magenta/mailserver: dump traefik certificate instead of nginx

2023-04-23 09:47:36 +03:00 · 2023-04-23 09:47:36 +03:00 · 1a3335831d
parent 0699b7a8ac
commit 1a3335831d
1 changed files with 56 additions and 9 deletions
--- a/nixos/hosts/magenta/services/mailserver.nix
+++ b/nixos/hosts/magenta/services/mailserver.nix
@ -1,5 +1,17 @@
-{ ... }:
+{ config, pkgs, ... }:

+let
+  cfg = config.mailserver;
+
+  certsDir = "/var/certs";
+
+  dumpTraefikMailCerts = pkgs.writeScript "dump-mail-certs" ''
+    #!/bin/sh
+    ${pkgs.jq}/bin/jq -r '.le.Certificates[] | select(.domain.main=="${cfg.fqdn}") | .certificate' /var/lib/traefik/acme.json | base64 -d > ${cfg.certificateFile}
+    ${pkgs.jq}/bin/jq -r '.le.Certificates[] | select(.domain.main=="${cfg.fqdn}") | .key' /var/lib/traefik/acme.json | base64 -d > ${cfg.keyFile}
+  '';
+
+in
 {
  imports = [ ./mailserver-accounts.secret.nix ];

@ -9,17 +21,52 @@
    fqdn = "mail.pleshevski.ru";
    domains = [ "pleshevski.ru" ];

-    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
-    # down nginx and opens port 80.
-    certificateScheme = 3;
+    # We use traefik to generate certificates
+    certificateScheme = 1;
+    certificateFile = "${certsDir}/cert-${cfg.fqdn}.pem";
+    keyFile = "${certsDir}/key-${cfg.fqdn}.pem";

    hierarchySeparator = "/";
  };

-  # required for certificateScheme = 3
-  # TODO: Try to use traefik
-  services.nginx = {
-    defaultHTTPListenPort = 10080;
-    defaultSSLListenPort = 10443;
+  services.traefik.dynamicConfigOptions.http = {
+    routers.mailserver_acme = {
+      rule = "Host(`${cfg.fqdn}`)";
+      entryPoints = [ "http" ];
+      tls = {
+        certResolver = "le";
+        domains = [
+          {
+            main = cfg.fqdn;
+            sans = cfg.domains;
+          }
+        ];
+      };
+      service = "noop@internal";
+    };
  };
+
+  systemd = {
+    services.dump-traefik-mail-cert = {
+      unitConfig = {
+        Description = "Restart mail cert service";
+        After = [ "network.target" ];
+      };
+
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${dumpTraefikMailCerts}";
+      };
+
+      wantedBy = [ "multi-user.target" ];
+
+    };
+
+    paths.dump-traefik-mail-cert = {
+      wantedBy = [ "multi-user.target" ];
+      pathConfig.PathChanged = "/var/lib/traefik/acme.json";
+    };
+  };
+
+
 }