authorFranck Cuny <franck@fcuny.net>2022-03-06 11:17:18 -0800
committerFranck Cuny <franck@fcuny.net>2022-03-06 11:17:18 -0800
commit1a2660e5f28b088ed43811b9534b1b86b378e644 (patch)
tree0dfd1c7b6942aa8d82b981e7a6fe73cc7184fb86 /hosts/common/server
parenttraefik: second attempt, simple (diff)
traefik: getting a working configuration
Diffstat (limited to 'hosts/common/server')
-rw-r--r--hosts/common/server/traefik.nix43
1 files changed, 21 insertions, 22 deletions
diff --git a/hosts/common/server/traefik.nix b/hosts/common/server/traefik.nix
index 6cf8170..f29db72 100644
--- a/hosts/common/server/traefik.nix
+++ b/hosts/common/server/traefik.nix
@@ -1,4 +1,6 @@
-{ pkgs, config, lib, ... }:
+{ pkgs, inputs, config, lib, ... }:
+
+with lib;
 
 let
   domain = "fcuny.xyz";
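Review bot: `inputs` is added to the module arguments on the first line of the hunk, but the only use of it visible in this diff (`${inputs.self}/secrets/traefik/gcp_sa.age`) is replaced by a relative path in the next hunk, so unless it is referenced elsewhere in the file it is now an unused argument; either keep the `${inputs.self}` form or drop `inputs` again. `with lib;` at file scope brings every attribute of lib into scope, which makes it harder to see where names such as `mkMerge` come from; `inherit (lib) mkMerge;` inside the `let` block is the narrower form and avoids accidental shadowing of the module's own bindings.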
@@ -11,23 +13,14 @@ let
     http.services."${name}" = { loadBalancer.servers = [{ url = url; }]; };
   };
 in {
-  age.secrets.traefik_gcp_sa.file = "${inputs.self}/secrets/traefik/gcp_sa.age";
+  age.secrets.traefik_gcp_sa = {
+    file = ../../../secrets/traefik/gcp_service_account.json.age;
+    owner = "traefik";
+  };
 
   services.traefik = {
     enable = true;
 
-    dynamicConfigOptions = {
-      http.middlewares.redirect-to-https.redirectscheme = {
-        scheme = "https";
-        permanent = true;
-      };
-      http = {
-        services = {
-          dash.loadBalancer.servers = [{ url = "http://127.0.0.1:3000"; }];
-        };
-      };
-    };
-
     staticConfigOptions = {
       metrics.prometheus = {
         addEntryPointsLabels = true;
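Review bot: The secret declared at the top of the hunk is a GCP service-account key, but nothing in the file says what it is used for or how much access it carries; a comment such as `# GCP service-account key consumed by the ACME dnsChallenge via GCE_SERVICE_ACCOUNT_FILE; grant it DNS-administration rights only` would make the blast radius of this credential clear to the next reader. `owner = "traefik"` is the right direction for least privilege, but it assumes the traefik unit runs as that user; worth confirming against the NixOS `services.traefik` module rather than relying on the name matching.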
@@ -43,10 +36,16 @@ in {
       accessLog.format = "json";
       log.level = "warn";
 
-      entryPoints.web.address = ":80";
-      entryPoints.websecure.address = ":443";
+      entryPoints.http.http.redirections = {
+        entryPoint.to = "https";
+        entryPoint.scheme = "https";
+        entryPoint.permanent = true;
+      };
+
+      entryPoints.http.address = ":80";
+      entryPoints.https.address = ":443";
       certificatesResolvers = {
-        le = {
+        le.acme = {
           email = "franck@fcuny.net";
           storage = "/var/lib/traefik/cert.json";
           dnsChallenge = {
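Review bot: The renamed `https` entry point has no default TLS settings attached (no `entryPoints.https.http.tls` block), so every router Traefik creates must carry its own `tls.certResolver = "le"` or the entry point will answer with Traefik's built-in self-signed certificate; `mkServiceConfig` is defined above this hunk and only its `http.services` part is visible here, so I cannot tell whether it sets that. Adding `entryPoints.https.http.tls.certResolver = "le";` next to the `address` line is the simplest way to make the resolver apply regardless of what each router declares. The `certificatesResolvers` block continues past the end of the hunk.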
@@ -61,10 +60,10 @@ in {
   services.traefik.dynamicConfigOptions =
     mkMerge [ (mkServiceConfig "dash" "http://127.0.0.1:3000/") ];
 
-  config.systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE =
-    config.age.secrets.cloudflare_api_key.path;
-  config.systemd.services.traefik.environment.GCE_PROJECT = "fcuny-homelab";
+  systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE =
+    config.age.secrets.traefik_gcp_sa.path;
+  systemd.services.traefik.environment.GCE_PROJECT = "fcuny-homelab";
 
-  config.networking.firewall.allowedTCPPorts = [ 80 443 ];
-  config.networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC
 }
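Review bot: `networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC` on the new side opens UDP 443 to the network, but none of the entry-point configuration in this diff enables HTTP/3 (there is no `http3` attribute under `entryPoints.https` in the previous hunk), so unless that is set elsewhere the rule exposes a port nothing listens on; either add `entryPoints.https.http3 = { };` to the static configuration or drop the UDP rule until it is needed. The `mkMerge [ (mkServiceConfig "dash" ...) ]` with a single element is a matter of style only, but a note like `# one mkServiceConfig entry per proxied service; mkMerge combines them` would explain why the list form is kept.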