nix-config/hosts/franz/arion/infrastructure/default.nix

74 lines
1.9 KiB
Nix
Raw Normal View History

{config, ...}: let
vars = import ../../../../vars.nix;
in {
virtualisation.arion = {
projects.infrastructure.settings = {
imports = [./arion-compose.nix];
};
};
sops.secrets."cloudflared/tunnel_token" = {
owner = vars.user;
};
sops.secrets."traefik/acme_email" = {
owner = vars.user;
};
sops.secrets."traefik/cloudflare_email" = {
owner = vars.user;
};
sops.secrets."traefik/cloudflare_api_key" = {
owner = vars.user;
};
sops.templates."cloudflared.env" = {
path = "/home/${vars.user}/.docker/infrastructure/cloudflared.env";
owner = vars.user;
mode = "0775";
content = ''
TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
'';
};
sops.templates."traefik.env" = {
path = "/home/${vars.user}/.docker/infrastructure/traefik.env";
owner = vars.user;
mode = "0775";
content = ''
CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
'';
};
sops.templates."traefik.toml" = {
path = "/home/${vars.user}/.docker/infrastructure/traefik_data/traefik.toml";
owner = vars.user;
mode = "0775";
content = ''
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[api]
dashboard = true
insecure = true
[certificatesResolvers.letsencrypt.acme]
email = "${config.sops.placeholder."traefik/acme_email"}"
storage = "/letsencrypt/acme.json"
[certificatesResolvers.letsencrypt.acme.dnsChallenge]
provider = "cloudflare"
resolvers = ["1.1.1.1:53", "1.0.0.1:53"]
[serversTransport]
insecureSkipVerify = true
[providers.docker]
watch = true
network = "web"
exposedByDefault = false
'';
};
}