jasmine/dotfiles.nix
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
dotfiles.nix/nixos/viridian/services/traefik/default.nix

174 lines
4.6 KiB
Nix
Raw Blame History

{ inputs, config, pkgs, ... }:
{
disabledModules = [ "services/web-servers/traefik.nix" ];
imports = [
"${inputs.nixpkgs-unstable}/nixos/modules/services/web-servers/traefik.nix"
./media-stack.nix
];
age.secrets.traefik = {
# Environment variables for cloudflare dns challenge
file = inputs.self + /secrets/traefik.age;
owner = "traefik";
group = "traefik";
};
# Reverse proxy and load balancer for HTTP and TCP-based applications
services.traefik = {
enable = true;
package = pkgs.unstable.traefik;
dataDir = "/var/lib/traefik";
environmentFiles = [
config.age.secrets.traefik.path
];
# The startup configuration
staticConfigOptions = {
api = {
# Enable the API in secure mode
insecure = false;
# Enable the dashboard
dashboard = true;
};
# Network entry points into Traefik
entryPoints = {
# Hypertext Transfer Protocol
web = {
address = ":80";
# Redirect all incoming HTTP requests to HTTPS
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
};
};
# Hypertext Transfer Protocol Secure
websecure = {
address = ":443";
# Requests wildcard SSL certs for our services
http.tls = {
certResolver = "lets-encrypt";
# List of domains in our network
domains = [
# Internal services
{ main = "kanto.dev";
sans = [ "*.kanto.dev" ];
}
# Public services
{ main = "sajenim.dev";
sans = [ "*.sajenim.dev" ];
}
];
};
};
};
# Retrieve certificates from an ACME server
certificatesResolvers = {
# Setup a lets-encrypt environment
lets-encrypt.acme = {
# Email address used for registration
email = "its.jassy@pm.me";
# File or key used for certificate storage
storage = "/var/lib/traefik/acme.json";
# Certificate authority server to use
caServer = "https://acme-v02.api.letsencrypt.org/directory";
# Use a DNS-01 ACME challenge
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"8.8.8.8:53"
];
};
};
};
# Disables SSL certificate verification between our traefik instance and our backend
serversTransport = {
insecureSkipVerify = true;
};
};
# Fully dynamic routing configuration
dynamicConfigOptions = {
# Connect requests to services
http = {
routers = {
# Central control system
home-assistant = {
rule = "Host(`kanto.dev`)";
entryPoints = [
"websecure"
];
middlewares = [
"internal"
];
service = "home-assistant";
};
# Traefik dashboard
traefik-dashboard = {
rule = "Host(`traefik.kanto.dev`)";
entryPoints = [
"websecure"
];
middlewares = [
"internal"
];
service = "api@internal";
};
# Adguard Home
adguard-home = {
rule = "Host(`adguard.kanto.dev`)";
entryPoints = [
"websecure"
];
middlewares = [
"internal"
];
service = "adguard-home";
};
# Minecraft
minecraft = {
rule = "Host(`mc.kanto.dev`)";
entryPoints = [
"websecure"
];
middlewares = [
"internal"
];
service = "minecraft";
};
};
# Tweaking the requests
middlewares = {
# Restrict access to internal networks
internal.ipwhitelist.sourcerange = [
"127.0.0.1/32" # localhost
"192.168.1.1/24" # lan
];
};
# How to reach the actual services
services = {
home-assistant.loadBalancer.servers = [
{ url = "http://192.168.1.102:8123"; }
];
adguard-home.loadBalancer.servers = [
{ url = "http://192.168.1.102:3000"; }
];
minecraft.loadBalancer.servers = [
{ url = "http://192.168.1.102:25565"; }
];
};
};
};
};
}
Reference in a new issue View git blame Copy permalink