174 lines
4.6 KiB
Nix
174 lines
4.6 KiB
Nix
{ inputs, config, pkgs, ... }:
|
|
|
|
{
|
|
disabledModules = [ "services/web-servers/traefik.nix" ];
|
|
|
|
imports = [
|
|
"${inputs.nixpkgs-unstable}/nixos/modules/services/web-servers/traefik.nix"
|
|
./media-stack.nix
|
|
];
|
|
|
|
age.secrets.traefik = {
|
|
# Environment variables for cloudflare dns challenge
|
|
file = inputs.self + /secrets/traefik.age;
|
|
owner = "traefik";
|
|
group = "traefik";
|
|
};
|
|
|
|
# Reverse proxy and load balancer for HTTP and TCP-based applications
|
|
services.traefik = {
|
|
enable = true;
|
|
package = pkgs.unstable.traefik;
|
|
dataDir = "/var/lib/traefik";
|
|
environmentFiles = [
|
|
config.age.secrets.traefik.path
|
|
];
|
|
|
|
# The startup configuration
|
|
staticConfigOptions = {
|
|
api = {
|
|
# Enable the API in secure mode
|
|
insecure = false;
|
|
# Enable the dashboard
|
|
dashboard = true;
|
|
};
|
|
|
|
# Network entry points into Traefik
|
|
entryPoints = {
|
|
# Hypertext Transfer Protocol
|
|
web = {
|
|
address = ":80";
|
|
# Redirect all incoming HTTP requests to HTTPS
|
|
http.redirections.entryPoint = {
|
|
to = "websecure";
|
|
scheme = "https";
|
|
};
|
|
};
|
|
# Hypertext Transfer Protocol Secure
|
|
websecure = {
|
|
address = ":443";
|
|
# Requests wildcard SSL certs for our services
|
|
http.tls = {
|
|
certResolver = "lets-encrypt";
|
|
# List of domains in our network
|
|
domains = [
|
|
# Internal services
|
|
{ main = "kanto.dev";
|
|
sans = [ "*.kanto.dev" ];
|
|
}
|
|
# Public services
|
|
{ main = "sajenim.dev";
|
|
sans = [ "*.sajenim.dev" ];
|
|
}
|
|
];
|
|
};
|
|
};
|
|
};
|
|
|
|
# Retrieve certificates from an ACME server
|
|
certificatesResolvers = {
|
|
# Setup a lets-encrypt environment
|
|
lets-encrypt.acme = {
|
|
# Email address used for registration
|
|
email = "its.jassy@pm.me";
|
|
# File or key used for certificate storage
|
|
storage = "/var/lib/traefik/acme.json";
|
|
# Certificate authority server to use
|
|
caServer = "https://acme-v02.api.letsencrypt.org/directory";
|
|
# Use a DNS-01 ACME challenge
|
|
dnsChallenge = {
|
|
provider = "cloudflare";
|
|
resolvers = [
|
|
"1.1.1.1:53"
|
|
"8.8.8.8:53"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
# Disables SSL certificate verification between our traefik instance and our backend
|
|
serversTransport = {
|
|
insecureSkipVerify = true;
|
|
};
|
|
};
|
|
|
|
# Fully dynamic routing configuration
|
|
dynamicConfigOptions = {
|
|
# Connect requests to services
|
|
http = {
|
|
routers = {
|
|
# Central control system
|
|
home-assistant = {
|
|
rule = "Host(`kanto.dev`)";
|
|
entryPoints = [
|
|
"websecure"
|
|
];
|
|
middlewares = [
|
|
"internal"
|
|
];
|
|
service = "home-assistant";
|
|
};
|
|
|
|
# Traefik dashboard
|
|
traefik-dashboard = {
|
|
rule = "Host(`traefik.kanto.dev`)";
|
|
entryPoints = [
|
|
"websecure"
|
|
];
|
|
middlewares = [
|
|
"internal"
|
|
];
|
|
service = "api@internal";
|
|
};
|
|
|
|
# Adguard Home
|
|
adguard-home = {
|
|
rule = "Host(`adguard.kanto.dev`)";
|
|
entryPoints = [
|
|
"websecure"
|
|
];
|
|
middlewares = [
|
|
"internal"
|
|
];
|
|
service = "adguard-home";
|
|
};
|
|
|
|
# Minecraft
|
|
minecraft = {
|
|
rule = "Host(`mc.kanto.dev`)";
|
|
entryPoints = [
|
|
"websecure"
|
|
];
|
|
middlewares = [
|
|
"internal"
|
|
];
|
|
service = "minecraft";
|
|
};
|
|
};
|
|
|
|
# Tweaking the requests
|
|
middlewares = {
|
|
# Restrict access to internal networks
|
|
internal.ipwhitelist.sourcerange = [
|
|
"127.0.0.1/32" # localhost
|
|
"192.168.1.1/24" # lan
|
|
];
|
|
};
|
|
|
|
# How to reach the actual services
|
|
services = {
|
|
home-assistant.loadBalancer.servers = [
|
|
{ url = "http://192.168.1.102:8123"; }
|
|
];
|
|
adguard-home.loadBalancer.servers = [
|
|
{ url = "http://192.168.1.102:3000"; }
|
|
];
|
|
minecraft.loadBalancer.servers = [
|
|
{ url = "http://192.168.1.102:25565"; }
|
|
];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|
|
|