replaced caddy with traefik / minor optimizations

This commit is contained in:
m3tam3re 2023-01-24 19:19:28 +01:00
parent 08f65884a3
commit 870fc6a73b
11 changed files with 147 additions and 32 deletions

View File

@ -11,6 +11,7 @@
home.packages = with pkgs; [ home.packages = with pkgs; [
autojump autojump
bc bc
busybox
comma comma
direnv direnv
exa exa

View File

@ -11,5 +11,6 @@
environment.systemPackages = [ environment.systemPackages = [
inputs.agenix.defaultPackage."x86_64-linux" inputs.agenix.defaultPackage."x86_64-linux"
pkgs.busybox
]; ];
} }

View File

@ -14,24 +14,39 @@
services.openssh.passwordAuthentication = false; services.openssh.passwordAuthentication = false;
networking = { networking = {
hostName = "lkk-nix-1"; hostName = "lkk-nix-1";
firewall.enable = false; firewall.enable = true;
firewall.allowedTCPPortRanges = [{ firewall.allowedTCPPortRanges = [{
from = 3000; from = 3000;
to = 3100; to = 3100;
}]; }];
firewall.allowedTCPPorts = [ 80 443 5432 3478 ]; firewall.allowedTCPPorts = [ 80 443 5432 3478 ];
firewall.allowedUDPPortRanges = [ { firewall.allowedUDPPortRanges = [{
from = 3478; from = 3478;
to = 3481; to = 3481;
} ]; }];
}; };
age = { age = {
secrets = { secrets = {
mj-smtp-user.file = ../../secrets/mj-smtp-user.age; mj-smtp-user.file = ../../secrets/mj-smtp-user.age;
mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age; mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age;
billbee-api-key.file = ../../secrets/billbee-api-key.age; billbee-api-key = {
file = ../../secrets/billbee-api-key.age;
mode = "770";
owner = "n8n";
};
godaddy-api-key = {
file = ../../secrets/godaddy-api-key.age;
mode = "770";
owner = "traefik";
};
godaddy-api-secret = {
file = ../../secrets/godaddy-api-secret.age;
mode = "770";
owner = "traefik";
};
}; };
identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ]; identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ];
}; };

View File

@ -1,13 +0,0 @@
{
services.caddy = {
enable = true;
extraConfig = ''
code.lanakk.com {
reverse_proxy localhost:3000
tls {
issuer zerossl
}
}
'';
};
}

View File

@ -13,10 +13,4 @@
volumes = [ "baserow_data:/baserow/data" ]; volumes = [ "baserow_data:/baserow/data" ];
extraOptions = [ "--add-host=postgres:10.88.0.1" ]; extraOptions = [ "--add-host=postgres:10.88.0.1" ];
}; };
services.caddy.extraConfig = ''
db.lanakk.com {
reverse_proxy localhost:3001
}
'';
} }

View File

@ -1,9 +1,9 @@
{ {
imports = [ imports = [
./caddy.nix
./container.nix ./container.nix
./gitea.nix ./gitea.nix
./n8n.nix ./n8n.nix
./postgres.nix ./postgres.nix
./traefik.nix
]; ];
} }

View File

@ -9,12 +9,6 @@
}; };
}; };
systemd.services.n8n.environment = { systemd.services.n8n.environment = {
BILLBEE_API_KEY = config.age.secrets.billbee-api-key.path; BILLBEE_API_KEY = config.age.secrets.billbee-api-key.path; # TODO env file for systemd service
}; };
services.caddy.extraConfig = ''
wf.lanakk.com {
reverse_proxy localhost:5678
}
'';
} }

View File

@ -0,0 +1,88 @@
{ config, ... }: {
services.traefik = {
enable = true;
staticConfigOptions = {
log = { level = "WARN"; };
certificatesResolvers = {
godaddy = {
acme = {
email = "dev@lanakk.com";
storage = "/var/lib/traefik/acme.json";
dnsChallenge = { provider = "godaddy"; };
};
};
};
api = { };
entryPoints = {
web = {
address = ":80";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
};
};
websecure = { address = ":443"; };
};
};
dynamicConfigOptions = {
http = {
middlewares = {
auth = {
basicAuth = {
users = [ "m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh." ];
};
};
};
services = {
baserow.loadBalancer.servers = [{ url = "http://localhost:3001/"; }];
gitea.loadBalancer.servers = [{ url = "http://localhost:3000/"; }];
n8n.loadBalancer.servers = [{ url = "http://localhost:5678/"; }];
};
routers = {
api = {
rule = "Host(`r.lanakk.com`)";
tls = { certResolver = "godaddy"; };
service = "api@internal";
middlewares = "auth";
entrypoints = "websecure";
};
baserow = {
rule = "Host(`db.lanakk.com`)";
tls = { certResolver = "godaddy"; };
service = "baserow";
entrypoints = "websecure";
};
gitea = {
rule = "Host(`code.lanakk.com`)";
tls = {
certResolver = "godaddy";
domains = "code.lanakk.com";
};
service = "gitea";
entrypoints = "websecure";
};
n8n = {
rule = "Host(`wf.lanakk.com`)";
tls = {
certResolver = "godaddy";
domains = "wf.lanakk.com";
};
service = "n8n";
entrypoints = "websecure";
};
};
};
};
};
systemd.services.traefik.environment = {
GODADDY_API_KEY_FILE = config.age.secrets.godaddy-api-key.path;
GODADDY_API_SECRET_FILE = config.age.secrets.godaddy-api-secret.path;
}; # TODO put all the variables into an env file
systemd.services.traefik.postStart = ''
/run/current-system/sw/bin/bash -c GODADDY_API_KEY=`cat $GODADDY_API_KEY_FILE` && export GODADDY_API_KEY
/run/current-system/sw/bin/bash -c GODADDY_API_SECRET=`cat $GODADDY_API_SECRET_FILE` && export GODADDY_API_SECRET
'';
}

View File

@ -5,4 +5,7 @@ in {
"mj-smtp-pass.age".publicKeys = [ root ]; "mj-smtp-pass.age".publicKeys = [ root ];
"billbee-api-key.age".publicKeys = [ root ]; "billbee-api-key.age".publicKeys = [ root ];
"godaddy-api-key.age".publicKeys = [ root ];
"godaddy-api-secret.age".publicKeys = [ root ];
} }

View File

@ -0,0 +1,16 @@
age-encryption.org/v1
-> ssh-rsa DQlE7w
qGTWBFuZm/sDdGs+eE6L7RWjb5FtITdX8SI6TmkR03wtT8tQVNNOx/QGZGSXdaiU
IXSFIuV0Scp6xa8WMNusY3/7IhNGjVqLkC6Fq7UpmsRtCHMlATGs4vYVDkQ2wg/W
Zh2e6IOKJi4X1eTHNmVsrBueAVtwr3tZYG2aDMedse6YA2qaEfbfWIOVfbQABVhU
0DyCcws5Crf2ziLc2dGLR5PO89zhHPubwiBEtPLqFF8n+E9kSOQE+mcLzaTBIlRI
qoamyrIdzTtt8ucP2o32mc33gPR5c7X4orzCetgSXTU3N/AsQmUUV/Y0pUChR+FJ
ZfrXi6UY+b8JM68a53QXMaMntMZgR4rg6gKjP7idSoL3X8dHKWGADXTDpeqFjgPR
gdN6TfGKQShcYVFpmtcjz7ZyVa78FVHFGf4N7MWPkfdB6511WTgM1puWwAJyePpK
a4GoV2RaysZjYGtsUFHpyBzXi7YO+XUj1SmgYNIuV3S17soMnvVuynhhO/ay7RvL
-> L7R2f-grease 4ILC 'm6r ?@ IO7~E4:
8/3HXdMjZdytuWSIN4QsX5oxzZA3yAk9owoN/DctLHJY+o62Wx0ieX+oGiXQmQlq
2R9qyDQPVVsYlmUEwCcPTL6r9sU
--- xZbC6RcmS2NKOABU90HS9IxRX71dw2K4ezFqmQCx1Rc
|˜Ý© ˜‡Ô©ó«& Û5˜„ü<E2809E>nðDÂÆ=Ÿ!•SyÉ*Nèw¹X†×é£ùA©œÏÿÜ»ba•\/¾

View File

@ -0,0 +1,16 @@
age-encryption.org/v1
-> ssh-rsa DQlE7w
QkdCC22ZrirDnNc5SxzeXw8c5L3VRvvmv/xpegV3qi5Q/UmpjwSNin/i3/94UEKS
Ql8Vrgj8IC2xnWC+dj+pXgzAIqDIKlqdCsq2IwwjdlT9hezH+t+huQNYS2j7ppYn
Qgjo+bHMb0oDjxEP+ZMrXLIRmtE379aWGfBb2wzJyAxQBS7Hvqs7Gmc8ZUdklwjY
bN6AH7OKNRMUC8N9XenMkMHJ7IViu6XNfJvniPqsV0ZM1JY2icEdN4zAudo72iDa
1uw/s/CZQ07woZEE1bhJG7uPtRj7EIykAQyjkxkvCG3bIjXJKvkWT9BgPQu9U9ha
D5u2KSEamEZ7+RiLKSk6DkbBYXXed5KPBtGhGAe2BtJO3HocsE/zcPocQCGwT5Ga
FD576gRfkd+jEg6CSvuZH1ru/adGFbLG2/kbSVJyW2YtR7ViXsxQJcsBbI04XVyX
sc8iIBE7rwJCykIAMGaVa7xlk9a4p4nwgDuqAakehiUzMa9hnc9ib3oSFybt06EX
-> yY7{-grease HYjC1A [Am
4Gmr6n6e9AnqQbfjMcPTXxoAxOdsY79uXjoT2DhDWasp32p7NdHYBIhb1c4xqcg0
d8rPIyeU/yh0WsrM
--- 72/rzIIngDXVFlG+nyrCHmztUGwU94DSShk+XIGOw08
¢?zºÀDHB +ó<>snÇŽ@<40>£hXúÃà{d9Z¢W<C2A2>ŸãvŒ_‡p5.|0ˆ<>