services/nomad/infrastructure: Pull certificates from nomad variables

the-maldridge · the-maldridge · commit fe46e6c94413 · 2025-04-12T18:46:59.000-05:00
diff --git a/services/nomad/infrastructure/nginx-control.nomad b/services/nomad/infrastructure/nginx-control.nomad
@@ -11,28 +11,24 @@ job "nginx-control" {
     task "nginx" {
       driver = "docker"
 
-      vault {
-        policies = ["void-secrets-tls"]
-      }
-
       config {
         image = "ghcr.io/void-linux/infra-nginx:20221230RC01"
         network_mode = "host"
         dns_servers = ["127.0.0.1"]
       }
 
-      dynamic "template" {
-        for_each = [
-          "voidlinux.org.crt",
-          "voidlinux.org.key",
-        ]
+      template {
+        data = "{{ with nomadVar \"nomad/jobs/nginx-control\" }}{{ .certificate }}{{ end }}"
+        destination = "secrets/certs/voidlinux.org.crt"
+        perms = 400
+        change_mode = "signal"
+      }
 
-        content {
-          data = file("nginx-sites/${template.value}")
-          destination = "secrets/certs/${template.value}"
-          perms = 400
-          change_mode = "signal"
-        }
+      template {
+        data = "{{ with nomadVar \"nomad/jobs/nginx-control\" }}{{ .key }}{{ end }}"
+        destination = "secrets/certs/voidlinux.org.key"
+        perms = 400
+        change_mode = "signal"
       }
 
       dynamic "template" {
diff --git a/services/nomad/infrastructure/nginx-mirror.nomad b/services/nomad/infrastructure/nginx-mirror.nomad
@@ -22,10 +22,6 @@ job "nginx" {
     task "nginx" {
       driver = "docker"
 
-      vault {
-        policies = ["void-secrets-tls"]
-      }
-
       config {
         image = "ghcr.io/void-linux/infra-nginx:20221230RC01"
         network_mode = "host"
diff --git a/services/nomad/infrastructure/nginx-sites/voidlinux.org.crt b/services/nomad/infrastructure/nginx-sites/voidlinux.org.crt
@@ -1,3 +1,3 @@
-{{- with secret "secret/lego/data/certificates/_.voidlinux.org.crt" -}}
-{{.Data.contents}}
+{{- with nomadVar "nomad/jobs/nginx" -}}
+{{ .certificate }}
 {{- end -}}
diff --git a/services/nomad/infrastructure/nginx-sites/voidlinux.org.key b/services/nomad/infrastructure/nginx-sites/voidlinux.org.key
@@ -1,3 +1,3 @@
-{{- with secret "secret/lego/data/certificates/_.voidlinux.org.key" -}}
-{{.Data.contents}}
+{{- with nomadVar "nomad/jobs/nginx" -}}
+{{ .key }}
 {{- end -}}
