about summary refs log tree commit diff
path: root/hosts/common/server
diff options
context:
space:
mode:
authorFranck Cuny <franck@fcuny.net>2022-03-06 08:09:06 -0800
committerFranck Cuny <franck@fcuny.net>2022-03-06 08:09:06 -0800
commit86a82a5e4eaf1db45e72182e8dc14ca85e9988cc (patch)
treed7160df4509c5227e2fd247e8e9f78cdb77bdbd5 /hosts/common/server
parentbackups: unit to run maintenance on my backups (diff)
downloadworld-86a82a5e4eaf1db45e72182e8dc14ca85e9988cc.tar.gz
traefik: initial configuration
I want to run traefik on the NAS, so I can reach grafana and other
future services running on that host.

To manage TLS, we use let's encrypt with a DNS challenge. For this to
work we need a service account configuration, that is encrypted with
age.
Diffstat (limited to '')
-rw-r--r--hosts/common/server/traefik.nix75
1 files changed, 75 insertions, 0 deletions
diff --git a/hosts/common/server/traefik.nix b/hosts/common/server/traefik.nix
new file mode 100644
index 0000000..7d0e1fa
--- /dev/null
+++ b/hosts/common/server/traefik.nix
@@ -0,0 +1,75 @@
+{ pkgs, config, lib, ... }:
+
+let
+  mkServiceConfig = name: url: {
+    http.routers."${name}" = {
+      rule = "Host(`${domain}`) && PathPrefix(`/${name}`)";
+      service = "${name}";
+      tls.certResolver = "le";
+    };
+    http.services."${name}" = { loadBalancer.servers = [{ url = url; }]; };
+  };
+in {
+  options.cloud.traefik = {
+    gcpKeyFile = mkOption {
+      type = types.path;
+      description = "The GCP private key file, for Let's Encrypt DNS challenge";
+    };
+
+    gcpProjectName = mkOption {
+      type = types.str;
+      description = "The GCP project name used for managing DNS";
+    };
+
+    certsPath = mkOption {
+      type = types.str;
+      default = "/var/lib/traefik/acme.json";
+      description = "The location to read and write the certificates file";
+    };
+  };
+
+  config.services.traefik = {
+    enable = true;
+
+    staticConfigOptions = {
+      entrypoints.http.address = ":80";
+      entrypoints.http.http.redirections.entryPoint = {
+        to = "https";
+        scheme = "https";
+      };
+      entrypoints.https.address = ":443";
+
+      accessLog.format = "json";
+      log.level = "warn";
+
+      global.checkNewVersion = false;
+      global.sendAnonymousUsage = false;
+
+      metrics.prometheus = {
+        addEntryPointsLabels = true;
+        addRoutersLabels = true;
+        addServicesLabels = true;
+      };
+
+      certificatesResolvers.le.acme = {
+        email = "franck@fcuny.net";
+        storage = cfg.certsPath;
+        dnsChallenge.provider = "gcloud";
+        dnsChallenge.delayBeforeCheck = 10;
+      };
+    };
+  };
+
+  services.traefik.dynamicConfigOptions =
+    mkMerge [ (mkServiceConfig "dash" "http://127.0.0.1:3000/") ];
+
+  # Set up cloudflare key
+  config.systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE =
+    cfg.gcpKeyFile;
+
+  config.systemd.services.traefik.environment.GCE_PROJECT = cfg.gcpProjectName;
+
+  # Set up firewall to allow traefik traffic.
+  config.networking.firewall.allowedTCPPorts = [ 80 443 ];
+  config.networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC
+}