nixos/traefik: add environmentFiles option

2023-03-05 00:12:06 +01:00 · 2023-03-05 00:12:06 +01:00 · d568766fc7
commit d568766fc7
parent 67faa3e9b3
2 changed files with 27 additions and 3 deletions
--- a/nixos/modules/services/web-servers/traefik.nix
+++ b/nixos/modules/services/web-servers/traefik.nix
@ -48,6 +48,11 @@ let
    ''
  else
    cfg.staticConfigFile;
+
+  finalStaticConfigFile =
+    if cfg.environmentFiles == []
+    then staticConfigFile
+    else "/run/traefik/config.toml";
 in {
  options.services.traefik = {
    enable = mkEnableOption (lib.mdDoc "Traefik web server");
@ -127,6 +132,16 @@ in {
      type = types.package;
      description = lib.mdDoc "Traefik package to use.";
    };
+
+    environmentFiles = mkOption {
+      default = [];
+      type = types.listOf types.path;
+      example = [ "/run/secrets/traefik.env" ];
+      description = lib.mdDoc ''
+        Files to load as environment file. Environment variables from this file
+        will be substituted into the static configuration file using envsubst.
+      '';
+    };
  };

  config = mkIf cfg.enable {
@ -139,8 +154,13 @@ in {
      startLimitIntervalSec = 86400;
      startLimitBurst = 5;
      serviceConfig = {
-        ExecStart =
-          "${cfg.package}/bin/traefik --configfile=${staticConfigFile}";
+        EnvironmentFile = cfg.environmentFiles;
+        ExecStartPre = lib.optional (cfg.environmentFiles != [])
+          (pkgs.writeShellScript "pre-start" ''
+            umask 077
+            ${pkgs.envsubst}/bin/envsubst -i "${staticConfigFile}" > "${finalStaticConfigFile}"
+          '');
+        ExecStart = "${cfg.package}/bin/traefik --configfile=${finalStaticConfigFile}";
        Type = "simple";
        User = "traefik";
        Group = cfg.group;
@ -155,6 +175,7 @@ in {
        ProtectHome = true;
        ProtectSystem = "full";
        ReadWriteDirectories = cfg.dataDir;
+        RuntimeDirectory = "traefik";
      };
    };

--- a/nixos/tests/traefik.nix
+++ b/nixos/tests/traefik.nix
@ -52,10 +52,13 @@ import ./make-test-python.nix ({ pkgs, ... }: {
            sendAnonymousUsage = false;
          };

-          entryPoints.web.address = ":80";
+          entryPoints.web.address = ":\${HTTP_PORT}";

          providers.docker.exposedByDefault = false;
        };
+        environmentFiles = [(pkgs.writeText "traefik.env" ''
+          HTTP_PORT=80
+        '')];
      };

      systemd.services.simplehttp = {