dev.fron.io rc / ce63bc3
traefik: complete profile Tony Olagbaiye 1 year, 7 months ago
3 changed file(s) with 111 addition(s) and 106 deletion(s).
2222 certs = genAttrs (builtins.attrValues domains) mkCertFor;
2323 };
2424
25 systemd.services.haproxy.serviceConfig = {
25 systemd.services.haproxy.serviceConfig = lib.mkIf config.services.haproxy.enable {
2626 SupplementaryGroups = "keys";
2727 };
2828 }
0 { config, pkgs, domains, ... }:
0 { config, lib, pkgs, domains, hosts, ... }:
11
22 {
3 systemd.services.traefik.serviceConfig.LimitNPROC = lib.mkForce null; # Ridiculous and broken
4 users.users.traefik.extraGroups = [ "keys" ]; # For acme certificates
5
36 services.traefik = {
47 enable = true;
58
69 dynamicConfigOptions = {
710 http = {
8 routers = {
11 routers = rec {
912 ping = {
1013 entryPoints = [ "http" "https" ];
1114 rule = "Host(`ping.${domains.home}`)";
1518 entryPoints = [ "http" "https" ];
1619 rule = "Host(`traefik.${domains.home}`)";
1720 service = "api@internal";
18 middlewares = [ "auth" ];
19 tls = {
20 domains = [
21 {
22 main = "foobar";
23 sans = [ "foobar" "foobar" ];
24 }
25 {
26 main = "foobar";
27 sans = [ "foobar" "foobar" ];
28 }
29 ];
30 options = "foobar";
31 };
21 #middlewares = [ "auth" ];
22 #tls = {
23 # domains = [
24 # {
25 # main = "foobar";
26 # sans = [ "foobar" "foobar" ];
27 # }
28 # {
29 # main = "foobar";
30 # sans = [ "foobar" "foobar" ];
31 # }
32 # ];
33 # options = "foobar";
34 #};
3235 };
3336 auth-request = {
3437 entryPoints = [ "http" "https" ];
5558 rule = "Host(`gpx.${domains.home}`)";
5659 service = "gpx";
5760 };
58 mastodon = {
59 entryPoints = [ "http" "https" ];
60 rule = "Host(`mastodon.${domains.home}`)";
61 mastodon-http = {
62 entryPoints = [ "http" ];
63 rule = "Host(`u.${domains.srvc}`)";
6164 service = "mastodon";
6265 };
63 construct = {
64 entryPoints = [ "http" "https" ];
65 rule = "Host(`construct.${domains.home}`)";
66 mastodon-https = mastodon-http // {
67 entryPoints = [ "https" ];
68 tls.domains = [
69 { main = "u.${domains.srvc}"; }
70 ];
71 };
72 construct-http = {
73 entryPoints = [ "http" ];
74 rule = "Host(`cs.${domains.srvc}`)";
6675 service = "construct";
76 };
77 construct-https = construct-http // {
78 entryPoints = [ "https" "construct" ];
79 tls.domains = [
80 { main = "cs.${domains.srvc}"; }
81 ];
6782 };
6883 certauth = {
6984 entryPoints = [ "http" "https" ];
295310 };
296311
297312 services = {
298 auth-request.loadBalancer = {
313 auth.loadBalancer = {
299314 healthCheck = {
300315 #followRedirects = true;
301316 #headers = {
310325 #timeout = "foobar";
311326 };
312327 passHostHeader = true;
313 responseForwarding = { flushInterval = 100; };
328 responseForwarding = { flushInterval = "100ms"; };
314329 servers = [
315330 { url = "http://10.1.0.2:4010/auth"; }
316331 ];
342357 };
343358 construct.loadBalancer = {
344359 servers = [
345 { url = "http://10.7.0.2:4004"; }
360 { url = "https://10.7.0.2:4004"; }
346361 ];
347362 };
348363 certauth.loadBalancer = {
373388
374389 tcp = {
375390 routers = {
376 ssh = {
377 entryPoints = [ "ssh" ];
378 service = "ssh";
379 tls = {
380 passthrough = true;
381 };
382 };
383 irc = {
384 entryPoints = [ "ircs" ];
385 service = "irc";
386 tls = {
387 passthrough = true;
388 };
389 };
391 #ssh = {
392 # entryPoints = [ "ssh" ];
393 # service = "ssh";
394 # tls = {
395 # passthrough = true;
396 # };
397 #};
398 #irc = {
399 # entryPoints = [ "ircs" ];
400 # service = "irc";
401 # tls = {
402 # passthrough = true;
403 # };
404 #};
390405 };
391406 services = {
392407 ssh.loadBalancer = {
446461 };
447462 };
448463
449 tls = {
450 certificates = [
451 {
452 certFile = "foobar";
453 keyFile = "foobar";
454 stores = [ "foobar" "foobar" ];
455 }
456 {
457 certFile = "foobar";
458 keyFile = "foobar";
459 stores = [ "foobar" "foobar" ];
460 }
461 ];
464 tls = with config.security.acme; {
465 certificates = lib.mapAttrsToList (_: { directory, ... }: {
466 certFile = "${directory}/cert.pem";
467 keyFile = "${directory}/key.pem";
468 #stores = [ "default" ];
469 }) certs;
462470 options = {
463 Options0 = {
464 cipherSuites = [ "foobar" "foobar" ];
471 default = {
472 #minVersion = "VersionTLS12";
473 #maxVersion = "VersionTLS13";
474 #cipherSuites = [ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" ];
475 #curvePreferences = [ "CurveP521", "CurveP384" ];
476 #sniStrict = true;
477 #preferServerCipherSuites = true;
465478 clientAuth = {
466 caFiles = [ "foobar" "foobar" ];
467 clientAuthType = "foobar";
479 clientAuthType = "RequestClientCert";
480 #caFiles = [ "clientCA.crt" ]; # PEM files
468481 };
469 curvePreferences = [ "foobar" "foobar" ];
470 maxVersion = "foobar";
471 minVersion = "foobar";
472 preferServerCipherSuites = true;
473 sniStrict = true;
474 };
475 Options1 = {
476 cipherSuites = [ "foobar" "foobar" ];
477 clientAuth = {
478 caFiles = [ "foobar" "foobar" ];
479 clientAuthType = "foobar";
480 };
481 curvePreferences = [ "foobar" "foobar" ];
482 maxVersion = "foobar";
483 minVersion = "foobar";
484 preferServerCipherSuites = true;
485 sniStrict = true;
486 };
482 };
483 #hardened = {
484 # cipherSuites = [ "foobar" "foobar" ];
485 # clientAuth = {
486 # caFiles = [ "foobar" "foobar" ];
487 # clientAuthType = "foobar";
488 # };
489 # curvePreferences = [ "foobar" "foobar" ];
490 # maxVersion = "foobar";
491 # minVersion = "foobar";
492 # preferServerCipherSuites = true;
493 # sniStrict = true;
494 #};
487495 };
488496 stores = {
489 Store0 = {
490 defaultCertificate = {
491 certFile = "foobar";
492 keyFile = "foobar";
493 };
494 };
495 Store1 = {
496 defaultCertificate = {
497 certFile = "foobar";
498 keyFile = "foobar";
499 };
497 default = {
498 #defaultCertificate = {
499 # certFile = "foobar";
500 # keyFile = "foobar";
501 #};
500502 };
501503 };
502504 };
529531 insecure = true;
530532 trustedIPs = [ "127.0.0.1" "${hosts.wireguard.zeta}/8" ];
531533 };
532 http = {
533 #middlewares = [ "auth@file" "strip@file" ];
534 #tls = {
535 # certResolver = "foobar";
536 # domains = [
537 # {
538 # main = "foobar";
539 # sans = [ "foobar" "foobar" ];
540 # }
541 # {
542 # main = "foobar";
543 # sans = [ "foobar" "foobar" ];
544 # }
545 # ];
546 # options = "foobar";
547 #};
548 };
534 #http = {
535 # #middlewares = [ "auth@file" "strip@file" ];
536 # #tls = {
537 # # certResolver = "foobar";
538 # # domains = [
539 # # {
540 # # main = "foobar";
541 # # sans = [ "foobar" "foobar" ];
542 # # }
543 # # {
544 # # main = "foobar";
545 # # sans = [ "foobar" "foobar" ];
546 # # }
547 # # ];
548 # # options = "foobar";
549 # #};
550 #};
549551 proxyProtocol = {
550552 insecure = true;
551553 trustedIPs = [ "127.0.0.1" "${hosts.wireguard.zeta}/8" ];
562564 };
563565 };
564566 };
565 ssh = {
566 address = ":22/tcp";
567 #ssh = {
568 # address = "${hosts.ipv4.zeta}:22/tcp";
569 #};
570 construct = {
571 address = ":4004/tcp";
567572 };
568573 irc = {
569574 address = ":6667/tcp";
576581 providers = {
577582 providersThrottleDuration = 10;
578583
579 docker.exposedByDefault = false;
584 #docker.exposedByDefault = false;
580585 file = {
581586 debugLogGeneratedTemplate = true;
582587 #directory = "foobar";