mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

nixfmt

Browse Source
This commit is contained in:
mjallen18
2025-07-24 11:06:08 -05:00
parent f05972d6ae
commit 3d213c8769
164 changed files with 1777 additions and 1257 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
modules/nixos/traefik/default.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, namespace, ... }:
{
config,
lib,
namespace,
...
}:
with lib;
let
cfg = config.${namespace}.services.traefik;
@@ -45,10 +50,10 @@ let
metricsPort = 8082;
forwardPorts = [
httpPort
httpsPort
traefikPort
metricsPort
httpPort
httpsPort
traefikPort
metricsPort
];
# misc
@@ -57,7 +62,7 @@ let
authentikAddress = "http://${serverIp}:9000/outpost.goauthentik.io/auth/traefik";
in
{
imports = [ ./options.nix ];
imports = [ ./options.nix ];
config = mkIf cfg.enable {
sops = {
@@ -76,7 +81,9 @@ in
"traefik.env" = {
content = ''
CLOUDFLARE_DNS_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
CLOUDFLARE_ZONE_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
CLOUDFLARE_ZONE_API_TOKEN = ${
config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"
}
CLOUDFLARE_API_KEY = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
CLOUDFLARE_EMAIL = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
'';
@@ -95,7 +102,7 @@ in
services.traefik = {
enable = true;
dataDir = dataDir;
group = "jallen-nas";#group;
group = "jallen-nas"; # group;
environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops
staticConfigOptions = {
@@ -129,7 +136,12 @@ in
entryPoint = "metrics";
addEntryPointsLabels = true;
addServicesLabels = true;
buckets = [0.1 0.3 1.2 5.0]; # Response time buckets
buckets = [
0.1
0.3
1.2
5.0
]; # Response time buckets
};
};
@@ -215,8 +227,7 @@ in
};
};
};
internal-ipallowlist =
{
internal-ipallowlist = {
ipAllowList = {
sourceRange = [
"127.0.0.1/32"
@@ -305,7 +316,10 @@ in
entryPoints = [ "websecure" ];
rule = "HostRegexp(`{subdomain:[a-z]+}.mjallen.dev`) && PathPrefix(`/outpost.goauthentik.io/`)";
service = "auth";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
priority = 15;
tls.certResolver = "letsencrypt";
};
@@ -314,21 +328,30 @@ in
entryPoints = [ "websecure" ];
rule = "Host(`actual.${domain}`)";
service = "actual";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
authentik = {
entryPoints = [ "websecure" ];
rule = "Host(`authentik.${domain}`)";
service = "authentik";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
cache = {
entryPoints = [ "websecure" ];
rule = "Host(`cache.${domain}`)";
service = "cache";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
priority = 10;
tls.certResolver = "letsencrypt";
};
@@ -336,21 +359,31 @@ in
entryPoints = [ "websecure" ];
rule = "Host(`cloud.${domain}`)";
service = "cloud";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
gitea = {
entryPoints = [ "websecure" ];
rule = "Host(`gitea.${domain}`)";
service = "gitea";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
hass = {
entryPoints = [ "websecure" ];
rule = "Host(`hass.${domain}`)";
service = "hass";
middlewares = [ "crowdsec" "whitelist-geoblock" "authentik" ];
middlewares = [
"crowdsec"
"whitelist-geoblock"
"authentik"
];
priority = 10;
tls.certResolver = "letsencrypt";
};
@@ -358,35 +391,51 @@ in
entryPoints = [ "websecure" ];
rule = "Host(`immich.${domain}`)";
service = "immich";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
jellyfin = {
entryPoints = [ "websecure" ];
rule = "Host(`jellyfin.${domain}`)";
service = "jellyfin";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
jellyseerr = {
entryPoints = [ "websecure" ];
rule = "Host(`jellyseerr.${domain}`)";
service = "jellyseerr";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
lubelogger = {
entryPoints = [ "websecure" ];
rule = "Host(`lubelogger.${domain}`)";
service = "lubelogger";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
onlyoffice = {
entryPoints = [ "websecure" ];
rule = "Host(`office.${domain}`)";
service = "onlyoffice";
middlewares = [ "crowdsec" "whitelist-geoblock" "onlyoffice-websocket" ];
middlewares = [
"crowdsec"
"whitelist-geoblock"
"onlyoffice-websocket"
];
tls.certResolver = "letsencrypt";
};
};

2
modules/nixos/traefik/options.nix
View File

@@ -4,4 +4,4 @@ with lib;
options.${namespace}.services.traefik = {
enable = mkEnableOption "enable traefik";
};
}
}