From 6139430d2525211dfd7d49cb2be59064ee221609 Mon Sep 17 00:00:00 2001 From: Franck Cuny Date: Wed, 6 Apr 2022 12:44:44 -0700 Subject: refactor traefik --- hosts/common/server/traefik.nix | 96 ----------------------------------------- 1 file changed, 96 deletions(-) delete mode 100644 hosts/common/server/traefik.nix (limited to 'hosts/common/server') diff --git a/hosts/common/server/traefik.nix b/hosts/common/server/traefik.nix deleted file mode 100644 index 2b52c1f..0000000 --- a/hosts/common/server/traefik.nix +++ /dev/null @@ -1,96 +0,0 @@ -{ pkgs, inputs, config, lib, ... }: - -with lib; - -let - domainPublic = "fcuny.net"; - domainPrivate = "fcuny.xyz"; - mkServiceConfig = name: url: domain: certResolver: { - http.routers."${name}.${domain}" = { - rule = "Host(`${name}.${domain}`)"; - service = "${name}.${domain}"; - tls.certResolver = certResolver; - }; - http.services."${name}.${domain}" = { - loadBalancer.servers = [{ url = url; }]; - }; - }; -in { - age.secrets.traefik_gcp_sa = { - file = ../../../secrets/traefik/gcp_service_account.json.age; - owner = "traefik"; - }; - - services.traefik = { - enable = true; - - staticConfigOptions = { - metrics.prometheus = { - addEntryPointsLabels = true; - addRoutersLabels = true; - addServicesLabels = true; - }; - - global = { - checkNewVersion = false; - sendAnonymousUsage = false; - }; - - accessLog.format = "json"; - log.level = "warn"; - - entryPoints.http.http.redirections = { - entryPoint.to = "https"; - entryPoint.scheme = "https"; - entryPoint.permanent = true; - }; - - entryPoints.http.address = ":80"; - entryPoints.https.address = ":443"; - # the default is 8080, which conflict with unifi - entryPoints.traefik.address = ":8090"; - - api = { - dashboard = true; - insecure = true; - }; - - # The unifi controller runs on HTTPS with a self-signed - # certificate, as a result we need to accept insecure - # certificates. - serversTransport.insecureSkipVerify = true; - - certificatesResolvers = { - le-http.acme = { - email = "franck@fcuny.net"; - storage = "/var/lib/traefik/cert.json"; - httpChallenge = { entryPoint = "http"; }; - }; - le-dns.acme = { - email = "franck@fcuny.net"; - storage = "/var/lib/traefik/cert.json"; - dnsChallenge = { - provider = "gcloud"; - delayBeforeCheck = 0; - }; - }; - }; - }; - }; - - services.traefik.dynamicConfigOptions = mkMerge [ - (mkServiceConfig "dash" "http://127.0.0.1:3000/" domainPrivate "le-dns") - (mkServiceConfig "bt" "http://127.0.0.1:9091/" domainPrivate "le-dns") - (mkServiceConfig "unifi" "https://127.0.0.1:8443/" domainPrivate "le-dns") - (mkServiceConfig "music" "http://127.0.0.1:4533/" domainPrivate "le-dns") - (mkServiceConfig "git" "http://127.0.0.1:8002/" domainPrivate "le-dns") - (mkServiceConfig "git" "http://127.0.0.1:8002/" domainPublic "le-http") - ]; - - systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE = - config.age.secrets.traefik_gcp_sa.path; - systemd.services.traefik.environment.GCE_PROJECT = "fcuny-homelab"; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC -} -- cgit 1.4.1