authorFranck Cuny <franck@fcuny.net>2022-03-06 10:50:05 -0800
committerFranck Cuny <franck@fcuny.net>2022-03-06 10:50:05 -0800
commit024ed2dcba571029c816c329cb93575eae1da32d (patch)
treea046c40d5ac8bfe52f64dd3575638654c7460c93 /hosts/common
parenttraefik: initial configuration (diff)
downloadinfra-024ed2dcba571029c816c329cb93575eae1da32d.tar.gz
traefik: second attempt, simple
Diffstat (limited to 'hosts/common')
-rw-r--r--hosts/common/nas.nix12
-rw-r--r--hosts/common/server/traefik.nix75
2 files changed, 35 insertions, 52 deletions
diff --git a/hosts/common/nas.nix b/hosts/common/nas.nix
index a45cab4..0554d40 100644
--- a/hosts/common/nas.nix
+++ b/hosts/common/nas.nix
@@ -6,18 +6,6 @@
./server/samba.nix
./server/prometheus.nix
./server/grafana.nix
- ./server/backups/users.nix
./server/traefik.nix
];
-
- age.secrets.traefik-gcp-sa = {
- file = ../secrets/traefik/gcp_sa.age;
- mode = "0440";
- owner = "0";
- };
-
- traefik = {
- gcpKeyFile = "/run/agenix/gcp_sa";
- gcpProjectName = "fcuny-homelab";
- };
}
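Review bot: The removal of `./server/backups/users.nix` from the imports list (the first `-` line of the hunk) is unrelated to the traefik rework named in the commit title and silently drops whatever that module configured for this host; if it is intentional it deserves its own commit or at least a mention in the description. The `age.secrets.traefik-gcp-sa` block removed here carried `mode = "0440"; owner = "0";`, and the replacement declaration in `traefik.nix` in this same commit sets only `file`, so the secret's permissions are now whatever agenix defaults to rather than what was deliberately chosen. The enclosing attribute set begins before the hunk.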
diff --git a/hosts/common/server/traefik.nix b/hosts/common/server/traefik.nix
index 7d0e1fa..6cf8170 100644
--- a/hosts/common/server/traefik.nix
+++ b/hosts/common/server/traefik.nix
@@ -1,61 +1,59 @@
{ pkgs, config, lib, ... }:
let
+ domain = "fcuny.xyz";
mkServiceConfig = name: url: {
http.routers."${name}" = {
- rule = "Host(`${domain}`) && PathPrefix(`/${name}`)";
+ rule = "Host(`${name}.${domain}`)";
service = "${name}";
tls.certResolver = "le";
};
http.services."${name}" = { loadBalancer.servers = [{ url = url; }]; };
};
in {
- options.cloud.traefik = {
- gcpKeyFile = mkOption {
- type = types.path;
- description = "The GCP private key file, for Let's Encrypt DNS challenge";
- };
-
- gcpProjectName = mkOption {
- type = types.str;
- description = "The GCP project name used for managing DNS";
- };
-
- certsPath = mkOption {
- type = types.str;
- default = "/var/lib/traefik/acme.json";
- description = "The location to read and write the certificates file";
- };
- };
+ age.secrets.traefik_gcp_sa.file = "${inputs.self}/secrets/traefik/gcp_sa.age";
- config.services.traefik = {
+ services.traefik = {
enable = true;
- staticConfigOptions = {
- entrypoints.http.address = ":80";
- entrypoints.http.http.redirections.entryPoint = {
- to = "https";
+ dynamicConfigOptions = {
+ http.middlewares.redirect-to-https.redirectscheme = {
scheme = "https";
+ permanent = true;
};
- entrypoints.https.address = ":443";
-
- accessLog.format = "json";
- log.level = "warn";
-
- global.checkNewVersion = false;
- global.sendAnonymousUsage = false;
+ http = {
+ services = {
+ dash.loadBalancer.servers = [{ url = "http://127.0.0.1:3000"; }];
+ };
+ };
+ };
+ staticConfigOptions = {
metrics.prometheus = {
addEntryPointsLabels = true;
addRoutersLabels = true;
addServicesLabels = true;
};
- certificatesResolvers.le.acme = {
- email = "franck@fcuny.net";
- storage = cfg.certsPath;
- dnsChallenge.provider = "gcloud";
- dnsChallenge.delayBeforeCheck = 10;
+ global = {
+ checkNewVersion = false;
+ sendAnonymousUsage = false;
+ };
+
+ accessLog.format = "json";
+ log.level = "warn";
+
+ entryPoints.web.address = ":80";
+ entryPoints.websecure.address = ":443";
+ certificatesResolvers = {
+ le = {
+ email = "franck@fcuny.net";
+ storage = "/var/lib/traefik/cert.json";
+ dnsChallenge = {
+ provider = "gcloud";
+ delayBeforeCheck = 0;
+ };
+ };
};
};
};
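Review bot: `inputs` on the new `age.secrets.traefik_gcp_sa.file` line is not bound anywhere in this module — the argument list on the first line is `{ pkgs, config, lib, ... }` — so evaluation will fail with an undefined variable unless `inputs` is added to the arguments or a relative path is used; the previous declaration in `nas.nix` used a relative path, which from this file would be `age.secrets.traefik_gcp_sa = { file = ../../secrets/traefik/gcp_sa.age; mode = "0440"; owner = "0"; };`, restoring the dropped permission settings as well. The new `http.middlewares.redirect-to-https` middleware is declared but no router references it (the router built by `mkServiceConfig` sets only `rule`, `service` and `tls.certResolver`), and the old static `entrypoints.http.http.redirections` block is removed, so the HTTP-to-HTTPS redirect appears to have no effect until the router gets `middlewares = [ "redirect-to-https" ];` or the entryPoint redirection is restored. Within `dynamicConfigOptions`, `http.middlewares.… = …` followed by `http = { services = … };` looks like two definitions of the same `http` attribute, which Nix is likely to reject as already defined; nesting `middlewares` inside the single `http = { … }` set avoids that. The `dynamicConfigOptions` set defined here also seems to overlap with the `services.traefik.dynamicConfigOptions = mkMerge [ … ]` assignment in the next hunk, which defines `dash` a second time.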
@@ -63,13 +61,10 @@ in {
services.traefik.dynamicConfigOptions =
mkMerge [ (mkServiceConfig "dash" "http://127.0.0.1:3000/") ];
- # Set up cloudflare key
config.systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE =
- cfg.gcpKeyFile;
-
- config.systemd.services.traefik.environment.GCE_PROJECT = cfg.gcpProjectName;
+ config.age.secrets.cloudflare_api_key.path;
+ config.systemd.services.traefik.environment.GCE_PROJECT = "fcuny-homelab";
- # Set up firewall to allow traefik traffic.
config.networking.firewall.allowedTCPPorts = [ 80 443 ];
config.networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC
}
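Review bot: `GCE_SERVICE_ACCOUNT_FILE` now points at `config.age.secrets.cloudflare_api_key.path`, but the secret this commit declares is `traefik_gcp_sa`, and nothing named `cloudflare_api_key` appears in the diff; unless it is declared elsewhere this fails at evaluation, and even if it exists the GCP DNS challenge would be handed the wrong credential. The intended line is presumably `config.age.secrets.traefik_gcp_sa.path;`, and a one-line comment such as `# GCE_* are read by lego's gcloud DNS-01 provider` would make the environment variables' purpose clear now that the earlier comment is gone. These lines keep the `config.` prefix while `services.traefik = { … }` in the previous hunk dropped it; a NixOS module that mixes `config.`-prefixed and bare top-level attributes is normally rejected, so one form should be used throughout.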