magenta/mailserver: dump traefik certificate instead of nginx

Dmitriy Pleshevskiy 2023-04-23 09:47:36 +03:00
parent 0699b7a8ac
commit 1a3335831d
Signed by: pleshevskiy
GPG key ID: 79C4487B44403985


@ -1,5 +1,17 @@
{ ... }: { config, pkgs, ... }:
let
cfg = config.mailserver;
certsDir = "/var/certs";
dumpTraefikMailCerts = pkgs.writeScript "dump-mail-certs" ''
#!/bin/sh
${pkgs.jq}/bin/jq -r '.le.Certificates[] | select(.domain.main=="${cfg.fqdn}") | .certificate' /var/lib/traefik/acme.json | base64 -d > ${cfg.certificateFile}
${pkgs.jq}/bin/jq -r '.le.Certificates[] | select(.domain.main=="${cfg.fqdn}") | .key' /var/lib/traefik/acme.json | base64 -d > ${cfg.keyFile}
'';
in
{ {
imports = [ ./mailserver-accounts.secret.nix ]; imports = [ ./mailserver-accounts.secret.nix ];
@ -9,17 +21,52 @@
fqdn = "mail.pleshevski.ru"; fqdn = "mail.pleshevski.ru";
domains = [ "pleshevski.ru" ]; domains = [ "pleshevski.ru" ];
# Use Let's Encrypt certificates. Note that this needs to set up a stripped # We use traefik to generate certificates
# down nginx and opens port 80. certificateScheme = 1;
certificateScheme = 3; certificateFile = "${certsDir}/cert-${cfg.fqdn}.pem";
keyFile = "${certsDir}/key-${cfg.fqdn}.pem";
hierarchySeparator = "/"; hierarchySeparator = "/";
}; };
# required for certificateScheme = 3 services.traefik.dynamicConfigOptions.http = {
# TODO: Try to use traefik routers.mailserver_acme = {
services.nginx = { rule = "Host(`${cfg.fqdn}`)";
defaultHTTPListenPort = 10080; entryPoints = [ "http" ];
defaultSSLListenPort = 10443; tls = {
certResolver = "le";
domains = [
{
main = cfg.fqdn;
sans = cfg.domains;
}
];
};
service = "noop@internal";
};
}; };
systemd = {
services.dump-traefik-mail-cert = {
unitConfig = {
Description = "Restart mail cert service";
After = [ "network.target" ];
};
serviceConfig = {
Type = "oneshot";
ExecStart = "${dumpTraefikMailCerts}";
};
wantedBy = [ "multi-user.target" ];
};
paths.dump-traefik-mail-cert = {
wantedBy = [ "multi-user.target" ];
pathConfig.PathChanged = "/var/lib/traefik/acme.json";
};
};
} }
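Review bot: The dump script writes the private key to `${cfg.keyFile}` with a plain `>` redirection and no umask, so under the usual default umask the key file in `/var/certs` is created mode 0644 and readable by every local user; the script should start with `set -eu` and `umask 077` before the two jq lines. If the `select(.domain.main=="${cfg.fqdn}")` filter matches nothing (for example while traefik is still obtaining the certificate, or after a resolver rename away from `le`), jq prints nothing and `base64 -d` truncates both existing files to zero bytes, which would take the mail server down rather than leaving the previous certificate in place — writing to a temporary file and only replacing the target when it is non-empty avoids that. The literal `/var/lib/traefik/acme.json` is repeated three times (twice in the script, once in `pathConfig.PathChanged`); a single `let` binding next to `certsDir` would keep them from drifting apart. Nothing in the unit reloads postfix/dovecot after the files change, so unless the mailserver module watches these paths on its own the new certificate may not be served until the next restart.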