nix-home/modules/cloud/traefik/certs-dumper.nix

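# NixOS module: runs traefik-certs-dumper as a systemd service that watches
# Traefik's certificate store and writes the certificates into a directory.
{ pkgs, config, lib, ... }:
let
  inherit (lib) concatStringsSep mkEnableOption mkIf mkOption types;

  cfg = config.cloud.traefik.certsDumper;
in
{
  options.cloud.traefik.certsDumper = {
    # mkEnableOption prefixes its argument with "Whether to enable ", so the
    # text is phrased to complete that sentence.
    enable = mkEnableOption "dumping Traefik certificates into a directory";

    package = mkOption {
      type = types.package;
      default = pkgs.traefik-certs-dumper;
      description = "The certs dumper package to use";
    };

    destination = mkOption {
      type = types.str;
      default = "/var/lib/traefik-certs";
      description = "The destination folder to dump certs onto";
    };
  };

  config.systemd.services.traefik-certs-dumper = mkIf cfg.enable {
    description = "Dump certificates generated by traefik to a destination folder";
    after = [ "traefik.service" ];
    wantedBy = [ "multi-user.target" ];
    path = [ pkgs.openssl ];

    serviceConfig =
      let
        # Defined by the Traefik module, outside this file.
        certsPath = config.cloud.traefik.certsPath;
      in
      {
        # Run under the same account as the Traefik unit
        # (presumably so the dumper can read the store at certsPath - confirm).
        inherit (config.systemd.services.traefik.serviceConfig) User Group;

        # NOTE(review): the paths are interpolated unquoted, so a source or
        # destination containing whitespace or quote characters changes how
        # this command line is split.
        #
        # NOTE(review): the post-hook runs `chmod -R +r` on the whole dump.
        # With no "who" given, chmod adds read permission for user, group and
        # other (subject to the umask), and traefik-certs-dumper exports the
        # private keys next to the certificates, so the keys become readable
        # by every local account. Kept as-is because other services may rely
        # on it; prefer granting group read only (e.g. `g+rX`) and adding the
        # consuming services to that group.
        ExecStart = concatStringsSep " " [
          "${cfg.package}/bin/traefik-certs-dumper"
          "file"
          "--watch"
          "--domain-subdir=true"
          "--version v2"
          "--source ${certsPath}"
          "--dest ${cfg.destination}"
          "--post-hook 'chmod -R +r ${cfg.destination}'"
        ];
        LimitNOFILE = "1048576";

        # Sandboxing.
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHome = true;
        ProtectSystem = "strict";
        StateDirectory = "traefik-certs";
        # ProtectSystem=strict leaves the file system read-only for this unit
        # and StateDirectory only covers /var/lib/traefik-certs, so a
        # non-default destination would not be writable without this entry.
        # The leading "-" makes systemd ignore the entry when the path does
        # not exist.
        ReadWritePaths = [ "-${cfg.destination}" ];
      };
  };
}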