dump

plasmagoat 2025-07-05 11:12:20 +02:00
parent 4ed9ba0d24
commit a90630ecb6
98 changed files with 2063 additions and 729 deletions


@ -0,0 +1,24 @@
{
keycloak = {
rule = "Host(`keycloak.procopius.dk`)";
service = "keycloak";
entryPoints = ["websecure"];
tls.certResolver = "letsencrypt";
};
oauth2proxy = {
rule = "Host(`radarr.procopius.dk`) && PathPrefix(`/oauth2/`)";
service = "oauth2proxy";
entryPoints = ["websecure"];
middlewares = ["auth-headers"];
tls.certResolver = "letsencrypt";
};
oauth2route = {
rule = "Host(`oauth.procopius.dk`)";
service = "oauth2proxy";
entryPoints = ["websecure"];
middlewares = ["auth-headers"];
tls.certResolver = "letsencrypt";
};
}
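Review bot: The `/oauth2/` route to oauth2-proxy in `oauth2proxy` is declared only for `radarr.procopius.dk`, while other sections of this commit attach `oauth-auth` to routers on several other hosts (traefik, proxmox, sonarr, prometheus, alertmanager). If oauth2-proxy is meant to serve its sign-in and callback endpoints on each protected host, those hosts have no matching route; if everything is meant to go through `oauth.procopius.dk`, the radarr-specific router looks redundant. A comment above `oauth2proxy` stating which design is intended, for example `# radarr serves /oauth2/ itself; all other hosts sign in via oauth.procopius.dk`, would make this checkable.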


@ -0,0 +1,5 @@
{
authentik.loadBalancer.servers = [{url = "http://authentik.lab:9000";}];
keycloak.loadBalancer.servers = [{url = "http://keycloak.lab:8080";}];
oauth2proxy.loadBalancer.servers = [{url = "http://localhost:4180";}];
}


@ -0,0 +1,43 @@
{
traefik = {
rule = "Host(`traefik.procopius.dk`)";
service = "traefik";
entryPoints = ["websecure"];
middlewares = ["oauth-auth"];
tls.certResolver = "letsencrypt";
};
mail-acme = {
rule = "Host(`mail.procopius.dk`) && PathPrefix(`/.well-known/acme-challenge/`)";
service = "mail-acme";
entryPoints = ["web"];
priority = 1000;
middlewares = [];
};
forgejo = {
rule = "Host(`git.procopius.dk`)";
service = "forgejo";
entryPoints = ["websecure"];
tls.certResolver = "letsencrypt";
};
proxmox = {
rule = "Host(`proxmox.procopius.dk`)";
service = "proxmox";
entryPoints = ["websecure"];
middlewares = ["oauth-auth"];
tls.certResolver = "letsencrypt";
};
nas = {
rule = "Host(`nas.procopius.dk`)";
service = "nas";
entryPoints = ["websecure"];
tls.certResolver = "letsencrypt";
};
catchAll = {
rule = "HostRegexp(`.+`)";
service = "nginx";
entryPoints = ["websecure"];
tls.certResolver = "letsencrypt";
};
}
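Review bot: `traefik` and `proxmox` are guarded by `oauth-auth` alone, which as defined in this commit calls oauth2-proxy with no group restriction, so any account able to sign in reaches the Traefik dashboard and the Proxmox UI wherever `websecure` is reachable. The removed routers file restricted `traefik` with `internal-whitelist`, and the `restrict-admin` middleware added in this commit is applied only to radarr. For these two admin surfaces consider `middlewares = ["oauth-auth" "restrict-admin"];`. `nas` and `catchAll` carry no middleware at all, which matches the removed file but deserves a comment if intentional.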


@ -0,0 +1,13 @@
{
traefik.loadBalancer.servers = [{url = "http://localhost:8080";}];
mail-acme.loadBalancer.servers = [{url = "http://mail.lab:80";}];
forgejo.loadBalancer.servers = [{url = "http://forgejo.lab:3000";}];
proxmox.loadBalancer.servers = [{url = "https://192.168.1.205:8006";}];
proxmox.loadBalancer.serversTransport = "insecureTransport";
nas.loadBalancer.servers = [{url = "https://192.168.1.226:5001";}];
nas.loadBalancer.serversTransport = "insecureTransport";
nginx.loadBalancer.servers = [{url = "https://192.168.1.226:4433";}];
nginx.loadBalancer.serversTransport = "insecureTransport";
}
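Review bot: `proxmox`, `nas` and `nginx` all set `serversTransport = "insecureTransport"`, whose definition is not on this page but whose name suggests backend certificate verification is switched off. With verification off Traefik cannot distinguish the real Proxmox or NAS from another host answering on that address, and these hops carry administrative sessions. Consider a transport that trusts the backends' CA through `rootCAs` (with `serverName` set, since the URLs are IP addresses) instead of skipping verification. If self-signed certificates make that impractical for now, a comment such as `# TODO: replace insecureTransport with a CA-pinned transport` records the debt.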


@ -0,0 +1,35 @@
{
jellyfin = {
rule = "Host(`jellyfin.procopius.dk`)";
service = "jellyfin";
entryPoints = ["websecure"];
tls.certResolver = "letsencrypt";
};
radarr = {
rule = "Host(`radarr.procopius.dk`)";
service = "radarr";
entryPoints = ["websecure"];
middlewares = [
"oauth-auth"
"restrict-admin"
];
tls.certResolver = "letsencrypt";
};
sonarr = {
rule = "Host(`sonarr.procopius.dk`)";
service = "sonarr";
entryPoints = ["websecure"];
middlewares = ["oauth-auth"];
tls.certResolver = "letsencrypt";
};
jellyseerr = {
rule = "Host(`jellyseerr.procopius.dk`)";
service = "jellyseerr";
entryPoints = ["websecure"];
# middlewares = ["oauth-auth"];
tls.certResolver = "letsencrypt";
};
}
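Review bot: `sonarr` gets only `oauth-auth` while `radarr`, an equivalent admin tool, also gets `restrict-admin`, so any signed-in account can reach Sonarr but only `role:admin` members can reach Radarr. If that asymmetry is not deliberate, use `middlewares = ["oauth-auth" "restrict-admin"];` on `sonarr` as well. The commented-out `# middlewares = ["oauth-auth"];` on `jellyseerr` leaves that router without proxy-level authentication. Replace it with a comment saying why, for example `# no forwardAuth: Jellyseerr handles its own login`, or enable it.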


@ -0,0 +1,6 @@
{
jellyfin.loadBalancer.servers = [{url = "http://media.lab:8096";}];
radarr.loadBalancer.servers = [{url = "http://media.lab:7878";}];
sonarr.loadBalancer.servers = [{url = "http://media.lab:8989";}];
jellyseerr.loadBalancer.servers = [{url = "http://media.lab:5055";}];
}


@ -1,10 +1,43 @@
{ lib, config, ... }:
let
internalNetwork = "192.168.1.0/24";
in
{
in {
internal-whitelist = {
ipWhiteList.sourceRange = [ internalNetwork ];
ipWhiteList.sourceRange = [internalNetwork];
};
auth-headers = {
headers = {
sslRedirect = true;
stsSeconds = 315360000;
browserXssFilter = true;
contentTypeNosniff = true;
forceSTSHeader = true;
sslHost = "procopius.dk";
stsIncludeSubdomains = true;
stsPreload = true;
frameDeny = true;
};
};
oauth-auth = {
forwardAuth = {
address = "http://localhost:4180/";
trustForwardHeader = true;
authResponseHeaders = [
"Authorization"
"X-Auth-Request-Access-Token"
"X-Auth-Request-User"
"X-Auth-Request-Email"
"X-Auth-Request-Preferred-Username" # Recommended
"X-Auth-Request-Access-Token" # If you want to pass the token
"X-Auth-Request-Groups" # If you configured a mapper in Keycloak to emit groups
];
};
};
restrict-admin = {
forwardAuth = {
address = "http://localhost:4180/oauth2/auth?allowed_groups=role:admin";
};
};
}
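Review bot: `trustForwardHeader = true` in `oauth-auth` makes Traefik pass on whatever `X-Forwarded-*` headers the client supplied to oauth2-proxy, which is only safe when a trusted proxy in front of Traefik sets them; if Traefik accepts client connections directly, use `trustForwardHeader = false;`. The `authResponseHeaders` list also forwards `Authorization` and `X-Auth-Request-Access-Token` (listed twice) to every backend behind this middleware, so each of those services receives the user's access token; drop both unless a specific backend consumes them. The tutorial-style comments (`# Recommended`, `# If you want to pass the token`) would be more useful if they named the backend that needs each header.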


@ -0,0 +1,8 @@
{
mesterjakob = {
rule = "Host(`mester.jakobblum.dk`)";
service = "mesterjakob";
entryPoints = ["websecure"];
tls.certResolver = "letsencrypt";
};
}


@ -0,0 +1,3 @@
{
mesterjakob.loadBalancer.servers = [{url = "http://192.168.1.226:4200";}];
}


@ -0,0 +1,28 @@
{
prometheus = {
rule = "Host(`prometheus.procopius.dk`)";
service = "prometheus";
entryPoints = ["websecure"];
middlewares = ["oauth-auth"];
tls.certResolver = "letsencrypt";
};
grafana = {
rule = "Host(`grafana.procopius.dk`)";
service = "grafana";
entryPoints = ["websecure"];
tls.certResolver = "letsencrypt";
};
alertmanager = {
rule = "Host(`alertmanager.procopius.dk`)";
service = "alertmanager";
entryPoints = ["websecure"];
middlewares = ["oauth-auth"];
tls.certResolver = "letsencrypt";
};
umami = {
rule = "Host(`umami.procopius.dk`)";
service = "umami";
entryPoints = ["websecure"];
tls.certResolver = "letsencrypt";
};
}
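Review bot: `grafana` has no `middlewares` entry, whereas the router it replaces (in the removed routers file later in this commit) carried `internal-whitelist`, and its neighbours `prometheus` and `alertmanager` moved to `oauth-auth`. As written Grafana is reachable on `websecure` with only its own login in front of it. If that is deliberate, for instance because Grafana authenticates against Keycloak itself, state it in a comment on the router; otherwise add `middlewares = ["oauth-auth"];`.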


@ -0,0 +1,6 @@
{
prometheus.loadBalancer.servers = [{url = "http://monitor.lab:9090";}];
grafana.loadBalancer.servers = [{url = "http://monitor.lab:3000";}];
alertmanager.loadBalancer.servers = [{url = "http://monitor.lab:9093";}];
umami.loadBalancer.servers = [{url = "http://192.168.1.226:3333";}];
}


@ -0,0 +1,35 @@
{
ente = {
rule = "Host(`ente.procopius.dk`)";
service = "ente";
entryPoints = ["websecure"];
tls.certResolver = "letsencrypt";
};
photos = {
rule = "Host(`photos.procopius.dk`)";
service = "photos";
entryPoints = ["websecure"];
tls.certResolver = "letsencrypt";
};
account = {
rule = "Host(`account.procopius.dk`)";
service = "account";
entryPoints = ["websecure"];
tls.certResolver = "letsencrypt";
};
minio = {
rule = "Host(`minio.procopius.dk`)";
service = "minio";
entryPoints = ["websecure"];
tls.certResolver = "letsencrypt";
};
minio-api = {
rule = "Host(`minio-api.procopius.dk`)";
service = "minio-api";
entryPoints = ["websecure"];
tls.certResolver = "letsencrypt";
};
}
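Review bot: `minio` and `minio-api` are routed with no middleware, so the object store relies entirely on its own credentials for anything arriving on `websecure`. This matches the removed routers file, but `oauth-auth` and `internal-whitelist` are now available. If `minio` is the admin console (judging by the name only), it could take `middlewares = ["internal-whitelist"];`. The API route presumably has to stay open for the photo clients, which is worth a one-line comment.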


@ -0,0 +1,7 @@
{
ente.loadBalancer.servers = [{url = "http://192.168.1.226:8087";}];
photos.loadBalancer.servers = [{url = "http://192.168.1.226:3000";}];
account.loadBalancer.servers = [{url = "http://192.168.1.226:3001";}];
minio.loadBalancer.servers = [{url = "http://192.168.1.226:3201";}];
minio-api.loadBalancer.servers = [{url = "http://192.168.1.226:3200";}];
}


@ -1,140 +0,0 @@
{ lib, config, ... }:
{
traefik = {
rule = "Host(`traefik.procopius.dk`)";
service = "traefik";
entryPoints = [ "websecure" ];
middlewares = [ "internal-whitelist" ];
tls = { certResolver = "letsencrypt"; };
};
proxmox = {
rule = "Host(`proxmox.procopius.dk`)";
service = "proxmox";
entryPoints = [ "websecure" ];
tls = { certResolver = "letsencrypt"; };
};
forgejo = {
rule = "Host(`git.procopius.dk`)";
service = "forgejo";
entryPoints = [ "websecure" ];
tls = { certResolver = "letsencrypt"; };
};
prometheus = {
rule = "Host(`prometheus.procopius.dk`)";
service = "prometheus";
entryPoints = [ "websecure" ];
middlewares = [ "internal-whitelist" ];
tls = { certResolver = "letsencrypt"; };
};
grafana = {
rule = "Host(`grafana.procopius.dk`)";
service = "grafana";
entryPoints = [ "websecure" ];
middlewares = [ "internal-whitelist" ];
tls = { certResolver = "letsencrypt"; };
};
alertmanager = {
rule = "Host(`alertmanager.procopius.dk`)";
service = "alertmanager";
entryPoints = [ "websecure" ];
middlewares = [ "internal-whitelist" ];
tls = { certResolver = "letsencrypt"; };
};
jellyfin = {
rule = "Host(`jellyfin.procopius.dk`)";
service = "jellyfin";
entryPoints = [ "websecure" ];
tls = { certResolver = "letsencrypt"; };
};
sonarr = {
rule = "Host(`sonarr.procopius.dk`)";
service = "sonarr";
entryPoints = [ "websecure" ];
tls = { certResolver = "letsencrypt"; };
};
radarr = {
rule = "Host(`radarr.procopius.dk`)";
service = "radarr";
entryPoints = [ "websecure" ];
tls = { certResolver = "letsencrypt"; };
};
ente = {
rule = "Host(`ente.procopius.dk`)";
service = "ente";
entryPoints = [ "websecure" ];
tls = { certResolver = "letsencrypt"; };
};
photos = {
rule = "Host(`photos.procopius.dk`)";
service = "photos";
entryPoints = [ "websecure" ];
tls = { certResolver = "letsencrypt"; };
};
minio = {
rule = "Host(`minio.procopius.dk`)";
service = "minio";
entryPoints = [ "websecure" ];
tls = { certResolver = "letsencrypt"; };
};
minio-api = {
rule = "Host(`minio-api.procopius.dk`)";
service = "minio-api";
entryPoints = [ "websecure" ];
tls = { certResolver = "letsencrypt"; };
};
account = {
rule = "Host(`account.procopius.dk`)";
service = "account";
entryPoints = [ "websecure" ];
tls = { certResolver = "letsencrypt"; };
};
auth = {
rule = "Host(`auth.procopius.dk`)";
service = "auth";
entryPoints = [ "websecure" ];
tls = { certResolver = "letsencrypt"; };
};
nas = {
rule = "Host(`nas.procopius.dk`)";
service = "nas";
entryPoints = [ "websecure" ];
tls = { certResolver = "letsencrypt"; };
};
umami = {
rule = "Host(`umami.procopius.dk`)";
service = "umami";
entryPoints = [ "websecure" ];
tls = { certResolver = "letsencrypt"; };
};
mesterjakob = {
rule = "Host(`mester.jakobblum.dk`)";
service = "mesterjakob";
entryPoints = [ "websecure" ];
tls = { certResolver = "letsencrypt"; };
};
catchAll = {
rule = "HostRegexp(`.+`)";
service = "nginx";
entryPoints = [ "websecure" ];
tls = { certResolver = "letsencrypt"; };
};
}


@ -1,38 +0,0 @@
{ lib, config, ... }:
{
proxmox.loadBalancer.servers = [ { url = "https://192.168.1.205:8006"; } ];
proxmox.loadBalancer.serversTransport = "insecureTransport";
traefik.loadBalancer.servers = [ { url = "http://localhost:8080"; } ];
forgejo.loadBalancer.servers = [ { url = "http://forgejo.lab:3000"; } ];
nginx.loadBalancer.servers = [ { url = "https://192.168.1.226:4433"; } ];
nginx.loadBalancer.serversTransport = "insecureTransport";
prometheus.loadBalancer.servers = [ { url = "http://monitor.lab:9090"; } ];
grafana.loadBalancer.servers = [ { url = "http://monitor.lab:3000"; } ];
alertmanager.loadBalancer.servers = [ { url = "http://monitor.lab:9093"; } ];
# from nginx
account.loadBalancer.servers = [ { url = "http://192.168.1.226:3001"; } ];
auth.loadBalancer.servers = [ { url = "http://192.168.1.226:3005"; } ];
ente.loadBalancer.servers = [ { url = "http://192.168.1.226:8087"; } ];
photos.loadBalancer.servers = [ { url = "http://192.168.1.226:3000"; } ];
minio.loadBalancer.servers = [ { url = "http://192.168.1.226:3201"; } ];
minio-api.loadBalancer.servers = [ { url = "http://192.168.1.226:3200"; } ];
nas.loadBalancer.servers = [ { url = "https://192.168.1.226:5001"; } ];
nas.loadBalancer.serversTransport = "insecureTransport";
jellyfin.loadBalancer.servers = [ { url = "http://192.168.1.226:8096"; } ];
radarr.loadBalancer.servers = [ { url = "http://192.168.1.226:7878"; } ];
sonarr.loadBalancer.servers = [ { url = "http://192.168.1.226:8989"; } ];
umami.loadBalancer.servers = [ { url = "http://192.168.1.226:3333"; } ];
mesterjakob.loadBalancer.servers = [ { url = "http://192.168.1.226:4200"; } ];
}


@ -1,11 +1,11 @@
{ lib, config, ... }:
{
entryPoints = {
web = {
address = ":80";
asDefault = true;
allowACMEByPass = true;
http.redirections.entrypoint = {
priority = 10;
to = "websecure";
scheme = "https";
};
@ -21,6 +21,8 @@
};
};
providers.file.watch = true;
api = {
dashboard = true;
insecure = true;
@ -37,7 +39,7 @@
dnsChallenge = {
provider = "cloudflare";
delayBeforeCheck = 10;
resolvers = [ "1.1.1.1:53" "8.8.8.8:53" ];
resolvers = ["1.1.1.1:53" "8.8.8.8:53"];
};
};
};
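Review bot: `api.insecure = true` remains set next to `dashboard = true` in the second hunk (this rendering does not show whether the line is context or newly added). In insecure mode Traefik serves the API and dashboard without authentication on its own entry point, and the `traefik` service URL `http://localhost:8080` elsewhere in this commit appears to point at it. The `oauth-auth` middleware on the `traefik` router therefore protects only the proxied path, not direct access to that port. Consider `insecure = false;` together with `service = "api@internal";` on the router, or confirm the port is not reachable beyond loopback. The `api` block continues outside the hunk.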