feat(traefik): setup traefik with agenix for secrets.

2025-05-04 09:09:14 +02:00 · 2025-05-04 09:09:14 +02:00 · 3a0f504534
commit 3a0f504534
parent 8202be48ab
7 changed files with 208 additions and 27 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,8 +1,29 @@
 {
  "nodes": {
    "agenix": {
      "inputs": {
        "darwin": "darwin",
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs",
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1745630506,
        "narHash": "sha256-bHCFgGeu8XjWlVuaWzi3QONjDW3coZDqSHvnd4l7xus=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "96e078c646b711aee04b82ba01aefbff87004ded",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "auto-cpufreq": {
      "inputs": {
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
        "lastModified": 1745403023,
@ -85,10 +106,32 @@
        "type": "github"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1744478979,
        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_3",
        "utils": "utils"
      },
      "locked": {
@ -304,7 +347,7 @@
    },
    "flake-utils": {
      "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1731533236,
@ -322,7 +365,7 @@
    },
    "flake-utils_2": {
      "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_5"
      },
      "locked": {
        "lastModified": 1731533236,
@ -551,6 +594,27 @@
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1745494811,
        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
@ -570,7 +634,7 @@
        "type": "github"
      }
    },
-    "home-manager_2": {
+    "home-manager_3": {
      "inputs": {
        "nixpkgs": [
          "stylix",
@ -594,7 +658,7 @@
    "iamb": {
      "inputs": {
        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_4",
        "rust-overlay": "rust-overlay"
      },
      "locked": {
@ -628,7 +692,7 @@
    },
    "nbfc-linux": {
      "inputs": {
-        "nixpkgs": "nixpkgs_5",
+        "nixpkgs": "nixpkgs_6",
        "utils": "utils_2"
      },
      "locked": {
@ -653,7 +717,7 @@
        "git-hooks": "git-hooks_2",
        "hercules-ci-effects": "hercules-ci-effects",
        "neovim-src": "neovim-src",
-        "nixpkgs": "nixpkgs_6",
+        "nixpkgs": "nixpkgs_7",
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
@ -801,16 +865,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1746206129,
+        "lastModified": 1745391562,
-        "narHash": "sha256-JA4DynBKhY7t4DdJZTuomRLAiXFDUgCGGwxgt+XGiik=",
+        "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9a7caecf30a0494c88b7daeeed29244cd9a52e7d",
+        "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -863,6 +927,22 @@
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1746206129,
        "narHash": "sha256-JA4DynBKhY7t4DdJZTuomRLAiXFDUgCGGwxgt+XGiik=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "9a7caecf30a0494c88b7daeeed29244cd9a52e7d",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1702272962,
        "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
@ -878,7 +958,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_3": {
+    "nixpkgs_4": {
      "locked": {
        "lastModified": 1746141548,
        "narHash": "sha256-IgBWhX7A2oJmZFIrpRuMnw5RAufVnfvOgHWgIdds+hc=",
@ -894,7 +974,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_4": {
+    "nixpkgs_5": {
      "locked": {
        "lastModified": 1736320768,
        "narHash": "sha256-nIYdTAiKIGnFNugbomgBJR+Xv5F1ZQU+HfaBqJKroC0=",
@ -910,7 +990,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_5": {
+    "nixpkgs_6": {
      "locked": {
        "lastModified": 1705957679,
        "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=",
@ -926,7 +1006,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_6": {
+    "nixpkgs_7": {
      "locked": {
        "lastModified": 1746061036,
        "narHash": "sha256-OxYwCGJf9VJ2KnUO+w/hVJVTjOgscdDg/lPv8Eus07Y=",
@ -942,7 +1022,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_7": {
+    "nixpkgs_8": {
      "locked": {
        "lastModified": 1746141548,
        "narHash": "sha256-IgBWhX7A2oJmZFIrpRuMnw5RAufVnfvOgHWgIdds+hc=",
@ -958,7 +1038,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_8": {
+    "nixpkgs_9": {
      "locked": {
        "lastModified": 1746206129,
        "narHash": "sha256-JA4DynBKhY7t4DdJZTuomRLAiXFDUgCGGwxgt+XGiik=",
@ -1057,8 +1137,8 @@
        "flake-utils": "flake-utils_2",
        "mnw": "mnw",
        "nil": "nil",
-        "nixpkgs": "nixpkgs_8",
+        "nixpkgs": "nixpkgs_9",
-        "systems": "systems_5"
+        "systems": "systems_6"
      },
      "locked": {
        "lastModified": 1746052492,
@ -1076,25 +1156,26 @@
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "auto-cpufreq": "auto-cpufreq",
        "deploy-rs": "deploy-rs",
        "disko": "disko",
        "git-hooks": "git-hooks",
-        "home-manager": "home-manager",
+        "home-manager": "home-manager_2",
        "iamb": "iamb",
        "nbfc-linux": "nbfc-linux",
        "neovim-nightly-overlay": "neovim-nightly-overlay",
        "nix-flatpak": "nix-flatpak",
        "nix-index-database": "nix-index-database",
        "nix-on-droid": "nix-on-droid",
-        "nixpkgs": "nixpkgs_7",
+        "nixpkgs": "nixpkgs_8",
        "nvf": "nvf",
        "stylix": "stylix"
      }
    },
    "rust-overlay": {
      "inputs": {
-        "nixpkgs": "nixpkgs_4"
+        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
        "lastModified": 1736994333,
@ -1159,12 +1240,12 @@
        "flake-utils": "flake-utils_3",
        "git-hooks": "git-hooks_3",
        "gnome-shell": "gnome-shell",
-        "home-manager": "home-manager_2",
+        "home-manager": "home-manager_3",
        "nixpkgs": [
          "nixpkgs"
        ],
        "nur": "nur",
-        "systems": "systems_6",
+        "systems": "systems_7",
        "tinted-foot": "tinted-foot",
        "tinted-kitty": "tinted-kitty",
        "tinted-schemes": "tinted-schemes",
@ -1275,6 +1356,21 @@
        "type": "github"
      }
    },
    "systems_7": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "tinted-foot": {
      "flake": false,
      "locked": {
@ -1402,7 +1498,7 @@
    },
    "utils": {
      "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1701680307,
@ -1420,7 +1516,7 @@
    },
    "utils_2": {
      "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1710146030,
--- a/flake.nix
+++ b/flake.nix
@ -70,6 +70,9 @@
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # secrets management
    agenix.url = "github:ryantm/agenix";
  };
  outputs = {
@ -81,6 +84,7 @@
    nix-on-droid,
    deploy-rs,
    disko,
    agenix,
    ...
  } @ inputs: {
    deploy.nodes = {
@ -151,6 +155,7 @@
        system = "x86_64-linux";
        modules = [
          disko.nixosModules.disko
          agenix.nixosModules.default
          ./hosts/heimdall/configuration.nix
          ./modules/servers/general
        ];
--- a/modules/servers/general/default.nix
+++ b/modules/servers/general/default.nix
@ -2,5 +2,7 @@
  imports = [
    ./openssh.nix
    ./user.nix
    ./traefik.nix
    ./secrets.nix
  ];
 }
--- a/modules/servers/general/secrets.nix
+++ b/modules/servers/general/secrets.nix
@ -0,0 +1,10 @@
 {
  age = {
    secrets = {
      traefik = {
        file = ../../../secrets/traefik.age;
        owner = "traefik";
      };
    };
  };
 }
--- a/modules/servers/general/traefik.nix
+++ b/modules/servers/general/traefik.nix
@ -0,0 +1,44 @@
 {config, ...}: {
  services.traefik = {
    enable = true;
    staticConfigOptions = {
      log = {level = "WARN";};
      certifiedResolvers = {
        porkbun = {
          acme = {
            email = "crony@cronyakatsuki.xyz";
            storage = "/var/lib/traefik/acme.json";
            caserver = "https://acme-v02.api.letsencrypt.org/directory";
            dnsChallenge = {
              provider = "porkbun";
              resolvers = ["1.1.1.1" "8.8.8.8"];
              propagation = {
                delayBeforeChecks = 60;
                disableChecks = true;
              };
            };
          };
        };
      };
      api = {};
      entryPoints = {
        web = {
          address = ":80";
          http.redirections.entryPoint = {
            to = "websecure";
            scheme = "https";
          };
        };
        websecure = {
          address = ":443";
        };
      };
    };
  };
  systemd.services.traefik.serviceConfig = {
    EnvironmentFile = ["${config.age.secrets.traefik.path}"];
  };
  networking.firewall.allowedTCPPorts = [80 443];
 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,14 @@
 let
  # SYSTEMS
  heimdall = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBs+qYjpeAEHPFUQeatNkhKbXz8+A1VAl21jgifDYJK8";
  # USERS
  root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJLduAXHWJiglmfRfkBGKffzVWkJP6porxIzw6+Zz3W crony@cronyakatsuki.xyz";
  users = [
    root
  ];
  systems = [heimdall];
 in {
  "traefik.age".publicKeys = systems ++ users;
 }
--- a/secrets/traefik.age
+++ b/secrets/traefik.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 2P4nKw CaE3sUgbIClEZY6Xkrnsr26t2eGMuJPlJoD4ixffW0M
 kU5M5TBIHh8xArHBr87utkRoYse+gHCEf42H2EmVU1c
 -> ssh-ed25519 fd/ZLQ yAREQd2/RBMUUbs6Lc+QphbauMCiRH+2yokiGgYW5h0
 LC0I8VUGBRv7yjLOOw+nBqyHIdx1GpKK25CkVW9hNA4
 -> ssh-ed25519 fd/ZLQ /2mIrJ2wNqM2tN/QrlLYYkqBexcNxAKNMdIozJ9oxHY
 1c7FAlidX1ryL5NoEMCXoeBacLydSyxrkbbm+fVOdOk
 --- /EGBdabi8vFSbWYUKQwMUWlndJ5jQUcYIGl43a4/bFk
 Q'"×Ó´4ñ½OAËÙŽJçÁ	§S_È2|½\Œqã“¢c®øÞ<Ì{ýY(ÐÊ±˜ì¤Ð“þx'åîÜÛŒ1XÑ‚6aE¿¨3ÇŠfj%FÖ<46>òˆ~ôos%¾päLuX`ü‹“Ÿ>btDCBD<42>]jÊåÀð/€sË‚óôÕ$}®
Ð²¼nJR¦þþŽh”€?ã1x’O
Œk%"Ò³¶gÒ´°Ó¶›“ˆ\Úl_<6C>~'<½%Ýl§ÇóÙ½ô¾
 M¶ô
ŸlyzökÑi™éúÝãŠÄÒš¶€Ìo