nki/nix-home
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity

Add cert-resolver

Browse source
This commit is contained in:
Natsu Kagami 2021-11-01 15:50:30 -04:00
parent 0842bd53a2
commit 071889c976
Signed by: nki
GPG key ID: 7306B3D3C3AD6E51
7 changed files with 475 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

46
modules/cloud/traefik/certs-dumper.nix Normal file
View file

@ -0,0 +1,46 @@
{ pkgs, config, lib, ... }:
with lib;
let
cfg = config.cloud.traefik.certsDumper;
in
{
options.cloud.traefik.certsDumper = {
enable = mkEnableOption "Dump certs onto a given directory ";
package = mkOption {
type = types.package;
default = pkgs.unstable.traefik-certs-dumper;
description = "The certs dumper package to use";
};
destination = mkOption {
type = types.str;
default = "/var/lib/traefik-certs";
description = "The destination folder to dump certs onto";
};
};
config.systemd.services.traefik-certs-dumper = mkIf cfg.enable {
after = [ "traefik.service" ];
path = with pkgs; [ openssl ];
wantedBy = [ "multi-user.target" ];
description = "Dump certificates generated by traefik to a destination folder";
serviceConfig =
let
user = config.systemd.services.traefik.serviceConfig.User;
group = config.systemd.services.traefik.serviceConfig.Group;
certsPath = config.cloud.traefik.certsPath;
in
{
User = user;
Group = group;
ExecStart = "${cfg.package}/bin/traefik-certs-dumper file --watch --domain-subdir=true --version v2 --source ${certsPath} --dest ${cfg.destination} --post-hook 'chmod -R +r ${cfg.destination}'";
LimitNOFILE = "1048576";
PrivateTmp = "true";
PrivateDevices = "true";
ProtectHome = "true";
ProtectSystem = "strict";
StateDirectory = "traefik-certs";
};
};
}