From 9cbc36f2f4df2ca9e21d140a5f4a1d893ae8ffde Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Wed, 9 Mar 2022 18:50:19 -0800
Subject: traefik: handle fcuny.net and fcuny.xyz
fcuny.net is for public facing domains, while fcuny.xyz are for domains on the tailscale network. I need to support configuration in traefik for both. The main difference, for traefik, is the domain name and which let's encrypt challenge to use (DNS for TS, HTTP for public). Refactor the function `mkServiceConfig` to accept the domain and LE challenge as argument, and add new entries for git.fcuny.net and git.fcuny.xyz.
---
 hosts/common/server/traefik.nix | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
(limited to 'hosts/common/server')
diff --git a/hosts/common/server/traefik.nix b/hosts/common/server/traefik.nix
index 3bc5d26..5cfa229 100644
--- a/hosts/common/server/traefik.nix
+++ b/hosts/common/server/traefik.nix
@@ -3,12 +3,13 @@
 with lib;
 let
- domain = "fcuny.xyz";
- mkServiceConfig = name: url: {
+ domainPublic = "fcuny.net";
+ domainPrivate = "fcuny.xyz";
+ mkServiceConfig = name: url: domain: certResolver: {
 http.routers."${name}" = {
 rule = "Host(`${name}.${domain}`)";
 service = "${name}";
- tls.certResolver = "le";
+ tls.certResolver = certResolver;
 };
 http.services."${name}" = { loadBalancer.servers = [{ url = url; }]; };
 };
@@ -58,7 +59,12 @@ in {
 serversTransport.insecureSkipVerify = true;
 certificatesResolvers = {
- le.acme = {
+ le-http.acme = {
+ email = "franck@fcuny.net";
+ storage = "/var/lib/traefik/cert.json";
+ httpChallenge = { entryPoint = "http"; };
+ };
+ le-dns.acme = {
 email = "franck@fcuny.net";
 storage = "/var/lib/traefik/cert.json";
 dnsChallenge = { 
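Review bot: `mkServiceConfig` still keys both the router and the service on `name` alone (`http.routers."${name}"`, `http.services."${name}"`), so calling it twice with the same name for two domains — as the later hunk does for `git` — defines `http.routers."git"` twice with different `rule` and `tls.certResolver` values; under `mkMerge` that is a conflicting-definition error or a silent overwrite depending on the option type, never two routers. Deriving the router name from the domain as well gives each host its own router while both can keep pointing at the single `http.services."${name}"` entry. The routers also set no `entryPoints`, so each host is matched on every entrypoint Traefik listens on; if the `fcuny.xyz` hosts are meant to be tailscale-only, that needs either an `entryPoints` list on the router or entrypoints bound to the tailscale address, which is configured outside this hunk if at all.
```nix
mkServiceConfig = name: url: domain: certResolver:
  let
    # One router per host: including the domain keeps e.g. "git" on
    # fcuny.xyz and fcuny.net from colliding on the same router name.
    router = "${name}-${replaceStrings [ "." ] [ "-" ] domain}";
  in {
    http.routers."${router}" = {
      rule = "Host(`${name}.${domain}`)";
      service = "${name}";
      tls.certResolver = certResolver;
    };
    http.services."${name}" = { loadBalancer.servers = [{ url = url; }]; };
  };
```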
@@ -71,9 +77,11 @@ in {
 };
 services.traefik.dynamicConfigOptions = mkMerge [
- (mkServiceConfig "dash" "http://127.0.0.1:3000/")
- (mkServiceConfig "bt" "http://127.0.0.1:9091/")
- (mkServiceConfig "unifi" "https://127.0.0.1:8443/")
+ (mkServiceConfi "dash" "http://127.0.0.1:3000/" domainPrivate "le-dns")
+ (mkServiceConfi "bt" "http://127.0.0.1:9091/" domainPrivate "le-dns")
+ (mkServiceConfi "unifi" "https://127.0.0.1:8443/" domainPrivate "le-dns")
+ (mkServiceConfi "git" "http://127.0.0.1:8002/" domainPrivate "le-dns")
+ (mkServiceConfi "git" "http://127.0.0.1:8002/" domainPublic "le-http")
 ];
 systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE =
-- cgit 1.4.1
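Review bot: Every new call site spells the helper `mkServiceConfi`, while the let-binding earlier in the file is `mkServiceConfig`, so this module fails to evaluate with an undefined variable; each line should read like `(mkServiceConfig "dash" "http://127.0.0.1:3000/" domainPrivate "le-dns")`. Once that is fixed, the two `git` entries both define `http.routers."git"` with different `rule` and `tls.certResolver` values, which `mkMerge` cannot reconcile into two routers, so only one of git.fcuny.xyz / git.fcuny.net can actually be served unless the router name also varies with the domain. Note as well that none of these routers restricts `entryPoints`, so the `fcuny.xyz` hosts are separated from the public ones only by the Host header and the ACME challenge; if the private services rely on Traefik's entrypoints being bound to the tailscale interface, that lives outside this hunk and is worth confirming before git.fcuny.net goes live on the same instance.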