Jafner/Jafner.net
1
0
Fork 0
Code Issues 16 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Jafner:ac989c2ad23306c64b89aac6947e0e8adbf9df28
Branches Tags
Jafner:main
...
compare: Jafner:5e9029196e8c1e4b8e333f133333e76e9e1548ce
Branches Tags
Jafner:main

2 Commits
ac989c2ad2 ... 5e9029196e

Author SHA1 Message Date
Joey Hafner
5e9029196e
Prune flatpaks, add protonup-ng
Some checks are pending
SSH and echo to file / ssh (push) Waiting to run
Details
2024-10-22 19:36:10 -07:00
Joey Hafner
225516608e
#14 Create Traefik stack 2024-10-22 19:35:09 -07:00
14 changed files with 559 additions and 8 deletions
Show Stats Expand all files Collapse all files

1
homelab/stacks/traefik/.env Normal file
View File

@ -0,0 +1 @@
DOCKER_DATA=/home/admin/data/traefik

17
homelab/stacks/traefik/README.md Normal file
View File

@ -0,0 +1,17 @@
### The `web` Network
Created with `docker network create --driver=bridge --subnet=172.20.0.0/23 --ip-range=172.20.1.0/24 web`
Previous version was naive, and had a subnet equal in size to the IP range. This meant that we would occasionally encounter address colisions between services which needed static IPs, and those handed IPs automatically.
### Useful Labels
Basic web-facing service:
- `traefik.http.routers.<router-name>.rule=Host(\`<subdomain>.jafner.net\`)`
- `traefik.http.routers.<router-name>.tls.certresolver=lets-encrypt`
Restrict access to IPs in list defined in [`./config/config_addons.yaml`](./config/config_addons.yaml):
- `traefik.http.routers.<router-name>.middlewares=lan-only@file`
Explicitly set the container-side port Traefik should route traffic to:
- `traefik.http.services.<service-name>.loadbalancer.server.port=1234`

123
homelab/stacks/traefik/config/ai.yaml Normal file
View File

@ -0,0 +1,123 @@
tcp:
routers:
dungeon-master:
entrypoints:
- "websecure"
- "web"
rule: HostSNIRegexp(`^.+\.ai\.jafner\.(net|dev)$`)
service: "dungeon-master@file"
tls:
passthrough: true
services:
dungeon-master:
loadBalancer:
servers:
- address: "192.168.1.135:443"
http:
routers:
dungeon-master:
entrypoints:
- "websecure"
- "web"
rule: HostRegexp(`^.+\.ai\.jafner\.(net|dev)$`)
service: "dungeon-master@file"
services:
dungeon-master:
loadBalancer:
passHostHeader: true
servers:
- url: "https://192.168.1.135"
# http:
# routers:
# ollama:
# rule: "Host(`ollama.jafner.net`)"
# entryPoints: "websecure"
# middlewares:
# - "lan-only@file"
# service: "ollama@file"
# tls:
# certResolver: "lets-encrypt"
# open-webui:
# rule: "Host(`openwebui.jafner.net`)"
# entryPoints: "websecure"
# middlewares:
# - "lan-only@file"
# service: "open-webui@file"
# tls:
# certResolver: "lets-encrypt"
# sillytavern:
# rule: "Host(`sillytavern.jafner.net`)"
# entryPoints: "websecure"
# middlewares:
# - "lan-only@file"
# service: "sillytavern@file"
# tls:
# certResolver: "lets-encrypt"
# sdwebui:
# rule: "Host(`sdwebui.jafner.net`)"
# entryPoints: "websecure"
# middlewares:
# - "lan-only@file"
# service: "sdwebui@file"
# tls:
# certResolver: "lets-encrypt"
# oobabooga:
# rule: "Host(`oobabooga.jafner.net`)"
# entryPoints: "websecure"
# middlewares:
# - "lan-only@file"
# service: "oobabooga@file"
# tls:
# certResolver: "lets-encrypt"
# oobabooga-api:
# rule: "Host(`oobabooga-api.jafner.net`)"
# entryPoints: "websecure"
# middlewares:
# - "lan-only@file"
# service: "oobabooga-api@file"
# tls:
# certResolver: "lets-encrypt"
# exui:
# rule: "Host(`exui.jafner.net`)"
# entryPoints: "websecure"
# middlewares:
# - "lan-only@file"
# service: "exui@file"
# tls:
# certResolver: "lets-encrypt"
# services:
# ollama:
# loadBalancer:
# servers:
# - url: "http://192.168.1.135:11434"
# open-webui:
# loadBalancer:
# servers:
# - url: "http://192.168.1.135:3000"
# sillytavern:
# loadBalancer:
# servers:
# - url: "http://192.168.1.135:8000"
# sdwebui:
# loadBalancer:
# servers:
# - url: "http://192.168.1.135:7868"
# oobabooga:
# loadBalancer:
# servers:
# - url: "http://192.168.1.135:7860"
# oobabooga-api:
# loadBalancer:
# servers:
# - url: "http://192.168.1.135:5010"
# exui:
# loadBalancer:
# servers:
# - url: "http://192.168.1.135:5030"

82
homelab/stacks/traefik/config/config_addons.yaml Normal file
View File

@ -0,0 +1,82 @@
http:
middlewares:
lan-only:
ipWhiteList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.1/24"
simple-auth:
basicAuth:
usersFile: "/.htpasswd"
securityheaders:
headers:
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
server: ""
sslProxyHeaders:
X-Forwarded-Proto: https
referrerPolicy: "same-origin"
hostsProxyHeaders:
- "X-Forwarded-Host"
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Scheme: https
contentTypeNosniff: true
browserXssFilter: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsSeconds: 63072000
stsPreload: true
pihole:
addprefix:
prefix: "/admin"
traefik-forward-auth:
forwardauth:
address: http://forwardauth:4181
trustForwardHeader: true
authResponseHeaders:
- X-Forwarded-User
traefik-forward-auth-privileged:
forwardauth:
address: http://forwardauth-privileged:4181
trustForwardHeader: true
authResponseHeaders:
- X-Forwarded-User
nextcloud-headers:
headers:
accessControlMaxAge: 100
sslRedirect: true
stsSeconds: 63072000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
customFrameOptionsValue: "SAMEORIGIN" #CSP takes care of this but may be needed for organizr.
contentTypeNosniff: true
browserXssFilter: true
sslForceHost: true
sslHost: "nextcloud.jafner.net"
referrerPolicy: "no-referrer"
#contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
customResponseHeaders:
X-Robots-Tag: "noindex, nofollow"
server: ""
nextcloud-redirect:
redirectRegex:
permanent: true
regex: "https://(.*)/.well-known/(card|cal)dav"
replacement: "https://${1}/remote.php/dav/"
keycloak:
headers:
customResponseHeaders:
X-Robots-Tag: "noindex, nofollow"
referrerPolicy: "same-origin"
hostsProxyHeaders:
- "X-Forwarded-Host"
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Scheme: https
serversTransports:
insecureskipverify:
insecureSkipVerify: true

40
homelab/stacks/traefik/config/nas.yaml Normal file
View File

@ -0,0 +1,40 @@
http:
routers:
barbarian:
rule: "Host(`barbarian.nas.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "barbarian@file"
tls:
certResolver: "lets-encrypt"
monk:
rule: "Host(`monk.nas.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "monk@file"
tls:
certResolver: "lets-encrypt"
paladin:
rule: "Host(`paladin.nas.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "paladin@file"
tls:
certResolver: "lets-encrypt"
services:
barbarian:
loadBalancer:
servers:
- url: "http://192.168.1.10/"
monk:
loadBalancer:
servers:
- url: "http://192.168.1.11/"
paladin:
loadBalancer:
servers:
- url: "http://192.168.1.12/"

17
homelab/stacks/traefik/config/ranger.yaml Normal file
View File

@ -0,0 +1,17 @@
http:
routers:
ranger:
rule: "Host(`pihole.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "ranger@file"
tls:
certResolver: "lets-encrypt"
services:
ranger:
loadBalancer:
servers:
- url: "http://192.168.1.32/"

36
homelab/stacks/traefik/config/silver-hand.yaml Normal file
View File

@ -0,0 +1,36 @@
tcp:
routers:
silver-hand:
entrypoints:
- "websecure"
- "web"
rule: HostSNIRegexp(`^.+\.jafner\.dev$`)
service: "silver-hand@file"
tls:
passthrough: true
services:
silver-hand:
loadBalancer:
servers:
- address: "192.168.1.31:443"
- address: "192.168.1.32:443"
- address: "192.168.1.33:443"
http:
routers:
silver-hand:
entrypoints:
- "websecure"
- "web"
rule: HostRegexp(`^.+\.jafner\.dev$`)
service: "silver-hand@file"
services:
silver-hand:
loadBalancer:
passHostHeader: true
servers:
- url: "https://192.168.1.31"
- url: "https://192.168.1.32"
- url: "https://192.168.1.33"

100
homelab/stacks/traefik/config/tasmota.yaml Normal file
View File

@ -0,0 +1,100 @@
http:
routers:
toes-day:
rule: "Host(`day.toes.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "toes-day@file"
tls:
certResolver: "lets-encrypt"
toes-night:
rule: "Host(`night.toes.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "toes-night@file"
tls:
certResolver: "lets-encrypt"
lab-rack:
rule: "Host(`rack.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "lab-rack@file"
tls:
certResolver: "lets-encrypt"
sprout-day:
rule: "Host(`day.sprout.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "sprout-day@file"
tls:
certResolver: "lets-encrypt"
figment-day:
rule: "Host(`day.figment.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "figment-day@file"
tls:
certResolver: "lets-encrypt"
figment-night:
rule: "Host(`night.figment.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "figment-night@file"
tls:
certResolver: "lets-encrypt"
president-day:
rule: "Host(`day.president.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "president-day@file"
tls:
certResolver: "lets-encrypt"
cowboy-day:
rule: "Host(`day.cowboy.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "cowboy-day@file"
tls:
certResolver: "lets-encrypt"
services:
toes-day:
loadBalancer:
servers:
- url: "http://192.168.1.50/"
lab-rack:
loadBalancer:
servers:
- url: "http://192.168.1.51/"
cowboy-day:
loadBalancer:
servers:
- url: "http://192.168.1.52/"
figment-day:
loadBalancer:
servers:
- url: "http://192.168.1.53/"
figment-night:
loadBalancer:
servers:
- url: "http://192.168.1.54/"
president-day:
loadBalancer:
servers:
- url: "http://192.168.1.55/"
toes-night:
loadBalancer:
servers:
- url: "http://192.168.1.56"
sprout-day:
loadBalancer:
servers:
- url: "http://192.168.1.57/"

4
homelab/stacks/traefik/config/tls.yaml Normal file
View File

@ -0,0 +1,4 @@
tls:
options:
tls12:
minVersion: VersionTLS12

11
homelab/stacks/traefik/config/traefik_api.yaml Normal file
View File

@ -0,0 +1,11 @@
http:
routers:
api:
rule: "Host(`traefik.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
#- "traefik-forward-auth@file"
service: "api@internal"
tls:
certResolver: "lets-encrypt"

28
homelab/stacks/traefik/docker-compose.yml Normal file
View File

@ -0,0 +1,28 @@
services:
traefik:
image: traefik:latest
container_name: traefik_traefik
restart: "no"
networks:
web:
ipv4_address: 172.20.0.10
monitoring:
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik.yaml:/traefik.yaml
- ./config:/config
- $DOCKER_DATA/acme.json:/acme.json
- $DOCKER_DATA/acme-dns01.json:/acme-dns01.json
env_file:
- path: ./secrets.env
required: true
networks:
web:
external: true
monitoring:
external: true

58
homelab/stacks/traefik/secrets.env Normal file
View File

@ -0,0 +1,58 @@
{
"CLOUDFLARE_DNS_API_TOKEN": "ENC[AES256_GCM,data:a6lmKl8tnLyH2xX/JqT9plOVsXWez6HZUOtuVwlmmyzMpPGiCLs+vg==,iv:YgMs4vHeNsebfq8ipu8fHxE+q/dUlcoW6dm0dco1nt4=,tag:3i+5sOwKTDCLJFDzspdv4g==,type:str]",
"sops": {
"shamir_threshold": 2,
"key_groups": [
{
"hc_vault": null,
"age": [
{
"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2cUdzZ1Vtd1ByVFloQkhE\nMzRPRGxZMjlRWUk5WUw5OVpOWitESUFUc0VBCmt2M2hXV0k5MW9VNGRmUDN3eGZ2\nMmxkVWpyTmhEenFmYWpnZEFGTStsYUEKLS0tIEs4QldKcEw2NDFVSjRiWUtHNG5J\nejd2MUFVcEdONUYrbXdsSFBJY1hHVDgK/VOvPFpGTac1IxiVgReVrKi/FEg4DZCr\n/KsUpdnz5df134BHgPsFmSjwDn9F7K8s1vG6Itn5xALAVJ5qfXDD5Mg=\n-----END AGE ENCRYPTED FILE-----\n"
}
]
},
{
"hc_vault": null,
"age": [
{
"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5SnBvVUlnQkc3ZmV4K0JE\nSmdWQnY0MnNaRmE4NDlNa0JCK1dFMVBYNjNvCnRqY29ucEx4SVlCK0lXS0diRFdI\nNDFuVlJNUG5xOWRBcVBkSUxNekNnLzQKLS0tIDA2T0lXVWh4cy9ncnYzNzVwZmtJ\ncVVSY0dPbkNoNWdwY0hQajYzQnBIbGsK5TtnCAfwMh/nUVRdTAdzI7cQrW0s71rG\nLEPFzSc2uUQLurPjfiUzI1cSqp6FUEKEqKrcyZY2E+v6U6a97P7JGj8=\n-----END AGE ENCRYPTED FILE-----\n"
}
]
},
{
"hc_vault": null,
"age": [
{
"recipient": "age193t908fjxl8ekl77p5xqnpj4xmw3y0khvyzlrw22hdzjduk6l53q05spq3",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4NTQ2eU9RNHZvdVl2ZE1w\nQTQ5OHJwWmJ2aEwzbmt5L1RNc0thUGpMT21FCnVRWEx4YkQzUUtsWHNOS1dKTmto\neWdrRG5nMGk2Smo0UDBUMzJKRGxtN0kKLS0tIG16MEl3OVdrOTdwcURybzFzb05N\neDVmNS80K1hsUlNEZjNDUmdxaUVGeFkKIRA6Too6OIRCDEU/SbhwZyOUCxjszVE4\nwbIHo6HpA9cPZQZAlgJoxElBiclJaEjV8sJAYh1tBx27a1G2vftAXG4=\n-----END AGE ENCRYPTED FILE-----\n"
}
]
},
{
"hc_vault": null,
"age": [
{
"recipient": "age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIUnJBUGRXMFl4RHlDMTJr\nNnA0RjVPanVLcUJSQjltTFRaWk5kcUNUNG1rCjAvTGltRTU0ZzV4ZEhiUVp2RSs1\nSklqaUVoV0N0NXJVelYrZVVqSnRXYlkKLS0tIGFtVlFadGlwa1pyaGZ6aXd2RVdH\nWmEvSENaMUUxenZ6V1FxSUpSVkcyVUUKU/aEZ/DXnyUmmwC22VGioxhZ+G/H8hR3\nRYRjqzDSwT1U2oIpIVeib0S+RO2VmuYI84EHK3NBSkomJUkX8aurQ/k=\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1n20krynrj75jqfy2muvhrygvzd4ee8ngamljqavsrk033zwx0ses2tdtfe",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsZmZIbStHZzJLTU91OExu\nc29TTFozaERWMkErS05Xd1VjNmF5b2hFUVNnCjdpUWtJRUxMQ2hMU0VKZGFuSC9Q\neWZwQmk5ZGtueWxkNUFJY1B1VkEyUUUKLS0tIFdxZjlUYXhwZENxcjEvcGhUTGJv\nN2FxdENpMzRSUlVmVHhDTTZ6NWhtOVEKz6hp5uZR3MoD9j21JPMhSpKnB3qwYCtz\nVn6h9wAbdZ/WVEnlP+2uxyhvFSXsPHwn+9qcQPX/VcHcBX/f1P3YXj4=\n-----END AGE ENCRYPTED FILE-----\n"
}
]
}
],
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": null,
"lastmodified": "2024-10-23T02:31:58Z",
"mac": "ENC[AES256_GCM,data:zyuSNesEgByj3izqj6vrbXHWNazWkjNytCfWP8jxeLid93kJfChk0XTkd8tu4Dnr6l0YOCo9UEkcODg+0/h4n7zzQDhSwh66+mAbmLeZ3d8wYcvYiq3r8kfrAj2mtSeW2cF/XN5tYY3AS1uK1KvVomGsbvocRLedMuKEz29gG+0=,iv:k7uQ/2kVx8gS4gunUISF65ZXdRxtUQJpW4fFw/MF0n0=,tag:bFX1zB8KFDC707QsXiqGQQ==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.0"
}
}

41
homelab/stacks/traefik/traefik.yaml Normal file
View File

@ -0,0 +1,41 @@
entryPoints:
web:
address: :80
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: :443
certificatesResolvers:
lets-encrypt:
acme:
email: jafner425@gmail.com
storage: acme.json
tlsChallenge: {}
lets-encrypt-dns01:
acme:
email: jafner425@gmail.com
storage: acme-dns01.json
dnsChallenge:
provider: cloudflare
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
api:
insecure: true
dashboard: true
serversTransport:
insecureSkipVerify: true
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
watch: true
network: web
file:
directory: /config

9
nix/dungeon-master/home-manager/home.nix
View File

@ -51,8 +51,6 @@
{ name = "fedora"; location = "oci+https://registry.fedoraproject.org"; }
];
packages = [
"com.obsproject.Studio/x86_64/stable"
"com.obsproject.Studio.Plugin.OBSVkCapture/x86_64/stable"
"com.usebottles.bottles/x86_64/stable"
"dev.vencord.Vesktop/x86_64/stable"
"io.github.zen_browser.zen/x86_64/stable"
@ -70,9 +68,6 @@
"org.freedesktop.Platform.GL.default/x86_64/24.08extra"
"org.freedesktop.Platform.GL32.default/x86_64/23.08"
"org.freedesktop.Platform.VulkanLayer.MangoHud/x86_64/23.08"
"org.freedesktop.Platform.VulkanLayer.OBSVkCapture/x86_64/23.08"
"org.freedesktop.Platform.VulkanLayer.gamescope/x86_64/22.08"
"org.freedesktop.Platform.VulkanLayer.gamescope/x86_64/23.08"
"org.freedesktop.Platform.VulkanLayer.vkBasalt/x86_64/23.08"
"org.freedesktop.Platform.ffmpeg-full/x86_64/23.08"
"org.freedesktop.Platform.ffmpeg-full/x86_64/24.08"
@ -80,8 +75,6 @@
"org.freedesktop.Platform.openh264/x86_64/2.2.0"
"org.freedesktop.Platform.openh264/x86_64/2.4.1"
"org.freedesktop.Sdk/x86_64/23.08"
"org.gnome.Boxes/x86_64/stable"
"org.gnome.Boxes.Extension.OsinfoDb/x86_64/stable"
"org.gnome.Platform/x86_64/45"
"org.gnome.Platform/x86_64/46"
"org.gnome.Platform/x86_64/47"
@ -110,7 +103,6 @@
{ appId = "org.gimp.GIMP/x86_64/stable"; origin = "fedora"; }
{ appId = "org.kde.kontact/x86_64/stable"; origin = "fedora"; }
{ appId = "org.kde.neochat/x86_64/stable"; origin = "fedora"; }
{ appId = "org.mozilla.Thunderbird/x86_64/stable"; origin = "fedora"; }
{ appId = "org.fedoraproject.KDE6Platform/x86_64/f40"; origin = "fedora"; }
{ appId = "org.fedoraproject.Platform/x86_64/f40"; origin = "fedora"; }
];
@ -275,6 +267,7 @@
wl-clipboard
base16-schemes
ollama
protonup-ng
pkgs-unstable.fzf
inputs.deploy-rs.defaultPackage.x86_64-linux
];