Get letsencrypt certs working with Traefik

nomad/traefik/traefik.nomad

@@ -54,10 +54,8 @@ job "traefik" {
 
       tags = [
         "traefik.enable=true",
-        "traefik.http.routers.traefik_dashboard.entryPoints=websecure",
+        "traefik.http.routers.traefik.entryPoints=websecure",
-        "traefik.http.routers.traefik_dashboard.rule=Host(`traefik.${var.base_hostname}`)",
+        "traefik.http.routers.traefik.service=api@internal",
-        "traefik.http.routers.traefik_dashboard.service=api@internal",
-        "traefik.http.routers.traefik_dashboard.tls=true",
       ]
     }
 
@@ -107,7 +105,9 @@ job "traefik" {
   [entryPoints.websecure]
     address = ":443"
     [entryPoints.websecure.http.tls]
-      # certResolver = "letsEncrypt"
+    << if keyExists "traefik/acme/email" ->>
+      certResolver = "letsEncrypt"
+    << end ->>
 
   [entryPoints.metrics]
     address = ":8989"
@@ -131,13 +131,34 @@ job "traefik" {
   connectAware = true
   connectByDefault = true
   exposedByDefault = false
-  defaultRule = "Host(`{{normalize .Name}}.${var.base_hostname}`)"
+  defaultRule = "Host(`{{normalize .Name}}.<< keyOrDefault "global/base_hostname" "${var.base_hostname}" >>`)"
   [providers.consulCatalog.endpoint]
     address = "http://<< env "CONSUL_HTTP_ADDR" >>"
+
+<< if keyExists "traefik/acme/email" ->>
+[certificatesResolvers.letsEncrypt.acme]
+  email = "<< key "traefik/acme/email" >>"
+  storage = "acme.json"
+  [certificatesResolvers.letsEncrypt.acme.dnsChallenge]
+    provider = "cloudflare"
+    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
+    delayBeforeCheck = 0
+<< end ->>
         EOH
         destination = "local/config/traefik.toml"
       }
 
+      template {
+        data = <<EOH
+{{ with secret "kv/data/cloudflare" }}
+CF_DNS_API_TOKEN={{ .Data.data.api_token_dns_edit }}
+CF_ZONE_API_TOKEN={{ .Data.data.api_token_zone_read }}
+{{ end }}
+        EOH
+        destination = "secrets/cloudflare.env"
+        env = true
+      }
+
       template {
         data = <<EOH
 [http]