From db869ea59c18d176b702293f5e9b4d4e787279dd Mon Sep 17 00:00:00 2001
From: James Walker
Date: Sat, 3 Dec 2022 23:14:48 -0500
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=A7=20plato:=20clean=20up=20traefik=20?= =?UTF-8?q?config?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 flake.lock | 36 ++++++++++++------------
 hosts/plato/configuration.nix | 47 +------------------------------
 modules/traefik/default.nix | 53 +++++++++++++++++++++++++++++++++++
 secrets/secrets.yaml | 5 ++--
 4 files changed, 75 insertions(+), 66 deletions(-)
 create mode 100644 modules/traefik/default.nix
diff --git a/flake.lock b/flake.lock
index d36acc0..6052f5b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -141,11 +141,11 @@
 "utils": "utils_2"
 },
 "locked": {
- "lastModified": 1669328018,
- "narHash": "sha256-aJRMobnNDEXKwoSZFS4hGjGU1WDNxkQ82BVKAEohOfY=",
+ "lastModified": 1670058827,
+ "narHash": "sha256-T+yyncPpZWeIkFrG/Cgj21iopULY3BZGWIhcT5ZmCgM=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "62cb5bcf93896e4dd6b4507dac7ba2e2e3abc9d7",
+ "rev": "eb3598cf44aa10f2a16fe38488a102c0f474d766",
 "type": "github"
 },
 "original": {
@@ -156,11 +156,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1669146234,
- "narHash": "sha256-HEby7EG1yaq1oT2Ze6Cvok9CFju1XHkSvVHmkptLW9U=",
+ "lastModified": 1669650994,
+ "narHash": "sha256-uwASLUfedIQ5q01TtMwZDEV2HCZr5nVPZjzVgCG+D5I=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "0099253ad0b5283f06ffe31cf010af3f9ad7837d",
+ "rev": "7883883d135ce5b7eae5dce4bfa12262b85c1c46",
 "type": "github"
 },
 "original": {
@@ -188,11 +188,11 @@
 },
 "nixpkgs-22_05": {
 "locked": {
- "lastModified": 1668908668,
- "narHash": "sha256-oimCE4rY7Btuo/VYmA8khIyTHSMV7qUWTpz9w8yc9LQ=",
+ "lastModified": 1669513802,
+ "narHash": "sha256-AmTRNi8bHgJlmaNe3r5k+IMFbbXERM/KarqveMAZmsY=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "b68a6a27adb452879ab66c0eaac0c133e32823b2",
+ "rev": "6649e08812f579581bfb4cada3ba01e30485c891",
 "type": "github"
 },
 "original": {
@@ -204,11 +204,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1667629849,
- "narHash": "sha256-P+v+nDOFWicM4wziFK9S/ajF2lc0N2Rg9p6Y35uMoZI=",
+ "lastModified": 1669542132,
+ "narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "3bacde6273b09a21a8ccfba15586fb165078fb62",
+ "rev": "a115bb9bd56831941be3776c8a94005867f316a7",
 "type": "github"
 },
 "original": {
@@ -220,11 +220,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1669387357,
- "narHash": "sha256-z1azVj/5Em5kGhh9OgBOsjTEgMab7hXL/aRilH9tzyI=",
+ "lastModified": 1670086663,
+ "narHash": "sha256-hT8C8AQB74tdoCPwz4nlJypLMD7GI2F5q+vn+VE/qQk=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "55b3f68bda6d4f4dc6092eed0508063f154fa4fd",
+ "rev": "813836d64fa57285d108f0dbf2356457ccd304e3",
 "type": "github"
 },
 "original": {
@@ -256,11 +256,11 @@
 "nixpkgs-22_05": "nixpkgs-22_05"
 },
 "locked": {
- "lastModified": 1668915833,
- "narHash": "sha256-7VYPiDJZdGct8Nl3kKhg580XZfoRcViO+zUGPkfBsqM=",
+ "lastModified": 1669714206,
+ "narHash": "sha256-9aiMbzRL8REsyi9U0eZ+lT4s7HaILA1gh9n2apKzLxU=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "f72e050c3ef148b1131a0d2df55385c045e4166b",
+ "rev": "8295b8139ef7baadeb90c5cad7a40c4c9297ebf7",
 "type": "github"
 },
 "original": {
diff --git a/hosts/plato/configuration.nix b/hosts/plato/configuration.nix
index 9bcc6dd..351f95d 100644
--- a/hosts/plato/configuration.nix
+++ b/hosts/plato/configuration.nix
@@ -15,6 +15,7 @@ ../../modules/pleroma ../../modules/postgresql ../../modules/sops + ../../modules/traefik ]; # Use the systemd-boot EFI boot loader. @@ -105,52 +106,6 @@ networking.firewall.enable = false; walkah.coredns = { enable = true; }; - services.traefik = { - enable = true; - group = "docker"; - staticConfigOptions = { - api = { - dashboard = true; - insecure = true; - }; - certificatesResolvers = { - myresolver = { - acme = { - email = "walkah@walkah.net"; - storage = "/var/lib/traefik/acme.json"; - dnsChallenge = { - provider = "cloudflare"; - }; - }; - }; - }; - entryPoints = { - web = { - address = ":80"; - http = { - redirections = { - entryPoint = { - to = "websecure"; - scheme = "https"; - }; - }; - }; - }; - websecure = { - address = ":443"; - }; - }; - providers = { - docker = { }; - }; - }; - }; - systemd.services.traefik = { - serviceConfig = { - EnvironmentFile = "/var/lib/traefik/env"; - }; - }; - services = { borgbackup.jobs."borgbase" = { paths = [ diff --git a/modules/traefik/default.nix b/modules/traefik/default.nix new file mode 100644 index 0000000..417ae26 --- /dev/null +++ b/modules/traefik/default.nix @@ -0,0 +1,53 @@ +{ config, lib, pkgs, ... }: + +{ + services.traefik = { + enable = true; + group = "docker"; + staticConfigOptions = { + api = { + dashboard = true; + insecure = true; + }; + certificatesResolvers = { + myresolver = { + acme = { + email = "walkah@walkah.net"; + storage = "/var/lib/traefik/acme.json"; + dnsChallenge = { + provider = "cloudflare"; + }; + }; + }; + }; + entryPoints = { + web = { + address = ":80"; + http = { + redirections = { + entryPoint = { + to = "websecure"; + scheme = "https"; + }; + }; + }; + }; + websecure = { + address = ":443"; + }; + }; + providers = { + docker = { }; + }; + }; + }; + systemd.services.traefik = { + serviceConfig = { + EnvironmentFile = config.sops.secrets.traefik.path; + }; + }; + + sops.secrets.traefik = { + owner = "traefik"; + }; +} 
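Review bot: `api.insecure = true` together with `dashboard = true` in the new modules/traefik/default.nix keeps Traefik's API and dashboard served without authentication on their own entry point (port 8080 by default), and the plato context in this same patch shows `networking.firewall.enable = false;`, so nothing on the host filters that port. Since the block is being moved into a shared module, this is the place to set `insecure = false;` and publish the dashboard only through a router on `websecure` that targets `api@internal` behind an authentication middleware. Separately, `group = "docker"` with `providers.docker` gives the traefik process the Docker socket, which is effectively root on the host; a comment such as `# docker group: traefik reads the Docker socket (root-equivalent), deliberate` would tell the next reader it is intended. `sops.secrets.traefik.owner = "traefik"` is probably wider than needed, since systemd appears to read `EnvironmentFile=` itself before dropping privileges — worth confirming and leaving the secret root-owned if so.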
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 3f7de3e..dc81181 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -1,6 +1,7 @@
 matrix-registration-secret: ENC[AES256_GCM,data:Sn3pGBq4U3Tgw0pYaetnBLRiNdFGnMxAxyfrxhF9kFDMFijKSy9XBj71M5XxV4shYQyPvu2WDnPR1YvyoQVlv8cEoXhX7++JlYsp/2ZfKIzp4iMxh24z57Cw8vg=,iv:/zxlIeI9gWWCHbejYgz8pjjOrukKome0/bmcXuG3/yE=,tag:3fc3c96H3pO1FUO7p3T4gw==,type:str]
 ipfs-cluster-secret: ENC[AES256_GCM,data:Z9i7ZLhlXw4m8myNUSiY5ej2/6UIwCwIe0bvbCttVLdv8cAHwzR2f22poKD6KnPBe9yaym+X3YtrHTCM4pVIbiSzMsHwYZ00vRQi35ZmYg==,iv:9PBz/olzA4X7JEL1xG8ACUaH1WDHSzApzlG5q0ZqSYk=,tag:9I4PGf91MHAKNeG4fVKIow==,type:str]
 drone: ENC[AES256_GCM,data:UKh2qyZq5eTiEpdbGve+fCQZzSx/j+wUv9eHT/ToU9b51rwA7XJQC4g3rvljBL9X7DFVVdsWOdG6y1eRGImdelJ5hwxa8oK5CBpaGLGjd9+Hm8SS+Q+PAFDW6fdsPtDDgK5jjykcIlJ7u9mjCffFsCGw3UWfHxnniCnIba9e499XU+VR6l96U3oGOsrr0XO/d2zwrOm3mvXQL1P3cE+se4/UDKrdABGfKWyGqZ9xgi6Q7PTSmRv4AtpwpgF1URBvPVqs6yoexWetksLv+Xk5H50EeucbMOA+oUSJ06fUMECFRF9thRrdUbtK,iv:CiZz6NSksNMGmZxWS7uE69O6UnvTkRWbeBwC1bUqR9o=,tag:qcLmseQgkjMVv2uNXPFHzw==,type:str]
+traefik: ENC[AES256_GCM,data:SEjgraDDpdJnaOEZVi/0Vtr3J/jQ3zC2kZaMmMRKhRd77EkXC6eeSbOaORv30QSXcfipm8INT45TKZfRSdbnoV6XbgAqLyLmef3LkmMt+eA=,iv:bbns12ZiqeBha0eWEARMixFfPDHzF8PBjUEeEdkwf6Q=,tag:ft2k2CQk7VmfWiGhhyHVfQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -61,8 +62,8 @@ sops:
 alB4LzZGSTJmUEt0TFBkUTdzR1pOOTQKG8T65JhLKx602YnEmG/Gqi/rY8X/9XgF
 61ejhZ1DucTrM3sfUKjTFwaNVJLJgGEoPRioZW0SJkckjm5NNlutLw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-06-30T20:47:05Z"
- mac: ENC[AES256_GCM,data:S/DfCcsk7oURR8zHW5jkLsDExNBl8G4gPJ5CQzS1R6i38ncEP7yT0pMiwizvZEVHHLP8lxTqsnyquEWhQfcKxojOysgiuGOl/SiiuXGBA91vWzURNN1ricJ+g5SXp593+0cMnkpC8ej6Bkja/QX/DORn74BF+dKLFT3InRi0ucI=,iv:btU0YLRTSnqlOIFzlI0Xbd6IX0noOo0ORqG7+nd8qHs=,tag:JUEWkaaFt0lm5YyW73q7ug==,type:str]
+ lastmodified: "2022-12-04T04:02:03Z"
+ mac: ENC[AES256_GCM,data:LceCSjhcE6XKS62XydiWq4JcaNYPjP7VU2EFtd1lAkS4vi4KiFgchBCmv8vqIHQLOoXLyI5RkZbn78z0M5FqA/Pc2ApEo/Wx4eHogmW+r3qojTTqrlpfS5ssXK3Svk8hppz1MpWGQOI8rMY1jEUYgkmqq6ClKDUc8+v59wNHHvY=,iv:XyQBSKekk5e5UDTVVWXtc/nyCmWTCKcAvl7QDXZOgmA=,tag:cGnc2ZqEJBQ8kiOqLX6kLw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3