Priliminary support for traefik

2021-10-31 17:37:04 -04:00 · 2021-10-31 17:37:04 -04:00 · 181f6bc408
commit 181f6bc408
parent 6efb74062b
4 changed files with 92 additions and 4 deletions
--- a/modules/cloud/postgresql/default.nix
+++ b/modules/cloud/postgresql/default.nix
@ -0,0 +1,42 @@
+{ pkgs, config, lib, ... } :
+
+with lib;
+let
+  cfg = config.cloud.postgresql;
+
+  # From a database name, create an "ensureUser"
+  # entry with the same name and assign all permissions
+  # to that database.
+  userFromDatabase = databaseName : {
+    name = databaseName;
+    ensurePermissions = {
+      "DATABASE ${databaseName}" = "ALL PRIVILEGES";
+    };
+  };
+in
+{
+  options.cloud.postgresql.databases = mkOption {
+    type = types.listOf types.str;
+    default = [];
+    description = ''
+      The list of databases to be created.
+      An user with the same name
+      and full access to the database will be created.
+    '';
+  };
+
+  # PostgreSQL settings.
+  config.services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_13;
+
+    ensureDatabases = cfg.databases;
+
+    ensureUsers = map userFromDatabase cfg.databases;
+  };
+
+  # Backup settings
+  config.services.postgresqlBackup = {
+    enable = true;
+  };
+}
--- a/modules/cloud/traefik/default.nix
+++ b/modules/cloud/traefik/default.nix
@ -0,0 +1,82 @@
+{ pkgs, config, lib, ... } :
+
+with lib;
+let
+  # Copied from traefik.nix
+  jsonValue = with types;
+    let
+      valueType = nullOr (oneOf [
+        bool
+        int
+        float
+        str
+        (lazyAttrsOf valueType)
+        (listOf valueType)
+      ]) // {
+        description = "JSON value";
+        emptyValue.value = { };
+      };
+    in valueType;
+
+  cfg = config.cloud.traefik;
+in
+{
+  options.cloud.traefik = {
+    cloudflareKeyFile = mkOption {
+      type = types.path;
+      description = "The cloudflake private key file, for Let's Encrypt DNS challenge";
+    };
+
+    config = mkOption {
+      type = jsonValue;
+      default = {};
+      description = "The dynamic configuration to be passed to traefik";
+    };
+  };
+  
+  config.services.traefik = {
+    enable = true;
+
+    staticConfigOptions = {
+      # Entrypoints
+      # ------------
+      ## HTTP entrypoint: always redirect to 443
+      entrypoints.http.address = ":80";
+      entrypoints.http.http.redirections.entryPoint = {
+        to = "https";
+        scheme = "https";
+      };
+      ## HTTPS entrypoint: ok!
+      entrypoints.https.address = ":443";
+      ## IMAP and SMTP
+      entrypoints.imap.address = ":993";
+      entrypoints.smtp-submission.address = ":587";
+
+      # Logging
+      # -------
+      accessLog = {};
+      log.level = "info";
+
+      # Dashboard
+      # ---------
+      api.dashboard = true;
+
+      # ACME Automatic SSL
+      # ------------------
+      certificatesResolvers.le.acme = {
+        email = "natsukagami@gmail.com";
+        storage = "/var/lib/traefik/acme.json";
+        dnsChallenge.provider = "cloudflare";
+        dnsChallenge.delayBeforeCheck = 10;
+      };
+    };
+
+    dynamicConfigOptions = {};
+  };
+  # Set up cloudflare key
+  config.systemd.services.traefik.environment.CF_DNS_API_TOKEN_FILE = cfg.cloudflareKeyFile;
+
+  # Set up firewall to allow traefik traffic.
+  config.networking.firewall.allowedTCPPorts = [ 80 443 993 587 ];
+  config.networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC
+}