nix-config/hosts/franz/arion/infrastructure/default.nix

{config, ...}: let
  vars = import ../../../../vars.nix;
in {
  virtualisation.arion = {
    projects.infrastructure.settings = {
      imports = [./arion-compose.nix];
    };
  };

  sops.secrets."cloudflared/tunnel_token" = {
    owner = vars.user;
  };

  sops.secrets."traefik/acme_email" = {
    owner = vars.user;
  };
  sops.secrets."traefik/cloudflare_email" = {
    owner = vars.user;
  };
  sops.secrets."traefik/cloudflare_api_key" = {
    owner = vars.user;
  };

  sops.secrets."dyndns/cloudflare_api_key" = {
    owner = vars.user;
  };

  sops.templates."cloudflared.env" = {
    path = "/home/${vars.user}/.docker/infrastructure/cloudflared.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
    '';
  };

  sops.templates."traefik.env" = {
    path = "/home/${vars.user}/.docker/infrastructure/traefik.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
      CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
    '';
  };

  sops.templates."dyndns.env" = {
    path = "/home/${vars.user}/.docker/infrastructure/dyndns.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      CLOUDFLARE_API_TOKEN="${config.sops.placeholder."dyndns/cloudflare_api_key"}"
    '';
  };

  sops.templates."traefik.toml" = {
    path = "/home/${vars.user}/.docker/infrastructure/traefik_data/traefik.toml";
    owner = vars.user;
    mode = "0775";
    content = ''
      [entryPoints]
        [entryPoints.web]
          address = ":80"
        [entryPoints.web-external]
          address = ":81"
        [entryPoints.websecure]
          address = ":443"
        [entryPoints.websecure-external]
          address = ":444"
      [api]
        dashboard = true
        insecure = true

      [certificatesResolvers.letsencrypt.acme]
        email = "${config.sops.placeholder."traefik/acme_email"}"
        storage = "/letsencrypt/acme.json"
        [certificatesResolvers.letsencrypt.acme.dnsChallenge]
          provider = "cloudflare"
          resolvers = ["1.1.1.1:53", "1.0.0.1:53"]

      [serversTransport]
        insecureSkipVerify = true

      [providers.docker]
        watch = true
        network = "dmz"
        exposedByDefault = false # overriden by traefik.enable=true
    '';
  };
}
Split sops secrets management into separate files for each arion subdir 2024-03-06 11:35:13 +01:00			`{config, ...}: let`
			`vars = import ../../../../vars.nix;`
			`in {`
			`virtualisation.arion = {`
			`projects.infrastructure.settings = {`
			`imports = [./arion-compose.nix];`
			`};`
			`};`

			`sops.secrets."cloudflared/tunnel_token" = {`
			`owner = vars.user;`
			`};`

			`sops.secrets."traefik/acme_email" = {`
			`owner = vars.user;`
			`};`
			`sops.secrets."traefik/cloudflare_email" = {`
			`owner = vars.user;`
			`};`
			`sops.secrets."traefik/cloudflare_api_key" = {`
			`owner = vars.user;`
			`};`

Arion: Add Headscale 2024-05-01 17:49:03 +02:00			`sops.secrets."dyndns/cloudflare_api_key" = {`
			`owner = vars.user;`
			`};`

Split sops secrets management into separate files for each arion subdir 2024-03-06 11:35:13 +01:00			`sops.templates."cloudflared.env" = {`
			`path = "/home/${vars.user}/.docker/infrastructure/cloudflared.env";`
			`owner = vars.user;`
			`mode = "0775";`
			`content = ''`
			`TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"`
			`'';`
			`};`

			`sops.templates."traefik.env" = {`
			`path = "/home/${vars.user}/.docker/infrastructure/traefik.env";`
			`owner = vars.user;`
			`mode = "0775";`
			`content = ''`
			`CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"`
			`CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"`
			`'';`
			`};`

Arion: Add Headscale 2024-05-01 17:49:03 +02:00			`sops.templates."dyndns.env" = {`
			`path = "/home/${vars.user}/.docker/infrastructure/dyndns.env";`
			`owner = vars.user;`
			`mode = "0775";`
			`content = ''`
			`CLOUDFLARE_API_TOKEN="${config.sops.placeholder."dyndns/cloudflare_api_key"}"`
			`'';`
			`};`

Split sops secrets management into separate files for each arion subdir 2024-03-06 11:35:13 +01:00			`sops.templates."traefik.toml" = {`
			`path = "/home/${vars.user}/.docker/infrastructure/traefik_data/traefik.toml";`
			`owner = vars.user;`
			`mode = "0775";`
			`content = ''`
			`[entryPoints]`
			`[entryPoints.web]`
			`address = ":80"`
Arion: Add Headscale 2024-05-01 17:49:03 +02:00			`[entryPoints.web-external]`
			`address = ":81"`
Split sops secrets management into separate files for each arion subdir 2024-03-06 11:35:13 +01:00			`[entryPoints.websecure]`
			`address = ":443"`
Arion: Add Headscale 2024-05-01 17:49:03 +02:00			`[entryPoints.websecure-external]`
			`address = ":444"`
Split sops secrets management into separate files for each arion subdir 2024-03-06 11:35:13 +01:00			`[api]`
			`dashboard = true`
			`insecure = true`

			`[certificatesResolvers.letsencrypt.acme]`
			`email = "${config.sops.placeholder."traefik/acme_email"}"`
			`storage = "/letsencrypt/acme.json"`
			`[certificatesResolvers.letsencrypt.acme.dnsChallenge]`
			`provider = "cloudflare"`
			`resolvers = ["1.1.1.1:53", "1.0.0.1:53"]`

			`[serversTransport]`
			`insecureSkipVerify = true`

			`[providers.docker]`
			`watch = true`
Arion: Add Headscale 2024-05-01 17:49:03 +02:00			`network = "dmz"`
			`exposedByDefault = false # overriden by traefik.enable=true`
Split sops secrets management into separate files for each arion subdir 2024-03-06 11:35:13 +01:00			`'';`
			`};`
			`}`