diff --git a/home/features/cli/default.nix b/home/features/cli/default.nix index e6a7307..b24c5ae 100644 --- a/home/features/cli/default.nix +++ b/home/features/cli/default.nix @@ -11,6 +11,7 @@ home.packages = with pkgs; [ autojump bc + busybox comma direnv exa diff --git a/hosts/common/base/default.nix b/hosts/common/base/default.nix index e91cdff..19537dc 100644 --- a/hosts/common/base/default.nix +++ b/hosts/common/base/default.nix @@ -11,5 +11,6 @@ environment.systemPackages = [ inputs.agenix.defaultPackage."x86_64-linux" + pkgs.busybox ]; } diff --git a/hosts/lkk-nix-1/default.nix b/hosts/lkk-nix-1/default.nix index 184b738..528b5b8 100644 --- a/hosts/lkk-nix-1/default.nix +++ b/hosts/lkk-nix-1/default.nix @@ -14,24 +14,39 @@ services.openssh.passwordAuthentication = false; networking = { hostName = "lkk-nix-1"; - firewall.enable = false; + firewall.enable = true; firewall.allowedTCPPortRanges = [{ from = 3000; to = 3100; }]; firewall.allowedTCPPorts = [ 80 443 5432 3478 ]; - firewall.allowedUDPPortRanges = [ { + firewall.allowedUDPPortRanges = [{ from = 3478; to = 3481; - } ]; + }]; }; age = { secrets = { mj-smtp-user.file = ../../secrets/mj-smtp-user.age; mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age; - - billbee-api-key.file = ../../secrets/billbee-api-key.age; + + billbee-api-key = { + file = ../../secrets/billbee-api-key.age; + mode = "770"; + owner = "n8n"; + }; + + godaddy-api-key = { + file = ../../secrets/godaddy-api-key.age; + mode = "770"; + owner = "traefik"; + }; + godaddy-api-secret = { + file = ../../secrets/godaddy-api-secret.age; + mode = "770"; + owner = "traefik"; + }; }; identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ]; }; diff --git a/hosts/lkk-nix-1/services/caddy.nix b/hosts/lkk-nix-1/services/caddy.nix deleted file mode 100644 index f0c9eb5..0000000 --- a/hosts/lkk-nix-1/services/caddy.nix +++ /dev/null 
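Review bot: `busybox` in `home.packages` here, and `pkgs.busybox` in `environment.systemPackages` in hosts/common/base/default.nix, installs (as far as I know) one applet symlink per tool into the profile's `bin/`, so it lands next to coreutils, util-linux and the other GNU tools and either shadows them or at least triggers buildEnv collision warnings depending on priority. If the goal is only to have the binary available, lower its priority with `lib.lowPrio` in both lists — e.g. `(lib.lowPrio busybox)` — or reference `${pkgs.busybox}/bin/busybox` directly from the scripts that need it. Note that the change in hosts/common/base/default.nix applies to every host importing the base module, a wider blast radius than the per-user list.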
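Review bot: The three new secret entries set `mode = "770"`, which gives the decrypted key files write and execute bits for owner and group; a credential only needs to be readable by its consuming service, so `mode = "0400"` (agenix's default, so the attribute can simply be dropped) together with `owner` is sufficient and keeps a compromised n8n or traefik process from rewriting its own secret. Separately, flipping `firewall.enable` to `true` makes the allowed lists above it live for the first time: 5432 (PostgreSQL) and the whole 3000–3100 TCP range are now opened on every interface, even though the traefik configuration added in this commit reaches gitea and baserow on localhost:3000/3001 and the baserow container reaches postgres over the 10.88.0.1 bridge. Unless other hosts connect to those ports directly, drop 5432 and the 3000–3100 range from the global lists, or scope them with `networking.firewall.interfaces.<bridge-interface>.allowedTCPPorts` so they stay reachable only from the container network.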
@@ -1,13 +0,0 @@ -{ - services.caddy = { - enable = true; - extraConfig = '' - code.lanakk.com { - reverse_proxy localhost:3000 - tls { - issuer zerossl - } - } - ''; - }; -} diff --git a/hosts/lkk-nix-1/services/containers/baserow.nix b/hosts/lkk-nix-1/services/containers/baserow.nix index efe7182..3a2719a 100644 --- a/hosts/lkk-nix-1/services/containers/baserow.nix +++ b/hosts/lkk-nix-1/services/containers/baserow.nix @@ -13,10 +13,4 @@ volumes = [ "baserow_data:/baserow/data" ]; extraOptions = [ "--add-host=postgres:10.88.0.1" ]; }; - services.caddy.extraConfig = '' - db.lanakk.com { - reverse_proxy localhost:3001 - } -''; - } diff --git a/hosts/lkk-nix-1/services/default.nix b/hosts/lkk-nix-1/services/default.nix index b5eaa21..851b476 100644 --- a/hosts/lkk-nix-1/services/default.nix +++ b/hosts/lkk-nix-1/services/default.nix @@ -1,9 +1,9 @@ { imports = [ - ./caddy.nix ./container.nix ./gitea.nix ./n8n.nix ./postgres.nix + ./traefik.nix ]; } diff --git a/hosts/lkk-nix-1/services/n8n.nix b/hosts/lkk-nix-1/services/n8n.nix index bd60bc2..216d903 100644 --- a/hosts/lkk-nix-1/services/n8n.nix +++ b/hosts/lkk-nix-1/services/n8n.nix @@ -9,12 +9,6 @@ }; }; systemd.services.n8n.environment = { - BILLBEE_API_KEY = config.age.secrets.billbee-api-key.path; + BILLBEE_API_KEY = config.age.secrets.billbee-api-key.path; # TODO env file for systemd service }; - services.caddy.extraConfig = '' - wf.lanakk.com { - reverse_proxy localhost:5678 - } - ''; - } diff --git a/hosts/lkk-nix-1/services/traefik.nix b/hosts/lkk-nix-1/services/traefik.nix new file mode 100644 index 0000000..5842d28 --- /dev/null +++ b/hosts/lkk-nix-1/services/traefik.nix 
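Review bot: `BILLBEE_API_KEY` is assigned `config.age.secrets.billbee-api-key.path`, so a variable named like the key carries a file path, and the TODO appended on the same line leaves that mismatch in place; any consumer that reads the variable as the credential itself receives the path string. Either rename it to `BILLBEE_API_KEY_FILE` so the contract is explicit, or hand the file to the unit with `systemd.services.n8n.serviceConfig.LoadCredential = [ "billbee-api-key:${config.age.secrets.billbee-api-key.path}" ];`, which lets the agenix secret keep root ownership and its default mode instead of being chowned to `n8n` (its `owner`/`mode` are set in hosts/lkk-nix-1/default.nix in this same commit). If n8n cannot read a file, an `EnvironmentFile` generated from the secret is still preferable to widening the secret's permissions.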
@@ -0,0 +1,88 @@ +{ config, ... }: { + services.traefik = { + enable = true; + staticConfigOptions = { + log = { level = "WARN"; }; + certificatesResolvers = { + godaddy = { + acme = { + email = "dev@lanakk.com"; + storage = "/var/lib/traefik/acme.json"; + dnsChallenge = { provider = "godaddy"; }; + }; + }; + }; + api = { }; + entryPoints = { + web = { + address = ":80"; + http.redirections.entryPoint = { + to = "websecure"; + scheme = "https"; + }; + }; + websecure = { address = ":443"; }; + }; + }; + dynamicConfigOptions = { + http = { + middlewares = { + auth = { + basicAuth = { + users = [ "m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh." ]; + }; + }; + }; + services = { + baserow.loadBalancer.servers = [{ url = "http://localhost:3001/"; }]; + gitea.loadBalancer.servers = [{ url = "http://localhost:3000/"; }]; + n8n.loadBalancer.servers = [{ url = "http://localhost:5678/"; }]; + }; + routers = { + api = { + rule = "Host(`r.lanakk.com`)"; + tls = { certResolver = "godaddy"; }; + service = "api@internal"; + middlewares = "auth"; + entrypoints = "websecure"; + }; + baserow = { + rule = "Host(`db.lanakk.com`)"; + tls = { certResolver = "godaddy"; }; + service = "baserow"; + entrypoints = "websecure"; + }; + gitea = { + rule = "Host(`code.lanakk.com`)"; + tls = { + certResolver = "godaddy"; + domains = "code.lanakk.com"; + }; + service = "gitea"; + entrypoints = "websecure"; + }; + n8n = { + rule = "Host(`wf.lanakk.com`)"; + tls = { + certResolver = "godaddy"; + domains = "wf.lanakk.com"; + }; + service = "n8n"; + entrypoints = "websecure"; + }; + }; + }; + }; + }; + + systemd.services.traefik.environment = { + GODADDY_API_KEY_FILE = config.age.secrets.godaddy-api-key.path; + GODADDY_API_SECRET_FILE = config.age.secrets.godaddy-api-secret.path; + }; # TODO put all the variables into an env file + systemd.services.traefik.postStart = '' + + /run/current-system/sw/bin/bash -c GODADDY_API_KEY=`cat $GODADDY_API_KEY_FILE` && export GODADDY_API_KEY + + 
/run/current-system/sw/bin/bash -c GODADDY_API_SECRET=`cat $GODADDY_API_SECRET_FILE` && export GODADDY_API_SECRET + ''; +} diff --git a/secrets.nix b/secrets.nix index 967defc..633b528 100644 --- a/secrets.nix +++ b/secrets.nix @@ -5,4 +5,7 @@ in { "mj-smtp-pass.age".publicKeys = [ root ]; "billbee-api-key.age".publicKeys = [ root ]; + + "godaddy-api-key.age".publicKeys = [ root ]; + "godaddy-api-secret.age".publicKeys = [ root ]; } diff --git a/secrets/godaddy-api-key.age b/secrets/godaddy-api-key.age new file mode 100644 index 0000000..4cb95f5 --- /dev/null +++ b/secrets/godaddy-api-key.age @@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-rsa DQlE7w +qGTWBFuZm/sDdGs+eE6L7RWjb5FtITdX8SI6TmkR03wtT8tQVNNOx/QGZGSXdaiU +IXSFIuV0Scp6xa8WMNusY3/7IhNGjVqLkC6Fq7UpmsRtCHMlATGs4vYVDkQ2wg/W +Zh2e6IOKJi4X1eTHNmVsrBueAVtwr3tZYG2aDMedse6YA2qaEfbfWIOVfbQABVhU +0DyCcws5Crf2ziLc2dGLR5PO89zhHPubwiBEtPLqFF8n+E9kSOQE+mcLzaTBIlRI +qoamyrIdzTtt8ucP2o32mc33gPR5c7X4orzCetgSXTU3N/AsQmUUV/Y0pUChR+FJ +ZfrXi6UY+b8JM68a53QXMaMntMZgR4rg6gKjP7idSoL3X8dHKWGADXTDpeqFjgPR +gdN6TfGKQShcYVFpmtcjz7ZyVa78FVHFGf4N7MWPkfdB6511WTgM1puWwAJyePpK +a4GoV2RaysZjYGtsUFHpyBzXi7YO+XUj1SmgYNIuV3S17soMnvVuynhhO/ay7RvL + +-> L7R2f-grease 4ILC 'm6r ?@ IO7~E4: +8/3HXdMjZdytuWSIN4QsX5oxzZA3yAk9owoN/DctLHJY+o62Wx0ieX+oGiXQmQlq +2R9qyDQPVVsYlmUEwCcPTL6r9sU +--- xZbC6RcmS2NKOABU90HS9IxRX71dw2K4ezFqmQCx1Rc +|ݩ Gԩ& 5nD=!Sy*NwXAܻba\/S \ No newline at end of file diff --git a/secrets/godaddy-api-secret.age b/secrets/godaddy-api-secret.age new file mode 100644 index 0000000..fbb49d6 --- /dev/null +++ b/secrets/godaddy-api-secret.age 
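Review bot: The `postStart` block cannot inject `GODADDY_API_KEY`/`GODADDY_API_SECRET` into Traefik: it runs as a separate process after the main one is already up, `bash -c GODADDY_API_KEY=...` performs the assignment inside a throw-away child shell, and the `export` that follows in the postStart shell exports an empty variable — nothing reaches the Traefik process, so the DNS challenge relies entirely on the `_FILE` variables set in `environment`. As far as I know lego, the ACME library Traefik uses, resolves the `_FILE` suffix itself, so the whole `postStart` attribute can be deleted; if the plain variables really are required, `LoadCredential` plus an `EnvironmentFile` is the systemd way to do it. Second, `basicAuth.users` embeds an `$apr1$` (MD5-crypt) htpasswd hash for the API/dashboard router on `r.lanakk.com` directly in the repository; that hash is now in git history and MD5-crypt is cheap to brute-force, so move it into an agenix secret referenced through `basicAuth.usersFile`, regenerate it as bcrypt, and treat the current password as rotated. Finally, `tls.domains` on the `gitea` and `n8n` routers is a bare string while Traefik's dynamic config expects a list of `{ main = ...; }` entries — worth confirming the generated file is accepted before relying on it.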
@@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-rsa DQlE7w +QkdCC22ZrirDnNc5SxzeXw8c5L3VRvvmv/xpegV3qi5Q/UmpjwSNin/i3/94UEKS +Ql8Vrgj8IC2xnWC+dj+pXgzAIqDIKlqdCsq2IwwjdlT9hezH+t+huQNYS2j7ppYn +Qgjo+bHMb0oDjxEP+ZMrXLIRmtE379aWGfBb2wzJyAxQBS7Hvqs7Gmc8ZUdklwjY +bN6AH7OKNRMUC8N9XenMkMHJ7IViu6XNfJvniPqsV0ZM1JY2icEdN4zAudo72iDa +1uw/s/CZQ07woZEE1bhJG7uPtRj7EIykAQyjkxkvCG3bIjXJKvkWT9BgPQu9U9ha +D5u2KSEamEZ7+RiLKSk6DkbBYXXed5KPBtGhGAe2BtJO3HocsE/zcPocQCGwT5Ga +FD576gRfkd+jEg6CSvuZH1ru/adGFbLG2/kbSVJyW2YtR7ViXsxQJcsBbI04XVyX +sc8iIBE7rwJCykIAMGaVa7xlk9a4p4nwgDuqAakehiUzMa9hnc9ib3oSFybt06EX + +-> yY7{-grease HYjC1A [Am +4Gmr6n6e9AnqQbfjMcPTXxoAxOdsY79uXjoT2DhDWasp32p7NdHYBIhb1c4xqcg0 +d8rPIyeU/yh0WsrM +--- 72/rzIIngDXVFlG+nyrCHmztUGwU94DSShk+XIGOw08 +?zDHB +snǎ@hX{d9ZWv_p5.|0| \ No newline at end of file