Add traefik

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-06 08:58:00 +00:00
parent b0bc3b5184
commit 98a44e8bf6
9 changed files with 161 additions and 179 deletions


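--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,128 @@
+{
+user ? throw "user argument is required",
+home ? throw "home argument is required",
+}:
+{ config, pkgs, ... }:
+let
+hmConfig = config.home-manager.users.${user};
+inherit (hmConfig.virtualisation.quadlet) networks volumes containers;
+in
+{
+boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 0;
+networking.firewall.allowedTCPPorts = [
+80
+443
+# TODO: Remove
+8080
+];
+home-manager.users.${user} = {
+sops = {
+secrets."cloudflare/letsencrypt".sopsFile = ../../../../../../../../secrets/personal/secrets.yaml;
+templates."traefik.env".content = ''
+CF_DNS_API_TOKEN=${hmConfig.sops.placeholder."cloudflare/letsencrypt"}
+'';
+};
+virtualisation.quadlet = {
+networks.traefik.networkConfig = {
+internal = true;
+subnets = [ "10.89.0.0/16" ];
+gateways = [ "10.89.0.1" ];
+};
+volumes.letsencrypt.volumeConfig = { };
+containers.traefik = {
+containerConfig = {
+autoUpdate = "registry";
+image = "docker.io/library/traefik:latest";
+exec = [
+# TODO: Secure
+"--api.insecure=true"
+"--api.dashboard=true"
+"--api.disabledashboardad=true"
+"--providers.docker=true"
+"--providers.docker.exposedbydefault=false"
+"--entryPoints.web.address=:80"
+"--entrypoints.web.http.redirections.entryPoint.to=websecure"
+"--entrypoints.web.http.redirections.entryPoint.scheme=https"
+"--entrypoints.web.forwardedHeaders.insecure=true"
+"--entryPoints.websecure.address=:443"
+"--entrypoints.websecure.http.tls=true"
+"--entrypoints.websecure.http.tls.domains[0].main=karaolidis.com"
+"--entrypoints.websecure.http.tls.domains[0].sans=*.karaolidis.com"
+"--entrypoints.websecure.http.tls.domains[1].main=krlds.com"
+"--entrypoints.websecure.http.tls.domains[1].sans=*.krlds.com"
+"--entrypoints.websecure.forwardedHeaders.insecure=true"
+"--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
+"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
+"--certificatesresolvers.letsencrypt.acme.email=nick@karaolidis.com"
+"--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
+];
+networks = [ networks.traefik.ref ];
+# TODO: Remove
+publishPorts = [
+"0.0.0.0:8080:8080"
+];
+volumes = [
+"/run/user/${
+builtins.toString config.users.users.${user}.uid
+}/podman/podman.sock:/var/run/docker.sock"
+"${volumes.letsencrypt.ref}:/letsencrypt"
+];
+environmentFiles = [ hmConfig.sops.templates."traefik.env".path ];
+};
+serviceConfig.Sockets = [
+"traefik-http.socket"
+"traefik-https.socket"
+];
+unitConfig = {
+After = [
+"traefik-http.socket"
+"traefik-https.socket"
+];
+Requires = [
+"traefik-http.socket"
+"traefik-https.socket"
+];
+};
+};
+};
+# https://github.com/eriksjolund/podman-traefik-socket-activation
+systemd.user.sockets = {
+"traefik-http" = {
+Socket = {
+ListenStream = "0.0.0.0:80";
+FileDescriptorName = "web";
+Service = "${containers.traefik._serviceName}.service";
+};
+Install = {
+WantedBy = [ "sockets.target" ];
+};
+};
+"traefik-https" = {
+Socket = {
+ListenStream = "0.0.0.0:443";
+FileDescriptorName = "websecure";
+Service = "${containers.traefik._serviceName}.service";
+};
+Install = {
+WantedBy = [ "sockets.target" ];
+};
+};
+};
+};
+}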
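Review bot: Both the web and websecure entrypoints set `forwardedHeaders.insecure=true`, so any client reaching :80/:443 directly can supply X-Forwarded-For / X-Forwarded-Proto and every backend routed by Traefik will see a spoofed client address and scheme, which matters for anything doing IP allow-listing or rate limiting behind it. If an upstream proxy is expected, trust only it with `"--entrypoints.web.forwardedHeaders.trustedIPs=<upstream-proxy CIDRs>"` and the matching websecure flag; if Traefik is the edge, drop both flags. The `--api.insecure=true` line and the 0.0.0.0:8080 publish plus its firewall entry are already marked TODO, but until they go the API and dashboard are reachable unauthenticated from every network the host sits on; exposing the dashboard through websecure behind an auth middleware would let the 8080 publish and firewall rule be removed together. The podman socket bind-mounted at /var/run/docker.sock gives the container full control of the user's rootless podman (a `:ro` mount option does not restrict socket API calls), so a socket proxy that only permits the read-only endpoints the docker provider needs would shrink that blast radius.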