migrate middlewares to entrypoint + refactor

♥ Minnie ♥ 2024-11-28 22:24:27 +08:00
parent 205f85271b
commit 579bf1a5db
Signed by: jasmine
GPG key ID: 8563E358D4E8040E
13 changed files with 45 additions and 48 deletions


@ -37,9 +37,6 @@ in {
entryPoints = [ entryPoints = [
"websecure" "websecure"
]; ];
middlewares = [
"internal"
];
service = "jellyfin"; service = "jellyfin";
}; };
}; };


@ -31,9 +31,6 @@ in {
entryPoints = [ entryPoints = [
"websecure" "websecure"
]; ];
middlewares = [
"internal"
];
service = "lidarr"; service = "lidarr";
}; };
}; };


@ -28,9 +28,6 @@ in {
entryPoints = [ entryPoints = [
"websecure" "websecure"
]; ];
middlewares = [
"internal"
];
service = "prowlarr"; service = "prowlarr";
}; };
}; };


@ -31,9 +31,6 @@ in {
entryPoints = [ entryPoints = [
"websecure" "websecure"
]; ];
middlewares = [
"internal"
];
service = "qbittorrent"; service = "qbittorrent";
}; };
}; };


@ -30,9 +30,6 @@ in {
entryPoints = [ entryPoints = [
"websecure" "websecure"
]; ];
middlewares = [
"internal"
];
service = "radarr"; service = "radarr";
}; };
}; };


@ -31,9 +31,6 @@ in {
entryPoints = [ entryPoints = [
"websecure" "websecure"
]; ];
middlewares = [
"internal"
];
service = "sonarr"; service = "sonarr";
}; };
}; };


@ -22,10 +22,6 @@
entryPoints = [ entryPoints = [
"websecure" "websecure"
]; ];
middlewares = [
"crowdsec"
"geoblock"
];
service = "forgejo"; service = "forgejo";
}; };
}; };


@ -11,10 +11,6 @@
entryPoints = [ entryPoints = [
"websecure" "websecure"
]; ];
middlewares = [
"crowdsec"
"geoblock"
];
service = "lighttpd"; service = "lighttpd";
}; };
}; };


@ -85,9 +85,6 @@ in {
entryPoints = [ entryPoints = [
"websecure" "websecure"
]; ];
middlewares = [
"internal"
];
service = "minecraft"; service = "minecraft";
}; };
}; };


@ -22,9 +22,6 @@ in {
entryPoints = [ entryPoints = [
"websecure" "websecure"
]; ];
middlewares = [
"internal"
];
service = "paperless-ngx"; service = "paperless-ngx";
}; };
}; };


@ -18,6 +18,7 @@
group = "traefik"; group = "traefik";
}; };
# Ensure our log directory has correct permission to be accesible by crowdsec
systemd.services.traefik.serviceConfig = { systemd.services.traefik.serviceConfig = {
User = "traefik"; User = "traefik";
Group = "traefik"; Group = "traefik";
@ -43,10 +44,13 @@
dashboard = true; dashboard = true;
}; };
# Everything that happens to Traefik itself
log = { log = {
filePath = "/var/log/traefik/traefik.log"; filePath = "/var/log/traefik/traefik.log";
level = "ERROR"; level = "ERROR";
}; };
# Who Calls Whom?
accessLog = { accessLog = {
filePath = "/var/log/traefik/access.log"; filePath = "/var/log/traefik/access.log";
format = "json"; format = "json";
@ -88,21 +92,29 @@
scheme = "https"; scheme = "https";
}; };
}; };
# Hypertext Transfer Protocol Secure # Hypertext Transfer Protocol Secure
websecure = { websecure = {
address = ":443"; address = ":443";
# Enable some middlewares on all routers that use this entrypoint
http.middlewares = [
"geoblock@file"
"crowdsec@file"
];
# Requests wildcard SSL certs for our services # Requests wildcard SSL certs for our services
http.tls = { http.tls = {
certResolver = "lets-encrypt"; certResolver = "lets-encrypt";
# List of domains in our network # List of domains in our network
domains = [ domains = [
# Public services
{ {
# DevOps
main = "sajenim.dev"; main = "sajenim.dev";
sans = ["*.sajenim.dev"]; sans = ["*.sajenim.dev"];
} }
# Keyboards
{ {
# Keyboards
main = "sajkbd.io"; main = "sajkbd.io";
sans = ["*.sajkbd.io"]; sans = ["*.sajkbd.io"];
} }
@ -131,21 +143,20 @@
}; };
}; };
}; };
# Disables SSL certificate verification between our traefik instance and our backend # Disables SSL certificate verification between our traefik instance and our backend
serversTransport = { serversTransport = {
insecureSkipVerify = true; insecureSkipVerify = true;
}; };
}; };
# Setup our dashboard
dynamicConfigOptions.http.routers = { dynamicConfigOptions.http.routers = {
traefik-dashboard = { traefik-dashboard = {
rule = "Host(`traefik.home.arpa`)"; rule = "Host(`traefik.home.arpa`)";
entryPoints = [ entryPoints = [
"websecure" "websecure"
]; ];
middlewares = [
"internal"
];
service = "api@internal"; service = "api@internal";
}; };
}; };
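Review bot: The new `http.middlewares` list on `websecure` holds only `geoblock@file` and `crowdsec@file`, so the source-range restriction that `internal` gave the `traefik-dashboard` router (dropped in the last hunk of this file) has no replacement in the visible changes. The same middleware is also removed from the jellyfin, lidarr, prowlarr, qbittorrent, radarr, sonarr, minecraft and paperless-ngx routers, and its definition `internal.ipwhitelist.sourcerange` is deleted from the middlewares file. Unless a firewall or a LAN-only entrypoint outside these hunks limits who can connect to `:443`, those routers, including `api@internal` with `dashboard = true`, are no longer limited to 127.0.0.1/32 and 192.168.50.1/24. I would keep the allowlist definition and leave `middlewares = [ "internal" ];` on the LAN-only routers, or move them to a separate entrypoint that carries it. The `websecure` and `dynamicConfigOptions` attribute sets continue outside the hunks.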


@ -1,12 +1,6 @@
{...}: { {...}: {
# Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service # Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
services.traefik.dynamicConfigOptions.http.middlewares = { services.traefik.dynamicConfigOptions.http.middlewares = {
# Restrict access to internal networks
internal.ipwhitelist.sourcerange = [
"127.0.0.1/32" # localhost
"192.168.50.1/24" # lan
];
# Restrict access based on geo-location # Restrict access based on geo-location
geoblock.plugin.geoblock = { geoblock.plugin.geoblock = {
silentStartUp = "false"; silentStartUp = "false";
@ -20,9 +14,37 @@
apiTimeoutMs = "750"; apiTimeoutMs = "750";
# Max size of least recently used cache # Max size of least recently used cache
cacheSize = "25"; cacheSize = "25";
# List of countries to block access # OFAC (US) sanctions list
countries = [ countries = [
"AF" # Afghanistan
"AL" # Albania
"BA" # Bosnia and Herzegovina
"BY" # Belarus
"CF" # Central African Republic (the)
"CN" # China
"CD" # Congo (the Democratic Republic of the)
"CU" # Cuba
"ET" # Ethiopia
"HK" # Hong Kong
"IR" # Iran (Islamic Republic of)
"IQ" # Iraq
"KP" # Korea (the Democratic People's Republic of)
"LB" # Lebanon
"LY" # Libya
"ML" # Mali
"ME" # Montenegro
"MM" # Myanmar
"MK" # Republic of North Macedonia
"NI" # Nicaragua
"RU" # Russian Federation (the) "RU" # Russian Federation (the)
"RS" # Serbia
"SO" # Somalia
"SS" # South Sudan
"SD" # Sudan (the)
"SY" # Syrian Arab Republic
"UA" # Ukraine
"VE" # Venezuela (Bolivarian Republic of)
"YE" # Yemen
]; ];
# Inverts filter logic # Inverts filter logic
blackListMode = "true"; blackListMode = "true";
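Review bot: The enlarged `countries` list is labelled only `# OFAC (US) sanctions list`, with no source or retrieval date, so a later reader cannot tell whether it has drifted; a comment such as `# Snapshot of <source>, retrieved <date>; review periodically` would fix that (placeholders to be filled in). Because this commit also attaches `geoblock@file` to the whole `websecure` entrypoint, the middleware now sees LAN clients of internal routers such as `traefik.home.arpa` as well, and the visible options (`apiTimeoutMs = "750"`, `cacheSize = "25"`) do not show how private addresses or failed lookups are treated. The plugin's `allowLocalRequests` and `allowUnknownCountries` settings may be set in the lines between the two hunks; if they are, a short comment stating the intended fail-open or fail-closed behaviour would help. The `geoblock.plugin.geoblock` set continues outside the hunk.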


@ -30,10 +30,6 @@
entryPoints = [ entryPoints = [
"websecure" "websecure"
]; ];
middlewares = [
"crowdsec"
"geoblock"
];
service = "wiki-js"; service = "wiki-js";
}; };
}; };