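{config, ...}: let
  # Shared host variables; only `vars.user` (the unprivileged account that
  # runs the compose stack) is used in this module.
  vars = import ../../../../vars.nix;

  # Directory the rendered secret files are written to. The compose project
  # in ./arion-compose.nix is expected to bind-mount from here (that file is
  # not visible from this module — confirm against it).
  infraDir = "/home/${vars.user}/.docker/infrastructure";

  # Rendered secret files must not be world-readable. "0400" is the sops-nix
  # default for secrets; the previous "0775" made the tunnel token and the
  # Cloudflare credentials readable by every local account. If a container
  # process has to read these files under a different uid, widen to a
  # group-readable "0440" rather than back to "0775".
  secretFileMode = "0400";

  # Every decrypted secret below belongs to the stack user.
  ownedByUser = {owner = vars.user;};
in {
  virtualisation.arion.projects.infrastructure.settings = {
    imports = [./arion-compose.nix];
  };

  # Raw secrets decrypted by sops-nix. They are never read directly; the
  # templates below reference them through `config.sops.placeholder`.
  sops.secrets = {
    "cloudflared/tunnel_token" = ownedByUser;
    "traefik/acme_email" = ownedByUser;
    "traefik/cloudflare_email" = ownedByUser;
    "traefik/cloudflare_api_key" = ownedByUser;
  };

  sops.templates = {
    # env_file for the cloudflared container.
    "cloudflared.env" = {
      path = "${infraDir}/cloudflared.env";
      owner = vars.user;
      mode = secretFileMode;
      content = ''
        TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
      '';
    };

    # env_file for the traefik container: credentials for the ACME DNS-01
    # challenge. CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY is the account-wide
    # Global API Key; a zone-scoped DNS token (CF_DNS_API_TOKEN) limits what a
    # leaked credential can do and is worth migrating to.
    "traefik.env" = {
      path = "${infraDir}/traefik.env";
      owner = vars.user;
      mode = secretFileMode;
      content = ''
        CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
        CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
      '';
    };

    # Traefik static configuration. It embeds the ACME account e-mail, which
    # is why it is rendered by sops-nix rather than checked in. Two settings
    # are kept as the author wrote them but deserve attention:
    #  - `[api] insecure = true` serves the API/dashboard unauthenticated on
    #    the built-in `traefik` entrypoint (port 8080); keep that port
    #    unpublished, or front the dashboard with a router plus an auth
    #    middleware instead.
    #  - `[serversTransport] insecureSkipVerify = true` disables certificate
    #    verification for every backend; prefer a dedicated serversTransport
    #    only for the self-signed backends that need it.
    "traefik.toml" = {
      path = "${infraDir}/traefik_data/traefik.toml";
      owner = vars.user;
      mode = secretFileMode;
      content = ''
        [entryPoints]
        [entryPoints.web]
        address = ":80"
        [entryPoints.websecure]
        address = ":443"
        [api]
        dashboard = true
        insecure = true

        [certificatesResolvers.letsencrypt.acme]
        email = "${config.sops.placeholder."traefik/acme_email"}"
        storage = "/letsencrypt/acme.json"
        [certificatesResolvers.letsencrypt.acme.dnsChallenge]
        provider = "cloudflare"
        resolvers = ["1.1.1.1:53", "1.0.0.1:53"]

        [serversTransport]
        insecureSkipVerify = true

        [providers.docker]
        watch = true
        network = "web"
        exposedByDefault = false
      '';
    };
  };
}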