dev.fron.io rc / 850580a
traefik: create profile Tony Olagbaiye 1 year, 8 months ago
8 changed file(s) with 597 addition(s) and 24 deletion(s). Raw diff Collapse all Expand all
3636 let
3737 inherit (builtins) listToAttrs baseNameOf attrNames attrValues readDir trace concatStringsSep;
3838 inherit (master.lib) fold recursiveUpdate setAttrByPath mapAttrs genAttrs filterAttrs;
39 inherit (master.lib) removeSuffix removePrefix splitString const;
39 inherit (master.lib) removeSuffix removePrefix splitString const flatten;
4040 forAllSystems = genAttrs [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
4141 diffTrace = left: right: string: value: if left != right then trace string value else value;
4242
106106 napalm = pkgs.callPackage inputs.napalm;
107107
108108 domains = import ./secrets/domains.nix;
109 hosts = import ./secrets/hosts.nix;
109110 fetchPullRequest = fetchPullRequestForSystem system;
110111 };
111112 };
151152
152153 secrets = concatStringsSep "\n" ([]
153154 ++ (attrValues (import ./secrets/domains.nix))
155 ++ (flatten (map attrValues (attrValues (import ./secrets/hosts.nix))))
154156 );
155157 };
156158 }
0 { nixpkgs, home, nur, self, config, lib, pkgs, system, ... }:
0 { nixpkgs, home, nur, self, config, lib, pkgs, system, hosts, ... }:
11
22 {
33 imports = [
113113
114114 nix.buildMachines = lib.optional false [
115115 {
116 hostName = "10.0.0.1";
116 hostName = hosts.wireguard.zeta;
117117 sshUser = "nix-ssh";
118118 sshKey = "/root/.ssh/nix_remote";
119119 #system = "x86_64-linux";
0 { config, lib, pkgs, ... }:
0 { config, lib, pkgs, hosts, ... }:
11
22 {
33 imports = [
145145 host ${mastodon.name} ${mastodon.user} 10.6.0.0/24 trust
146146 host matrix-synapse matrix-synapse 10.7.0.0/24 trust
147147 host mx-puppet-discord mx-puppet-discord 10.7.0.0/24 trust
148 host lemmy lemmy 10.0.0.3/32 trust
148 host lemmy lemmy ${hosts.wireguard.delta}/32 trust
149149 '');
150150 services.postgresql.ensureUsers = [
151151 {
161161 services.openssh.permitRootLogin = "without-password";
162162 services.openssh.listenAddresses = [
163163 { addr = "127.0.0.1"; port = 22; }
164 { addr = "10.0.0.1"; port = 22; }
164 { addr = hosts.wireguard.zeta; port = 22; }
165165 { addr = "10.1.0.1"; port = 22; }
166166 ];
167167 services.openssh.passwordAuthentication = false;
0 { config, lib, pkgs, ... }:
0 { config, lib, pkgs, hosts, ... }:
11
22 let
33 wanInterface = "eno1";
2222 in {
2323 networking.interfaces.${wanInterface} = {
2424 ipv4.addresses = [
25 { address = "163.172.7.233"; prefixLength = 24; }
25 { address = hosts.ipv4.zeta; prefixLength = 24; }
2626 ];
2727 ipv6.addresses = let
2828 morph = block: { address = block.addr; prefixLength = block.prefix; };
117117 proto = proto: "-p ${proto} -m ${proto}";
118118 icmp-echo = "--icmp-type 8";
119119 from-failover = "-d 195.154.56.65";
120 to-delta = "--to-destination 10.0.0.3";
120 to-delta = "--to-destination ${hosts.wireguard.delta}";
121121 lanInterface = "wg0";
122122 in ''
123123 # Enable packet forwarding to/from the target for established/related connections
125125 #iptables -A FORWARD -i ${lanInterface} -o ${wanInterface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
126126
127127 # Enable masquerade on the target
128 #${nat} -A nixos-nat-post -o ${lanInterface} -s 10.0.0.3 -j MASQUERADE
128 #${nat} -A nixos-nat-post -o ${lanInterface} -s ${hosts.wireguard.delta} -j MASQUERADE
129129
130130 # Forward from source to target
131131 #${nat} -A nixos-nat-pre -i ${wanInterface} ${proto "tcp" } ${from-failover} -j DNAT ${to-delta}
Binary diff not shown
0 { config, pkgs, domains, ... }:
1
2 {
3 services.traefik = {
4 enable = true;
5
6 dynamicConfigOptions = {
7 http = {
8 routers = {
9 ping = {
10 entryPoints = [ "http" "https" ];
11 rule = "Host(`ping.${domains.home}`)";
12 service = "ping@internal";
13 };
14 api = {
15 entryPoints = [ "http" "https" ];
16 rule = "Host(`traefik.${domains.home}`)";
17 service = "api@internal";
18 middlewares = [ "auth" ];
19 tls = {
20 domains = [
21 {
22 main = "foobar";
23 sans = [ "foobar" "foobar" ];
24 }
25 {
26 main = "foobar";
27 sans = [ "foobar" "foobar" ];
28 }
29 ];
30 options = "foobar";
31 };
32 };
33 Router1 = {
34 entryPoints = [ "foobar" "foobar" ];
35 middlewares = [ "foobar" "foobar" ];
36 priority = 42;
37 rule = "foobar";
38 service = "foobar";
39 tls = {
40 certResolver = "foobar";
41 domains = [
42 {
43 main = "foobar";
44 sans = [ "foobar" "foobar" ];
45 }
46 {
47 main = "foobar";
48 sans = [ "foobar" "foobar" ];
49 }
50 ];
51 options = "foobar";
52 };
53 };
54 };
55
56 middlewares = {
57 #Middleware00 = { addPrefix = { prefix = "foobar"; }; };
58 #Middleware01 = {
59 # basicAuth = {
60 # headerField = "foobar";
61 # realm = "foobar";
62 # removeHeader = true;
63 # users = [ "foobar" "foobar" ];
64 # usersFile = "foobar";
65 # };
66 #};
67 #Middleware02 = {
68 # buffering = {
69 # maxRequestBodyBytes = 42;
70 # maxResponseBodyBytes = 42;
71 # memRequestBodyBytes = 42;
72 # memResponseBodyBytes = 42;
73 # retryExpression = "foobar";
74 # };
75 #};
76 #Middleware03 = {
77 # chain = { middlewares = [ "foobar" "foobar" ]; };
78 #};
79 #Middleware04 = { circuitBreaker = { expression = "foobar"; }; };
80 #Middleware05 = {
81 # compress = { excludedContentTypes = [ "foobar" "foobar" ]; };
82 #};
83 #Middleware06 = { contentType = { autoDetect = true; }; };
84 #Middleware07 = {
85 # digestAuth = {
86 # headerField = "foobar";
87 # realm = "foobar";
88 # removeHeader = true;
89 # users = [ "foobar" "foobar" ];
90 # usersFile = "foobar";
91 # };
92 #};
93 #Middleware08 = {
94 # errors = {
95 # query = "foobar";
96 # service = "foobar";
97 # status = [ "foobar" "foobar" ];
98 # };
99 #};
100 #Middleware09 = {
101 # forwardAuth = {
102 # address = "foobar";
103 # authResponseHeaders = [ "foobar" "foobar" ];
104 # tls = {
105 # ca = "foobar";
106 # caOptional = true;
107 # cert = "foobar";
108 # insecureSkipVerify = true;
109 # key = "foobar";
110 # };
111 # trustForwardHeader = true;
112 # };
113 #};
114 #Middleware10 = {
115 # headers = {
116 # accessControlAllowCredentials = true;
117 # accessControlAllowHeaders = [ "foobar" "foobar" ];
118 # accessControlAllowMethods = [ "foobar" "foobar" ];
119 # accessControlAllowOrigin = "foobar";
120 # accessControlAllowOriginList = [ "foobar" "foobar" ];
121 # accessControlExposeHeaders = [ "foobar" "foobar" ];
122 # accessControlMaxAge = 42;
123 # addVaryHeader = true;
124 # allowedHosts = [ "foobar" "foobar" ];
125 # browserXssFilter = true;
126 # contentSecurityPolicy = "foobar";
127 # contentTypeNosniff = true;
128 # customBrowserXSSValue = "foobar";
129 # customFrameOptionsValue = "foobar";
130 # customRequestHeaders = {
131 # name0 = "foobar";
132 # name1 = "foobar";
133 # };
134 # customResponseHeaders = {
135 # name0 = "foobar";
136 # name1 = "foobar";
137 # };
138 # featurePolicy = "foobar";
139 # forceSTSHeader = true;
140 # frameDeny = true;
141 # hostsProxyHeaders = [ "foobar" "foobar" ];
142 # isDevelopment = true;
143 # publicKey = "foobar";
144 # referrerPolicy = "foobar";
145 # sslForceHost = true;
146 # sslHost = "foobar";
147 # sslProxyHeaders = {
148 # name0 = "foobar";
149 # name1 = "foobar";
150 # };
151 # sslRedirect = true;
152 # sslTemporaryRedirect = true;
153 # stsIncludeSubdomains = true;
154 # stsPreload = true;
155 # stsSeconds = 42;
156 # };
157 #};
158 #Middleware11 = {
159 # ipWhiteList = {
160 # ipStrategy = {
161 # depth = 42;
162 # excludedIPs = [ "foobar" "foobar" ];
163 # };
164 # sourceRange = [ "foobar" "foobar" ];
165 # };
166 #};
167 #Middleware12 = {
168 # inFlightReq = {
169 # amount = 42;
170 # sourceCriterion = {
171 # ipstrategy = {
172 # depth = 42;
173 # excludedIPs = [ "foobar" "foobar" ];
174 # };
175 # requestHeaderName = "foobar";
176 # requestHost = true;
177 # };
178 # };
179 #};
180 #Middleware13 = {
181 # passTLSClientCert = {
182 # info = {
183 # issuer = {
184 # commonName = true;
185 # country = true;
186 # domainComponent = true;
187 # locality = true;
188 # organization = true;
189 # province = true;
190 # serialNumber = true;
191 # };
192 # notAfter = true;
193 # notBefore = true;
194 # sans = true;
195 # serialNumber = true;
196 # subject = {
197 # commonName = true;
198 # country = true;
199 # domainComponent = true;
200 # locality = true;
201 # organization = true;
202 # province = true;
203 # serialNumber = true;
204 # };
205 # };
206 # pem = true;
207 # };
208 #};
209 #Middleware14 = {
210 # rateLimit = {
211 # average = 42;
212 # burst = 42;
213 # period = 42;
214 # sourceCriterion = {
215 # ipstrategy = {
216 # depth = 42;
217 # excludedIPs = [ "foobar" "foobar" ];
218 # };
219 # requestHeaderName = "foobar";
220 # requestHost = true;
221 # };
222 # };
223 #};
224 #Middleware15 = {
225 # redirectRegex = {
226 # permanent = true;
227 # regex = "foobar";
228 # replacement = "foobar";
229 # };
230 #};
231 #Middleware16 = {
232 # redirectScheme = {
233 # permanent = true;
234 # port = "foobar";
235 # scheme = "foobar";
236 # };
237 #};
238 #Middleware17 = { replacePath = { path = "foobar"; }; };
239 #Middleware18 = {
240 # replacePathRegex = {
241 # regex = "foobar";
242 # replacement = "foobar";
243 # };
244 #};
245 #Middleware19 = { retry = { attempts = 42; }; };
246 #Middleware20 = {
247 # stripPrefix = {
248 # forceSlash = true;
249 # prefixes = [ "foobar" "foobar" ];
250 # };
251 #};
252 #Middleware21 = {
253 # stripPrefixRegex = { regex = [ "foobar" "foobar" ]; };
254 #};
255 };
256
257 services = {
258 auth-request.loadBalancer = {
259 servers = [
260 { url = "http://10.1.0.2:4010/auth"; }
261 ];
262 };
263 torrent.loadBalancer = {
264 healthCheck = {
265 followRedirects = true;
266 headers = {
267 name0 = "foobar";
268 name1 = "foobar";
269 };
270 hostname = "foobar";
271 interval = "foobar";
272 path = "foobar";
273 port = 42;
274 scheme = "foobar";
275 timeout = "foobar";
276 };
277 passHostHeader = true;
278 responseForwarding = { flushInterval = "foobar"; };
279 servers = [
280 { url = "http://10.1.0.2:3000"; }
281 ];
282 };
283 sync.loadBalancer = {
284 servers = [
285 { url = "http://127.0.0.1:8384"; }
286 ];
287 };
288 search.loadBalancer = {
289 servers = [
290 { url = "http://10.5.0.2:8090"; }
291 ];
292 };
293 gpx.loadBalancer = {
294 servers = [
295 { url = "http://10.1.0.2:2777"; }
296 ];
297 };
298 mastodon.loadBalancer = {
299 servers = [
300 { url = "https://10.6.0.2:443"; }
301 ];
302 };
303 construct.loadBalancer = {
304 servers = [
305 { url = "http://10.7.0.2:4004"; }
306 ];
307 };
308 acme.loadBalancer = {
309 servers = [
310 { url = "http://10.3.0.2:80"; }
311 ];
312 };
313 certauth.loadBalancer = {
314 servers = [
315 { url = "https://10.4.0.2:443"; }
316 ];
317 };
318 #mirror-sample.mirroring = {
319 # maxBodySize = 42;
320 # mirrors = [
321 # { name = "http://127.0.0.1:8384"; percent = 42; }
322 # ];
323 # service = "foobar";
324 #};
325 #weighted-sample.weighted = {
326 # services = [
327 # { name = "foobar"; weight = 42; }
328 # ];
329 # sticky.cookie = {
330 # httpOnly = true;
331 # name = "foobar";
332 # sameSite = "foobar";
333 # secure = true;
334 # };
335 #};
336 };
337 };
338
339 tcp = {
340 routers = {
341 TCPRouter0 = {
342 entryPoints = [ "foobar" "foobar" ];
343 rule = "foobar";
344 service = "foobar";
345 tls = {
346 certResolver = "foobar";
347 domains = [
348 {
349 main = "foobar";
350 sans = [ "foobar" "foobar" ];
351 }
352 {
353 main = "foobar";
354 sans = [ "foobar" "foobar" ];
355 }
356 ];
357 options = "foobar";
358 passthrough = true;
359 };
360 };
361 };
362 services = {
363 ssh.loadBalancer = {
364 servers = [
365 { address = "${hosts.ipv4.zeta}:22"; }
366 ];
367 terminationDelay = 42;
368 };
369 irc.loadBalancer = {
370 servers = [
371 { address = "${hosts.wireguard.delta}:6697"; }
372 ];
373 terminationDelay = 42;
374 };
375 #weighted-sample.weighted = {
376 # services = [
377 # {
378 # name = "foobar";
379 # weight = 42;
380 # }
381 # ];
382 #};
383 };
384 };
385
386 tls = {
387 certificates = [
388 {
389 certFile = "foobar";
390 keyFile = "foobar";
391 stores = [ "foobar" "foobar" ];
392 }
393 {
394 certFile = "foobar";
395 keyFile = "foobar";
396 stores = [ "foobar" "foobar" ];
397 }
398 ];
399 options = {
400 Options0 = {
401 cipherSuites = [ "foobar" "foobar" ];
402 clientAuth = {
403 caFiles = [ "foobar" "foobar" ];
404 clientAuthType = "foobar";
405 };
406 curvePreferences = [ "foobar" "foobar" ];
407 maxVersion = "foobar";
408 minVersion = "foobar";
409 preferServerCipherSuites = true;
410 sniStrict = true;
411 };
412 Options1 = {
413 cipherSuites = [ "foobar" "foobar" ];
414 clientAuth = {
415 caFiles = [ "foobar" "foobar" ];
416 clientAuthType = "foobar";
417 };
418 curvePreferences = [ "foobar" "foobar" ];
419 maxVersion = "foobar";
420 minVersion = "foobar";
421 preferServerCipherSuites = true;
422 sniStrict = true;
423 };
424 };
425 stores = {
426 Store0 = {
427 defaultCertificate = {
428 certFile = "foobar";
429 keyFile = "foobar";
430 };
431 };
432 Store1 = {
433 defaultCertificate = {
434 certFile = "foobar";
435 keyFile = "foobar";
436 };
437 };
438 };
439 };
440
441 udp = {
442 routers = {
443 UDPRouter0 = {
444 entryPoints = [ "foobar" "foobar" ];
445 service = "foobar";
446 };
447 UDPRouter1 = {
448 entryPoints = [ "foobar" "foobar" ];
449 service = "foobar";
450 };
451 };
452 services = {
453 UDPService01 = {
454 loadBalancer = {
455 servers = [ { address = "foobar"; } { address = "foobar"; } ];
456 };
457 };
458 UDPService02 = {
459 weighted = {
460 services = [
461 {
462 name = "foobar";
463 weight = 42;
464 }
465 {
466 name = "foobar";
467 weight = 42;
468 }
469 ];
470 };
471 };
472 };
473 };
474 };
475
476 staticConfigOptions = {
477 global = {
478 checkNewVersion = false;
479 sendAnonymousUsage = false;
480 };
481
482 serversTransport = {
483 insecureSkipVerify = true;
484 rootCAs = [ ];
485 maxIdleConnsPerHost = 7;
486 forwardingTimeouts = {
487 dialTimeout = 30;
488 responseHeaderTimeout = 600;
489 idleConnTimeout = 90;
490 };
491 };
492
493 entryPoints = {
494 http = {
495 address = ":80/tcp";
496 };
497 https = {
498 address = ":443/tcp";
499 forwardedHeaders = {
500 insecure = true;
501 trustedIPs = [ "127.0.0.1" "${hosts.wireguard.zeta}/8" ];
502 };
503 http = {
504 #middlewares = [ "auth@file" "strip@file" ];
505 #tls = {
506 # certResolver = "foobar";
507 # domains = [
508 # {
509 # main = "foobar";
510 # sans = [ "foobar" "foobar" ];
511 # }
512 # {
513 # main = "foobar";
514 # sans = [ "foobar" "foobar" ];
515 # }
516 # ];
517 # options = "foobar";
518 #};
519 };
520 proxyProtocol = {
521 insecure = true;
522 trustedIPs = [ "127.0.0.1" "${hosts.wireguard.zeta}/8" ];
523 };
524 transport = {
525 lifeCycle = {
526 requestAcceptGraceTimeout = 0;
527 graceTimeOut = 5;
528 };
529 respondingTimeouts = {
530 readTimeout = 0;
531 writeTimeout = 0;
532 idleTimeout = 180;
533 };
534 };
535 };
536 streaming = {
537 address = ":1704/udp";
538 };
539 };
540
541 providers = {
542 providersThrottleDuration = 10;
543
544 docker.exposedByDefault = false;
545 file = {
546 debugLogGeneratedTemplate = true;
547 #directory = "foobar";
548 #filename = "foobar";
549 watch = true;
550 };
551 };
552
553 api = {
554 dashboard = true;
555 debug = true;
556 insecure = true;
557 };
558
559 ping = {
560 manualRouting = true;
561 };
562
563 accessLog = {
564 filePath = "/var/log/access";
565 format = "json";
566 bufferingSize = 100;
567 };
568 };
569 };
570 }
0 { config, lib, ... }:
0 { config, lib, hosts, ... }:
11
22 let
33 network = 24;
4 hosts = {
4 peers = {
55 zeta = {
6 ip = "10.0.0.1";
6 ip = hosts.wireguard.zeta;
77
88 # Note: Wireguard won't retry DNS resolution if it fails
9 endpoint = "163.172.7.233";
9 endpoint = hosts.ipv4.zeta;
1010 port = 51820;
1111 publicKey = "WbZqPcgSxWf+mNsWVbS+0JylysN9FKrRG9783wn1JAg=";
1212 };
1313
1414 theta = {
15 ip = "10.0.0.2";
15 ip = hosts.wireguard.theta;
1616 #endpoint = "0.0.0.0";
1717 port = 51820;
1818 publicKey = "Itld9S83/URY8CR1ZsIfYRGK74/T0O5YbsHWcNpn2gE=";
1919 };
2020
2121 delta = {
22 ip = "10.0.0.3";
22 ip = hosts.wireguard.delta;
2323 #endpoint = "0.0.0.0";
2424 port = 51820;
2525 publicKey = "Y/SRDGEQfFLUGqx6vMnO1pxHs9zn//NpwdSGQ2Sm+Dg=";
2626 };
2727
2828 mu = {
29 ip = "10.0.0.4";
29 ip = hosts.wireguard.mu;
3030 endpoint = "192.168.0.19";
3131 port = 51820;
3232 publicKey = "0000000000000000000000000000000000000000000=";
3333 };
3434
3535 nu = {
36 ip = "10.0.0.5";
36 ip = hosts.wireguard.nu;
3737 endpoint = "192.168.0.15";
3838 port = 51820;
3939 publicKey = "0000000000000000000000000000000000000000000=";
4040 };
4141 };
4242
43 currentHost = hosts."${config.networking.hostName}";
44 peerable = from: to: (from != to) && (hosts."${to}" ? "publicKey");
43 currentPeer = peers."${config.networking.hostName}";
44 peerable = from: to: (from != to) && (peers."${to}" ? "publicKey");
4545 in {
4646 networking.firewall.allowedUDPPorts =
47 lib.mkIf (currentHost ? "port") [ currentHost.port ];
47 lib.mkIf (currentPeer ? "port") [ currentPeer.port ];
4848
4949 networking.wg-quick = { };
5050
5151 networking.wireguard = {
5252 enable = true;
5353 interfaces.wg0 = {
54 ips = [ "${currentHost.ip}/${toString network}" ];
54 ips = [ "${currentPeer.ip}/${toString network}" ];
5555 privateKeyFile = "/etc/wireguard/private.key";
5656 generatePrivateKeyFile = true;
57 listenPort = currentHost.port or null;
57 listenPort = currentPeer.port or null;
5858
5959 peers = lib.mapAttrsToList (hostname: hostcfg: {
6060 inherit (hostcfg) publicKey;
6464 persistentKeepalive = 60;
6565 })) (lib.filterAttrs (hostname: _:
6666 peerable config.networking.hostName hostname
67 ) hosts);
67 ) peers);
6868 };
6969 };
7070 }
Binary diff not shown