refactor traefik

2 files changed, 1 insertions, 97 deletions

diff --git a/hosts/common/server/traefik.nix b/hosts/common/server/traefik.nix
deleted file mode 100644
index 2b52c1f..0000000
--- a/hosts/common/server/traefik.nix
+++ /dev/null
@@ -1,96 +0,0 @@
-{ pkgs, inputs, config, lib, ... }:
-
-with lib;
-
-let
-  domainPublic = "fcuny.net";
-  domainPrivate = "fcuny.xyz";
-  mkServiceConfig = name: url: domain: certResolver: {
-    http.routers."${name}.${domain}" = {
-      rule = "Host(`${name}.${domain}`)";
-      service = "${name}.${domain}";
-      tls.certResolver = certResolver;
-    };
-    http.services."${name}.${domain}" = {
-      loadBalancer.servers = [{ url = url; }];
-    };
-  };
-in {
-  age.secrets.traefik_gcp_sa = {
-    file = ../../../secrets/traefik/gcp_service_account.json.age;
-    owner = "traefik";
-  };
-
-  services.traefik = {
-    enable = true;
-
-    staticConfigOptions = {
-      metrics.prometheus = {
-        addEntryPointsLabels = true;
-        addRoutersLabels = true;
-        addServicesLabels = true;
-      };
-
-      global = {
-        checkNewVersion = false;
-        sendAnonymousUsage = false;
-      };
-
-      accessLog.format = "json";
-      log.level = "warn";
-
-      entryPoints.http.http.redirections = {
-        entryPoint.to = "https";
-        entryPoint.scheme = "https";
-        entryPoint.permanent = true;
-      };
-
-      entryPoints.http.address = ":80";
-      entryPoints.https.address = ":443";
-      # the default is 8080, which conflict with unifi
-      entryPoints.traefik.address = ":8090";
-
-      api = {
-        dashboard = true;
-        insecure = true;
-      };
-
-      # The unifi controller runs on HTTPS with a self-signed
-      # certificate, as a result we need to accept insecure
-      # certificates.
-      serversTransport.insecureSkipVerify = true;
-
-      certificatesResolvers = {
-        le-http.acme = {
-          email = "franck@fcuny.net";
-          storage = "/var/lib/traefik/cert.json";
-          httpChallenge = { entryPoint = "http"; };
-        };
-        le-dns.acme = {
-          email = "franck@fcuny.net";
-          storage = "/var/lib/traefik/cert.json";
-          dnsChallenge = {
-            provider = "gcloud";
-            delayBeforeCheck = 0;
-          };
-        };
-      };
-    };
-  };
-
-  services.traefik.dynamicConfigOptions = mkMerge [
-    (mkServiceConfig "dash" "http://127.0.0.1:3000/" domainPrivate "le-dns")
-    (mkServiceConfig "bt" "http://127.0.0.1:9091/" domainPrivate "le-dns")
-    (mkServiceConfig "unifi" "https://127.0.0.1:8443/" domainPrivate "le-dns")
-    (mkServiceConfig "music" "http://127.0.0.1:4533/" domainPrivate "le-dns")
-    (mkServiceConfig "git" "http://127.0.0.1:8002/" domainPrivate "le-dns")
-    (mkServiceConfig "git" "http://127.0.0.1:8002/" domainPublic "le-http")
-  ];
-
-  systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE =
-    config.age.secrets.traefik_gcp_sa.path;
-  systemd.services.traefik.environment.GCE_PROJECT = "fcuny-homelab";
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-  networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC
-}
diff --git a/hosts/profiles/nas.nix b/hosts/profiles/nas.nix
index fd42eb7..9ac834f 100644
--- a/hosts/profiles/nas.nix
+++ b/hosts/profiles/nas.nix
@@ -2,7 +2,6 @@
   imports = [
     # other profiles
     ./server.nix
-    ../common/server/traefik.nix
     ../common/server/transmission.nix
   ];
 
@@ -30,6 +29,7 @@
       stateDir = "/var/lib/gitea";
     };
     rclone = { enable = true; };
+    traefik = { enable = true; };
   };
 
   services.restic.backups = {