feat(tyr): setup local ssl certs finally.

This commit is contained in:
CronyAkatsuki 2025-10-11 19:06:20 +02:00
parent d5ec26a17a
commit 082c6a7e3a
7 changed files with 110 additions and 9 deletions


@ -7,5 +7,6 @@
./secrets.nix ./secrets.nix
./nfs-server.nix ./nfs-server.nix
./dns.nix ./dns.nix
./traefik.nix
]; ];
} }


@ -64,6 +64,14 @@
cache-max-ttl = 60; cache-max-ttl = 60;
cache-max-negative-ttl = 60; cache-max-negative-ttl = 60;
serve-original-ttl = true; serve-original-ttl = true;
local-zone = [''"home.cronyakatsuki.xyz." transparent''];
local-data = [
''"glance.home.cronyakatsuki.xyz IN A 192.168.0.5"''
''"syncthing.home.cronyakatsuki.xyz IN A 192.168.0.5"''
''"wallos.home.cronyakatsuki.xyz IN A 192.168.0.5"''
];
}; };
}; };
}; };
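Review bot: The three `local-data` records carry no note that each one has to stay in step with a matching `Host()` router rule in the per-service modules and with the name Traefik's `porkbun` resolver will request a certificate for; a maintainer adding a fourth service has to discover that coupling from other files. I would add a short comment above `local-zone` saying that these are split-horizon names for services fronted by Traefik, that every `Host()` router needs an A record here, and that the zone is `transparent` so names not listed fall through to the upstream resolver (presumably what lets the ACME `_acme-challenge` lookups made via `127.0.0.1` reach the public zone — confirm). The enclosing unbound settings block starts outside the hunk.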


@ -1,7 +1,7 @@
{config, ...}: { {config, ...}: {
services.glance = { services.glance = {
enable = true; enable = true;
openFirewall = true; openFirewall = false;
settings = { settings = {
server = { server = {
host = "0.0.0.0"; host = "0.0.0.0";
@ -594,4 +594,21 @@
systemd.services.glance.serviceConfig = { systemd.services.glance.serviceConfig = {
EnvironmentFile = ["${config.age.secrets.glance.path}"]; EnvironmentFile = ["${config.age.secrets.glance.path}"];
}; };
services.traefik.dynamicConfigOptions.http = {
services.glance.loadBalancer.servers = [
{
url = "http://localhost:8080";
}
];
routers.glance = {
rule = "Host(`glance.home.cronyakatsuki.xyz`)";
tls = {
certResolver = "porkbun";
};
service = "glance";
entrypoints = "websecure";
};
};
} }
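Review bot: `server.host` stays `"0.0.0.0"` (context line in the first hunk) while Traefik reaches the backend at `http://localhost:8080`, so Glance still listens on every interface and, after `openFirewall = false`, the host firewall is the only thing keeping it off the LAN. Binding it to loopback, `host = "127.0.0.1";`, makes the Traefik/TLS path the only path regardless of firewall or trusted-interface settings. Separately, `entrypoints = "websecure";` appears to rely on Traefik accepting a scalar where it documents a list-typed `entryPoints`; `entryPoints = ["websecure"];` is the documented form. The module body spans both hunks and its attribute set ends on the last line shown.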


@ -22,6 +22,10 @@
glance = { glance = {
file = ../../../secrets/glance.age; file = ../../../secrets/glance.age;
}; };
traefik = {
file = ../../../secrets/traefik.age;
owner = "traefik";
};
}; };
}; };
} }


@ -5,12 +5,25 @@
guiAddress = "0.0.0.0:8384"; guiAddress = "0.0.0.0:8384";
}; };
networking.firewall = {
allowedTCPPorts = [8384];
};
services.restic.backups = { services.restic.backups = {
local.paths = ["/var/lib/syncthing"]; local.paths = ["/var/lib/syncthing"];
server.paths = ["/var/lib/syncthing"]; server.paths = ["/var/lib/syncthing"];
}; };
services.traefik.dynamicConfigOptions.http = {
services.syncthing.loadBalancer.servers = [
{
url = "http://localhost:8384";
}
];
routers.syncthing = {
rule = "Host(`syncthing.home.cronyakatsuki.xyz`)";
tls = {
certResolver = "porkbun";
};
service = "syncthing";
entrypoints = "websecure";
};
};
} }
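Review bot: `guiAddress = "0.0.0.0:8384"` (context line at the top of the hunk) still exposes the GUI on every interface even though the firewall opening for 8384 is dropped here and Traefik proxies to `http://localhost:8384`; bind it to loopback, `guiAddress = "127.0.0.1:8384";`, so the TLS entrypoint is the only way in. As far as I recall, Syncthing rejects GUI requests whose Host header is not a local address once it listens on loopback only, and Traefik forwards the original `syncthing.home.cronyakatsuki.xyz` Host by default, so pair that change with `passHostHeader = false;` inside `services.syncthing.loadBalancer` (or Syncthing's own host-check override) — verify against the Syncthing reverse-proxy documentation. The `services.syncthing` block starts outside the hunk.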


@ -0,0 +1,45 @@
{config, ...}: {
services.traefik = {
enable = true;
staticConfigOptions = {
serversTransport.insecureSkipVerify = true;
log = {level = "DEBUG";};
certificatesResolvers = {
porkbun = {
acme = {
email = "crony@cronyakatsuki.xyz";
storage = "/var/lib/traefik/acme.json";
caserver = "https://acme-v02.api.letsencrypt.org/directory";
dnsChallenge = {
provider = "porkbun";
resolvers = ["127.0.0.1"];
propagation = {
delayBeforeChecks = 60;
disableChecks = true;
};
};
};
};
};
api = {};
entryPoints = {
web = {
address = ":80";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":443";
};
};
};
};
systemd.services.traefik.serviceConfig = {
EnvironmentFile = ["${config.age.secrets.traefik.path}"];
};
networking.firewall.allowedTCPPorts = [80 443];
}
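Review bot: `serversTransport.insecureSkipVerify = true` disables certificate verification for every backend Traefik talks to, yet the only backends wired up in this commit are plain `http://localhost:…` services, so the setting buys nothing today and silently weakens any HTTPS backend added later; drop that line. `log = {level = "DEBUG";}` is likewise not a production default — debug output is verbose and can carry request details into the journal — so I would use `log = {level = "INFO";};` (or `WARN`). Two smaller points: `api = {}` enables the API, but with no router for `api@internal` and no `insecure = true` it looks unreachable, which is fine but deserves a comment saying so; and with `propagation.disableChecks = true` the `delayBeforeChecks = 60` may be redundant — confirm against the Traefik ACME docs which of the two you actually want.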


@ -11,12 +11,25 @@
]; ];
}; };
networking.firewall = {
allowedTCPPorts = [8282];
};
services.restic.backups = { services.restic.backups = {
local.paths = ["/var/lib/wallos"]; local.paths = ["/var/lib/wallos"];
server.paths = ["/var/lib/wallos"]; server.paths = ["/var/lib/wallos"];
}; };
services.traefik.dynamicConfigOptions.http = {
services.wallos.loadBalancer.servers = [
{
url = "http://localhost:8282";
}
];
routers.wallos = {
rule = "Host(`wallos.home.cronyakatsuki.xyz`)";
tls = {
certResolver = "porkbun";
};
service = "wallos";
entrypoints = "websecure";
};
};
} }
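Review bot: This router block is the third near-verbatim copy of the Glance and Syncthing ones, differing only in name, host and port; a small helper in `traefik.nix` (e.g. `mkProxiedService name port`) that emits the `services.<name>`/`routers.<name>` pair would keep the three in step and make a forgotten `tls.certResolver` impossible. `entrypoints = "websecure";` appears to work only because Traefik tolerates a scalar for the list-typed `entryPoints`; the documented spelling is `entryPoints = ["websecure"];`. The listen address for port 8282 is not in this hunk; since the firewall rule for it is removed here, confirm the service binds to loopback rather than `0.0.0.0` so the TLS entrypoint is the only way in. The enclosing module body starts outside the hunk.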