*basic traefik

2024-11-17 18:29:52 +01:00 · 2024-11-17 18:29:52 +01:00 · 1864141a1b
commit 1864141a1b
parent 79df3dd5c7
14 changed files with 100 additions and 0 deletions
--- a/hosts/m3-helios/default.nix
+++ b/hosts/m3-helios/default.nix
@ -37,6 +37,7 @@
    ../common
    ./configuration.nix
    ./programs.nix
+    ./secrets.nix
    ./services
  ];

--- a/hosts/m3-helios/secrets.nix
+++ b/hosts/m3-helios/secrets.nix
@ -0,0 +1,15 @@
+{
+  age = {
+    secrets = {
+      traefik = {
+        file = ../../secrets/traefik.age;
+        mode = "770";
+        owner = "traefik";
+      };
+      m3tam3re-secrets = {
+        file = ../../secrets/m3tam3re-secrets.age;
+        owner = "m3tam3re";
+      };
+    };
+  };
+}
--- a/hosts/m3-helios/services/adguard.nix
+++ b/hosts/m3-helios/services/adguard.nix
@ -12,4 +12,6 @@
      };
    };
  };
+  networking.firewall.allowedTCPPorts = [53];
+  networking.firewall.allowedUDPPorts = [53];
 }
--- a/hosts/m3-helios/services/default.nix
+++ b/hosts/m3-helios/services/default.nix
@ -2,6 +2,7 @@
  imports = [
    ./adguard.nix
    ./containers
+    ./traefik.nix
  ];
  systemd.sleep.extraConfig = ''
    AllowSuspend=no
--- a/hosts/m3-helios/services/traefik.nix
+++ b/hosts/m3-helios/services/traefik.nix
@ -0,0 +1,78 @@
+{config, ...}: {
+  services.traefik = {
+    enable = true;
+    staticConfigOptions = {
+      log = {level = "WARN";};
+      certificatesResolvers = {
+        godaddy = {
+          acme = {
+            email = "letsencrypt.org.btlc2@passmail.net";
+            storage = "/var/lib/traefik/acme.json";
+            caserver = "https://acme-v02.api.letsencrypt.org/directory";
+            dnsChallenge = {
+              provider = "godaddy";
+            };
+          };
+        };
+      };
+      api = {};
+      entryPoints = {
+        web = {
+          address = ":80";
+          http.redirections.entryPoint = {
+            to = "websecure";
+            scheme = "https";
+          };
+        };
+        websecure = {address = ":443";};
+      };
+    };
+    dynamicConfigOptions = {
+      http = {
+        middlewares = {
+          auth = {
+            basicAuth = {
+              users = ["m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh."];
+            };
+          };
+        };
+        services = {
+          m3-prox-1.loadBalancer.servers = [{url = "http://192.168.178.200:8006";}];
+          ag.loadBalancer.servers = [{url = "http://192.168.178.210:3000";}];
+        };
+        routers = {
+          api = {
+            rule = "Host(`traefik.l.m3tam3re.com`)";
+            service = "api@internal";
+            middlewares = ["auth"];
+            entrypoints = ["websecure"];
+            tls = {
+              certResolver = "godaddy";
+            };
+          };
+          m3-prox-1 = {
+            rule = "Host(`m3-prox-1.l.m3tam3re.com`)";
+            service = "m3-prox-1";
+            entrypoints = ["websecure"];
+            tls = {
+              certResolver = "godaddy";
+            };
+          };
+          ag = {
+            rule = "Host(`ag.l.m3tam3re.com`)";
+            service = "ag";
+            entrypoints = ["websecure"];
+            tls = {
+              certResolver = "godaddy";
+            };
+          };
+        };
+      };
+    };
+  };
+
+  systemd.services.traefik.serviceConfig = {
+    EnvironmentFile = ["${config.age.secrets.traefik.path}"];
+  };
+  networking.firewall.allowedTCPPorts = [80 443];
+}
--- a/secrets.nix
+++ b/secrets.nix
@ -2,14 +2,17 @@ let
  # SYSTEMS
  m3-ares = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3YEmpYbM+cpmyD10tzNRHEn526Z3LJOzYpWEKdJg8DaYyPbDn9iyVX30Nja2SrW4Wadws0Y8DW+Urs25/wVB6mKl7jgPJVkMi5hfobu3XAz8gwSdjDzRSWJrhjynuaXiTtRYED2INbvjLuxx3X8coNwMw58OuUuw5kNJp5aS2qFmHEYQErQsGT4MNqESe3jvTP27Z5pSneBj45LmGK+RcaSnJe7hG+KRtjuhjI7RdzMeDCX73SfUsal+rHeuEw/mmjYmiIItXhFTDn8ZvVwpBKv7xsJG90DkaX2vaTk0wgJdMnpVIuIRBa4EkmMWOQ3bMLGkLQeK/4FUkNcvQ/4+zcZsg4cY9Q7Fj55DD41hAUdF6SYODtn5qMPsTCnJz44glHt/oseKXMSd556NIw2HOvihbJW7Rwl4OEjGaO/dF4nUw4c9tHWmMn9dLslAVpUuZOb7ykgP0jk79ldT3Dv+2Hj0CdAWT2cJAdFX58KQ9jUPT3tBnObSF1lGMI7t77VU=";
  m3-kratos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDl+LtFGsk/A7BvxwiUCyq5wjRzGtQSrBJzzLGxINF4O";
+  m3-helios = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIyHuLITpI+M45ZZem33wDusY2X988mBoWpD1HDeZNRJ";

  systems = [
    m3-ares
+    m3-helios
    m3-kratos
  ];
 in {
  "secrets/m3tam3re-secrets.age".publicKeys = systems;
  "secrets/tailscale-key.age".publicKeys = systems;
+  "secrets/traefik.age".publicKeys = systems;
  "secrets/wg-DE.age".publicKeys = systems;
  "secrets/wg-NL.age".publicKeys = systems;
  "secrets/wg-NO.age".publicKeys = systems;
--- a/secrets/m3tam3re-secrets.age
+++ b/secrets/m3tam3re-secrets.age
--- a/secrets/tailscale-key.age
+++ b/secrets/tailscale-key.age
--- a/secrets/traefik.age
+++ b/secrets/traefik.age
--- a/secrets/wg-BR.age
+++ b/secrets/wg-BR.age
--- a/secrets/wg-DE.age
+++ b/secrets/wg-DE.age
--- a/secrets/wg-NL.age
+++ b/secrets/wg-NL.age
--- a/secrets/wg-NO.age
+++ b/secrets/wg-NO.age
--- a/secrets/wg-US.age
+++ b/secrets/wg-US.age