Arion: Switch from Cloudflare Tunnels to port-forwarding

hosts/franz/arion/git/arion-compose.nix

@@ -15,12 +15,21 @@
       useHostStore = true;
       labels = {
         "traefik.enable" = "true";
+        "traefik.docker.network" = "dmz";
+
+        "traefik.http.services.forgejo.loadbalancer.server.port" = "3000";
+        "traefik.http.routers.forgejo.service" = "forgejo";
         "traefik.http.routers.forgejo.entrypoints" = "websecure";
         "traefik.http.routers.forgejo.rule" = "Host(`git.ghoscht.com`)";
-        "traefik.http.services.forgejo.loadbalancer.server.port" = "3000";
-        "traefik.docker.network" = "dmz";
         "traefik.http.routers.forgejo.tls" = "true";
         "traefik.http.routers.forgejo.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.services.forgejo-external.loadbalancer.server.port" = "3000";
+        "traefik.http.routers.forgejo-external.service" = "forgejo-external";
+        "traefik.http.routers.forgejo-external.rule" = "Host(`git.ghoscht.com`)";
+        "traefik.http.routers.forgejo-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.forgejo-external.tls" = "true";
+        "traefik.http.routers.forgejo-external.tls.certresolver" = "letsencrypt";
       };
       volumes = [
         "/storage/dataset/docker/git/forgejo_data:/data"

hosts/franz/arion/headscale/arion-compose.nix

@@ -16,7 +16,7 @@
         "traefik.enable" = "true";
         "traefik.http.services.headscale.loadbalancer.server.port" = "8080";
         "traefik.http.routers.headscale.service" = "headscale";
-        "traefik.http.routers.headscale.entrypoints" = "websecure-external";
+        "traefik.http.routers.headscale.entrypoints" = "websecure";
         "traefik.http.routers.headscale.rule" = "Host(`headscale.ghoscht.com`)";
         "traefik.http.routers.headscale.tls" = "true";
         "traefik.http.routers.headscale.tls.certresolver" = "letsencrypt";
@@ -24,7 +24,7 @@
         "traefik.http.services.headscale-external.loadbalancer.server.port" = "8080";
         "traefik.http.routers.headscale-external.service" = "headscale-external";
         "traefik.http.routers.headscale-external.rule" = "Host(`headscale.ghoscht.com`)";
-        "traefik.http.routers.headscale-external.entrypoints" = "websecure";
+        "traefik.http.routers.headscale-external.entrypoints" = "websecure-external";
         "traefik.http.routers.headscale-external.tls" = "true";
         "traefik.http.routers.headscale-external.tls.certresolver" = "letsencrypt";
       };

hosts/franz/arion/infrastructure/arion-compose.nix

@@ -45,18 +45,18 @@
         "dmz"
       ];
     };
-    cloudflared.service = {
+    # cloudflared.service = {
-      image = "cloudflare/cloudflared:2024.2.1";
+    #   image = "cloudflare/cloudflared:2024.2.1";
-      container_name = "cloudflared";
+    #   container_name = "cloudflared";
-      env_file = [
+    #   env_file = [
-        "/home/ghoscht/.docker/infrastructure/cloudflared.env"
+    #     "/home/ghoscht/.docker/infrastructure/cloudflared.env"
-      ];
+    #   ];
-      restart = "always";
+    #   restart = "always";
-      command = "tunnel --no-autoupdate --protocol http2 run";
+    #   command = "tunnel --no-autoupdate --protocol http2 run";
-      networks = [
+    #   networks = [
-        "dmz"
+    #     "dmz"
-      ];
+    #   ];
-    };
+    # };
     scrutiny.service = {
       image = "ghcr.io/analogj/scrutiny:v0.8.0-omnibus";
       container_name = "scrutiny";

hosts/franz/arion/matrix/arion-compose.nix

@@ -14,11 +14,21 @@
       container_name = "synapse";
       labels = {
         "traefik.enable" = "true";
+
+        "traefik.http.services.synapse.loadbalancer.server.port" = "8008";
+        "traefik.http.routers.synapse.service" = "synapse";
         "traefik.http.routers.synapse.entrypoints" = "websecure";
         "traefik.http.routers.synapse.rule" = "Host(`synapse.ghoscht.com`)";
         "traefik.docker.network" = "dmz";
         "traefik.http.routers.synapse.tls" = "true";
         "traefik.http.routers.synapse.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.services.synapse-external.loadbalancer.server.port" = "8008";
+        "traefik.http.routers.synapse-external.service" = "synapse-external";
+        "traefik.http.routers.synapse-external.rule" = "Host(`synapse.ghoscht.com`)";
+        "traefik.http.routers.synapse-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.synapse-external.tls" = "true";
+        "traefik.http.routers.synapse-external.tls.certresolver" = "letsencrypt";
       };
       volumes = [
         "/storage/dataset/docker/matrix/synapse_data:/data"
@@ -59,11 +69,21 @@
       ];
       labels = {
         "traefik.enable" = "true";
+
+        "traefik.http.services.matrix.loadbalancer.server.port" = "80";
+        "traefik.http.routers.matrix.service" = "matrix";
         "traefik.http.routers.matrix.entrypoints" = "websecure";
         "traefik.http.routers.matrix.rule" = "Host(`matrix.ghoscht.com`)";
         "traefik.docker.network" = "dmz";
         "traefik.http.routers.matrix.tls" = "true";
         "traefik.http.routers.matrix.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.services.matrix-external.loadbalancer.server.port" = "80";
+        "traefik.http.routers.matrix-external.service" = "matrix-external";
+        "traefik.http.routers.matrix-external.rule" = "Host(`matrix.ghoscht.com`)";
+        "traefik.http.routers.matrix-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.matrix-external.tls" = "true";
+        "traefik.http.routers.matrix-external.tls.certresolver" = "letsencrypt";
       };
       restart = "unless-stopped";
       networks = [

hosts/franz/arion/push/arion-compose.nix

@@ -15,10 +15,20 @@
       useHostStore = true;
       labels = {
         "traefik.enable" = "true";
+
+        "traefik.http.routers.ntfy.service" = "ntfy";
+        "traefik.http.services.ntfy.loadbalancer.server.port" = "80";
         "traefik.http.routers.ntfy.entrypoints" = "websecure";
         "traefik.http.routers.ntfy.rule" = "Host(`push.ghoscht.com`)";
         "traefik.http.routers.ntfy.tls" = "true";
         "traefik.http.routers.ntfy.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.routers.ntfy-external.service" = "ntfy-external";
+        "traefik.http.services.ntfy-external.loadbalancer.server.port" = "80";
+        "traefik.http.routers.ntfy-external.rule" = "Host(`push.ghoscht.com`)";
+        "traefik.http.routers.ntfy-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.ntfy-external.tls" = "true";
+        "traefik.http.routers.ntfy-external.tls.certresolver" = "letsencrypt";
       };
       volumes = [
         "/home/ghoscht/.docker/push/ntfy_data/server.yml:/etc/ntfy/server.yml"

hosts/franz/arion/signal/arion-compose.nix

@@ -18,11 +18,20 @@
       working_dir = "/data";
       labels = {
         "traefik.enable" = "true";
+
         "traefik.http.routers.mollysocket.rule" = "Host(`signal.ghoscht.com`)";
+        "traefik.http.routers.mollysocket.service" = "mollysocket";
         "traefik.http.routers.mollysocket.entrypoints" = "websecure";
         "traefik.http.services.mollysocket.loadbalancer.server.port" = "8020";
         "traefik.http.routers.mollysocket.tls" = "true";
         "traefik.http.routers.mollysocket.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.services.mollysocket-external.loadbalancer.server.port" = "8020";
+        "traefik.http.routers.mollysocket-external.service" = "mollysocket-external";
+        "traefik.http.routers.mollysocket-external.rule" = "Host(`signal.ghoscht.com`)";
+        "traefik.http.routers.mollysocket-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.mollysocket-external.tls" = "true";
+        "traefik.http.routers.mollysocket-external.tls.certresolver" = "letsencrypt";
       };
       environment = {
         MOLLY_DB = "/data/mollysocket.db";