replaced caddy with traefik / minor optimizations

2023-01-24 19:19:28 +01:00 · 2023-01-24 19:19:28 +01:00 · 870fc6a73b
parent 08f65884a3
commit 870fc6a73b
11 changed files with 147 additions and 32 deletions
--- a/home/features/cli/default.nix
+++ b/home/features/cli/default.nix
@ -11,6 +11,7 @@
  home.packages = with pkgs; [
    autojump
    bc
+    busybox
    comma
    direnv
    exa
--- a/hosts/common/base/default.nix
+++ b/hosts/common/base/default.nix
@ -11,5 +11,6 @@

  environment.systemPackages = [
    inputs.agenix.defaultPackage."x86_64-linux"
+    pkgs.busybox
  ];
 }
--- a/hosts/lkk-nix-1/default.nix
+++ b/hosts/lkk-nix-1/default.nix
@ -14,16 +14,16 @@
  services.openssh.passwordAuthentication = false;
  networking = {
    hostName = "lkk-nix-1";
-    firewall.enable = false;
+    firewall.enable = true;
    firewall.allowedTCPPortRanges = [{
      from = 3000;
      to = 3100;
    }];
    firewall.allowedTCPPorts = [ 80 443 5432 3478 ];
-    firewall.allowedUDPPortRanges = [ {
+    firewall.allowedUDPPortRanges = [{
      from = 3478;
      to = 3481;
-    } ];
+    }];
  };

  age = {
@ -31,7 +31,22 @@
      mj-smtp-user.file = ../../secrets/mj-smtp-user.age;
      mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age;

-      billbee-api-key.file = ../../secrets/billbee-api-key.age;
+      billbee-api-key = {
+        file = ../../secrets/billbee-api-key.age;
+        mode = "770";
+        owner = "n8n";
+      };
+
+      godaddy-api-key = {
+        file = ../../secrets/godaddy-api-key.age;
+        mode = "770";
+        owner = "traefik";
+      };
+      godaddy-api-secret = {
+        file = ../../secrets/godaddy-api-secret.age;
+        mode = "770";
+        owner = "traefik";
+      };
    };
    identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ];
  };
--- a/hosts/lkk-nix-1/services/caddy.nix
+++ b/hosts/lkk-nix-1/services/caddy.nix
@ -1,13 +0,0 @@
-{
-  services.caddy = {
-    enable = true;
-    extraConfig = ''
-            code.lanakk.com {
-                       reverse_proxy localhost:3000
-                       tls {
-      		                 issuer zerossl
-      	               }	
-            }
-    '';
-  };
-}
--- a/hosts/lkk-nix-1/services/containers/baserow.nix
+++ b/hosts/lkk-nix-1/services/containers/baserow.nix
@ -13,10 +13,4 @@
      volumes = [ "baserow_data:/baserow/data" ];
      extraOptions = [ "--add-host=postgres:10.88.0.1" ];
  };
-  services.caddy.extraConfig = ''
-            db.lanakk.com {
-                          reverse_proxy localhost:3001
-            }
-'';
-  
 }
--- a/hosts/lkk-nix-1/services/default.nix
+++ b/hosts/lkk-nix-1/services/default.nix
@ -1,9 +1,9 @@
 {
  imports = [
-    ./caddy.nix
    ./container.nix
    ./gitea.nix
    ./n8n.nix
    ./postgres.nix
+    ./traefik.nix
  ];
 }
--- a/hosts/lkk-nix-1/services/n8n.nix
+++ b/hosts/lkk-nix-1/services/n8n.nix
@ -9,12 +9,6 @@
    };
  };
  systemd.services.n8n.environment = {
-    BILLBEE_API_KEY = config.age.secrets.billbee-api-key.path;
+    BILLBEE_API_KEY = config.age.secrets.billbee-api-key.path; # TODO env file for systemd service
  };
-  services.caddy.extraConfig = ''
-    wf.lanakk.com {
-                  reverse_proxy localhost:5678
-    }
-  '';
-
 }
--- a/hosts/lkk-nix-1/services/traefik.nix
+++ b/hosts/lkk-nix-1/services/traefik.nix
@ -0,0 +1,88 @@
+{ config, ... }: {
+  services.traefik = {
+    enable = true;
+    staticConfigOptions = {
+      log = { level = "WARN"; };
+      certificatesResolvers = {
+        godaddy = {
+          acme = {
+            email = "dev@lanakk.com";
+            storage = "/var/lib/traefik/acme.json";
+            dnsChallenge = { provider = "godaddy"; };
+          };
+        };
+      };
+      api = { };
+      entryPoints = {
+        web = {
+          address = ":80";
+          http.redirections.entryPoint = {
+            to = "websecure";
+            scheme = "https";
+          };
+        };
+        websecure = { address = ":443"; };
+      };
+    };
+    dynamicConfigOptions = {
+      http = {
+        middlewares = {
+          auth = {
+            basicAuth = {
+              users = [ "m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh." ];
+            };
+          };
+        };
+        services = {
+          baserow.loadBalancer.servers = [{ url = "http://localhost:3001/"; }];
+          gitea.loadBalancer.servers = [{ url = "http://localhost:3000/"; }];
+          n8n.loadBalancer.servers = [{ url = "http://localhost:5678/"; }];
+        };
+        routers = {
+          api = {
+            rule = "Host(`r.lanakk.com`)";
+            tls = { certResolver = "godaddy"; };
+            service = "api@internal";
+            middlewares = "auth";
+            entrypoints = "websecure";
+          };
+          baserow = {
+            rule = "Host(`db.lanakk.com`)";
+            tls = { certResolver = "godaddy"; };
+            service = "baserow";
+            entrypoints = "websecure";
+          };
+          gitea = {
+            rule = "Host(`code.lanakk.com`)";
+            tls = {
+              certResolver = "godaddy";
+              domains = "code.lanakk.com";
+            };
+            service = "gitea";
+            entrypoints = "websecure";
+          };
+          n8n = {
+            rule = "Host(`wf.lanakk.com`)";
+            tls = {
+              certResolver = "godaddy";
+              domains = "wf.lanakk.com";
+            };
+            service = "n8n";
+            entrypoints = "websecure";
+          };
+        };
+      };
+    };
+  };
+
+  systemd.services.traefik.environment = {
+    GODADDY_API_KEY_FILE = config.age.secrets.godaddy-api-key.path;
+    GODADDY_API_SECRET_FILE = config.age.secrets.godaddy-api-secret.path;
+  }; # TODO put all the variables into an env file
+  systemd.services.traefik.postStart = ''
+
+    /run/current-system/sw/bin/bash -c GODADDY_API_KEY=`cat $GODADDY_API_KEY_FILE` && export GODADDY_API_KEY
+
+    /run/current-system/sw/bin/bash -c GODADDY_API_SECRET=`cat $GODADDY_API_SECRET_FILE` && export GODADDY_API_SECRET
+  '';
+}
--- a/secrets.nix
+++ b/secrets.nix
@ -5,4 +5,7 @@ in {
  "mj-smtp-pass.age".publicKeys = [ root ];

  "billbee-api-key.age".publicKeys = [ root ];
+
+  "godaddy-api-key.age".publicKeys = [ root ];
+  "godaddy-api-secret.age".publicKeys = [ root ];
 }
--- a/secrets/godaddy-api-key.age
+++ b/secrets/godaddy-api-key.age
@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-rsa DQlE7w
+qGTWBFuZm/sDdGs+eE6L7RWjb5FtITdX8SI6TmkR03wtT8tQVNNOx/QGZGSXdaiU
+IXSFIuV0Scp6xa8WMNusY3/7IhNGjVqLkC6Fq7UpmsRtCHMlATGs4vYVDkQ2wg/W
+Zh2e6IOKJi4X1eTHNmVsrBueAVtwr3tZYG2aDMedse6YA2qaEfbfWIOVfbQABVhU
+0DyCcws5Crf2ziLc2dGLR5PO89zhHPubwiBEtPLqFF8n+E9kSOQE+mcLzaTBIlRI
+qoamyrIdzTtt8ucP2o32mc33gPR5c7X4orzCetgSXTU3N/AsQmUUV/Y0pUChR+FJ
+ZfrXi6UY+b8JM68a53QXMaMntMZgR4rg6gKjP7idSoL3X8dHKWGADXTDpeqFjgPR
+gdN6TfGKQShcYVFpmtcjz7ZyVa78FVHFGf4N7MWPkfdB6511WTgM1puWwAJyePpK
+a4GoV2RaysZjYGtsUFHpyBzXi7YO+XUj1SmgYNIuV3S17soMnvVuynhhO/ay7RvL
+
+-> L7R2f-grease 4ILC 'm6r ?@ IO7~E4:
+8/3HXdMjZdytuWSIN4QsX5oxzZA3yAk9owoN/DctLHJY+o62Wx0ieX+oGiXQmQlq
+2R9qyDQPVVsYlmUEwCcPTL6r9sU
+--- xZbC6RcmS2NKOABU90HS9IxRX71dw2K4ezFqmQCx1Rc
+|˜Ý©
˜‡GÏÔ©ó«&
Û5˜„ü<E2809E>nðDÂÆ=Ÿ!•SyÉ*Nèw¹X†×é£ùA©œÏÿÜ»ba•\/¾Sª
--- a/secrets/godaddy-api-secret.age
+++ b/secrets/godaddy-api-secret.age
@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-rsa DQlE7w
+QkdCC22ZrirDnNc5SxzeXw8c5L3VRvvmv/xpegV3qi5Q/UmpjwSNin/i3/94UEKS
+Ql8Vrgj8IC2xnWC+dj+pXgzAIqDIKlqdCsq2IwwjdlT9hezH+t+huQNYS2j7ppYn
+Qgjo+bHMb0oDjxEP+ZMrXLIRmtE379aWGfBb2wzJyAxQBS7Hvqs7Gmc8ZUdklwjY
+bN6AH7OKNRMUC8N9XenMkMHJ7IViu6XNfJvniPqsV0ZM1JY2icEdN4zAudo72iDa
+1uw/s/CZQ07woZEE1bhJG7uPtRj7EIykAQyjkxkvCG3bIjXJKvkWT9BgPQu9U9ha
+D5u2KSEamEZ7+RiLKSk6DkbBYXXed5KPBtGhGAe2BtJO3HocsE/zcPocQCGwT5Ga
+FD576gRfkd+jEg6CSvuZH1ru/adGFbLG2/kbSVJyW2YtR7ViXsxQJcsBbI04XVyX
+sc8iIBE7rwJCykIAMGaVa7xlk9a4p4nwgDuqAakehiUzMa9hnc9ib3oSFybt06EX
+
+-> yY7{-grease HYjC1A [Am
+4Gmr6n6e9AnqQbfjMcPTXxoAxOdsY79uXjoT2DhDWasp32p7NdHYBIhb1c4xqcg0
+d8rPIyeU/yh0WsrM
+--- 72/rzIIngDXVFlG+nyrCHmztUGwU94DSShk+XIGOw08
+¢?zºÀDHB +ó<>snÇŽ@<40>£hXúÃà{d9Z¢W<C2A2>ŸãvŒ_‡p5.|0ˆ|¡<>