notohh/snowflake
notohh/snowflake
1
0
Fork 0
Code Issues Pull requests Projects 1 Releases Packages Wiki Activity
snowflake/hosts/sora/services/traefik.nix

263 lines
8.6 KiB
Nix
Raw Blame History

{ config, ... }:
{
sops.secrets.cloudflare-api-key = { };
networking.firewall.allowedTCPPorts = [
80
443
2222
8080
];
systemd.services.traefik = {
environment = {
CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
};
serviceConfig = {
EnvironmentFile = [ config.sops.secrets.cloudflare-api-key.path ];
};
};
services.traefik = {
enable = true;
dynamicConfigOptions = {
tcp = {
routers = {
gitssh = {
rule = "HostSNI(`*`)";
entrypoints = [ "ssh" ];
service = "gitssh";
};
};
services = {
gitssh.loadBalancer.servers = [ { address = "100.121.201.47:2222"; } ];
};
};
http = {
middlewares = {
authelia = {
forwardauth = {
address = "http://100.121.201.47:9091/api/verify?rd=https://passport.notohh.dev/";
trustForwardHeader = true;
};
};
redirect-to-https = {
redirectscheme.scheme = "https";
redirectscheme.permanent = true;
};
cors = {
headers = {
accessControlAllowOriginList = "https://daphbot.notohh.dev";
};
};
cors-allow-all = {
headers = {
accessControlAllowOriginList = "*";
};
};
};
routers =
let
pqdn = "flake.sh";
in
{
api = {
rule = "PathPrefix(`/api/`)";
entrypoints = [ "websecure" ];
service = "api@internal";
};
authelia = {
rule = "Host(`passport.notohh.dev`)";
entrypoints = [ "websecure" ];
service = "authelia";
tls.domains = [ { main = "*.notohh.dev"; } ];
tls.certresolver = "production";
};
uptime-kuma = {
rule = "Host(`status.${pqdn}`)";
entrypoints = [ "websecure" ];
service = "uptime-kuma";
tls.domains = [ { main = "*.${pqdn}"; } ];
tls.certresolver = "production";
};
conduit = {
rule = "Host(`matrix.${pqdn}`)";
entrypoints = [ "websecure" ];
service = "conduit";
tls.domains = [ { main = "*.${pqdn}"; } ];
tls.certresolver = "production";
};
foundryvtt = {
rule = "Host(`foundry.${pqdn}`)";
entrypoints = [ "websecure" ];
service = "foundryvtt";
tls.domains = [ { main = "*.${pqdn}"; } ];
tls.certresolver = "production";
};
forgejo = {
rule = "Host(`git.${pqdn}`)";
entrypoints = [ "websecure" ];
service = "forgejo";
tls.domains = [ { main = "*.${pqdn}"; } ];
tls.certresolver = "production";
middlewares = "cors";
};
rustypaste = {
rule = "Host(`i.${pqdn}`)";
entrypoints = [ "websecure" ];
service = "rustypaste";
tls.domains = [ { main = "*.${pqdn}"; } ];
tls.certresolver = "production";
};
grafana = {
rule = "Host(`metrics.${pqdn}`)";
entrypoints = [ "websecure" ];
service = "grafana";
tls.domains = [ { main = "*.${pqdn}"; } ];
tls.certresolver = "production";
};
hedgedoc = {
rule = "Host(`scratch.${pqdn}`)";
entrypoints = [ "websecure" ];
service = "hedgedoc";
tls.domains = [ { main = "*.${pqdn}"; } ];
tls.certresolver = "production";
};
vaultwarden = {
rule = "Host(`vault.${pqdn}`)";
entrypoints = [ "websecure" ];
service = "vaultwarden";
tls.domains = [ { main = "*.${pqdn}"; } ];
tls.certresolver = "production";
};
neko = {
rule = "Host(`neko.${pqdn}`)";
entrypoints = [ "websecure" ];
service = "neko";
tls.domains = [ { main = "*.${pqdn}"; } ];
tls.certresolver = "production";
};
justlog = {
rule = "Host(`logs.${pqdn}`)";
entrypoints = [ "websecure" ];
service = "justlog";
tls.domains = [ { main = "*.${pqdn}"; } ];
tls.certresolver = "production";
};
ntfy = {
rule = "Host(`ntfy.${pqdn}`)";
entrypoints = [ "websecure" ];
service = "ntfy-sh";
tls.domains = [ { main = "*.${pqdn}"; } ];
tls.certresolver = "production";
};
attic = {
rule = "Host(`cache.${pqdn}`)";
entrypoints = [ "websecure" ];
service = "attic";
tls.domains = [ { main = "*.${pqdn}"; } ];
tls.certresolver = "production";
};
minio = {
rule = "Host(`s3.${pqdn}`)";
entrypoints = [ "websecure" ];
service = "minio";
tls.domains = [ { main = "*.${pqdn}"; } ];
tls.certresolver = "production";
middlewares = "cors-allow-all";
};
woodpecker = {
rule = "Host(`ci.${pqdn}`)";
entrypoints = [ "websecure" ];
service = "woodpecker";
tls.domains = [ { main = "*.${pqdn}"; } ];
tls.certresolver = "production";
};
};
services =
let
sakuraIp = "100.121.201.47:";
soraIp = "100.104.42.96:";
in
{
# sora
uptime-kuma.loadBalancer.servers = [ { url = "http://${soraIp}4000"; } ];
foundryvtt.loadBalancer.servers = [ { url = "http://${soraIp}30000"; } ];
ntfy-sh.loadBalancer.servers = [ { url = "http://${soraIp}8090"; } ];
attic.loadBalancer.servers = [ { url = "http://${soraIp}8200"; } ];
# sakura
forgejo.loadBalancer.servers = [ { url = "http://${sakuraIp}3200"; } ];
conduit.loadBalancer.servers = [ { url = "http://${sakuraIp}6167"; } ];
authelia.loadBalancer.servers = [ { url = "http://${sakuraIp}9091"; } ];
rustypaste.loadBalancer.servers = [ { url = "http://${sakuraIp}8000"; } ];
grafana.loadBalancer.servers = [ { url = "http://${sakuraIp}3100"; } ];
hedgedoc.loadBalancer.servers = [ { url = "http://${sakuraIp}3300"; } ];
vaultwarden.loadBalancer.servers = [ { url = "http://${sakuraIp}8222"; } ];
searxng.loadBalancer.servers = [ { url = "http://${sakuraIp}8100"; } ];
justlog.loadBalancer.servers = [ { url = "http://${sakuraIp}8025"; } ];
# kaze
minio.loadBalancer.servers = [ { url = "http://100.69.79.81:9005"; } ];
# tsuru
woodpecker.loadBalancer.servers = [ { url = "http://100.82.146.40:8200"; } ];
};
};
};
staticConfigOptions = {
log.level = "DEBUG";
api.dashboard = false;
api.insecure = false;
global = {
checkNewVersion = false;
sendAnonymousUsage = true;
};
entryPoints = {
websecure = {
address = ":443";
};
web = {
address = ":80";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
};
};
ssh = {
address = ":2222";
};
};
metrics = {
prometheus = {
addServicesLabels = true;
};
};
certificatesResolvers = {
staging.acme = {
email = "x3xr6n66@notohh.dev";
storage = "/var/lib/traefik/acme.json";
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory";
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"1.0.0.1:53"
];
delayBeforeCheck = "0";
};
};
production.acme = {
email = "x3xr6n66@notohh.dev";
storage = "/var/lib/traefik/acme.json";
caServer = "https://acme-v02.api.letsencrypt.org/directory";
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"1.0.0.1:53"
];
delayBeforeCheck = "0";
};
};
};
};
};
}
Reference in a new issue View git blame Copy permalink