nki/nix-home
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity

Set up firezone

Browse source
This commit is contained in:
Natsu Kagami 2023-04-27 02:32:10 +02:00
parent 8d8052c5cc
commit 09b62faa4a
Signed by: nki
GPG key ID: 7306B3D3C3AD6E51
6 changed files with 157 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

12
modules/cloud/traefik/config.nix
View file

@ -48,7 +48,7 @@ let
description = "The port that the service is listening on";
};
entrypoints = mkOption {
type = listOf (enum [ "http" "https" "smtp-submission" "smtp-submission-ssl" "imap" ]);
type = listOf (enum [ "http" "https" "smtp-submission" "smtp-submission-ssl" "imap" "wireguard" ]);
default = [ "https" ];
description = "The entrypoints that will serve the host";
};
@ -58,7 +58,7 @@ let
description = "The middlewares to be used with the host.";
};
protocol = mkOption {
type = enum [ "http" "tcp" ];
type = enum [ "http" "tcp" "udp" ];
default = "http";
description = "The protocol of the router and service";
};
@ -82,18 +82,18 @@ let
# Turns a host configuration into dynamic traefik configuration
hostToConfig = name: host: {
"${host.protocol}" = {
routers."${name}-router" = {
routers."${name}-router" = (if (host.protocol != "udp") then {
rule = filterOfHost host;
entryPoints = host.entrypoints;
tls = { certResolver = "le"; } // (if host.protocol == "tcp" then { passthrough = if (host ? tlsPassthrough) then host.tlsPassthrough else true; } else { });
} else { }) // {
entryPoints = host.entrypoints;
service = "${name}-service";
} // (
if host.protocol == "http" then
{ middlewares = lists.imap0 (id: m: "${name}-middleware-${toString id}") host.middlewares; }
else if host.middlewares == [ ] then
{ }
else abort "Cannot have middlewares on tcp routers"
else abort "Cannot have middlewares on non-http routers"
);
services."${name}-service".loadBalancer.servers = [
(

7
modules/cloud/traefik/default.nix
View file

@ -61,6 +61,8 @@ in
entrypoints.imap.address = ":993";
entrypoints.smtp-submission.address = ":587";
entrypoints.smtp-submission-ssl.address = ":465";
## Wireguard
entrypoints.wireguard.address = ":51820/udp";
# Logging
# -------
@ -84,5 +86,8 @@ in
# Set up firewall to allow traefik traffic.
config.networking.firewall.allowedTCPPorts = [ 80 443 993 587 465 ];
config.networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC
config.networking.firewall.allowedUDPPorts = [
443 # QUIC
51820 # Wireguard
];
}