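{ pkgs, config, lib, ... }:

# NixOS module: run `traefik-certs-dumper` as a long-lived watcher that
# extracts the certificates (and their PRIVATE KEYS) from Traefik's ACME
# store into a plain directory tree for other services on the host.
#
# Security-relevant choices made here:
#   * The original post-hook `chmod -R +r` made every dumped private key
#     world-readable.  The tree is now owner/group-readable only; consumers
#     are granted access by membership in `cfg.group`.
#   * `UMask=0027` closes the window between the dumper writing a key and
#     the post-hook fixing its mode.
#   * `destination` is spliced unquoted into ExecStart and into the hook
#     command line, so an assertion restricts it to an absolute path with
#     no whitespace or quotes.
#   * `ProtectSystem=strict` only allows writes to the default destination
#     via StateDirectory=; a custom destination is now made writable with
#     ReadWritePaths= instead of silently failing at runtime.
let
  inherit (lib)
    hasPrefix literalExpression mkEnableOption mkIf mkOption optionalAttrs
    removePrefix types;

  cfg = config.cloud.traefik.certsDumper;

  # Traefik's own service identity; the dumper must read Traefik's store, so it
  # runs as the same user.  Evaluated lazily: only touched when enabled.
  traefikService = config.systemd.services.traefik.serviceConfig;

  # Location of Traefik's certificate store, provided by the project's traefik
  # module (not defined in this file).
  certsPath = config.cloud.traefik.certsPath;

  # systemd can only create/own the destination itself (StateDirectory=) when
  # it lives under /var/lib; anywhere else it must already exist.
  stateDirPrefix = "/var/lib/";
  destInStateDir = hasPrefix stateDirPrefix cfg.destination;
in
{
  options.cloud.traefik.certsDumper = {
    enable = mkEnableOption "Dump certs onto a given directory ";

    package = mkOption {
      type = types.package;
      default = pkgs.traefik-certs-dumper;
      defaultText = literalExpression "pkgs.traefik-certs-dumper";
      description = "The certs dumper package to use";
    };

    destination = mkOption {
      type = types.str;
      default = "/var/lib/traefik-certs";
      description = ''
        The destination folder to dump certs onto.

        Must be an absolute path containing no whitespace or quotes, because
        it is passed unquoted on the service command line.  A destination
        below /var/lib is created and owned by systemd; any other destination
        must already exist and be writable by the Traefik user.
      '';
    };

    group = mkOption {
      type = types.str;
      default = traefikService.Group;
      defaultText = literalExpression "config.systemd.services.traefik.serviceConfig.Group";
      description = ''
        Group owning the dumped files.  Members of this group can read the
        dumped certificates and private keys; other users cannot.  Add the
        services that consume the certificates to this group.
      '';
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        # User/Group below are read from the traefik unit; fail at eval time
        # with a clear message rather than with an attribute-missing error.
        assertion = config.systemd.services ? traefik;
        message = "cloud.traefik.certsDumper requires the `traefik` systemd service to be defined.";
      }
      {
        # Absolute path, no whitespace or quote characters (see option docs).
        assertion = builtins.match "/[^[:space:]'\"]+" cfg.destination != null;
        message = "cloud.traefik.certsDumper.destination must be an absolute path without whitespace or quotes (got: \"${cfg.destination}\").";
      }
    ];

    systemd.services.traefik-certs-dumper = {
      description = "Dump certificates generated by traefik to a destination folder";
      after = [ "traefik.service" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ openssl ];

      serviceConfig = {
        User = traefikService.User;
        Group = cfg.group;

        # `--watch` keeps the process running and re-dumps on store changes.
        # The post-hook fixes modes after every dump: owner rw, group r,
        # others nothing; `X` keeps directories traversable.
        ExecStart = "${cfg.package}/bin/traefik-certs-dumper file --watch --domain-subdir=true --version v2 --source ${certsPath} --dest ${cfg.destination} --post-hook 'chmod -R u=rwX,g=rX,o= ${cfg.destination}'";

        # Files are never world-readable, even before the post-hook runs.
        UMask = "0027";

        LimitNOFILE = "1048576";

        # Sandboxing.  ProtectSystem=strict mounts the whole FS read-only,
        # so the destination has to be opened up explicitly below.
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHome = true;
        ProtectSystem = "strict";
        NoNewPrivileges = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        RestrictSUIDSGID = true;
        ReadWritePaths = [ cfg.destination ];
      } // optionalAttrs destInStateDir {
        # Let systemd create and own the directory when it is under /var/lib.
        StateDirectory = removePrefix stateDirPrefix cfg.destination;
        StateDirectoryMode = "0750";
      };
    };
  };
}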