migrate middlewares to entrypoint + refactor

♥ Minnie ♥ 2024-11-28 22:24:27 +08:00
parent 205f85271b
commit 579bf1a5db
Signed by: jasmine
GPG key ID: 8563E358D4E8040E
13 changed files with 45 additions and 48 deletions


@ -37,9 +37,6 @@ in {
entryPoints = [
"websecure"
];
middlewares = [
"internal"
];
service = "jellyfin";
};
};
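Review bot: Dropping `"internal"` from this router leaves jellyfin with no source-address restriction, because the entrypoint list in the Traefik section carries only `geoblock@file` and `crowdsec@file`, and the middlewares section appears to delete the `internal.ipwhitelist` definition (127.0.0.1/32, 192.168.50.1/24) altogether. The +/- markers are lost on this page, so this assumes the three `middlewares` lines are the ones removed (the header goes from 9 lines to 6). The same applies to the lidarr, prowlarr, qbittorrent, radarr, sonarr, minecraft and paperless-ngx sections. If `:443` is reachable from outside the LAN, routing by hostname is not an access control, since the client chooses the Host value. Keep `middlewares = [ "internal" ];` on these routers (entrypoint middlewares are prepended to router ones, not a replacement for them), or serve them from a separate LAN-only entrypoint.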


@ -31,9 +31,6 @@ in {
entryPoints = [
"websecure"
];
middlewares = [
"internal"
];
service = "lidarr";
};
};


@ -28,9 +28,6 @@ in {
entryPoints = [
"websecure"
];
middlewares = [
"internal"
];
service = "prowlarr";
};
};


@ -31,9 +31,6 @@ in {
entryPoints = [
"websecure"
];
middlewares = [
"internal"
];
service = "qbittorrent";
};
};


@ -30,9 +30,6 @@ in {
entryPoints = [
"websecure"
];
middlewares = [
"internal"
];
service = "radarr";
};
};


@ -31,9 +31,6 @@ in {
entryPoints = [
"websecure"
];
middlewares = [
"internal"
];
service = "sonarr";
};
};


@ -22,10 +22,6 @@
entryPoints = [
"websecure"
];
middlewares = [
"crowdsec"
"geoblock"
];
service = "forgejo";
};
};


@ -11,10 +11,6 @@
entryPoints = [
"websecure"
];
middlewares = [
"crowdsec"
"geoblock"
];
service = "lighttpd";
};
};


@ -85,9 +85,6 @@ in {
entryPoints = [
"websecure"
];
middlewares = [
"internal"
];
service = "minecraft";
};
};


@ -22,9 +22,6 @@ in {
entryPoints = [
"websecure"
];
middlewares = [
"internal"
];
service = "paperless-ngx";
};
};


@ -18,6 +18,7 @@
group = "traefik";
};
# Ensure our log directory has correct permission to be accesible by crowdsec
systemd.services.traefik.serviceConfig = {
User = "traefik";
Group = "traefik";
@ -43,10 +44,13 @@
dashboard = true;
};
# Everything that happens to Traefik itself
log = {
filePath = "/var/log/traefik/traefik.log";
level = "ERROR";
};
# Who Calls Whom?
accessLog = {
filePath = "/var/log/traefik/access.log";
format = "json";
@ -88,21 +92,29 @@
scheme = "https";
};
};
# Hypertext Transfer Protocol Secure
websecure = {
address = ":443";
# Enable some middlewares on all routers that use this entrypoint
http.middlewares = [
"geoblock@file"
"crowdsec@file"
];
# Requests wildcard SSL certs for our services
http.tls = {
certResolver = "lets-encrypt";
# List of domains in our network
domains = [
# Public services
{
# DevOps
main = "sajenim.dev";
sans = ["*.sajenim.dev"];
}
# Keyboards
{
# Keyboards
main = "sajkbd.io";
sans = ["*.sajkbd.io"];
}
@ -131,21 +143,20 @@
};
};
};
# Disables SSL certificate verification between our traefik instance and our backend
serversTransport = {
insecureSkipVerify = true;
};
};
# Setup our dashboard
dynamicConfigOptions.http.routers = {
traefik-dashboard = {
rule = "Host(`traefik.home.arpa`)";
entryPoints = [
"websecure"
];
middlewares = [
"internal"
];
service = "api@internal";
};
};
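Review bot: The `traefik-dashboard` router serves `api@internal` on `websecure`, and if its `"internal"` middleware is removed here as in the other routers (the +/- markers are lost, so this is inferred), the dashboard and API are guarded only by the ``Host(`traefik.home.arpa`)`` rule plus the new entrypoint-level `geoblock@file` and `crowdsec@file`. A Host rule does not restrict who can connect, and the dashboard exposes the full routing and service configuration, so this router should keep a source-range restriction of its own, e.g. `middlewares = [ "internal" ];` with the allowlist definition retained in the middlewares file. The enclosing `services.traefik` attribute set starts and ends outside the visible hunks.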


@ -1,12 +1,6 @@
{...}: {
# Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
services.traefik.dynamicConfigOptions.http.middlewares = {
# Restrict access to internal networks
internal.ipwhitelist.sourcerange = [
"127.0.0.1/32" # localhost
"192.168.50.1/24" # lan
];
# Restrict access based on geo-location
geoblock.plugin.geoblock = {
silentStartUp = "false";
@ -20,9 +14,37 @@
apiTimeoutMs = "750";
# Max size of least recently used cache
cacheSize = "25";
# List of countries to block access
# OFAC (US) sanctions list
countries = [
"AF" # Afghanistan
"AL" # Albania
"BA" # Bosnia and Herzegovina
"BY" # Belarus
"CF" # Central African Republic (the)
"CN" # China
"CD" # Congo (the Democratic Republic of the)
"CU" # Cuba
"ET" # Ethiopia
"HK" # Hong Kong
"IR" # Iran (Islamic Republic of)
"IQ" # Iraq
"KP" # Korea (the Democratic People's Republic of)
"LB" # Lebanon
"LY" # Libya
"ML" # Mali
"ME" # Montenegro
"MM" # Myanmar
"MK" # Republic of North Macedonia
"NI" # Nicaragua
"RU" # Russian Federation (the)
"RS" # Serbia
"SO" # Somalia
"SS" # South Sudan
"SD" # Sudan (the)
"SY" # Syrian Arab Republic
"UA" # Ukraine
"VE" # Venezuela (Bolivarian Republic of)
"YE" # Yemen
];
# Inverts filter logic
blackListMode = "true";
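Review bot: The inline `countries` list is labelled `# OFAC (US) sanctions list` but records no source or date, so a later reader cannot tell whether it is still current; a comment such as `# OFAC (US) sanctions list, as of <DATE>, taken from <SOURCE>` (placeholders) would fix that. Since geoblock now sits in front of every router on `websecure`, the `# Inverts filter logic` comment on `blackListMode = "true";` should also say plainly that `countries` is a deny list, e.g. `# Deny-list mode: listed countries are blocked, everything else is allowed`. How lookup failures and private source addresses are treated is set by options outside the visible lines and is worth checking for the LAN-only services. The geoblock attribute set starts and ends outside these hunks.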


@ -30,10 +30,6 @@
entryPoints = [
"websecure"
];
middlewares = [
"crowdsec"
"geoblock"
];
service = "wiki-js";
};
};