# NixOS module: Traefik reverse proxy with an ACME certificate resolver,
# a password-protected dashboard, and the matching firewall openings.
{...}: {
  imports = [../fail2ban/traefik.nix];

  services.traefik.enable = true;

  # Static configuration: entry points, dashboard API, certificate resolver.
  services.traefik.staticConfigOptions = {
    api.dashboard = true;

    entryPoints = {
      # Port 80 carries the ACME HTTP challenge (see httpChallenge below) and
      # redirects requests to the "https" entry point.
      http = {
        address = ":80";
        http.redirections.entryPoint.to = "https";
        http.redirections.entryPoint.scheme = "https";
      };
      https.address = ":443";
      # Dashboard-only listener; no TLS is configured for it anywhere in this file.
      traefik-internal.address = ":8080";
    };

    certificatesResolvers.default.acme = {
      email = "evie@xenia.me.uk";
      # acme.json holds the ACME account key and the issued private keys;
      # it should stay readable by the traefik user only.
      storage = "/var/lib/traefik/acme.json";
      httpChallenge.entryPoint = "http";
    };
  };

  # Dynamic configuration: routers and middlewares.
  services.traefik.dynamicConfigOptions.http = {
    routers = {
      # Dashboard by hostname, behind basic auth, certificate from the
      # "default" resolver.
      # NOTE(review): "http" is listed, but that entry point redirects to
      # https, so it is presumably redundant here - confirm.
      api = {
        rule = "Host(`traefik.xenia.me.uk`)";
        entryPoints = ["http" "https"];
        service = "api@internal";
        middlewares = ["auth"];
        tls.certResolver = "default";
      };

      # Dashboard on :8080 for clients whose address is in 192.168.0.0/16.
      # NOTE(review): this router has no `tls` setting, so the basic-auth
      # header crosses the LAN in cleartext. The ClientIP rule is the only
      # source restriction; the firewall below accepts 8080 on every interface.
      api-internal = {
        rule = "ClientIP(`192.168.0.0/16`)";
        entryPoints = ["traefik-internal"];
        service = "api@internal";
        middlewares = ["auth"];
      };
    };

    middlewares = {
      # NOTE(review): this htpasswd entry uses the MD5-based apr1 scheme and,
      # being inline, ends up in the world-readable Nix store and in the
      # repository history. Prefer basicAuth.usersFile pointing at a secret
      # kept outside the store (e.g. "<PATH_TO_SECRET_FILE>"), use a bcrypt
      # hash, and treat the current password as exposed.
      auth.basicAuth.users = ["xenia:$apr1$LB0wVd6I$BHVPIyh.F5Ewt9/7PqAtS."];

      # HSTS header middleware. No router in this file references it;
      # presumably other modules attach it - verify.
      # NOTE(review): stsSeconds is documented as an integer; confirm the
      # string form is accepted after config generation.
      hsts.headers = {
        stsSeconds = "31536000";
        stsIncludeSubdomains = true;
      };
    };
  };

  # 80/443 serve public traffic; 8080 is the dashboard listener.
  # NOTE(review): allowedTCPPorts applies to all interfaces. If 8080 is meant
  # to be LAN-only, scope it with
  # networking.firewall.interfaces."<LAN_INTERFACE>".allowedTCPPorts.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [80 443 8080];
  };
}