replaced caddy with traefik / minor optimizations
parent
08f65884a3
commit
870fc6a73b
|
@ -11,6 +11,7 @@
|
||||||
home.packages = with pkgs; [
|
home.packages = with pkgs; [
|
||||||
autojump
|
autojump
|
||||||
bc
|
bc
|
||||||
|
busybox
|
||||||
comma
|
comma
|
||||||
direnv
|
direnv
|
||||||
exa
|
exa
|
||||||
|
|
|
@ -11,5 +11,6 @@
|
||||||
|
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
inputs.agenix.defaultPackage."x86_64-linux"
|
inputs.agenix.defaultPackage."x86_64-linux"
|
||||||
|
pkgs.busybox
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -14,24 +14,39 @@
|
||||||
services.openssh.passwordAuthentication = false;
|
services.openssh.passwordAuthentication = false;
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "lkk-nix-1";
|
hostName = "lkk-nix-1";
|
||||||
firewall.enable = false;
|
firewall.enable = true;
|
||||||
firewall.allowedTCPPortRanges = [{
|
firewall.allowedTCPPortRanges = [{
|
||||||
from = 3000;
|
from = 3000;
|
||||||
to = 3100;
|
to = 3100;
|
||||||
}];
|
}];
|
||||||
firewall.allowedTCPPorts = [ 80 443 5432 3478 ];
|
firewall.allowedTCPPorts = [ 80 443 5432 3478 ];
|
||||||
firewall.allowedUDPPortRanges = [ {
|
firewall.allowedUDPPortRanges = [{
|
||||||
from = 3478;
|
from = 3478;
|
||||||
to = 3481;
|
to = 3481;
|
||||||
} ];
|
}];
|
||||||
};
|
};
|
||||||
|
|
||||||
age = {
|
age = {
|
||||||
secrets = {
|
secrets = {
|
||||||
mj-smtp-user.file = ../../secrets/mj-smtp-user.age;
|
mj-smtp-user.file = ../../secrets/mj-smtp-user.age;
|
||||||
mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age;
|
mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age;
|
||||||
|
|
||||||
billbee-api-key.file = ../../secrets/billbee-api-key.age;
|
billbee-api-key = {
|
||||||
|
file = ../../secrets/billbee-api-key.age;
|
||||||
|
mode = "770";
|
||||||
|
owner = "n8n";
|
||||||
|
};
|
||||||
|
|
||||||
|
godaddy-api-key = {
|
||||||
|
file = ../../secrets/godaddy-api-key.age;
|
||||||
|
mode = "770";
|
||||||
|
owner = "traefik";
|
||||||
|
};
|
||||||
|
godaddy-api-secret = {
|
||||||
|
file = ../../secrets/godaddy-api-secret.age;
|
||||||
|
mode = "770";
|
||||||
|
owner = "traefik";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ];
|
identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ];
|
||||||
};
|
};
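Review bot: `mode = "770"` on the three new agenix secrets (`billbee-api-key`, `godaddy-api-key`, `godaddy-api-secret`) makes each decrypted file writable and executable for owner and group, which a read-only credential does not need; with `owner` already set to the consuming service, `mode = "0400"` is enough. Separately, now that `firewall.enable = true` takes effect, the retained `allowedTCPPortRanges` 3000–3100 and port 5432 in `allowedTCPPorts` still admit direct connections to the Gitea/Baserow backend ports and PostgreSQL, so if those services listen on non-loopback addresses they stay reachable without TLS and bypass the Traefik routers. Consider dropping the range and scoping 5432 to the container bridge with `networking.firewall.interfaces.<name>.allowedTCPPorts` rather than opening it on every interface. The enclosing module starts and ends outside this hunk, so other consumers of these ports may exist that are not visible here.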
|
||||||
|
|
|
@ -1,13 +0,0 @@
|
||||||
{
|
|
||||||
services.caddy = {
|
|
||||||
enable = true;
|
|
||||||
extraConfig = ''
|
|
||||||
code.lanakk.com {
|
|
||||||
reverse_proxy localhost:3000
|
|
||||||
tls {
|
|
||||||
issuer zerossl
|
|
||||||
}
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -13,10 +13,4 @@
|
||||||
volumes = [ "baserow_data:/baserow/data" ];
|
volumes = [ "baserow_data:/baserow/data" ];
|
||||||
extraOptions = [ "--add-host=postgres:10.88.0.1" ];
|
extraOptions = [ "--add-host=postgres:10.88.0.1" ];
|
||||||
};
|
};
|
||||||
services.caddy.extraConfig = ''
|
|
||||||
db.lanakk.com {
|
|
||||||
reverse_proxy localhost:3001
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./caddy.nix
|
|
||||||
./container.nix
|
./container.nix
|
||||||
./gitea.nix
|
./gitea.nix
|
||||||
./n8n.nix
|
./n8n.nix
|
||||||
./postgres.nix
|
./postgres.nix
|
||||||
|
./traefik.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,12 +9,6 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
systemd.services.n8n.environment = {
|
systemd.services.n8n.environment = {
|
||||||
BILLBEE_API_KEY = config.age.secrets.billbee-api-key.path;
|
BILLBEE_API_KEY = config.age.secrets.billbee-api-key.path; # TODO env file for systemd service
|
||||||
};
|
};
|
||||||
services.caddy.extraConfig = ''
|
|
||||||
wf.lanakk.com {
|
|
||||||
reverse_proxy localhost:5678
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,88 @@
|
||||||
|
{ config, ... }: {
|
||||||
|
services.traefik = {
|
||||||
|
enable = true;
|
||||||
|
staticConfigOptions = {
|
||||||
|
log = { level = "WARN"; };
|
||||||
|
certificatesResolvers = {
|
||||||
|
godaddy = {
|
||||||
|
acme = {
|
||||||
|
email = "dev@lanakk.com";
|
||||||
|
storage = "/var/lib/traefik/acme.json";
|
||||||
|
dnsChallenge = { provider = "godaddy"; };
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
api = { };
|
||||||
|
entryPoints = {
|
||||||
|
web = {
|
||||||
|
address = ":80";
|
||||||
|
http.redirections.entryPoint = {
|
||||||
|
to = "websecure";
|
||||||
|
scheme = "https";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
websecure = { address = ":443"; };
|
||||||
|
};
|
||||||
|
};
|
||||||
|
dynamicConfigOptions = {
|
||||||
|
http = {
|
||||||
|
middlewares = {
|
||||||
|
auth = {
|
||||||
|
basicAuth = {
|
||||||
|
users = [ "m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh." ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
services = {
|
||||||
|
baserow.loadBalancer.servers = [{ url = "http://localhost:3001/"; }];
|
||||||
|
gitea.loadBalancer.servers = [{ url = "http://localhost:3000/"; }];
|
||||||
|
n8n.loadBalancer.servers = [{ url = "http://localhost:5678/"; }];
|
||||||
|
};
|
||||||
|
routers = {
|
||||||
|
api = {
|
||||||
|
rule = "Host(`r.lanakk.com`)";
|
||||||
|
tls = { certResolver = "godaddy"; };
|
||||||
|
service = "api@internal";
|
||||||
|
middlewares = "auth";
|
||||||
|
entrypoints = "websecure";
|
||||||
|
};
|
||||||
|
baserow = {
|
||||||
|
rule = "Host(`db.lanakk.com`)";
|
||||||
|
tls = { certResolver = "godaddy"; };
|
||||||
|
service = "baserow";
|
||||||
|
entrypoints = "websecure";
|
||||||
|
};
|
||||||
|
gitea = {
|
||||||
|
rule = "Host(`code.lanakk.com`)";
|
||||||
|
tls = {
|
||||||
|
certResolver = "godaddy";
|
||||||
|
domains = "code.lanakk.com";
|
||||||
|
};
|
||||||
|
service = "gitea";
|
||||||
|
entrypoints = "websecure";
|
||||||
|
};
|
||||||
|
n8n = {
|
||||||
|
rule = "Host(`wf.lanakk.com`)";
|
||||||
|
tls = {
|
||||||
|
certResolver = "godaddy";
|
||||||
|
domains = "wf.lanakk.com";
|
||||||
|
};
|
||||||
|
service = "n8n";
|
||||||
|
entrypoints = "websecure";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.traefik.environment = {
|
||||||
|
GODADDY_API_KEY_FILE = config.age.secrets.godaddy-api-key.path;
|
||||||
|
GODADDY_API_SECRET_FILE = config.age.secrets.godaddy-api-secret.path;
|
||||||
|
}; # TODO put all the variables into an env file
|
||||||
|
systemd.services.traefik.postStart = ''
|
||||||
|
|
||||||
|
/run/current-system/sw/bin/bash -c GODADDY_API_KEY=`cat $GODADDY_API_KEY_FILE` && export GODADDY_API_KEY
|
||||||
|
|
||||||
|
/run/current-system/sw/bin/bash -c GODADDY_API_SECRET=`cat $GODADDY_API_SECRET_FILE` && export GODADDY_API_SECRET
|
||||||
|
'';
|
||||||
|
}
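Review bot: The `postStart` script cannot hand the GoDaddy credentials to Traefik: it runs as a separate process after the daemon has started, so the `export` never reaches Traefik's environment, and the backtick expansion places the decrypted value on the `bash -c` command line where local process listings can read it. The ACME library Traefik uses (lego) documents a `_FILE` suffix for provider variables, so the `GODADDY_API_KEY_FILE` / `GODADDY_API_SECRET_FILE` entries in `systemd.services.traefik.environment` should be sufficient on their own and the whole `postStart` block can be removed; this is worth confirming against the Traefik version in use. The `basicAuth.users` entry also commits an `$apr1$` (MD5-based) password hash to the repository and the world-readable Nix store. Moving it to an agenix-managed file referenced through `basicAuth.usersFile` keeps the hash out of both.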
|
|
@ -5,4 +5,7 @@ in {
|
||||||
"mj-smtp-pass.age".publicKeys = [ root ];
|
"mj-smtp-pass.age".publicKeys = [ root ];
|
||||||
|
|
||||||
"billbee-api-key.age".publicKeys = [ root ];
|
"billbee-api-key.age".publicKeys = [ root ];
|
||||||
|
|
||||||
|
"godaddy-api-key.age".publicKeys = [ root ];
|
||||||
|
"godaddy-api-secret.age".publicKeys = [ root ];
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-rsa DQlE7w
|
||||||
|
qGTWBFuZm/sDdGs+eE6L7RWjb5FtITdX8SI6TmkR03wtT8tQVNNOx/QGZGSXdaiU
|
||||||
|
IXSFIuV0Scp6xa8WMNusY3/7IhNGjVqLkC6Fq7UpmsRtCHMlATGs4vYVDkQ2wg/W
|
||||||
|
Zh2e6IOKJi4X1eTHNmVsrBueAVtwr3tZYG2aDMedse6YA2qaEfbfWIOVfbQABVhU
|
||||||
|
0DyCcws5Crf2ziLc2dGLR5PO89zhHPubwiBEtPLqFF8n+E9kSOQE+mcLzaTBIlRI
|
||||||
|
qoamyrIdzTtt8ucP2o32mc33gPR5c7X4orzCetgSXTU3N/AsQmUUV/Y0pUChR+FJ
|
||||||
|
ZfrXi6UY+b8JM68a53QXMaMntMZgR4rg6gKjP7idSoL3X8dHKWGADXTDpeqFjgPR
|
||||||
|
gdN6TfGKQShcYVFpmtcjz7ZyVa78FVHFGf4N7MWPkfdB6511WTgM1puWwAJyePpK
|
||||||
|
a4GoV2RaysZjYGtsUFHpyBzXi7YO+XUj1SmgYNIuV3S17soMnvVuynhhO/ay7RvL
|
||||||
|
|
||||||
|
-> L7R2f-grease 4ILC 'm6r ?@ IO7~E4:
|
||||||
|
8/3HXdMjZdytuWSIN4QsX5oxzZA3yAk9owoN/DctLHJY+o62Wx0ieX+oGiXQmQlq
|
||||||
|
2R9qyDQPVVsYlmUEwCcPTL6r9sU
|
||||||
|
--- xZbC6RcmS2NKOABU90HS9IxRX71dw2K4ezFqmQCx1Rc
|
||||||
|
|˜Ý©
˜‡GÏÔ©ó«&
Û5˜„ü<E2809E>nðDÂÆ=Ÿ!•SyÉ*Nèw¹X†×é£ùA©œÏÿÜ»ba•\/¾Sª
|
|
@ -0,0 +1,16 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-rsa DQlE7w
|
||||||
|
QkdCC22ZrirDnNc5SxzeXw8c5L3VRvvmv/xpegV3qi5Q/UmpjwSNin/i3/94UEKS
|
||||||
|
Ql8Vrgj8IC2xnWC+dj+pXgzAIqDIKlqdCsq2IwwjdlT9hezH+t+huQNYS2j7ppYn
|
||||||
|
Qgjo+bHMb0oDjxEP+ZMrXLIRmtE379aWGfBb2wzJyAxQBS7Hvqs7Gmc8ZUdklwjY
|
||||||
|
bN6AH7OKNRMUC8N9XenMkMHJ7IViu6XNfJvniPqsV0ZM1JY2icEdN4zAudo72iDa
|
||||||
|
1uw/s/CZQ07woZEE1bhJG7uPtRj7EIykAQyjkxkvCG3bIjXJKvkWT9BgPQu9U9ha
|
||||||
|
D5u2KSEamEZ7+RiLKSk6DkbBYXXed5KPBtGhGAe2BtJO3HocsE/zcPocQCGwT5Ga
|
||||||
|
FD576gRfkd+jEg6CSvuZH1ru/adGFbLG2/kbSVJyW2YtR7ViXsxQJcsBbI04XVyX
|
||||||
|
sc8iIBE7rwJCykIAMGaVa7xlk9a4p4nwgDuqAakehiUzMa9hnc9ib3oSFybt06EX
|
||||||
|
|
||||||
|
-> yY7{-grease HYjC1A [Am
|
||||||
|
4Gmr6n6e9AnqQbfjMcPTXxoAxOdsY79uXjoT2DhDWasp32p7NdHYBIhb1c4xqcg0
|
||||||
|
d8rPIyeU/yh0WsrM
|
||||||
|
--- 72/rzIIngDXVFlG+nyrCHmztUGwU94DSShk+XIGOw08
|
||||||
|
¢?zºÀDHB +ó<>snÇŽ@<40>£hXúÃà{d9Z¢W<C2A2>ŸãvŒ_‡p5.|0ˆ|¡<>
|