snibox.nomad (2227B)
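# Nomad job for snibox: an nginx TLS front end plus the Rails application
# server, both run by the podman driver in a single group.
job "snibox" {
  datacenters = ["dc1"]

  # Declared at job level, so every task in the job (nginx included) is issued
  # a Vault token. No policies or role are named here.
  # NOTE(review): confirm the token's policy grants read on kv/snibox only, and
  # whether nginx needs a token at all (templates/nginx.conf.tmpl is not visible
  # here); if it does not, scope this block to the "server" task.
  vault {}

  group "server" {
    count = 1

    # CSI volume holding the Let's Encrypt tree that nginx mounts below.
    # NOTE(review): presumably written by a separate certbot job; verify.
    volume "tls" {
      type            = "csi"
      source          = "certbot"
      access_mode     = "multi-node-multi-writer"
      attachment_mode = "file-system"
    }

    # CSI volume mounted by the Rails task at /app/public.
    volume "snibox" {
      type            = "csi"
      source          = "snibox"
      access_mode     = "multi-node-multi-writer"
      attachment_mode = "file-system"
    }

    network {
      # Dynamic host port forwarded to the Rails listener on 3000.
      # NOTE(review): no network mode is set here, so this plain-HTTP port is
      # presumably published on the host and reachable without going through
      # nginx; confirm it is firewalled or otherwise restricted.
      port "server" {
        to = 3000
      }
      # Fixed host port for the TLS listener.
      port "https" {
        static = 44392
      }
    }

    task "nginx" {
      driver = "podman"

      config {
        # NOTE(review): "stable-alpine" is a floating tag; pinning by digest
        # makes the deployed image reproducible and auditable.
        image = "docker.io/library/nginx:stable-alpine"
        ports = ["https"]
        volumes = [
          # mount the templated config from the task directory to the container
          "local/snibox.conf:/etc/nginx/conf.d/snibox.conf",
        ]
      }

      volume_mount {
        volume      = "tls"
        destination = "/etc/letsencrypt"
        # nginx only reads certificates and keys. Mounting read-only stops a
        # compromised front end from replacing or deleting TLS material on the
        # shared volume.
        read_only = true
      }

      template {
        destination = "${NOMAD_TASK_DIR}/snibox.conf"
        data        = file("./templates/nginx.conf.tmpl")
      }

      resources {
        memory     = 50
        memory_max = 128
        cpu        = 100
      }
    }

    task "server" {
      driver = "podman"

      # Non-sensitive settings only; secrets come from the template below.
      env {
        RAILS_LOG_TO_STDOUT = true
        # https://github.com/snibox/snibox/issues/25
        RAILS_SERVE_STATIC_FILES = true
        DB_NAME                  = "snibox"
        DB_USER                  = "snibox"
        DB_HOST                  = "postgres.lan"
      }

      template {
        # render sensitive env vars in a template from Vault secrets
        # Written under the task's secrets directory rather than the job spec,
        # so the values never appear in the submitted job definition.
        env         = true
        destination = "${NOMAD_SECRETS_DIR}/env"
        data        = <<EOT
DB_PASS = "{{with secret "kv/snibox"}}{{index .Data.data.db_password}}{{end}}"
SECRET_KEY_BASE = "{{with secret "kv/snibox"}}{{index .Data.data.secret_key_base}}{{end}}"
EOT
      }

      config {
        # NOTE(review): ":latest" with force_pull means each (re)start runs
        # whatever the registry currently serves under that tag. Pin a digest
        # or immutable tag, and confirm who can push to the 127.0.0.1:5000
        # registry.
        image      = "127.0.0.1:5000/snibox:latest"
        force_pull = true
        command    = "/bin/sh"
        # Clears stale pid files before starting Rails on all container
        # interfaces.
        args  = ["-c", "rm -rf tmp/pids && ./bin/rails s -p 3000 -b '0.0.0.0'"]
        ports = ["server"]
      }

      volume_mount {
        volume      = "snibox"
        destination = "/app/public"
      }

      resources {
        memory     = 50
        memory_max = 256
        cpu        = 200
      }
    }
  }
}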