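# Traefik reverse proxy: ACME (HTTP-01) certificates, a basic-auth gated
# dashboard on traefik.xenia.me.uk, and a LAN-only dashboard endpoint on :8080.
{...}: {
  imports = [../fail2ban/traefik.nix];

  services.traefik = {
    enable = true;

    staticConfigOptions = {
      api = {dashboard = true;};

      entryPoints = {
        # Plain HTTP exists to answer the ACME HTTP-01 challenge and to redirect
        # everything else to HTTPS.
        http = {
          address = ":80";
          http.redirections.entryPoint = {
            to = "https";
            scheme = "https";
          };
        };
        https = {address = ":443";};
        # Separate entry point for the dashboard from the LAN; see
        # routers.api-internal and the firewall note at the bottom.
        traefik-internal = {address = ":8080";};
      };

      certificatesResolvers = {
        default = {
          acme = {
            email = "evie@xenia.me.uk";
            storage = "/var/lib/traefik/acme.json";
            httpChallenge = {entryPoint = "http";};
          };
        };
      };
    };

    dynamicConfigOptions.http = {
      # Public dashboard: TLS from the ACME resolver, gated by basic auth and
      # served with HSTS. The "hsts" middleware was previously defined but not
      # attached to any router, so the header was never sent. The "http" entry
      # point redirects before routing, so listing it here is harmless.
      routers.api = {
        rule = "Host(`traefik.xenia.me.uk`)";
        entryPoints = ["http" "https"];
        service = "api@internal";
        middlewares = ["auth" "hsts"];
        tls = {certResolver = "default";};
      };

      # LAN-only dashboard on :8080. ClientIP matches the source address of the
      # connection as Traefik sees it; it does not limit who can reach the port
      # itself (see networking.firewall below).
      routers.api-internal = {
        rule = "ClientIP(`192.168.0.0/16`)";
        entryPoints = ["traefik-internal"];
        service = "api@internal";
        middlewares = ["auth"];
      };

      middlewares = {
        # htpasswd entry kept inline: an apr1 (MD5-based) hash is weaker than
        # bcrypt, which htpasswd and Traefik both support, and an inline value is
        # rendered into the (world-readable) Nix store with the rest of the
        # dynamic config. Traefik's `basicAuth.usersFile` can point at a
        # secrets-managed file instead if that matters for this host.
        auth.basicAuth.users = ["xenia:$apr1$LB0wVd6I$BHVPIyh.F5Ewt9/7PqAtS."];
        # One year, including subdomains of the dashboard host.
        hsts.headers = {
          stsSeconds = "31536000";
          stsIncludeSubdomains = true;
        };
      };
    };
  };

  # :8080 is opened on every interface; only the ClientIP rule above confines
  # the internal dashboard to 192.168.0.0/16. Scoping the port to the LAN
  # interface via networking.firewall.interfaces.<LAN_IFACE>.allowedTCPPorts
  # would keep it off any public interface entirely.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [80 443 8080];
  };
}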