Arion: Add wildcard certs to traefik

hosts/franz/arion/infrastructure/arion-compose.nix

@@ -31,10 +31,16 @@
         "traefik.http.services.dashboard.loadbalancer.server.port" = "8080";
         "traefik.http.routers.dashboard.tls" = "true";
         "traefik.http.routers.dashboard.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.routers.dashboard.tls.domains[0].main" = "ghoscht.com";
+        "traefik.http.routers.dashboard.tls.domains[0].sans" = "*.ghoscht.com";
+
+        "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme" = "https";
+        "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto" = "https";
       };
       volumes = [
-        "traefik_letsencrypt:/letsencrypt"
+        "/home/ghoscht/.docker/infrastructure/traefik_config/traefik.yml:/traefik.yml:ro"
-        "/home/ghoscht/.docker/infrastructure/traefik_data:/etc/traefik"
+        "/storage/dataset/docker/infrastructure/traefik_data/acme.json:/acme.json"
         "/var/run/docker.sock:/var/run/docker.sock:ro"
       ];
       env_file = [
@@ -45,18 +51,6 @@
         "dmz"
       ];
     };
-    # cloudflared.service = {
-    #   image = "cloudflare/cloudflared:2024.2.1";
-    #   container_name = "cloudflared";
-    #   env_file = [
-    #     "/home/ghoscht/.docker/infrastructure/cloudflared.env"
-    #   ];
-    #   restart = "always";
-    #   command = "tunnel --no-autoupdate --protocol http2 run";
-    #   networks = [
-    #     "dmz"
-    #   ];
-    # };
     scrutiny.service = {
       image = "ghcr.io/analogj/scrutiny:v0.8.0-omnibus";
       container_name = "scrutiny";

hosts/franz/arion/infrastructure/default.nix

@@ -57,38 +57,50 @@ in {
     '';
   };
 
-  sops.templates."traefik.toml" = {
+  sops.templates."traefik.yml" = {
-    path = "/home/${vars.user}/.docker/infrastructure/traefik_data/traefik.toml";
+    path = "/home/${vars.user}/.docker/infrastructure/traefik_config/traefik.yml";
     owner = vars.user;
     mode = "0775";
     content = ''
-      [entryPoints]
+      api:
-        [entryPoints.web]
+        dashboard: true
-          address = ":80"
+        debug: true
-        [entryPoints.web-external]
+        insecure: true
-          address = ":81"
+      entryPoints:
-        [entryPoints.websecure]
+        web:
-          address = ":443"
+          address: ":80"
-        [entryPoints.websecure-external]
+          http:
-          address = ":444"
+            redirections:
-      [api]
+              entrypoint:
-        dashboard = true
+                to: websecure
-        insecure = true
+                scheme: https
-
+        web-external:
-      [certificatesResolvers.letsencrypt.acme]
+          address: ":81"
-        email = "${config.sops.placeholder."traefik/acme_email"}"
+          http:
-        storage = "/letsencrypt/acme.json"
+            redirections:
-        [certificatesResolvers.letsencrypt.acme.dnsChallenge]
+              entrypoint:
-          provider = "cloudflare"
+                to: websecure-external
-          resolvers = ["1.1.1.1:53", "1.0.0.1:53"]
+                scheme: https
-
+        websecure:
-      [serversTransport]
+          address: ":443"
-        insecureSkipVerify = true
+        websecure-external:
-
+          address: ":444"
-      [providers.docker]
+          providers:
-        watch = true
+      providers:
-        network = "dmz"
+        docker:
-        exposedByDefault = false # overriden by traefik.enable=true
+          watch: true
+          exposedByDefault: false
+          network: dmz
+      certificatesResolvers:
+        letsencrypt:
+          acme:
+            email: ${config.sops.placeholder."traefik/acme_email"}
+            storage: acme.json
+            dnsChallenge:
+              provider: cloudflare
+              resolvers:
+                - "1.1.1.1:53"
+                - "1.0.0.1:53"
     '';
   };
   sops.templates."diun.env" = {