Use a template block so we can fetch values from vault

2023-10-16 13:33:52 +02:00 · 2023-10-16 13:33:52 +02:00 · 84dc3078e2
parent 6a785bd5df
commit 84dc3078e2
1 changed files with 41 additions and 32 deletions
--- a/acme-to-vault.nomad.hcl
+++ b/acme-to-vault.nomad.hcl
@ -45,39 +45,48 @@ job [[ .acme.instance | toJSON ]] {
      }

      env {
-        [[- template "common/env.tpl" $c.env ]]
-        [[- if has .acme.vault "service_name" ]]
-        VAULT_ADDR  = "http://localhost:8200"
-        [[- else ]]
-        VAULT_ADDR  = [[ .acme.vault.addr | toJSON ]]
-        [[- end ]]
        [[- template "common/proxy_env.tpl" . -]]
-        ACME_CRON   = [[ .acme.cron | toJSON ]]
-        ACME_KV_ACCOUNT_ROOT = [[ .acme.vault.kv_account_root | toJSON ]]
-        [[- range $acc_idx, $account := .acme.accounts ]]
-        ACME_[[ $acc_idx ]]_CA = [[ $account.ca | toJSON ]]
-        ACME_[[ $acc_idx ]]_EMAIL = [[ $account.email | toJSON ]]
-        ACME_[[ $acc_idx ]]_KV_CERT_ROOT = [[ $account.kv_cert_root | toJSON ]]
-          [[- if has $account "challenge" ]]
-        ACME_[[ $acc_idx ]]_CHALLENGE = [[ $account.challenge | toJSON ]]
-            [[- if eq $account.challenge "dns-01" ]]
-        ACME_[[ $acc_idx ]]_DNS_PROVIDER = [[ $account.dns_provider | toJSON ]]
-        ACME_[[ $acc_idx ]]_DNS_KEY_ENV = [[ $account.dns_key_env | toJSON ]]
-        ACME_[[ $acc_idx ]]_DNS_KEY_VALUE = [[ $account.dns_key_value | toJSON ]]
-            [[ if has $account "dns_resolvers" ]]
-        ACME_[[ $acc_idx ]]_DNS_RESOLVERS = [[ join $account.dns_resolvers "," | toJSON ]]
-            [[- end ]]
-          [[- else ]]
-        ACME_[[ $acc_idx ]]_CHALLENGE = "http-01"
-            [[- end ]]
-          [[- end ]]
-          [[- if has $account "key_type" ]]
-        ACME_[[ $acc_idx ]]_KEY_TYPE = [[ $account.key_type | toJSON ]]
-          [[- end ]]
-          [[- range $crt_idx, $crt := $account.certs ]]
-        ACME_[[ $acc_idx ]]_CERT_[[ $crt_idx ]] = [[ $crt | toJSON ]]
-          [[- end ]]
-        [[- end ]]
+      }
+
+[[- template "common/file_env.tpl" $c.env ]]
+
+      template {
+        data =<<_EOT
+[[- if has .acme.vault "service_name" ]]
+VAULT_ADDR=http://localhost:8200
+[[- else ]]
+VAULT_ADDR=[[ .acme.vault.addr ]]
+[[- end ]]
+ACME_CRON=[[ .acme.cron ]]
+ACME_KV_ACCOUNT_ROOT=[[ .acme.vault.kv_account_root ]]
+[[- range $acc_idx, $account := .acme.accounts ]]
+ACME_[[ $acc_idx ]]_CA=[[ $account.ca ]]
+ACME_[[ $acc_idx ]]_EMAIL=[[ $account.email ]]
+ACME_[[ $acc_idx ]]_KV_CERT_ROOT=[[ $account.kv_cert_root ]]
+  [[- if has $account "challenge" ]]
+ACME_[[ $acc_idx ]]_CHALLENGE=[[ $account.challenge ]]
+    [[- if eq $account.challenge "dns-01" ]]
+ACME_[[ $acc_idx ]]_DNS_PROVIDER=[[ $account.dns_provider ]]
+ACME_[[ $acc_idx ]]_DNS_KEY_ENV=[[ $account.dns_key_env ]]
+ACME_[[ $acc_idx ]]_DNS_KEY_VALUE=[[ $account.dns_key_value ]]
+    [[ if has $account "dns_resolvers" ]]
+ACME_[[ $acc_idx ]]_DNS_RESOLVERS=[[ join $account.dns_resolvers "," ]]
+    [[- end ]]
+  [[- else ]]
+ACME_[[ $acc_idx ]]_CHALLENGE=http-01
+    [[- end ]]
+  [[- end ]]
+  [[- if has $account "key_type" ]]
+ACME_[[ $acc_idx ]]_KEY_TYPE=[[ $account.key_type ]]
+  [[- end ]]
+  [[- range $crt_idx, $crt := $account.certs ]]
+ACME_[[ $acc_idx ]]_CERT_[[ $crt_idx ]]=[[ $crt ]]
+  [[- end ]]
+[[- end ]]
+_EOT
+        destination = "secrets/acm-to-vault.env"
+        perms = 0400
+        env = true
      }

 [[ template "common/resources.tpl" .acme.resources ]]