home lab init

nixos/hosts/traefik/host.nix

@@ -0,0 +1,10 @@
+{ config, pkgs, modulesPath, lib, ... }:
+
+{
+  imports = [
+    ../../templates/base.nix
+    ./networking.nix
+    ./traefik.nix
+    ./promtail.nix
+  ];
+}

nixos/hosts/traefik/networking.nix

@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }: {
+
+  networking = {
+    hostName = "traefik";
+    interfaces.eth0 = {
+      ipv4.addresses = [{
+        address = "192.168.1.171";
+        prefixLength = 24;
+      }];
+    };
+    firewall.allowedTCPPorts = [ 80 443 8080 8082 ];
+
+    defaultGateway = {
+      address = "192.168.1.1";
+      interface = "eth0";
+    };
+  };
+}

nixos/hosts/traefik/promtail.nix

@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+  # This ensures the directory exists at boot, owned by traefik (writer) and readable by promtail.
+  systemd.tmpfiles.rules = [
+    "d /var/log/traefik 0755 traefik promtail -"
+  ];
+
+  services.promtail.configuration.scrape_configs = lib.mkAfter [
+    {
+      job_name = "traefik";
+      static_configs = [
+        {
+          targets = [ "localhost" ];
+          labels = {
+            job = "traefik";
+            host = config.networking.hostName;
+            env = "proxmox";
+            instance = "${config.networking.hostName}.local"; # prometheus scrape target
+            __path__ = "/var/log/traefik/*.log";
+          };
+        }
+      ];
+    }
+  ];
+}

nixos/hosts/traefik/traefik.nix

@@ -0,0 +1,158 @@
+{ config, lib, pkgs, ... }: {
+
+  # Traefik reverse proxy setup
+  services.traefik = {
+    enable = true;
+
+    staticConfigOptions = {
+      entryPoints = {
+        web = {
+          address = ":80";
+          asDefault = true;
+          http.redirections.entrypoint = {
+            to = "websecure";
+            scheme = "https";
+          };
+        };
+
+        websecure = {
+          address = ":443";
+          asDefault = true;
+          http.tls.certResolver = "letsencrypt";
+        };
+
+        metrics = {
+          address = ":8082";
+        };
+      };
+
+      api.dashboard = true;
+      api.insecure = true;
+
+      # Enable Let's Encrypt
+      certificatesResolvers = {
+        letsencrypt = {
+          acme = {
+            email = "david.mikael@proton.me";  # Replace with your email
+            storage = "/var/lib/traefik/acme.json";  # Location to store ACME certificates
+            httpChallenge = {
+              entryPoint = "web";  # Uses HTTP challenge (can also use DNS)
+            };
+            # Uncomment the following for staging (testing) environment
+            # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory";
+          };
+        };
+      };
+
+      # Enable Prometheus metrics
+      metrics = {
+        prometheus = {
+          entryPoint = "metrics";
+        };
+      };
+      log = {
+        level = "DEBUG";
+        filePath = "/var/log/traefik/traefik.log";
+      };
+
+      accessLog = {
+        format = "json";
+        filePath = "/var/log/traefik/access.log";
+      };
+
+      # Enable access logs (you can customize the log format)
+      # accessLog = {
+      #   filePath = "/var/log/traefik/access.log";  # Log to a file
+      #   format = "common";  # You can adjust this to `json` or `common`
+      # };
+      # tracing = {
+      #   enabled = true;
+      #   provider = "jaeger";  # or zipkin, or other
+      #   jaeger = {
+      #     apiURL = "http://localhost:5775";  # Replace with your Jaeger instance URL
+      #   };
+      # };
+    };
+
+    dynamicConfigOptions = {
+      # Add IP whitelisting middleware to restrict access to internal network only
+      http.middlewares = {
+        internal-whitelist = {
+          ipWhiteList = {
+            sourceRange = ["192.168.1.0/24"]; # Adjust to your internal network range
+            # Alternatively use `127.0.0.1/32` for localhost access
+          };
+        };
+      };
+
+      # Route to Proxmox UI
+      http.routers.proxmox = {
+        rule = "Host(`proxmox.procopius.dk`)";
+        service = "proxmox";
+        entryPoints = [ "web" "websecure" ];
+        tls = {
+          certResolver = "letsencrypt";  # Use Let's Encrypt
+        };
+      };
+      # Route to Traefik Dashboard
+      http.routers.traefik = {
+        rule = "Host(`traefik.procopius.dk`)";
+        service = "traefik";
+        entryPoints = [ "web" "websecure" ];
+        middlewares = ["internal-whitelist"];
+        tls = {
+          certResolver = "letsencrypt";  # Use Let's Encrypt
+        };
+      };
+
+      http.routers.forgejo = {
+        rule = "Host(`git.procopius.dk`)";
+        service = "forgejo";
+        entryPoints = [ "web" "websecure" ];
+        tls = {
+          certResolver = "letsencrypt";  # Use Let's Encrypt
+        };
+      };
+
+      # Route to Traefik Dashboard
+      http.routers.catchAll = {
+        # rule = "Host(`jellyfin.procopius.dk`)";
+        rule = "HostRegexp(`.+`)";
+        # rule = "HostRegexp(`{host:.+}`)";
+        service = "nginx";
+        entryPoints = [ "web" "websecure" ];
+        tls = {
+          certResolver = "letsencrypt";  # Use Let's Encrypt
+        };
+      };
+
+
+      # Define the services
+      http.services.proxmox.loadBalancer.servers = [
+        { url = "https://192.168.1.205:8006"; }  # Proxmox
+      ];
+      http.services.proxmox.loadBalancer.serversTransport = "insecureTransport";
+
+
+      http.services.traefik.loadBalancer.servers = [
+        { url = "http://traefik.local:8080"; }  # Traefik Dashboard
+      ];
+
+      http.services.forgejo.loadBalancer.servers = [
+        { url = "http://192.168.1.249:3000"; }  # forgejo
+      ];
+
+      http.services.nginx.loadBalancer.servers = [
+        { url = "https://192.168.1.226:4433"; }  # nginx
+      ];
+      http.services.nginx.loadBalancer.serversTransport = "insecureTransport";
+
+
+      http.serversTransports.insecureTransport.insecureSkipVerify = true;
+
+    };
+  };
+
+  # Optionally, you can add Docker support if using Docker Compose
+  virtualisation.docker.enable = true;
+}