nix-config/hosts/franz/arion/infrastructure/default.nix
2024-08-09 16:00:58 +02:00

131 lines
3.4 KiB
Nix

{config, ...}: let
vars = import ../../../../vars.nix;
in {
virtualisation.arion = {
projects.infrastructure.settings = {
imports = [./arion-compose.nix];
};
};
sops.secrets."cloudflared/tunnel_token" = {
owner = vars.user;
};
sops.secrets."traefik/acme_email" = {
owner = vars.user;
};
sops.secrets."traefik/cloudflare_email" = {
owner = vars.user;
};
sops.secrets."traefik/cloudflare_api_key" = {
owner = vars.user;
};
sops.secrets."crowdsec/traefik_bouncer_api_key" = {
owner = vars.user;
};
sops.secrets."diun/ntfy_access_token" = {
owner = vars.user;
};
sops.templates."cloudflared.env" = {
path = "/home/${vars.user}/.docker/infrastructure/cloudflared.env";
owner = vars.user;
mode = "0775";
content = ''
TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
'';
};
sops.templates."traefik.env" = {
path = "/home/${vars.user}/.docker/infrastructure/traefik.env";
owner = vars.user;
mode = "0775";
content = ''
CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
'';
};
sops.templates."traefik-bouncer.env" = {
path = "/home/${vars.user}/.docker/infrastructure/traefik-bouncer.env";
owner = vars.user;
mode = "0775";
content = ''
CROWDSEC_BOUNCER_API_KEY="${config.sops.placeholder."crowdsec/traefik_bouncer_api_key"}"
'';
};
sops.templates."traefik.yml" = {
path = "/home/${vars.user}/.docker/infrastructure/traefik_config/traefik.yml";
owner = vars.user;
mode = "0775";
content = ''
api:
dashboard: true
debug: true
insecure: true
entryPoints:
web:
address: ":80"
http:
redirections:
entrypoint:
to: websecure
scheme: https
websecure:
address: ":443"
web-external:
address: ":81"
http:
redirections:
entrypoint:
to: websecure-external
scheme: https
middlewares:
- crowdsec-bouncer@file
websecure-external:
address: ":444"
http:
middlewares:
- crowdsec-bouncer@file
providers:
docker:
watch: true
exposedByDefault: false
network: dmz
file:
filename: /config.yml
certificatesResolvers:
letsencrypt:
acme:
email: ${config.sops.placeholder."traefik/acme_email"}
storage: acme.json
dnsChallenge:
provider: cloudflare
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
log:
level: "INFO"
filePath: "/var/log/traefik/traefik.log"
accessLog:
filePath: "/var/log/traefik/access.log"
'';
};
sops.templates."diun.env" = {
path = "/home/${vars.user}/.docker/infrastructure/diun.env";
owner = vars.user;
mode = "0775";
content = ''
DIUN_NOTIF_NTFY_TOKEN="${config.sops.placeholder."diun/ntfy_access_token"}"
'';
};
services.cron = {
enable = true;
systemCronJobs = [
"0 * * * * root . /etc/profile; docker exec crowdsec cscli hub update && docker exec crowdsec cscli hub upgrade >> /var/log/crowdsec-update.log"
];
};
}