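# Traefik v2 edge proxy for the git-4ta.live hostnames, pinned to node "hcp1",
# with certificates issued through Cloudflare's DNS-01 ACME challenge.
#
# The Cloudflare API tokens are read from Nomad Variables at
# nomad/jobs/traefik-cloudflare-v2 (keys CLOUDFLARE_DNS_API_TOKEN and
# CLOUDFLARE_ZONE_API_TOKEN) instead of being written into this file. An
# earlier revision carried the token values inline in the env block, so they
# exist in version-control history: treat them as exposed, rotate them in the
# Cloudflare dashboard, and store the new values with
#   nomad var put nomad/jobs/traefik-cloudflare-v2 \
#     CLOUDFLARE_DNS_API_TOKEN=<new-token> CLOUDFLARE_ZONE_API_TOKEN=<new-token>
# The nomadVar template function needs Nomad 1.4+; the job's workload identity
# grants it read access to its own nomad/jobs/<job_id> path by default.
job "traefik-cloudflare-v2" {
  datacenters = ["dc1"]
  type        = "service"

  group "traefik" {
    count = 1

    # Traefik must run on hcp1: the static host ports below and the
    # traefik-certs host volume are specific to that node.
    constraint {
      attribute = "${node.unique.name}"
      operator  = "="
      value     = "hcp1"
    }

    # Persistent store for acme.json (ACME account key and issued certificates).
    volume "traefik-certs" {
      type      = "host"
      read_only = false
      source    = "traefik-certs"
    }

    # Host networking: Traefik binds 80/443/8080 directly on the node.
    network {
      mode = "host"
      port "http" {
        static = 80
      }
      port "https" {
        static = 443
      }
      # Traefik's own entrypoint; see the api.insecure note on the static
      # configuration template below.
      port "traefik" {
        static = 8080
      }
    }

    task "traefik" {
      driver = "exec"

      config {
        command = "/usr/local/bin/traefik"
        # Static configuration is rendered by the first template into the
        # task's local/ directory, which the exec driver exposes as /local.
        args = [
          "--configfile=/local/traefik.yml",
        ]
      }

      # Non-secret ACME account identity. The API tokens are NOT set here;
      # they are injected by the cloudflare.env template further down.
      env {
        CLOUDFLARE_EMAIL = "houzhongxu.houzhongxu@gmail.com"
      }

      volume_mount {
        volume      = "traefik-certs"
        destination = "/opt/traefik/certs"
        read_only   = false
      }

      # Static configuration (traefik.yml).
      #
      # The consulCatalog defaultRule must reach Traefik as the literal text
      # `Host(`{{ .Name }}.git-4ta.live`)`. Nomad renders this block as a Go
      # template first, so a bare {{ .Name }} would be consumed by Nomad's
      # renderer (it has no .Name in scope) rather than passed through;
      # {{ "{{ .Name }}" }} emits the braces verbatim.
      #
      # NOTE(review): api.insecure=true serves the API and dashboard without
      # authentication on the "traefik" entrypoint (0.0.0.0:8080). The
      # traefik-dashboard router in the dynamic configuration already reaches
      # dashboard@internal over websecure, which per the Traefik docs does not
      # require insecure mode; confirm nothing depends on port 8080 directly
      # and then set insecure: false. api.debug and log.level DEBUG are also
      # very verbose for a long-running service; drop them once stable.
      template {
        data = <<-EOF
          api:
            dashboard: true
            insecure: true
            debug: true
          entryPoints:
            web:
              address: "0.0.0.0:80"
              http:
                redirections:
                  entrypoint:
                    to: websecure
                    scheme: https
                    permanent: true
            websecure:
              address: "0.0.0.0:443"
            traefik:
              address: "0.0.0.0:8080"
          providers:
            consulCatalog:
              endpoint:
                address: "warden.tailnet-68f9.ts.net:8500"
                scheme: "http"
              watch: true
              exposedByDefault: false
              prefix: "traefik"
              defaultRule: "Host(`{{ "{{ .Name }}" }}.git-4ta.live`)"
            file:
              filename: /local/dynamic.yml
              watch: true
          certificatesResolvers:
            cloudflare:
              acme:
                email: {{ env "CLOUDFLARE_EMAIL" }}
                storage: /opt/traefik/certs/acme.json
                dnsChallenge:
                  provider: cloudflare
                  delayBeforeCheck: 30s
                  resolvers:
                    - "1.1.1.1:53"
                    - "1.0.0.1:53"
          log:
            level: DEBUG
        EOF
        destination = "local/traefik.yml"
      }

      # Dynamic configuration (dynamic.yml), picked up by the file provider.
      #
      # NOTE(review): the waypoint-insecure and authentik-insecure transports
      # disable TLS verification toward those backends. The targets are tailnet
      # hosts, which limits the exposure, but pinning the backend CA via
      # serversTransports.<name>.rootCAs would keep verification on.
      # NOTE(review): the traefik-dashboard router attaches no authentication
      # middleware; if traefik.git-4ta.live is reachable beyond the tailnet,
      # add one (e.g. basicAuth or forwardAuth) in front of dashboard@internal.
      # The waypoint-auth middleware is defined but no router in this file
      # references it.
      template {
        data = <<-EOF
          http:
            serversTransports:
              waypoint-insecure:
                insecureSkipVerify: true
              authentik-insecure:
                insecureSkipVerify: true
            middlewares:
              consul-stripprefix:
                stripPrefix:
                  prefixes:
                    - "/consul"
              waypoint-auth:
                replacePathRegex:
                  regex: "^/auth/token(.*)$"
                  replacement: "/auth/token$1"
            services:
              consul-cluster:
                loadBalancer:
                  servers:
                    - url: "http://ch4.tailnet-68f9.ts.net:8500" # 韩国Leader
                    - url: "http://warden.tailnet-68f9.ts.net:8500" # 北京Follower
                    - url: "http://ash3c.tailnet-68f9.ts.net:8500" # 美国Follower
                  healthCheck:
                    path: "/v1/status/leader"
                    interval: "30s"
                    timeout: "15s"
              nomad-cluster:
                loadBalancer:
                  servers:
                    - url: "http://ch2.tailnet-68f9.ts.net:4646" # 韩国Leader
                    - url: "http://warden.tailnet-68f9.ts.net:4646" # 北京Follower
                    - url: "http://ash3c.tailnet-68f9.ts.net:4646" # 美国Follower
                  healthCheck:
                    path: "/v1/status/leader"
                    interval: "30s"
                    timeout: "15s"
              waypoint-cluster:
                loadBalancer:
                  servers:
                    - url: "https://hcp1.tailnet-68f9.ts.net:9701" # hcp1 节点 HTTPS API
                  serversTransport: waypoint-insecure
              vault-cluster:
                loadBalancer:
                  servers:
                    - url: "http://warden.tailnet-68f9.ts.net:8200" # 北京,单节点
                  healthCheck:
                    path: "/ui/"
                    interval: "30s"
                    timeout: "15s"
              authentik-cluster:
                loadBalancer:
                  servers:
                    - url: "https://authentik.tailnet-68f9.ts.net:9443" # Authentik容器HTTPS端口
                  serversTransport: authentik-insecure
                  healthCheck:
                    path: "/flows/-/default/authentication/"
                    interval: "30s"
                    timeout: "15s"
            routers:
              consul-api:
                rule: "Host(`consul.git-4ta.live`)"
                service: consul-cluster
                middlewares:
                  - consul-stripprefix
                entryPoints:
                  - websecure
                tls:
                  certResolver: cloudflare
              traefik-dashboard:
                rule: "Host(`traefik.git-4ta.live`)"
                service: dashboard@internal
                middlewares:
                  - dashboard_redirect@internal
                  - dashboard_stripprefix@internal
                entryPoints:
                  - websecure
                tls:
                  certResolver: cloudflare
              nomad-ui:
                rule: "Host(`nomad.git-4ta.live`)"
                service: nomad-cluster
                entryPoints:
                  - websecure
                tls:
                  certResolver: cloudflare
              waypoint-ui:
                rule: "Host(`waypoint.git-4ta.live`)"
                service: waypoint-cluster
                entryPoints:
                  - websecure
                tls:
                  certResolver: cloudflare
              vault-ui:
                rule: "Host(`vault.git-4ta.live`)"
                service: vault-cluster
                entryPoints:
                  - websecure
                tls:
                  certResolver: cloudflare
              authentik-ui:
                rule: "Host(`authentik.git-4ta.live`)"
                service: authentik-cluster
                entryPoints:
                  - websecure
                tls:
                  certResolver: cloudflare
        EOF
        destination = "local/dynamic.yml"
      }

      # Cloudflare credentials for the lego DNS provider, injected into the
      # task environment (env = true) from Nomad Variables so that no token
      # value lives in this file. Create the variable before running the job;
      # if it is missing the template does not render usable credentials and
      # the task will not come up cleanly — check `nomad alloc status` and the
      # template events in that case (exact failure mode depends on the Nomad
      # version; TODO confirm).
      template {
        data = <<-EOF
          CLOUDFLARE_EMAIL={{ env "CLOUDFLARE_EMAIL" }}
          {{ with nomadVar "nomad/jobs/traefik-cloudflare-v2" -}}
          CLOUDFLARE_DNS_API_TOKEN={{ .CLOUDFLARE_DNS_API_TOKEN }}
          CLOUDFLARE_ZONE_API_TOKEN={{ .CLOUDFLARE_ZONE_API_TOKEN }}
          {{- end }}
        EOF
        destination = "local/cloudflare.env"
        env         = true
      }

      # Test certificate used to verify file-permission handling on the certs
      # volume; the content is a placeholder, not a real certificate.
      # perms is documented by Nomad as a string ("644" by default), so it is
      # quoted here.
      template {
        data        = "-----BEGIN CERTIFICATE-----\nTEST CERTIFICATE FOR PERMISSION CONTROL\n-----END CERTIFICATE-----"
        destination = "/opt/traefik/certs/test-cert.pem"
        perms       = "600"
      }

      resources {
        cpu    = 500
        memory = 512
      }
    }
  }
}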