dump

2025-11-18 20:00:39 +01:00 · 2025-11-18 20:00:39 +01:00 · 0f49c6c37c
commit 0f49c6c37c
parent 6ba25b90a9
35 changed files with 747 additions and 120 deletions
--- a/nixos/hosts/dns/host.nix
+++ b/nixos/hosts/dns/host.nix
@ -1,6 +1,10 @@
-{ config, pkgs, modulesPath, lib, ... }:
-
 {
+  config,
+  pkgs,
+  modulesPath,
+  lib,
+  ...
+}: {
  imports = [
    ../../templates/base.nix
    ./networking.nix
--- a/nixos/hosts/dns/networking.nix
+++ b/nixos/hosts/dns/networking.nix
@ -2,18 +2,20 @@
  networking.hostName = "dns";
  # networking.useHostResolvConf = false;
  # networking.interfaces.eth0.useDHCP = true;
-  networking.interfaces.eth0.ipv4.addresses = [{
-    address = "192.168.1.53";
-    prefixLength = 24;
-  }];
+  networking.interfaces.eth0.ipv4.addresses = [
+    {
+      address = "192.168.1.53";
+      prefixLength = 24;
+    }
+  ];

  networking.defaultGateway = "192.168.1.1"; # your router
-  networking.nameservers = [ "8.8.8.8" ]; # fallback resolvers
+  networking.nameservers = ["8.8.8.8"]; # fallback resolvers

-  networking.firewall.allowedTCPPorts = [ 53 67 80 443 ];
-  networking.firewall.allowedUDPPorts = [ 53 67 ];
+  networking.firewall.allowedTCPPorts = [53 67 80 443];
+  networking.firewall.allowedUDPPorts = [53 67];

  networking.hosts = {
-    "192.168.1.53" = [ "dns" "dns.lab" ];
+    "192.168.1.53" = ["dns" "dns.lab"];
  };
 }
--- a/nixos/hosts/forgejo-runner/networking.nix
+++ b/nixos/hosts/forgejo-runner/networking.nix
@ -1,4 +1,9 @@
-{ config, lib, pkgs, runnerId, ... }:
 {
+  config,
+  lib,
+  pkgs,
+  runnerId,
+  ...
+}: {
  networking.hostName = "forgejo-runner-${runnerId}";
 }
--- a/nixos/hosts/forgejo-runner/sops.nix
+++ b/nixos/hosts/forgejo-runner/sops.nix
@ -1,5 +1,8 @@
-{ config, lib, ... }:
 {
+  config,
+  lib,
+  ...
+}: {
  sops.secrets."forgejo-runner-registration-token" = {
    sopsFile = ../../secrets/forgejo/runner-secrets.yml;
    mode = "0440";
--- a/nixos/hosts/forgejo/host.nix
+++ b/nixos/hosts/forgejo/host.nix
@ -1,6 +1,10 @@
-{ config, pkgs, modulesPath, lib, ... }:
-
 {
+  config,
+  pkgs,
+  modulesPath,
+  lib,
+  ...
+}: {
  imports = [
    ../../templates/base.nix
    ../../secrets/shared-sops.nix
--- a/nixos/hosts/forgejo/networking.nix
+++ b/nixos/hosts/forgejo/networking.nix
@ -1,4 +1,8 @@
-{ config, lib, pkgs, ... }:
 {
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
  networking.hostName = "forgejo";
 }
--- a/nixos/hosts/monitoring/loki.nix
+++ b/nixos/hosts/monitoring/loki.nix
@ -1,5 +1,5 @@
 {
-  networking.firewall.allowedTCPPorts = [ 3100 ];
+  networking.firewall.allowedTCPPorts = [3100];

  services.loki = {
    enable = true;
--- a/nixos/hosts/monitoring/networking.nix
+++ b/nixos/hosts/monitoring/networking.nix
@ -1,4 +1,8 @@
-{ config, lib, pkgs, ... }:
 {
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
  networking.hostName = "monitor";
 }
--- a/nixos/hosts/traefik/configuration/infra/routers.nix
+++ b/nixos/hosts/traefik/configuration/infra/routers.nix
@ -41,4 +41,11 @@
    entryPoints = ["websecure"];
    tls.certResolver = "letsencrypt";
  };
+
+  caddy = {
+    rule = "PathPrefix(`/`)";
+    service = "caddy";
+    entryPoints = ["web"];
+    priority = 15;
+  };
 }
--- a/nixos/hosts/traefik/configuration/infra/services.nix
+++ b/nixos/hosts/traefik/configuration/infra/services.nix
@ -9,4 +9,6 @@
  proxmox.loadBalancer.serversTransport = "insecureTransport";
  nas.loadBalancer.servers = [{url = "https://192.168.1.226:5001";}];
  nas.loadBalancer.serversTransport = "insecureTransport";
+
+  caddy.loadBalancer.servers = [{url = "http://sandbox.lab:80";}];
 }
--- a/nixos/hosts/traefik/networking.nix
+++ b/nixos/hosts/traefik/networking.nix
@ -1,13 +1,19 @@
-{ config, lib, pkgs, ... }: {
-
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
  networking.hostName = "traefik";
-  networking.interfaces.eth0.ipv4.addresses = [{
-    address = "192.168.1.80";
-    prefixLength = 24;
-  }];
+  networking.interfaces.eth0.ipv4.addresses = [
+    {
+      address = "192.168.1.80";
+      prefixLength = 24;
+    }
+  ];

-  networking.firewall.allowedTCPPorts = [ 80 443 8080 8082 ];
+  networking.firewall.allowedTCPPorts = [80 443 8080 8082];

-  networking.nameservers = [ "192.168.1.53" ];
+  networking.nameservers = ["192.168.1.53"];
  networking.defaultGateway = "192.168.1.1";
 }
--- a/nixos/hosts/traefik/traefik.nix
+++ b/nixos/hosts/traefik/traefik.nix
@ -50,14 +50,41 @@ in {

    staticConfigOptions = staticConfig;

-    dynamicConfigOptions.http = {
-      routers = allRouters;
-      services = allServices;
-      middlewares = middlewares;
+    dynamicConfigOptions = {
+      # HTTP configuration (your existing setup)
+      http = {
+        routers = allRouters;
+        services = allServices;
+        middlewares = middlewares;
+        serversTransports = {
+          insecureTransport = {
+            insecureSkipVerify = true;
+          };
+        };
+      };

-      serversTransports = {
-        insecureTransport = {
-          insecureSkipVerify = true;
+      tcp = {
+        routers = {
+          caddy-fallback = {
+            rule = "HostSNI(`*`)"; # Matches any SNI
+            service = "caddy-tls";
+            entryPoints = ["websecure"];
+            priority = 1; # Lowest priority - only if no HTTP router matches
+            tls = {
+              passthrough = true;
+            };
+          };
+        };
+        services = {
+          caddy-tls = {
+            loadBalancer = {
+              servers = [
+                {
+                  address = "sandbox.lab:443";
+                }
+              ];
+            };
+          };
        };
      };
    };