From 6139430d2525211dfd7d49cb2be59064ee221609 Mon Sep 17 00:00:00 2001 From: Franck Cuny Date: Wed, 6 Apr 2022 12:44:44 -0700 Subject: refactor traefik --- modules/services/default.nix | 1 + modules/services/traefik/default.nix | 103 +++++++++++++++++++++++++++++++++++ 2 files changed, 104 insertions(+) create mode 100644 modules/services/traefik/default.nix (limited to 'modules')
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 6dfc4fb..95c5f21 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -13,6 +13,7 @@
 ./tailscale
 ./thermald
 ./tlp
+ ./traefik
 ./unifi
 ];
 }
diff --git a/modules/services/traefik/default.nix b/modules/services/traefik/default.nix
new file mode 100644
index 0000000..980faee
--- /dev/null
+++ b/modules/services/traefik/default.nix
@@ -0,0 +1,103 @@
+{ pkgs, inputs, config, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.my.services.navidrome;
+ domainPublic = "fcuny.net";
+ domainPrivate = "fcuny.xyz";
+ mkServiceConfig = name: url: domain: certResolver: {
+ http.routers."${name}.${domain}" = {
+ rule = "Host(`${name}.${domain}`)";
+ service = "${name}.${domain}";
+ tls.certResolver = certResolver;
+ };
+ http.services."${name}.${domain}" = {
+ loadBalancer.servers = [{ url = url; }];
+ };
+ };
+in {
+ options.my.services.traefik = with lib; {
+ enable = mkEnableOption "traefik router";
+ };
+
+ config = lib.mkIf cfg.enable {
+ age.secrets.traefik_gcp_sa = {
+ file = ../../../secrets/traefik/gcp_service_account.json.age;
+ owner = "traefik";
+ };
+
+ services.traefik = {
+ enable = true;
+
+ staticConfigOptions = {
+ metrics.prometheus = {
+ addEntryPointsLabels = true;
+ addRoutersLabels = true;
+ addServicesLabels = true;
+ };
+
+ global = {
+ checkNewVersion = false;
+ sendAnonymousUsage = false;
+ };
+
+ accessLog.format = "json";
+ log.level = "warn";
+
+ entryPoints.http.http.redirections = {
+ entryPoint.to = "https";
+ entryPoint.scheme = "https";
+ entryPoint.permanent = true;
+ };
+
+ entryPoints.http.address = ":80";
+ entryPoints.https.address = ":443";
+ # the default is 8080, which conflict with unifi
+ entryPoints.traefik.address = ":8090";
+
+ api = {
+ dashboard = true;
+ insecure = true;
+ };
+
+ # The unifi controller runs on HTTPS with a self-signed
+ # certificate, as a result we need to accept insecure
+ # certificates.
+ serversTransport.insecureSkipVerify = true;
+
+ certificatesResolvers = {
+ le-http.acme = {
+ email = "franck@fcuny.net";
+ storage = "/var/lib/traefik/cert.json";
+ httpChallenge = { entryPoint = "http"; };
+ };
+ le-dns.acme = {
+ email = "franck@fcuny.net";
+ storage = "/var/lib/traefik/cert.json";
+ dnsChallenge = {
+ provider = "gcloud";
+ delayBeforeCheck = 0;
+ };
+ };
+ };
+ };
+ };
+
+ services.traefik.dynamicConfigOptions = mkMerge [
+ (mkServiceConfig "dash" "http://127.0.0.1:3000/" domainPrivate "le-dns")
+ (mkServiceConfig "bt" "http://127.0.0.1:9091/" domainPrivate "le-dns")
+ (mkServiceConfig "unifi" "https://127.0.0.1:8443/" domainPrivate "le-dns")
+ (mkServiceConfig "music" "http://127.0.0.1:4533/" domainPrivate "le-dns")
+ (mkServiceConfig "git" "http://127.0.0.1:8002/" domainPrivate "le-dns")
+ (mkServiceConfig "git" "http://127.0.0.1:8002/" domainPublic "le-http")
+ ];
+
+ systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE =
+ config.age.secrets.traefik_gcp_sa.path;
+ systemd.services.traefik.environment.GCE_PROJECT = "fcuny-homelab";
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC
+ };
+}
-- cgit 1.4.1
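Review bot: The module reads the wrong option set: `cfg = config.my.services.navidrome;` at the top of the hunk, while the options declared below live under `my.services.traefik`, so `config = lib.mkIf cfg.enable` gates this whole module (Traefik, the ACME resolvers, the GCP service-account secret and the firewall holes) on navidrome's enable flag and `my.services.traefik.enable` has no effect; it should read `cfg = config.my.services.traefik;`. Two settings in this hunk deserve a justifying comment or tightening: `api.insecure = true` serves the dashboard and API without authentication on the `traefik` entrypoint bound to `:8090` on every interface, kept off the network only because the firewall opens just 80/443, and `serversTransport.insecureSkipVerify = true` disables upstream certificate verification for every backend rather than only unifi (all backends here are loopback, so the practical exposure looks limited). Both ACME resolvers also point at the same `storage = "/var/lib/traefik/cert.json"`; I believe Traefik expects a separate storage file per resolver, which is worth confirming against the deployed version. Finally, `allowedUDPPorts = [ 443 ]` is commented as QUIC, but no entrypoint in the hunk enables HTTP/3, so the UDP port is opened with nothing listening behind it.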