nomad/jobs/ingress/traefik.hcl

job "traefik" {
  datacenters = ["aperture"]
  node_pool   = "ingress"
  type        = "service"

  group "traefik" {
    network {
      port "http" {
        static = 80
      }
      port "https" {
        static = 443
      }
      port "admin" {
        static = 8080
      }
      port "ssh" {
        static = 22
      }
      port "smtp" {
        static = 25
      }
      port "submission" {
        static = 587
      }
      port "submissions" {
        static = 465
      }
      port "imap" {
        static = 143
      }
      port "imaps" {
        static = 993
      }
      port "pop3" {
        static = 110
      }
      port "pop3s" {
        static = 995
      }
      port "managesieve" {
        static = 4190
      }
      port "voice-tcp" {
        static = 4502
      }
      port "voice-udp" {
        static = 4503
      }
    }

    service {
      name     = "traefik-http"
      provider = "nomad"
      port     = "https"
    }

    task "traefik" {
      driver = "docker"
      config {
        image        = "traefik"
        network_mode = "host"

        volumes = [
          "local/traefik.toml:/etc/traefik/traefik.toml",
          "/storage/nomad/traefik/acme/acme.json:/acme.json",
          "/storage/nomad/traefik/access.log:/access.log",
        ]
      }

      template {
        data        = <<EOF
[entryPoints]
  [entryPoints.web]
  address = ":80"
  [entryPoints.web.http.redirections.entryPoint]
    to = "websecure"
    scheme = "https"

  [entryPoints.websecure]
  address = ":443"

  [entryPoints.traefik]
  address = ":8080"

  [entryPoints.ssh]
  address = ":22"

  [entryPoints.smtp]
  address = ":25"

  [entryPoints.submission]
  address = ":587"

  [entryPoints.submissions]
  address = ":465"

  [entryPoints.imap]
  address = ":143"

  [entryPoints.imaps]
  address = ":993"

  [entryPoints.pop3]
  address = ":110"

  [entryPoints.pop3s]
  address = ":995"

  [entryPoints.managesieve]
  address = ":4190"

  [entryPoints.voice-tcp]
  address = ":4502"

  [entryPoints.voice-udp]
    address = ":4503/udp"
    [entryPoints.voice-udp.udp]
      timeout = "15s" # this will help reduce random dropouts in audio https://github.com/mumble-voip/mumble/issues/3550#issuecomment-441495977

[tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
    ]

[api]
    dashboard = true
    insecure  = true

# Enable Consul Catalog configuration backend.
[providers.consulCatalog]
    prefix           = "traefik"
    exposedByDefault = false

    [providers.consulCatalog.endpoint]
      address = "127.0.0.1:8500"
      scheme  = "http"

#[providers.nomad]
#  [providers.nomad.endpoint]
#    address = "127.0.0.1:4646"
#    scheme = "http"

[certificatesResolvers.lets-encrypt.acme]
  email = "elected-admins@redbrick.dcu.ie"
  storage = "acme.json"
  [certificatesResolvers.lets-encrypt.acme.tlsChallenge]

[tracing]

[accessLog]
  filePath = "/access.log"
EOF
        destination = "/local/traefik.toml"
      }
    }
  }
}