diff --git a/hosts/yuki/services/default.nix b/hosts/yuki/services/default.nix
index 14642b9..2e414b5 100644
--- a/hosts/yuki/services/default.nix
+++ b/hosts/yuki/services/default.nix
@@ -1,5 +1,6 @@
 {...}: {
 imports = [
+ ./traefik.nix
 ./kanboard.nix
 ];
 }
diff --git a/hosts/yuki/services/traefik.nix b/hosts/yuki/services/traefik.nix
new file mode 100644
index 0000000..d86e60d
--- /dev/null
+++ b/hosts/yuki/services/traefik.nix
@@ -0,0 +1,69 @@
+{config, ...}: {
+ sops.secrets.cloudflare-api-key = {};
+ networking.firewall.allowedTCPPorts = [80 443];
+ systemd.services.traefik = {
+ environment = {
+ CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
+ };
+ serviceConfig = {
+ EnvironmentFile = [config.sops.secrets.cloudflare-api-key.path];
+ };
+ };
+ services.traefik = {
+ enable = true;
+ dynamicConfigOptions = {
+ http = {
+ routers = {
+ api = {
+ rule = "PathPrefix(`/api/`)";
+ entryPoints = ["websecure"];
+ service = "api@internal";
+ };
+ kanboard = {
+ rule = "Host(`kanboard.home.arpa`)";
+ entryPoints = ["web"];
+ service = "kanboard";
+ };
+ };
+ services = {
+ kanboard.loadBalancer.servers = [{url = "http://localhost:8080";}];
+ };
+ };
+ };
+ staticConfigOptions = {
+ log.level = "DEBUG";
+ api.dashboard = false;
+ api.insecure = false;
+ global = {
+ checkNewVersion = false;
+ sendAnonymousUsage = false;
+ };
+ entryPoints = {
+ websecure.address = ":443";
+ web.address = ":80";
+ };
+ certificatesResolvers = {
+ staging.acme = {
+ email = "x3xr6n66@notohh.dev";
+ storage = "/var/lib/traefik/acme.json";
+ caServer = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ dnsChallenge = {
+ provider = "cloudflare";
+ resolvers = ["1.1.1.1:53" "1.0.0.1:53"];
+ delayBeforeCheck = "0";
+ };
+ };
+ production.acme = {
+ email = "x3xr6n66@notohh.dev";
+ storage = "/var/lib/traefik/acme.json";
+ caServer = "https://acme-v02.api.letsencrypt.org/directory";
+ dnsChallenge = {
+ provider = "cloudflare";
+ resolvers = ["1.1.1.1:53" "1.0.0.1:53"];
+ delayBeforeCheck = "0";
+ };
+ };
+ };
+ };
+ };
+}
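Review bot: The `api` router hands `api@internal` to the `websecure` entry point with no middleware and, since no router in the hunk sets `tls`, the entry point answers plain HTTP on :443 (which `allowedTCPPorts` opens), so any client that can reach the host can read the complete routing configuration under `/api/` without authenticating; `api.dashboard = false` only removes the dashboard UI, not the API endpoints. Attach an authentication middleware and bind the router to a certificate, e.g. `middlewares = ["api-auth"];` and `tls.certResolver = "production";` on the `api` router, with the matching `http.middlewares.api-auth.basicAuth` users list loaded from a sops-managed file rather than written into the Nix store, or drop the router entirely if the API is not needed. The `kanboard` router is likewise bound only to `web` (:80) with no TLS, so the two ACME resolvers defined below are never used by any router; either move it to `websecure` with a `certResolver` or document why plaintext is intended on this host. Separately, `staging.acme` and `production.acme` both use `storage = "/var/lib/traefik/acme.json"`; as far as I recall Traefik requires a distinct storage file per resolver, so one of them should get its own path (and the unused `staging` resolver could simply be removed).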