machines/magenta: use docker traefik to connect to swarm network

This commit is contained in:
Dmitriy Pleshevskiy 2023-03-11 09:07:24 +03:00
parent 6fd22d8d33
commit d2bcfa801e
Signed by: pleshevskiy
GPG key ID: 79C4487B44403985
4 changed files with 82 additions and 11 deletions


@ -114,7 +114,7 @@ in
};
services.gitea = {
loadBalancer.servers = [
{ url = "http://localhost:${toString giteaCfg.httpPort}"; }
{ url = "http://host.docker.internal:${toString giteaCfg.httpPort}"; }
];
};
};
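Review bot: Pointing the gitea loadBalancer at `http://host.docker.internal:...` means the request now leaves the traefik container over the docker bridge and arrives on the host's gateway address, so gitea can no longer listen on 127.0.0.1 only; if its HTTP listen address is still loopback (not visible in this hunk) the target is unreachable and traefik will return 502. Once gitea binds to the bridge address, its plain-HTTP port is reachable by any container on that bridge directly, bypassing traefik's TLS and middlewares, which is worth recording next to the url: `# reached from the traefik container via host-gateway: gitea must listen on the docker0 address, and that port is then open to every container on the bridge`. The attribute set enclosing `services.gitea` begins before the hunk.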


@ -1,23 +1,93 @@
{ config, lib, ... }:
{ config, lib, pkgs, ... }:
let
magentaData = import ../data.secret.nix;
dataDir = "/var/lib/traefik";
traefikCfg = config.services.traefik;
magentaData = import ../data.secret.nix;
user = "traefik";
group = "traefik";
dynamicConfigFile = pkgs.runCommand "config.toml"
{
buildInputs = [ pkgs.remarshal ];
preferLocalBuild = true;
}
''
remarshal -if json -of toml \
< ${pkgs.writeText "dynamic_config.json" (builtins.toJSON traefikCfg.dynamicConfigOptions)} \
> $out
'';
staticConfigFile = pkgs.runCommand "config.toml"
{
buildInputs = [ pkgs.yj ];
preferLocalBuild = true;
}
''
yj -jt -i \
< ${
pkgs.writeText "static_config.json" (builtins.toJSON
(lib.recursiveUpdate traefikCfg.staticConfigOptions {
providers.file.filename = "${dynamicConfigFile}";
}))
} \
> $out
'';
mirrorVolume = path: "${path}:${path}";
in
{
networking.firewall.allowedTCPPorts = [ 80 443 8080 ];
users.users.${user} = {
isSystemUser = true;
createHome = true;
home = dataDir;
inherit group;
};
users.groups.${group} = { };
users.groups.docker.members = [ user ];
systemd.tmpfiles.rules = [ "d '${dataDir}' 0700 ${user} ${group} - -" ];
age.secrets.traefik-dashboard-basicauth-users = {
file = ../../../secrets/traefik-dashboard-basicauth-users.age;
owner = "traefik";
inherit (traefikCfg) group;
owner = user;
inherit group;
};
users.groups.docker.members = [ "traefik" ];
virtualisation.oci-containers = {
backend = "docker";
containers.traefik = {
image = "traefik:v2.9";
cmd = [
"--configFile=${staticConfigFile}"
];
extraOptions = [
# enable host.docker.internal
"--add-host=host.docker.internal:host-gateway"
# attach to overlay network
"--network=traefik_public"
];
ports = [
"80:80"
"443:443"
"8080:8080"
];
volumes = [
"${mirrorVolume "/var/run/docker.sock"}:ro"
"${mirrorVolume dataDir}"
"${mirrorVolume staticConfigFile}:ro"
"${mirrorVolume dynamicConfigFile}:ro"
"${mirrorVolume config.age.secrets.traefik-dashboard-basicauth-users.path}:ro"
];
};
};
services.traefik = {
enable = true;
staticConfigOptions = {
entryPoints = {
http = {
@ -34,17 +104,18 @@ in
log = { };
accessLog = { };
certificatesResolvers.le.acme = {
storage = "${traefikCfg.dataDir}/acme.json";
storage = "${dataDir}/acme.json";
email = "dmitriy@pleshevski.ru";
tlschallenge = true;
};
providers.docker = {
network = "rp_public";
network = "traefik_public";
constraints = "Label(`traefik.constraint-label`, `${config.networking.hostName}_public`)";
exposedByDefault = false;
swarmMode = true;
};
};
dynamicConfigOptions.http = {
routers.to_traefik_dashboard = {
rule = "Host(`${magentaData.addr}`)";
@ -59,5 +130,4 @@ in
};
};
};
}
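Review bot: The `:ro` on the `/var/run/docker.sock` bind mount in the container's `volumes` is not a safeguard: a read-only mount affects only the filesystem node, while connect()/write() on the unix socket still work, so the traefik container holds the full Docker API, which with `swarmMode = true` is root-equivalent on the host plus the ability to schedule services anywhere in the swarm. The container also runs as root (no `--user` in `extraOptions`), so a compromise of the traefik process is a compromise of the host. The usual mitigation is a docker-socket proxy on the overlay network that permits only the read-only endpoints the docker provider polls, with `providers.docker.endpoint` pointed at it; failing that, the mount deserves `# NOTE: ':ro' does not restrict the Docker API — this grants root-equivalent access to the host and the swarm` so nobody mistakes it for a restriction. Separately, 8080 is both published in `ports` and opened in `networking.firewall.allowedTCPPorts` while the dashboard already has a Host-routed router behind the basicauth secret; the `api` section of `staticConfigOptions` lies outside this hunk, so whether 8080 is an unauthenticated `api.insecure` listener or just an unused hole cannot be confirmed here, but I would drop it from both lists unless something depends on it.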


@ -62,7 +62,7 @@ in
};
services.woodpecker_server = {
loadBalancer.servers = [
{ url = "http://localhost:${toString port}"; }
{ url = "http://host.docker.internal:${toString port}"; }
];
};
};
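Review bot: `http://host.docker.internal:${toString port}` resolves, via the `host-gateway` add-host entry, to the host's address on the docker bridge, so woodpecker's server must be bound beyond loopback for this loadBalancer target to work; its listen address is not visible in this hunk, and if it is still 127.0.0.1 traefik gets connection refused. The flip side is that the plain-HTTP port then answers to every container on the bridge, not only traefik, skipping TLS and any middlewares configured on the router. A short comment on the url, `# reached via host-gateway: woodpecker must listen on the bridge address, which also exposes this port to every container on docker0`, keeps that trade-off visible. The attribute set enclosing `services.woodpecker_server` begins before the hunk.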


@ -10,5 +10,6 @@
networking.firewall = {
allowedTCPPorts = [ 2376 2377 7946 ];
allowedUDPPorts = [ 7946 4789 ];
trustedInterfaces = [ "docker0" "docker_gwbridge" ];
};
}
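Review bot: `trustedInterfaces = [ "docker0" "docker_gwbridge" ]` accepts every packet arriving on those interfaces, so any container on the default bridge or on a swarm overlay (whose host-bound traffic egresses through docker_gwbridge) can reach every service listening on 0.0.0.0 on the host — not only the gitea and woodpecker ports traefik now needs but also sshd and the 2376/2377 daemon ports allowed in the same block. The least-privilege form opens just the upstream ports on those interfaces and leaves `trustedInterfaces` unset, e.g. `networking.firewall.interfaces.docker0.allowedTCPPorts = [ <gitea http port> <woodpecker port> ];` with the same entry for `docker_gwbridge`, the two port values coming from the gitea and woodpecker modules. If the blanket trust is deliberate, say so above the line, `# containers on the bridges are treated as fully trusted: they can reach every host-bound port`, so the next reader does not tighten or loosen it blindly.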