diff --git a/hosts/m3-helios/default.nix b/hosts/m3-helios/default.nix
index 3e17ab6..0d317fe 100644
--- a/hosts/m3-helios/default.nix
+++ b/hosts/m3-helios/default.nix
@@ -37,6 +37,7 @@
 ../common
 ./configuration.nix
 ./programs.nix
+ ./secrets.nix
 ./services
 ];
diff --git a/hosts/m3-helios/secrets.nix b/hosts/m3-helios/secrets.nix
new file mode 100644
index 0000000..9ab40c8
--- /dev/null
+++ b/hosts/m3-helios/secrets.nix
@@ -0,0 +1,15 @@
+{
+ age = {
+ secrets = {
+ traefik = {
+ file = ../../secrets/traefik.age;
+ mode = "770";
+ owner = "traefik";
+ };
+ m3tam3re-secrets = {
+ file = ../../secrets/m3tam3re-secrets.age;
+ owner = "m3tam3re";
+ };
+ };
+ };
+}
diff --git a/hosts/m3-helios/services/adguard.nix b/hosts/m3-helios/services/adguard.nix
index 2bc68f7..0af8890 100644
--- a/hosts/m3-helios/services/adguard.nix
+++ b/hosts/m3-helios/services/adguard.nix
@@ -12,4 +12,6 @@
 };
 };
 };
+ networking.firewall.allowedTCPPorts = [53];
+ networking.firewall.allowedUDPPorts = [53];
 }
diff --git a/hosts/m3-helios/services/default.nix b/hosts/m3-helios/services/default.nix
index 2fed452..ea619e6 100644
--- a/hosts/m3-helios/services/default.nix
+++ b/hosts/m3-helios/services/default.nix
@@ -2,6 +2,7 @@
 imports = [
 ./adguard.nix
 ./containers
+ ./traefik.nix
 ];
 systemd.sleep.extraConfig = ''
 AllowSuspend=no
diff --git a/hosts/m3-helios/services/traefik.nix b/hosts/m3-helios/services/traefik.nix
new file mode 100644
index 0000000..edda2d6
--- /dev/null
+++ b/hosts/m3-helios/services/traefik.nix
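Review bot: `mode = "770";` on the `traefik` secret grants write and execute permission that a file consumed only through `EnvironmentFile` never needs, and because no `group` is set, the default group receives rwx as well; `mode = "0400";` is sufficient here, since systemd reads `EnvironmentFile=` itself before dropping to the service user, and `"0440"` together with `group = "traefik";` is the alternative if the traefik process must open the file directly. The `m3tam3re-secrets` entry below it relies on agenix's restrictive default mode, so the two declarations are also inconsistent with each other.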
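Review bot: `networking.firewall.allowedTCPPorts = [53];` and the UDP line beneath it open DNS on every interface of m3-helios, not only the local network, so any WAN, VPN or overlay interface the host has or gains later makes AdGuard a reachable resolver from that side. Scoping the rule to the LAN device keeps the exposure explicit: `networking.firewall.interfaces."<lan-interface>".allowedTCPPorts = [53];` and the matching `allowedUDPPorts`, with `<lan-interface>` replaced by the host's actual device name. NixOS merges list-typed options, so the global form coexists with the `[80 443]` entry traefik.nix adds to the same list, but that merge is also why nothing here restricts where 53 is answered. The attrset this hunk closes starts outside the visible lines.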
@@ -0,0 +1,78 @@
+{config, ...}: {
+ services.traefik = {
+ enable = true;
+ staticConfigOptions = {
+ log = {level = "WARN";};
+ certificatesResolvers = {
+ godaddy = {
+ acme = {
+ email = "letsencrypt.org.btlc2@passmail.net";
+ storage = "/var/lib/traefik/acme.json";
+ caserver = "https://acme-v02.api.letsencrypt.org/directory";
+ dnsChallenge = {
+ provider = "godaddy";
+ };
+ };
+ };
+ };
+ api = {};
+ entryPoints = {
+ web = {
+ address = ":80";
+ http.redirections.entryPoint = {
+ to = "websecure";
+ scheme = "https";
+ };
+ };
+ websecure = {address = ":443";};
+ };
+ };
+ dynamicConfigOptions = {
+ http = {
+ middlewares = {
+ auth = {
+ basicAuth = {
+ users = ["m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh."];
+ };
+ };
+ };
+ services = {
+ m3-prox-1.loadBalancer.servers = [{url = "http://192.168.178.200:8006";}];
+ ag.loadBalancer.servers = [{url = "http://192.168.178.210:3000";}];
+ };
+ routers = {
+ api = {
+ rule = "Host(`traefik.l.m3tam3re.com`)";
+ service = "api@internal";
+ middlewares = ["auth"];
+ entrypoints = ["websecure"];
+ tls = {
+ certResolver = "godaddy";
+ };
+ };
+ m3-prox-1 = {
+ rule = "Host(`m3-prox-1.l.m3tam3re.com`)";
+ service = "m3-prox-1";
+ entrypoints = ["websecure"];
+ tls = {
+ certResolver = "godaddy";
+ };
+ };
+ ag = {
+ rule = "Host(`ag.l.m3tam3re.com`)";
+ service = "ag";
+ entrypoints = ["websecure"];
+ tls = {
+ certResolver = "godaddy";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ systemd.services.traefik.serviceConfig = {
+ EnvironmentFile = ["${config.age.secrets.traefik.path}"];
+ };
+ networking.firewall.allowedTCPPorts = [80 443];
+}
diff --git a/secrets.nix b/secrets.nix
index 13db831..b157f18 100644
--- a/secrets.nix
+++ b/secrets.nix
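Review bot: The htpasswd entry on the `users = ["m3tam3re:$apr1$…"]` line is baked into the Nix store, which is world-readable on the host, and into git history, and `$apr1$` is an MD5-based scheme; move it out of the repository with `basicAuth.usersFile = config.age.secrets."<traefik-users-secret>".path;` (a new agenix secret holding the htpasswd line, placeholder name) and regenerate the entry as bcrypt, which Traefik's basicAuth accepts. The dashboard behind `api@internal` is the only thing the `auth` middleware guards, so it is also worth adding `accessLog = {};` next to `log = {level = "WARN";}` so that authentication failures and proxied requests leave a trail. The `EnvironmentFile` entry can simply be `[config.age.secrets.traefik.path]`; the `"${…}"` wrapping is redundant. The `m3-prox-1` backend is addressed as `http://…:8006`; if that is a Proxmox VE node, its web proxy serves TLS only on 8006, so that router will need an `https://` URL plus a `serversTransport` that trusts the node's CA rather than skipping verification.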
@@ -2,14 +2,17 @@
 let
 # SYSTEMS
 m3-ares = "ssh-rsa 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";
 m3-kratos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDl+LtFGsk/A7BvxwiUCyq5wjRzGtQSrBJzzLGxINF4O";
+ m3-helios = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIyHuLITpI+M45ZZem33wDusY2X988mBoWpD1HDeZNRJ";
 systems = [
 m3-ares
+ m3-helios
 m3-kratos
 ];
 in {
 "secrets/m3tam3re-secrets.age".publicKeys = systems;
 "secrets/tailscale-key.age".publicKeys = systems;
+ "secrets/traefik.age".publicKeys = systems;
 "secrets/wg-DE.age".publicKeys = systems;
 "secrets/wg-NL.age".publicKeys = systems;
 "secrets/wg-NO.age".publicKeys = systems;
diff --git a/secrets/m3tam3re-secrets.age b/secrets/m3tam3re-secrets.age
index 66aab85..4d8d5b3 100644
Binary files a/secrets/m3tam3re-secrets.age and b/secrets/m3tam3re-secrets.age differ
diff --git a/secrets/tailscale-key.age b/secrets/tailscale-key.age
index 9ff3ac2..ea8df18 100644
Binary files a/secrets/tailscale-key.age and b/secrets/tailscale-key.age differ
diff --git a/secrets/traefik.age b/secrets/traefik.age
new file mode 100644
index 0000000..6c60124
Binary files /dev/null and b/secrets/traefik.age differ
diff --git a/secrets/wg-BR.age b/secrets/wg-BR.age
index 1018244..0205336 100644
Binary files a/secrets/wg-BR.age and b/secrets/wg-BR.age differ
diff --git a/secrets/wg-DE.age b/secrets/wg-DE.age
index 11ac80b..092584e 100644
Binary files a/secrets/wg-DE.age and b/secrets/wg-DE.age differ
diff --git a/secrets/wg-NL.age b/secrets/wg-NL.age
index 6755197..bef787c 100644
Binary files a/secrets/wg-NL.age and b/secrets/wg-NL.age differ
diff --git a/secrets/wg-NO.age b/secrets/wg-NO.age
index 4607ff9..e7733f2 100644
Binary files a/secrets/wg-NO.age and b/secrets/wg-NO.age differ
diff --git a/secrets/wg-US.age b/secrets/wg-US.age
index aa2bda3..9133d8d 100644
Binary files a/secrets/wg-US.age and b/secrets/wg-US.age differ
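Review bot: `"secrets/traefik.age".publicKeys = systems;` lets every host key in `systems` (m3-ares, m3-kratos and the newly added m3-helios) decrypt the Traefik credentials, although only m3-helios consumes them via hosts/m3-helios/secrets.nix; scoping it to `"secrets/traefik.age".publicKeys = [m3-helios];` keeps a compromise of either other host from exposing that secret. Whether the other entries in this list are genuinely shared across all three hosts cannot be judged from this hunk, but the same least-privilege question applies to each of them. The `let … in` attrset edited here continues before and after the visible lines.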