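# NixOS module: Traefik reverse proxy with ACME (HTTP-01) certificates, a
# basic-auth protected dashboard on the public entrypoints, and a second,
# unauthenticated dashboard router on :8080 gated only by a ClientIP rule.
{ config, lib, pkgs, ... }:

{
  # Brings in the fail2ban jail/filter definitions for traefik's access log.
  imports = [ ../fail2ban/traefik.nix ];

  services.traefik = {
    enable = true;

    staticConfigOptions = {
      api = { dashboard = true; };

      entryPoints = {
        # Plain HTTP serves the ACME challenge and redirects everything
        # else to https at the entrypoint, before any router is consulted.
        http = {
          address = ":80";
          http.redirections.entryPoint = {
            to = "https";
            scheme = "https";
          };
        };
        https.address = ":443";
        # LAN-only dashboard entrypoint; used by the api-internal router.
        traefik-internal.address = ":8080";
      };

      certificatesResolvers = {
        default = {
          acme = {
            email = "evie@xenia.me.uk";
            storage = "/var/lib/traefik/acme.json";
            httpChallenge = { entryPoint = "http"; };
          };
        };
      };
    };

    dynamicConfigOptions = {
      # Refuse TLS handshakes whose SNI matches no configured certificate.
      tls.options.default.sniStrict = true;

      http = {
        routers = {
          api = {
            rule = "Host(`traefik.xenia.me.uk`)";
            entryPoints = [ "http" "https" ];
            service = "api@internal";
            # The hsts middleware was defined below but never attached, so
            # Strict-Transport-Security was never sent; attach it here.
            middlewares = [ "auth" "hsts" ];
            tls = { certResolver = "default"; };
          };
          # NOTE(review): the ClientIP matcher is the only access control on
          # this router (no auth middleware), and the firewall below opens
          # 8080 on every interface, so the restriction depends on Traefik
          # seeing the real client address.
          api-internal = {
            rule = "ClientIP(`192.168.0.0/16`)";
            entryPoints = [ "traefik-internal" ];
            service = "api@internal";
          };
        };

        middlewares = {
          # htpasswd entry. $apr1$ is the MD5-based scheme; Traefik's
          # basicAuth also accepts bcrypt ($2y$) hashes for this field.
          auth.basicAuth.users = [ "xenia:$apr1$LB0wVd6I$BHVPIyh.F5Ewt9/7PqAtS." ];
          hsts.headers = {
            # One year, written as an integer to match Traefik's int64 field.
            stsSeconds = 31536000;
            stsIncludeSubdomains = true;
          };
        };
      };
    };
  };

  networking.firewall = {
    enable = true;
    # 8080 is reachable from anywhere at the firewall level; only the
    # ClientIP rule above narrows who gets a dashboard response.
    allowedTCPPorts = [ 80 443 8080 ];
  };
}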