From 7c2fec71ae3be2d60753023c6e10d0088f43a836 Mon Sep 17 00:00:00 2001
From: Dmitriy Pleshevskiy <dmitriy@pleshevski.ru>
Date: Sat, 4 Mar 2023 23:22:03 +0300
Subject: [PATCH] machines/magenta: add traefik

---
 .agenix_config.nix                            | Bin 4017 -> 4123 bytes
 machines/magenta/default.nix                  |   3 +-
 machines/magenta/services/gitea.nix           |  30 +++++++++-
 .../services/mailserver-accounts.secret.nix   | Bin 1087 -> 1122 bytes
 machines/magenta/services/mailserver.nix      |  14 +++++
 .../{modules => magenta/services}/nginx.nix   |   4 +-
 machines/magenta/services/traefik.nix         |  54 ++++++++++++++++++
 secrets/traefik-dashboard-basicauth-users.age | Bin 0 -> 1366 bytes
 8 files changed, 101 insertions(+), 4 deletions(-)
 rename machines/{modules => magenta/services}/nginx.nix (60%)
 create mode 100644 machines/magenta/services/traefik.nix
 create mode 100644 secrets/traefik-dashboard-basicauth-users.age

diff --git a/.agenix_config.nix b/.agenix_config.nix
index 70914c7cfa4c8fcd36506151100ae72a9bc93999..13c7930e42be92a31f72595f0899ca576e40c68a 100644
GIT binary patch
literal 4123
zcmV+$5ajOwM@dveQdv+`0J*DJ(&lTf?`z~$rF*|DcPE`==nQg68Se4XNPl!POoYy!
z7j!>Y+1j7P!Xp;<W7;(@5Fc7%xhuGw!E+hkPnP8h>dw6+Y(`7Pu(^q~d6|nRdGkm7
z=&!bb<~>4h8InC<J+g>V2uYR)s6~Pc?I&arn$W5NAz6pSK+i(OPSfp~Ci}6Xmt7K|
zIJw;TO>rPqE==*Y74)bAByCnPFDbUr_h(4q4myzr0$#CeNGXrUqlIUZNe1jMQ4`Xv
zCbri<Om*L{nP18(6c{^%xU^Z&%`w}MK|IZ^ziRv>K}HHL^zV4ER&A;f3n&XnT?~!y
z-P)IB6SJBWU=6Ytq^p_zpQ}LLTLFh71N>^<zU{w>Q!w*;JJy>?u>HM|-s2H5I9}eL
z%rq?h*LyZ7{jiAF3hy*3)SWb2sF;*zpkj>Gx}DQx2QrrTt&3)ZL;@)6H8~O2m&SMG
z7ef9M{+qDNs_jp|^I=k6%97{(6f>|$4GBX+lA;i%k!@UR0CI8g0SgHdNaYEH|FcgO
z5uXy7z(TNuUp%TWs<-oGpV_}6@+(Dfb<lYCZI14NZOk585FfuEN2(xb#B%|pu(VIF
zSEe)|24r#V$yq|{?llVvXi>IAebbiv0L-pL6fuH&_2zCI4=lx}zTJsGO&8R?`-%1Z
z#Uql*QRhV_c24WN=lcmU*(!P*l{hr*grRarx7r&U2wKO@4<$BDN4KId`YsUw<O$aV
zXaPxf?gCeQw8X^G94>0o`M)&B1hjowU*TiIW9~#4Er`$yb1_`Y=^NO6Oo%)iq#6M^
zLCm}|`{U%}@qO{jGcCfW)uNZ}`KCZVu2Nq|ENP65B4f=~{;4Z+Dtt*F<qHsn(FE?l
zxZ;el&5;Pl7*#i$B)4#g1D|4vMS^t!bXy!m-Ny!_T0gMnRvuF6?G?N|+q)Grry@Xf
zgsG5%$0tL^2cIqu&`CydwSscTjda$2CPGQk=^K_0tW?2jPhBd8SE!Re*f9NH@cP8i
zWsEx8r%=;LT<U=4TUHPxgsp_m+$(^7;N(&+yCclDLff)ENAe2)Y$Og~iZ?gM%cM9w
zXw`E71l5@5(X;A)D~6FCB>bG=5=2!F5{HIB$VqhTu9Uru4f4Du8Z>F|%6-dslP467
zdaA6$wOE*OmmTQu<TT<i5{t`AddcD=omg&kD~>_y<s{4}2-vq<D?9iT;erUA4D6D9
zu8mSCz+(`x<?@QXYYiVxSGRkb#^x-GKrAk^SG4EpntJB~=~hiuR{ZD=iG)7vPo>!l
z<8ew${;glz1KP!6#UrkDy0z5nPF@BwGHQjEwZixy-<m^}vP=g!GVYA2&l^Ec&=dSf
zg-Z?Y;*Ri;q{)CcJZ~1MybD{IuoyMRG$(_Td4iabj{lA~k>?WTw|;L`QD$o-V2n|Q
z`!*HLcRH8oV3W*E?Z*6Q{<+8T+=D$m`zE&)+J`{?zKXFw*ka9MV{m^}c#6(k(%BN6
z!tQ$6xDS;?lDOA}@kn@{X+Kzw8DyY(tE?+Q@sr)fr%J#Qu*1=^8J|OC_^hTGnQm6V
zO<9S<$5}Jyg2?@Iv9aK(ESf-scDIflSp49L3-9pwOJEK&s-n*A2CPTB<gMSUfi%}P
zzL-Qgax*cIwUJ!=UC|>3UnlZafik*-B&8ZS<gw%?v@l}`*z2UOfCDv==7ET!t2Aqy
z7jk^Wqn0pRi3*gwrCv?&;Ug1yW#N5Spgo@%=#68vs;o%xw2%LFyk^OhCbBN{?H~&W
zN`4vhu^^zL$_N|;EvCEv^f+!8$AuA>>EiIxqwS5GrG3^8&@7mh|I0{1Zmy9X;nPOW
z{ApuypA8kXN{1QLadm{2qFM=Ug}NUU+`0Qkclz4=wS$9)6KJ+wt`p~gb#6AX^&o>|
zegicbw-gbCG^*_7h0`injdkkIh&Tm!d?E+FL;6o|O2(%KFoD~B3m3*5$x)Fk1p8>d
z;Nw9si32538!Q%IYrA|gnA@a<0}?cve5z~#l4X?lAInOR6ti7*N)->8b{oDS;0zJ(
zmHO9lU)Ucn)JBgY5~4zvO{kldwlVwtrCV~n<J=;<Ug_qaM7-cZzf}Pqj^j*b6Dk0S
zu19GqHO8b3VdAG;=-09d*%0lWQsz2#@T5G(HOx6hRD5=#{Nn5R5KJ;;G&}07d^?~t
zT}v2|De7sv>Z$XX1gUK)yXm&O`kCF0)WysLSKWcc)#1O5*b4XpvFh!mr!A!r-aI#+
z&9Sj1?*B^xmb|ojJq;gQa|GM9>qH9}E2hfQ-OAX>Pq&h}!*_X|yb#ZTJnR<dz6hBa
zOI+pcLFrrDNMD9`$@c^q28$a|0>yIqprWp%J9-yiy-h?JI>3N>tWNdIkhKGndk}HF
z(6Ic@H1L*5nE)R-hRP0Xp0w<Q=}`)xKcHe4Kzu{;MiSI?HKj1aKyzO6I^~+Si#}@L
zj;jS^yFUWLG|c<C66Rb5La1B`9O}5Jyd(8X3iqj3QjlTT+7kUx5e(XE9^=*tW9=ce
zM6k**f`a=YmlJ>y&r7|1+8d5qW^DP<@P>t{@dIT^>g<?7gOczW39^uJle*Mx$IUd6
z-1pe(x3EAO{itb{UTzJT+?#3eroX;+9_UE$x@Km!BROANWzns(YyNo`T)ObSz>j1f
zzE=bVQRsZFiu_6F460RI$$`?ayR)5lS!n^X@W@N>Qa)TOLwUS{xua`LtmC4oWOZuc
zV!qL5+qAbEC;b$gJ0iMGFw;zy$gf*n>~ZYeZdlB8T?%)8PsOwd4@V;0;H0MXA*8wZ
z<`k~4E(3YN>lBu_GFwvK#u4lq+7d_TyX>Q4&FiyQKhlnbE;AGH6p2wO?txCM%Ci+X
z;_0<iTq=g$FMJ{)0Lpnrr;H;m{nygUqpv36BJT$NA3`K;<rT@A8TBfY_ou!D`FsL`
z=9=nWcet(qMV5NYq}WzeoSbGD8@<)PsTt=e1KKi?ADz2c6_W`}lFTWsiD?-jfZX$2
ze&dqlSmFs0V}|roCj#8X8mh*Q<8`WvmI%rR2q`pI4x9>K?dD|JC(P5T#pw>O{!%}T
zF?2O_q*_g@5tRuw^QehUe=wd7CGqp*mehse&iFxzN-51+BT-n%M`k-J(vmco4yrxo
zLM~N_PY?Kx;^=NJK$bzHx7kN=PT-B{)fru4ku-M^0$a$km<t=49;_G;9nC2Y_yPf~
z%$|QUga&w!B_x;vfyc^mGL-mt&Pcp$X8As3D2KW!cpM4$PDY2e%QONvibwkMCjNml
zeD`R8$xjov_15T#ylHiBLo`p;bP_K)wvWf2?b1tn)S#s!FsH_5lds4~jmBJ5j}Yb3
z+iC!v6?tRk#K#Ggbx=a6hV|xj+4e3;V5%zCn56$UULxx>+<^|WCu#IXSIaQCZ|JiQ
z2r9jvdY8*QbfnVcW?1K#tLZbbV892-xJX`~M71guG|3(w`V6CmMBhUEiQ}Uk9lMGP
zzE)mi4<=&oxml5V_P||YpkCGmZcB!zYNLB)D=1%Hh#Sq~xltS5fsTljH74VPThb*5
z8b`?*F=CgT&KkN2!t)sbOBvAxgqbosz!VE|pY*+n!x9}5k3X2ZK_1z1W|oAuGw*84
zx9ZY+6f^U=&`H-s&odJ>Go$@)TjuIQU;a$c+5)8bP;8r|ZsLe~07MwFa&WC$r~-Ta
z11Xw8^w@#p#{CE#n<J`qkB?Fl&NEd#B47TiY1{#|ixTal8!Ny-+D@rGnL+zZ`i(r4
zAvc+Z4`^Lh+}w2kp^n^YZVML4oM;TigTU+>fIo6I?{|u433R&OEuZaAzKMqXkS%O#
zEFc(ogCk0k?lIQnjbM>QNSbVPpLl)`8x_?Ee#X1~VpzJ+7$Q`?$kB*@fZ$qHytBj1
zhREzV17-YgUNTS_AWyeRhI7v=C{c08n=37KG1Iu?pDiqR$J8k~?yI_5Uv0n#zt8`(
z6s18($$VTEPF=d?+YLe?$Z$y{x^cCtC46WdlMwee5s4R0d-L#fxEj&5pkw9<Y8&&%
z$i^-v3Lav>z0UIo9!sK@E~jBP;@o0|XwHx1>}DH0aKBnanIBVojC*k~jTkwiUXL5(
zgMnRmr#7U7_B)h&(jGVht$`xZ$qe2mz83Q4U2-9+nB_GUxUv<7)QxmQHyMk$ULgET
zWe&om1*Wvg{JQM);w;kIrvuGq(w#%ez%8{#CrN0$IHKbX>=i<Yd-71CO;eiT4qJ3T
zelr>lQ|lXN1R_&z8?O46XTW$!%1(?;Re5DAG3z^?($_mC*ei#2D9kT^UPO+Xv3B-O
zYtR9|Zh;tb952U60xyQm<f@qzGd@VLyap}`@z;WhCqL4^0xp=6PjdbNmljR8_K?h|
z!n!FPd@Y=uY~A}jVtDla193&H9oW#f>_OOFgTX&eN!j!mgxkh<ADJu!iP&jCbrUfD
zU@9Xl$bSO=UF<xX8R^KHb^KOQk0i7i3DGC&ERbcdkcAncugu}IIN{|cQ}5lZix{*I
zIOaU^Ubk`lc(CCmVzex}1j%MaiDpTkea3r*+RRgl9NjEmxZ(U{Yja(xN`*&HRSY1G
zq4xXEz@hWE0MyXK#tRGiF!l8KFZoBz*|Y50W8*i;>PR&z^TmW3dSoDLA!?$E#jMLL
z$4I7!slt0`kd*N&oM-9{a}Io^n4U27pC`{#67xuaIJo!4xu*h+q#GCgB0ER9(c&A2
z%0l(>@eLyFx`lWT7;w6+p=8;NMR!t1V-f1I;T#l@sAy+DnRJyX7*#cq6qW&Q&-(3Q
zvvOMd4=QN*3Smtvz-NW@x<NmFzs^6bTkXDCc&@IKpt=H?NV~DJ+^H$GB5P(GPt%VK
z$bTw0l!ba>sx>o1xmTiV{goCWof?uL)U6ad+6${`X;sGYTvCZ!J!|wye<oyZJK^Si
zl!03<3XVV8)Gd1jHv;M^o%r(QlU$M>fq`3!?<j#lWQHG#kGIR59>^dPkK&}S9DVu7
z-o<yJ>WbhmR>XCtAq625JPPo1wu;<tZ((X@K(vH7B4XYvx56=Ik$8=gIJj$Y6X^7z
zjW6xafm|OEK6;l2X~W6*I%_cP*D@V=T)kivveTv;Bx)3vF(vB4GgT~y@Z|kRF}0Kw
z=dk^jg0hnVoddf`(VlIL<4tZSs9h>40LI9x&^^W08ztvIC(&YpT0a8b<?7Pd1Ef%U
zy!4v`RN?bh^OO<rVsEiUmWkVZslIudhDq@%PsiYb92Z_r+Y--clnbH9(ap8Ul@LBD
zI2=M<I3I6=$7eeg$4nT~XIk?bD*}%EOBCo802TRiOu{8gT%^Y5<ZW{Pdb-oGw&(iI
zE(MRv@NA3YP`*A8R)C-x2_>G;Mt)MdxW2)*%2yN+zM*<u9=I}{o{`ii(5MAVc2z|d
ZpNOzw6aw>HE;ce~CJUOkz942zK)hHy`EmdN

literal 4017
zcmV;i4^Hp^M@dveQdv+`0A^yTtI|a&NG@zLpOs3(DcaF?NukGfYkXDF$cs~AR3$$R
ztoP%Q3SmkV_k+^V0=FE<?HCD+EBn`ie{a{z2p)%BbPqr~zm8K(f~QTWYC$;NSo+!M
ziUiRR?(K1<81zDer$w6wg3rh4ou8PSe5MmhQX-2WXJbM$;##x#tLsh5<46Nc$YIc?
zY6-*QM#&M2ei(=j2E#^ryn7QW<m0xaqFzzW!4*+L{BvIU0Wae=j?3%)bF7E;Ve9Yb
zF-t7m&7vQDsB&7or<@n0T1FYJKxwL$9Vz52hFkDexX>@)ItX5fpt0ZVgs^foUz2LN
z*)*wRaa??)JOKaZ(7XUGu<<p);hdx375}WfT<ZTbbsL393Hs=4HJYy&80V5>gQr7U
zgZ5UHc!?r7n@kC_pOul*_JSPcZ~=pnXuLcPjj?7*^<7FcR(}i)f@cZtBd(f%-Ad4u
zMsZzvaBbe!ZlvwTwPcFB#pxtAam?F`{5Gk8YYEZUM5D;FTKFvfOoUClOPX4^MW5HW
zPBhK}^Poi_7f^e^Q?*Y$HS6S_>Yu}{et*aTqOb@b88a|Utvy}53w+{JXcjdnmJ=g?
zRluKg>LLLGp-eMjjY53=PI(8Ir`!7FdNn_m)pgLczAPUw)3*u<aA{;~x2O8qU|_=q
zSO(o7ED+P@i=9@j{nl5vKR{(wQH_J{q^ub%5QcCC#U<bj*~V2vJwRHjcW1ASPr(LI
zPr67vAgoUJ$03ygb?E~>dAVflIoS@z%fLS^lac5a3l206nf!bFE^~5e@y;OGxg~n&
zRXin)`p4LK`H|<~o>=#QthS86mzds@X+#mXgSgM`@Fh<xHR>6l>Y_jYn9+cvvBZ@j
zO_OYt#V7_{TMi&L1|r?c6cM3du+F7cS&y|0hDHMOdi3Hew*GBjjU1PWSTG-hf5#uk
z&HHrOz<$+Mwb&;;W4R9sVM!sT8ZCGO@<$SL2PU8_<BXC!5>Db5XgTfa#%*7kwFpl(
z@mt>_wY)`@fHRu>mL{u^PwIYkpmN`G*b{zQax-wxZZ?Hygw3C9iX7HEawNncl^hL&
zPr|&S>Oflb&#&@nTujBY4$Z{If<08UyJW1>5K=E!m8eg$oX%UUN_VQQ(5cU-rcH9$
zgSm9K>b1FpmO_w383Jq<fpX(=ff(jC3cGojcn+K@jbmqQ7y+Pflsn8ay~?Z(?+Z;N
z3ya=>+xkGo#LB1o=K~z{6Q&t!-2?%kHNu4rlUlJarMXpBkFd<32`AKI^9HAOVD}@d
z%;YCMO!?68>#A=^i20fH8~#QHNK4v((L<Edft@Lz9%q=-BY(gLlf<K@rx(WB0f>{$
z;l8qnEF%;{{G4x=EFJRi6m5JRc}ai<Z~&VaVWzDowr9aPy)LzBm}^u8K}NB$ZyZ^5
z6IO0rkq~CeSG-IfEC1hEJT=qkU$YlP8W|eAQNLLWR)mH@b4#2M$`}18$Xzr8=MJR@
z|C+81|A`;ASZ@sn%~w_v9pXIU?wh&YP8~mLUd5G75YH&O*#XNQbtI{IG1xWEc7NCI
z@y=su$*%GQG6m=!FS;LJF1-2t1*b_mIq^yJcSdhFY-@j)V6I*q{Rv3G?+kM=a#ZjF
z9R-zK<?cgaO%!Rd{G`r%L0kg!al$jxGt$L}IDuJ0vyLnzp`Y$dw@K0>e-oc(qIW6^
zi|P!G{?O2#qxqWGWv1&=k!YK2MnV(xR+m0K>O0(*lws?A6z}ZD#_nzhz7OzM<pkH$
za#)po^E6)=>d&BfM~sE+*<-~Sf5sf^Y-hpw=!4!ZgfUdTjG2czQh}HF{2&1AS)kV(
z_p568O}5LX75f<tdxH?CD4u@9bzoe!83hNfhO`|3Nam5H;EOe_0Sp>eJ13q|{Nx{<
zsfL@>9pi$7W^KT8z?zH*6*G0SKQq7)HJ&(-vG4aqs1_rC!;=w^Z3=RN)O=Mt0Lt)<
z_Ey{Ka;I#kgw_#>+mXpkcFtd+Zw(J}PArZVg=iLQWw`;{V-2Yk^P>V@D=?!B4X^Js
zVIxOn$B5D^1-VfuS3`DLO(VdT`sN1<m|-*7{k3B|Fqp14bS`!BIvimq8%dN)3SDUV
z$C{y#PocvwlL$7+m(nv+-CRCoCfWDVGaS2AehgW7_-rmL!Xjk}DJ++tmx&ANaKWrE
zt;{1@&B9_JeM*#oC1s$-*`;BaOUO#ND;u<d_!nm!uppGS+lG4%b4G#NN&aGRpOJ3E
zp))+wu24EM!)i>0LA8~B!@G^_XhijRep8LrIl){6?;KMqSbI6v{PL~h&PJhXPYz7#
z=UA)92{XD$q2XZOAh#3`*@K76GNP741?oR8Y%%3<EEFvkJ125)L{5B;$xQhc{ZG+X
z&Rb}RgUMI$wC#{FFUm&pknaf*XxYbfr0`bZ@){lzt-^yIO<TQ-Tgn!sf_>&fYdIJ5
z_jb+obMSiCZW0{G)Y&d<yhMW)mXIfVG0v*RKB-hvRK)E1AtysTBLXywrT`lt^XdKF
z#YN>`?PgJ<J2?;Xn#<b2*b&@+K_#A;P{CDjON?m+by;Jh_F5k18XVW07vP15WRL;{
zss0cx32?urhZqtY<+sJh{bNv}NlIenu>Lo@aidw#-`-f0k~x9@fJA&^y($(azUxwZ
z|BIjsDoY>a1?erz3Uw2T(<NoOTkS>Oe>1b`kVKq@n<$H0Bq8XPl@pOT-juN%@kZ32
z;8rOB!E>Xv+9KwPY42<*Hu@Iqxb#T*$}XiY{#hZn-&Oh<i1sfaK;M{o$ySyB(GcG0
z;{tYdufO@~;lFDz)?@@{{~0QvFQ&9Hp#82eipa;oI@4FGyByFFTVZ0`iKrz(#Jyhq
z52Mv=I^eP`?citK4|-?D>4X*UiZ4{TgTUE`?0qIBo7gs3;oM#tU7UdFsdg&OWM3Hl
zZw{X%5IL{s^?Tu0muY6b03KvuM)~UG(K}=78Q4tRa{+l7Z$&~0;sH}G7nzgBJi~)&
z45>Q}cl#N^BE6B1Dr$ti7ju)(#e$ox+v11zH|omBYMmwf48v>l%Uk;BM4o!V9&}UB
z-2vS5mQ{BcAc2r5!Gp`uE;POUbC&+6k2tqOD_bhhoJX_WK7~u`?UZDt_9XSb{O0Y0
zlmuNdFGEQ36=w_PL_5TkW*jpusq#x2OwXT5A%G8fZTU`1-L|V>=JQBxHk$%nYwYt4
z+{SIR-l^I$Da;aj`1q-L^T~hp*Z#V`weUESkWv<IvS+L4us1Gx9C}@XvfZIVINg~f
z^4P{uFuf_oRp}IaA~-^YSpU}h()bA9r<T|Xr)DiGa5%+!kf6xen;1Qu5!nx>)N3Ud
zK(*Y$^V_2|9`c4Vjv|nU?r)9Mmahn1{cl3?Wlb3GP#z(|sf@rlIAS`OsN|!6G;N0m
zIn|gM7+_jSU8ke0*Ow?gE_ksetE&H9y}@u~@)AXSRD%v!1M!II_&O}RzV7z08G&*Y
zh8ZLQ7>5prg-d-*sgC*K2<-OGi|Xd6#(r_uawAI0$A-l)Pntc9qU<l8z#<g6zQ;zH
z5fgR|NnXaUjiXiotF2%2U!=Vlqma23t>ZtlrJE20|Al_XHXu%#U7aVeHsr*(Hz6k_
zN)7j_+ocMoCh88vgYt=Hz0QbQKVewtD~i&DVXiLpl~NfHTmo8~@1>ODe3bBL?zzh}
zKG~hNL;K#ET@x>k*Ovs4;mttJT5$CJ2s{)87pE%(V)<H3|0}5vE&ZsywL?93kEUEW
zqeTWx!x~z*lHZ#UHy?M+^&U6u{rEHI-umAShe?h()ZM&Ls8L!@?M<}h1$%Od`*VGA
z5r@k@QssW{%^6G-O5l33*l{FsB<h7<9wx5<Q2CQo;!?moORG}3HI9dUUlVhr`O!>_
zm(O$GEyZcSb%y-DpH*ppq=fm1sBl(h6rlCry{_E(gQPp)*>=j9jlSSBOPj(z@<fNE
ztBDFl3Wp|?bik0y_{>{RbeD^yZKO1R&p}xmI{hK}`nZo8mI$V-Oh=(bUqe_SF>j+z
zgfGfu*=%tD1J(8Wb?5V*&`Y54#+2t!s{C(21K{ZMzAz-@iFzE-vKV(qF0Ya}*yW3t
zqFzp}$LEW^PE@opm1Xs2b2c%Xr&D;J7U~^p9#J0tb)Jyja*Xj7xrz@+1x~^PZ{5vQ
z;92dbU6BzK9Rrfp4#f28fw(MK>|6Mnf$YALkJvB$sv?R50H#cFDLf?jI<L(TNu<c?
z^unM8cl)?E!{((svwQeL$TKJ~{)n{k9$9R$V$!qQlNR$6zJ6|Oll!$<up8@}V|^`p
zkTaUEDkD#~dhcUEq<7gfgU#H<Epz{Ubh}h`6z-PiN(1u&3N8^C{L!xc`?b1M-w;eP
zNo28bVC^>EB`G8{7i0<I=sK^fcvx!d*N2GC_@Lf{MaFQe3fp;m#k><7BE!(7hsx)S
zD>;raR_11t*`AFHeJ)A;Y~^hhE4)706Cv){E~bZ*S|dgHl%lp?rZ9WOJWwbDYfg_V
z0nyO(tbdAq`~=wPrCL)AwC3Mc-k79r_>4&}tL(vxQ5`m)p#K(Zu8iA%Ch%R0)Dv3x
z#_(eRscqU6{E8eviGJctkx{)5ZYA`bT0l7S9LA?O8M0ey-BaYFSNcY4o*L=a(?tIL
z1?0~=c(>hZU2l87XDm64u+Wvaxr!K3O>6l3ddN|UG~n4GC=q=VVplg^O_ESnR!N7D
z{Zb>VIi(#Lz0hU<BV9!u;aaO@!q<p_Mdx&u)vV$f7QZ*C52$(&O@x?RmG_CbT${e;
z9$wlpqaIh-RkR#G=jMoOzq`KppU^1GWdUm8G3ZGgV&kWO!7&bQEOvFWE+{;Lqa?O9
zCW-=U;$E0*c1bj4LXdKUJ`zLsCVaS@*dFS&oV%5X-}LS5J1D&>LU)onDWMSszMN0#
z{`ofm@D$d~dLzb159@ZSq1xFNKcgi--AW(?8x9;1PKZX`1>%V?o-e!Coa%9~Z@=%C
zoi(hv2DmciAzjiUCd=!pc$8_8_tS%+ag8&;Tk=nD&g1mSCr>dJS6dy&L6Q%i&?B<r
zFB0gCAl3CSl_~2IP{l}xcEKtZ@U5#I1<czswH)H({nNJjr{fQ&AfCNZFwdHE(W$Zg
zyCK}U8t)6}Hzd=|0y^X{uHq1v(@-npI{aPZ981h^VlCA%RTb+beu8}NAY<uWiHOw^
zF`e{XZ3>Q}N=c9*9@>DswCZR@H}J);A!bYNK|NPssdeJQ2CyR}%6{||jl6kiZ<%(K
Xdq>YUMJO@z^+nh#H@CV5$p{4jB#hHG

diff --git a/machines/magenta/default.nix b/machines/magenta/default.nix
index 7a4ec9c..c1a206d 100644
--- a/machines/magenta/default.nix
+++ b/machines/magenta/default.nix
@@ -10,9 +10,10 @@ in
 
     ../modules/common.nix
     ../modules/nix.nix
-    ../modules/nginx.nix
     ../modules/fail2ban.nix
 
+    ./services/nginx.nix
+    ./services/traefik.nix
     ./services/mailserver.nix
     ./services/gitea.nix
   ];
diff --git a/machines/magenta/services/gitea.nix b/machines/magenta/services/gitea.nix
index 206fba2..c478924 100644
--- a/machines/magenta/services/gitea.nix
+++ b/machines/magenta/services/gitea.nix
@@ -9,6 +9,8 @@ let
     User-agent: *
     Disallow: /github
   '';
+
+  magentaData = import ../data.secret.nix;
 in
 {
   services.postgresql.package = pkgs.postgresql_14;
@@ -104,11 +106,35 @@ in
     cp -f ${robotsTxt} ${giteaCfg.stateDir}/custom/robots.txt
   '';
 
-  services.nginx.virtualHosts.${hostname} = {
+  services.traefik.dynamicConfigOptions.http = {
+    routers = {
+      to_gitea_http = {
+        rule = "Host(`${hostname}`)";
+        entryPoints = [ "http" ];
+        middlewares = [ "https_redirect" ];
+        service = "noop@internal";
+      };
+      to_gitea_https = {
+        rule = "Host(`${hostname}`)";
+        entryPoints = [ "https" ];
+        tls.certResolver = "le";
+        service = "gitea";
+      };
+    };
+    services.gitea = {
+      loadBalancer.servers = [
+        { url = "http://localhost:${toString giteaCfg.httpPort}"; }
+      ];
+    };
+  };
+
+  /*
+    services.nginx.virtualHosts.${hostname} = {
     enableACME = true;
     forceSSL = true;
     locations."/".proxyPass = "http://localhost:${toString giteaCfg.httpPort}/";
-  };
+    };
+  */
 
   age.secrets.gitea-smtp-passfile = {
     file = ../../../secrets/gitea-smtp-passfile.age;
diff --git a/machines/magenta/services/mailserver-accounts.secret.nix b/machines/magenta/services/mailserver-accounts.secret.nix
index ccc70baab04dbebdc6770d0f2f18e93c18b67485..d26568644cacf7049a6676fa6fc60b48b6e46d6d 100644
GIT binary patch
literal 1122
zcmV-o1fBZ;M@dveQdv+`0Pve>kef#r;4Am0iXq=TspE)AUQ*9(OzgXGioniidSg2$
z?aO)R91_;iQqCL4i;}9TRWwvXOzdVssDT=<q@mC{@^{X#I-#$Gd&I^fK$^iBG<a^G
z^lV70Q*wI(Ost40Q-{^7eH=fg7c<!#vT4!jIChDg*u0gHDq=wiW5P_a2;O+&>2NY^
zS?~gDVK@9F*GV5O)j_jTFvwe2@(Nq2!)`#4PegxY+V3#*fkb3>zFf(ax?9`bQv*>O
zLH79@FWVMl&1)5d%17F~53UyqCNI<e$Wf(PTFB!k<=uj=zPX&z$&PF-nca^x*6(^S
z?DqhN()BGplWVUOaWkl*w`|*IZtfENA;LsstH<1Woh3BQW#`bSki~5gP+=(_c`{dR
zo_ck5T1zsgTfk&e(mcaTxxK_9kjfr#1I|OkFydzg3-32(A)%i42WOCDC~ABIyWBnn
zrG796C5NcWnc`M$HG;|Fj6aekoB^E$SZF;W%y!MBRCZEXt;_NVO2O=4&eon)DiWs|
zeL$uLCAlR;kSz5OIyH7691U`QpOX<zvixvQq{4$Budl>Dc)(D_wqUI2F!xA#C`6mI
zg6M*zgolSrydMnZ9%@0~Dam2>ijD*I`s8FDS*K^mYcg87Z_A$1t3J~UL&cDl(5Cq;
z-D(#a!j~;8O1E)2Q)01w>Y$Ie+)I_a2qs*G*ueP9A=hM%>VL?i{2HO1zfqhUgaNqL
z#W)Vhr&D5VwS@HJbn!h_Dqhd#z%e0juoI4Bd-!ITptC<+D{(9W-Jm=2KH?G0p4pZZ
zC_3ksf;QR++3=I<bqcb5WNC}#mZ_naQ0f@ZwPQ>B`*QO6Zms)IdFvcYCVQ09=@-_D
z4(b#jET_YmQ~FP_%h(4$$p8Goai^Gf#nqDeS*LDRnj=L)t2u`-JuhU}wqmLqP?^h9
zLFj%3Om^YNeHe<Vy#|b9uPfXiQ-2j_vWI-Gzz*r$oT#?LiGzC%F4QDSJkXx@G*XV`
z7}I`E?zC5^b8ndDp{EEnwn2(E1dnlYDj23T-!Y0<hY<x^qo*&@Mol#>FACE4(r|>%
zfxHrn0zrg`weVn<zOZkhH1>$jVeCfRQ!2vTY7ovOq29nMnGJ|H!}7oS!m-($777Wu
z&vrsLvb2}Kls#O-yx0$XGUp0>sQi=A0!@nq>Ex4$ED^!qg>=<_)Fs{u2kzY=#&`5x
zm)v1E;ktB%%r?`%nL7KAP15ouz*>oI1}6kO{+|8PwQ5^7Ce|`!J&E7p1YRcmxmDF5
zDI#j|nu5oRZ>qChBd_~f|4g5s3=YVL6LH`js>7ERX6O$ny(1*1W31K=Ler4BM(GQz
zf3~BSu9s7@{MBoU%)0rdfqJn(QJ;0meKQb2(}5LormzG<0fPrPa82Fa7u8U!fPs{#
on4y3kFM~Ps`rKywE($+oSx6s!Qg@RKM1es|J1u?K9=6X-U%+55dH?_b

literal 1087
zcmV-F1i<?MM@dveQdv+`0Hh%Z>OhmgJa@N9lifOMTE&K7_Gu2$d)MqiP5c|UMYdd+
z%*%w8Y=9wP^cSqr2OoK+bl{4@8|(PCi%`?`CN{Zw<Z^#h1eyh~?JbjclX&7w6AcEz
zSWDN)we@MUHStsVeBS1AwnDh)K7WEaZ00Q#HSaMAWI-fc=L)VIagttMfWlBREy=$&
z#3wb$K15j-hS4QE{v$9Q>2>@7;p`LS?znmV-^qGA^+XO9q#&IS3DMnX)Hl*RnE$k`
z+(kGtq1?6eMDdSPwDz>T_Z1r4e)Y=>W2}7i%)_3?JnmzmfP_kEfv%t9=z3>#ka+fD
zBarE?ynA4;D6%-$1D5J<X~#^?!AnLN5zJ0SfyV>2-A@oxvzp<C^faD@SPZKmDQGop
z_RU;Y#HN_zfwb^;N2c+|pq}T$=2nGcEgS2L!A|jYhok;O7`Iy1Qo2m53sLQa<p;wY
zJuWhLrmI>q!@H@z{qg!lD`?^_hKXpMf_&vB7f~~UC@h2g^uls6ap|RYwuGp!;F0>u
zhePxJGIBL6zPYnGj@XdrqvRZopYjWzNsR4_Hcp;Uv=c84<NLXmC7o)(p`yf=BcDL?
zmhRAJ*B&*yXr*{Q_wxFR9PD^*RYIP(=WFs`m18oJ75Mx3F3139XQW2RpgsdLcwtbU
zwMCXx2@J=RLADNYwxByjqJcKcpx3U;A$kI|t9IN;rV`}u!W8LU`6Nbap$ZuKd7jTx
z`Z%k^9{g<*{z#$5LbFd&_T~DK*5}zkJGX5plEKFESeT2t0<^=##?FJAZ1R<N>`0eK
z+(dS0huAq)cdpS%Bza70K>G1>c6IKR4=k>Sr1Z*4QtnhRFUaEKtG`Xrk{GH;tq@gA
zgOp1v5JW9($>aE24sg~l3sUbg%4i7CzLOUZA=SYrt#Ry=%Q^V!veLNBX51oI&xEUK
zNz?-#cq5FHkHXb^%}k04?R{ty$8;|+CRi1pV>KPGb=`7N6BN({Lw<bg7dSFQO*U82
zTD$Nx?zAb|lkJp8utv(Vg@R82ckM&I9@mx*iX8@LXQ?5cI&pJnpN<IkX^_l7k5R+`
z=2F-n4~wpx-uh<Gv8TJYS?^#2n{#MB-~<o$0RSwyOL5kO(%~#%$gmy3Kr#x&IH}Cw
zHgctFz^9X<P;`V4C=5AHBtAM$$`imHMn6csq#Ex5PPS#c@C!w4bWsQkJpTt|;*$m+
z^@~+Ov8(mGG}faZP81fb9P--@(<jZ>zPg!eaoJbIPKR96>k-y}<w@N^lRO8{A{2Q>
ziMDF1E~<nSv9;j!T2MI<7gW$-9oK6@Q@jP$G&zQjr@=?&skMXhmxp6=FYqXgCwZQk
z$QC0rVgVG22{eaI(fBf=QnD#z%0rs{d<}_k=CC%2OT0SKXu6%QQR@_Lh0Zm{GOqN#
F_^BegB`E*^

diff --git a/machines/magenta/services/mailserver.nix b/machines/magenta/services/mailserver.nix
index 25e1a03..f73f028 100644
--- a/machines/magenta/services/mailserver.nix
+++ b/machines/magenta/services/mailserver.nix
@@ -15,4 +15,18 @@
 
     hierarchySeparator = "/";
   };
+
+  # required for certificateScheme = 3
+  # TODO: Try to use traefik
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    defaultHTTPListenPort = 10080;
+    defaultSSLListenPort = 10443;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 10080 10443 ];
 }
diff --git a/machines/modules/nginx.nix b/machines/magenta/services/nginx.nix
similarity index 60%
rename from machines/modules/nginx.nix
rename to machines/magenta/services/nginx.nix
index 185498d..3aadbe3 100644
--- a/machines/modules/nginx.nix
+++ b/machines/magenta/services/nginx.nix
@@ -5,7 +5,9 @@
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
+    defaultHTTPListenPort = 10080;
+    defaultSSLListenPort = 10443;
   };
 
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedTCPPorts = [ 10080 10443 ];
 }
diff --git a/machines/magenta/services/traefik.nix b/machines/magenta/services/traefik.nix
new file mode 100644
index 0000000..2cb4118
--- /dev/null
+++ b/machines/magenta/services/traefik.nix
@@ -0,0 +1,54 @@
+{ config, ... }:
+
+let
+  traefikCfg = config.services.traefik;
+
+  magentaData = import ../data.secret.nix;
+in
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 8080 ];
+
+  age.secrets.traefik-dashboard-basicauth-users = {
+    file = ../../../secrets/traefik-dashboard-basicauth-users.age;
+    owner = "traefik";
+    inherit (traefikCfg) group;
+  };
+
+  services.traefik = {
+    enable = true;
+    staticConfigOptions = {
+      entryPoints = {
+        http.address = ":80";
+        https.address = ":443";
+        dashboard.address = ":8080";
+      };
+      api = { };
+      log = { };
+      accessLog = { };
+      certificatesResolvers.le.acme = {
+        storage = "${traefikCfg.dataDir}/acme.json";
+        email = "dmitriy@pleshevski.ru";
+        tlschallenge = true;
+      };
+    };
+    dynamicConfigOptions = {
+      http = {
+        routers.to_traefik_dashboard = {
+          rule = "Host(`${magentaData.addr}`)";
+          entryPoints = [ "dashboard" ];
+          middlewares = [ "traefik_dashboard_auth" ];
+          service = "api@internal";
+        };
+        middlewares = {
+          https_redirect.redirectScheme = {
+            scheme = "https";
+            permanent = true;
+          };
+          traefik_dashboard_auth.basicAuth = {
+            usersFile = config.age.secrets.traefik-dashboard-basicauth-users.path;
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/secrets/traefik-dashboard-basicauth-users.age b/secrets/traefik-dashboard-basicauth-users.age
new file mode 100644
index 0000000000000000000000000000000000000000..09a42f657d4ebb6adf4f4651b3ae820e2af1f25e
GIT binary patch
literal 1366
zcmV-c1*!S~M@dveQdv+`08qSymChUHczwf-3lrrJHV>Dm{R!(4&|3;w67=0#j!nYR
zrRDpwWCm=LovVY*enuWsSaI&gm#r>-3{aKyj9|e~#!t?%9C0;0<{_Lmym%<aiXwt1
zZY=G9!Gmi{rfMg9jFS+%vN<i9Up5n@a&zw1T+qzdFnuz>(us&Tv|L-k4or(Wrxn}m
zGyurEF~)=r>EgYIl0-J7NtVHFYm66}U?i9N**4!q`e3AtkSH-GcQ9UDO0>k1=jBlI
zc<x>su8H|xFNk%6Q_7<=3zh-I*OCIiF^1*G?*kSXWdzpQf`K#RAk=tEQFE^<{@dj8
z8`%(l$LdIX`7E4UYDIw;tFYo(fOq(!=}$)y=p1!r?KVE;_StyNF%B!b`rFjjPes<x
z5h*c+nD1(`rYPf;I|vpKt{RHQ({er*8=+df8yW})VwO-uz7Wuo`H4;Jf2(4`O2*&Q
zd?;$5EPF=#_yq=+M=-(09f4!qeIRRE?`WEaW*J6Q{JSkBS;Q6s42_%M0rQ);$FWY*
zQ9o6vessp<Uck`r%HgL+r7fqgY5;Y~+1zs>@tn|WoGDm?#is?kdEH#Yh95Hl6wBPa
zXEKehV35OR)@sLY!2}Ye>;S#jMpu6%H#r%kQJgA*Iz!B9;%4!1#2tK34X5mEnDYgq
zm9}^oGFqGoM7awyiy+%Uv|Qi?aRqApKBd$iT<jAbYi>??u^l$fO4tpHTgs*znIzQG
zY%eKjj`sPY%*_~CPPYKn&TGR2Vn3Mo6!_jG0{N8%#cC8)7vrPfH`p}hscAZ}u5Oyn
zx?<C<1Ycs0^g%+?4FqrYX&myj=L7-3ee(#_Q)ZlFy6_^(l4qyL{?7gyg<nF80E_H?
z=-P16a@+!<crlWik|@y*Q<QhysVUg0<u*K9I>^f~DK9qiX;qJfLtAfS*M=ZcwlGxo
z-al#bNoz2kCxMyY!%<K%zW8#yFNI+!m|VdwicaBxwkXutCyeOi;lhH8RL0*dqPwLg
zUg*UaXUZyQzY9&xah<APee&bT{rM07<h~Hvp>+cqYxG1&5c^j)-)I}YI7Uvz!GI65
zeIj6hU59Y^D1>7lP&?tbCtS($R42P+?fEzMz2u4+psWCuE5SH{YA2bwQ0Q6U%4(Qy
z>*Q{gesVt^WyzrM-y;b=<^i$8ya*c`w);c*ETVt9#HyWCyQ~2w2rtxB!q+6Dflm&>
zkHXU7h*L0$t&n!eB!{-Eqo^FskC7kh)J+Rwxp**{@Web3bH`UbvF|u9h^0>y)=~_6
zVS}Dph4BO22yC+-P4E@)gR=p|$sQ!+j}TNZoCzItWZHqhgVyGS&gpNd;SGvAXH0cw
z_V7VAb;>99tow9!SprKF$;k%dJ8!HA;9Df*Qa|zqRd<*laLEB6sC+a|gsY}d;rbSh
z><|Cad~iO~#^ZC6H0)S4f%0XZL&7q2>Kbb5mDK4*R(EQwQ<%vyh|!ECVpy!YIT8?)
zyPwUDuuzB%V0$C(K!*+-$BO<pIDBu|>Tz|{#N8p<=tj`T+w$|undjjK4g<-=;^;YK
zJ`(ZEV3Qm`9JzH$4cHqZjOC6U1I7*IVxZ1tp8@hVl+Sc5_=oa#Jz^bod*ly#lB5<Y
z$ro51=G7!GH&MjkC4U*G7Pc6$hDwOBVO1NSVw<qexCHMvb!2_?`6cDowz?I80aFG8
z1-2Lu*_R;2E1N)kDLwszA)ms*T?aPh-Q*URR%TCeA&i<!60StoO?qnujegfUBBJK>
Y0=gKAt%DjjBNEwzf~ISO+1aWl)uEcAr~m)}

literal 0
HcmV?d00001