# Compose-style project definition written in Nix (the option names —
# project.name, services.<name>.service, useHostStore, docker-compose.volumes —
# look like Arion's module interface; confirm against the flake that imports this).
# Defines one external network ("dmz"), three named volumes and three services:
# traefik (edge proxy / ACME), cloudflared (outbound tunnel) and scrutiny (SMART
# disk monitoring). Secrets are not inlined here; each service reads them from an
# env_file outside the Nix store, which keeps them out of the world-readable
# /nix/store.
{pkgs, ...}: {
  project.name = "infrastructure";

  # external = true: the network must already exist on the host; this project
  # neither creates nor removes it.
  networks.dmz = {
    name = "dmz";
    external = true;
  };

  # null = named volume with the default driver and no extra options.
  docker-compose.volumes = {
    traefik_letsencrypt = null;
    scrutiny_data = null;
    scrutiny_db = null;
  };

  services = {
    traefik.service = {
      image = "traefik:v3.0";
      container_name = "traefik";
      useHostStore = true;
      ports = [
        # public entrypoints
        "80:80"
        "443:443"
        # NOTE(review): host port 8421 maps straight to container port 8080 (the
        # Traefik API/dashboard port) on every host interface, in plaintext and
        # without the TLS router defined in the labels below. If the dashboard is
        # only needed locally, binding it as "127.0.0.1:8421:8080" keeps it off
        # the network; otherwise rely solely on the websecure router.
        "8421:8080"
      ];
      labels = {
        "traefik.enable" = "true";
        # Dashboard router: TLS via the "letsencrypt" resolver, reachable on the
        # websecure entrypoint. No auth middleware is attached to this router
        # here, so access control (if any) must come from elsewhere — TODO confirm.
        "traefik.http.routers.dashboard.rule" = "Host(`traefik.ghoscht.com`)";
        "traefik.http.routers.dashboard.entrypoints" = "websecure";
        # Points the router at the container's own port 8080; presumably the
        # static config in traefik_data enables the API on that port
        # (api.insecure) — verify. The api@internal service with an auth
        # middleware is the alternative that avoids exposing the raw API port.
        "traefik.http.services.dashboard.loadbalancer.server.port" = "8080";
        "traefik.http.routers.dashboard.tls" = "true";
        "traefik.http.routers.dashboard.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        # ACME certificates/keys persist in the named volume.
        "traefik_letsencrypt:/letsencrypt"
        # Static config lives on the host, not in the Nix store.
        "/home/ghoscht/.docker/infrastructure/traefik_data:/etc/traefik"
        # NOTE(review): ":ro" only makes the bind mount read-only; connecting to
        # the socket and issuing Docker API calls still works, so this grants the
        # container full control of the daemon (root-equivalent on the host). A
        # socket proxy that allow-lists the read-only endpoints Traefik's docker
        # provider needs is the usual mitigation.
        "/var/run/docker.sock:/var/run/docker.sock:ro"
      ];
      # Secrets (e.g. DNS-challenge credentials, if used) come from this file
      # rather than the Nix expression — TODO confirm contents.
      env_file = [
        "/home/ghoscht/.docker/infrastructure/traefik.env"
      ];
      # Explicit upstream resolver; bypasses the host's resolv.conf for this
      # container.
      dns = ["1.1.1.1"];
      restart = "always";
      networks = [
        "dmz"
      ];
    };

    cloudflared.service = {
      image = "cloudflare/cloudflared:2024.2.1";
      container_name = "cloudflared";
      # Presumably supplies the tunnel token/credentials; not visible here.
      env_file = [
        "/home/ghoscht/.docker/infrastructure/cloudflared.env"
      ];
      restart = "always";
      dns = ["1.1.1.1"];
      # Outbound-only tunnel; --no-autoupdate pins the binary to the image tag
      # above so updates are explicit.
      command = "tunnel --no-autoupdate --protocol http2 run";
      # Joins dmz so it can reach the services it fronts by container name.
      networks = [
        "dmz"
      ];
    };

    scrutiny.service = {
      image = "ghcr.io/analogj/scrutiny:v0.8.0-omnibus";
      container_name = "scrutiny";
      restart = "always";
      labels = {
        "traefik.enable" = "true";
        # Same shape as the dashboard router: TLS via letsencrypt on websecure,
        # no Traefik auth middleware on this router — TODO confirm whether the
        # application itself enforces any.
        "traefik.http.routers.scrutiny.entrypoints" = "websecure";
        "traefik.http.routers.scrutiny.rule" = "Host(`scrutiny.ghoscht.com`)";
        "traefik.http.services.scrutiny.loadbalancer.server.port" = "8080";
        "traefik.http.routers.scrutiny.tls" = "true";
        "traefik.http.routers.scrutiny.tls.certresolver" = "letsencrypt";
      };
      # Extra capabilities for raw SMART/NVMe access. SYS_ADMIN is very broad;
      # together with the raw block devices below this container is effectively
      # root on the host's disks, so keep its exposure (the router above) tight.
      capabilities = {
        SYS_RAWIO = true;
        SYS_ADMIN = true; # enables nvme support
      };
      volumes = [
        # Read-only view of udev so the collector can enumerate devices.
        "/run/udev:/run/udev:ro"
        "scrutiny_data:/opt/scrutiny/config"
        "scrutiny_db:/opt/scrutiny/influxdb"
      ];
      # Hard-coded list of block devices passed through; must be updated when
      # disks are added or renumbered — TODO confirm it matches the host.
      devices = [
        "/dev/nvme0n1"
        "/dev/sda"
        "/dev/sdb"
        "/dev/sdc"
        "/dev/sdd"
        "/dev/sde"
        "/dev/sdf"
      ];
      networks = [
        "dmz"
      ];
    };
  };
}