From 57434cb4663b3779805999b16456026ad50dd70a Mon Sep 17 00:00:00 2001
From: Daniel Kempkens
Date: Sat, 19 Nov 2022 20:58:20 +0100
Subject: [PATCH] webserver: Remove traefik
---
container/webserver/config.nix | 63 ---------------------
container/webserver/default.nix | 75 +------------------------
hardware/hosts/sail.nix | 1 +
secret/container/webserver/default.nix | Bin 2316 -> 710 bytes
4 files changed, 3 insertions(+), 136 deletions(-)
diff --git a/container/webserver/config.nix b/container/webserver/config.nix
index 8c6184e..8a6773b 100644
--- a/container/webserver/config.nix
+++ b/container/webserver/config.nix
@@ -27,69 +27,6 @@ mode = "0644"; }; - # traefik - - environment.etc."container-webserver/traefik/traefik.toml" = { - text = '' - [providers] - [providers.file] - directory = "/custom_config" - watch = true - - [providers.docker] - exposedByDefault = false - - [entryPoints] - [entryPoints.web] - address = ":80" - - [entryPoints.websecure] - address = ":443" - - [certificatesResolvers.cfresolver.acme] - email = "${secret.container.webserver.traefik.config.acme.email}" - storage = "/acme.json" - keyType = "EC384" - - [certificatesResolvers.cfresolver.acme.dnsChallenge] - provider = "cloudflare" - - [api] - dashboard = true - ''; - - mode = "0644"; - }; - - environment.etc."container-webserver/traefik/custom/middlewares.toml" = { - text = '' - [http.middlewares] - [http.middlewares.non-www-redirect.redirectRegex] - regex = "^https://www.(.*)" - replacement = "https://''${1}" - permanent = true - - [http.middlewares.https-redirect.redirectScheme] - scheme = "https" - permanent = true - - [http.middlewares.content-compression.compress] - - [http.middlewares.very-low-request-rate.rateLimit] - average = 3 - period = "1m" - - [http.middlewares.security-headers.headers] - frameDeny = true - browserXssFilter = true - contentTypeNosniff = true - referrerPolicy = "no-referrer" - contentSecurityPolicy = "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; font-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'self'" - ''; - - mode = "0644"; - }; - # weewx environment.etc."container-webserver/weewx/weewx.conf" = {
diff --git a/container/webserver/default.nix b/container/webserver/default.nix
index 945f557..f4a339c 100644
--- a/container/webserver/default.nix
+++ b/container/webserver/default.nix
@@ -43,29 +43,6 @@ in }; }; - traefik = { - service = { - image = "traefik:v2.8"; - container_name = "traefik"; - restart = "unless-stopped"; - depends_on = [ "ipv6nat" ]; - networks = [ "webserver" ]; - ports = [ - "80:80" - "443:443" - ]; - command = [ "--configFile=/traefik.toml" ]; - environment = secret.container.webserver.traefik.environment; - volumes = [ - "/var/run/docker.sock:/var/run/docker.sock:ro" - "/etc/container-webserver/traefik/traefik.toml:/traefik.toml:ro" - "/etc/container-webserver/traefik/acme.json:/acme.json" - "/etc/container-webserver/traefik/custom:/custom_config:ro" - ]; - labels = secret.container.webserver.traefik.labels; - }; - }; - cloudflared = { service = { image = "cloudflare/cloudflared:latest"; 
@@ -79,49 +56,14 @@ in }; }; - ifconfig-sexy = { - service = { - image = "ghcr.io/nifoc/ifconfig.sexy-caddy:master"; - restart = "unless-stopped"; - depends_on = [ - "ipv6nat" - "traefik" - ]; - networks = [ "webserver" ]; - labels = { - "traefik.enable" = "true"; - "traefik.http.routers.ifconfig-sexy-http.rule" = "Host(`ifconfig.sexy`, `www.ifconfig.sexy`, `4.ifconfig.sexy`, `6.ifconfig.sexy`)"; - "traefik.http.routers.ifconfig-sexy-http.entrypoints" = "web"; - "traefik.http.routers.ifconfig-sexy-http.middlewares" = "https-redirect@file"; - "traefik.http.routers.ifconfig-sexy.rule" = "Host(`ifconfig.sexy`, `www.ifconfig.sexy`, `4.ifconfig.sexy`, `6.ifconfig.sexy`)"; - "traefik.http.routers.ifconfig-sexy.entrypoints" = "websecure"; - "traefik.http.routers.ifconfig-sexy.tls" = "true"; - "traefik.http.routers.ifconfig-sexy.tls.certresolver" = "cfresolver"; - "traefik.http.routers.ifconfig-sexy.middlewares" = "non-www-redirect@file, content-compression@file"; - "com.centurylinklabs.watchtower.enable" = "true"; - }; - }; - }; - nifoc-pw-docs = { service = { image = "ghcr.io/nifoc/nifoc.pw-docs:master"; container_name = "nifoc-pw-docs"; restart = "unless-stopped"; - depends_on = [ - "ipv6nat" - "traefik" - ]; + depends_on = [ "ipv6nat" ]; networks = [ "webserver" ]; labels = { - "traefik.enable" = "true"; - "traefik.http.routers.nifoc-pw-docs.rule" = "HostRegexp(`{subdomain:[a-z_]+}.nifoc.pw`)"; - "traefik.http.routers.nifoc-pw-docs.entrypoints" = "websecure"; - "traefik.http.routers.nifoc-pw-docs.tls" = "true"; - "traefik.http.routers.nifoc-pw-docs.tls.certresolver" = "cfresolver"; - "traefik.http.routers.nifoc-pw-docs.tls.domains[0].main" = "nifoc.pw"; - "traefik.http.routers.nifoc-pw-docs.tls.domains[0].sans" = "*.nifoc.pw"; - "traefik.http.routers.nifoc-pw-docs.middlewares" = "content-compression@file"; "com.centurylinklabs.watchtower.enable" = "true"; }; }; 
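Review bot: After this hunk `nifoc-pw-docs` keeps only the watchtower label, and nothing visible in the diff says how requests reach it now that its router, TLS resolver and middleware labels are gone; the same holds for `synapse` in the `@@ -167,15 +105,6 @@` hunk, where the `loadbalancer.server.port` mapping to `8008` disappears as well. Presumably the `cloudflared` service takes over ingress and its rules live in the encrypted `secret/container/webserver/default.nix`, but that should be stated next to the services, e.g. `# ingress: served through cloudflared, routes defined under secret.container.webserver` above `labels`. It is also worth confirming that the protections defined in the deleted `middlewares.toml` (the `security-headers` block and the `very-low-request-rate` limit) are re-applied at the new edge if anything relied on them, since no replacement appears in this patch. The enclosing attribute set starts and ends outside the hunk.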
@@ -135,7 +77,6 @@ in depends_on = [ "ipv6nat" "mosquitto" - "traefik" ]; networks = [ "webserver" ]; environment = {
@@ -155,10 +96,7 @@ in image = "matrixdotorg/synapse:latest"; container_name = "synapse"; restart = "unless-stopped"; - depends_on = [ - "ipv6nat" - "traefik" - ]; + depends_on = [ "ipv6nat" ]; networks = [ "webserver" ]; volumes = [ "/etc/container-matrix/synapse:/data"
@@ -167,15 +105,6 @@ in "/etc/container-matrix/whatsapp:/bridge-data/whatsapp:ro" ]; labels = { - "traefik.enable" = "true"; - "traefik.http.routers.matrix.rule" = "Host(`matrix.kempkens.io`)"; - "traefik.http.routers.matrix.entrypoints" = "websecure"; - "traefik.http.routers.matrix.service" = "matrix-web"; - "traefik.http.routers.matrix.tls.certresolver" = "cfresolver"; - "traefik.http.routers.matrix.tls.domains[0].main" = "kempkens.io"; - "traefik.http.routers.matrix.tls.domains[0].sans" = "*.kempkens.io"; - "traefik.http.routers.matrix.middlewares" = "content-compression@file"; - "traefik.http.services.matrix-web.loadbalancer.server.port" = "8008"; "com.centurylinklabs.watchtower.enable" = "true"; }; };
diff --git a/hardware/hosts/sail.nix b/hardware/hosts/sail.nix
index 640e354..41ee01f 100644
--- a/hardware/hosts/sail.nix
+++ b/hardware/hosts/sail.nix
@@ -16,6 +16,7 @@ kernel.sysctl = { "net.core.default_qdisc" = "fq"; "net.ipv4.tcp_congestion_control" = "bbr"; + "net.core.rmem_max" = "2500000"; }; };
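Review bot: In the synapse hunk (`@@ -155,10 +96,7 @@`) the service still pulls `matrixdotorg/synapse:latest`, and the labels hunk after it keeps `"com.centurylinklabs.watchtower.enable" = "true"`, so whatever is published under that tag gets deployed without review. `cloudflare/cloudflared:latest` in the earlier hunk is unpinned as well, and with traefik removed it appears to be the only ingress path. Pinning both to a release tag or digest, e.g. `image = "matrixdotorg/synapse:<pinned-version>";`, keeps image updates an explicit, reviewable change. The service definition starts and ends outside the hunk.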
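Review bot: The added `"net.core.rmem_max" = "2500000";` in `hardware/hosts/sail.nix` is an unexplained magic value in a commit whose title only mentions removing traefik. The number matches the UDP receive-buffer ceiling that quic-go recommends, so it is presumably there for cloudflared's QUIC transport; a comment such as `# UDP receive buffer ceiling for cloudflared (QUIC), value per the quic-go recommendation` would keep it from being dropped or changed blindly later. The enclosing block starts outside the hunk.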
diff --git a/secret/container/webserver/default.nix b/secret/container/webserver/default.nix index 5c56d3b03337dbfe92f340e0aedd6148a4a05902..40258a8c2a4058cd0469c1ce58b17b2c34c413d6 100644 GIT binary patch literal 710 zcmV;%0y+HvM@dveQdv+`0J#5lI_SB6C_#Xx4>H1Ab?{V*m|Pq7b+T$@qb5$>6dH0o zP%axCLWC5I3ZbAHs|8qN9emnf(D4wY(a17;lV#2}AFr7R;7 z1NG;99alOA!2|-VUFGjA#ae<-_hf#CxoK8$v*%r6jqR5+hd#%UXGxRdgj2p7`V?z5 ze8WPw5eR&qSL3AEC*cZM&3L^Lo;Z_corT#Uu8{KUjsZA45{xlFtdjkQ4* ztU^-*(QQ^hwvK;(LS6B;IG1f11iv?`)D&^SrZA!76Z=A=BD7WlPxp=hU$z|!=JHUe9h~r(WrdAJga$6P5QP{n)^}A zGj_oQY-x2Us{UD<;JAA&$11((0CG*$-}yi-`10qu-fEHt&a0T`hw`o3Q8qk^JMu0N z9uR(KzfQ8Y<_O55^VC)_A#N<;1)8b&E%oZ zx2@b@-uo-o`RPexg8MbDQirbbh``aB)OU0Ygk}(u(ZiBwk<^U5ucu)3;Lnm`GcGyA zBwzPUbI228X)(g%3=eiYQCB~jHd?}sLvssn9jz?aMa@9}VqTiD*0s|i6uJw&8L!NFaQ7m literal 2316 zcmV+n3G?;{1!$-4UYGQSF!x1Qude~jZ+2?hG@2{?+$u;Gox7tE9Maj#yKL&g2psduF;dUdEB79*% z7`SVpkD)@2x>;`LkeEyS`;71qAGsyH4e+t4_5D6dlpmck&Vr%H{;Rhb768M>%@@OF zXo;630^#mL6J$6^xtKxpWo57c(ZkDAw27$ek#Bu4Tk_nm$?(Qyaic7rOmrR%4&f}L zmG=;gTH3W!aBo`6ieNy^VMmjaJXVc%>H`8unEA_sfp7x2VtEb5HA$RJUv69|oZlRB zb9>w)PRp`X#z$6%u&0S(TeOTIBkC;=s7sHcp|36Bs9&tjV+i#0PXxtv@h4j?@snWi zHZ-kMDiCw_ic;WRXv|R}Ug{SRooHrfz^>)=rr68d@GhpCLGD6I&*NV}gvm+nJh^~v z8UQ7JhdQw7)SivQC4&RKa-JW{J>wYuO~DFvCZ!u~(7Rq^_c=>A7sxSE*SMp##c)l_ z4!JLJpWcuB%AJw)6Ws07aZr-$uWd=5vhI>ep4I1Oiz4=iXNkH3MWd4SO|$&WOU?xP zv%PBKhz`P4Z-36|)6wK^q!@k=HQqp^n;<)Rn4k%UlYjK<(v71`hWcx>G@}T)bC&M2 z^zU=nWu9N8lqF8lDfyE&ip{-m$dP+PblXcB=Cdb`(4W5%kxaZ;Qc zFh{JF^Dm}Iccv{_gx9Nw@&rlB`ZGmo{u+{0sb=#;+c=7XFh zb+NpiH*Xz34b)YPFv>U3*tAw^%N^ZW#24LOJ2?b;REixU&z+h_ZBFn&|D>gqk1)DO z%6iIsr7JZ&!~|B-7`!Yk0q1N5VdH>i!5O@}+`T2efR0{fos60pX5@=u-}i1vKBqM9 zx!u-i9QOYmdL2P8u1PxSPSFr&tQr!2VY2_qJ!VJ`ba5HC9_!0QpwItiRKi!BHf2!x zRAO^o<5}&;Ee@3n+*wZ+V(blrHsu|Wfr z5}N#+Byy1iExjUR+7&BM?=nqN*P56Bg9so#2Di}Kypn!L$<`7T3R`@@wmrvCT5|eI z7o;xtcvD6SQ@t+C{b-d|gHSbPqP-_&Ep?0Py!ZY#EZjk;VW#&2DBopQY#vjwY2SwP zkr4^i>RM@p4_wRg(W72cOdI8LlPM1W-us|{Aud>ma2g 
z)g0d3l`@B4EB#sS1ZUkdlu{AFNH?*c=tuS)^^+#o;WLGDyJ_62P55pZ1yd-z1ZdB~ zT3(Du&N15*Kw6mxM%<|E;nkpqXL6q9x_YxH7`v&DTh<-S6cFSquH5?giJ8aTP+OFiO>ImF^=C?cO}T80G6(1ZxUbw!S9X-?cAQ-Jna)7A`^yo7^! zHpG_-Kh$`}Zi!?%($hRvcH8DcKejEFX4pV$Ka^<2VS#tlaI0kjRC5jm^&OhqB*s9z zYe>=o>Oh@WZO3LqsoYdrUWHopm4=!?^hVR$3HIl(r9rm`0^zD#BX9CRZ3>QuxFcS# zRW9!mGklJ@xdPdR2-1Z05kCE6LO(f;nt63U3sv&*Z*w}nDTgJTYTR!y1gV$-1zAXN z)&!RJN-8x(1DAV>kogPgLLD<=yk>4k655U3y6yN51d#k)kR4_yw|EX}(iRnT+W~=7 zL&E|PZbqd;SV?hPYrXyr;&iFz8=;zY*@q10YZY2Qw&LpG(K8#Hu?TC7n2NgRs!?^6 z$;#o0G|A^`73`Q3I$0?Az!k~$}fuI-A#VIzmqO+UTzX@FC;$>@x>#VyQo;W4F z^5eGqi4ti>F-URBmD=M4w0)i(jobr<^tle&R>ggAFy^GOS@f~;Fllkydytb$A+P9d z$)ZJ2=ZNP^t%jo1ccJGk$?6pZ)fILzCwg#xx7 zdqWyBdh8`s9i>19`H;MLNqBt6mNYc>R1