From 3a0f504534bf2d2ddfb94f1c386f26cd985bdce4 Mon Sep 17 00:00:00 2001 From: Crony Akatsuki Date: Sun, 4 May 2025 09:09:14 +0200 Subject: [PATCH] feat(traefik): setup traefik with agenix for secrets. --- flake.lock | 150 +++++++++++++++++++++++----- flake.nix | 5 + modules/servers/general/default.nix | 2 + modules/servers/general/secrets.nix | 10 ++ modules/servers/general/traefik.nix | 44 ++++++++ secrets/secrets.nix | 14 +++ secrets/traefik.age | 10 ++ 7 files changed, 208 insertions(+), 27 deletions(-) create mode 100644 modules/servers/general/secrets.nix create mode 100644 modules/servers/general/traefik.nix create mode 100644 secrets/secrets.nix create mode 100644 secrets/traefik.age diff --git a/flake.lock b/flake.lock index a668715..dd1f927 100644 --- a/flake.lock +++ b/flake.lock @@ -1,8 +1,29 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1745630506, + "narHash": "sha256-bHCFgGeu8XjWlVuaWzi3QONjDW3coZDqSHvnd4l7xus=", + "owner": "ryantm", + "repo": "agenix", + "rev": "96e078c646b711aee04b82ba01aefbff87004ded", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "auto-cpufreq": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1745403023, 
@@ -85,10 +106,32 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "deploy-rs": { "inputs": { "flake-compat": "flake-compat", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "utils": "utils" }, "locked": { @@ -304,7 +347,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -322,7 +365,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1731533236, @@ -551,6 +594,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -570,7 +634,7 @@ "type": "github" } }, - "home-manager_2": { + "home-manager_3": { "inputs": { "nixpkgs": [ "stylix", @@ -594,7 +658,7 @@ "iamb": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "rust-overlay": "rust-overlay" }, "locked": { @@ -628,7 +692,7 @@ }, "nbfc-linux": { "inputs": { - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_6", "utils": "utils_2" }, "locked": { 
@@ -653,7 +717,7 @@ "git-hooks": "git-hooks_2", "hercules-ci-effects": "hercules-ci-effects", "neovim-src": "neovim-src", - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_7", "treefmt-nix": "treefmt-nix" }, "locked": { @@ -801,16 +865,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1746206129, - "narHash": "sha256-JA4DynBKhY7t4DdJZTuomRLAiXFDUgCGGwxgt+XGiik=", + "lastModified": 1745391562, + "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9a7caecf30a0494c88b7daeeed29244cd9a52e7d", + "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -863,6 +927,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1746206129, + "narHash": "sha256-JA4DynBKhY7t4DdJZTuomRLAiXFDUgCGGwxgt+XGiik=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9a7caecf30a0494c88b7daeeed29244cd9a52e7d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1702272962, "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", @@ -878,7 +958,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1746141548, "narHash": "sha256-IgBWhX7A2oJmZFIrpRuMnw5RAufVnfvOgHWgIdds+hc=", @@ -894,7 +974,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1736320768, "narHash": "sha256-nIYdTAiKIGnFNugbomgBJR+Xv5F1ZQU+HfaBqJKroC0=", @@ -910,7 +990,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1705957679, "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", @@ -926,7 +1006,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1746061036, "narHash": "sha256-OxYwCGJf9VJ2KnUO+w/hVJVTjOgscdDg/lPv8Eus07Y=", 
@@ -942,7 +1022,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1746141548, "narHash": "sha256-IgBWhX7A2oJmZFIrpRuMnw5RAufVnfvOgHWgIdds+hc=", @@ -958,7 +1038,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_9": { "locked": { "lastModified": 1746206129, "narHash": "sha256-JA4DynBKhY7t4DdJZTuomRLAiXFDUgCGGwxgt+XGiik=", @@ -1057,8 +1137,8 @@ "flake-utils": "flake-utils_2", "mnw": "mnw", "nil": "nil", - "nixpkgs": "nixpkgs_8", - "systems": "systems_5" + "nixpkgs": "nixpkgs_9", + "systems": "systems_6" }, "locked": { "lastModified": 1746052492, @@ -1076,25 +1156,26 @@ }, "root": { "inputs": { + "agenix": "agenix", "auto-cpufreq": "auto-cpufreq", "deploy-rs": "deploy-rs", "disko": "disko", "git-hooks": "git-hooks", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "iamb": "iamb", "nbfc-linux": "nbfc-linux", "neovim-nightly-overlay": "neovim-nightly-overlay", "nix-flatpak": "nix-flatpak", "nix-index-database": "nix-index-database", "nix-on-droid": "nix-on-droid", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_8", "nvf": "nvf", "stylix": "stylix" } }, "rust-overlay": { "inputs": { - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1736994333, @@ -1159,12 +1240,12 @@ "flake-utils": "flake-utils_3", "git-hooks": "git-hooks_3", "gnome-shell": "gnome-shell", - "home-manager": "home-manager_2", + "home-manager": "home-manager_3", "nixpkgs": [ "nixpkgs" ], "nur": "nur", - "systems": "systems_6", + "systems": "systems_7", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", 
@@ -1275,6 +1356,21 @@ "type": "github" } }, + "systems_7": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tinted-foot": { "flake": false, "locked": { @@ -1402,7 +1498,7 @@ }, "utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1701680307, @@ -1420,7 +1516,7 @@ }, "utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1710146030,
diff --git a/flake.nix b/flake.nix
index 01e4132..418f18f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -70,6 +70,9 @@
 url = "github:nix-community/disko";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+
+ # secrets management
+ agenix.url = "github:ryantm/agenix";
 };
 
 outputs = {
@@ -81,6 +84,7 @@
 nix-on-droid,
 deploy-rs,
 disko,
+ agenix,
 ...
 } @ inputs: {
 deploy.nodes = {
@@ -151,6 +155,7 @@
 system = "x86_64-linux";
 modules = [
 disko.nixosModules.disko
+ agenix.nixosModules.default
 ./hosts/heimdall/configuration.nix
 ./modules/servers/general
 ];
diff --git a/modules/servers/general/default.nix b/modules/servers/general/default.nix
index 3f83ec3..ebb1a57 100644
--- a/modules/servers/general/default.nix
+++ b/modules/servers/general/default.nix
@@ -2,5 +2,7 @@
 imports = [
 ./openssh.nix
 ./user.nix
+ ./traefik.nix
+ ./secrets.nix
 ];
 }
diff --git a/modules/servers/general/secrets.nix b/modules/servers/general/secrets.nix
new file mode 100644
index 0000000..edf22d0
--- /dev/null
+++ b/modules/servers/general/secrets.nix
@@ -0,0 +1,10 @@
+{
+ age = {
+ secrets = {
+ traefik = {
+ file = ../../../secrets/traefik.age;
+ owner = "traefik";
+ };
+ };
+ };
+}
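Review bot: The new `agenix.url = "github:ryantm/agenix";` input does not pin agenix's nixpkgs to this flake's own, unlike the `disko` input directly above it that sets `inputs.nixpkgs.follows = "nixpkgs"`; the flake.lock hunks in this same commit show the consequence, a second nixpkgs revision plus nix-darwin and a second home-manager locked purely for agenix. Every extra locked input is another upstream to track for updates and a larger dependency graph to audit. I would write the input as `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };`. agenix's README also shows `inputs.darwin.follows = "";` for Linux-only use, which would drop the nix-darwin node as well; worth confirming against the agenix revision locked here.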
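Review bot: The `traefik` secret is declared without any statement of what the decrypted file contains, and since `secrets/traefik.age` is ciphertext a reader cannot find out from the repository; the traefik module added in this commit loads it through systemd `EnvironmentFile`, so a comment above `traefik = {` such as `# Environment file for traefik: the Porkbun API credentials the dnsChallenge provider reads (loaded via EnvironmentFile in traefik.nix)` would make the coupling between the two modules explicit. As far as I know `EnvironmentFile` is read by systemd itself before the service drops to its `User`, so `owner = "traefik"` is not what grants access here; it is harmless, but a short comment on why that owner was chosen would stop the next reader from assuming it is required.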
diff --git a/modules/servers/general/traefik.nix b/modules/servers/general/traefik.nix
new file mode 100644
index 0000000..6fbd6a4
--- /dev/null
+++ b/modules/servers/general/traefik.nix
@@ -0,0 +1,44 @@
+{config, ...}: {
+ services.traefik = {
+ enable = true;
+ staticConfigOptions = {
+ log = {level = "WARN";};
+ certifiedResolvers = {
+ porkbun = {
+ acme = {
+ email = "crony@cronyakatsuki.xyz";
+ storage = "/var/lib/traefik/acme.json";
+ caserver = "https://acme-v02.api.letsencrypt.org/directory";
+ dnsChallenge = {
+ provider = "porkbun";
+ resolvers = ["1.1.1.1" "8.8.8.8"];
+ propagation = {
+ delayBeforeChecks = 60;
+ disableChecks = true;
+ };
+ };
+ };
+ };
+ };
+ api = {};
+ entryPoints = {
+ web = {
+ address = ":80";
+ http.redirections.entryPoint = {
+ to = "websecure";
+ scheme = "https";
+ };
+ };
+ websecure = {
+ address = ":443";
+ };
+ };
+ };
+ };
+
+ systemd.services.traefik.serviceConfig = {
+ EnvironmentFile = ["${config.age.secrets.traefik.path}"];
+ };
+
+ networking.firewall.allowedTCPPorts = [80 443];
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..7d9c34a
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,14 @@
+let
+ # SYSTEMS
+ heimdall = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBs+qYjpeAEHPFUQeatNkhKbXz8+A1VAl21jgifDYJK8";
+
+ # USERS
+ root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJLduAXHWJiglmfRfkBGKffzVWkJP6porxIzw6+Zz3W crony@cronyakatsuki.xyz";
+
+ users = [
+ root
+ ];
+ systems = [heimdall];
+in {
+ "traefik.age".publicKeys = systems ++ users;
+}
diff --git a/secrets/traefik.age b/secrets/traefik.age
new file mode 100644
index 0000000..9904f2a
--- /dev/null
+++ b/secrets/traefik.age
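Review bot: `certifiedResolvers = {` is not a Traefik static-configuration key; the documented section is `certificatesResolvers`, and because `staticConfigOptions` is a freeform attribute set that is serialized into Traefik's static config file as-is, NixOS evaluation will not catch the typo. The effect is that the `porkbun` ACME resolver is never registered, and as far as I recall Traefik rejects unknown static-config fields at startup, which would keep the service from coming up at all; the change line is `certificatesResolvers = {`. Two smaller points while here: `caserver` would read better as `caServer` to match the camelCase of `dnsChallenge` and `delayBeforeChecks` (Traefik's parser matches keys case-insensitively, so this is style only), and `api = {}` turns on the API/dashboard with nothing in this commit routing to it, so a comment stating whether that is intended, and that any future router to it needs an authentication middleware in front, would help the next reader.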
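Review bot: Under `# USERS` the key is bound as `root` but its comment field is `crony@cronyakatsuki.xyz`, so the name suggests the host's root account while the value is presumably a personal editing key; someone auditing who can decrypt `traefik.age` has to notice that mismatch. Naming the binding after the key holder, `crony = "ssh-ed25519 ...";` with `users = [crony];`, keeps the recipient list self-describing. Listing both the host key and a personal key as recipients is the usual agenix layout, so nothing to change there.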
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 2P4nKw CaE3sUgbIClEZY6Xkrnsr26t2eGMuJPlJoD4ixffW0M +kU5M5TBIHh8xArHBr87utkRoYse+gHCEf42H2EmVU1c +-> ssh-ed25519 fd/ZLQ yAREQd2/RBMUUbs6Lc+QphbauMCiRH+2yokiGgYW5h0 +LC0I8VUGBRv7yjLOOw+nBqyHIdx1GpKK25CkVW9hNA4 +-> ssh-ed25519 fd/ZLQ /2mIrJ2wNqM2tN/QrlLYYkqBexcNxAKNMdIozJ9oxHY +1c7FAlidX1ryL5NoEMCXoeBacLydSyxrkbbm+fVOdOk +--- /EGBdabi8vFSbWYUKQwMUWlndJ5jQUcYIGl43a4/bFk +Q'"Ӵ4OAَJ S_2|\q㓢c<{Y(Гx'ی1Xт6aE3NJfj%F֐~os%pLuX`>btDCBD]j/s˂$} вnJRh?1xO k%"ҳgҴӶ\l_~'<%lٽ +M lyzki Қo \ No newline at end of file