From 6139430d2525211dfd7d49cb2be59064ee221609 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Wed, 6 Apr 2022 12:44:44 -0700
Subject: refactor traefik
---
 hosts/common/server/traefik.nix | 96 --------------------------------
 hosts/profiles/nas.nix | 2 +-
 modules/services/default.nix | 1 +
 modules/services/traefik/default.nix | 103 +++++++++++++++++++++++++++++++++++
 4 files changed, 105 insertions(+), 97 deletions(-)
 delete mode 100644 hosts/common/server/traefik.nix
 create mode 100644 modules/services/traefik/default.nix
diff --git a/hosts/common/server/traefik.nix b/hosts/common/server/traefik.nix
deleted file mode 100644
index 2b52c1f..0000000
--- a/hosts/common/server/traefik.nix
+++ /dev/null
@@ -1,96 +0,0 @@
-{ pkgs, inputs, config, lib, ... }:
-
-with lib;
-
-let
- domainPublic = "fcuny.net";
- domainPrivate = "fcuny.xyz";
- mkServiceConfig = name: url: domain: certResolver: {
- http.routers."${name}.${domain}" = {
- rule = "Host(`${name}.${domain}`)";
- service = "${name}.${domain}";
- tls.certResolver = certResolver;
- };
- http.services."${name}.${domain}" = {
- loadBalancer.servers = [{ url = url; }];
- };
- };
-in {
- age.secrets.traefik_gcp_sa = {
- file = ../../../secrets/traefik/gcp_service_account.json.age;
- owner = "traefik";
- };
-
- services.traefik = {
- enable = true;
-
- staticConfigOptions = {
- metrics.prometheus = {
- addEntryPointsLabels = true;
- addRoutersLabels = true;
- addServicesLabels = true;
- };
-
- global = {
- checkNewVersion = false;
- sendAnonymousUsage = false;
- };
-
- accessLog.format = "json";
- log.level = "warn";
-
- entryPoints.http.http.redirections = {
- entryPoint.to = "https";
- entryPoint.scheme = "https";
- entryPoint.permanent = true;
- };
-
- entryPoints.http.address = ":80";
- entryPoints.https.address = ":443";
- # the default is 8080, which conflict with unifi
- entryPoints.traefik.address = ":8090";
-
- api = {
- dashboard = true;
- insecure = true;
- };
-
- # The unifi controller runs on HTTPS with a self-signed
- # certificate, as a result we need to accept insecure
- # certificates.
- serversTransport.insecureSkipVerify = true;
-
- certificatesResolvers = {
- le-http.acme = {
- email = "franck@fcuny.net";
- storage = "/var/lib/traefik/cert.json";
- httpChallenge = { entryPoint = "http"; };
- };
- le-dns.acme = {
- email = "franck@fcuny.net";
- storage = "/var/lib/traefik/cert.json";
- dnsChallenge = {
- provider = "gcloud";
- delayBeforeCheck = 0;
- };
- };
- };
- };
- };
-
- services.traefik.dynamicConfigOptions = mkMerge [
- (mkServiceConfig "dash" "http://127.0.0.1:3000/" domainPrivate "le-dns")
- (mkServiceConfig "bt" "http://127.0.0.1:9091/" domainPrivate "le-dns")
- (mkServiceConfig "unifi" "https://127.0.0.1:8443/" domainPrivate "le-dns")
- (mkServiceConfig "music" "http://127.0.0.1:4533/" domainPrivate "le-dns")
- (mkServiceConfig "git" "http://127.0.0.1:8002/" domainPrivate "le-dns")
- (mkServiceConfig "git" "http://127.0.0.1:8002/" domainPublic "le-http")
- ];
-
- systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE =
- config.age.secrets.traefik_gcp_sa.path;
- systemd.services.traefik.environment.GCE_PROJECT = "fcuny-homelab";
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
- networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC
-}
diff --git a/hosts/profiles/nas.nix b/hosts/profiles/nas.nix
index fd42eb7..9ac834f 100644
--- a/hosts/profiles/nas.nix
+++ b/hosts/profiles/nas.nix
@@ -2,7 +2,6 @@
 imports = [
 # other profiles
 ./server.nix
- ../common/server/traefik.nix
 ../common/server/transmission.nix
 ];
@@ -30,6 +29,7 @@
 stateDir = "/var/lib/gitea";
 };
 rclone = { enable = true; };
+ traefik = { enable = true; };
 };
 services.restic.backups = {
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 6dfc4fb..95c5f21 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -13,6 +13,7 @@
 ./tailscale
 ./thermald
 ./tlp
+ ./traefik
 ./unifi
 ];
 }
diff --git a/modules/services/traefik/default.nix b/modules/services/traefik/default.nix
new file mode 100644
index 0000000..980faee
--- /dev/null
+++ b/modules/services/traefik/default.nix
@@ -0,0 +1,103 @@
+{ pkgs, inputs, config, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.my.services.navidrome;
+ domainPublic = "fcuny.net";
+ domainPrivate = "fcuny.xyz";
+ mkServiceConfig = name: url: domain: certResolver: {
+ http.routers."${name}.${domain}" = {
+ rule = "Host(`${name}.${domain}`)";
+ service = "${name}.${domain}";
+ tls.certResolver = certResolver;
+ };
+ http.services."${name}.${domain}" = {
+ loadBalancer.servers = [{ url = url; }];
+ };
+ };
+in {
+ options.my.services.traefik = with lib; {
+ enable = mkEnableOption "traefik router";
+ };
+
+ config = lib.mkIf cfg.enable {
+ age.secrets.traefik_gcp_sa = {
+ file = ../../../secrets/traefik/gcp_service_account.json.age;
+ owner = "traefik";
+ };
+
+ services.traefik = {
+ enable = true;
+
+ staticConfigOptions = {
+ metrics.prometheus = {
+ addEntryPointsLabels = true;
+ addRoutersLabels = true;
+ addServicesLabels = true;
+ };
+
+ global = {
+ checkNewVersion = false;
+ sendAnonymousUsage = false;
+ };
+
+ accessLog.format = "json";
+ log.level = "warn";
+
+ entryPoints.http.http.redirections = {
+ entryPoint.to = "https";
+ entryPoint.scheme = "https";
+ entryPoint.permanent = true;
+ };
+
+ entryPoints.http.address = ":80";
+ entryPoints.https.address = ":443";
+ # the default is 8080, which conflict with unifi
+ entryPoints.traefik.address = ":8090";
+
+ api = {
+ dashboard = true;
+ insecure = true;
+ };
+
+ # The unifi controller runs on HTTPS with a self-signed
+ # certificate, as a result we need to accept insecure
+ # certificates.
+ serversTransport.insecureSkipVerify = true;
+
+ certificatesResolvers = {
+ le-http.acme = {
+ email = "franck@fcuny.net";
+ storage = "/var/lib/traefik/cert.json";
+ httpChallenge = { entryPoint = "http"; };
+ };
+ le-dns.acme = {
+ email = "franck@fcuny.net";
+ storage = "/var/lib/traefik/cert.json";
+ dnsChallenge = {
+ provider = "gcloud";
+ delayBeforeCheck = 0;
+ };
+ };
+ };
+ };
+ };
+
+ services.traefik.dynamicConfigOptions = mkMerge [
+ (mkServiceConfig "dash" "http://127.0.0.1:3000/" domainPrivate "le-dns")
+ (mkServiceConfig "bt" "http://127.0.0.1:9091/" domainPrivate "le-dns")
+ (mkServiceConfig "unifi" "https://127.0.0.1:8443/" domainPrivate "le-dns")
+ (mkServiceConfig "music" "http://127.0.0.1:4533/" domainPrivate "le-dns")
+ (mkServiceConfig "git" "http://127.0.0.1:8002/" domainPrivate "le-dns")
+ (mkServiceConfig "git" "http://127.0.0.1:8002/" domainPublic "le-http")
+ ];
+
+ systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE =
+ config.age.secrets.traefik_gcp_sa.path;
+ systemd.services.traefik.environment.GCE_PROJECT = "fcuny-homelab";
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC
+ };
+}
-- 
cgit 1.4.1
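Review bot: `cfg = config.my.services.navidrome;` near the top of the new module binds the wrong option set, so `config = lib.mkIf cfg.enable { … }` gates the whole traefik configuration on navidrome's enable flag instead of the `my.services.traefik.enable` option declared a few lines below; it should read `cfg = config.my.services.traefik;`. As written, the `traefik = { enable = true; }` added to nas.nix only takes effect on hosts where navidrome happens to be enabled, and disabling navidrome would silently remove the reverse proxy, its firewall rules and the ACME resolvers. Separately, `serversTransport.insecureSkipVerify = true` in the static config turns off backend certificate verification for every service, not just unifi; the other backends here are plain HTTP on 127.0.0.1 so the exposure is small, but a per-service `serversTransport` in the dynamic config (if the Traefik version in use supports it) would confine the exception to the unifi router and let the comment above it say so. `api.insecure = true` also serves the dashboard without authentication on the `traefik` entrypoint (:8090); since the firewall rules only open 80/443 it is reachable only from the host, which is worth recording in a comment such as `# dashboard is unauthenticated; :8090 is not opened in the firewall, keep it that way`.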