# Arion / docker-compose stack for the "infrastructure" project: Traefik as
# the TLS edge, cloudflared for a Cloudflare Tunnel, and Scrutiny for SMART
# disk monitoring. Every service joins the pre-existing `dmz` network.
{pkgs, ...}:
let
  # Host directory holding per-service config and .env files. Keeping the
  # .env files here (rather than in the Nix store) means whatever secrets
  # they hold are not copied into the world-readable store.
  hostDir = "/home/ghoscht/.docker/infrastructure";

  # Traefik labels for one TLS-terminated router on the `websecure`
  # entrypoint with a Let's Encrypt certificate, forwarding to `port`
  # inside the container. Note this adds no auth middleware: anything that
  # can resolve `host` reaches the backend directly.
  tlsRouter = router: host: port: {
    "traefik.enable" = "true";
    "traefik.http.routers.${router}.rule" = "Host(`${host}`)";
    "traefik.http.routers.${router}.entrypoints" = "websecure";
    "traefik.http.routers.${router}.tls" = "true";
    "traefik.http.routers.${router}.tls.certresolver" = "letsencrypt";
    "traefik.http.services.${router}.loadbalancer.server.port" = port;
  };
in
{
  project.name = "infrastructure";

  # Created outside this file; services below attach to it by name.
  networks.dmz = {
    name = "dmz";
    external = true;
  };

  # Named volumes with default driver settings.
  docker-compose.volumes = {
    traefik_letsencrypt = null;
    scrutiny_data = null;
    scrutiny_db = null;
  };

  services = {
    traefik.service = {
      # NOTE(review): untagged image resolves to :latest, so each pull may
      # change the edge proxy version silently. Pin a tag or digest.
      image = "traefik";
      container_name = "traefik";
      useHostStore = true;
      ports = [
        "80:80"
        "443:443"
        # Publishes container port 8080 (Traefik's API/dashboard port when
        # the API is enabled in /etc/traefik -- not visible here) on every
        # host interface, bypassing the TLS router below. If the dashboard
        # is only meant to be reached via traefik.ghoscht.com, drop this;
        # otherwise bind it to loopback: "127.0.0.1:8421:8080".
        "8421:8080"
      ];
      # Dashboard router. NOTE(review): no basicauth/forwardauth middleware
      # is attached, so the dashboard is reachable to anyone who can
      # resolve the host -- confirm the API is not insecure-mode or add one.
      labels = tlsRouter "dashboard" "traefik.ghoscht.com" "8080";
      volumes = [
        "traefik_letsencrypt:/letsencrypt"
        "${hostDir}/traefik_data:/etc/traefik"
        # `:ro` only makes the socket *file* read-only; the Docker API
        # behind it is still fully writable, so this container is
        # root-equivalent on the host. A socket proxy that permits only
        # the read-only container/event endpoints Traefik needs would
        # narrow that.
        "/var/run/docker.sock:/var/run/docker.sock:ro"
      ];
      # Presumably holds the DNS/ACME provider credentials for the
      # `letsencrypt` resolver -- verify against traefik_data config.
      env_file = [ "${hostDir}/traefik.env" ];
      restart = "always";
      networks = [ "dmz" ];
    };

    cloudflared.service = {
      # NOTE(review): `:latest` with --no-autoupdate below means the
      # version is fixed per pull but unreproducible across pulls; pin a
      # tag/digest instead.
      image = "cloudflare/cloudflared:latest";
      container_name = "cloudflared";
      # Tunnel credentials (likely a TUNNEL_TOKEN) come from this file --
      # treat it as a secret with the same care as traefik.env.
      env_file = [ "${hostDir}/cloudflared.env" ];
      restart = "always";
      command = "tunnel --no-autoupdate --protocol http2 run";
      # Being on `dmz`, the tunnel can expose any container on this
      # network; which ones are actually published is decided by the
      # tunnel's ingress rules on the Cloudflare side, not by this file.
      networks = [ "dmz" ];
    };

    scrutiny.service = {
      # `master-omnibus` is a moving tag; pin a release tag or digest.
      image = "ghcr.io/analogj/scrutiny:master-omnibus";
      container_name = "scrutiny";
      restart = "always";
      # Public TLS router with no auth middleware. NOTE(review): confirm
      # Scrutiny itself enforces authentication; otherwise SMART data for
      # both disks is readable by anyone resolving the host.
      labels = tlsRouter "scrutiny" "scrutiny.ghoscht.com" "8080";
      # SYS_RAWIO plus the raw block devices below is what smartctl needs,
      # but it also grants byte-level read access to both disks (including
      # the host's filesystems). Keep this container's attack surface small.
      capabilities = { SYS_RAWIO = true; };
      volumes = [
        "/run/udev:/run/udev:ro"
        "scrutiny_data:/opt/scrutiny/config"
        "scrutiny_db:/opt/scrutiny/influxdb"
      ];
      devices = [
        "/dev/sda"
        "/dev/nvme0n1"
      ];
      networks = [ "dmz" ];
    };
  };
}