machines/magenta: use docker traefik to connect to swarm network
This commit is contained in:
parent
6fd22d8d33
commit
d2bcfa801e
4 changed files with 82 additions and 11 deletions
|
@ -114,7 +114,7 @@ in
|
|||
};
|
||||
services.gitea = {
|
||||
loadBalancer.servers = [
|
||||
{ url = "http://localhost:${toString giteaCfg.httpPort}"; }
|
||||
{ url = "http://host.docker.internal:${toString giteaCfg.httpPort}"; }
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,23 +1,93 @@
|
|||
{ config, lib, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
magentaData = import ../data.secret.nix;
|
||||
|
||||
dataDir = "/var/lib/traefik";
|
||||
|
||||
traefikCfg = config.services.traefik;
|
||||
|
||||
magentaData = import ../data.secret.nix;
|
||||
user = "traefik";
|
||||
group = "traefik";
|
||||
|
||||
dynamicConfigFile = pkgs.runCommand "config.toml"
|
||||
{
|
||||
buildInputs = [ pkgs.remarshal ];
|
||||
preferLocalBuild = true;
|
||||
}
|
||||
''
|
||||
remarshal -if json -of toml \
|
||||
< ${pkgs.writeText "dynamic_config.json" (builtins.toJSON traefikCfg.dynamicConfigOptions)} \
|
||||
> $out
|
||||
'';
|
||||
|
||||
staticConfigFile = pkgs.runCommand "config.toml"
|
||||
{
|
||||
buildInputs = [ pkgs.yj ];
|
||||
preferLocalBuild = true;
|
||||
}
|
||||
''
|
||||
yj -jt -i \
|
||||
< ${
|
||||
pkgs.writeText "static_config.json" (builtins.toJSON
|
||||
(lib.recursiveUpdate traefikCfg.staticConfigOptions {
|
||||
providers.file.filename = "${dynamicConfigFile}";
|
||||
}))
|
||||
} \
|
||||
> $out
|
||||
'';
|
||||
|
||||
mirrorVolume = path: "${path}:${path}";
|
||||
in
|
||||
{
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 8080 ];
|
||||
|
||||
users.users.${user} = {
|
||||
isSystemUser = true;
|
||||
createHome = true;
|
||||
home = dataDir;
|
||||
inherit group;
|
||||
};
|
||||
users.groups.${group} = { };
|
||||
users.groups.docker.members = [ user ];
|
||||
|
||||
systemd.tmpfiles.rules = [ "d '${dataDir}' 0700 ${user} ${group} - -" ];
|
||||
|
||||
age.secrets.traefik-dashboard-basicauth-users = {
|
||||
file = ../../../secrets/traefik-dashboard-basicauth-users.age;
|
||||
owner = "traefik";
|
||||
inherit (traefikCfg) group;
|
||||
owner = user;
|
||||
inherit group;
|
||||
};
|
||||
|
||||
users.groups.docker.members = [ "traefik" ];
|
||||
virtualisation.oci-containers = {
|
||||
backend = "docker";
|
||||
containers.traefik = {
|
||||
image = "traefik:v2.9";
|
||||
cmd = [
|
||||
"--configFile=${staticConfigFile}"
|
||||
];
|
||||
extraOptions = [
|
||||
# enable host.docker.internal
|
||||
"--add-host=host.docker.internal:host-gateway"
|
||||
# attach to overlay network
|
||||
"--network=traefik_public"
|
||||
];
|
||||
ports = [
|
||||
"80:80"
|
||||
"443:443"
|
||||
"8080:8080"
|
||||
];
|
||||
volumes = [
|
||||
"${mirrorVolume "/var/run/docker.sock"}:ro"
|
||||
"${mirrorVolume dataDir}"
|
||||
"${mirrorVolume staticConfigFile}:ro"
|
||||
"${mirrorVolume dynamicConfigFile}:ro"
|
||||
"${mirrorVolume config.age.secrets.traefik-dashboard-basicauth-users.path}:ro"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.traefik = {
|
||||
enable = true;
|
||||
staticConfigOptions = {
|
||||
entryPoints = {
|
||||
http = {
|
||||
|
@ -34,17 +104,18 @@ in
|
|||
log = { };
|
||||
accessLog = { };
|
||||
certificatesResolvers.le.acme = {
|
||||
storage = "${traefikCfg.dataDir}/acme.json";
|
||||
storage = "${dataDir}/acme.json";
|
||||
email = "dmitriy@pleshevski.ru";
|
||||
tlschallenge = true;
|
||||
};
|
||||
providers.docker = {
|
||||
network = "rp_public";
|
||||
network = "traefik_public";
|
||||
constraints = "Label(`traefik.constraint-label`, `${config.networking.hostName}_public`)";
|
||||
exposedByDefault = false;
|
||||
swarmMode = true;
|
||||
};
|
||||
};
|
||||
|
||||
dynamicConfigOptions.http = {
|
||||
routers.to_traefik_dashboard = {
|
||||
rule = "Host(`${magentaData.addr}`)";
|
||||
|
@ -59,5 +130,4 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
@ -62,7 +62,7 @@ in
|
|||
};
|
||||
services.woodpecker_server = {
|
||||
loadBalancer.servers = [
|
||||
{ url = "http://localhost:${toString port}"; }
|
||||
{ url = "http://host.docker.internal:${toString port}"; }
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
@ -10,5 +10,6 @@
|
|||
networking.firewall = {
|
||||
allowedTCPPorts = [ 2376 2377 7946 ];
|
||||
allowedUDPPorts = [ 7946 4789 ];
|
||||
trustedInterfaces = [ "docker0" "docker_gwbridge" ];
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue