diff --git a/homelab/stacks/traefik/config/ai.yaml b/homelab/stacks/traefik/config/ai.yaml deleted file mode 100644 index 8b97fc2f..00000000 --- a/homelab/stacks/traefik/config/ai.yaml +++ /dev/null 
@@ -1,123 +0,0 @@ -tcp: - routers: - dungeon-master: - entrypoints: - - "websecure" - - "web" - rule: HostSNIRegexp(`^.+\.ai\.jafner\.(net|dev)$`) - service: "dungeon-master@file" - tls: - passthrough: true - - services: - dungeon-master: - loadBalancer: - servers: - - address: "192.168.1.135:443" - -http: - routers: - dungeon-master: - entrypoints: - - "websecure" - - "web" - rule: HostRegexp(`^.+\.ai\.jafner\.(net|dev)$`) - service: "dungeon-master@file" - - services: - dungeon-master: - loadBalancer: - passHostHeader: true - servers: - - url: "https://192.168.1.135" - - -# http: -# routers: -# ollama: -# rule: "Host(`ollama.jafner.net`)" -# entryPoints: "websecure" -# middlewares: -# - "lan-only@file" -# service: "ollama@file" -# tls: -# certResolver: "lets-encrypt" -# open-webui: -# rule: "Host(`openwebui.jafner.net`)" -# entryPoints: "websecure" -# middlewares: -# - "lan-only@file" -# service: "open-webui@file" -# tls: -# certResolver: "lets-encrypt" -# sillytavern: -# rule: "Host(`sillytavern.jafner.net`)" -# entryPoints: "websecure" -# middlewares: -# - "lan-only@file" -# service: "sillytavern@file" -# tls: -# certResolver: "lets-encrypt" -# sdwebui: -# rule: "Host(`sdwebui.jafner.net`)" -# entryPoints: "websecure" -# middlewares: -# - "lan-only@file" -# service: "sdwebui@file" -# tls: -# certResolver: "lets-encrypt" -# oobabooga: -# rule: "Host(`oobabooga.jafner.net`)" -# entryPoints: "websecure" -# middlewares: -# - "lan-only@file" -# service: "oobabooga@file" -# tls: -# certResolver: "lets-encrypt" -# oobabooga-api: -# rule: "Host(`oobabooga-api.jafner.net`)" -# entryPoints: "websecure" -# middlewares: -# - "lan-only@file" -# service: "oobabooga-api@file" -# tls: -# certResolver: "lets-encrypt" -# exui: -# rule: "Host(`exui.jafner.net`)" -# entryPoints: "websecure" -# middlewares: -# - "lan-only@file" -# service: "exui@file" -# tls: -# certResolver: "lets-encrypt" - -# services: -# ollama: -# loadBalancer: -# servers: -# - url: 
"http://192.168.1.135:11434" -# open-webui: -# loadBalancer: -# servers: -# - url: "http://192.168.1.135:3000" -# sillytavern: -# loadBalancer: -# servers: -# - url: "http://192.168.1.135:8000" -# sdwebui: -# loadBalancer: -# servers: -# - url: "http://192.168.1.135:7868" -# oobabooga: -# loadBalancer: -# servers: -# - url: "http://192.168.1.135:7860" -# oobabooga-api: -# loadBalancer: -# servers: -# - url: "http://192.168.1.135:5010" -# exui: -# loadBalancer: -# servers: -# - url: "http://192.168.1.135:5030" - \ No newline at end of file diff --git a/homelab/stacks/traefik/config/config.yaml b/homelab/stacks/traefik/config/config.yaml new file mode 100644 index 00000000..ce538d34 --- /dev/null +++ b/homelab/stacks/traefik/config/config.yaml 
@@ -0,0 +1,298 @@ +tls: + options: + tls12: + minVersion: VersionTLS12 + +http: + routers: + api: + rule: "Host(`traefik.jafner.net`)" + entryPoints: "websecure" + middlewares: + - "lan-only@file" + service: "api@internal" + tls: + certResolver: "lets-encrypt" + barbarian: + rule: "Host(`barbarian.nas.jafner.net`)" + entryPoints: "websecure" + middlewares: + - "lan-only@file" + service: "barbarian@file" + tls: + certResolver: "lets-encrypt" + monk: + rule: "Host(`monk.nas.jafner.net`)" + entryPoints: "websecure" + middlewares: + - "lan-only@file" + service: "monk@file" + tls: + certResolver: "lets-encrypt" + paladin: + rule: "Host(`paladin.nas.jafner.net`)" + entryPoints: "websecure" + middlewares: + - "lan-only@file" + service: "paladin@file" + tls: + certResolver: "lets-encrypt" + ranger: + rule: "Host(`pihole.jafner.net`)" + entryPoints: "websecure" + middlewares: + - "lan-only@file" + service: "ranger@file" + tls: + certResolver: "lets-encrypt" + silver-hand: + entrypoints: + - "websecure" + - "web" + rule: HostRegexp(`^.+\.jafner\.dev$`) + service: "silver-hand@file" + desktop: + entrypoints: + - "websecure" + - "web" + rule: HostRegexp(`^.+\.ai\.jafner\.(net|dev)$`) + service: "desktop@file" + toes-day: + rule: "Host(`day.toes.tasmota.jafner.net`)" + entryPoints: "websecure" + middlewares: + - "lan-only@file" + service: "toes-day@file" + tls: + certResolver: "lets-encrypt" + toes-night: + rule: "Host(`night.toes.tasmota.jafner.net`)" + entryPoints: "websecure" + middlewares: + - "lan-only@file" + service: "toes-night@file" + tls: + certResolver: "lets-encrypt" + lab-rack: + rule: "Host(`rack.tasmota.jafner.net`)" + entryPoints: "websecure" + middlewares: + - "lan-only@file" + service: "lab-rack@file" + tls: + certResolver: "lets-encrypt" + sprout-day: + rule: "Host(`day.sprout.tasmota.jafner.net`)" + entryPoints: "websecure" + middlewares: + - "lan-only@file" + service: "sprout-day@file" + tls: + certResolver: "lets-encrypt" + figment-day: + rule: 
"Host(`day.figment.tasmota.jafner.net`)" + entryPoints: "websecure" + middlewares: + - "lan-only@file" + service: "figment-day@file" + tls: + certResolver: "lets-encrypt" + figment-night: + rule: "Host(`night.figment.tasmota.jafner.net`)" + entryPoints: "websecure" + middlewares: + - "lan-only@file" + service: "figment-night@file" + tls: + certResolver: "lets-encrypt" + president-day: + rule: "Host(`day.president.tasmota.jafner.net`)" + entryPoints: "websecure" + middlewares: + - "lan-only@file" + service: "president-day@file" + tls: + certResolver: "lets-encrypt" + cowboy-day: + rule: "Host(`day.cowboy.tasmota.jafner.net`)" + entryPoints: "websecure" + middlewares: + - "lan-only@file" + service: "cowboy-day@file" + tls: + certResolver: "lets-encrypt" + + middlewares: + lan-only: + ipWhiteList: + sourceRange: + - "127.0.0.1/32" + - "192.168.1.1/24" + simple-auth: + basicAuth: + usersFile: "/.htpasswd" + securityheaders: + headers: + customResponseHeaders: + X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex" + server: "" + sslProxyHeaders: + X-Forwarded-Proto: https + referrerPolicy: "same-origin" + hostsProxyHeaders: + - "X-Forwarded-Host" + customRequestHeaders: + X-Forwarded-Proto: "https" + X-Scheme: https + contentTypeNosniff: true + browserXssFilter: true + forceSTSHeader: true + stsIncludeSubdomains: true + stsSeconds: 63072000 + stsPreload: true + pihole: + addprefix: + prefix: "/admin" + traefik-forward-auth: + forwardauth: + address: http://forwardauth:4181 + trustForwardHeader: true + authResponseHeaders: + - X-Forwarded-User + traefik-forward-auth-privileged: + forwardauth: + address: http://forwardauth-privileged:4181 + trustForwardHeader: true + authResponseHeaders: + - X-Forwarded-User + nextcloud-headers: + headers: + accessControlMaxAge: 100 + sslRedirect: true + stsSeconds: 63072000 + stsIncludeSubdomains: true + stsPreload: true + forceSTSHeader: true + customFrameOptionsValue: "SAMEORIGIN" #CSP takes care of this but may be needed 
for organizr. + contentTypeNosniff: true + browserXssFilter: true + sslForceHost: true + sslHost: "nextcloud.jafner.net" + referrerPolicy: "no-referrer" + #contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';" + featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';" + customResponseHeaders: + X-Robots-Tag: "noindex, nofollow" + server: "" + nextcloud-redirect: + redirectRegex: + permanent: true + regex: "https://(.*)/.well-known/(card|cal)dav" + replacement: "https://${1}/remote.php/dav/" + keycloak: + headers: + customResponseHeaders: + X-Robots-Tag: "noindex, nofollow" + referrerPolicy: "same-origin" + hostsProxyHeaders: + - "X-Forwarded-Host" + customRequestHeaders: + X-Forwarded-Proto: "https" + X-Scheme: https + + serversTransports: + insecureskipverify: + insecureSkipVerify: true + + services: + barbarian: + loadBalancer: + servers: + - url: "http://192.168.1.10/" + monk: + loadBalancer: + servers: + - url: "http://192.168.1.11/" + paladin: + loadBalancer: + servers: + - url: "http://192.168.1.12/" + ranger: + loadBalancer: + servers: + - url: "http://192.168.1.32/" + silver-hand: + loadBalancer: + passHostHeader: true + servers: + - url: "https://192.168.1.31" + - url: "https://192.168.1.32" + - url: "https://192.168.1.33" + desktop: + loadBalancer: + passHostHeader: true + servers: + - url: "https://192.168.1.135" + toes-day: + loadBalancer: + servers: + - url: "http://192.168.1.50/" + lab-rack: + loadBalancer: + servers: + - url: "http://192.168.1.51/" + cowboy-day: + loadBalancer: + servers: + - url: "http://192.168.1.52/" + figment-day: + loadBalancer: + servers: + - url: "http://192.168.1.53/" + figment-night: + loadBalancer: + servers: + - url: "http://192.168.1.54/" + president-day: + loadBalancer: + servers: + - url: "http://192.168.1.55/" + toes-night: + loadBalancer: + servers: + - url: "http://192.168.1.56" + sprout-day: + loadBalancer: + servers: + - 
url: "http://192.168.1.57/" + +tcp: + routers: + silver-hand: + entrypoints: + - "websecure" + - "web" + rule: HostSNIRegexp(`^.+\.jafner\.dev$`) + service: "silver-hand@file" + tls: + passthrough: true + desktop: + entrypoints: + - "websecure" + - "web" + rule: HostSNIRegexp(`^.+\.ai\.jafner\.(net|dev)$`) + service: "desktop@file" + tls: + passthrough: true + + services: + silver-hand: + loadBalancer: + servers: + - address: "192.168.1.31:443" + - address: "192.168.1.32:443" + - address: "192.168.1.33:443" + desktop: + loadBalancer: + servers: + - address: "192.168.1.135:443" \ No newline at end of file diff --git a/homelab/stacks/traefik/config/config_addons.yaml b/homelab/stacks/traefik/config/config_addons.yaml deleted file mode 100644 index a56731e0..00000000 --- a/homelab/stacks/traefik/config/config_addons.yaml +++ /dev/null 
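Review bot: The `tls.options.tls12` block at the top of config.yaml is never applied: no router in this hunk references it under `tls.options`, and Traefik only picks up a named option automatically when it is called `default`, so either rename it (`tls: options: default: minVersion: VersionTLS12`) or add `options: tls12@file` beneath each router's `tls` section, otherwise the routers keep Traefik's built-in defaults. Separately, `silver-hand` and `desktop` are the only routers without `lan-only@file` — the HTTP ones omit it and the TCP ones (which would need a tcp-namespace middleware) have none — which leaves the wildcard `*.jafner.dev` and `*.ai.jafner.(net|dev)` hosts reachable from every source the `web` and `websecure` entrypoints accept; if that exposure is intended, a comment above those routers stating so would stop the next reader from "fixing" it. The `serversTransports.insecureskipverify` entry is likewise defined but not referenced by any `loadBalancer.serversTransport` in this file, so the `https://192.168.1.31`–`.33` and `https://192.168.1.135` backends are verified against the normal trust store unless a transport is attached elsewhere. Minor: `192.168.1.1/24` in `lan-only` has host bits set and reads more clearly as `192.168.1.0/24`, and `ipWhiteList` is the deprecated spelling of `ipAllowList` if this runs Traefik v3.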
@@ -1,82 +0,0 @@ -http: - middlewares: - lan-only: - ipWhiteList: - sourceRange: - - "127.0.0.1/32" - - "192.168.1.1/24" - simple-auth: - basicAuth: - usersFile: "/.htpasswd" - securityheaders: - headers: - customResponseHeaders: - X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex" - server: "" - sslProxyHeaders: - X-Forwarded-Proto: https - referrerPolicy: "same-origin" - hostsProxyHeaders: - - "X-Forwarded-Host" - customRequestHeaders: - X-Forwarded-Proto: "https" - X-Scheme: https - contentTypeNosniff: true - browserXssFilter: true - forceSTSHeader: true - stsIncludeSubdomains: true - stsSeconds: 63072000 - stsPreload: true - pihole: - addprefix: - prefix: "/admin" - traefik-forward-auth: - forwardauth: - address: http://forwardauth:4181 - trustForwardHeader: true - authResponseHeaders: - - X-Forwarded-User - traefik-forward-auth-privileged: - forwardauth: - address: http://forwardauth-privileged:4181 - trustForwardHeader: true - authResponseHeaders: - - X-Forwarded-User - nextcloud-headers: - headers: - accessControlMaxAge: 100 - sslRedirect: true - stsSeconds: 63072000 - stsIncludeSubdomains: true - stsPreload: true - forceSTSHeader: true - customFrameOptionsValue: "SAMEORIGIN" #CSP takes care of this but may be needed for organizr. 
- contentTypeNosniff: true - browserXssFilter: true - sslForceHost: true - sslHost: "nextcloud.jafner.net" - referrerPolicy: "no-referrer" - #contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';" - featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';" - customResponseHeaders: - X-Robots-Tag: "noindex, nofollow" - server: "" - nextcloud-redirect: - redirectRegex: - permanent: true - regex: "https://(.*)/.well-known/(card|cal)dav" - replacement: "https://${1}/remote.php/dav/" - keycloak: - headers: - customResponseHeaders: - X-Robots-Tag: "noindex, nofollow" - referrerPolicy: "same-origin" - hostsProxyHeaders: - - "X-Forwarded-Host" - customRequestHeaders: - X-Forwarded-Proto: "https" - X-Scheme: https - - serversTransports: - insecureskipverify: - insecureSkipVerify: true \ No newline at end of file diff --git a/homelab/stacks/traefik/config/nas.yaml b/homelab/stacks/traefik/config/nas.yaml deleted file mode 100644 index def1fef5..00000000 --- a/homelab/stacks/traefik/config/nas.yaml +++ /dev/null @@ -1,40 +0,0 @@ -http: - routers: - barbarian: - rule: "Host(`barbarian.nas.jafner.net`)" - entryPoints: "websecure" - middlewares: - - "lan-only@file" - service: "barbarian@file" - tls: - certResolver: "lets-encrypt" - monk: - rule: "Host(`monk.nas.jafner.net`)" - entryPoints: "websecure" - middlewares: - - "lan-only@file" - service: "monk@file" - tls: - certResolver: "lets-encrypt" - paladin: - rule: "Host(`paladin.nas.jafner.net`)" - entryPoints: "websecure" - middlewares: - - "lan-only@file" - service: "paladin@file" - tls: - certResolver: "lets-encrypt" - - services: - barbarian: - loadBalancer: - servers: - - url: "http://192.168.1.10/" - monk: - loadBalancer: - servers: - - url: "http://192.168.1.11/" - paladin: - loadBalancer: - servers: - - url: "http://192.168.1.12/" \ No newline at end of file 
diff --git a/homelab/stacks/traefik/config/ranger.yaml b/homelab/stacks/traefik/config/ranger.yaml deleted file mode 100644 index dfc65176..00000000 --- a/homelab/stacks/traefik/config/ranger.yaml +++ /dev/null @@ -1,17 +0,0 @@ -http: - routers: - ranger: - rule: "Host(`pihole.jafner.net`)" - entryPoints: "websecure" - middlewares: - - "lan-only@file" - service: "ranger@file" - tls: - certResolver: "lets-encrypt" - - - services: - ranger: - loadBalancer: - servers: - - url: "http://192.168.1.32/" \ No newline at end of file diff --git a/homelab/stacks/traefik/config/silver-hand.yaml b/homelab/stacks/traefik/config/silver-hand.yaml deleted file mode 100644 index 4d035679..00000000 --- a/homelab/stacks/traefik/config/silver-hand.yaml +++ /dev/null @@ -1,36 +0,0 @@ -tcp: - routers: - silver-hand: - entrypoints: - - "websecure" - - "web" - rule: HostSNIRegexp(`^.+\.jafner\.dev$`) - service: "silver-hand@file" - tls: - passthrough: true - - services: - silver-hand: - loadBalancer: - servers: - - address: "192.168.1.31:443" - - address: "192.168.1.32:443" - - address: "192.168.1.33:443" - -http: - routers: - silver-hand: - entrypoints: - - "websecure" - - "web" - rule: HostRegexp(`^.+\.jafner\.dev$`) - service: "silver-hand@file" - - services: - silver-hand: - loadBalancer: - passHostHeader: true - servers: - - url: "https://192.168.1.31" - - url: "https://192.168.1.32" - - url: "https://192.168.1.33" \ No newline at end of file diff --git a/homelab/stacks/traefik/config/tasmota.yaml b/homelab/stacks/traefik/config/tasmota.yaml deleted file mode 100644 index f367bc70..00000000 --- a/homelab/stacks/traefik/config/tasmota.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -http: - routers: - toes-day: - rule: "Host(`day.toes.tasmota.jafner.net`)" - entryPoints: "websecure" - middlewares: - - "lan-only@file" - service: "toes-day@file" - tls: - certResolver: "lets-encrypt" - toes-night: - rule: "Host(`night.toes.tasmota.jafner.net`)" - entryPoints: "websecure" - middlewares: - - "lan-only@file" - service: "toes-night@file" - tls: - certResolver: "lets-encrypt" - lab-rack: - rule: "Host(`rack.tasmota.jafner.net`)" - entryPoints: "websecure" - middlewares: - - "lan-only@file" - service: "lab-rack@file" - tls: - certResolver: "lets-encrypt" - sprout-day: - rule: "Host(`day.sprout.tasmota.jafner.net`)" - entryPoints: "websecure" - middlewares: - - "lan-only@file" - service: "sprout-day@file" - tls: - certResolver: "lets-encrypt" - figment-day: - rule: "Host(`day.figment.tasmota.jafner.net`)" - entryPoints: "websecure" - middlewares: - - "lan-only@file" - service: "figment-day@file" - tls: - certResolver: "lets-encrypt" - figment-night: - rule: "Host(`night.figment.tasmota.jafner.net`)" - entryPoints: "websecure" - middlewares: - - "lan-only@file" - service: "figment-night@file" - tls: - certResolver: "lets-encrypt" - president-day: - rule: "Host(`day.president.tasmota.jafner.net`)" - entryPoints: "websecure" - middlewares: - - "lan-only@file" - service: "president-day@file" - tls: - certResolver: "lets-encrypt" - cowboy-day: - rule: "Host(`day.cowboy.tasmota.jafner.net`)" - entryPoints: "websecure" - middlewares: - - "lan-only@file" - service: "cowboy-day@file" - tls: - certResolver: "lets-encrypt" - - services: - toes-day: - loadBalancer: - servers: - - url: "http://192.168.1.50/" - lab-rack: - loadBalancer: - servers: - - url: "http://192.168.1.51/" - cowboy-day: - loadBalancer: - servers: - - url: "http://192.168.1.52/" - figment-day: - loadBalancer: - servers: - - url: "http://192.168.1.53/" - figment-night: - loadBalancer: - servers: - - url: "http://192.168.1.54/" - president-day: - loadBalancer: - servers: - - 
url: "http://192.168.1.55/" - toes-night: - loadBalancer: - servers: - - url: "http://192.168.1.56" - sprout-day: - loadBalancer: - servers: - - url: "http://192.168.1.57/" \ No newline at end of file diff --git a/homelab/stacks/traefik/config/tls.yaml b/homelab/stacks/traefik/config/tls.yaml deleted file mode 100644 index 17fc206d..00000000 --- a/homelab/stacks/traefik/config/tls.yaml +++ /dev/null @@ -1,4 +0,0 @@ -tls: - options: - tls12: - minVersion: VersionTLS12 \ No newline at end of file diff --git a/homelab/stacks/traefik/config/traefik_api.yaml b/homelab/stacks/traefik/config/traefik_api.yaml deleted file mode 100644 index d0c5dfdb..00000000 --- a/homelab/stacks/traefik/config/traefik_api.yaml +++ /dev/null @@ -1,11 +0,0 @@ -http: - routers: - api: - rule: "Host(`traefik.jafner.net`)" - entryPoints: "websecure" - middlewares: - - "lan-only@file" - #- "traefik-forward-auth@file" - service: "api@internal" - tls: - certResolver: "lets-encrypt" diff --git a/homelab/stacks/traefik/stack.nix b/homelab/stacks/traefik/stack.nix index 4351dcb9..727e359b 100644 --- a/homelab/stacks/traefik/stack.nix +++ b/homelab/stacks/traefik/stack.nix @@ -1,16 +1,15 @@ { sys, ... }: let stack = "traefik"; in { home-manager.users."${sys.username}".home.file = { - "${stack}" = { - enable = true; - recursive = true; - source = ./.; - target = "stacks/${stack}/"; - }; "${stack}/.env" = { enable = true; text = ''APPDATA=${sys.dataDirs.appdata}/${stack}''; target = "stacks/${stack}/.env"; }; + "${stack}/config/config.yaml" = { + enable = true; + source = ./config/config.yaml; + target = "stacks/${stack}/config/config.yaml"; + }; }; sops.secrets."${stack}" = { sopsFile = ./traefik.secrets;