authorFranck Cuny <franck@fcuny.net>2022-03-09 18:50:19 -0800
committerFranck Cuny <franck@fcuny.net>2022-03-09 18:50:19 -0800
commit9cbc36f2f4df2ca9e21d140a5f4a1d893ae8ffde (patch)
tree6ea35a032f73b6034bec0688e8b7af4176a30759 /hosts
parentgitea: do a backup with restic (diff)
downloadworld-9cbc36f2f4df2ca9e21d140a5f4a1d893ae8ffde.tar.gz
traefik: handle fcuny.net and fcuny.xyz
fcuny.net is for public-facing domains, while fcuny.xyz is for domains
on the tailscale network.

I need to support configuration in traefik for both. The main
difference, for traefik, is the domain name and which let's encrypt
challenge to use (DNS for TS, HTTP for public).

Refactor the function `mkServiceConfig` to accept the domain and LE
challenge as argument, and add new entries for git.fcuny.net and
git.fcuny.xyz.
Diffstat (limited to '')
-rw-r--r--hosts/common/server/traefik.nix22
1 files changed, 15 insertions, 7 deletions
diff --git a/hosts/common/server/traefik.nix b/hosts/common/server/traefik.nix
index 3bc5d26..5cfa229 100644
--- a/hosts/common/server/traefik.nix
+++ b/hosts/common/server/traefik.nix
@@ -3,12 +3,13 @@
 with lib;
 
 let
-  domain = "fcuny.xyz";
-  mkServiceConfig = name: url: {
+  domainPublic = "fcuny.net";
+  domainPrivate = "fcuny.xyz";
+  mkServiceConfig = name: url: domain: certResolver: {
     http.routers."${name}" = {
       rule = "Host(`${name}.${domain}`)";
       service = "${name}";
-      tls.certResolver = "le";
+      tls.certResolver = certResolver;
     };
     http.services."${name}" = { loadBalancer.servers = [{ url = url; }]; };
   };
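Review bot: The router and service keys are still derived from `name` alone (`http.routers."${name}"`, `http.services."${name}"`), so two calls with the same name and different domains, as the third hunk does for `git` on fcuny.net and fcuny.xyz, produce the same attribute path twice in the `mkMerge` list; depending on how `dynamicConfigOptions` merges, that is either a conflicting-definitions error or one router silently winning. The key should include the part that differs, e.g. `http.routers."${name}-${certResolver}" = {` while leaving `rule` and `service = "${name}";` as they are, so both routers can point at the same backend service. Adding a short comment on `mkServiceConfig` such as `# name is the host label and the router/service key; domain + certResolver select public (le-http) vs tailscale (le-dns)` would make the contract clearer.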
@@ -58,7 +59,12 @@ in {
       serversTransport.insecureSkipVerify = true;
 
       certificatesResolvers = {
-        le.acme = {
+        le-http.acme = {
+          email = "franck@fcuny.net";
+          storage = "/var/lib/traefik/cert.json";
+          httpChallenge = { entryPoint = "http"; };
+        };
+        le-dns.acme = {
           email = "franck@fcuny.net";
           storage = "/var/lib/traefik/cert.json";
           dnsChallenge = {
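Review bot: Both `le-http.acme` and `le-dns.acme` point `storage` at the same file, `/var/lib/traefik/cert.json`; Traefik keeps per-resolver ACME state in that file, so two resolvers sharing it can overwrite each other's account and certificate data. Give each resolver its own path, e.g. `storage = "/var/lib/traefik/cert-http.json";` for `le-http` and `storage = "/var/lib/traefik/cert-dns.json";` for `le-dns`. The `httpChallenge` also assumes an entryPoint named `http` is defined elsewhere in the file, which is not visible in this hunk; the hunk ends before the `dnsChallenge` block closes.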
@@ -71,9 +77,11 @@ in {
   };
 
   services.traefik.dynamicConfigOptions = mkMerge [
-    (mkServiceConfig "dash" "http://127.0.0.1:3000/")
-    (mkServiceConfig "bt" "http://127.0.0.1:9091/")
-    (mkServiceConfig "unifi" "https://127.0.0.1:8443/")
+    (mkServiceConfi "dash" "http://127.0.0.1:3000/" domainPrivate "le-dns")
+    (mkServiceConfi "bt" "http://127.0.0.1:9091/" domainPrivate "le-dns")
+    (mkServiceConfi "unifi" "https://127.0.0.1:8443/" domainPrivate "le-dns")
+    (mkServiceConfi "git" "http://127.0.0.1:8002/" domainPrivate "le-dns")
+    (mkServiceConfi "git" "http://127.0.0.1:8002/" domainPublic "le-http")
   ];
 
   systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE =
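Review bot: The five new entries call `mkServiceConfi`, but the binding introduced in the first hunk is `mkServiceConfig`, so the module will fail to evaluate with an undefined-variable error; change each call to `(mkServiceConfig "dash" "http://127.0.0.1:3000/" domainPrivate "le-dns")` and likewise for the others. The two `git` entries also reuse the same `name`, which collides in the merged config as noted on the first hunk. A brief comment above the list, e.g. `# private services resolve via DNS challenge on fcuny.xyz; git is also exposed publicly on fcuny.net via HTTP challenge`, would document the split.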