machines/magenta: add traefik

machines/magenta/default.nix

@@ -10,9 +10,10 @@ in
 
     ../modules/common.nix
     ../modules/nix.nix
-    ../modules/nginx.nix
     ../modules/fail2ban.nix
 
+    ./services/nginx.nix
+    ./services/traefik.nix
     ./services/mailserver.nix
     ./services/gitea.nix
   ];

machines/magenta/services/gitea.nix

@@ -9,6 +9,8 @@ let
     User-agent: *
     Disallow: /github
   '';
+
+  magentaData = import ../data.secret.nix;
 in
 {
   services.postgresql.package = pkgs.postgresql_14;
@@ -104,11 +106,35 @@ in
     cp -f ${robotsTxt} ${giteaCfg.stateDir}/custom/robots.txt
   '';
 
-  services.nginx.virtualHosts.${hostname} = {
+  services.traefik.dynamicConfigOptions.http = {
+    routers = {
+      to_gitea_http = {
+        rule = "Host(`${hostname}`)";
+        entryPoints = [ "http" ];
+        middlewares = [ "https_redirect" ];
+        service = "noop@internal";
+      };
+      to_gitea_https = {
+        rule = "Host(`${hostname}`)";
+        entryPoints = [ "https" ];
+        tls.certResolver = "le";
+        service = "gitea";
+      };
+    };
+    services.gitea = {
+      loadBalancer.servers = [
+        { url = "http://localhost:${toString giteaCfg.httpPort}"; }
+      ];
+    };
+  };
+
+  /*
+    services.nginx.virtualHosts.${hostname} = {
     enableACME = true;
     forceSSL = true;
     locations."/".proxyPass = "http://localhost:${toString giteaCfg.httpPort}/";
-  };
+    };
+  */
 
   age.secrets.gitea-smtp-passfile = {
     file = ../../../secrets/gitea-smtp-passfile.age;

machines/magenta/services/mailserver.nix

@@ -15,4 +15,18 @@
 
     hierarchySeparator = "/";
   };
+
+  # required for certificateScheme = 3
+  # TODO: Try to use traefik
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    defaultHTTPListenPort = 10080;
+    defaultSSLListenPort = 10443;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 10080 10443 ];
 }

machines/magenta/services/nginx.nix

@@ -5,7 +5,9 @@
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
+    defaultHTTPListenPort = 10080;
+    defaultSSLListenPort = 10443;
   };
 
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedTCPPorts = [ 10080 10443 ];
 }

machines/magenta/services/traefik.nix

@@ -0,0 +1,54 @@
+{ config, ... }:
+
+let
+  traefikCfg = config.services.traefik;
+
+  magentaData = import ../data.secret.nix;
+in
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 8080 ];
+
+  age.secrets.traefik-dashboard-basicauth-users = {
+    file = ../../../secrets/traefik-dashboard-basicauth-users.age;
+    owner = "traefik";
+    inherit (traefikCfg) group;
+  };
+
+  services.traefik = {
+    enable = true;
+    staticConfigOptions = {
+      entryPoints = {
+        http.address = ":80";
+        https.address = ":443";
+        dashboard.address = ":8080";
+      };
+      api = { };
+      log = { };
+      accessLog = { };
+      certificatesResolvers.le.acme = {
+        storage = "${traefikCfg.dataDir}/acme.json";
+        email = "dmitriy@pleshevski.ru";
+        tlschallenge = true;
+      };
+    };
+    dynamicConfigOptions = {
+      http = {
+        routers.to_traefik_dashboard = {
+          rule = "Host(`${magentaData.addr}`)";
+          entryPoints = [ "dashboard" ];
+          middlewares = [ "traefik_dashboard_auth" ];
+          service = "api@internal";
+        };
+        middlewares = {
+          https_redirect.redirectScheme = {
+            scheme = "https";
+            permanent = true;
+          };
+          traefik_dashboard_auth.basicAuth = {
+            usersFile = config.age.secrets.traefik-dashboard-basicauth-users.path;
+          };
+        };
+      };
+    };
+  };
+}