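{ config, pkgs, ... }:

# NixOS host "blogbox": a Traefik reverse proxy (run under podman) in front of
# a static Hugo site, plus a timer that pulls the site content every five
# minutes.
#
# Fixes relative to the previous revision, in reading order:
#   - serviceConfig keys are systemd's `Type`/`User` (lowercase keys are
#     silently ignored by systemd) and the missing `;` after `User` is back;
#   - the credentials file and the ACME state are plain host files created by
#     tmpfiles instead of environment.etc entries, which land in the
#     world-readable, read-only Nix store; the env/acme paths now agree
#     between file creation and container mounts (/etc/blogbox was created,
#     /etc/traefik was mounted);
#   - the podman socket is mounted from /run, not from the package's store
#     path, and `privileged` is dropped from the proxy (the socket mount is
#     all it needs);
#   - `cmd` and `labels` are the list / strings the oci-containers options
#     expect, and the http3 flag names the real entrypoint instead of the
#     documentation placeholder "name";
#   - the hugo router's middleware chain names the middlewares defined next to
#     it instead of a compose.yml path, and the `cats` container no longer
#     redefines the hugo router/service (which made Traefik balance blog
#     traffic across both containers).

let
  # Public name the blog is served under. Taken from the hugo router's Host()
  # rule; also drives the wildcard certificate requested below.
  domain = "alisceon.com";

  # Podman network the proxy reaches its backends on. Nothing in this file
  # creates it; it must exist before the containers start.
  proxyNetwork = "Containet";

  # Host-side state for the proxy. Kept outside the Nix store because the
  # store is world-readable (the env file carries the DNS-provider API key)
  # and immutable (Traefik rewrites acme.json on every renewal).
  stateDir = "/etc/blogbox";
  envFile = "${stateDir}/blogbox.env";
  acmeFile = "${stateDir}/acme.json";

  # Ranges whose X-Forwarded-* / PROXY protocol headers are believed. A whole
  # /8 is broad: narrow it to the upstream proxy, or drop the trustedips
  # lines below entirely if nothing sits in front of Traefik.
  trustedProxies = "10.0.0.0/8,127.0.0.1/32";
in
{
  imports = [ ./hardware-configuration.nix ];

  networking.hostName = "blogbox";

  boot.initrd.enable = true;
  boot.loader.systemd-boot.enable = true;

  networking.firewall = {
    enable = true;
    # 22: SSH (sshd itself is not enabled in this file). 80/443: Traefik.
    allowedTCPPorts = [ 22 80 443 ];
    # UDP 443 carries HTTP/3 (QUIC), advertised by Traefik below.
    allowedUDPPorts = [ 443 ];
  };

  # Root-only state directory and files. `f` only creates a file when it is
  # missing, so the credentials placed in blogbox.env and the certificates
  # Traefik stores in acme.json survive rebuilds.
  systemd.tmpfiles.rules = [
    "d ${stateDir} 0700 root root -"
    "f ${envFile} 0600 root root -"
    "f ${acmeFile} 0600 root root -"
  ];

  systemd.services.pull-blog = {
    # TODO(review): the script is empty, so the timer below runs a no-op every
    # five minutes; the pull/rebuild step still has to be written.
    script = "";
    serviceConfig = {
      Type = "oneshot";
      User = "root";
    };
  };

  systemd.timers.pull-blog = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      # Every five minutes; Persistent catches up on a run missed while down.
      OnCalendar = "*:0/5";
      Persistent = true;
    };
  };

  virtualisation = {
    podman.enable = true;
    # Exposes the podman API on /run/podman/podman.sock (with a docker.sock
    # alias) so Traefik's docker provider can read container labels.
    podman.dockerSocket.enable = true;

    oci-containers = {
      backend = "podman";

      containers = {
        # Reverse proxy and TLS terminator. Not privileged: access to the
        # podman socket is already root-equivalent on the host (the API, not
        # the file, is what grants control, so `:ro` does not reduce that),
        # and nothing else the proxy does needs extra capabilities.
        traefik = {
          image = "docker.io/library/traefik:beaufort";
          autoStart = true;
          autoRemoveOnStop = true;
          networks = [ proxyNetwork ];
          ports = [ "80:80" "443:443" "443:443/udp" ];
          volumes = [
            "/run/podman/podman.sock:/var/run/docker.sock:ro"
            "${acmeFile}:/acme.json"
          ];
          # Carries the namecheap DNS-challenge credentials used by the ACME
          # resolver; see the tmpfiles rules above for its permissions.
          environmentFiles = [ envFile ];
          # No router on the proxy itself: the entrypoint-level redirect in
          # cmd already sends every plain-HTTP request to websecure, and
          # exposedbydefault=false keeps this container out of the provider.
          cmd = [
            "--accesslog=true"
            "--accesslog.format=json"
            "--accesslog.fields.headers.names.User-Agent=keep"
            "--log.level=INFO"

            "--providers.docker=true"
            "--providers.docker.network=${proxyNetwork}"
            "--providers.docker.exposedbydefault=false"

            "--entrypoints.web.address=:80"
            "--entrypoints.websecure.address=:443"
            # Prometheus scrape endpoint; not published in `ports`, so it is
            # reachable only from the container network.
            "--entrypoints.metrics.address=:8082"

            # Forwarded / PROXY protocol headers are honoured only from the
            # ranges in trustedProxies; `insecure=false` is the default and is
            # spelled out so nobody flips it by accident.
            "--entrypoints.web.forwardedheaders.trustedips=${trustedProxies}"
            "--entrypoints.web.forwardedheaders.insecure=false"
            "--entrypoints.web.proxyprotocol.trustedips=${trustedProxies}"
            "--entrypoints.web.proxyprotocol.insecure=false"
            "--entrypoints.websecure.forwardedheaders.trustedips=${trustedProxies}"
            "--entrypoints.websecure.forwardedheaders.insecure=false"
            "--entrypoints.websecure.proxyprotocol.trustedips=${trustedProxies}"
            "--entrypoints.websecure.proxyprotocol.insecure=false"

            # Permanent HTTP -> HTTPS redirect for everything on :80.
            "--entrypoints.web.http.redirections.entrypoint.to=websecure"
            "--entrypoints.web.http.redirections.entrypoint.scheme=https"
            "--entrypoints.web.http.redirections.entrypoint.permanent=true"

            # HTTP/3 on the TLS entrypoint; the advertised port must match the
            # published UDP port in `ports` and the firewall rule.
            "--entrypoints.websecure.http3=true"
            "--entrypoints.websecure.http3.advertisedport=443"

            # One wildcard certificate for the domain, obtained via DNS-01 so
            # no HTTP challenge path has to be exposed.
            "--entrypoints.websecure.http.tls.certresolver=leresolver"
            "--entrypoints.websecure.http.tls.domains[0].main=${domain}"
            "--entrypoints.websecure.http.tls.domains[0].sans=*.${domain}"
            "--certificatesresolvers.leresolver.acme.dnschallenge=true"
            "--certificatesresolvers.leresolver.acme.dnschallenge.provider=namecheap"
            "--certificatesresolvers.leresolver.acme.dnschallenge.resolvers=dns1.registrar-servers.com:53,dns2.registrar-servers.com:53"
            # Absolute path of the acme.json mount above (was ./acme.json,
            # which only worked because the container's cwd is /).
            "--certificatesresolvers.leresolver.acme.storage=/acme.json"
            # TODO(review): consider --certificatesresolvers.leresolver.acme.email
            # so expiry warnings from the CA reach someone.

            "--metrics.prometheus=true"
            "--metrics.prometheus.addrouterslabels=true"
            "--metrics.prometheus.entrypoint=metrics"
          ];
        };

        # The static site. Must be on the proxy network for Traefik to reach
        # it; it is never published directly on the host.
        hugo = {
          # TODO(review): no image was given in the previous revision; the
          # module cannot evaluate without one.
          image = "<TODO: hugo site image>";
          networks = [ proxyNetwork ];
          labels = {
            "traefik.enable" = "true";
            "traefik.http.routers.hugo-router.rule" = "Host(`${domain}`)";
            "traefik.http.routers.hugo-router.entrypoints" = "websecure";
            "traefik.http.routers.hugo-router.service" = "hugo-router";
            "traefik.http.services.hugo-router.loadbalancer.server.port" = "8080";
            # Chain of the middlewares defined below. The `cats` error-page
            # middleware can be appended here once that container works.
            "traefik.http.routers.hugo-router.middlewares" = "hugo-headers,compression,retry";

            "traefik.http.middlewares.compression.compress" = "true";
            "traefik.http.middlewares.retry.retry.attempts" = "8";
            "traefik.http.middlewares.retry.retry.initialInterval" = "2";

            # Response hardening: strip the Server banner, one-year preloaded
            # HSTS, a self-only CSP, no framing, no MIME sniffing.
            "traefik.http.middlewares.hugo-headers.headers.customresponseheaders.server" = "";
            "traefik.http.middlewares.hugo-headers.headers.isdevelopment" = "false";
            "traefik.http.middlewares.hugo-headers.headers.stsincludesubdomains" = "true";
            "traefik.http.middlewares.hugo-headers.headers.stspreload" = "true";
            "traefik.http.middlewares.hugo-headers.headers.stsseconds" = "31536000";
            "traefik.http.middlewares.hugo-headers.headers.forcestsheader" = "true";
            "traefik.http.middlewares.hugo-headers.headers.contentSecurityPolicy" = "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self';";
            "traefik.http.middlewares.hugo-headers.headers.framedeny" = "true";
            "traefik.http.middlewares.hugo-headers.headers.contenttypenosniff" = "true";
            "traefik.http.middlewares.hugo-headers.headers.referrerpolicy" = "same-origin";
          };
        };

        # Error-page backend. Still incomplete: cats-router has a priority but
        # no rule, and no service port is declared, so Traefik cannot route to
        # it yet. The hugo-router labels that had been copied here were
        # removed; defining the same router and service on two containers
        # makes Traefik spread blog traffic onto this container.
        cats = {
          # TODO(review): no image was given in the previous revision.
          image = "<TODO: cats error-page image>";
          networks = [ proxyNetwork ];
          labels = {
            "traefik.enable" = "true";
            "traefik.http.routers.cats-router.priority" = "1";
            "traefik.http.middlewares.cats.errors.status" = "400-599";
            "traefik.http.middlewares.cats.errors.service" = "cats-router";
            "traefik.http.middlewares.cats.errors.query" = "/{status}.html";
          };
        };
      };
    };
  };
}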