gitea container, traefik cleanup and sops

2025-04-24 14:44:47 -05:00
parent 1af719c1e2
commit ebf15f5582
5 changed files with 190 additions and 80 deletions
--- a/hosts/nas/apps/traefik/default.nix
+++ b/hosts/nas/apps/traefik/default.nix
@@ -2,6 +2,7 @@
 let
  domain = "mjallen.dev";

+  # Forward services
  authUrl = "http://10.0.1.18:9000/outpost.goauthentik.io";
  authentikUrl = "http://10.0.1.18:9000";
  onlyofficeUrl = "http://10.0.2.18:9980";
@@ -12,34 +13,87 @@ let
  openWebUIUrl = "http://10.0.1.18:8888";
  paperlessUrl = "http://10.0.1.20:28981";
  cacheUrl = "http://10.0.1.18:5000";
-  giteaUrl = "http://10.0.1.18:3000";
+  giteaUrl = "http://10.0.4.18:3000";
  actualUrl = "http://10.0.3.18:3333";
  lubeloggerUrl = "http://10.0.1.18:6754";
+
+  # Plugins
+  traefikPlugins = {
+    bouncer = {
+      moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
+      version = "v1.4.2";
+    };
+    geoblock = {
+      moduleName = "github.com/PascalMinder/geoblock";
+      version = "v0.2.5";
+    };
+  };
+
+  crowdsecAppsecHost = "10.0.1.18:7422";
+  crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path;
+
+  # Ports
+  httpPort = 80;
+  httpsPort = 443;
+  traefikPort = 8080;
+  metricsPort = 8082;
+
+  forwardPorts = [
+      httpPort
+      httpsPort
+      traefikPort
+      metricsPort
+  ];
+
+  # misc
+  letsEncryptEmail = "jalle008@proton.me";
+  dataDir = "/media/nas/ssd/nix-app-data/traefik";
+  authentikAddress = "http://10.0.1.18:9000/outpost.goauthentik.io/auth/traefik";
+  group = [ config.users.users.nix-apps.group.name ];
 in
 {
+  sops = {
+    secrets = {
+      "jallen-nas/traefik/crowdsec-lapi-key" = {
+        owner = config.users.users.traefik.name;
+        group = config.users.users.traefik.group;
+        restartUnits = [ "traefik.service" ];
+      };
+      "jallen-nas/traefik/cloudflare-dns-api-token" = { };
+      "jallen-nas/traefik/cloudflare-zone-api-token" = { };
+      "jallen-nas/traefik/cloudflare-api-key" = { };
+      "jallen-nas/traefik/cloudflare-email" = { };
+    };
+    templates = {
+      "traefik.env" = {
+        content = ''
+          CLOUDFLARE_DNS_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
+          CLOUDFLARE_ZONE_API_TOKEN =  ${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
+          CLOUDFLARE_API_KEY =  ${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
+          CLOUDFLARE_EMAIL =  ${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
+        '';
+        owner = config.users.users.traefik.name;
+        group = config.users.users.traefik.group;
+        restartUnits = [ "traefik.service" ];
+      };
+    };
+  };
+
  networking.firewall = {
-    allowedTCPPorts = [
-      80
-      443
-      8080
-    ];
-    allowedUDPPorts = [
-      80
-      443
-      8080
-    ];
+    allowedTCPPorts = forwardPorts;
+    allowedUDPPorts = forwardPorts;
  };

  services.traefik = {
    enable = true;
-    dataDir = "/media/nas/ssd/nix-app-data/traefik";
-    group = "jallen-nas";
+    dataDir = dataDir;
+    group = "jallen-nas";#group;
    environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops

    staticConfigOptions = {
      entryPoints = {
        web = {
-          address = ":80";
+          address = ":${toString httpPort}";
          asDefault = true;
          http.redirections.entrypoint = {
            to = "websecure";
@@ -48,13 +102,13 @@ in
        };

        websecure = {
-          address = ":443";
+          address = ":${toString httpsPort}";
          asDefault = true;
          http.tls.certResolver = "letsencrypt";
        };

        metrics = {
-          address = ":8082"; # Port for metrics
+          address = ":${toString metricsPort}"; # Port for metrics
        };
      };

@@ -72,7 +126,7 @@ in
      };

      certificatesResolvers.letsencrypt.acme = {
-        email = "jalle008@proton.me";
+        email = letsEncryptEmail;
        storage = "${config.services.traefik.dataDir}/acme.json";
        dnsChallenge = {
          provider = "cloudflare";
@@ -88,16 +142,7 @@ in
      api.insecure = true;

      experimental = {
-        plugins = {
-          bouncer = {
-            moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
-            version = "v1.4.2";
-          };
-          geoblock = {
-            moduleName = "github.com/PascalMinder/geoblock";
-            version = "v0.2.5";
-          };
-        };
+        plugins = traefikPlugins;
      };
    };

@@ -107,7 +152,7 @@ in
          authentik = {
            forwardAuth = {
              tls.insecureSkipVerify = true;
-              address = "http://10.0.1.18:9000/outpost.goauthentik.io/auth/traefik";
+              address = authentikAddress;
              trustForwardHeader = true;
              authResponseHeaders = [
                "X-authentik-username"
@@ -133,10 +178,10 @@ in
            plugin = {
              bouncer = {
                crowdsecAppsecEnabled = true;
-                crowdsecAppsecHost = "10.0.1.18:7422";
+                crowdsecAppsecHost = crowdsecAppsecHost;
                crowdsecAppsecFailureBlock = true;
                crowdsecAppsecUnreachableBlock = true;
-                crowdsecLapiKey = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE";
+                crowdsecLapiKeyFile = crowdsecLapiKeyFile;
              };
            };
          };