From ad1e50345c285241207dcfe8015811e0acfc3f47 Mon Sep 17 00:00:00 2001
From: Matt Layher
Date: Fri, 18 Aug 2023 11:15:01 -0400
Subject: [PATCH] nixos/routnerr-3: switch traefik for caddy
---
 nixos/routnerr-3/caddy.nix | 38 +++++++++++++
 nixos/routnerr-3/configuration.nix | 14 +----
 nixos/routnerr-3/networking.nix | 1 +
 nixos/routnerr-3/traefik.nix | 88 ------------------------------
 4 files changed, 40 insertions(+), 101 deletions(-)
 create mode 100644 nixos/routnerr-3/caddy.nix
 delete mode 100644 nixos/routnerr-3/traefik.nix
diff --git a/nixos/routnerr-3/caddy.nix b/nixos/routnerr-3/caddy.nix
new file mode 100644
index 0000000..da8d339
--- /dev/null
+++ b/nixos/routnerr-3/caddy.nix
@@ -0,0 +1,38 @@
+{ ... }:
+
+let
+ secrets = import ./lib/secrets.nix;
+ vars = import ./lib/vars.nix;
+
+in {
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+ "alertmanager.servnerr.com".extraConfig = ''
+ reverse_proxy http://servnerr-4.${vars.domain}:9093
+ basicauth {
+ ${secrets.caddy.alertmanager_auth}
+ }
+ '';
+
+ "grafana.servnerr.com".extraConfig = ''
+ reverse_proxy http://servnerr-4.${vars.domain}:3000
+ '';
+
+ "hass.servnerr.com".extraConfig = ''
+ reverse_proxy http://servnerr-4.${vars.domain}:8123
+ '';
+
+ "plex.servnerr.com".extraConfig = ''
+ reverse_proxy http://servnerr-4.${vars.domain}:32400
+ '';
+
+ "prometheus.servnerr.com".extraConfig = ''
+ reverse_proxy http://servnerr-4.${vars.domain}:9090
+ basicauth {
+ ${secrets.caddy.prometheus_auth}
+ }
+ '';
+ };
+ };
+}
diff --git a/nixos/routnerr-3/configuration.nix b/nixos/routnerr-3/configuration.nix
index 6d774ce..afd6d3e 100644
--- a/nixos/routnerr-3/configuration.nix
+++ b/nixos/routnerr-3/configuration.nix
@@ -19,7 +19,7 @@ in { # Networking daemons. ./coredns.nix ./corerad.nix - ./traefik.nix + ./caddy.nix # Unstable or out-of-tree modules. ./lib/modules/wireguard_exporter.nix
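Review bot: The two `basicauth` blocks in caddy.nix splice `secrets.caddy.alertmanager_auth` and `secrets.caddy.prometheus_auth` directly into `extraConfig`, so whatever those values are, they are rendered into the Caddyfile in the world-readable Nix store. Caddy's basicauth expects `<user> <bcrypt-hash>` pairs, and the htpasswd-style `user:hash` lines the old `secrets.traefik.*` entries fed to Traefik's `basicAuth.users` will not parse, so the renamed secrets presumably were regenerated — confirm they are `caddy hash-password` output and not plaintext. A comment above the first block would pin that expectation for the next edit, e.g. `# <user> <bcrypt hash> from `caddy hash-password`; this lands in /nix/store, never put a plaintext password here`. The removed Traefik config also pinned an ACME contact address (`email = "mdlayher@gmail.com"`), which this file drops; `services.caddy.email` restores the expiry-notice contact.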
@@ -79,18 +79,6 @@ in { wireguard_exporter ]; - # Use server as a remote builder. - nix = { - distributedBuilds = true; - buildMachines = [{ - hostName = "servnerr-4"; - system = "x86_64-linux"; - maxJobs = 16; - speedFactor = 4; - supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; - }]; - }; - services = { # Allow mDNS to reflect between VLANs where necessary for devices such as # Google Home and Chromecast.
diff --git a/nixos/routnerr-3/networking.nix b/nixos/routnerr-3/networking.nix
index ba74430..11f716d 100644
--- a/nixos/routnerr-3/networking.nix
+++ b/nixos/routnerr-3/networking.nix
@@ -245,6 +245,7 @@ in { enable = true; package = unstable.tailscale; interfaceName = "ts0"; + permitCertUid = "caddy"; useRoutingFeatures = "server"; };
diff --git a/nixos/routnerr-3/traefik.nix b/nixos/routnerr-3/traefik.nix
deleted file mode 100644
index 9b62eb3..0000000
--- a/nixos/routnerr-3/traefik.nix
+++ /dev/null
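Review bot: `permitCertUid = "caddy";` in networking.nix lets the caddy service user pull TLS certificates from tailscaled's local API, but nothing in this commit serves a tailnet (`*.ts.net`) name — caddy.nix only declares `*.servnerr.com` virtual hosts, which Caddy will obtain via public ACME. If the grant is groundwork for a later tailnet-only vhost, a one-line comment next to it would make that intent explicit, e.g. `# Allow Caddy to fetch certs for tailnet (ts.net) hostnames via tailscaled.`; otherwise it is a privilege grant with no consumer and can wait until a vhost needs it. The enclosing `services.tailscale` block starts outside the hunk.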
@@ -1,88 +0,0 @@
-{ ... }:
-
-let
- secrets = import ./lib/secrets.nix;
- vars = import ./lib/vars.nix;
-
-in {
- services.traefik = {
- enable = true;
-
- staticConfigOptions = {
- certificatesResolvers.letsencrypt.acme = {
- email = "mdlayher@gmail.com";
- storage = "/var/lib/traefik/acme.json";
- httpChallenge.entryPoint = "http";
- };
-
- entryPoints = {
- # External entry points.
- http = {
- address = ":80";
- http.redirections.entryPoint = {
- to = "https";
- scheme = "https";
- };
- };
- https.address = ":443";
- };
- };
-
- dynamicConfigOptions = {
- http = {
- routers = {
- alertmanager = {
- rule = "Host(`alertmanager.servnerr.com`)";
- middlewares = [ "alertmanager" ];
- service = "alertmanager";
- tls.certResolver = "letsencrypt";
- };
-
- grafana = {
- rule = "Host(`grafana.servnerr.com`)";
- service = "grafana";
- tls.certResolver = "letsencrypt";
- };
-
- hass = {
- rule = "Host(`hass.servnerr.com`)";
- service = "hass";
- tls.certResolver = "letsencrypt";
- };
-
- plex = {
- rule = "Host(`plex.servnerr.com`)";
- service = "plex";
- tls.certResolver = "letsencrypt";
- };
-
- prometheus = {
- rule = "Host(`prometheus.servnerr.com`)";
- middlewares = [ "prometheus" ];
- service = "prometheus";
- tls.certResolver = "letsencrypt";
- };
- };
-
- middlewares = {
- alertmanager.basicAuth.users =
- [ "${secrets.traefik.alertmanager_auth}" ];
- prometheus.basicAuth.users = [ "${secrets.traefik.prometheus_auth}" ];
- };
-
- services = {
- alertmanager.loadBalancer.servers =
- [{ url = "http://servnerr-4.${vars.domain}:9093"; }];
- grafana.loadBalancer.servers =
- [{ url = "http://servnerr-4.${vars.domain}:3000"; }];
- hass.loadBalancer.servers =
- [{ url = "http://servnerr-4.${vars.domain}:8123"; }];
- plex.loadBalancer.servers =
- [{ url = "http://servnerr-4.${vars.domain}:32400"; }];
- prometheus.loadBalancer.servers =
- [{ url = "http://servnerr-4.${vars.domain}:9090"; }];
- };
- };
- };
- };
-}