homelab-nomad/core/lego.nomad

variable "lego_version" {
  default = "4.14.2"
  type = string
}

variable "nomad_var_dirsync_version" {
  default = "0.0.2"
  type = string
}

job "lego" {

  type = "batch"

  periodic {
    cron = "@weekly"
    prohibit_overlap = true
  }

  group "main" {

    network {
      dns {
        servers = ["1.1.1.1", "1.0.0.1"]
      }
    }

    task "main" {
      driver = "exec"

      config {
        # image = "alpine:3"
        command = "/bin/bash"
        args = ["${NOMAD_TASK_DIR}/start.sh"]
      }

      artifact {
        source = "https://github.com/go-acme/lego/releases/download/v${var.lego_version}/lego_v${var.lego_version}_linux_${attr.cpu.arch}.tar.gz"
      }

      artifact {
        source = "https://git.iamthefij.com/iamthefij/nomad-var-dirsync/releases/download/v${var.nomad_var_dirsync_version}/nomad-var-dirsync-linux-${attr.cpu.arch}.tar.gz"
      }

      template {
        data = <<EOH
#! /bin/sh
set -ex

cd ${NOMAD_TASK_DIR}

echo "Read certs from nomad vars"
${NOMAD_TASK_DIR}/nomad-var-dirsync-linux-{{ env "attr.cpu.arch" }} -root-var=secrets/certs read .

action=run
if [ -f /.lego/certificates/_.thefij.rocks.crt ]; then
    action=renew
fi

echo "Attempt to $action certificates"
${NOMAD_TASK_DIR}/lego \
    --accept-tos --pem \
    --email=iamthefij@gmail.com \
    --domains="*.thefij.rocks" \
    --dns="cloudflare" \
    $action \
    --$action-hook="${NOMAD_TASK_DIR}/nomad-var-dirsync-linux-{{ env "attr.cpu.arch" }} -root-var=secrets/certs write .lego" \
EOH
        destination = "${NOMAD_TASK_DIR}/start.sh"
      }

      template {
        data = <<EOH
{{ with nomadVar "nomad/jobs/lego" -}}
CF_DNS_API_TOKEN={{ .domain_lego_dns }}
CF_ZONE_API_TOKEN={{ .domain_lego_dns }}
{{- end }}
        EOH
        destination = "secrets/cloudflare.env"
        env = true
      }

      env = {
        NOMAD_ADDR = "unix:///secrets/api.sock"
      }

      identity {
        env = true
      }

      resources {
        cpu = 50
        memory = 100
      }
    }
  }
}