machines/magenta: add traefik
This commit is contained in:
parent
3adae25870
commit
7c2fec71ae
8 changed files with 101 additions and 4 deletions
Binary file not shown.
|
@ -10,9 +10,10 @@ in
|
|||
|
||||
../modules/common.nix
|
||||
../modules/nix.nix
|
||||
../modules/nginx.nix
|
||||
../modules/fail2ban.nix
|
||||
|
||||
./services/nginx.nix
|
||||
./services/traefik.nix
|
||||
./services/mailserver.nix
|
||||
./services/gitea.nix
|
||||
];
|
||||
|
|
|
@ -9,6 +9,8 @@ let
|
|||
User-agent: *
|
||||
Disallow: /github
|
||||
'';
|
||||
|
||||
magentaData = import ../data.secret.nix;
|
||||
in
|
||||
{
|
||||
services.postgresql.package = pkgs.postgresql_14;
|
||||
|
@ -104,11 +106,35 @@ in
|
|||
cp -f ${robotsTxt} ${giteaCfg.stateDir}/custom/robots.txt
|
||||
'';
|
||||
|
||||
services.nginx.virtualHosts.${hostname} = {
|
||||
services.traefik.dynamicConfigOptions.http = {
|
||||
routers = {
|
||||
to_gitea_http = {
|
||||
rule = "Host(`${hostname}`)";
|
||||
entryPoints = [ "http" ];
|
||||
middlewares = [ "https_redirect" ];
|
||||
service = "noop@internal";
|
||||
};
|
||||
to_gitea_https = {
|
||||
rule = "Host(`${hostname}`)";
|
||||
entryPoints = [ "https" ];
|
||||
tls.certResolver = "le";
|
||||
service = "gitea";
|
||||
};
|
||||
};
|
||||
services.gitea = {
|
||||
loadBalancer.servers = [
|
||||
{ url = "http://localhost:${toString giteaCfg.httpPort}"; }
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
/*
|
||||
services.nginx.virtualHosts.${hostname} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".proxyPass = "http://localhost:${toString giteaCfg.httpPort}/";
|
||||
};
|
||||
};
|
||||
*/
|
||||
|
||||
age.secrets.gitea-smtp-passfile = {
|
||||
file = ../../../secrets/gitea-smtp-passfile.age;
|
||||
|
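Review bot: The previous nginx virtual host is kept as a `/* ... */` comment after the new Traefik routers in the second hunk, and the commented copy appears to carry one `};` more than the block it replaced; the old revision is already in git history, so delete the comment rather than leaving dead configuration beside the live routers. The `magentaData = import ../data.secret.nix;` binding added in the first hunk is not referenced by any line visible in either hunk; if nothing outside these hunks uses it, drop it so the secret data is not imported for nothing. The enclosing attribute set starts and ends outside the hunks.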
|
Binary file not shown.
|
@ -15,4 +15,18 @@
|
|||
|
||||
hierarchySeparator = "/";
|
||||
};
|
||||
|
||||
# required for certificateScheme = 3
|
||||
# TODO: Try to use traefik
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
defaultHTTPListenPort = 10080;
|
||||
defaultSSLListenPort = 10443;
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 10080 10443 ];
|
||||
}
|
||||
|
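Review bot: The nginx block added here (`enable`, the four `recommended*` settings, ports 10080/10443 and the matching `networking.firewall.allowedTCPPorts`) is a verbatim copy of the block changed in `services/nginx.nix` in this same commit; keep it in one file and let the other only add what differs, otherwise the two copies will drift. The comment says this nginx is `required for certificateScheme = 3`, which I read as an ACME certificate for the mail host: with nginx moved off port 80 and Traefik now owning `:80`, an HTTP-01 challenge would presumably reach Traefik rather than nginx unless a router forwards it, so confirm renewal still works before relying on it. Opening 10080 and 10443 in the firewall also exposes this nginx directly, bypassing Traefik's entry points and its redirect middleware; if it only needs to be reached through Traefik, keep those ports closed and route to them instead. The enclosing module starts outside the hunk.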
|
|
@ -5,7 +5,9 @@
|
|||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
defaultHTTPListenPort = 10080;
|
||||
defaultSSLListenPort = 10443;
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
networking.firewall.allowedTCPPorts = [ 10080 10443 ];
|
||||
}
|
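--- /dev/null
+++ b/machines/magenta/services/traefik.nix
@@ -0,0 +1,54 @@
+{ config, ... }:
+
+let
+traefikCfg = config.services.traefik;
+
+magentaData = import ../data.secret.nix;
+in
+{
+networking.firewall.allowedTCPPorts = [ 80 443 8080 ];
+
+age.secrets.traefik-dashboard-basicauth-users = {
+file = ../../../secrets/traefik-dashboard-basicauth-users.age;
+owner = "traefik";
+inherit (traefikCfg) group;
+};
+
+services.traefik = {
+enable = true;
+staticConfigOptions = {
+entryPoints = {
+http.address = ":80";
+https.address = ":443";
+dashboard.address = ":8080";
+};
+api = { };
+log = { };
+accessLog = { };
+certificatesResolvers.le.acme = {
+storage = "${traefikCfg.dataDir}/acme.json";
+email = "dmitriy@pleshevski.ru";
+tlschallenge = true;
+};
+};
+dynamicConfigOptions = {
+http = {
+routers.to_traefik_dashboard = {
+rule = "Host(`${magentaData.addr}`)";
+entryPoints = [ "dashboard" ];
+middlewares = [ "traefik_dashboard_auth" ];
+service = "api@internal";
+};
+middlewares = {
+https_redirect.redirectScheme = {
+scheme = "https";
+permanent = true;
+};
+traefik_dashboard_auth.basicAuth = {
+usersFile = config.age.secrets.traefik-dashboard-basicauth-users.path;
+};
+};
+};
+};
+};
+}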
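Review bot: The dashboard router `to_traefik_dashboard` has no `tls` block, so the credentials checked by the `traefik_dashboard_auth` basicAuth middleware travel in cleartext on the `dashboard` entry point (`:8080`), which this same file opens to the outside in `networking.firewall.allowedTCPPorts = [ 80 443 8080 ];`. Add `tls.certResolver = "le";` to that router, as `to_gitea_https` does in gitea.nix, or serve the dashboard through the `https` entry point and drop 8080 from the firewall list. The rest looks right: `api = { };` does not turn on `api.insecure`, so the API is only reachable through this authenticated router, and the users file is an agenix secret owned by `traefik` rather than a world-readable path in the store.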
BIN
secrets/traefik-dashboard-basicauth-users.age
Normal file
BIN
secrets/traefik-dashboard-basicauth-users.age
Normal file
Binary file not shown.