diff options
Diffstat (limited to 'hosts/common/server')
| -rw-r--r-- | hosts/common/server/traefik.nix | 75 |
1 files changed, 35 insertions, 40 deletions
diff --git a/hosts/common/server/traefik.nix b/hosts/common/server/traefik.nix index 7d0e1fa..6cf8170 100644 --- a/hosts/common/server/traefik.nix +++ b/hosts/common/server/traefik.nix @@ -1,61 +1,59 @@ { pkgs, config, lib, ... }: let + domain = "fcuny.xyz"; mkServiceConfig = name: url: { http.routers."${name}" = { - rule = "Host(`${domain}`) && PathPrefix(`/${name}`)"; + rule = "Host(`${name}.${domain}`)"; service = "${name}"; tls.certResolver = "le"; }; http.services."${name}" = { loadBalancer.servers = [{ url = url; }]; }; }; in { - options.cloud.traefik = { - gcpKeyFile = mkOption { - type = types.path; - description = "The GCP private key file, for Let's Encrypt DNS challenge"; - }; - - gcpProjectName = mkOption { - type = types.str; - description = "The GCP project name used for managing DNS"; - }; - - certsPath = mkOption { - type = types.str; - default = "/var/lib/traefik/acme.json"; - description = "The location to read and write the certificates file"; - }; - }; + age.secrets.traefik_gcp_sa.file = "${inputs.self}/secrets/traefik/gcp_sa.age"; - config.services.traefik = { + services.traefik = { enable = true; - staticConfigOptions = { - entrypoints.http.address = ":80"; - entrypoints.http.http.redirections.entryPoint = { - to = "https"; + dynamicConfigOptions = { + http.middlewares.redirect-to-https.redirectscheme = { scheme = "https"; + permanent = true; }; - entrypoints.https.address = ":443"; - - accessLog.format = "json"; - log.level = "warn"; - - global.checkNewVersion = false; - global.sendAnonymousUsage = false; + http = { + services = { + dash.loadBalancer.servers = [{ url = "http://127.0.0.1:3000"; }]; + }; + }; + }; + staticConfigOptions = { metrics.prometheus = { addEntryPointsLabels = true; addRoutersLabels = true; addServicesLabels = true; }; - certificatesResolvers.le.acme = { - email = "franck@fcuny.net"; - storage = cfg.certsPath; - dnsChallenge.provider = "gcloud"; - dnsChallenge.delayBeforeCheck = 10; + global = { + checkNewVersion = false; + sendAnonymousUsage = false; + }; + + accessLog.format = "json"; + log.level = "warn"; + + entryPoints.web.address = ":80"; + entryPoints.websecure.address = ":443"; + certificatesResolvers = { + le = { + email = "franck@fcuny.net"; + storage = "/var/lib/traefik/cert.json"; + dnsChallenge = { + provider = "gcloud"; + delayBeforeCheck = 0; + }; + }; }; }; }; @@ -63,13 +61,10 @@ in { services.traefik.dynamicConfigOptions = mkMerge [ (mkServiceConfig "dash" "http://127.0.0.1:3000/") ]; - # Set up cloudflare key config.systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE = - cfg.gcpKeyFile; - - config.systemd.services.traefik.environment.GCE_PROJECT = cfg.gcpProjectName; + config.age.secrets.cloudflare_api_key.path; + config.systemd.services.traefik.environment.GCE_PROJECT = "fcuny-homelab"; - # Set up firewall to allow traefik traffic. config.networking.firewall.allowedTCPPorts = [ 80 443 ]; config.networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC } |