nomad.tf
# ACL policy referenced by the Traefik token declared in this file.
#
# Scope note: the rule matches namespace "*", so a holder of this policy can
# inspect jobs in every namespace, including the `vault` and `auth` namespaces
# declared further down. `read-job` exposes the full job definition, so any
# secret written literally into a jobspec is readable with this policy; keep
# secrets in Nomad variables instead.
resource "nomad_acl_policy" "read_all_jobs" {
  description = "Has the `read-job` capability in all namespaces"
  name        = "read-all-jobs"

  # Heredoc body is passed to Nomad verbatim as the policy document.
  rules_hcl = <<HCL
namespace "*" {
capabilities = ["read-job"]
}
HCL
}
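# Client ACL token for Traefik, limited to the read-all-jobs policy.
#
# Handling notes:
#  - `secret_id` is stored in clear text in the Terraform state regardless of
#    what the provisioner does; the state backend needs the same protection as
#    the secret itself.
#  - No expiry is configured in this block, so the token stays valid until the
#    resource is replaced or destroyed.
resource "nomad_acl_token" "traefik" {
  name     = "traefik"
  type     = "client"
  policies = [nomad_acl_policy.read_all_jobs.name]

  # Creation-time provisioner: writes `NOMAD_TOKEN=<secret>` into an
  # age-encrypted env file under ./secrets via agenix (which reads the
  # plaintext from stdin here).
  provisioner "local-exec" {
    working_dir = "./secrets"

    # Pass the secret through the environment rather than interpolating it
    # into the command text. That keeps it out of the `sh -c` argument list
    # (visible to other local users via the process table) and stops the shell
    # from ever parsing the value as syntax.
    environment = {
      TRAEFIK_NOMAD_TOKEN = self.secret_id
    }

    # `set -eu` aborts on the first failing step or an unset variable;
    # `rm -f` keeps the first apply quiet when no previous file exists.
    command = <<BASH
set -eu
rm -f nomad-traefik-acl-token.env.age
printf 'NOMAD_TOKEN=%s\n' "$TRAEFIK_NOMAD_TOKEN" | \
agenix -e nomad-traefik-acl-token.env.age
BASH
  }
}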
# Mattermost
# Dedicated namespace for the Mattermost workload. The wildcard
# `read-all-jobs` policy in this file applies to it as well.
resource "nomad_namespace" "mattermost" {
  name = "mattermost"
}
# Registers the Mattermost job from the jobspec file shipped with this module.
# NOTE(review): the jobspec is not visible here. If it targets the
# `mattermost` namespace, nothing in this block makes Terraform create that
# namespace first; confirm ordering on a fresh apply.
# The rendered jobspec is kept in state and is readable by `read-job` holders,
# so it should not contain literal secrets.
resource "nomad_job" "mattermost" {
  jobspec = file("${path.module}/jobs/mattermost.nomad.hcl")
}
# Vault
# Database password consumed by the `jobs_vault` Nomad variable in this file.
# `sensitive = true` only redacts the value in plan/apply output; it is still
# written in clear text to the Terraform state, and to any tfvars file used to
# supply it.
variable "vault_db_password" {
  sensitive = true
}
# Namespace holding the Vaultwarden job and its Nomad variable.
# The wildcard `read-all-jobs` policy in this file also covers this namespace.
resource "nomad_namespace" "vault" {
  name = "vault"
}
# Registers the Vaultwarden job from the jobspec file shipped with this module.
# NOTE(review): the jobspec is not visible here. If it targets the `vault`
# namespace, this block carries no reference that orders it after
# `nomad_namespace.vault`; confirm on a fresh apply.
# Credentials are expected to come from the `nomad/jobs/vault` variable, not
# from literals in the jobspec, which `read-job` holders can read.
resource "nomad_job" "vault" {
  jobspec = file("${path.module}/jobs/vaultwarden.nomad.hcl")
}
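# Secrets handed to the Vaultwarden job through a Nomad variable.
#
# Handling notes:
#  - Every item below is written in clear text to the Terraform state; the
#    SMTP password is derived from an IAM access key defined outside this view.
#  - NOTE(review): the `nomad/jobs/<job ID>` path convention gives a job
#    implicit read access to its own variable; this presumes the job ID in
#    vaultwarden.nomad.hcl is `vault`. Confirm against the jobspec.
#  - The `read-all-jobs` policy in this file grants `read-job` only, which
#    does not include access to variables.
resource "nomad_variable" "jobs_vault" {
  path = "nomad/jobs/vault"

  # Reference the namespace resource instead of repeating the literal "vault":
  # the value is the same, but Terraform now knows to create the namespace
  # before writing the variable into it.
  namespace = nomad_namespace.vault.name

  items = {
    db_password   = var.vault_db_password
    smtp_username = aws_iam_access_key.vaultwarden_smtp.id
    smtp_password = aws_iam_access_key.vaultwarden_smtp.ses_smtp_password_v4
  }
}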
# Auth
# Namespace for identity-related jobs. No job is registered into it in the
# part of the file shown here.
# The wildcard `read-all-jobs` policy in this file also covers this namespace,
# so job definitions placed here are readable with the Traefik token.
resource "nomad_namespace" "auth" {
  description = "Contains jobs that provide auth{entication,orization} for other jobs"
  name        = "auth"
}