author | Franck Cuny <franck@fcuny.net> | 2022-04-06 12:44:44 -0700 |
---|---|---|
committer | Franck Cuny <franck@fcuny.net> | 2022-04-06 12:44:44 -0700 |
commit | 6139430d2525211dfd7d49cb2be59064ee221609 (patch) | |
tree | 365cef3f80dd098922728daa3f2e0b2732fda276 /hosts | |
parent | refactor rclone to a module (diff) | |
download | world-6139430d2525211dfd7d49cb2be59064ee221609.tar.gz |
refactor traefik
Diffstat (limited to '')
-rw-r--r-- | hosts/common/server/traefik.nix | 96 | ||||
-rw-r--r-- | hosts/profiles/nas.nix | 2 |
2 files changed, 1 insertions, 97 deletions
diff --git a/hosts/common/server/traefik.nix b/hosts/common/server/traefik.nix
deleted file mode 100644
index 2b52c1f..0000000
--- a/hosts/common/server/traefik.nix
+++ /dev/null
@@ -1,96 +0,0 @@
-{ pkgs, inputs, config, lib, ... }:
-
-with lib;
-
-let
- domainPublic = "fcuny.net";
- domainPrivate = "fcuny.xyz";
- mkServiceConfig = name: url: domain: certResolver: {
- http.routers."${name}.${domain}" = {
- rule = "Host(`${name}.${domain}`)";
- service = "${name}.${domain}";
- tls.certResolver = certResolver;
- };
- http.services."${name}.${domain}" = {
- loadBalancer.servers = [{ url = url; }];
- };
- };
-in {
- age.secrets.traefik_gcp_sa = {
- file = ../../../secrets/traefik/gcp_service_account.json.age;
- owner = "traefik";
- };
-
- services.traefik = {
- enable = true;
-
- staticConfigOptions = {
- metrics.prometheus = {
- addEntryPointsLabels = true;
- addRoutersLabels = true;
- addServicesLabels = true;
- };
-
- global = {
- checkNewVersion = false;
- sendAnonymousUsage = false;
- };
-
- accessLog.format = "json";
- log.level = "warn";
-
- entryPoints.http.http.redirections = {
- entryPoint.to = "https";
- entryPoint.scheme = "https";
- entryPoint.permanent = true;
- };
-
- entryPoints.http.address = ":80";
- entryPoints.https.address = ":443";
- # the default is 8080, which conflict with unifi
- entryPoints.traefik.address = ":8090";
-
- api = {
- dashboard = true;
- insecure = true;
- };
-
- # The unifi controller runs on HTTPS with a self-signed
- # certificate, as a result we need to accept insecure
- # certificates.
- serversTransport.insecureSkipVerify = true;
-
- certificatesResolvers = {
- le-http.acme = {
- email = "franck@fcuny.net";
- storage = "/var/lib/traefik/cert.json";
- httpChallenge = { entryPoint = "http"; };
- };
- le-dns.acme = {
- email = "franck@fcuny.net";
- storage = "/var/lib/traefik/cert.json";
- dnsChallenge = {
- provider = "gcloud";
- delayBeforeCheck = 0;
- };
- };
- };
- };
- };
-
- services.traefik.dynamicConfigOptions = mkMerge [
- (mkServiceConfig "dash" "http://127.0.0.1:3000/" domainPrivate "le-dns")
- (mkServiceConfig "bt" "http://127.0.0.1:9091/" domainPrivate "le-dns")
- (mkServiceConfig "unifi" "https://127.0.0.1:8443/" domainPrivate "le-dns")
- (mkServiceConfig "music" "http://127.0.0.1:4533/" domainPrivate "le-dns")
- (mkServiceConfig "git" "http://127.0.0.1:8002/" domainPrivate "le-dns")
- (mkServiceConfig "git" "http://127.0.0.1:8002/" domainPublic "le-http")
- ];
-
- systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE =
- config.age.secrets.traefik_gcp_sa.path;
- systemd.services.traefik.environment.GCE_PROJECT = "fcuny-homelab";
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
- networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC
-}
diff --git a/hosts/profiles/nas.nix b/hosts/profiles/nas.nix
index fd42eb7..9ac834f 100644
--- a/hosts/profiles/nas.nix
+++ b/hosts/profiles/nas.nix
@@ -2,7 +2,6 @@ imports = [ # other profiles ./server.nix - ../common/server/traefik.nix ../common/server/transmission.nix ];
@@ -30,6 +29,7 @@ stateDir = "/var/lib/gitea"; }; rclone = { enable = true; }; + traefik = { enable = true; }; }; services.restic.backups = {
|
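Review bot: `traefik = { enable = true; };` in the `@@ -30,6 +29,7 @@` hunk of hosts/profiles/nas.nix enables an option that no file in this commit declares, so the host only evaluates if a module from the surrounding refactor series already defines it; the diffstat is limited to hosts/, so that module is presumably elsewhere in the tree and cannot be checked from here. The deleted hosts/common/server/traefik.nix carried settings with no visible counterpart in the new line — `api.insecure = true` on the `:8090` entry point, the global `serversTransport.insecureSkipVerify = true`, the `GCE_SERVICE_ACCOUNT_FILE`/`GCE_PROJECT` environment for the `le-dns` resolver, and the firewall port lists — and it is worth confirming the module only reproduces the ones this host needs rather than applying all of them for every host that sets `enable`. A short comment beside the new line, `# traefik module (<MODULE PATH — fill in>): entry points, ACME resolvers, firewall ports`, would let a reader find where those settings now live. The attrset containing this line starts outside the hunk.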