machines/magenta: add traefik

This commit is contained in:
Dmitriy Pleshevskiy 2023-03-04 23:22:03 +03:00
parent 3adae25870
commit 7c2fec71ae
Signed by: pleshevskiy
GPG key ID: 79C4487B44403985
8 changed files with 101 additions and 4 deletions

Binary file not shown.

View file

@ -10,9 +10,10 @@ in
../modules/common.nix
../modules/nix.nix
../modules/nginx.nix
../modules/fail2ban.nix
./services/nginx.nix
./services/traefik.nix
./services/mailserver.nix
./services/gitea.nix
];

View file

@ -9,6 +9,8 @@ let
User-agent: *
Disallow: /github
'';
magentaData = import ../data.secret.nix;
in
{
services.postgresql.package = pkgs.postgresql_14;
@ -104,11 +106,35 @@ in
cp -f ${robotsTxt} ${giteaCfg.stateDir}/custom/robots.txt
'';
services.nginx.virtualHosts.${hostname} = {
services.traefik.dynamicConfigOptions.http = {
routers = {
to_gitea_http = {
rule = "Host(`${hostname}`)";
entryPoints = [ "http" ];
middlewares = [ "https_redirect" ];
service = "noop@internal";
};
to_gitea_https = {
rule = "Host(`${hostname}`)";
entryPoints = [ "https" ];
tls.certResolver = "le";
service = "gitea";
};
};
services.gitea = {
loadBalancer.servers = [
{ url = "http://localhost:${toString giteaCfg.httpPort}"; }
];
};
};
/*
services.nginx.virtualHosts.${hostname} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:${toString giteaCfg.httpPort}/";
};
};
*/
age.secrets.gitea-smtp-passfile = {
file = ../../../secrets/gitea-smtp-passfile.age;

View file

@ -15,4 +15,18 @@
hierarchySeparator = "/";
};
# required for certificateScheme = 3
# TODO: Try to use traefik
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
defaultHTTPListenPort = 10080;
defaultSSLListenPort = 10443;
};
networking.firewall.allowedTCPPorts = [ 10080 10443 ];
}

View file

@ -5,7 +5,9 @@
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
defaultHTTPListenPort = 10080;
defaultSSLListenPort = 10443;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedTCPPorts = [ 10080 10443 ];
}

View file

@ -0,0 +1,54 @@
{ config, ... }:
let
traefikCfg = config.services.traefik;
magentaData = import ../data.secret.nix;
in
{
networking.firewall.allowedTCPPorts = [ 80 443 8080 ];
age.secrets.traefik-dashboard-basicauth-users = {
file = ../../../secrets/traefik-dashboard-basicauth-users.age;
owner = "traefik";
inherit (traefikCfg) group;
};
services.traefik = {
enable = true;
staticConfigOptions = {
entryPoints = {
http.address = ":80";
https.address = ":443";
dashboard.address = ":8080";
};
api = { };
log = { };
accessLog = { };
certificatesResolvers.le.acme = {
storage = "${traefikCfg.dataDir}/acme.json";
email = "dmitriy@pleshevski.ru";
tlschallenge = true;
};
};
dynamicConfigOptions = {
http = {
routers.to_traefik_dashboard = {
rule = "Host(`${magentaData.addr}`)";
entryPoints = [ "dashboard" ];
middlewares = [ "traefik_dashboard_auth" ];
service = "api@internal";
};
middlewares = {
https_redirect.redirectScheme = {
scheme = "https";
permanent = true;
};
traefik_dashboard_auth.basicAuth = {
usersFile = config.age.secrets.traefik-dashboard-basicauth-users.path;
};
};
};
};
};
}

Binary file not shown.