "${var.name}-secrets-mysql-psk"
  description = "Give access to MySQL PSK secrets"
  rules_hcl   = <<EOH
namespace "default" {
  variables {
    path "secrets/mysql/allowed_psks/${var.name}" {
      capabilities = ["read"]
    }
  }
}
EOH

  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = "stunnel"
  }
}

resource "nomad_acl_policy" "secrets_postgres" {
  count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0

  name        = "${var.name}-secrets-postgres"
  description = "Give access to Postgres secrets"
  rules_hcl   = <<EOH
namespace "default" {
  variables {
    path "secrets/postgres" {
      capabilities = ["read"]
    }
  }
}
EOH

  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = "postgres-bootstrap"
  }
}

resource "random_password" "postgres_psk" {
  count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0

  length           = 32
  override_special = "!@#%&*-_="
}

resource "nomad_variable" "postgres_psk" {
  count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0

  path = "secrets/postgres/allowed_psks/${var.name}"
  items = {
    psk = "${var.name}:${resource.random_password.postgres_psk[0].result}"
  }
}

resource "nomad_acl_policy" "postgres_psk" {
  count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0

  name        = "${var.name}-secrets-postgres-psk"
  description = "Give access to Postgres PSK secrets"
  rules_hcl   = <<EOH
namespace "default" {
  variables {
    path "secrets/postgres/allowed_psks/${var.name}" {
      capabilities = ["read"]
    }
  }
}
EOH

  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = "stunnel"
  }
}

resource "random_password" "ldap_psk" {
  count = var.use_ldap ? 1 : 0

  length           = 32
  override_special = "!@#%&*-_="
}

resource "nomad_variable" "ldap_psk" {
  count = var.use_ldap ? 1 : 0

  path = "secrets/ldap/allowed_psks/${var.name}"
  items = {
    psk = "${var.name}:${resource.random_password.ldap_psk[0].result}"
  }
}

resource "nomad_acl_policy" "ldap_psk" {
  count = var.use_ldap ? 1 : 0

  name        = "${var.name}-secrets-ldap-psk"
  description = "Give access to ldap PSK secrets"
  rules_hcl   = <<EOH
namespace "default" {
  variables {
    path "secrets/ldap/allowed_psks/${var.name}" {
      capabilities = ["read"]
    }
  }
}
EOH

  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = "stunnel"
  }
}

resource "nomad_acl_policy" "secrets_smtp" {
  count = var.use_smtp ? 1 : 0

  name        = "${var.name}-secrets-smtp"
  description = "Give access to SMTP secrets"
  rules_hcl   = <<EOH
namespace "default" {
  variables {
    path "secrets/smtp" {
      capabilities = ["read"]
    }
  }
}
EOH

  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = var.name
  }
}