nixos/services/traefik/default.nix

56 lines
1.4 KiB
Nix
Raw Normal View History

2023-05-17 17:10:18 +01:00
{...}: {
imports = [../fail2ban/traefik.nix];
services.traefik = {
enable = true;
staticConfigOptions = {
api = {dashboard = true;};
entryPoints = {
http = {
address = ":80";
http.redirections.entryPoint = {
to = "https";
scheme = "https";
};
};
2023-05-17 17:10:18 +01:00
https = {address = ":443";};
traefik-internal = {address = ":8080";};
};
2023-05-15 07:51:06 +01:00
certificatesResolvers = {
default = {
acme = {
email = "evie@xenia.me.uk";
storage = "/var/lib/traefik/acme.json";
2023-05-17 17:10:18 +01:00
httpChallenge = {entryPoint = "http";};
2023-05-15 07:51:06 +01:00
};
};
};
};
dynamicConfigOptions.http = {
routers.api = {
2023-05-17 17:10:18 +01:00
rule = "Host(`traefik.xenia.me.uk`)";
entryPoints = ["http" "https"];
service = "api@internal";
middlewares = ["auth"];
2023-05-17 17:10:18 +01:00
tls = {certResolver = "default";};
};
routers.api-internal = {
rule = "ClientIP(`192.168.0.0/16`)";
entryPoints = ["traefik-internal"];
service = "api@internal";
middlewares = ["auth"];
};
middlewares = {
auth.basicAuth.users = ["xenia:$apr1$LB0wVd6I$BHVPIyh.F5Ewt9/7PqAtS."];
hsts.headers = {
stsSeconds = "31536000";
stsIncludeSubdomains = true;
};
};
};
};
2023-05-17 17:10:18 +01:00
networking.firewall = {
enable = true;
allowedTCPPorts = [80 443 8080];
};
}