| author | Franck Cuny <franck@fcuny.net> | 2022-03-09 18:50:19 -0800 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2022-03-09 18:50:19 -0800 |
| commit | 9cbc36f2f4df2ca9e21d140a5f4a1d893ae8ffde (patch) | |
| tree | 6ea35a032f73b6034bec0688e8b7af4176a30759 | |
| parent | gitea: do a backup with restic (diff) | |
| download | infra-9cbc36f2f4df2ca9e21d140a5f4a1d893ae8ffde.tar.gz | |
traefik: handle fcuny.net and fcuny.xyz
fcuny.net is for public-facing domains, while fcuny.xyz is for domains
on the tailscale network.
I need to support configuration in traefik for both. The main
difference, for traefik, is the domain name and which let's encrypt
challenge to use (DNS for TS, HTTP for public).
Refactor the function `mkServiceConfig` to accept the domain and LE
challenge as argument, and add new entries for git.fcuny.net and
git.fcuny.xyz.
| -rw-r--r-- | hosts/common/server/traefik.nix | 22 |
1 files changed, 15 insertions, 7 deletions
diff --git a/hosts/common/server/traefik.nix b/hosts/common/server/traefik.nix
index 3bc5d26..5cfa229 100644
--- a/hosts/common/server/traefik.nix
+++ b/hosts/common/server/traefik.nix
@@ -3,12 +3,13 @@ with lib; let
- domain = "fcuny.xyz";
- mkServiceConfig = name: url: {
+ domainPublic = "fcuny.net";
+ domainPrivate = "fcuny.xyz";
+ mkServiceConfig = name: url: domain: certResolver: {
 http.routers."${name}" = {
 rule = "Host(`${name}.${domain}`)";
 service = "${name}";
- tls.certResolver = "le";
+ tls.certResolver = certResolver;
 };
 http.services."${name}" = { loadBalancer.servers = [{ url = url; }]; };
 };
@@ -58,7 +59,12 @@ in {
 serversTransport.insecureSkipVerify = true;
 certificatesResolvers = {
- le.acme = {
+ le-http.acme = {
+ email = "franck@fcuny.net";
+ storage = "/var/lib/traefik/cert.json";
+ httpChallenge = { entryPoint = "http"; };
+ };
+ le-dns.acme = {
 email = "franck@fcuny.net";
 storage = "/var/lib/traefik/cert.json";
 dnsChallenge = {
@@ -71,9 +77,11 @@ in {
 };
 services.traefik.dynamicConfigOptions = mkMerge [
- (mkServiceConfig "dash" "http://127.0.0.1:3000/")
- (mkServiceConfig "bt" "http://127.0.0.1:9091/")
- (mkServiceConfig "unifi" "https://127.0.0.1:8443/")
+ (mkServiceConfi "dash" "http://127.0.0.1:3000/" domainPrivate "le-dns")
+ (mkServiceConfi "bt" "http://127.0.0.1:9091/" domainPrivate "le-dns")
+ (mkServiceConfi "unifi" "https://127.0.0.1:8443/" domainPrivate "le-dns")
+ (mkServiceConfi "git" "http://127.0.0.1:8002/" domainPrivate "le-dns")
+ (mkServiceConfi "git" "http://127.0.0.1:8002/" domainPublic "le-http")
 ];
 systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE = |
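Review bot: All five calls in the third hunk (`dynamicConfigOptions`) invoke `mkServiceConfi`, but the first hunk defines `mkServiceConfig`, so this evaluation fails on an undefined variable before any of the new routers can be applied; the calls should read `(mkServiceConfig "dash" "http://127.0.0.1:3000/" domainPrivate "le-dns")` and likewise for the other four. Separately, the two `git` entries both produce `http.routers."git"` with a different `rule` and `tls.certResolver`, and `mkMerge` will either report conflicting definitions or let one of the two routers silently win, so the public `git.fcuny.net` or the tailscale-only `git.fcuny.xyz` host may end up unserved or served with the wrong resolver; keying the router on the domain, e.g. `http.routers."${name}-${domain}" = {` in `mkServiceConfig`, keeps both while still pointing at the shared `http.services."${name}"`. The `let` block and the `services.traefik` attribute set both start and end outside the visible hunks.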
