Added back config-files that were lost.

config-files/docker/hass/mosquitto.conf

@@ -0,0 +1,8 @@
+persistence true
+persistence_location /mosquitto/data/
+log_dest file /mosquitto/log/mosquitto.log
+listener 1883
+
+## Authentication ##
+allow_anonymous false
+password_file /mosquitto/config/password.txt

config-files/docker/traefik/headers.yaml

@@ -0,0 +1,20 @@
+http:
+  middlewares:
+    passbolt:
+      headers:
+        FrameDeny: true
+        AccessControlAllowMethods: 'GET,OPTIONS,PUT'
+        AccessControlAllowOriginList:
+          - origin-list-or-null
+        AccessControlMaxAge: 100
+        AddVaryHeader: true
+        BrowserXssFilter: true
+        ContentTypeNosniff: true
+        ForceSTSHeader: true
+        STSIncludeSubdomains: true
+        STSPreload: true
+        ContentSecurityPolicy: default-src 'self' 'unsafe-inline'
+        CustomFrameOptionsValue: SAMEORIGIN
+        ReferrerPolicy: same-origin
+        PermissionsPolicy: vibrate 'self'
+        STSSeconds: 315360000

config-files/docker/traefik/nextcloud.yaml

@@ -0,0 +1,41 @@
+http:
+  routers:
+    nextcloud:
+      rule: "Host(`nextcloud.${DOMAIN_NAME}`)"
+      entrypoints:
+        - "websecure"
+      service: nextcloud
+      middlewares:
+        - nextcloud-chain
+      tls:
+        certresolver: "cloudflare"
+
+  services:
+    nextcloud:
+      loadBalancer:
+        servers:
+          - url: "http://nextcloud-aio-apache:11000"
+
+  middlewares:
+    nextcloud-secure-headers:
+      headers:
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        referrerPolicy: "same-origin"
+        BrowserXssFilter: true
+        ContentTypeNosniff: true
+        ForceSTSHeader: true
+        STSIncludeSubdomains: true
+        STSPreload: true
+        STSSeconds: 315360000
+
+    https-redirect:
+      redirectscheme:
+        scheme: https
+
+    nextcloud-chain:
+      chain:
+        middlewares:
+          # - ... (e.g. rate limiting middleware)
+          - https-redirect
+          - nextcloud-secure-headers

config-files/docker/traefik/tls.yaml

@@ -0,0 +1,12 @@
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      sniStrict: true
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

config-files/docker/traefik/traefik.yaml

@@ -0,0 +1,54 @@
+global:
+  checkNewVersion: false
+  sendAnonymousUsage: false
+
+#     - level: [TRACE, DEBUG, INFO, WARN, ERROR, FATAL]
+log:
+  level: ERROR
+
+accesslog: {}
+
+api:
+  dashboard: true
+  insecure: true
+
+entryPoints:
+  web:
+    address: :80
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: :443
+    forwardedHeaders:
+      trustedIPs:
+        # Local IPs
+        - "127.0.0.1/32"
+        - "10.0.0.0/8"
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"
+
+certificatesResolvers:
+  cloudflare:
+    acme:
+      email: ${EMAIL_ADDRESS}
+      storage: /var/traefik/certs/cloudflare-acme.json
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+      dnsChallenge:
+        provider: cloudflare
+        resolvers:
+          - "1.1.1.1:53"
+          - "9.9.9.9:53"
+
+serversTransport:
+  insecureSkipVerify: true
+
+providers:
+  docker:
+    exposedByDefault: false
+    network: nextcloud-aio, passbolt_frontend, pihole, hass_frontend, immich_frontend
+  file:
+    directory: "/etc/traefik/conf/"
+    watch: true

deploy.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p gum openssl sops ssh-to-age age sshpass envsubst pciutils usbutils
+#!nix-shell -i bash -p gum openssl sops ssh-to-age age sshpass envsubst pciutils usbutils mosquitto
 
 prerun_action() {
   echo -e "$1"
@@ -161,11 +161,11 @@ files_generation() {
   echo -e "\n\n  ✅ Generating necessary folder tree..."
   mkdir -p extra-files/var/lib/sops-nix/
   mkdir -p extra-files/etc/nixos/secrets/
-  mkdir -p extra-files/mnt/config-storage/traefik/config/conf
-  mkdir -p extra-files/mnt/config-storage/hass/mqtt/config
-  mkdir -p extra-files/mnt/config-storage/hass/mqtt/data
-  mkdir -p extra-files/mnt/data-storage/nextcloud
-  mkdir -p extra-files/mnt/data-storage/immich
+  mkdir -p extra-files/mnt/config-storage/traefik/config/conf/
+  mkdir -p extra-files/mnt/config-storage/hass/mqtt/config/
+  mkdir -p extra-files/mnt/config-storage/hass/mqtt/data/
+  mkdir -p extra-files/mnt/data-storage/nextcloud/
+  mkdir -p extra-files/mnt/data-storage/immich/
 
   echo -e "\n\n  ✅ Generating sops-nix keys..."
   ssh-to-age -private-key -i extra-files/home/numbus-admin/.ssh/id_ed25519 > extra-files/var/lib/sops-nix/key.txt
@@ -231,14 +231,14 @@ files_generation() {
     done
 
   echo -e  "\n\n  ✅ Writing docker configuration files..."
-  envsubst < config-files/traefik/headers.yaml > extra-files/mnt/config-storage/traefik/config/conf/headers.yaml
-  envsubst < config-files/traefik/nextcloud.yaml > extra-files/mnt/config-storage/traefik/config/conf/nextcloud.yaml
-  envsubst < config-files/traefik/tls.yaml > extra-files/mnt/config-storage/traefik/config/conf/tls.yaml
-  envsubst < config-files/traefik/traefik.yaml > extra-files/mnt/config-storage/traefik/config/traefik.yaml
-  envsubst < config-files/hass/mosquitto.conf > extra-files/mnt/config-storage/hass/mqtt/config/mosquitto.conf
+  envsubst < config-files/docker/traefik/headers.yaml > extra-files/mnt/config-storage/traefik/config/conf/headers.yaml
+  envsubst < config-files/docker/traefik/nextcloud.yaml > extra-files/mnt/config-storage/traefik/config/conf/nextcloud.yaml
+  envsubst < config-files/docker/traefik/tls.yaml > extra-files/mnt/config-storage/traefik/config/conf/tls.yaml
+  envsubst < config-files/docker/traefik/traefik.yaml > extra-files/mnt/config-storage/traefik/config/traefik.yaml
+  envsubst < config-files/docker/hass/mosquitto.conf > extra-files/mnt/config-storage/hass/mqtt/config/mosquitto.conf
   touch extra-files/mnt/config-storage/hass/mqtt/config/password.txt
   chmod 0700 extra-files/mnt/config-storage/hass/mqtt/config/password.txt
-  nix shell nixpkgs#mosquitto -c mosquitto_passwd -b extra-files/mnt/config-storage/hass/mqtt/config/password.txt $HOME_ASSISTANT_MQTT_USER $HOME_ASSISTANT_MQTT_PASSWORD
+  mosquitto_passwd -b extra-files/mnt/config-storage/hass/mqtt/config/password.txt $HOME_ASSISTANT_MQTT_USER $HOME_ASSISTANT_MQTT_PASSWORD
 }
 
 disk_config_generation() {