# Podman Quadlet container unit for the Tang service.
# %N is the systemd specifier for the unit name (without type suffix); it is used
# below to pick the matching image, env file and build/secrets units.
[Unit]
Description=Tang Service
# Start after the network is up and after the image build and secrets units.
# These are Wants (best effort), not Requires: the unit still starts if they fail.
After=network-online.target container-build@%N.service container-secrets.service
Wants=network-online.target container-build@%N.service container-secrets.service
# wait until unbound is active
# Hard dependency: if dns-is-ready.service is not active this unit does not start.
After=dns-is-ready.service
Requires=dns-is-ready.service
[Service]
# environment loaded here is available in systemd-quadlet scope
# (i.e. to the generated service and its ExecStart, e.g. for ${VAR} expansion);
# the leading "-" makes a missing file non-fatal.
EnvironmentFile=-/etc/containers/environment/%N-systemd.env
# restart only after an unclean exit, not after a clean stop
Restart=on-failure
[Container]
# locally built image named after this unit (presumably produced by container-build@%N.service)
Image=localhost/%N:latest
# persistent volume for Tang's key directory (tang.volume is a Quadlet volume unit)
Volume=tang.volume:/var/db/tang
# environment loaded here is available for container scope, mind quadlet bug "=-"
# EnvironmentFile=/etc/containers/environment/%N.env
# health check: fetch the advertisement endpoint on the container's loopback address
# (5s grace period before failures count, 3s per probe)
HealthStartPeriod=5s
HealthTimeout=3s
HealthCmd=wget -qSO /dev/null http://127.0.0.1:9090/adv
# frontend config
Label=traefik.enable=true
# make service available on https port, needs matching hostname
# do mandatory mutual TLS authentication
# NOTE(review): ${HOSTNAME} is not a systemd specifier; it looks like it is expected
# to come from the [Service] EnvironmentFile — confirm it is set there, otherwise
# the Host() rule ends up empty.
Label=traefik.http.routers.%N-sni.entrypoints=https
Label=traefik.http.routers.%N-sni.rule=Host(`${HOSTNAME}`)
Label=traefik.http.routers.%N-sni.tls.options=mtls@file
Label=traefik.http.routers.%N-sni.middlewares=passtlsclientcert@file
Label=traefik.http.routers.%N-sni.service=systemd-%N
# make service also available on the tang-mtls-nosni port via the internal-tang-http entrypoint;
# ignore any hostname sent over the ip:port connection, do mandatory mTLS
# NOTE(review): unlike the -sni router, no tls.options is set on this router, so the
# mTLS requirement has to come from the entrypoint's default TLS options — confirm
# that; passtlsclientcert only forwards the client cert, it does not require one.
Label=traefik.http.routers.%N-direct.entrypoints=internal-tang-http
Label=traefik.http.routers.%N-direct.rule=PathPrefix(`/`)
Label=traefik.http.routers.%N-direct.middlewares=passtlsclientcert@file
Label=traefik.http.routers.%N-direct.service=systemd-%N
[Install]
# start at boot as part of the default multi-user target
WantedBy=multi-user.target