nixin-krops/modules/reverse-proxy-traefik.nix

104 lines
2.9 KiB
Nix
Raw Permalink Normal View History

{ config, lib, pkgs, ... }:
let
2024-12-21 23:00:31 +00:00
inherit (lib) mkOption mkDefault;
localCertificationDirectory = config.security.localCertification.directory;
in
{
2024-12-21 23:00:31 +00:00
options = {
nixin.traefik = {
dashboard-domain = mkOption { type = lib.types.str; };
};
};
2024-12-21 23:00:31 +00:00
config = {
# Enable Traefik
services.traefik.enable = true;
2024-12-21 23:00:31 +00:00
# Let Traefik interact with Docker
services.traefik.group = "docker";
2024-12-21 23:00:31 +00:00
virtualisation.docker.enable = true;
2024-12-21 23:00:31 +00:00
virtualisation.oci-containers = {
backend = "docker";
};
2024-12-21 23:00:31 +00:00
# Traefik static configuration options
services.traefik.staticConfigOptions = {
api.dashboard = true;
api.insecure = false;
2024-12-21 23:00:31 +00:00
# Enable logs
log = {
level = "INFO";
filePath = "${config.services.traefik.dataDir}/traefik.log";
format = "json";
};
accessLog.filePath = "${config.services.traefik.dataDir}/accessLog.log";
# Enable Docker provider
providers.docker = {
endpoint = "unix:///run/docker.sock";
watch = true;
exposedByDefault = false;
};
# Configure entrypoints, i.e the ports
entryPoints = {
web = {
address = ":80";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":443";
asDefault = true;
http.tls.certResolver = "acme-challenge";
};
};
2024-12-21 23:00:31 +00:00
# Configure certification
certificatesResolvers.acme-challenge.acme = {
email = "contact@distrilab.fr";
storage = "${config.services.traefik.dataDir}/acme.json";
httpChallenge.entryPoint = "web";
};
};
2024-12-21 23:00:31 +00:00
# Whitelist middleware to limit access to the wireguard network
services.traefik.dynamicConfigOptions.http.middlewares.wg-whitelist.ipwhitelist = {
sourceRange = [ "192.168.12.0/24" ];
};
2024-12-21 23:00:31 +00:00
# Dashboard
services.traefik.dynamicConfigOptions.http.routers.dashboard = {
rule = lib.mkDefault "Host(`${config.nixin.traefik.dashboard-domain}`)";
service = "api@internal";
# restrict access to the dashboard
middlewares = [ "wg-whitelist" ];
entryPoints = [ "websecure" ];
};
2024-12-21 23:00:31 +00:00
# You can find and example proxy for a non-docker service in the nixin-web.nix module
# Example docker service with traefik proxy enabled through labels
# virtualisation.oci-containers.containers.whoami = {
# autoStart = true;
# image = "jwilder/whoami";
# extraOptions = [
# "--label=traefik.enable=true"
# "--label=traefik.http.routers.whoami.entrypoints=websecure"
# "--label=traefik.http.routers.whoami.rule=Host(`whoami.domain.tld`)"
# "--label=traefik.http.routers.whoami.tls=true"
# "--label=traefik.http.services.whoami.loadbalancer.server.port=8000"
# "--label=traefik.http.routers.whoami.tls.certresolver=acme-challenge"
# ];
# };
};
}