@DejfCold
Last active July 7, 2025 15:35
Nomad + Vault + Consul + Rabbitmq + FreeIPA
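# Nomad job: a two-node RabbitMQ 3.8 cluster whose TLS material comes from
# Vault PKI (pki_int), whose Consul ACL token comes from the Vault Consul
# secrets engine, whose LDAP bind password and Erlang cookie come from Vault
# KV, and which authenticates users against FreeIPA over LDAPS. Cluster
# peers are discovered through Consul; a second group runs a Consul Connect
# terminating gateway so mesh clients can reach the brokers.
job "rabbitmq" {
  datacenters = ["dc1"]
  type        = "service"

  group "rabbitmq" {
    # Two brokers that are never co-located: the container uses host
    # networking and binds fixed ports, so two on one host would collide.
    count = 2

    constraint {
      distinct_hosts = true
    }

    network {
      mode = "host"

      # The broker binds these ports itself (host networking, no port
      # mapping), so reserve them statically. Without `static`, Nomad would
      # hand out a dynamic host port that the process never listens on, and
      # `to` only has meaning in bridge mode.
      port "rabbitmq" {
        static = 5672
      }

      port "rabbitmq-management" {
        static = 15672
      }
    }

    # Registers the HTTPS management UI in Consul. The port is given as the
    # label declared above (Nomad's default host address mode expects a
    # label, not a literal), so the advertised port matches
    # management.ssl.port in rabbitmq.conf below.
    service {
      name = "rabbitmq-management"
      tags = ["management"]
      port = "rabbitmq-management"
    }

    task "rabbitmq" {
      driver = "docker"

      # The task's Vault token is scoped to this policy; it must permit every
      # path read by the templates below: pki_int/cert/ca_chain,
      # pki_int/issue/cert, secret/rabbitmq/ldap, secret/rabbitmq/config and
      # consul/creds/rabbitmq.
      vault {
        policies = ["rabbitmq"]
      }

      resources {
        cpu    = 300
        memory = 300
      }

      # Intermediate CA chain, used as the trust anchor for both the AMQP and
      # the management TLS listeners. Not sensitive, so local/ is fine.
      template {
        data        = <<EOH
{{ with secret "pki_int/cert/ca_chain" }}{{ .Data.certificate }}
{{ end }}
EOH
        destination = "local/ca_chain.pem"
      }

      # Leaf certificate for this node. The `secret` call must stay
      # byte-identical to the one in the private-key template: this relies
      # on the template runner de-duplicating identical requests so that the
      # certificate and key come from a single issuance. If the argument
      # strings ever diverge, each template triggers its own issuance and
      # the rendered key will not match the rendered certificate.
      # IP SANs cover loopback and the client node's advertised address,
      # which is what the broker binds under host networking.
      # NOTE(review): newer Nomad/consul-template expose a pkiCert function
      # that writes cert and key from one call; prefer it where available.
      template {
        data        = <<EOH
{{ with $ip_address := (env "attr.unique.network.ip-address") }}
{{ with secret "pki_int/issue/cert" "role_name=rabbitmq" "common_name=rabbitmq.service.consul" "ttl=24h" "alt_names=rabbitmq-management.service.consul,_rabbitmq_management._tcp.service.consul,_rabbitmq._tcp.service.consul,localhost" (printf "ip_sans=127.0.0.1,%s" $ip_address) }}
{{ .Data.certificate }}
{{ end }}{{ end }}
EOH
        destination = "local/cert.pem"
      }

      # Private key for the certificate above (same `secret` call, see the
      # note there). Rendered into secret/, which Nomad keeps out of the
      # allocation filesystem API and backs with tmpfs where supported.
      template {
        data        = <<EOH
{{ with $ip_address := (env "attr.unique.network.ip-address") }}
{{ with secret "pki_int/issue/cert" "role_name=rabbitmq" "common_name=rabbitmq.service.consul" "ttl=24h" "alt_names=rabbitmq-management.service.consul,_rabbitmq_management._tcp.service.consul,_rabbitmq._tcp.service.consul,localhost" (printf "ip_sans=127.0.0.1,%s" $ip_address) }}
{{ .Data.private_key }}
{{ end }}{{ end }}
EOH
        destination = "secret/key.pem"
      }

      # Erlang term file listing the plugins to enable: management UI,
      # Consul peer discovery, and the LDAP authentication/authorisation
      # backend.
      template {
        data        = <<EOH
[rabbitmq_management,rabbitmq_peer_discovery_consul,rabbitmq_auth_backend_ldap].
EOH
        destination = "local/enabled_plugins"
      }

      # LDAP tag mapping (Erlang terms). Every user who authenticates via
      # LDAP is granted the `management` tag unconditionally; only members
      # of cn=rabbitmq-admin get `administrator`. Confirm that granting
      # management-UI access to all directory users is intended.
      template {
        data        = <<EOH
[
{rabbitmq_auth_backend_ldap,
[ {group_lookup_base, "cn=groups,cn=accounts,dc=domain,dc=com"},
{tag_queries,
[
{management, {constant, true}},
{administrator, {in_group, "cn=rabbitmq-admin,cn=groups,cn=accounts,dc=domain,dc=com"}}
]
}
]
}
].
EOH
        destination = "local/advanced.config"
      }

      # Main broker configuration. It embeds the LDAP bind password and the
      # Consul ACL token, so it is rendered into secret/ (like the TLS key)
      # rather than local/, keeping it out of the alloc filesystem API.
      template {
        data        = <<EOH
# Authentication: LDAP first, internal database as fallback. Note that the
# internal fallback keeps the image's built-in users (e.g. guest, which is
# loopback-only by default) reachable; disable or rotate them if unwanted.
auth_backends.1 = ldap
auth_backends.2 = internal
auth_ldap.servers.1 = ipa.domain.com
auth_ldap.timeout = 15000
# LDAPS to FreeIPA. NOTE(review): no auth_ldap.ssl_options.* are set here,
# so the FreeIPA server certificate is not verified and the bind password
# below travels over an unauthenticated TLS session. Mount the FreeIPA CA
# and set auth_ldap.ssl_options.cacertfile plus
# auth_ldap.ssl_options.verify = verify_peer to close that gap.
auth_ldap.use_ssl = true
auth_ldap.port = 636
auth_ldap.dn_lookup_bind.user_dn = uid=rabbitmq,cn=sysaccounts,cn=etc,dc=domain,dc=com
auth_ldap.dn_lookup_bind.password = {{ with secret "secret/rabbitmq/ldap" }}{{ .Data.password }}{{ end }}
auth_ldap.dn_lookup_attribute = uid
auth_ldap.dn_lookup_base = cn=users,cn=accounts,dc=domain,dc=com
# Management UI served over HTTPS on the statically reserved port.
management.ssl.port = 15672
management.ssl.cacertfile = /etc/rabbitmq/ca_chain.pem
management.ssl.certfile = /etc/rabbitmq/cert.pem
management.ssl.keyfile = /etc/rabbitmq/key.pem
# AMQP TLS options. NOTE(review): these only take effect once a TLS
# listener is declared (listeners.ssl.default = 5671); as written only the
# plaintext 5672 listener is active. Client certificates are not required
# (verify is commented out, fail_if_no_peer_cert is false) - confirm that
# this is intended before relying on it for client authentication.
ssl_options.cacertfile = /etc/rabbitmq/ca_chain.pem
ssl_options.certfile = /etc/rabbitmq/cert.pem
ssl_options.keyfile = /etc/rabbitmq/key.pem
#ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
auth_ldap.log = network
# Peer discovery through the local Consul agent over HTTPS, using a
# short-lived ACL token issued by Vault.
cluster_formation.peer_discovery_backend = consul
cluster_formation.consul.acl_token = {{ with secret "consul/creds/rabbitmq" }}{{ .Data.token }}{{ end }}
cluster_formation.consul.host = {{ env "attr.unique.network.ip-address" }}
cluster_formation.consul.port = 8501
cluster_formation.consul.scheme = https
cluster_formation.consul.svc_addr_auto = true
cluster_formation.consul.svc_addr_nic = eth0
cluster_formation.consul.svc_addr_use_nodename = false
cluster_formation.consul.use_longname = true
EOH
        destination = "secret/rabbitmq.conf"
      }

      # Erlang cookie: the credential both nodes must share to form a
      # cluster. Read from one Vault KV key so the two allocations agree,
      # and injected into the task environment rather than written to a
      # config file.
      template {
        data        = <<EOF
RABBITMQ_ERLANG_COOKIE={{ with secret "secret/rabbitmq/config" }}{{ .Data.ERLANG_COOKIE }}{{ end }}
EOF
        destination = "secret/env"
        env         = true
      }

      config {
        # NOTE(review): the 3.8 series is no longer supported upstream and
        # the tag is mutable; pin a supported series by digest for
        # reproducible, patched deployments.
        image        = "rabbitmq:3.8-management-alpine"
        network_mode = "host"

        # Rendered files are bind-mounted over the image's config paths.
        # Paths are relative to the task directory; secret/ holds the files
        # that carry credentials.
        volumes = [
          "local/enabled_plugins:/etc/rabbitmq/enabled_plugins",
          "secret/rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf",
          "local/ca_chain.pem:/etc/rabbitmq/ca_chain.pem",
          "local/cert.pem:/etc/rabbitmq/cert.pem",
          "secret/key.pem:/etc/rabbitmq/key.pem",
          "local/advanced.config:/etc/rabbitmq/advanced.config",
        ]

        ports = ["rabbitmq-management", "rabbitmq"]
      }

      # Persistent message store, backed by the host volume declared below.
      volume_mount {
        volume      = "data"
        destination = "/var/lib/rabbitmq"
      }
    }

    volume "data" {
      type      = "host"
      source    = "rabbitmq"
      read_only = false
    }
  }

  # Consul Connect terminating gateway: lets services inside the mesh reach
  # the brokers, which run outside the mesh and are registered in Consul as
  # "rabbitmq" (the peer-discovery plugin's default service name), over a
  # proxied mTLS hop. The leg from the gateway to the broker is the AMQP
  # listener configured above.
  group "rabbitmq-terminating" {
    network {
      mode = "bridge"
    }

    service {
      connect {
        gateway {
          proxy {}

          terminating {
            service {
              name = "rabbitmq"
            }
          }
        }
      }
    }
  }
}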