From af58abcf3c6e10d6a687b7a9f484fdf40c0a6006 Mon Sep 17 00:00:00 2001
From: GHOSCHT <31184695+GHOSCHT@users.noreply.github.com>
Date: Mon, 6 May 2024 19:49:27 +0200
Subject: [PATCH] Arion: Switch from Cloudflare Tunnels to port-forwarding
---
 hosts/franz/arion/git/arion-compose.nix | 13 ++++++++--
 hosts/franz/arion/headscale/arion-compose.nix | 4 ++--
 .../arion/infrastructure/arion-compose.nix | 24 +++++++++----------
 hosts/franz/arion/matrix/arion-compose.nix | 20 ++++++++++++++++
 hosts/franz/arion/push/arion-compose.nix | 10 ++++++++
 hosts/franz/arion/signal/arion-compose.nix | 9 +++++++
 6 files changed, 64 insertions(+), 16 deletions(-)
diff --git a/hosts/franz/arion/git/arion-compose.nix b/hosts/franz/arion/git/arion-compose.nix
index 37224d0..77a8389 100644
--- a/hosts/franz/arion/git/arion-compose.nix
+++ b/hosts/franz/arion/git/arion-compose.nix
@@ -15,12 +15,21 @@
 useHostStore = true;
 labels = {
 "traefik.enable" = "true";
+ "traefik.docker.network" = "dmz";
+
+ "traefik.http.services.forgejo.loadbalancer.server.port" = "3000";
+ "traefik.http.routers.forgejo.service" = "forgejo";
 "traefik.http.routers.forgejo.entrypoints" = "websecure";
 "traefik.http.routers.forgejo.rule" = "Host(`git.ghoscht.com`)";
- "traefik.http.services.forgejo.loadbalancer.server.port" = "3000";
- "traefik.docker.network" = "dmz";
 "traefik.http.routers.forgejo.tls" = "true";
 "traefik.http.routers.forgejo.tls.certresolver" = "letsencrypt";
+
+ "traefik.http.services.forgejo-external.loadbalancer.server.port" = "3000";
+ "traefik.http.routers.forgejo-external.service" = "forgejo-external";
+ "traefik.http.routers.forgejo-external.rule" = "Host(`git.ghoscht.com`)";
+ "traefik.http.routers.forgejo-external.entrypoints" = "websecure-external";
+ "traefik.http.routers.forgejo-external.tls" = "true";
+ "traefik.http.routers.forgejo-external.tls.certresolver" = "letsencrypt";
 };
 volumes = [
 "/storage/dataset/docker/git/forgejo_data:/data"
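Review bot: The `forgejo-external` router added in hosts/franz/arion/git/arion-compose.nix binds `git.ghoscht.com` to `websecure-external` with no `middlewares` label, so requests arriving over the port-forward reach Forgejo with no rate limiting or header hardening at the proxy, filtering that the Cloudflare tunnel may previously have provided. Consider attaching one, e.g. `"traefik.http.routers.forgejo-external.middlewares" = "<rate-limit-middleware>@docker";` (placeholder name; no middleware is defined in this diff), and confirm that Forgejo's own registration and sign-in settings suit direct exposure. The same applies to the `-external` routers added in the matrix, push and signal hunks. As a smaller point, `forgejo-external` is a second service definition for the same port 3000; the new router could reference the existing `forgejo` service instead.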
diff --git a/hosts/franz/arion/headscale/arion-compose.nix b/hosts/franz/arion/headscale/arion-compose.nix
index 9a47398..7a4fae1 100644
--- a/hosts/franz/arion/headscale/arion-compose.nix
+++ b/hosts/franz/arion/headscale/arion-compose.nix
@@ -16,7 +16,7 @@
 "traefik.enable" = "true";
 "traefik.http.services.headscale.loadbalancer.server.port" = "8080";
 "traefik.http.routers.headscale.service" = "headscale";
- "traefik.http.routers.headscale.entrypoints" = "websecure-external";
+ "traefik.http.routers.headscale.entrypoints" = "websecure";
 "traefik.http.routers.headscale.rule" = "Host(`headscale.ghoscht.com`)";
 "traefik.http.routers.headscale.tls" = "true";
 "traefik.http.routers.headscale.tls.certresolver" = "letsencrypt";
@@ -24,7 +24,7 @@
 "traefik.http.services.headscale-external.loadbalancer.server.port" = "8080";
 "traefik.http.routers.headscale-external.service" = "headscale-external";
 "traefik.http.routers.headscale-external.rule" = "Host(`headscale.ghoscht.com`)";
- "traefik.http.routers.headscale-external.entrypoints" = "websecure";
+ "traefik.http.routers.headscale-external.entrypoints" = "websecure-external";
 "traefik.http.routers.headscale-external.tls" = "true";
 "traefik.http.routers.headscale-external.tls.certresolver" = "letsencrypt";
 };
diff --git a/hosts/franz/arion/infrastructure/arion-compose.nix b/hosts/franz/arion/infrastructure/arion-compose.nix
index afa89dc..fbf82e1 100644
--- a/hosts/franz/arion/infrastructure/arion-compose.nix
+++ b/hosts/franz/arion/infrastructure/arion-compose.nix
@@ -45,18 +45,18 @@
 "dmz"
 ];
 };
- cloudflared.service = {
- image = "cloudflare/cloudflared:2024.2.1";
- container_name = "cloudflared";
- env_file = [
- "/home/ghoscht/.docker/infrastructure/cloudflared.env"
- ];
- restart = "always";
- command = "tunnel --no-autoupdate --protocol http2 run";
- networks = [
- "dmz"
- ];
- };
+ # cloudflared.service = {
+ # image = "cloudflare/cloudflared:2024.2.1";
+ # container_name = "cloudflared";
+ # env_file = [
+ # "/home/ghoscht/.docker/infrastructure/cloudflared.env"
+ # ];
+ # restart = "always";
+ # command = "tunnel --no-autoupdate --protocol http2 run";
+ # networks = [
+ # "dmz"
+ # ];
+ # };
 scrutiny.service = {
 image = "ghcr.io/analogj/scrutiny:v0.8.0-omnibus";
 container_name = "scrutiny";
diff --git a/hosts/franz/arion/matrix/arion-compose.nix b/hosts/franz/arion/matrix/arion-compose.nix
index d33be7b..0927761 100644
--- a/hosts/franz/arion/matrix/arion-compose.nix
+++ b/hosts/franz/arion/matrix/arion-compose.nix
@@ -14,11 +14,21 @@
 container_name = "synapse";
 labels = {
 "traefik.enable" = "true";
+
+ "traefik.http.services.synapse.loadbalancer.server.port" = "8008";
+ "traefik.http.routers.synapse.service" = "synapse";
 "traefik.http.routers.synapse.entrypoints" = "websecure";
 "traefik.http.routers.synapse.rule" = "Host(`synapse.ghoscht.com`)";
 "traefik.docker.network" = "dmz";
 "traefik.http.routers.synapse.tls" = "true";
 "traefik.http.routers.synapse.tls.certresolver" = "letsencrypt";
+
+ "traefik.http.services.synapse-external.loadbalancer.server.port" = "8008";
+ "traefik.http.routers.synapse-external.service" = "synapse-external";
+ "traefik.http.routers.synapse-external.rule" = "Host(`synapse.ghoscht.com`)";
+ "traefik.http.routers.synapse-external.entrypoints" = "websecure-external";
+ "traefik.http.routers.synapse-external.tls" = "true";
+ "traefik.http.routers.synapse-external.tls.certresolver" = "letsencrypt";
 };
 volumes = [
 "/storage/dataset/docker/matrix/synapse_data:/data"
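Review bot: In hosts/franz/arion/infrastructure/arion-compose.nix the `cloudflared` service is commented out rather than deleted, which keeps a dead block and the path `/home/ghoscht/.docker/infrastructure/cloudflared.env` in the file. If the tunnel is retired, remove the block (git history keeps it), and delete the tunnel on the Cloudflare side together with that env file, so the tunnel credentials it presumably holds stop being valid; a tunnel that still exists upstream is a second ingress path that this configuration no longer documents. If the block is kept as a fallback, say so in one line, e.g. `# cloudflared disabled: services are published via the websecure-external entrypoint instead`.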
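Review bot: In hosts/franz/arion/matrix/arion-compose.nix the `synapse-external` rule matches every path on `synapse.ghoscht.com`, so the Synapse admin API under `/_synapse/admin` is served on the internet-facing entrypoint as well. Synapse's reverse-proxy guidance is to publish only `/_matrix` and `/_synapse/client`; the external rule could be narrowed to `"traefik.http.routers.synapse-external.rule" = "Host(`synapse.ghoscht.com`) && (PathPrefix(`/_matrix`) || PathPrefix(`/_synapse/client`))";` while the internal `synapse` router keeps the broad rule. Whether the admin paths were already reachable through the tunnel cannot be seen from this diff.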
@@ -59,11 +69,21 @@
 ];
 labels = {
 "traefik.enable" = "true";
+
+ "traefik.http.services.matrix.loadbalancer.server.port" = "80";
+ "traefik.http.routers.matrix.service" = "matrix";
 "traefik.http.routers.matrix.entrypoints" = "websecure";
 "traefik.http.routers.matrix.rule" = "Host(`matrix.ghoscht.com`)";
 "traefik.docker.network" = "dmz";
 "traefik.http.routers.matrix.tls" = "true";
 "traefik.http.routers.matrix.tls.certresolver" = "letsencrypt";
+
+ "traefik.http.services.matrix-external.loadbalancer.server.port" = "80";
+ "traefik.http.routers.matrix-external.service" = "matrix-external";
+ "traefik.http.routers.matrix-external.rule" = "Host(`matrix.ghoscht.com`)";
+ "traefik.http.routers.matrix-external.entrypoints" = "websecure-external";
+ "traefik.http.routers.matrix-external.tls" = "true";
+ "traefik.http.routers.matrix-external.tls.certresolver" = "letsencrypt";
 };
 restart = "unless-stopped";
 networks = [
diff --git a/hosts/franz/arion/push/arion-compose.nix b/hosts/franz/arion/push/arion-compose.nix
index 81062c6..d021ad2 100644
--- a/hosts/franz/arion/push/arion-compose.nix
+++ b/hosts/franz/arion/push/arion-compose.nix
@@ -15,10 +15,20 @@
 useHostStore = true;
 labels = {
 "traefik.enable" = "true";
+
+ "traefik.http.routers.ntfy.service" = "ntfy";
+ "traefik.http.services.ntfy.loadbalancer.server.port" = "80";
 "traefik.http.routers.ntfy.entrypoints" = "websecure";
 "traefik.http.routers.ntfy.rule" = "Host(`push.ghoscht.com`)";
 "traefik.http.routers.ntfy.tls" = "true";
 "traefik.http.routers.ntfy.tls.certresolver" = "letsencrypt";
+
+ "traefik.http.routers.ntfy-external.service" = "ntfy-external";
+ "traefik.http.services.ntfy-external.loadbalancer.server.port" = "80";
+ "traefik.http.routers.ntfy-external.rule" = "Host(`push.ghoscht.com`)";
+ "traefik.http.routers.ntfy-external.entrypoints" = "websecure-external";
+ "traefik.http.routers.ntfy-external.tls" = "true";
+ "traefik.http.routers.ntfy-external.tls.certresolver" = "letsencrypt";
 };
 volumes = [
 "/home/ghoscht/.docker/push/ntfy_data/server.yml:/etc/ntfy/server.yml"
diff --git a/hosts/franz/arion/signal/arion-compose.nix b/hosts/franz/arion/signal/arion-compose.nix
index b1b2d39..db5564a 100644
--- a/hosts/franz/arion/signal/arion-compose.nix
+++ b/hosts/franz/arion/signal/arion-compose.nix
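Review bot: In hosts/franz/arion/push/arion-compose.nix the `ntfy-external` router publishes `push.ghoscht.com` on the internet-facing entrypoint, and whether anonymous clients may publish or subscribe is decided by the mounted `server.yml`, which this diff does not show. Before relying on the port-forward, confirm that file sets `auth-default-access: deny-all` (or the access level actually intended) and `behind-proxy: true`, so ntfy's per-visitor limits key on the forwarded client address rather than on Traefik's. A one-line comment above the `-external` labels, such as `# reachable from the internet via websecure-external; access control lives in server.yml`, would record that dependency for the next reader.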
@@ -18,11 +18,20 @@
 working_dir = "/data";
 labels = {
 "traefik.enable" = "true";
+
 "traefik.http.routers.mollysocket.rule" = "Host(`signal.ghoscht.com`)";
+ "traefik.http.routers.mollysocket.service" = "mollysocket";
 "traefik.http.routers.mollysocket.entrypoints" = "websecure";
 "traefik.http.services.mollysocket.loadbalancer.server.port" = "8020";
 "traefik.http.routers.mollysocket.tls" = "true";
 "traefik.http.routers.mollysocket.tls.certresolver" = "letsencrypt";
+
+ "traefik.http.services.mollysocket-external.loadbalancer.server.port" = "8020";
+ "traefik.http.routers.mollysocket-external.service" = "mollysocket-external";
+ "traefik.http.routers.mollysocket-external.rule" = "Host(`signal.ghoscht.com`)";
+ "traefik.http.routers.mollysocket-external.entrypoints" = "websecure-external";
+ "traefik.http.routers.mollysocket-external.tls" = "true";
+ "traefik.http.routers.mollysocket-external.tls.certresolver" = "letsencrypt";
 };
 environment = {
 MOLLY_DB = "/data/mollysocket.db";