From 3473f8647fac379e37cf1aee6f5fb1c17f362d9d Mon Sep 17 00:00:00 2001
From: Kaybee
Date: Thu, 24 Jul 2025 15:06:02 +0200
Subject: [PATCH] Restructured, Configured Traefik for Mailcow
---
 .../nixos/services/forgejo-runner/default.nix | 87 -------------------
 systems/x86_64-linux/pkpnafs/default.nix | 14 +--
 systems/x86_64-linux/pkpnafs/forgejo.nix | 21 +++++
 systems/x86_64-linux/pkpnafs/traefik.nix | 41 +++++++++
 4 files changed, 70 insertions(+), 93 deletions(-)
 delete mode 100644 modules/nixos/services/forgejo-runner/default.nix
 create mode 100644 systems/x86_64-linux/pkpnafs/forgejo.nix
 create mode 100644 systems/x86_64-linux/pkpnafs/traefik.nix
diff --git a/modules/nixos/services/forgejo-runner/default.nix b/modules/nixos/services/forgejo-runner/default.nix
deleted file mode 100644
index 0888183..0000000
--- a/modules/nixos/services/forgejo-runner/default.nix
+++ /dev/null
@@ -1,87 +0,0 @@
-{ inputs, config, lib, pkgs, ... }:
-let
- cfg = config.services.forgejo-runner;
-in
-{
- options.services.forgejo-runner = {
- enable = lib.mkOption {
- type = with lib.types; uniq bool;
- default = false;
- description = "Enable Forgejo Runners";
- };
- };
- config = lib.mkIf (cfg.enable) {
- # services.gitea-actions-runner.package = pkgs.forgejo-runner;
- # services.gitea-actions-runner.instances."kb-one-runner@games-01" = {
- # enable = true;
- # name = "kb-one-runner@games-01";
- # url = "https://git.kb-one.de/";
- # tokenFile = "/opt/secrets/kb-one-runner@games-01_token";
- # labels = [
- # # provide a debian base with nodejs for actions
- # "debian-latest:docker://node:18-bullseye"
- # # fake the ubuntu name, because node provides no ubuntu builds
- # "ubuntu-latest:docker://node:18-bullseye"
- # # provide native execution on the host
- # "native:host"
- # ];
- # hostPackages = with pkgs; [
- # bash
- # coreutils
- # curl
- # gawk
- # gitMinimal
- # gnused
- # nodejs
- # wget
- # nix
- # ];
- # };
-
- # systemd.services.forgejo-runner = {
- # wantedBy = [ "multi-user.target" ];
- # after = [ "docker.service" ];
- # description = "";
- # serviceConfig = {
- # Type = "notify";
- # User = "runner";
- # WorkingDirectory = "/home/runner";
- # ExecStart = ''${pkgs.forgejo-runner}/bin/forgejo-runner deamon'';
- # ExecStop = ''/bin/kill -s HUP $MAINPID'';
- # Restart = "on-failure";
- # TimeoutSec = 0;
- # RestartSec = 10;
- # };
- # };
-
- # users.users.runner = {
- # isNormalUser = true;
- # };
-
- # environment.systemPackages = [ pkgs.forgejo-runner ];
-
- # virtualisation.podman.enable = true;
- # virtualisation.podman.defaultNetwork.settings.dns_enabled = true;
- # virtualisation.podman.dockerCompat = true;
-
- virtualisation.docker.enable = true;
- virtualisation.oci-containers.backend = "docker";
-
- virtualisation.oci-containers.containers."docker-in-docker" = {
- image = "docker:dind";
- hostname = "docker";
- extraOptions = [ "--privileged" "--network=kb-forgejo-runner" ];
- cmd = [ "dockerd" "-H" "tcp://docker:42349" "--tls=false" ];
- };
- virtualisation.oci-containers.containers."forgejo-runner" = {
- image = "code.forgejo.org/forgejo/runner:4.0.0";
- hostname = "forgejo-runner";
- extraOptions = [ "--network=kb-forgejo-runner" ];
- environment.DOCKER_HOST = "tcp://docker:42349";
- user = "1001:1001";
- volumes = [ "forgejo-runner-data:/data" ];
- cmd = [ "/bin/sh" "-c" "sleep 5; forgejo-runner daemon" ];
- };
- };
-}
-
diff --git a/systems/x86_64-linux/pkpnafs/default.nix b/systems/x86_64-linux/pkpnafs/default.nix
index a1d1dcf..b9e73b5 100644
--- a/systems/x86_64-linux/pkpnafs/default.nix
+++ b/systems/x86_64-linux/pkpnafs/default.nix
@@ -3,6 +3,8 @@ {
 imports = [
 # Include the results of the hardware scan.
 ./hardware.nix
+ ./forgejo.nix
+ ./traefik.nix
 ];
 # Configure Nix
@@ -74,6 +76,9 @@
 sops.defaultSopsFormat = "yaml";
 sops.age.keyFile = "/home/master/.config/sops/age/keys.txt";
+ # Firewall
+ networking.firewall.allowedTCPPorts = [ 80 443 25 465 587 143 993 110 995 4190 ];
+
 # SSH and Mosh
 services.openssh = {
 enable = true;
@@ -86,16 +91,13 @@
 # Minecraft Servers
 services.minecraft = {
- enable = true;
+ enable = false;
 servers.velocity.enable = true;
 servers.survival.enable = true;
 };
- # Forgejo Runner
- services.forgejo-runner.enable = true;
-
- # Binary Cache
- services.binary-cache.enable = false; # No Binary-Cache, when there are Secrets in the /nix/store
+ # Docker
+ virtualisation.docker.enable = true;
 # Do NOT change this value
 system.stateVersion = "24.05"; # Did you read the comment?
diff --git a/systems/x86_64-linux/pkpnafs/forgejo.nix b/systems/x86_64-linux/pkpnafs/forgejo.nix
new file mode 100644
index 0000000..ff4c1d0
--- /dev/null
+++ b/systems/x86_64-linux/pkpnafs/forgejo.nix
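Review bot: The firewall line in the second default.nix hunk opens the mail ports 25, 465, 587, 143, 993, 110, 995 and 4190 alongside 80/443, but nothing in this commit declares a service that listens on them; the only Mailcow reference is the Traefik backend at localhost:8080 in traefik.nix, so the mail stack presumably runs outside this Nix configuration. A reader cannot tell which port belongs to which service, so a comment next to the list such as `# 80/443: Traefik; 25/465/587 SMTP, 143/993 IMAP, 110/995 POP3, 4190 ManageSieve: Mailcow (managed outside this config)` would keep that visible and make it easy to drop protocols that are not actually in use. The third hunk also removes the comment `# No Binary-Cache, when there are Secrets in the /nix/store` together with the `services.binary-cache.enable = false` line; if that rationale still holds it is worth keeping somewhere, since the secrets-in-store concern did not go away with the option.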
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, inputs, ... }:
+{
+ virtualisation.oci-containers.backend = "docker";
+ virtualisation.oci-containers.containers."docker-in-docker" = {
+ image = "docker:dind";
+ hostname = "docker";
+ extraOptions = [ "--privileged" "--network=kb-forgejo-runner" ];
+ cmd = [ "dockerd" "-H" "tcp://docker:42349" "--tls=false" ];
+ };
+ virtualisation.oci-containers.containers."forgejo-runner" = {
+ image = "code.forgejo.org/forgejo/runner:4.0.0";
+ hostname = "forgejo-runner";
+ extraOptions = [ "--network=kb-forgejo-runner" ];
+ environment.DOCKER_HOST = "tcp://docker:42349";
+ user = "1001:1001";
+ volumes = [ "forgejo-runner-data:/data" ];
+ cmd = [ "/bin/sh" "-c" "sleep 5; forgejo-runner daemon" ];
+ };
+}
+
+
diff --git a/systems/x86_64-linux/pkpnafs/traefik.nix b/systems/x86_64-linux/pkpnafs/traefik.nix
new file mode 100644
index 0000000..485defa
--- /dev/null
+++ b/systems/x86_64-linux/pkpnafs/traefik.nix
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, inputs, ... }:
+{
+ services.traefik = {
+ enable = true;
+ staticConfigOptions = {
+ api = {
+ dashboard = false;
+ insecure = false;
+ };
+ entryPoints = {
+ http = {
+ address = ":80";
+ http.redirections.entrypoint = {
+ to = "https";
+ scheme = "https";
+ };
+ };
+ https = {
+ address = ":443";
+ };
+ };
+ certificatesResolvers.letsencrypt.acme = {
+ storage = "/run/secrets/acme.json";
+ httpchallenge.entrypoint = "http";
+ };
+ };
+ };
+
+ services.traefik.dynamicConfigOptions = {
+ # Traefik Dashbaord
+ http.routers.dashboard.rule = "Host(`traefik.pkpnafs.kb-one.de`)";
+ http.routers.dashboard.service = "api@internal";
+ # Mailcow
+ http.services.nginx-mailcow.loadbalancer.servers = [ { url = "http://localhost:8080/"; } ];
+ http.routers.nginx-mailcow.entrypoints = "https";
+ http.routers.nginx-mailcow.tls.certresolver = "letsencrypt";
+ http.routers.nginx-mailcow.rule = "Host(`mail.kb-one.de`)";
+ http.routers.nginx-mailcow.service = "nginx-mailcow";
+ };
+
+}
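Review bot: The `docker-in-docker` container in forgejo.nix runs `--privileged` and serves the Docker API over plain TCP with `--tls=false` on `tcp://docker:42349`; that combination is root-equivalent on the host for anything that can reach the `kb-forgejo-runner` network, and the file says nothing about who may join it. Nothing in this commit creates that network either (an `extraOptions = [ "--network=…" ]` reference only works if it already exists, presumably created by hand), so a header comment stating the trust boundary would help, e.g. `# dind exposes an unauthenticated Docker API on kb-forgejo-runner: only the runner may join this network; the network itself is created out of band`. The `sleep 5` in the runner's `cmd` is a startup-ordering workaround that the oci-containers module can express directly with `dependsOn = [ "docker-in-docker" ];` on the runner container. The module arguments `config`, `lib`, `pkgs` and `inputs` are all unused in this file.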
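Review bot: The `dashboard` router in traefik.nix's dynamic config publishes `api@internal` for `traefik.pkpnafs.kb-one.de` with no middleware, no `entrypoints` and no `tls`, so the Traefik API, which returns the full routing configuration including backend URLs, is reachable without authentication by anyone who can resolve that name; `api.insecure = false` only disables the separate :8080 listener and `dashboard = false` only drops the UI, neither protects this router. Either remove the router or restrict it to `https` with `tls.certresolver` and a `basicAuth` or `ipAllowList` middleware, the way the Mailcow router is already pinned. The ACME `storage = "/run/secrets/acme.json"` also looks misplaced: Traefik writes that file itself (account key and issued certificates), whereas `/run/secrets` is presumably the sops-nix runtime mount populated from declared secrets, so it belongs in Traefik's own state directory, e.g. `storage = "/var/lib/traefik/acme.json";`. The comment `# Traefik Dashbaord` has a typo ("Dashboard").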