2024-02-08 12:04:15 -05:00
|
|
|
{ config, ... }:
|
|
|
|
|
{
|
|
|
|
|
sops.secrets.cloudflare-api-key = { };
|
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
|
|
|
80
|
|
|
|
|
443
|
|
|
|
|
2222
|
|
|
|
|
8080
|
|
|
|
|
];
|
2023-06-24 19:11:16 -04:00
|
|
|
systemd.services.traefik = {
|
|
|
|
|
environment = {
|
|
|
|
|
CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
|
|
|
|
|
};
|
|
|
|
|
serviceConfig = {
|
2024-02-08 12:04:15 -05:00
|
|
|
EnvironmentFile = [ config.sops.secrets.cloudflare-api-key.path ];
|
2023-06-24 19:11:16 -04:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
services.traefik = {
|
|
|
|
|
enable = true;
|
|
|
|
|
dynamicConfigOptions = {
|
2023-10-07 17:06:51 -04:00
|
|
|
tcp = {
|
|
|
|
|
routers = {
|
|
|
|
|
gitssh = {
|
|
|
|
|
rule = "HostSNI(`*`)";
|
2024-02-08 12:04:15 -05:00
|
|
|
entrypoints = [ "ssh" ];
|
2023-10-07 17:06:51 -04:00
|
|
|
service = "gitssh";
|
|
|
|
|
};
|
|
|
|
|
};
|
2023-12-29 14:27:17 -05:00
|
|
|
services = {
|
2024-02-08 12:04:15 -05:00
|
|
|
gitssh.loadBalancer.servers = [ { address = "100.121.201.47:2222"; } ];
|
2023-12-29 14:27:17 -05:00
|
|
|
};
|
2023-10-07 17:06:51 -04:00
|
|
|
};
|
2023-06-24 19:11:16 -04:00
|
|
|
http = {
|
2023-10-12 02:16:22 -04:00
|
|
|
middlewares = {
|
|
|
|
|
authelia = {
|
|
|
|
|
forwardauth = {
|
|
|
|
|
address = "http://100.121.201.47:9091/api/verify?rd=https://passport.notohh.dev/";
|
|
|
|
|
trustForwardHeader = true;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
redirect-to-https = {
|
|
|
|
|
redirectscheme.scheme = "https";
|
|
|
|
|
redirectscheme.permanent = true;
|
2023-06-24 19:11:16 -04:00
|
|
|
};
|
2023-10-27 12:33:05 -04:00
|
|
|
cors = {
|
|
|
|
|
headers = {
|
|
|
|
|
accessControlAllowOriginList = "https://daphbot.notohh.dev";
|
|
|
|
|
};
|
|
|
|
|
};
|
2024-01-04 14:41:38 -05:00
|
|
|
cors-allow-all = {
|
|
|
|
|
headers = {
|
|
|
|
|
accessControlAllowOriginList = "*";
|
|
|
|
|
};
|
|
|
|
|
};
|
2023-06-24 19:11:16 -04:00
|
|
|
};
|
2024-02-08 12:04:15 -05:00
|
|
|
routers =
|
|
|
|
|
let
|
|
|
|
|
pqdn = "flake.sh";
|
|
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
api = {
|
|
|
|
|
rule = "PathPrefix(`/api/`)";
|
|
|
|
|
entrypoints = [ "websecure" ];
|
|
|
|
|
service = "api@internal";
|
|
|
|
|
};
|
|
|
|
|
authelia = {
|
|
|
|
|
rule = "Host(`passport.notohh.dev`)";
|
|
|
|
|
entrypoints = [ "websecure" ];
|
|
|
|
|
service = "authelia";
|
|
|
|
|
tls.domains = [ { main = "*.notohh.dev"; } ];
|
|
|
|
|
tls.certresolver = "production";
|
|
|
|
|
};
|
|
|
|
|
uptime-kuma = {
|
|
|
|
|
rule = "Host(`status.${pqdn}`)";
|
|
|
|
|
entrypoints = [ "websecure" ];
|
|
|
|
|
service = "uptime-kuma";
|
|
|
|
|
tls.domains = [ { main = "*.${pqdn}"; } ];
|
|
|
|
|
tls.certresolver = "production";
|
|
|
|
|
};
|
|
|
|
|
conduit = {
|
|
|
|
|
rule = "Host(`matrix.${pqdn}`)";
|
|
|
|
|
entrypoints = [ "websecure" ];
|
|
|
|
|
service = "conduit";
|
|
|
|
|
tls.domains = [ { main = "*.${pqdn}"; } ];
|
|
|
|
|
tls.certresolver = "production";
|
|
|
|
|
};
|
|
|
|
|
foundryvtt = {
|
|
|
|
|
rule = "Host(`foundry.${pqdn}`)";
|
|
|
|
|
entrypoints = [ "websecure" ];
|
|
|
|
|
service = "foundryvtt";
|
|
|
|
|
tls.domains = [ { main = "*.${pqdn}"; } ];
|
|
|
|
|
tls.certresolver = "production";
|
|
|
|
|
};
|
|
|
|
|
forgejo = {
|
|
|
|
|
rule = "Host(`git.${pqdn}`)";
|
|
|
|
|
entrypoints = [ "websecure" ];
|
|
|
|
|
service = "forgejo";
|
|
|
|
|
tls.domains = [ { main = "*.${pqdn}"; } ];
|
|
|
|
|
tls.certresolver = "production";
|
|
|
|
|
middlewares = "cors";
|
|
|
|
|
};
|
|
|
|
|
rustypaste = {
|
|
|
|
|
rule = "Host(`i.${pqdn}`)";
|
|
|
|
|
entrypoints = [ "websecure" ];
|
|
|
|
|
service = "rustypaste";
|
|
|
|
|
tls.domains = [ { main = "*.${pqdn}"; } ];
|
|
|
|
|
tls.certresolver = "production";
|
|
|
|
|
};
|
|
|
|
|
grafana = {
|
|
|
|
|
rule = "Host(`metrics.${pqdn}`)";
|
|
|
|
|
entrypoints = [ "websecure" ];
|
|
|
|
|
service = "grafana";
|
|
|
|
|
tls.domains = [ { main = "*.${pqdn}"; } ];
|
|
|
|
|
tls.certresolver = "production";
|
|
|
|
|
};
|
|
|
|
|
hedgedoc = {
|
|
|
|
|
rule = "Host(`scratch.${pqdn}`)";
|
|
|
|
|
entrypoints = [ "websecure" ];
|
|
|
|
|
service = "hedgedoc";
|
|
|
|
|
tls.domains = [ { main = "*.${pqdn}"; } ];
|
|
|
|
|
tls.certresolver = "production";
|
|
|
|
|
};
|
|
|
|
|
vaultwarden = {
|
|
|
|
|
rule = "Host(`vault.${pqdn}`)";
|
|
|
|
|
entrypoints = [ "websecure" ];
|
|
|
|
|
service = "vaultwarden";
|
|
|
|
|
tls.domains = [ { main = "*.${pqdn}"; } ];
|
|
|
|
|
tls.certresolver = "production";
|
|
|
|
|
};
|
|
|
|
|
neko = {
|
|
|
|
|
rule = "Host(`neko.${pqdn}`)";
|
|
|
|
|
entrypoints = [ "websecure" ];
|
|
|
|
|
service = "neko";
|
|
|
|
|
tls.domains = [ { main = "*.${pqdn}"; } ];
|
|
|
|
|
tls.certresolver = "production";
|
|
|
|
|
};
|
|
|
|
|
justlog = {
|
|
|
|
|
rule = "Host(`logs.${pqdn}`)";
|
|
|
|
|
entrypoints = [ "websecure" ];
|
|
|
|
|
service = "justlog";
|
|
|
|
|
tls.domains = [ { main = "*.${pqdn}"; } ];
|
|
|
|
|
tls.certresolver = "production";
|
|
|
|
|
};
|
|
|
|
|
ntfy = {
|
|
|
|
|
rule = "Host(`ntfy.${pqdn}`)";
|
|
|
|
|
entrypoints = [ "websecure" ];
|
|
|
|
|
service = "ntfy-sh";
|
|
|
|
|
tls.domains = [ { main = "*.${pqdn}"; } ];
|
|
|
|
|
tls.certresolver = "production";
|
|
|
|
|
};
|
|
|
|
|
attic = {
|
|
|
|
|
rule = "Host(`cache.${pqdn}`)";
|
|
|
|
|
entrypoints = [ "websecure" ];
|
|
|
|
|
service = "attic";
|
|
|
|
|
tls.domains = [ { main = "*.${pqdn}"; } ];
|
|
|
|
|
tls.certresolver = "production";
|
|
|
|
|
};
|
|
|
|
|
minio = {
|
|
|
|
|
rule = "Host(`s3.${pqdn}`)";
|
|
|
|
|
entrypoints = [ "websecure" ];
|
|
|
|
|
service = "minio";
|
|
|
|
|
tls.domains = [ { main = "*.${pqdn}"; } ];
|
|
|
|
|
tls.certresolver = "production";
|
|
|
|
|
middlewares = "cors-allow-all";
|
|
|
|
|
};
|
|
|
|
|
woodpecker = {
|
|
|
|
|
rule = "Host(`ci.${pqdn}`)";
|
|
|
|
|
entrypoints = [ "websecure" ];
|
|
|
|
|
service = "woodpecker";
|
|
|
|
|
tls.domains = [ { main = "*.${pqdn}"; } ];
|
|
|
|
|
tls.certresolver = "production";
|
|
|
|
|
};
|
2024-01-23 21:25:10 -05:00
|
|
|
};
|
2024-02-08 12:04:15 -05:00
|
|
|
services =
|
|
|
|
|
let
|
|
|
|
|
sakuraIp = "100.121.201.47:";
|
|
|
|
|
soraIp = "100.104.42.96:";
|
|
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
# sora
|
|
|
|
|
uptime-kuma.loadBalancer.servers = [ { url = "http://${soraIp}4000"; } ];
|
|
|
|
|
foundryvtt.loadBalancer.servers = [ { url = "http://${soraIp}30000"; } ];
|
|
|
|
|
ntfy-sh.loadBalancer.servers = [ { url = "http://${soraIp}8090"; } ];
|
|
|
|
|
attic.loadBalancer.servers = [ { url = "http://${soraIp}8200"; } ];
|
2024-02-06 13:40:38 -05:00
|
|
|
|
2024-02-08 12:04:15 -05:00
|
|
|
# sakura
|
|
|
|
|
forgejo.loadBalancer.servers = [ { url = "http://${sakuraIp}3200"; } ];
|
|
|
|
|
conduit.loadBalancer.servers = [ { url = "http://${sakuraIp}6167"; } ];
|
|
|
|
|
authelia.loadBalancer.servers = [ { url = "http://${sakuraIp}9091"; } ];
|
|
|
|
|
rustypaste.loadBalancer.servers = [ { url = "http://${sakuraIp}8000"; } ];
|
|
|
|
|
grafana.loadBalancer.servers = [ { url = "http://${sakuraIp}3100"; } ];
|
|
|
|
|
hedgedoc.loadBalancer.servers = [ { url = "http://${sakuraIp}3300"; } ];
|
|
|
|
|
vaultwarden.loadBalancer.servers = [ { url = "http://${sakuraIp}8222"; } ];
|
|
|
|
|
searxng.loadBalancer.servers = [ { url = "http://${sakuraIp}8100"; } ];
|
|
|
|
|
justlog.loadBalancer.servers = [ { url = "http://${sakuraIp}8025"; } ];
|
2024-02-06 13:40:38 -05:00
|
|
|
|
2024-02-08 12:04:15 -05:00
|
|
|
# kaze
|
|
|
|
|
minio.loadBalancer.servers = [ { url = "http://100.69.79.81:9005"; } ];
|
2024-02-06 13:40:38 -05:00
|
|
|
|
2024-02-08 12:04:15 -05:00
|
|
|
# tsuru
|
|
|
|
|
woodpecker.loadBalancer.servers = [ { url = "http://100.82.146.40:8200"; } ];
|
|
|
|
|
};
|
2023-06-24 19:11:16 -04:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
staticConfigOptions = {
|
|
|
|
|
log.level = "DEBUG";
|
2024-01-25 09:35:18 -05:00
|
|
|
api.dashboard = false;
|
2024-01-31 09:41:25 -05:00
|
|
|
api.insecure = false;
|
2023-06-24 19:11:16 -04:00
|
|
|
global = {
|
|
|
|
|
checkNewVersion = false;
|
2024-01-31 09:41:25 -05:00
|
|
|
sendAnonymousUsage = true;
|
2023-06-24 19:11:16 -04:00
|
|
|
};
|
|
|
|
|
entryPoints = {
|
|
|
|
|
websecure = {
|
|
|
|
|
address = ":443";
|
|
|
|
|
};
|
|
|
|
|
web = {
|
|
|
|
|
address = ":80";
|
2023-12-29 15:03:46 -05:00
|
|
|
http.redirections.entryPoint = {
|
|
|
|
|
to = "websecure";
|
|
|
|
|
scheme = "https";
|
|
|
|
|
};
|
2023-06-24 19:11:16 -04:00
|
|
|
};
|
2023-12-29 14:27:17 -05:00
|
|
|
ssh = {
|
2023-10-07 17:06:51 -04:00
|
|
|
address = ":2222";
|
|
|
|
|
};
|
2023-06-24 19:11:16 -04:00
|
|
|
};
|
|
|
|
|
metrics = {
|
|
|
|
|
prometheus = {
|
|
|
|
|
addServicesLabels = true;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
certificatesResolvers = {
|
|
|
|
|
staging.acme = {
|
|
|
|
|
email = "x3xr6n66@notohh.dev";
|
|
|
|
|
storage = "/var/lib/traefik/acme.json";
|
|
|
|
|
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
|
|
|
|
dnsChallenge = {
|
|
|
|
|
provider = "cloudflare";
|
2024-02-08 12:04:15 -05:00
|
|
|
resolvers = [
|
|
|
|
|
"1.1.1.1:53"
|
|
|
|
|
"1.0.0.1:53"
|
|
|
|
|
];
|
2023-06-24 19:11:16 -04:00
|
|
|
delayBeforeCheck = "0";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
production.acme = {
|
|
|
|
|
email = "x3xr6n66@notohh.dev";
|
|
|
|
|
storage = "/var/lib/traefik/acme.json";
|
|
|
|
|
caServer = "https://acme-v02.api.letsencrypt.org/directory";
|
|
|
|
|
dnsChallenge = {
|
|
|
|
|
provider = "cloudflare";
|
2024-02-08 12:04:15 -05:00
|
|
|
resolvers = [
|
|
|
|
|
"1.1.1.1:53"
|
|
|
|
|
"1.0.0.1:53"
|
|
|
|
|
];
|
2023-06-24 19:11:16 -04:00
|
|
|
delayBeforeCheck = "0";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
