13 changed files with 98 additions and 65 deletions
--- a/.justfile
+++ b/.justfile
@ -19,8 +19,8 @@ update-input input:
    nix flake lock --update-input {{input}}

@edit-secrets:
-    git clone ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets.git /tmp/secrets
-    sed -i 's\git+ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets\/tmp/secrets\g' flake.nix
+    git clone ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets.git /tmp/secrets
+    sed -i 's\git+ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets\/tmp/secrets\g' flake.nix
    just -q update-input secrets
    echo "{{bold}}All done!"
    echo "{{normal}}Remember to restore flake.nix"
--- a/flake.lock
+++ b/flake.lock
@ -527,11 +527,11 @@
        "rev": "08944755d22a7499b0b3fd39d48fdf1dabf4c83f",
        "revCount": 19,
        "type": "git",
-        "url": "ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets"
+        "url": "ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets"
      },
      "original": {
        "type": "git",
-        "url": "ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets"
+        "url": "ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets"
      }
    },
    "systems": {
--- a/flake.nix
+++ b/flake.nix
@ -3,7 +3,7 @@

  inputs = {
    secrets = {
-      url = "git+ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets";
+      url = "git+ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets";
      flake = false;
    };
    nixpkgs-raw.url = "nixpkgs/nixos-24.05";
--- a/roles/common/programs/git.nix
+++ b/roles/common/programs/git.nix
@ -1,6 +1,6 @@
 {...}: {
  programs.ssh.knownHosts = {
-    "[git.everest.tailscale]:4222".publicKey = ''
+    "[git.everest.sable-pancake.ts.net]:4222".publicKey = ''
      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoUcWx56NZ3kqydN3d0gLNz6SlBm1ArkHhqR9Fwd8qs
    '';
  };
--- a/roles/desktop/programs/ssh.nix
+++ b/roles/desktop/programs/ssh.nix
@ -2,7 +2,7 @@
  programs.ssh.knownHosts = {
    everest = {
      hostNames = [
-        "everest.tailscale"
+        "everest.sable-pancake.ts.net"
        "toast003.xyz"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqfABZKnF5YYGZTOKuT7m+sOnUqBQSvLke9c3JDsF5s";
@ -15,7 +15,7 @@
      matchBlocks = {
        "everest" = {
          host = "everest";
-          hostname = "everest.tailscale";
+          hostname = "everest.sable-pancake.ts.net";
          forwardAgent = true;
          sendEnv = ["COLORTERM"];
        };
--- a/roles/server/caddy.nix
+++ b/roles/server/caddy.nix
@ -1,22 +0,0 @@
-{config, ...}: let
-  manualHostname = "manual.everest.tailscale";
-in {
-  services.caddy = {
-    enable = true;
-    extraConfig = ''
-      (tailscale) {
-        tls internal
-        bind 100.73.96.48
-      }
-    '';
-    virtualHosts.nixos-manual = {
-      hostName = manualHostname;
-      extraConfig = ''
-        import tailscale
-        file_server
-        root * ${config.system.build.manual.manualHTML}/share/doc/nixos
-      '';
-    };
-  };
-  services.dnsmasq.settings.cname = ["${manualHostname},everest"];
-}
--- a/roles/server/default.nix
+++ b/roles/server/default.nix
@ -11,7 +11,7 @@
    ./ddclient.nix
    ./beep.nix
    ./tailscale.nix
-    ./caddy.nix
+    ./traefik.nix
    ./dns.nix
    ./rust_motd.nix
  ];
--- a/roles/server/dns.nix
+++ b/roles/server/dns.nix
@ -16,18 +16,18 @@
      dns-loop-detect = true;

      host-record = [
-        "winmax2,winmax2.tailscale,100.106.73.20"
-        "everest,everest.tailscale,100.73.96.48"
-        "archie,archie.tailscale,100.113.139.93"
-        "steamdeck,steamdeck.tailscale,100.85.48.85"
-        "surfacego,surfacego.tailscale,100.96.92.13"
+        "winmax2,winmax2.sable-pancake.ts.net,100.106.73.20"
+        "everest,everest.sable-pancake.ts.net,100.73.96.48"
+        "archie,archie.sable-pancake.ts.net,100.113.139.93"
+        "steamdeck,steamdeck.sable-pancake.ts.net,100.85.48.85"
+        "surfacego,surfacego.sable-pancake.ts.net,100.96.92.13"
      ];

      # If this isn't set a cname that targets a host might return the wrong ip
      localise-queries = true;
      ## IPv6 is not a thing in Spain so I'm guaranteed to not use it
      filter-AAAA = true;
-      domain = "tailscale";
+      domain = "sable-pancake.ts.net";
      domain-needed = true;
    };
  };
--- a/roles/server/forgejo.nix
+++ b/roles/server/forgejo.nix
@ -30,7 +30,7 @@ in {
      };
      server = {
        OFFLINE_MODE = false;
-        ROOT_URL = "http://git.everest.tailscale";
+        ROOT_URL = "http://git.everest.sable-pancake.ts.net";
        START_SSH_SERVER = true;
        SSH_PORT = 4222;
        SSH_SERVER_HOST_KEYS = config.age.secrets.forgejo-host-key.path;
@ -45,14 +45,22 @@ in {
  };

  # Add a cname for forgejo
-  services.dnsmasq.settings.cname = ["git.everest.tailscale,everest"];
+  services.dnsmasq.settings.cname = ["git.everest.sable-pancake.ts.net,everest"];

-  # Set up caddy as the reverse proxy for Forgejo
-  services.caddy.virtualHosts.forgejo = {
-    hostName = "git.everest.tailscale";
-    extraConfig = ''
-      import tailscale
-      reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
-    '';
+  # Set up traefik as the reverse proxy for Forgejo
+  services.traefik = {
+    dynamicConfigOptions = {
+      http = {
+        routers = {
+          forgejo-subpath = {
+            rule = "Host(`git.everest.sable-pancake.ts.net`)";
+            service = "forgejo";
+          };
+        };
+        services.forgejo.loadBalancer.servers = [
+          {url = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";}
+        ];
+      };
+    };
  };
 }
--- a/roles/server/nfs.nix
+++ b/roles/server/nfs.nix
@ -2,7 +2,7 @@
  services = {
    nfs.server = {
      enable = true;
-      exports = "/srv/nfs *.tailscale(ro,fsid=root)";
+      exports = "/srv/nfs *.sable-pancake.ts.net(ro,fsid=root)";
      # NFSv3 uses random ports, so you need to make them static to be able to pass though the firewall
      statdPort = 4000;
      lockdPort = 4001;
--- a/roles/server/syncthing.nix
+++ b/roles/server/syncthing.nix
@ -34,14 +34,22 @@
  };

  # Add a cname for syncthing
-  services.dnsmasq.settings.cname = ["sync.everest.tailscale,everest"];
+  services.dnsmasq.settings.cname = ["sync.everest.sable-pancake.ts.net,everest"];

-  # Set up caddy as the reverse proxy for syncthing
-  services.caddy.virtualHosts.syncthing = {
-    hostName = "sync.everest.tailscale";
-    extraConfig = ''
-      import tailscale
-      reverse_proxy localhost:8384
-    '';
+  # Set up traefik as the reverse proxy for syncthing
+  services.traefik = {
+    dynamicConfigOptions = {
+      http = {
+        routers = {
+          syncthing-subdomain = {
+            rule = "Host(`sync.everest.sable-pancake.ts.net`)";
+            service = "syncthing";
+          };
+        };
+        services.syncthing.loadBalancer.servers = [
+          {url = "http://localhost:8384";}
+        ];
+      };
+    };
  };
 }
--- a/roles/server/traefik.nix
+++ b/roles/server/traefik.nix
@ -0,0 +1,31 @@
+{...}: {
+  specialisation.traefikEnableWebUI.configuration.services.traefik = {
+    staticConfigOptions = {
+      api = {
+        # Enable the web ui
+        insecure = true;
+        dashboard = true;
+      };
+    };
+  };
+
+  services.traefik = {
+    enable = true;
+    staticConfigOptions = {
+      entryPoints = {
+        http = {address = "100.73.96.48:80";};
+      };
+    };
+  };
+
+  systemd = {
+    units.tailscaled.requiredBy = ["traefik.service"];
+    # We have somewhat frequent power outages, and our ISP router takes
+    # ages to boot up. If I don't add a delay, traefik tries to bind to
+    # the tailscale interface before it's ready, making it crash too much
+    # in too little time
+    services.traefik.serviceConfig.RestartSec = 120;
+  };
+
+  networking.firewall.allowedTCPPorts = [80 8080];
+}
--- a/roles/server/transmission.nix
+++ b/roles/server/transmission.nix
@ -9,7 +9,7 @@ in {
    settings = {
      incomplete-dir-enabled = false;
      rpc-bind-address = "0.0.0.0";
-      rpc-host-whitelist = "transmission.everest.tailscale";
+      rpc-host-whitelist = "transmission.everest.sable-pancake.ts.net";
      rpc-whitelist = "127.0.0.1";
    };
  };
@ -20,7 +20,7 @@ in {
    mountPoint = "/srv/nfs/transmission";
    options = ["bind"];
  };
-  services.nfs.server.exports = "${mountPoint} *.tailscale(ro,all_squash,anonuid=${transmissionUid},anongid=${transmissionGid})";
+  services.nfs.server.exports = "${mountPoint} *.sable-pancake.ts.net(ro,all_squash,anonuid=${transmissionUid},anongid=${transmissionGid})";

  services.avahi.extraServiceFiles = {
    Transmission-downloads-nfs = ''
@ -38,14 +38,22 @@ in {
  };

  # Add a cname for transmission
-  services.dnsmasq.settings.cname = ["transmission.everest.tailscale,everest"];
+  services.dnsmasq.settings.cname = ["transmission.everest.sable-pancake.ts.net,everest"];

-  # Set up caddy as the reverse proxy for transmission
-  services.caddy.virtualHosts.transmission = {
-    hostName = "transmission.everest.tailscale";
-    extraConfig = ''
-      import tailscale
-      reverse_proxy localhost:${toString config.services.transmission.settings.rpc-port}
-    '';
+  # Set up traefik as the reverse proxy for transmission
+  services.traefik = {
+    dynamicConfigOptions = {
+      http = {
+        routers = {
+          transmission-subdomain = {
+            rule = "Host(`transmission.everest.sable-pancake.ts.net`)";
+            service = "transmission";
+          };
+        };
+        services.transmission.loadBalancer.servers = [
+          {url = "http://localhost:${toString config.services.transmission.settings.rpc-port}";}
+        ];
+      };
+    };
  };
 }