Diffstat (limited to 'hosts/common/server/traefik.nix')
-rw-r--r--hosts/common/server/traefik.nix43
1 files changed, 21 insertions, 22 deletions
diff --git a/hosts/common/server/traefik.nix b/hosts/common/server/traefik.nix
index 6cf8170..f29db72 100644
--- a/hosts/common/server/traefik.nix
+++ b/hosts/common/server/traefik.nix
@@ -1,4 +1,6 @@
-{ pkgs, config, lib, ... }:
+{ pkgs, inputs, config, lib, ... }:
+
+with lib;
let
domain = "fcuny.xyz";
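Review bot: The module-wide `with lib;` on the added line brings every `lib` name into scope of the whole file, which makes it hard to see where identifiers like `mkMerge` come from and shadows same-named locals silently; the only `lib` helper this diff visibly uses is `mkMerge`. A narrower form keeps the intent explicit: `let inherit (lib) mkMerge; domain = "fcuny.xyz"; …` (or `lib.mkMerge` at the call site) in place of `with lib;`. If other parts of the file outside these hunks rely on the open scope, that is a reason to keep it, but it is not visible here.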
@@ -11,23 +13,14 @@ let
http.services."${name}" = { loadBalancer.servers = [{ url = url; }]; };
};
in {
- age.secrets.traefik_gcp_sa.file = "${inputs.self}/secrets/traefik/gcp_sa.age";
+ age.secrets.traefik_gcp_sa = {
+ file = ../../../secrets/traefik/gcp_service_account.json.age;
+ owner = "traefik";
+ };
services.traefik = {
enable = true;
- dynamicConfigOptions = {
- http.middlewares.redirect-to-https.redirectscheme = {
- scheme = "https";
- permanent = true;
- };
- http = {
- services = {
- dash.loadBalancer.servers = [{ url = "http://127.0.0.1:3000"; }];
- };
- };
- };
-
staticConfigOptions = {
metrics.prometheus = {
addEntryPointsLabels = true;
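Review bot: The removed `age.secrets.traefik_gcp_sa.file` line was the only visible consumer of `inputs`, yet the first hunk adds `inputs` to the module's argument set; after this hunk the replacement uses a relative path, so the new parameter appears to have no user in the file (unless it is referenced in a part not shown). Either drop `inputs` from `{ pkgs, inputs, config, lib, ... }:` or keep the `${inputs.self}`-based path. Separately, giving the decrypted service-account file `owner = "traefik"` is the right move since the unit reads it as the traefik user; a short comment such as `# decrypted at activation; readable only by the traefik service user` next to `owner` would record why the owner is set here. The enclosing `let … in { … }` body starts before this hunk.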
@@ -43,10 +36,16 @@ in {
accessLog.format = "json";
log.level = "warn";
- entryPoints.web.address = ":80";
- entryPoints.websecure.address = ":443";
+ entryPoints.http.http.redirections = {
+ entryPoint.to = "https";
+ entryPoint.scheme = "https";
+ entryPoint.permanent = true;
+ };
+
+ entryPoints.http.address = ":80";
+ entryPoints.https.address = ":443";
certificatesResolvers = {
- le = {
+ le.acme = {
email = "franck@fcuny.net";
storage = "/var/lib/traefik/cert.json";
dnsChallenge = {
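Review bot: Renaming the entry points from `web`/`websecure` to `http`/`https` changes the names routers must reference, and any router defined outside these hunks (e.g. in `mkServiceConfig`, whose body begins before the second hunk and is only partly visible) that still says `entryPoints = [ "websecure" ]` would no longer attach to a listening port. Worth grepping the file for the old names before merging. The `https` entry point also has no default TLS configuration, so a router that omits `tls` would answer in plaintext on :443; `entryPoints.https.http.tls.certResolver = "le";` makes TLS with the `le` resolver the default for everything on that entry point. Moving `email`/`storage`/`dnsChallenge` under `le.acme` looks like the correct Traefik schema for the resolver.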
@@ -61,10 +60,10 @@ in {
services.traefik.dynamicConfigOptions =
mkMerge [ (mkServiceConfig "dash" "http://127.0.0.1:3000/") ];
- config.systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE =
- config.age.secrets.cloudflare_api_key.path;
- config.systemd.services.traefik.environment.GCE_PROJECT = "fcuny-homelab";
+ systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE =
+ config.age.secrets.traefik_gcp_sa.path;
+ systemd.services.traefik.environment.GCE_PROJECT = "fcuny-homelab";
- config.networking.firewall.allowedTCPPorts = [ 80 443 ];
- config.networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC
}
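Review bot: `networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC` opens UDP 443 on the host, but nothing in the visible static config enables HTTP/3 on the `https` entry point, so the port is exposed without a listener behind it. Either enable it explicitly so the rule is justified (`entryPoints.https.http3 = { };`, with whatever experimental flag the deployed Traefik version requires), or drop the UDP rule until QUIC is actually in use; the comment should then say which one was intended rather than just `# QUIC`. Pointing `GCE_SERVICE_ACCOUNT_FILE` at `config.age.secrets.traefik_gcp_sa.path` is consistent with the secret's `owner = "traefik"` set earlier in the diff.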