author | Franck Cuny <franck@fcuny.net> | 2022-03-09 18:50:19 -0800 |
---|---|---|
committer | Franck Cuny <franck@fcuny.net> | 2022-03-09 18:50:19 -0800 |
commit | 9cbc36f2f4df2ca9e21d140a5f4a1d893ae8ffde (patch) | |
tree | 6ea35a032f73b6034bec0688e8b7af4176a30759 /hosts/common | |
parent | gitea: do a backup with restic (diff) | |
download | world-9cbc36f2f4df2ca9e21d140a5f4a1d893ae8ffde.tar.gz |
traefik: handle fcuny.net and fcuny.xyz
fcuny.net is for public-facing hostnames, while fcuny.xyz is for hostnames reachable only on the Tailscale network. I need to support configuration in traefik for both. The main difference, for traefik, is the domain name and which Let's Encrypt challenge to use (DNS-01 for the Tailscale-only hosts, HTTP-01 for the public ones). Refactor the function `mkServiceConfig` to accept the domain and the LE cert resolver as arguments, and add new entries for git.fcuny.net and git.fcuny.xyz.
Diffstat (limited to 'hosts/common')
-rw-r--r-- | hosts/common/server/traefik.nix | 22 |
1 files changed, 15 insertions, 7 deletions
diff --git a/hosts/common/server/traefik.nix b/hosts/common/server/traefik.nix
index 3bc5d26..5cfa229 100644
--- a/hosts/common/server/traefik.nix
+++ b/hosts/common/server/traefik.nix
@@ -3,12 +3,13 @@ with lib;
 let
- domain = "fcuny.xyz";
- mkServiceConfig = name: url: {
+ domainPublic = "fcuny.net";
+ domainPrivate = "fcuny.xyz";
+ mkServiceConfig = name: url: domain: certResolver: {
 http.routers."${name}" = {
 rule = "Host(`${name}.${domain}`)";
 service = "${name}";
- tls.certResolver = "le";
+ tls.certResolver = certResolver;
 };
 http.services."${name}" = { loadBalancer.servers = [{ url = url; }]; };
 };
@@ -58,7 +59,12 @@ in {
 serversTransport.insecureSkipVerify = true;
 certificatesResolvers = {
- le.acme = {
+ le-http.acme = {
+ email = "franck@fcuny.net";
+ storage = "/var/lib/traefik/cert.json";
+ httpChallenge = { entryPoint = "http"; };
+ };
+ le-dns.acme = {
 email = "franck@fcuny.net";
 storage = "/var/lib/traefik/cert.json";
 dnsChallenge = {
@@ -71,9 +77,11 @@ in {
 };
 services.traefik.dynamicConfigOptions = mkMerge [
- (mkServiceConfig "dash" "http://127.0.0.1:3000/")
- (mkServiceConfig "bt" "http://127.0.0.1:9091/")
- (mkServiceConfig "unifi" "https://127.0.0.1:8443/")
+ (mkServiceConfi "dash" "http://127.0.0.1:3000/" domainPrivate "le-dns")
+ (mkServiceConfi "bt" "http://127.0.0.1:9091/" domainPrivate "le-dns")
+ (mkServiceConfi "unifi" "https://127.0.0.1:8443/" domainPrivate "le-dns")
+ (mkServiceConfi "git" "http://127.0.0.1:8002/" domainPrivate "le-dns")
+ (mkServiceConfi "git" "http://127.0.0.1:8002/" domainPublic "le-http")
 ];
 systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE = |
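Review bot: The router and service keys in the new `mkServiceConfig` are still derived from `name` alone, so publishing one service under both domains (as the third hunk does for `git`) yields two definitions of `http.routers.git` with different `rule` values; under `mkMerge` the module system will either reject them as conflicting definitions or collapse them, and only one of the two hosts will be routed. Keying the router by resolver as well, `http.routers."${name}-${certResolver}"`, keeps the entries apart while `service = "${name}"` can stay, since both point at the same backend. Separately, the only thing that makes a `domainPrivate` route "tailscale-only" is its `Host()` rule; unless the TLS entrypoint is bound to the tailscale interface (not visible in this hunk), anyone who reaches the listener with that SNI/Host header gets the private service, so an `ipWhiteList` middleware on the private routers is worth adding. Sketch below; the middleware itself still has to be defined once in `dynamicConfigOptions`, and whether traefik sees the client's tailscale address rather than a proxy's should be confirmed.
```nix
  mkServiceConfig = name: url: domain: certResolver: {
    # key by resolver too: "git" is published under both domains
    http.routers."${name}-${certResolver}" = {
      rule = "Host(`${name}.${domain}`)";
      service = "${name}";
      tls.certResolver = certResolver;
      # NOTE(review): Host() alone does not limit who can reach a private
      # route; restrict private routers to the tailscale CGNAT range.
      middlewares = optionals (domain == domainPrivate) [ "tailscale-only" ];
    };
    http.services."${name}" = { loadBalancer.servers = [{ url = url; }]; };
  };
  # … in dynamicConfigOptions, next to the mkServiceConfig entries:
  # http.middlewares.tailscale-only.ipWhiteList.sourceRange = [ "100.64.0.0/10" ];
```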
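Review bot: The two resolvers in the `certificatesResolvers` hunk carry no comment on why they exist, and the duplicated `email`/`storage` lines make them read as copy-paste rather than a deliberate split. A one-line comment above each would help, e.g. `# HTTP-01: public names on fcuny.net; needs the "http" entrypoint reachable from the internet` and `# DNS-01: fcuny.xyz names are tailscale-only and have no public A record, so validation goes through the DNS provider configured below`, with the shared address hoisted into the `let` block as `acmeEmail`. Note that DNS-01 validates public names just as well, so a single `le-dns` resolver could cover both domains and avoid keeping port 80 open to the internet purely for the challenge — worth considering if that entrypoint serves nothing else. The `dnsChallenge` block continues past the end of the hunk.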
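Review bot: All five new calls in the `dynamicConfigOptions` hunk invoke `mkServiceConfi`, but the function defined in the first hunk is `mkServiceConfig`; Nix will refuse to evaluate the module with an undefined-variable error, so nothing in this commit deploys until the trailing `g` is restored on each line, e.g. `(mkServiceConfig "git" "http://127.0.0.1:8002/" domainPublic "le-http")`. Once that is fixed, the two `git` lines still both define `http.routers.git` (same key, different `Host()` rule) and `http.services.git` twice, so one of the two hosts will not be routed as intended unless the router key in `mkServiceConfig` incorporates the domain or resolver, or the public entry is given a distinct `name`. A `nixos-rebuild dry-build` (or `nix eval` of the host) before pushing would have caught the typo.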