nix-config/hosts/franz/arion/infrastructure/default.nix


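# NixOS module for the arion "infrastructure" compose project on this host:
# a Cloudflare tunnel connector, Traefik (with the CrowdSec bouncer on the
# externally reachable entrypoints) and diun. Credentials come from sops-nix
# and are rendered into env files and the static Traefik config under the
# deploying user's ~/.docker/infrastructure directory.
{config, ...}: let
  vars = import ../../../../vars.nix;

  # Directory the compose project reads its env files / Traefik config from.
  dockerDir = "/home/${vars.user}/.docker/infrastructure";

  # Every rendered file below carries a live credential (tunnel token,
  # Cloudflare API key, CrowdSec bouncer key, ntfy token). The previous mode
  # 0775 made them readable (and executable) by every local account; 0600
  # restricts them to the owner. sops-nix writes them as root on activation,
  # and root (docker daemon / arion service) or ${vars.user} can still read them.
  secretFileMode = "0600";

  # All secrets used here are decrypted for the deploying user.
  userSecret = {owner = vars.user;};
in {
  virtualisation.arion = {
    projects.infrastructure.settings = {
      imports = [./arion-compose.nix];
    };
  };

  sops.secrets = {
    "cloudflared/tunnel_token" = userSecret;
    "traefik/acme_email" = userSecret;
    "traefik/cloudflare_email" = userSecret;
    "traefik/cloudflare_api_key" = userSecret;
    "crowdsec/traefik_bouncer_api_key" = userSecret;
    "diun/ntfy_access_token" = userSecret;
  };

  sops.templates = {
    # Cloudflare Tunnel connector credentials, consumed via env_file.
    "cloudflared.env" = {
      path = "${dockerDir}/cloudflared.env";
      owner = vars.user;
      mode = secretFileMode;
      content = ''
        TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
      '';
    };

    # DNS-01 credentials for Traefik's Cloudflare (lego) provider.
    # NOTE(review): CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY is the account-wide
    # Global API Key. Traefik also accepts a scoped API token via
    # CF_DNS_API_TOKEN (optionally CF_ZONE_API_TOKEN) limited to Zone:Read and
    # DNS:Edit on the relevant zone, which is the least-privilege option;
    # switching requires adding that token to the sops file first.
    "traefik.env" = {
      path = "${dockerDir}/traefik.env";
      owner = vars.user;
      mode = secretFileMode;
      content = ''
        CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
        CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
      '';
    };

    # API key the Traefik bouncer uses to query the local CrowdSec LAPI.
    "traefik-bouncer.env" = {
      path = "${dockerDir}/traefik-bouncer.env";
      owner = vars.user;
      mode = secretFileMode;
      content = ''
        CROWDSEC_BOUNCER_API_KEY="${config.sops.placeholder."crowdsec/traefik_bouncer_api_key"}"
      '';
    };

    # Static Traefik configuration (contains the ACME account e-mail).
    # Bind-mounted into the container. If Traefik runs as a non-root uid
    # inside the container it cannot read a 0600 file owned by ${vars.user};
    # in that case use 0640 with a group shared with that uid rather than
    # going back to world-readable.
    "traefik.yml" = {
      path = "${dockerDir}/traefik_config/traefik.yml";
      owner = vars.user;
      mode = secretFileMode;
      content = ''
        api:
          dashboard: true
          debug: true
          # NOTE(review): insecure=true serves the API and dashboard without
          # authentication on the internal :8080 entrypoint, and debug=true
          # adds the /debug (pprof, vars) endpoints to it. Whether that is
          # reachable beyond the docker network depends on the published
          # ports in arion-compose.nix (not in this file). The safer setup is
          # insecure=false plus a router for api@internal behind an auth
          # middleware, with debug disabled when not actively needed.
          insecure: true
        entryPoints:
          # Internal entrypoints: plain HTTP is redirected to HTTPS, no bouncer.
          web:
            address: ":80"
            http:
              redirections:
                entrypoint:
                  to: websecure
                  scheme: https
          websecure:
            address: ":443"
          # Externally reachable entrypoints (presumably what cloudflared
          # forwards to - confirm in arion-compose.nix). Every request on
          # them passes the CrowdSec bouncer (defined in the file provider
          # below) before reaching a router.
          web-external:
            address: ":81"
            http:
              redirections:
                entrypoint:
                  to: websecure-external
                  scheme: https
              middlewares:
                - crowdsec-bouncer@file
          websecure-external:
            address: ":444"
            http:
              middlewares:
                - crowdsec-bouncer@file
        providers:
          docker:
            watch: true
            # Containers are only routed when they opt in with labels.
            exposedByDefault: false
            network: dmz
          # Dynamic config (crowdsec-bouncer middleware) comes from this file.
          file:
            filename: /config.yml
        certificatesResolvers:
          letsencrypt:
            acme:
              email: ${config.sops.placeholder."traefik/acme_email"}
              # Relative to the container working directory; presumably on a
              # persisted volume, otherwise certificates are re-issued on every
              # recreate and Let's Encrypt rate limits apply - verify the mount.
              storage: acme.json
              dnsChallenge:
                provider: cloudflare
                resolvers:
                  - "1.1.1.1:53"
                  - "1.0.0.1:53"
        log:
          level: "INFO"
          filePath: "/var/log/traefik/traefik.log"
        accessLog:
          filePath: "/var/log/traefik/access.log"
      '';
    };

    # ntfy token for diun image-update notifications.
    "diun.env" = {
      path = "${dockerDir}/diun.env";
      owner = vars.user;
      mode = secretFileMode;
      content = ''
        DIUN_NOTIF_NTFY_TOKEN="${config.sops.placeholder."diun/ntfy_access_token"}"
      '';
    };
  };

  # Hourly CrowdSec hub refresh inside the crowdsec container. `. /etc/profile`
  # supplies PATH for docker; both commands and their stderr are appended to the
  # log (the original only captured stdout of the upgrade, so failures went to
  # cron mail or nowhere).
  # NOTE(review): `cscli hub upgrade` only fetches new item versions; crowdsec
  # has to be reloaded/restarted for them to take effect - confirm whether that
  # happens elsewhere or add it here.
  services.cron = {
    enable = true;
    systemCronJobs = [
      "0 * * * * root . /etc/profile; (docker exec crowdsec cscli hub update && docker exec crowdsec cscli hub upgrade) >> /var/log/crowdsec-update.log 2>&1"
    ];
  };
}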