From 5a9cf4c15c77155fb19b652dbc92b2445f86a4bf Mon Sep 17 00:00:00 2001
From: GHOSCHT <31184695+GHOSCHT@users.noreply.github.com>
Date: Sat, 29 Jun 2024 20:27:08 +0200
Subject: [PATCH] Arion: Add wildcard certs to traefik

---
 .../arion/infrastructure/arion-compose.nix | 22 +++---
 hosts/franz/arion/infrastructure/default.nix | 70 +++++++++++--------
 2 files changed, 49 insertions(+), 43 deletions(-)

diff --git a/hosts/franz/arion/infrastructure/arion-compose.nix b/hosts/franz/arion/infrastructure/arion-compose.nix
index a12350d..6f454b7 100644
--- a/hosts/franz/arion/infrastructure/arion-compose.nix
+++ b/hosts/franz/arion/infrastructure/arion-compose.nix
@@ -31,10 +31,16 @@
 "traefik.http.services.dashboard.loadbalancer.server.port" = "8080";
 "traefik.http.routers.dashboard.tls" = "true";
 "traefik.http.routers.dashboard.tls.certresolver" = "letsencrypt";
+
+ "traefik.http.routers.dashboard.tls.domains[0].main" = "ghoscht.com";
+ "traefik.http.routers.dashboard.tls.domains[0].sans" = "*.ghoscht.com";
+
+ "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme" = "https";
+ "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto" = "https";
 };
 volumes = [
- "traefik_letsencrypt:/letsencrypt"
- "/home/ghoscht/.docker/infrastructure/traefik_data:/etc/traefik"
+ "/home/ghoscht/.docker/infrastructure/traefik_config/traefik.yml:/traefik.yml:ro"
+ "/storage/dataset/docker/infrastructure/traefik_data/acme.json:/acme.json"
 "/var/run/docker.sock:/var/run/docker.sock:ro"
 ];
 env_file = [
@@ -45,18 +51,6 @@
 "dmz"
 ];
 };
- # cloudflared.service = {
- # image = "cloudflare/cloudflared:2024.2.1";
- # container_name = "cloudflared";
- # env_file = [
- # "/home/ghoscht/.docker/infrastructure/cloudflared.env"
- # ];
- # restart = "always";
- # command = "tunnel --no-autoupdate --protocol http2 run";
- # networks = [
- # "dmz"
- # ];
- # };
 scrutiny.service = {
 image = "ghcr.io/analogj/scrutiny:v0.8.0-omnibus";
 container_name = "scrutiny";
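Review bot: The two middleware labels added under the dashboard service (`traefik-https-redirect` and `sslheader`) are defined but nothing in this hunk attaches them to a router — there is no `traefik.http.routers.dashboard.middlewares` label — so as written they have no effect. Either attach them with `"traefik.http.routers.dashboard.middlewares" = "traefik-https-redirect,sslheader";` or drop them; note that the default.nix change in this same commit already redirects the `web` entrypoints to HTTPS, which would make the redirect middleware redundant anyway. The new `acme.json` bind mount also deserves a comment: if the host file does not exist at first start, Docker creates a directory at that path instead of a file, and Traefik refuses an ACME store whose permissions are wider than 0600, so a line such as `# acme.json must pre-exist as a 0600 file owned by the traefik user; Docker would otherwise create a directory here` would spare the next maintainer a failed boot. The enclosing `traefik.service` definition starts outside the hunk.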
diff --git a/hosts/franz/arion/infrastructure/default.nix b/hosts/franz/arion/infrastructure/default.nix
index 141ec28..9891caa 100644
--- a/hosts/franz/arion/infrastructure/default.nix
+++ b/hosts/franz/arion/infrastructure/default.nix
@@ -57,38 +57,50 @@ in {
 '';
 };
- sops.templates."traefik.toml" = {
- path = "/home/${vars.user}/.docker/infrastructure/traefik_data/traefik.toml";
+ sops.templates."traefik.yml" = {
+ path = "/home/${vars.user}/.docker/infrastructure/traefik_config/traefik.yml";
 owner = vars.user;
 mode = "0775";
 content = ''
- [entryPoints]
- [entryPoints.web]
- address = ":80"
- [entryPoints.web-external]
- address = ":81"
- [entryPoints.websecure]
- address = ":443"
- [entryPoints.websecure-external]
- address = ":444"
- [api]
- dashboard = true
- insecure = true
-
- [certificatesResolvers.letsencrypt.acme]
- email = "${config.sops.placeholder."traefik/acme_email"}"
- storage = "/letsencrypt/acme.json"
- [certificatesResolvers.letsencrypt.acme.dnsChallenge]
- provider = "cloudflare"
- resolvers = ["1.1.1.1:53", "1.0.0.1:53"]
-
- [serversTransport]
- insecureSkipVerify = true
-
- [providers.docker]
- watch = true
- network = "dmz"
- exposedByDefault = false # overriden by traefik.enable=true
+ api:
+ dashboard: true
+ debug: true
+ insecure: true
+ entryPoints:
+ web:
+ address: ":80"
+ http:
+ redirections:
+ entrypoint:
+ to: websecure
+ scheme: https
+ web-external:
+ address: ":81"
+ http:
+ redirections:
+ entrypoint:
+ to: websecure-external
+ scheme: https
+ websecure:
+ address: ":443"
+ websecure-external:
+ address: ":444"
+ providers:
+ providers:
+ docker:
+ watch: true
+ exposedByDefault: false
+ network: dmz
+ certificatesResolvers:
+ letsencrypt:
+ acme:
+ email: ${config.sops.placeholder."traefik/acme_email"}
+ storage: acme.json
+ dnsChallenge:
+ provider: cloudflare
+ resolvers:
+ - "1.1.1.1:53"
+ - "1.0.0.1:53"
 '';
 };
 sops.templates."diun.env" = {
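Review bot: The new YAML carries `providers:` twice in a row before `docker:`, so the Docker provider lands either under `providers.providers.docker` or as a duplicate mapping key — indentation is flattened in this view, but neither reading is valid static configuration, and Traefik's static-config parser rejects unknown fields and duplicate keys, so the container would most likely fail to start or discover no routers at all (including the dashboard router labelled in arion-compose.nix). Drop one of the two lines so the section reads `providers:` / `  docker:` / `    watch: true`. Separately, `debug: true` under `api:` is new and, combined with the retained `insecure: true`, serves the `/debug/` pprof endpoints on the unauthenticated API port; a comment such as `# debug: true  # exposes /debug/ pprof on the insecure API port; enable only while troubleshooting` would make that deliberate rather than accidental. The `sops.templates."traefik.yml"` attribute is fully inside the hunk, but the enclosing `in {` set is not.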