# Module: roles/appserver
#
# Turns the host into an application server: Docker engine plus a Traefik edge
# proxy that discovers containers through the Docker socket and obtains TLS
# certificates via the tailscale resolver. Metrics are exposed on a dedicated
# entrypoint and scraped locally by Alloy.
{
  config,
  lib,
  pkgs,
  pkgsUnstable,
  inputs,
  ...
}:

let
  inherit (lib) mkEnableOption mkIf;

  cfg = config.appserver;

  # Port of the Traefik entrypoint that serves Prometheus metrics. Used both
  # for the entrypoint address and for the Alloy scrape target so the two
  # cannot drift apart.
  metricsPort = 8082;

  # Source range from which PROXY protocol headers and X-Forwarded-* headers
  # are honoured; from any other source Traefik does not trust them.
  # Presumably the tailnet (it lies in the CGNAT space tailscale uses).
  trustedRange = "100.64.10.0/23";

  dockerSocket = "/run/docker.sock";
in
{
  options.appserver.enable = mkEnableOption "Enables appserver role";

  config = mkIf cfg.enable {
    dockerserver.enable = true;

    # Traefik discovers backends by talking to the Docker API over the socket.
    # NOTE(review): membership in the docker group is root-equivalent on the
    # host (the API can start privileged containers and mount host paths), so
    # the traefik service account must be regarded as privileged. A read-only
    # Docker API socket proxy would narrow this; not configured here.
    users.users.traefik.extraGroups = [ "docker" ];

    # Allows the traefik user to request certificates from the local tailscaled.
    services.tailscale.permitCertUid = "traefik";

    # Makes the socket visible inside the traefik service's mount namespace.
    # "ReadOnly" constrains the mount, not the API: a unix socket on a
    # read-only mount can still be connected to, so the Docker API surface
    # reachable from traefik is unchanged by this flag.
    systemd.services.traefik.serviceConfig.BindReadOnlyPaths = [ dockerSocket ];

    services.traefik = {
      enable = true;
      package = pkgsUnstable.traefik;

      staticConfigOptions = {
        entryPoints = {
          # Plain HTTP. Default entrypoint for routers that do not name one;
          # every request passes the circuit breaker defined in the dynamic
          # configuration below.
          web = {
            address = ":80";
            asDefault = true;
            forwardedHeaders.trustedIPs = [ trustedRange ];
            proxyProtocol.trustedIPs = [ trustedRange ];
            http.middlewares = [ "limiter@file" ];
          };

          # TLS. Certificates come from the "tailscale" resolver declared below.
          websecure = {
            address = ":443";
            proxyProtocol.trustedIPs = [ trustedRange ];
            http.tls.certResolver = "tailscale";
            http3.advertisedPort = 443;
          };

          # Metrics. Binds on all interfaces although the scraper below uses
          # loopback; use "127.0.0.1:${toString metricsPort}" if the metrics
          # must never be reachable over the network.
          prometheus.address = ":${toString metricsPort}";
        };

        providers.docker = {
          endpoint = "unix://${dockerSocket}";
          # Containers have to opt in explicitly; nothing is published by
          # accident just because it is running.
          exposedByDefault = false;
          network = "proxy";
          watch = true;
        };

        certificatesResolvers.tailscale."tailscale" = { };
      };

      # Circuit breaker referenced as "limiter@file" on the web entrypoint:
      # trips when the median latency exceeds 750 ms or when more than 30 %
      # of responses are 5xx.
      dynamicConfigOptions.http.middlewares.limiter.circuitBreaker.expression =
        "LatencyAtQuantileMS(50.0) > 750 || ResponseCodeRatio(500, 600, 0, 600) > 0.30";
    };

    # Alloy scrape job for the metrics entrypoint. Assumes an Alloy instance
    # that loads /etc/alloy and defines prometheus.remote_write "default" —
    # both are expected to be configured by another module.
    environment.etc."alloy/traefik.alloy".text = ''
      prometheus.scrape "traefik_scrape" {
        targets = [
          {
            "__address__" = "127.0.0.1:${toString metricsPort}",
          },
        ]

        forward_to = [prometheus.remote_write.default.receiver]
        job_name = "traefik"
      }
    '';
  };
}
|