
Use Nomad Provider in Traefik


I run Traefik in a dedicated LXC container in my homelab to securely serve all my internal applications. Recently, I started using Nomad to run certain containerized applications and services.

To simplify the setup, I use the Nomad Provider to automatically configure my existing Traefik instance with the services I run on Nomad. Here is a short guide on how to set up the provider.

Prerequisites

  • A running Nomad cluster
  • A running Traefik instance

Create a Nomad Token for Traefik

  1. Create a new policy file named read-job.policy.hcl:
# Give read access to all jobs in the default namespace
namespace "default" {
  capabilities = ["read-job"]
}
  2. Apply the policy:
$ nomad acl policy apply -description "Read Job Policy" read-job read-job.policy.hcl
  3. Create a new token with the policy and save the secret ID:
$ nomad acl token create -name="traefik-acl-token" -policy="read-job" -type="client"

Add the Nomad Provider to Traefik

  1. Add the Nomad Provider to your Traefik configuration file:

Note: This example is based on my Traefik configuration which uses Let’s Encrypt wildcard certificates.

---
certificatesResolvers:
  letsEncrypt:
    acme:
      email: YOUR_EMAIL # Change this
      storage: /var/lib/traefik/acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: "30"
        resolvers:
          - "coraline.ns.cloudflare.com:53"
          - "kyrie.ns.cloudflare.com:53"

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          scheme: https
          to: https
  https:
    address: ":443"

api:
  dashboard: true

metrics:
  prometheus: {}

providers:
  file:
    filename: /var/lib/traefik/dynamic.yml

  nomad:
    endpoint:
      address: http://YOUR_NOMAD_SERVER:4646 # Change this to your Nomad server address
      token: YOUR_SECRET_ID # Change this to the secret ID from the previous step
  2. Restart Traefik.

Deploy a service on Nomad to be served by Traefik

Note: Change home.example.tld to your own domain name.

  1. Create a new job file whoami.nomad.hcl:
job "whoami" {
  datacenters = ["homelab"]

  type = "service"

  group "whoami" {
    count = 1

    network {
       port "http" {
         to = 80
       }
    }

    service {
      name = "whoami"
      port = "http"
      provider = "nomad"

      tags = [
        "traefik.enable=true",
        "traefik.http.routers.whoami.rule=Host(`whoami.home.example.tld`)", # Change this to your domain
        "traefik.http.routers.whoami.entrypoints=http,https",
        "traefik.http.routers.whoami.tls.certresolver=letsEncrypt",
        "traefik.http.routers.whoami.tls.domains[0].main=home.example.tld", # Change this to your domain
        "traefik.http.routers.whoami.tls.domains[0].sans=*.home.example.tld", # Change this to your domain
      ]

      check {
        type     = "http"
        port     = "http"
        path     = "/health"
        interval = "15s"
        timeout  = "15s"
      }
    }

    task "server" {
      driver = "docker"

      resources {
        cpu    = 100
        memory = 128
      }

      env {
        WHOAMI_PORT_NUMBER = "${NOMAD_PORT_http}"
      }

      config {
        image = "traefik/whoami:v1.10"
        ports = ["http"]
      }
    }
  }
}
  2. Deploy the job:
$ nomad job run whoami.nomad.hcl
  3. Open https://whoami.home.example.tld in your browser and you should see the Traefik whoami service.

  4. Bonus: Check the Traefik dashboard and you should also see the whoami service provided by the Nomad Provider.

Traefik Dashboard
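
Because the routers come straight from the service tags in the job file, it is worth reviewing those tags before a job is deployed. The following is an added example, not part of the original post and not Traefik's own parser: it groups the `traefik.http.routers.*` tags by router and applies a hypothetical review policy (the function names, `allowed_domain` and `known_resolvers` are assumptions of this example).

```python
import re

# Constructed sample: the service tags from the whoami job on this page.
WHOAMI_TAGS = [
    "traefik.enable=true",
    "traefik.http.routers.whoami.rule=Host(`whoami.home.example.tld`)",
    "traefik.http.routers.whoami.entrypoints=http,https",
    "traefik.http.routers.whoami.tls.certresolver=letsEncrypt",
    "traefik.http.routers.whoami.tls.domains[0].main=home.example.tld",
    "traefik.http.routers.whoami.tls.domains[0].sans=*.home.example.tld",
]

ROUTER_KEY = re.compile(r"traefik\.http\.routers\.([^.]+)\.(.+)", re.IGNORECASE)


def parse_routers(tags):
    """Group traefik.http.routers.<name>.<option>=<value> tags by router name."""
    routers = {}
    for tag in tags:
        key, sep, value = tag.partition("=")
        match = ROUTER_KEY.fullmatch(key.strip())
        if sep and match:
            # Option names are lowercased here so the lookups below are uniform.
            routers.setdefault(match.group(1), {})[match.group(2).lower()] = value.strip()
    return routers


def audit_tags(tags, allowed_domain, known_resolvers):
    """Return findings for one service's tags (hypothetical review policy)."""
    findings = []
    for name, opts in sorted(parse_routers(tags).items()):
        hosts = []
        for args in re.findall(r"\bHost\(([^)]*)\)", opts.get("rule", "")):
            hosts += re.findall(r"`([^`]+)`", args)
        if not hosts:
            findings.append(f"{name}: rule has no Host() matcher")
        for host in hosts:
            if host != allowed_domain and not host.endswith("." + allowed_domain):
                findings.append(f"{name}: host {host} is outside {allowed_domain}")
        if not any(k == "tls" or k.startswith("tls.") for k in opts):
            findings.append(f"{name}: no tls option set")
        resolver = opts.get("tls.certresolver")
        if resolver is not None and resolver not in known_resolvers:
            findings.append(f"{name}: unknown certresolver {resolver}")
    return findings


if __name__ == "__main__":
    print(audit_tags(WHOAMI_TAGS, "home.example.tld", {"letsEncrypt"}) or "no findings")
```

The whoami tags from this page pass with no findings; a router whose Host() falls outside the chosen domain, or that sets no tls option, is reported by name.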