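{ config, lib, pkgs, ... }:
# Traefik reverse proxy: ACME-backed TLS on :443, a plain-HTTP redirect on :80,
# and a separate dashboard entrypoint on :8080 that is meant for the LAN only.
{
  imports = [ ../fail2ban/traefik.nix ];

  services.traefik = {
    enable = true;

    staticConfigOptions = {
      api = { dashboard = true; };

      entryPoints = {
        # Port 80 exists only to bounce clients to HTTPS.
        http = {
          address = ":80";
          http.redirections.entryPoint = {
            to = "https";
            scheme = "https";
          };
        };
        https.address = ":443";
        # Dashboard entrypoint. Nothing restricts the listener itself; access is
        # gated only by the ClientIP rule on the api-internal router below.
        traefik-internal.address = ":8080";
      };

      certificatesResolvers = {
        default = {
          acme = {
            email = "evie@xenia.me.uk";
            storage = "/var/lib/traefik/acme.json";
            httpChallenge = { entryPoint = "http"; };
          };
        };
      };
    };

    dynamicConfigOptions = {
      # Refuse TLS handshakes whose SNI does not match a configured certificate.
      tls.options.default.sniStrict = true;

      http = {
        routers = {
          # Public dashboard: basic auth plus HSTS, served on the ACME certificate.
          api = {
            rule = "Host(`traefik.xenia.me.uk`)";
            entryPoints = [ "http" "https" ];
            service = "api@internal";
            # The hsts middleware was declared below but never attached to any
            # router, so no Strict-Transport-Security header was being sent.
            middlewares = [ "auth" "hsts" ];
            tls = { certResolver = "default"; };
          };
          # LAN-only dashboard with no authentication middleware; the ClientIP
          # matcher is the only gate, so keep the firewall exposure of 8080 as
          # narrow as the network layout permits.
          api-internal = {
            rule = "ClientIP(`192.168.0.0/16`)";
            entryPoints = [ "traefik-internal" ];
            service = "api@internal";
          };
        };

        middlewares = {
          # NOTE(review): this htpasswd entry is an APR1 (MD5-based) hash that is
          # committed to the repository and copied into the Nix store with the
          # generated config. Traefik's basicAuth also accepts bcrypt hashes and a
          # `usersFile` kept outside the store; consider moving to those.
          auth.basicAuth.users =
            [ "xenia:$apr1$LB0wVd6I$BHVPIyh.F5Ewt9/7PqAtS." ];
          hsts.headers = {
            stsSeconds = "31536000";
            stsIncludeSubdomains = true;
          };
        };
      };
    };
  };

  networking.firewall = {
    enable = true;
    # 8080 is opened on every interface; the only restriction on the dashboard
    # behind it is the api-internal router's ClientIP rule above. Scoping this
    # port to the LAN interface would add a second layer of defence.
    allowedTCPPorts = [ 80 443 8080 ];
  };
}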