2023-10-21 17:55:11 +01:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
{
|
|
|
|
imports = [ ../fail2ban/traefik.nix ];
|
2023-05-11 11:54:42 +01:00
|
|
|
services.traefik = {
|
|
|
|
enable = true;
|
|
|
|
staticConfigOptions = {
|
2023-10-21 17:55:11 +01:00
|
|
|
api = { dashboard = true; };
|
2023-05-11 11:54:42 +01:00
|
|
|
entryPoints = {
|
2023-05-25 17:05:25 +01:00
|
|
|
http = {
|
|
|
|
address = ":80";
|
|
|
|
http.redirections.entryPoint = {
|
|
|
|
to = "https";
|
|
|
|
scheme = "https";
|
|
|
|
};
|
|
|
|
};
|
2023-05-30 10:08:26 +01:00
|
|
|
https.address = ":443";
|
|
|
|
traefik-internal.address = ":8080";
|
2023-05-11 11:54:42 +01:00
|
|
|
};
|
2023-05-15 07:51:06 +01:00
|
|
|
certificatesResolvers = {
|
|
|
|
default = {
|
|
|
|
acme = {
|
|
|
|
email = "evie@xenia.me.uk";
|
|
|
|
storage = "/var/lib/traefik/acme.json";
|
2023-10-21 17:55:11 +01:00
|
|
|
httpChallenge = { entryPoint = "http"; };
|
2023-05-15 07:51:06 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
2023-05-30 12:13:03 +01:00
|
|
|
dynamicConfigOptions = {
|
|
|
|
tls.options.default.sniStrict = true;
|
|
|
|
http = {
|
|
|
|
routers = {
|
|
|
|
api = {
|
|
|
|
rule = "Host(`traefik.xenia.me.uk`)";
|
2023-10-21 17:55:11 +01:00
|
|
|
entryPoints = [ "http" "https" ];
|
2023-05-30 12:13:03 +01:00
|
|
|
service = "api@internal";
|
2023-10-21 17:55:11 +01:00
|
|
|
middlewares = [ "auth" ];
|
|
|
|
tls = { certResolver = "default"; };
|
2023-05-30 12:13:03 +01:00
|
|
|
};
|
|
|
|
api-internal = {
|
|
|
|
rule = "ClientIP(`192.168.0.0/16`)";
|
2023-10-21 17:55:11 +01:00
|
|
|
entryPoints = [ "traefik-internal" ];
|
2023-05-30 12:13:03 +01:00
|
|
|
service = "api@internal";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
middlewares = {
|
2023-10-21 17:55:11 +01:00
|
|
|
auth.basicAuth.users =
|
|
|
|
[ "xenia:$apr1$LB0wVd6I$BHVPIyh.F5Ewt9/7PqAtS." ];
|
2023-05-30 12:13:03 +01:00
|
|
|
hsts.headers = {
|
|
|
|
stsSeconds = "31536000";
|
|
|
|
stsIncludeSubdomains = true;
|
|
|
|
};
|
2023-05-26 10:21:38 +01:00
|
|
|
};
|
|
|
|
};
|
2023-05-11 11:54:42 +01:00
|
|
|
};
|
|
|
|
};
|
2023-05-17 17:10:18 +01:00
|
|
|
networking.firewall = {
|
|
|
|
enable = true;
|
2023-10-21 17:55:11 +01:00
|
|
|
allowedTCPPorts = [ 80 443 8080 ];
|
2023-05-25 17:05:25 +01:00
|
|
|
};
|
2023-05-11 11:54:42 +01:00
|
|
|
}
|