machines/magenta: add traefik
This commit is contained in:
parent
3adae25870
commit
7c2fec71ae
8 changed files with 101 additions and 4 deletions
Binary file not shown.
|
@ -10,9 +10,10 @@ in
|
||||||
|
|
||||||
../modules/common.nix
|
../modules/common.nix
|
||||||
../modules/nix.nix
|
../modules/nix.nix
|
||||||
../modules/nginx.nix
|
|
||||||
../modules/fail2ban.nix
|
../modules/fail2ban.nix
|
||||||
|
|
||||||
|
./services/nginx.nix
|
||||||
|
./services/traefik.nix
|
||||||
./services/mailserver.nix
|
./services/mailserver.nix
|
||||||
./services/gitea.nix
|
./services/gitea.nix
|
||||||
];
|
];
|
||||||
|
|
|
@ -9,6 +9,8 @@ let
|
||||||
User-agent: *
|
User-agent: *
|
||||||
Disallow: /github
|
Disallow: /github
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
magentaData = import ../data.secret.nix;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.postgresql.package = pkgs.postgresql_14;
|
services.postgresql.package = pkgs.postgresql_14;
|
||||||
|
@ -104,11 +106,35 @@ in
|
||||||
cp -f ${robotsTxt} ${giteaCfg.stateDir}/custom/robots.txt
|
cp -f ${robotsTxt} ${giteaCfg.stateDir}/custom/robots.txt
|
||||||
'';
|
'';
|
||||||
|
|
||||||
services.nginx.virtualHosts.${hostname} = {
|
services.traefik.dynamicConfigOptions.http = {
|
||||||
|
routers = {
|
||||||
|
to_gitea_http = {
|
||||||
|
rule = "Host(`${hostname}`)";
|
||||||
|
entryPoints = [ "http" ];
|
||||||
|
middlewares = [ "https_redirect" ];
|
||||||
|
service = "noop@internal";
|
||||||
|
};
|
||||||
|
to_gitea_https = {
|
||||||
|
rule = "Host(`${hostname}`)";
|
||||||
|
entryPoints = [ "https" ];
|
||||||
|
tls.certResolver = "le";
|
||||||
|
service = "gitea";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
services.gitea = {
|
||||||
|
loadBalancer.servers = [
|
||||||
|
{ url = "http://localhost:${toString giteaCfg.httpPort}"; }
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
services.nginx.virtualHosts.${hostname} = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."/".proxyPass = "http://localhost:${toString giteaCfg.httpPort}/";
|
locations."/".proxyPass = "http://localhost:${toString giteaCfg.httpPort}/";
|
||||||
};
|
};
|
||||||
|
*/
|
||||||
|
|
||||||
age.secrets.gitea-smtp-passfile = {
|
age.secrets.gitea-smtp-passfile = {
|
||||||
file = ../../../secrets/gitea-smtp-passfile.age;
|
file = ../../../secrets/gitea-smtp-passfile.age;
|
||||||
|
|
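Review bot: The replaced nginx vhost is kept inside a `/* ... */` block (`services.nginx.virtualHosts.${hostname} = { ... };`) instead of being deleted; the history already preserves it, and a commented copy will drift from the live Traefik routers, so remove the block. The `to_gitea_http` router references `middlewares = [ "https_redirect" ];`, which is declared in traefik.nix rather than here, so this module silently depends on that file being imported — a comment such as `# https_redirect is defined in ./traefik.nix` on that line would make the coupling explicit. The `magentaData = import ../data.secret.nix;` binding added in the first hunk is not read anywhere visible in this section; if nothing else in the file uses it, drop it. The module body continues outside both hunks.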
Binary file not shown.
|
@ -15,4 +15,18 @@
|
||||||
|
|
||||||
hierarchySeparator = "/";
|
hierarchySeparator = "/";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# required for certificateScheme = 3
|
||||||
|
# TODO: Try to use traefik
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
defaultHTTPListenPort = 10080;
|
||||||
|
defaultSSLListenPort = 10443;
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ 10080 10443 ];
|
||||||
}
|
}
|
||||||
|
|
|
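Review bot: The nginx listener added here is moved to 10080/10443 and `networking.firewall.allowedTCPPorts = [ 10080 10443 ];` opens both ports to the network, yet the comment `# required for certificateScheme = 3` says its purpose is the ACME challenge, which still arrives on port 80 — now owned by Traefik — and nothing in this commit routes `/.well-known/acme-challenge/` from the `http` entry point to nginx; unless a router outside these hunks does so, certificate issuance for the mail host will presumably fail. Since nginx only needs to be reachable from Traefik on the same host, a router on the `http` entry point forwarding that path prefix to `http://localhost:10080` plus removing the two ports from the firewall list would close both gaps. The nginx.nix hunk adds the identical firewall line and also sets `services.nginx` with the same ports, so the listener settings now live in two modules; equal values merge if both are imported, but keeping them in one place avoids drift. The enclosing attribute set starts outside this hunk.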
@ -5,7 +5,9 @@
|
||||||
recommendedOptimisation = true;
|
recommendedOptimisation = true;
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
recommendedTlsSettings = true;
|
recommendedTlsSettings = true;
|
||||||
|
defaultHTTPListenPort = 10080;
|
||||||
|
defaultSSLListenPort = 10443;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
networking.firewall.allowedTCPPorts = [ 10080 10443 ];
|
||||||
}
|
}
|
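--- /dev/null
+++ b/machines/magenta/services/traefik.nix
@@ -0,0 +1,54 @@
+{ config, ... }:
+
+let
+traefikCfg = config.services.traefik;
+
+magentaData = import ../data.secret.nix;
+in
+{
+networking.firewall.allowedTCPPorts = [ 80 443 8080 ];
+
+age.secrets.traefik-dashboard-basicauth-users = {
+file = ../../../secrets/traefik-dashboard-basicauth-users.age;
+owner = "traefik";
+inherit (traefikCfg) group;
+};
+
+services.traefik = {
+enable = true;
+staticConfigOptions = {
+entryPoints = {
+http.address = ":80";
+https.address = ":443";
+dashboard.address = ":8080";
+};
+api = { };
+log = { };
+accessLog = { };
+certificatesResolvers.le.acme = {
+storage = "${traefikCfg.dataDir}/acme.json";
+email = "dmitriy@pleshevski.ru";
+tlschallenge = true;
+};
+};
+dynamicConfigOptions = {
+http = {
+routers.to_traefik_dashboard = {
+rule = "Host(`${magentaData.addr}`)";
+entryPoints = [ "dashboard" ];
+middlewares = [ "traefik_dashboard_auth" ];
+service = "api@internal";
+};
+middlewares = {
+https_redirect.redirectScheme = {
+scheme = "https";
+permanent = true;
+};
+traefik_dashboard_auth.basicAuth = {
+usersFile = config.age.secrets.traefik-dashboard-basicauth-users.path;
+};
+};
+};
+};
+};
+}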
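Review bot: The dashboard router `routers.to_traefik_dashboard` is bound to the plain-HTTP `dashboard` entry point (`dashboard.address = ":8080"`, which `networking.firewall.allowedTCPPorts = [ 80 443 8080 ];` opens to the network) and carries no `tls` block, so the basicAuth credentials checked against `usersFile` travel in cleartext. Either terminate TLS on that router the same way the gitea router does, `tls.certResolver = "le";`, or keep the dashboard off the public interface with `dashboard.address = "127.0.0.1:8080";` and drop 8080 from the firewall list. `api = { }` leaves Traefik's `insecure` setting at its default (off), so the dashboard is reachable only through this authenticated router; a one-line comment on the `api = { };` line saying so, e.g. `# dashboard is exposed only via the authenticated to_traefik_dashboard router`, would keep a later edit from adding `insecure = true` casually.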
BIN
secrets/traefik-dashboard-basicauth-users.age
Normal file
BIN
secrets/traefik-dashboard-basicauth-users.age
Normal file
Binary file not shown.