From a56a7b8115de3e26389e181959289cba27e27910 Mon Sep 17 00:00:00 2001 From: Christine Elisabeth Koppel Date: Fri, 13 Feb 2026 21:09:34 +0100 Subject: [PATCH] Why... why,,, --- nix-system-configs/modules/system/traefik.nix | 120 +++++++++++------- 1 file changed, 76 insertions(+), 44 deletions(-) diff --git a/nix-system-configs/modules/system/traefik.nix b/nix-system-configs/modules/system/traefik.nix index 9bf39f4..8e192ed 100644 --- a/nix-system-configs/modules/system/traefik.nix +++ b/nix-system-configs/modules/system/traefik.nix 
@@ -46,37 +46,82 @@ in { # Configure Anubis service services.anubis = { - instances."" = { - enable = true; - settings = { - # Bind to TCP instead of Unix socket for Docker-style integration - BIND_NETWORK = "tcp"; - BIND = "127.0.0.1:8090"; + instances = { + "" = { + enable = true; + settings = { + # Bind to TCP instead of Unix socket for Docker-style integration + BIND_NETWORK = "tcp"; + BIND = "127.0.0.1:8090"; - # Empty TARGET for redirect mode - TARGET = " "; + # Empty TARGET for redirect mode + TARGET = " "; - # Configure redirect domains - ALL domains that should be able to redirect back after challenge - REDIRECT_DOMAINS = "prg-radio.org,git.prg-radio.org,wavelog.prg-radio.org,partdb.prg-radio.org,anubis.prg-radio.org"; + # Configure redirect domains - ALL domains that should be able to redirect back after challenge + REDIRECT_DOMAINS = "prg-radio.org,git.prg-radio.org,wavelog.prg-radio.org,partdb.prg-radio.org,anubis.prg-radio.org"; - # Public URL for Anubis - PUBLIC_URL = "https://anubis.prg-radio.org"; + # Public URL for Anubis + PUBLIC_URL = "https://anubis.prg-radio.org"; - # Cookie domain for proper scoping (leading dot for all subdomains) - COOKIE_DOMAIN = ".prg-radio.org"; + # Cookie domain for proper scoping (leading dot for all subdomains) + COOKIE_DOMAIN = ".prg-radio.org"; - # Difficulty level - DIFFICULTY = 20; + # Difficulty level + DIFFICULTY = 20; - # Optional: serve robots.txt - SERVE_ROBOTS_TXT = true; + # Optional: serve robots.txt + SERVE_ROBOTS_TXT = true; - # Optional: webmaster email for error pages - WEBMASTER_EMAIL = "dtu.prg@gmail.com"; + # Optional: webmaster email for error pages + WEBMASTER_EMAIL = "dtu.prg@gmail.com"; - # Metrics on separate port - METRICS_BIND_NETWORK = "tcp"; - METRICS_BIND = "127.0.0.1:8091"; + # Metrics on separate port + METRICS_BIND_NETWORK = "tcp"; + METRICS_BIND = "127.0.0.1:8091"; + }; + }; + + # Per-service Anubis instances (reverse-proxy mode) --------------------------- + forgejo = { + enable = 
true; + settings = { + BIND_NETWORK = "tcp"; + BIND = "127.0.0.1:8092"; + TARGET = "http://10.1.1.4:3000"; # Forgejo backend + DIFFICULTY = 20; + SERVE_ROBOTS_TXT = true; + WEBMASTER_EMAIL = "dtu.prg@gmail.com"; + METRICS_BIND_NETWORK = "tcp"; + METRICS_BIND = "127.0.0.1:8095"; + }; + }; + + wavelog = { + enable = true; + settings = { + BIND_NETWORK = "tcp"; + BIND = "127.0.0.1:8093"; + TARGET = "http://10.1.1.249:8086"; # Wavelog backend + DIFFICULTY = 20; + SERVE_ROBOTS_TXT = true; + WEBMASTER_EMAIL = "dtu.prg@gmail.com"; + METRICS_BIND_NETWORK = "tcp"; + METRICS_BIND = "127.0.0.1:8096"; + }; + }; + + partdb = { + enable = true; + settings = { + BIND_NETWORK = "tcp"; + BIND = "127.0.0.1:8094"; + TARGET = "http://10.1.1.249:8087"; # PartDB backend + DIFFICULTY = 20; + SERVE_ROBOTS_TXT = true; + WEBMASTER_EMAIL = "dtu.prg@gmail.com"; + METRICS_BIND_NETWORK = "tcp"; + METRICS_BIND = "127.0.0.1:8097"; + }; }; }; }; @@ -141,24 +186,14 @@ in { } ]; - # Define Anubis middleware - http.middlewares = { - anubis = { - forwardAuth = { - address = "http://127.0.0.1:8090/.within.website/x/cmd/anubis/api/check"; - trustForwardHeader = true; - }; - }; - }; - http.routers = { #anubis-api = { # rule = "Host(`anubis.prg-radio.org`) && PathPrefix(`/.within.website/x/cmd/anubis/api`)"; # service = "anubis"; - # entryPoints = ["websecure"]; + # entryPoints = ["websecure"]; # priority = 200; - # tls = {}; - # }; + # tls = {}; + # }; # Anubis router (for challenge page) anubis = { @@ -173,7 +208,6 @@ in { rule = "Host(`git.prg-radio.org`)"; service = "forgejo"; entryPoints = ["websecure"]; - middlewares = ["anubis"]; # Add Anubis protection tls = {}; }; 
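Review bot: The default `""` instance is carried over unchanged in redirect mode (`TARGET = " "`, `REDIRECT_DOMAINS`, `COOKIE_DOMAIN = ".prg-radio.org"`), although this commit moves Forgejo, Wavelog and PartDB to their own reverse-proxy instances and deletes the forwardAuth middleware that called it. If no router outside these hunks still depends on it, that instance is leftover surface: it keeps a public challenge endpoint on anubis.prg-radio.org and issues a cookie scoped to every subdomain, including hosts it no longer guards. Either drop it together with the `anubis` router and service, or record why it stays with a comment such as `# still needed by <router>: redirect-mode challenge endpoint`. The new per-service instances set no `COOKIE_DOMAIN`, which presumably leaves their cookies host-scoped; that is the narrower choice and worth keeping.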
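Review bot: Deleting the `http.middlewares.anubis` definition is only safe if every `middlewares = ["anubis"]` reference goes with it, and the hunks in this patch remove just three (forgejo here, wavelog and partdb in the next hunk). `REDIRECT_DOMAINS` still lists `prg-radio.org`, which hints at an apex router outside the visible hunks. A router left pointing at a middleware that no longer exists would presumably fail to load in Traefik and take that host offline. `http.routers` continues outside this hunk, so the remaining routers should be checked for that reference before merging.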
@@ -190,22 +224,20 @@ in { rule = "Host(`wavelog.prg-radio.org`)"; service = "wavelog"; entryPoints = ["websecure"]; - middlewares = ["anubis"]; # Add Anubis protection tls = {}; }; - # Protected service: PartDB (remove middleware) + # Protected service: PartDB partdb = { rule = "Host(`partdb.prg-radio.org`)"; service = "partdb"; - middlewares = ["anubis"]; # Add Anubis protection entryPoints = ["websecure"]; tls = {}; }; }; http.services = { - # Anubis service + # Anubis service (challenge UI / redirect endpoint) anubis.loadBalancer = { servers = [ {url = "http://127.0.0.1:8090";} @@ -215,7 +247,7 @@ in { forgejo.loadBalancer = { servers = [ - {url = "http://10.1.1.4:3000";} + {url = "http://127.0.0.1:8092";} ]; }; matrix.loadBalancer = { @@ -225,13 +257,13 @@ in { }; wavelog.loadBalancer = { servers = [ - {url = "http://10.1.1.249:8086";} + {url = "http://127.0.0.1:8093";} ]; }; partdb.loadBalancer = { servers = [ - {url = "http://10.1.1.249:8087";} + {url = "http://127.0.0.1:8094";} ]; }; };
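Review bot: Protection for each host now depends entirely on the port in its `loadBalancer` URL matching the `BIND` of the right Anubis instance (8092 here, 8093 and 8094 in the wavelog/partdb hunk that follows), and the two sides are separate literals. A typo or a later port change would send a host to the wrong instance, and with `middlewares = ["anubis"]` gone nothing on the router shows that it is meant to be protected. If `config` is among this module's arguments, deriving the URL ties the two together: `{url = "http://${config.services.anubis.instances.forgejo.settings.BIND}";}`. The backends at 10.1.1.4 and 10.1.1.249 remain plain-HTTP listeners on that network, so the challenge only covers traffic arriving through Traefik; whether anything else can reach them directly is not visible in this patch.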