diff --git a/hosts/sora/services/default.nix b/hosts/sora/services/default.nix
index 39f2da1..9eeb66f 100644
--- a/hosts/sora/services/default.nix
+++ b/hosts/sora/services/default.nix
@@ -1,5 +1,6 @@
 {...}: {
 imports = [
+ ./traefik.nix
 ./uptimekuma.nix
 ];
 }
diff --git a/hosts/sora/services/traefik.nix b/hosts/sora/services/traefik.nix
new file mode 100644
index 0000000..c1232df
--- /dev/null
+++ b/hosts/sora/services/traefik.nix
@@ -0,0 +1,86 @@
+{config, ...}: {
+ sops.secrets.cloudflare-api-key = {};
+ networking.firewall.allowedTCPPorts = [80 443];
+ systemd.services.traefik = {
+ environment = {
+ CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
+ };
+ serviceConfig = {
+ EnvironmentFile = [config.sops.secrets.cloudflare-api-key.path];
+ };
+ };
+ services.traefik = {
+ enable = true;
+ dynamicConfigOptions = {
+ http = {
+ middlewares.authelia = {
+ forwardauth = {
+ address = "http://100.121.201.47:9091/api/verify?rd=https://passport.notohh.dev/";
+ trustForwardHeader = true;
+ };
+ };
+ routers = {
+ api = {
+ rule = "PathPrefix(`/api/`)";
+ entrypoints = ["websecure"];
+ service = "api@internal";
+ };
+ uptime-kuma = {
+ rule = "Host(`status.notohh.dev`)";
+ entrypoints = ["websecure"];
+ service = "uptime-kuma";
+ tls.domains = [{main = "*.notohh.dev";}];
+ tls.certresolver = "production";
+ };
+ };
+ services = {
+ uptime-kuma.loadBalancer.servers = [{url = "http://100.87.54.48:4000";}];
+ };
+ };
+ };
+ staticConfigOptions = {
+ log.level = "DEBUG";
+ api.dashboard = false;
+ api.insecure = false;
+ global = {
+ checkNewVersion = false;
+ sendAnonymousUsage = false;
+ };
+ entryPoints = {
+ websecure = {
+ address = ":443";
+ };
+ web = {
+ address = ":80";
+ };
+ };
+ metrics = {
+ prometheus = {
+ addServicesLabels = true;
+ };
+ };
+ certificatesResolvers = {
+ staging.acme = {
+ email = "x3xr6n66@notohh.dev";
+ storage = "/var/lib/traefik/acme.json";
+ caServer = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ dnsChallenge = {
+ provider = "cloudflare";
+ resolvers = ["1.1.1.1:53" "1.0.0.1:53"];
+ delayBeforeCheck = "0";
+ };
+ };
+ production.acme = {
+ email = "x3xr6n66@notohh.dev";
+ storage = "/var/lib/traefik/acme.json";
+ caServer = "https://acme-v02.api.letsencrypt.org/directory";
+ dnsChallenge = {
+ provider = "cloudflare";
+ resolvers = ["1.1.1.1:53" "1.0.0.1:53"];
+ delayBeforeCheck = "0";
+ };
+ };
+ };
+ };
+ };
+}
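Review bot: The `api` router binds `api@internal` to `websecure` for any request matching `PathPrefix(`/api/`)`, with no `Host()` rule and no `middlewares`, so the Traefik API (which enumerates every router, middleware and backend URL such as the `100.87.54.48:4000` upstream) is reachable by anyone who can reach port 443; `api.dashboard = false` and `api.insecure = false` only turn off the dashboard UI and the separate :8080 listener, they do not protect `/api/` on a router you expose yourself. The `authelia` forwardauth middleware declared a few lines earlier is never referenced by any router, so as written it protects nothing. I would either drop the `api` router or gate it with a `Host()` rule for the intended hostname plus `middlewares = ["authelia"];` and `tls.certresolver = "production";`, as the `uptime-kuma` router already does for TLS. Separately, the `web` entrypoint on `:80` has no `http.redirections` to `websecure`, so plaintext requests are served rather than redirected, and if the sops `EnvironmentFile` supplies a global `CLOUDFLARE_API_KEY` (which the `CLOUDFLARE_EMAIL` variable suggests) a DNS-edit-scoped token via `CF_DNS_API_TOKEN` would limit the blast radius of a leaked credential; `log.level = "DEBUG"` is also likely to write request headers into the journal and should be lowered once the setup is stable.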
diff --git a/hosts/sora/services/uptimekuma.nix b/hosts/sora/services/uptimekuma.nix
index 4122bbc..4bdb837 100644
--- a/hosts/sora/services/uptimekuma.nix
+++ b/hosts/sora/services/uptimekuma.nix
@@ -1,5 +1,4 @@
 _: {
- networking.firewall.allowedTCPPorts = [4000];
 services.uptime-kuma = {
 enable = true;
 settings = {