From e2f6a71ab5f1be3babe6d98ad24c974e53f86987 Mon Sep 17 00:00:00 2001 From: sajenim Date: Sat, 18 Nov 2023 08:59:16 +0000 Subject: [PATCH] update traefik --- nixos/viridian/services/traefik/default.nix | 118 +++---------- .../viridian/services/traefik/media-stack.nix | 96 ----------- .../viridian/services/traefik/middleware.nix | 40 +++++ nixos/viridian/services/traefik/routers.nix | 160 ++++++++++++++++++ nixos/viridian/services/traefik/services.nix | 46 +++++ 5 files changed, 272 insertions(+), 188 deletions(-) delete mode 100644 nixos/viridian/services/traefik/media-stack.nix create mode 100644 nixos/viridian/services/traefik/middleware.nix create mode 100644 nixos/viridian/services/traefik/routers.nix create mode 100644 nixos/viridian/services/traefik/services.nix diff --git a/nixos/viridian/services/traefik/default.nix b/nixos/viridian/services/traefik/default.nix index 9ed50a2..de785a1 100644 --- a/nixos/viridian/services/traefik/default.nix +++ b/nixos/viridian/services/traefik/default.nix @@ -5,7 +5,9 @@ imports = [ "${inputs.nixpkgs-unstable}/nixos/modules/services/web-servers/traefik.nix" - ./media-stack.nix + ./routers.nix + ./middleware.nix + ./services.nix ]; age.secrets.traefik = { @@ -15,6 +17,13 @@ group = "traefik"; }; + systemd.services.traefik.serviceConfig = { + User = "traefik"; + Group = "traefik"; + LogsDirectory = "traefik"; + LogsDirectoryMode = "0750"; + }; + # Reverse proxy and load balancer for HTTP and TCP-based applications services.traefik = { enable = true; @@ -33,6 +42,22 @@ dashboard = true; }; + log = { + filePath = "/var/log/traefik/traefik.log"; + level = "INFO"; + }; + accessLog = { + filePath = "/var/log/traefik/access.log"; + }; + + # Install plugins + experimental.plugins = { + geoblock = { + moduleName = "github.com/PascalMinder/geoblock"; + version = "v0.2.7"; + }; + }; + # Network entry points into Traefik entryPoints = { # Hypertext Transfer Protocol 
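Review bot: The `experimental.plugins.geoblock` entry in default.nix pins the plugin only by a git tag (`version = "v0.2.7"`); Traefik fetches the plugin source from its plugin registry at startup and interprets it in-process, where it sees every proxied request, so that mutable tag is the sole trust anchor and nothing in this configuration verifies what was downloaded. Traefik has no checksum field for remote plugins, so if the plugin stays, prefer vendoring it as a local plugin from a Nix-fetched source with a fixed hash, or at minimum record the reviewed upstream commit beside the version, e.g. `# reviewed upstream commit <hash>; re-read the plugin diff before bumping`. This also makes a successful service start depend on reaching the plugin registry; it is worth checking what the unit does when that fetch fails. The `accessLog` block keeps Traefik's defaults, under which request headers are dropped, which is the right choice for `/var/log/traefik/access.log`; keep it that way if a `fields` section is ever added.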
@@ -90,97 +115,6 @@ insecureSkipVerify = true; }; }; - - # Fully dynamic routing configuration - dynamicConfigOptions = { - # Connect requests to services - http = { - routers = { - # Static site / blog with hugo and httpd - httpd = { - rule = "Host(`sajenim.dev`)"; - entryPoints = [ - "websecure" - ]; - middlewares = [ ]; - service = "httpd"; - }; - - # Central control system - home-assistant = { - rule = "Host(`kanto.dev`)"; - entryPoints = [ - "websecure" - ]; - middlewares = [ - "internal" - ]; - service = "home-assistant"; - }; - - # Traefik dashboard - traefik-dashboard = { - rule = "Host(`traefik.kanto.dev`)"; - entryPoints = [ - "websecure" - ]; - middlewares = [ - "internal" - ]; - service = "api@internal"; - }; - - # Adguard Home - adguard-home = { - rule = "Host(`adguard.kanto.dev`)"; - entryPoints = [ - "websecure" - ]; - middlewares = [ - "internal" - ]; - service = "adguard-home"; - }; - - # Minecraft - minecraft = { - rule = "Host(`mc.kanto.dev`)"; - entryPoints = [ - "websecure" - ]; - middlewares = [ - "internal" - ]; - service = "minecraft"; - }; - }; - - # Tweaking the requests - middlewares = { - # Restrict access to internal networks - internal.ipwhitelist.sourcerange = [ - "127.0.0.1/32" # localhost - "192.168.1.1/24" # lan - ]; - }; - - # How to reach the actual services - services = { - httpd.loadBalancer.servers = [ - { url = "http://192.168.1.102:5624"; } - ]; - home-assistant.loadBalancer.servers = [ - { url = "http://192.168.1.102:8123"; } - ]; - adguard-home.loadBalancer.servers = [ - { url = "http://192.168.1.102:3000"; } - ]; - minecraft.loadBalancer.servers = [ - { url = "http://192.168.1.102:25565"; } - ]; - }; - }; - }; }; } diff --git a/nixos/viridian/services/traefik/media-stack.nix b/nixos/viridian/services/traefik/media-stack.nix deleted file mode 100644 index 1507747..0000000 --- a/nixos/viridian/services/traefik/media-stack.nix +++ /dev/null 
@@ -1,96 +0,0 @@
-{ ... }:
-
- {
- services.traefik.dynamicConfigOptions = {
- http = {
- routers = {
- jellyfin = {
- rule = "Host(`jellyfin.kanto.dev`)";
- entryPoints = [
- "websecure"
- ];
- middlewares = [
- "internal"
- ];
- service = "jellyfin";
- };
-
- sonarr = {
- rule = "Host(`sonarr.kanto.dev`)";
- entryPoints = [
- "websecure"
- ];
- middlewares = [
- "internal"
- ];
- service = "sonarr";
- };
-
- radarr = {
- rule = "Host(`radarr.kanto.dev`)";
- entryPoints = [
- "websecure"
- ];
- middlewares = [
- "internal"
- ];
- service = "radarr";
- };
-
- lidarr = {
- rule = "Host(`lidarr.kanto.dev`)";
- entryPoints = [
- "websecure"
- ];
- middlewares = [
- "internal"
- ];
- service = "lidarr";
- };
-
- prowlarr = {
- rule = "Host(`prowlarr.kanto.dev`)";
- entryPoints = [
- "websecure"
- ];
- middlewares = [
- "internal"
- ];
- service = "prowlarr";
- };
-
- qbittorrent = {
- rule = "Host(`qbittorrent.kanto.dev`)";
- entryPoints = [
- "websecure"
- ];
- middlewares = [
- "internal"
- ];
- service = "qbittorrent";
- };
- };
-
- services = {
- jellyfin.loadBalancer.servers = [
- { url = "http://192.168.1.102:8096"; }
- ];
- sonarr.loadBalancer.servers = [
- { url = "http://192.168.1.102:8989"; }
- ];
- radarr.loadBalancer.servers = [
- { url = "http://192.168.1.102:7878"; }
- ];
- lidarr.loadBalancer.servers = [
- { url = "http://192.168.1.102:8686"; }
- ];
- prowlarr.loadBalancer.servers = [
- { url = "http://192.168.1.102:9696"; }
- ];
- qbittorrent.loadBalancer.servers = [
- { url = "http://192.168.1.102:8080"; }
- ];
- };
- };
- };
-}
diff --git a/nixos/viridian/services/traefik/middleware.nix b/nixos/viridian/services/traefik/middleware.nix
new file mode 100644
index 0000000..99c2010
--- /dev/null
+++ b/nixos/viridian/services/traefik/middleware.nix
@@ -0,0 +1,40 @@
+{ ... }:
+
+ {
+ # Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
+ services.traefik.dynamicConfigOptions.http.middlewares = {
+ # Restrict access to internal networks
+ internal.ipwhitelist.sourcerange = [
+ "127.0.0.1/32" # localhost
+ "192.168.1.1/24" # lan
+ ];
+ # Restrict access based on geo-location
+ geoblock.plugin.geoblock = {
+ silentStartUp = "true";
+ allowLocalRequests = "true";
+ # If set to true will show a log message
+ logLocalRequests = "false";
+ logAllowedRequests = "false";
+ logApiRequests = "false";
+ # Application programming interface
+ api = "https://get.geojs.io/v1/ip/country/{ip}";
+ apiTimeoutMs = "500";
+ # Max size of least recently used cache
+ cacheSize = "25";
+ # List of countries to allow access
+ countries = [
+ "AU" # Australia
+ ];
+ # Inverts filter logic
+ blackListMode = "false";
+ # Unknown Countries (IPs with no country association)
+ allowUnknownCountries = "false";
+ unknownCountryApiResponse = "nil";
+ # Adds the X-IPCountry header to the HTTP request header.
+ addCountryHeader = "false";
+ # Even if an IP stays in the cache for a period of a month, it must be fetch again after a month.
+ forceMonthlyUpdate = "true";
+ };
+ };
+}
+
diff --git a/nixos/viridian/services/traefik/routers.nix b/nixos/viridian/services/traefik/routers.nix
new file mode 100644
index 0000000..44242ac
--- /dev/null
+++ b/nixos/viridian/services/traefik/routers.nix
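Review bot: `internal.ipwhitelist.sourcerange` lists the LAN as `"192.168.1.1/24"`, a CIDR with host bits set; Go's CIDR parser normalises it to the 192.168.1.0/24 network so it works today, but it reads as though a single host were meant, so write `"192.168.1.0/24" # lan`. The `geoblock` middleware sends the address of every non-local client to `get.geojs.io` before it decides, which hands visitor IPs to a third party and makes the public routers depend on that service answering within `apiTimeoutMs`; confirm against the v0.2.7 plugin that a timeout or API error is treated as an unknown country and therefore denied under `allowUnknownCountries = "false"`, i.e. that it fails closed rather than open. Every option here is a quoted string (`"true"`, `"500"`, `"25"`) where plugin configuration examples normally use bare booleans and integers; unless this version is known to coerce strings, use `true`, `500` and `25` so a decoding failure cannot silently disable the middleware. It is also worth confirming which address the plugin evaluates: if it honours `X-Forwarded-For`, the `websecure` entryPoint's `forwardedHeaders` must keep stripping that header from untrusted peers, or the allow decision becomes client-controlled.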
@@ -0,0 +1,160 @@
+{ ... }:
+
+ {
+ services.traefik.dynamicConfigOptions.http.routers = {
+ httpd = {
+ rule = "Host(`sajenim.dev`)";
+ entryPoints = [
+ "websecure"
+ ];
+ middlewares = [
+ "geoblock"
+ ];
+ service = "httpd";
+ };
+
+ microbin = {
+ rule = "Host(`bin.sajenim.dev`)";
+ entryPoints = [
+ "websecure"
+ ];
+ middlewares = [
+ "geoblock"
+ ];
+ service = "microbin";
+ };
+
+ homarr = {
+ rule = "Host(`kanto.dev`)";
+ entryPoints = [
+ "websecure"
+ ];
+ middlewares = [
+ "internal"
+ ];
+ service = "homarr";
+ };
+
+ traefik-dashboard = {
+ rule = "Host(`traefik.kanto.dev`)";
+ entryPoints = [
+ "websecure"
+ ];
+ middlewares = [
+ "internal"
+ ];
+ service = "api@internal";
+ };
+
+ adguard-home = {
+ rule = "Host(`adguard.kanto.dev`)";
+ entryPoints = [
+ "websecure"
+ ];
+ middlewares = [
+ "internal"
+ ];
+ service = "adguard-home";
+ };
+
+ home-assistant = {
+ rule = "Host(`home.kanto.dev`)";
+ entryPoints = [
+ "websecure"
+ ];
+ middlewares = [
+ "internal"
+ ];
+ service = "home-assistant";
+ };
+
+ minecraft = {
+ rule = "Host(`mc.kanto.dev`)";
+ entryPoints = [
+ "websecure"
+ ];
+ middlewares = [
+ "internal"
+ ];
+ service = "minecraft";
+ };
+
+ jellyfin = {
+ rule = "Host(`jf.kanto.dev`)";
+ entryPoints = [
+ "websecure"
+ ];
+ middlewares = [
+ "geoblock"
+ ];
+ service = "jellyfin";
+ };
+
+ sonarr = {
+ rule = "Host(`sonarr.kanto.dev`)";
+ entryPoints = [
+ "websecure"
+ ];
+ middlewares = [
+ "internal"
+ ];
+ service = "sonarr";
+ };
+
+ radarr = {
+ rule = "Host(`radarr.kanto.dev`)";
+ entryPoints = [
+ "websecure"
+ ];
+ middlewares = [
+ "internal"
+ ];
+ service = "radarr";
+ };
+
+ lidarr = {
+ rule = "Host(`lidarr.kanto.dev`)";
+ entryPoints = [
+ "websecure"
+ ];
+ middlewares = [
+ "internal"
+ ];
+ service = "lidarr";
+ };
+
+ prowlarr = {
+ rule = "Host(`prowlarr.kanto.dev`)";
+ entryPoints = [
+ "websecure"
+ ];
+ middlewares = [
+ "internal"
+ ];
+ service = "prowlarr";
+ };
+
+ qbittorrent = {
+ rule = "Host(`qbittorrent.kanto.dev`)";
+ entryPoints = [
+ "websecure"
+ ];
+ middlewares = [
+ "internal"
+ ];
+ service = "qbittorrent";
+ };
+
+ jellyseerr = {
+ rule ="Host(`jellyseerr.kanto.dev`)";
+ entryPoints = [
+ "websecure"
+ ];
+ middlewares = [
+ "internal"
+ ];
+ service = "jellyseerr";
+ };
+ };
+}
+
diff --git a/nixos/viridian/services/traefik/services.nix b/nixos/viridian/services/traefik/services.nix
new file mode 100644
index 0000000..b242a33
--- /dev/null
+++ b/nixos/viridian/services/traefik/services.nix
@@ -0,0 +1,46 @@
+{ ... }:
+
+ {
+ services.traefik.dynamicConfigOptions.http.services = {
+ httpd.loadBalancer.servers = [
+ { url = "http://192.168.1.102:5624"; }
+ ];
+ microbin.loadBalancer.servers = [
+ { url = "http://192.168.1.102:8181"; }
+ ];
+ homarr.loadBalancer.servers = [
+ { url = "http://192.168.1.102:7575"; }
+ ];
+ home-assistant.loadBalancer.servers = [
+ { url = "http://192.168.1.102:8123"; }
+ ];
+ adguard-home.loadBalancer.servers = [
+ { url = "http://192.168.1.102:3000"; }
+ ];
+ minecraft.loadBalancer.servers = [
+ { url = "http://192.168.1.102:25565"; }
+ ];
+ jellyfin.loadBalancer.servers = [
+ { url = "http://192.168.1.102:8096"; }
+ ];
+ sonarr.loadBalancer.servers = [
+ { url = "http://192.168.1.102:8989"; }
+ ];
+ radarr.loadBalancer.servers = [
+ { url = "http://192.168.1.102:7878"; }
+ ];
+ lidarr.loadBalancer.servers = [
+ { url = "http://192.168.1.102:8686"; }
+ ];
+ prowlarr.loadBalancer.servers = [
+ { url = "http://192.168.1.102:9696"; }
+ ];
+ qbittorrent.loadBalancer.servers = [
+ { url = "http://192.168.1.102:8080"; }
+ ];
+ jellyseerr.loadBalancer.servers = [
+ { url = "http://192.168.1.102:5055"; }
+ ];
+ };
+}
+
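Review bot: The `jellyfin` router in routers.nix now carries `geoblock` where the deleted media-stack.nix attached `internal`, so `jf.kanto.dev` becomes reachable from any address geolocated to AU with only Jellyfin's own login in front of it; that is a real exposure change the commit message does not mention, and none of the three public routers (`httpd`, `microbin`, `jellyfin`) has rate limiting, so a `rateLimit` middleware chained after `"geoblock"` would blunt credential stuffing against the Jellyfin login. `traefik-dashboard` serves `api@internal`, which reveals every router, service and middleware setting, to the whole LAN allowlist with no authentication; a `basicAuth` middleware alongside `"internal"` is cheap insurance. The `minecraft` router is an `http.routers` entry whose service targets port 25565, the Minecraft server's own TCP protocol rather than HTTP; unless something web-based listens there, it needs a `tcp` router with a `HostSNI` rule on a TCP entryPoint instead, a problem carried over from the removed config rather than introduced here. None of the routers set `tls`, which is only correct if the `websecure` entryPoint enables TLS itself; that part of default.nix is outside this diff.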
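Review bot: Every backend in services.nix is a plain `http://` URL on 192.168.1.102, so for the routers that are reachable from the internet (`httpd`, `microbin`, `jellyfin`) TLS ends at the proxy and the hop to the backend host, including Jellyfin session tokens, is cleartext on the LAN; acceptable on a trusted segment, but worth a line such as `# backends are plain HTTP on the LAN; TLS terminates at Traefik` so nobody assumes end-to-end encryption. Because all of these are `http://`, the `insecureSkipVerify = true` transport setting kept in default.nix has no effect on them today, but it will silently disable certificate checking the day any of these URLs is switched to `https://`.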