crony/nix-conf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(traefik): setup traefik with agenix for secrets.

Browse Source
This commit is contained in:
CronyAkatsuki 2025-05-04 09:09:14 +02:00
parent 8202be48ab
commit 3a0f504534
7 changed files with 208 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

150
flake.lock generated
View File

@ -1,8 +1,29 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"systems": "systems"
},
"locked": {
"lastModified": 1745630506,
"narHash": "sha256-bHCFgGeu8XjWlVuaWzi3QONjDW3coZDqSHvnd4l7xus=",
"owner": "ryantm",
"repo": "agenix",
"rev": "96e078c646b711aee04b82ba01aefbff87004ded",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"auto-cpufreq": {
"inputs": {
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1745403023,
@ -85,10 +106,32 @@
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs_2",
"nixpkgs": "nixpkgs_3",
"utils": "utils"
},
"locked": {
@ -304,7 +347,7 @@
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
@ -322,7 +365,7 @@
},
"flake-utils_2": {
"inputs": {
"systems": "systems_4"
"systems": "systems_5"
},
"locked": {
"lastModified": 1731533236,
@ -551,6 +594,27 @@
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
@ -570,7 +634,7 @@
"type": "github"
}
},
"home-manager_2": {
"home-manager_3": {
"inputs": {
"nixpkgs": [
"stylix",
@ -594,7 +658,7 @@
"iamb": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_4",
"rust-overlay": "rust-overlay"
},
"locked": {
@ -628,7 +692,7 @@
},
"nbfc-linux": {
"inputs": {
"nixpkgs": "nixpkgs_5",
"nixpkgs": "nixpkgs_6",
"utils": "utils_2"
},
"locked": {
@ -653,7 +717,7 @@
"git-hooks": "git-hooks_2",
"hercules-ci-effects": "hercules-ci-effects",
"neovim-src": "neovim-src",
"nixpkgs": "nixpkgs_6",
"nixpkgs": "nixpkgs_7",
"treefmt-nix": "treefmt-nix"
},
"locked": {
@ -801,16 +865,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1746206129,
"narHash": "sha256-JA4DynBKhY7t4DdJZTuomRLAiXFDUgCGGwxgt+XGiik=",
"lastModified": 1745391562,
"narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9a7caecf30a0494c88b7daeeed29244cd9a52e7d",
"rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
@ -863,6 +927,22 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1746206129,
"narHash": "sha256-JA4DynBKhY7t4DdJZTuomRLAiXFDUgCGGwxgt+XGiik=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9a7caecf30a0494c88b7daeeed29244cd9a52e7d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1702272962,
"narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
@ -878,7 +958,7 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs_4": {
"locked": {
"lastModified": 1746141548,
"narHash": "sha256-IgBWhX7A2oJmZFIrpRuMnw5RAufVnfvOgHWgIdds+hc=",
@ -894,7 +974,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_5": {
"locked": {
"lastModified": 1736320768,
"narHash": "sha256-nIYdTAiKIGnFNugbomgBJR+Xv5F1ZQU+HfaBqJKroC0=",
@ -910,7 +990,7 @@
"type": "github"
}
},
"nixpkgs_5": {
"nixpkgs_6": {
"locked": {
"lastModified": 1705957679,
"narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=",
@ -926,7 +1006,7 @@
"type": "github"
}
},
"nixpkgs_6": {
"nixpkgs_7": {
"locked": {
"lastModified": 1746061036,
"narHash": "sha256-OxYwCGJf9VJ2KnUO+w/hVJVTjOgscdDg/lPv8Eus07Y=",
@ -942,7 +1022,7 @@
"type": "github"
}
},
"nixpkgs_7": {
"nixpkgs_8": {
"locked": {
"lastModified": 1746141548,
"narHash": "sha256-IgBWhX7A2oJmZFIrpRuMnw5RAufVnfvOgHWgIdds+hc=",
@ -958,7 +1038,7 @@
"type": "github"
}
},
"nixpkgs_8": {
"nixpkgs_9": {
"locked": {
"lastModified": 1746206129,
"narHash": "sha256-JA4DynBKhY7t4DdJZTuomRLAiXFDUgCGGwxgt+XGiik=",
@ -1057,8 +1137,8 @@
"flake-utils": "flake-utils_2",
"mnw": "mnw",
"nil": "nil",
"nixpkgs": "nixpkgs_8",
"systems": "systems_5"
"nixpkgs": "nixpkgs_9",
"systems": "systems_6"
},
"locked": {
"lastModified": 1746052492,
@ -1076,25 +1156,26 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"auto-cpufreq": "auto-cpufreq",
"deploy-rs": "deploy-rs",
"disko": "disko",
"git-hooks": "git-hooks",
"home-manager": "home-manager",
"home-manager": "home-manager_2",
"iamb": "iamb",
"nbfc-linux": "nbfc-linux",
"neovim-nightly-overlay": "neovim-nightly-overlay",
"nix-flatpak": "nix-flatpak",
"nix-index-database": "nix-index-database",
"nix-on-droid": "nix-on-droid",
"nixpkgs": "nixpkgs_7",
"nixpkgs": "nixpkgs_8",
"nvf": "nvf",
"stylix": "stylix"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": "nixpkgs_4"
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1736994333,
@ -1159,12 +1240,12 @@
"flake-utils": "flake-utils_3",
"git-hooks": "git-hooks_3",
"gnome-shell": "gnome-shell",
"home-manager": "home-manager_2",
"home-manager": "home-manager_3",
"nixpkgs": [
"nixpkgs"
],
"nur": "nur",
"systems": "systems_6",
"systems": "systems_7",
"tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty",
"tinted-schemes": "tinted-schemes",
@ -1275,6 +1356,21 @@
"type": "github"
}
},
"systems_7": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tinted-foot": {
"flake": false,
"locked": {
@ -1402,7 +1498,7 @@
},
"utils": {
"inputs": {
"systems": "systems"
"systems": "systems_2"
},
"locked": {
"lastModified": 1701680307,
@ -1420,7 +1516,7 @@
},
"utils_2": {
"inputs": {
"systems": "systems_3"
"systems": "systems_4"
},
"locked": {
"lastModified": 1710146030,

5
flake.nix
View File

@ -70,6 +70,9 @@
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
# secrets management
agenix.url = "github:ryantm/agenix";
};
outputs = {
@ -81,6 +84,7 @@
nix-on-droid,
deploy-rs,
disko,
agenix,
...
} @ inputs: {
deploy.nodes = {
@ -151,6 +155,7 @@
system = "x86_64-linux";
modules = [
disko.nixosModules.disko
agenix.nixosModules.default
./hosts/heimdall/configuration.nix
./modules/servers/general
];

2
modules/servers/general/default.nix
View File

@ -2,5 +2,7 @@
imports = [
./openssh.nix
./user.nix
./traefik.nix
./secrets.nix
];
}

10
modules/servers/general/secrets.nix Normal file
View File

@ -0,0 +1,10 @@
{
age = {
secrets = {
traefik = {
file = ../../../secrets/traefik.age;
owner = "traefik";
};
};
};
}

44
modules/servers/general/traefik.nix Normal file
View File

@ -0,0 +1,44 @@
{config, ...}: {
services.traefik = {
enable = true;
staticConfigOptions = {
log = {level = "WARN";};
certifiedResolvers = {
porkbun = {
acme = {
email = "crony@cronyakatsuki.xyz";
storage = "/var/lib/traefik/acme.json";
caserver = "https://acme-v02.api.letsencrypt.org/directory";
dnsChallenge = {
provider = "porkbun";
resolvers = ["1.1.1.1" "8.8.8.8"];
propagation = {
delayBeforeChecks = 60;
disableChecks = true;
};
};
};
};
};
api = {};
entryPoints = {
web = {
address = ":80";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":443";
};
};
};
};
systemd.services.traefik.serviceConfig = {
EnvironmentFile = ["${config.age.secrets.traefik.path}"];
};
networking.firewall.allowedTCPPorts = [80 443];
}

14
secrets/secrets.nix Normal file
View File

@ -0,0 +1,14 @@
let
# SYSTEMS
heimdall = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBs+qYjpeAEHPFUQeatNkhKbXz8+A1VAl21jgifDYJK8";
# USERS
root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJLduAXHWJiglmfRfkBGKffzVWkJP6porxIzw6+Zz3W crony@cronyakatsuki.xyz";
users = [
root
];
systems = [heimdall];
in {
"traefik.age".publicKeys = systems ++ users;
}

10
secrets/traefik.age Normal file
View File

@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 2P4nKw CaE3sUgbIClEZY6Xkrnsr26t2eGMuJPlJoD4ixffW0M
kU5M5TBIHh8xArHBr87utkRoYse+gHCEf42H2EmVU1c
-> ssh-ed25519 fd/ZLQ yAREQd2/RBMUUbs6Lc+QphbauMCiRH+2yokiGgYW5h0
LC0I8VUGBRv7yjLOOw+nBqyHIdx1GpKK25CkVW9hNA4
-> ssh-ed25519 fd/ZLQ /2mIrJ2wNqM2tN/QrlLYYkqBexcNxAKNMdIozJ9oxHY
1c7FAlidX1ryL5NoEMCXoeBacLydSyxrkbbm+fVOdOk
--- /EGBdabi8vFSbWYUKQwMUWlndJ5jQUcYIGl43a4/bFk
Q'"×Ó´4ñ½OAËÙŽJçÁ §S_È2|½\Œqã“¢c®øÞ<Ì{ýY(Ðʱ˜ì¤Ð“þx'åîÜÛŒ1XÑ6aE¿¨3ÇŠfj%FÖ<46>òˆ~ôos%¾päLuX`ü‹“Ÿ>btDCBD<42>]jÊåÀð/€sËó­ôÕ$}® в¼nJR¦þþŽh”€?ã1xO Œk%"Ò³¶gÒ´°Ó¶ˆ\Úl_<6C>~'<½%Ýl§ÇóÙ½ô¾
M¶ô ŸlyzökÑi™éúÝ㊠ÄÒš¶€Ìo