ready for runners

2025-06-06 23:32:17 +02:00 · 2025-06-06 23:32:17 +02:00 · 7dd5043b5d
commit 7dd5043b5d
parent fc9971ddc9
49 changed files with 2569 additions and 1085 deletions
--- a/nixos/hosts/traefik/traefik.nix
+++ b/nixos/hosts/traefik/traefik.nix
@ -1,158 +1,36 @@
-{ config, lib, pkgs, ... }: {
+{ config, lib, pkgs, ... }:

-  # Traefik reverse proxy setup
+let
+  staticConfig = import ./configuration/static.nix { inherit lib config; };
+  middlewaresConfig = import ./configuration/middlewares.nix { inherit lib config; };
+  routersConfig = import ./configuration/routers.nix { inherit lib config; };
+  servicesConfig = import ./configuration/services.nix { inherit lib config; };
+in
+{
  services.traefik = {
    enable = true;

-    staticConfigOptions = {
-      entryPoints = {
-        web = {
-          address = ":80";
-          asDefault = true;
-          http.redirections.entrypoint = {
-            to = "websecure";
-            scheme = "https";
-          };
-        };
+    # ==== Static Configuration ====
+    staticConfigOptions = staticConfig;

-        websecure = {
-          address = ":443";
-          asDefault = true;
-          http.tls.certResolver = "letsencrypt";
-        };
+    # ==== Dynamic Configuration ====
+    dynamicConfigOptions.http = {
+      routers = routersConfig;
+      services = servicesConfig;
+      middlewares = middlewaresConfig;

-        metrics = {
-          address = ":8082";
+      serversTransports = {
+        insecureTransport = {
+          insecureSkipVerify = true;
        };
      };
-
-      api.dashboard = true;
-      api.insecure = true;
-
-      # Enable Let's Encrypt
-      certificatesResolvers = {
-        letsencrypt = {
-          acme = {
-            email = "david.mikael@proton.me";  # Replace with your email
-            storage = "/var/lib/traefik/acme.json";  # Location to store ACME certificates
-            httpChallenge = {
-              entryPoint = "web";  # Uses HTTP challenge (can also use DNS)
-            };
-            # Uncomment the following for staging (testing) environment
-            # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory";
-          };
-        };
-      };
-
-      # Enable Prometheus metrics
-      metrics = {
-        prometheus = {
-          entryPoint = "metrics";
-        };
-      };
-      log = {
-        level = "DEBUG";
-        filePath = "/var/log/traefik/traefik.log";
-      };
-
-      accessLog = {
-        format = "json";
-        filePath = "/var/log/traefik/access.log";
-      };
-
-      # Enable access logs (you can customize the log format)
-      # accessLog = {
-      #   filePath = "/var/log/traefik/access.log";  # Log to a file
-      #   format = "common";  # You can adjust this to `json` or `common`
-      # };
-      # tracing = {
-      #   enabled = true;
-      #   provider = "jaeger";  # or zipkin, or other
-      #   jaeger = {
-      #     apiURL = "http://localhost:5775";  # Replace with your Jaeger instance URL
-      #   };
-      # };
-    };
-
-    dynamicConfigOptions = {
-      # Add IP whitelisting middleware to restrict access to internal network only
-      http.middlewares = {
-        internal-whitelist = {
-          ipWhiteList = {
-            sourceRange = ["192.168.1.0/24"]; # Adjust to your internal network range
-            # Alternatively use `127.0.0.1/32` for localhost access
-          };
-        };
-      };
-
-      # Route to Proxmox UI
-      http.routers.proxmox = {
-        rule = "Host(`proxmox.procopius.dk`)";
-        service = "proxmox";
-        entryPoints = [ "web" "websecure" ];
-        tls = {
-          certResolver = "letsencrypt";  # Use Let's Encrypt
-        };
-      };
-      # Route to Traefik Dashboard
-      http.routers.traefik = {
-        rule = "Host(`traefik.procopius.dk`)";
-        service = "traefik";
-        entryPoints = [ "web" "websecure" ];
-        middlewares = ["internal-whitelist"];
-        tls = {
-          certResolver = "letsencrypt";  # Use Let's Encrypt
-        };
-      };
-
-      http.routers.forgejo = {
-        rule = "Host(`git.procopius.dk`)";
-        service = "forgejo";
-        entryPoints = [ "web" "websecure" ];
-        tls = {
-          certResolver = "letsencrypt";  # Use Let's Encrypt
-        };
-      };
-
-      # Route to Traefik Dashboard
-      http.routers.catchAll = {
-        # rule = "Host(`jellyfin.procopius.dk`)";
-        rule = "HostRegexp(`.+`)";
-        # rule = "HostRegexp(`{host:.+}`)";
-        service = "nginx";
-        entryPoints = [ "web" "websecure" ];
-        tls = {
-          certResolver = "letsencrypt";  # Use Let's Encrypt
-        };
-      };
-
-
-      # Define the services
-      http.services.proxmox.loadBalancer.servers = [
-        { url = "https://192.168.1.205:8006"; }  # Proxmox
-      ];
-      http.services.proxmox.loadBalancer.serversTransport = "insecureTransport";
-
-
-      http.services.traefik.loadBalancer.servers = [
-        { url = "http://traefik.local:8080"; }  # Traefik Dashboard
-      ];
-
-      http.services.forgejo.loadBalancer.servers = [
-        { url = "http://192.168.1.249:3000"; }  # forgejo
-      ];
-
-      http.services.nginx.loadBalancer.servers = [
-        { url = "https://192.168.1.226:4433"; }  # nginx
-      ];
-      http.services.nginx.loadBalancer.serversTransport = "insecureTransport";
-
-
-      http.serversTransports.insecureTransport.insecureSkipVerify = true;
-
    };
  };

-  # Optionally, you can add Docker support if using Docker Compose
+  systemd.services.traefik.serviceConfig.Environment = [
+    "CLOUDFLARE_DNS_API_TOKEN=gQYyG6cRw-emp_qpsUj9TrkYgoVC1v9UUtv94ozA"
+    "CLOUDFLARE_ZONE_API_TOKEN=gQYyG6cRw-emp_qpsUj9TrkYgoVC1v9UUtv94ozA"
+  ];
+
  virtualisation.docker.enable = true;
 }