[traefik] Moves traefik config into the repo

[email] WIP
2025-04-07 14:45:58 -07:00 · 2025-04-07 13:48:25 -07:00
6 changed files with 121 additions and 29 deletions
--- a/home-manager/features/development/nix.nix
+++ b/home-manager/features/development/nix.nix
@@ -10,7 +10,8 @@

  home.shellAliases = {
    # This assumes that the repository is in ~/system-config
-    rebuild = "sudo nixos-rebuild switch --flake ~/system-config --show-trace --print-build-logs --verbose";
+    rebuild-switch = "sudo nixos-rebuild switch --flake ~/system-config --show-trace --print-build-logs --verbose";
+    rebuild-boot = "sudo nixos-rebuild boot --flake ~/system-config --show-trace --print-build-logs --verbose";
  };
 }
 
--- a/system/hosts/mcp/containers.nix
+++ b/system/hosts/mcp/containers.nix
@@ -4,6 +4,7 @@
  # Additional configuration
  imports = [
    ./containers/bookstack.nix
+    ./containers/email.nix
    ./containers/gitea.nix
    ./containers/grafana.nix
    ./containers/jobhunt.nix
@@ -16,6 +17,7 @@
    ./containers/searxng.nix
    ./containers/shared-postgres.nix
    ./containers/synapse.nix
+    ./containers/traefik.nix
  ];

  # Enable common container config files in /etc/containers
@@ -71,34 +73,6 @@
        havenisms;
    in
    {
-      traefik = {
-        image = "traefik";
-        autoStart = true;
-        cmd = [ ];
-        extraOptions = [
-          # Proxying Traefik itself
-          "-l=traefik.enable=true"
-          "-l=traefik.http.routers.traefik.rule=${localHostRuleHavenisms "proxy"}"
-          "-l=traefik.http.services.traefik.loadbalancer.server.port=8080"
-          "-l=homepage.group=Infra"
-          "-l=homepage.name=Traefik"
-          "-l=homepage.icon=traefik.svg"
-          "-l=homepage.href=https://proxy.${havenisms}"
-          "-l=homepage.description=Reverse proxy"
-          "-l=homepage.widget.type=traefik"
-          "-l=homepage.widget.url=http://traefik:8080"
-        ];
-        ports = [
-          "443:443"
-          "80:80"
-        ];
-        environmentFiles = [
-        ];
-        volumes = [
-          "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
-          "/tank/config/traefik:/etc/traefik"
-        ];
-      };
      jellyfin = {
        image = "lscr.io/linuxserver/jellyfin";
        autoStart = true;
--- a/system/hosts/mcp/containers/email.nix
+++ b/system/hosts/mcp/containers/email.nix
@@ -0,0 +1,36 @@
+{ config, ... }:
+let
+  inherit (import ./lib.nix config) blazestar;
+in {
+  
+  virtualisation.oci-containers.containers.docker-mailserver = {
+    image = "ghcr.io/docker-mailserver/docker-mailserver:latest";
+    hostname = "mail.${blazestar}";
+    autoStart = true;
+    ports = [
+      "465:465"
+      "587:587"
+      "993:993"
+    ];
+    volumes = [
+      "/tank/mailserver/mail-data:/var/mail"
+      "/tank/mailserver/mail-state:/var/mail-state"
+      "/tank/mailserver/mail-logs:/var/log/mail"
+      "/tank/mailserver/config:/tmp/docker-mailserver"
+      "/etc/localtime:/etc/localtime:ro"
+    ];
+    environment = {
+      ENABLE_RSPAMD="1";
+      ENABLE_CLAMAV="1";
+      ENABLE_FAIL2BAN="1";
+    };
+    extraOptions = [
+      # add network admin capability for Fail2Ban
+      "--cap-add=NET_ADMIN"
+    ];
+    labels = {
+      "traefik.enable" = "true";
+      "traefik.tcp.routers.mail.service" = "mailserver";
+    };
+  };
+}
--- a/system/hosts/mcp/containers/traefik.nix
+++ b/system/hosts/mcp/containers/traefik.nix
@@ -0,0 +1,32 @@
+{ config, ... }:
+let
+  inherit (import ./lib.nix config) mkContainer blazestar;
+  traefikConfigDir = builtins.path {
+    name = "traefik-config";
+    path = ./traefik;
+  };
+in {
+  virtualisation.oci-containers.containers.traefik = mkContainer {
+      image = "traefik";
+      hostName = "proxy";
+      port = 8080;
+      domain = blazestar;
+      public = false;
+      ports = [
+        "443:443"
+        "80:80"
+      ];
+      volumes =
+      [
+        "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
+        "${traefikConfigDir}:/etc/traefik"
+        "/tank/config/traefik/acme:/etc/traefik/acme"
+      ];
+      homepageOpts = {
+        name = "Traefik";
+        icon = "traefik.svg";
+        group = "Infra";
+        description = "Reverse Proxy";
+      };
+    };
+  }
--- a/system/hosts/mcp/containers/traefik/static/dockerRegistry.yaml
+++ b/system/hosts/mcp/containers/traefik/static/dockerRegistry.yaml
@@ -0,0 +1,10 @@
+http:
+  services:
+    dockerRegistry:
+      loadBalancer:
+        servers:
+          - url: "http://10.88.0.1:5000/"
+  routers:
+    dockerRegistry:
+      service: dockerRegistry
+      rule: "ClientIP(`192.168.1.0/24`) && Host(`docker.havenisms.com`)"
--- a/system/hosts/mcp/containers/traefik/traefik.yaml
+++ b/system/hosts/mcp/containers/traefik/traefik.yaml
@@ -0,0 +1,39 @@
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entrypoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certResolver: letsencrypt
+  metrics:
+    address: ":8082"
+
+api:
+  insecure: true
+
+providers:
+  docker:
+    exposedByDefault: false
+  file:
+    directory: /etc/traefik/static
+    watch: true
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: drew.haven@gmail.com
+      storage: /etc/traefik/acme/acme.json
+      httpChallenge:
+        entryPoint: web
+
+metrics:
+  prometheus:
+    addEntryPointsLabels: true
+    addServicesLabels: true
+    entryPoint: "metrics"
Author	SHA1	Message	Date
Drew Haven	b07b34b66a	[traefik] Moves traefik config into the repo	2025-04-07 14:45:58 -07:00
Drew Haven	a0987c0e11	[email] WIP	2025-04-07 13:48:25 -07:00