From 579bf1a5dba2e6424586dc6ba5a5d16d5ffde04a Mon Sep 17 00:00:00 2001
From: jasmine
Date: Thu, 28 Nov 2024 22:24:27 +0800
Subject: [PATCH] migrate middlewares to entrypoint + refactor
---
 .../viridian/multimedia/jellyfin/default.nix | 3 --
 nixos/viridian/multimedia/lidarr/default.nix | 3 --
 .../viridian/multimedia/prowlarr/default.nix | 3 --
 .../multimedia/qbittorrent/default.nix | 3 --
 nixos/viridian/multimedia/radarr/default.nix | 3 --
 nixos/viridian/multimedia/sonarr/default.nix | 3 --
 nixos/viridian/services/forgejo/default.nix | 4 ---
 nixos/viridian/services/lighttpd/default.nix | 4 ---
 nixos/viridian/services/minecraft/default.nix | 3 --
 .../services/paperless-ngx/default.nix | 3 --
 nixos/viridian/services/traefik/default.nix | 21 ++++++++---
 .../viridian/services/traefik/middlewares.nix | 36 +++++++++++++++----
 nixos/viridian/services/wiki-js/default.nix | 4 ---
 13 files changed, 45 insertions(+), 48 deletions(-)
diff --git a/nixos/viridian/multimedia/jellyfin/default.nix b/nixos/viridian/multimedia/jellyfin/default.nix
index 9258775..c118e40 100644
--- a/nixos/viridian/multimedia/jellyfin/default.nix
+++ b/nixos/viridian/multimedia/jellyfin/default.nix
@@ -37,9 +37,6 @@ in {
 entryPoints = [
 "websecure"
 ];
- middlewares = [
- "internal"
- ];
 service = "jellyfin";
 };
 };
diff --git a/nixos/viridian/multimedia/lidarr/default.nix b/nixos/viridian/multimedia/lidarr/default.nix
index 12c8001..b7d28e3 100644
--- a/nixos/viridian/multimedia/lidarr/default.nix
+++ b/nixos/viridian/multimedia/lidarr/default.nix
@@ -31,9 +31,6 @@ in {
 entryPoints = [
 "websecure"
 ];
- middlewares = [
- "internal"
- ];
 service = "lidarr";
 };
 };
diff --git a/nixos/viridian/multimedia/prowlarr/default.nix b/nixos/viridian/multimedia/prowlarr/default.nix
index 821b817..1c44653 100644
--- a/nixos/viridian/multimedia/prowlarr/default.nix
+++ b/nixos/viridian/multimedia/prowlarr/default.nix
@@ -28,9 +28,6 @@ in {
 entryPoints = [
 "websecure"
 ];
- middlewares = [
- "internal"
- ];
 service = "prowlarr";
 };
 };
diff --git a/nixos/viridian/multimedia/qbittorrent/default.nix b/nixos/viridian/multimedia/qbittorrent/default.nix
index e2573c2..81a3ed8 100644
--- a/nixos/viridian/multimedia/qbittorrent/default.nix
+++ b/nixos/viridian/multimedia/qbittorrent/default.nix
@@ -31,9 +31,6 @@ in {
 entryPoints = [
 "websecure"
 ];
- middlewares = [
- "internal"
- ];
 service = "qbittorrent";
 };
 };
diff --git a/nixos/viridian/multimedia/radarr/default.nix b/nixos/viridian/multimedia/radarr/default.nix
index 3232d14..6c3531c 100644
--- a/nixos/viridian/multimedia/radarr/default.nix
+++ b/nixos/viridian/multimedia/radarr/default.nix
@@ -30,9 +30,6 @@ in {
 entryPoints = [
 "websecure"
 ];
- middlewares = [
- "internal"
- ];
 service = "radarr";
 };
 };
diff --git a/nixos/viridian/multimedia/sonarr/default.nix b/nixos/viridian/multimedia/sonarr/default.nix
index 84368f8..2e4d51f 100644
--- a/nixos/viridian/multimedia/sonarr/default.nix
+++ b/nixos/viridian/multimedia/sonarr/default.nix
@@ -31,9 +31,6 @@ in {
 entryPoints = [
 "websecure"
 ];
- middlewares = [
- "internal"
- ];
 service = "sonarr";
 };
 };
diff --git a/nixos/viridian/services/forgejo/default.nix b/nixos/viridian/services/forgejo/default.nix
index 119d348..bc53a56 100644
--- a/nixos/viridian/services/forgejo/default.nix
+++ b/nixos/viridian/services/forgejo/default.nix
@@ -22,10 +22,6 @@
 entryPoints = [
 "websecure"
 ];
- middlewares = [
- "crowdsec"
- "geoblock"
- ];
 service = "forgejo";
 };
 };
diff --git a/nixos/viridian/services/lighttpd/default.nix b/nixos/viridian/services/lighttpd/default.nix
index b5ef007..0aed61b 100644
--- a/nixos/viridian/services/lighttpd/default.nix
+++ b/nixos/viridian/services/lighttpd/default.nix
@@ -11,10 +11,6 @@
 entryPoints = [
 "websecure"
 ];
- middlewares = [
- "crowdsec"
- "geoblock"
- ];
 service = "lighttpd";
 };
 };
diff --git a/nixos/viridian/services/minecraft/default.nix b/nixos/viridian/services/minecraft/default.nix index d5d1070..749f983 100644 --- a/nixos/viridian/services/minecraft/default.nix +++ b/nixos/viridian/services/minecraft/default.nix @@ -85,9 +85,6 @@ in { entryPoints = [ "websecure" ]; - middlewares = [ - "internal" - ]; service = "minecraft"; }; }; diff --git a/nixos/viridian/services/paperless-ngx/default.nix b/nixos/viridian/services/paperless-ngx/default.nix index 64f9faf..9235f07 100644 --- a/nixos/viridian/services/paperless-ngx/default.nix +++ b/nixos/viridian/services/paperless-ngx/default.nix @@ -22,9 +22,6 @@ in { entryPoints = [ "websecure" ]; - middlewares = [ - "internal" - ]; service = "paperless-ngx"; }; }; diff --git a/nixos/viridian/services/traefik/default.nix b/nixos/viridian/services/traefik/default.nix index 8014440..ec33a17 100644 --- a/nixos/viridian/services/traefik/default.nix +++ b/nixos/viridian/services/traefik/default.nix @@ -18,6 +18,7 @@ group = "traefik"; }; + # Ensure our log directory has correct permission to be accesible by crowdsec systemd.services.traefik.serviceConfig = { User = "traefik"; Group = "traefik"; @@ -43,10 +44,13 @@ dashboard = true; }; + # Everything that happens to Traefik itself log = { filePath = "/var/log/traefik/traefik.log"; level = "ERROR"; }; + + # Who Calls Whom? accessLog = { filePath = "/var/log/traefik/access.log"; format = "json"; @@ -88,21 +92,29 @@ scheme = "https"; }; }; + # Hypertext Transfer Protocol Secure websecure = { address = ":443"; + + # Enable some middlewares on all routers that use this entrypoint + http.middlewares = [ + "geoblock@file" + "crowdsec@file" + ]; + # Requests wildcard SSL certs for our services http.tls = { certResolver = "lets-encrypt"; # List of domains in our network domains = [ - # Public services { + # DevOps main = "sajenim.dev"; sans = ["*.sajenim.dev"]; } - # Keyboards { + # Keyboards main = "sajkbd.io"; sans = ["*.sajkbd.io"]; } 
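Review bot: Attaching `geoblock@file` and `crowdsec@file` at the `websecure` entrypoint is not a replacement for the `internal` allowlist this commit removes from the jellyfin, lidarr, prowlarr, qbittorrent, radarr, sonarr, minecraft, paperless-ngx and traefik-dashboard routers — those routers now answer any client that is not in a blocked country or on a CrowdSec ban list, where before they answered only 127.0.0.1 and the 192.168.50.0/24 LAN. This entrypoint holds Let's Encrypt wildcard certificates for two public domains, so it is presumably Internet-facing, and a `*.home.arpa` hostname not resolving publicly is no boundary since a client can supply the Host header directly. If those services are meant to stay LAN-only, keep a source-IP restriction on them — for example restore a middleware `internal.ipAllowList.sourceRange = [ "127.0.0.1/32" "192.168.50.0/24" ];` (the removed definition used `ipwhitelist`, which Traefik v3 deprecates if that is the version in use, and the odd `192.168.50.1/24` spelling) and reference it from each of those routers, or bind them to a separate entrypoint that listens only on the LAN interface. If `websecure` is in fact reachable only from the LAN, say so in the comment above `http.middlewares` so this change does not read as an exposure. The `websecure` attrset continues past the end of the hunk.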
@@ -131,21 +143,20 @@
 };
 };
 };
+ # Disables SSL certificate verification between our traefik instance and our backend
 serversTransport = {
 insecureSkipVerify = true;
 };
 };
+ # Setup our dashboard
 dynamicConfigOptions.http.routers = {
 traefik-dashboard = {
 rule = "Host(`traefik.home.arpa`)";
 entryPoints = [
 "websecure"
 ];
- middlewares = [
- "internal"
- ];
 service = "api@internal";
 };
 };
diff --git a/nixos/viridian/services/traefik/middlewares.nix b/nixos/viridian/services/traefik/middlewares.nix
index 6cbdc43..0f2f474 100644
--- a/nixos/viridian/services/traefik/middlewares.nix
+++ b/nixos/viridian/services/traefik/middlewares.nix
@@ -1,12 +1,6 @@
 {...}: {
 # Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
 services.traefik.dynamicConfigOptions.http.middlewares = {
- # Restrict access to internal networks
- internal.ipwhitelist.sourcerange = [
- "127.0.0.1/32" # localhost
- "192.168.50.1/24" # lan
- ];
-
 # Restrict access based on geo-location
 geoblock.plugin.geoblock = {
 silentStartUp = "false";
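Review bot: Dropping `internal` from the `traefik-dashboard` router leaves `api@internal` reachable by every client that passes the entrypoint-level geoblock and CrowdSec checks, and Traefik's API/dashboard carries no authentication of its own — it discloses the full runtime configuration (routers, rules, middleware settings, backend addresses) to anyone who can reach it, and `dashboard = true` is set elsewhere in this file. A country filter and a reputation list are not an access control for an administrative endpoint; keep a source-range middleware on this router (e.g. `middlewares = [ "internal" ];` backed by an `ipAllowList` definition) or put `basicAuth`/`forwardAuth` in front of it. The new comment on `serversTransport` describes `insecureSkipVerify = true` accurately, but it should also say why that is acceptable here — which backends present self-signed certificates and that they are reached over loopback or the LAN — because as written the setting disables certificate validation for every HTTPS backend Traefik talks to, not only the ones that need it.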
@@ -20,9 +14,37 @@
 apiTimeoutMs = "750";
 # Max size of least recently used cache
 cacheSize = "25";
- # List of countries to block access
+ # OFAC (US) sanctions list
 countries = [
+ "AF" # Afghanistan
+ "AL" # Albania
+ "BA" # Bosnia and Herzegovina
+ "BY" # Belarus
+ "CF" # Central African Republic (the)
+ "CN" # China
+ "CD" # Congo (the Democratic Republic of the)
+ "CU" # Cuba
+ "ET" # Ethiopia
+ "HK" # Hong Kong
+ "IR" # Iran (Islamic Republic of)
+ "IQ" # Iraq
+ "KP" # Korea (the Democratic People's Republic of)
+ "LB" # Lebanon
+ "LY" # Libya
+ "ML" # Mali
+ "ME" # Montenegro
+ "MM" # Myanmar
+ "MK" # Republic of North Macedonia
+ "NI" # Nicaragua
 "RU" # Russian Federation (the)
+ "RS" # Serbia
+ "SO" # Somalia
+ "SS" # South Sudan
+ "SD" # Sudan (the)
+ "SY" # Syrian Arab Republic
+ "UA" # Ukraine
+ "VE" # Venezuela (Bolivarian Republic of)
+ "YE" # Yemen
 ];
 # Inverts filter logic
 blackListMode = "true";
diff --git a/nixos/viridian/services/wiki-js/default.nix b/nixos/viridian/services/wiki-js/default.nix
index f6453f6..6ba23f0 100644
--- a/nixos/viridian/services/wiki-js/default.nix
+++ b/nixos/viridian/services/wiki-js/default.nix
@@ -30,10 +30,6 @@
 entryPoints = [
 "websecure"
 ];
- middlewares = [
- "crowdsec"
- "geoblock"
- ];
 service = "wiki-js";
 };
 };
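Review bot: The new header `# OFAC (US) sanctions list` does not match the entries under it — several of the listed countries (`UA`, `AL`, `BA`, `ME`, `MK`, `HK` among others) are not OFAC-sanctioned jurisdictions as far as I can tell, so the comment attributes the policy to a source it does not actually follow. A country list is a policy decision that will be questioned later; replace the comment with the real criterion and a date, e.g. `# Countries denied access; curated from <source> on 2024-11-28. Geoblocking is a nuisance filter, not an access control.`, so the next maintainer can audit it. Note also that with the `internal` allowlist removed elsewhere in this commit, this list and CrowdSec are now the only gate on the previously LAN-only routers, and a client on a VPN or cloud host in any unlisted country passes straight through. The `geoblock.plugin.geoblock` attrset begins and ends outside the hunk.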