2024-12-19 22:39:49 +00:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
let
|
|
|
|
localCertificationDirectory = config.security.localCertification.directory;
|
|
|
|
in
|
|
|
|
{
|
|
|
|
# Enable Traefik
|
|
|
|
services.traefik.enable = true;
|
|
|
|
|
|
|
|
# Let Traefik interact with Docker
|
|
|
|
services.traefik.group = "docker";
|
|
|
|
|
|
|
|
virtualisation.docker.enable = true;
|
|
|
|
|
|
|
|
virtualisation.oci-containers = {
|
|
|
|
backend = "docker";
|
|
|
|
};
|
|
|
|
|
|
|
|
# Traefik static configuration options
|
|
|
|
services.traefik.staticConfigOptions = {
|
|
|
|
api.dashboard = true;
|
|
|
|
api.insecure = false;
|
|
|
|
|
|
|
|
# Enable logs
|
|
|
|
#log.filePath = "/var/log/traefik/traefik.log";
|
|
|
|
log = {
|
|
|
|
level = "INFO";
|
|
|
|
filePath = "${config.services.traefik.dataDir}/traefik.log";
|
|
|
|
format = "json";
|
|
|
|
};
|
|
|
|
accessLog.filePath = "/var/log/traefik/accessLog.log";
|
|
|
|
|
|
|
|
# Enable Docker provider
|
|
|
|
providers.docker = {
|
|
|
|
endpoint = "unix:///run/docker.sock";
|
|
|
|
watch = true;
|
|
|
|
exposedByDefault = false;
|
|
|
|
};
|
|
|
|
|
|
|
|
# Configure entrypoints, i.e the ports
|
|
|
|
entryPoints = {
|
|
|
|
web = {
|
|
|
|
address = ":80";
|
|
|
|
http.redirections.entryPoint = {
|
|
|
|
to = "websecure";
|
|
|
|
scheme = "https";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
websecure = {
|
|
|
|
address = ":443";
|
|
|
|
asDefault = true;
|
|
|
|
http.tls.certResolver = "acme-challenge";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# Configure certification
|
|
|
|
certificatesResolvers.acme-challenge.acme = {
|
|
|
|
email = "contact@distrilab.fr";
|
|
|
|
storage = "${config.services.traefik.dataDir}/acme.json";
|
|
|
|
httpChallenge.entryPoint = "web";
|
|
|
|
};
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
# Whitelist middleware to limit access to the wireguard network
|
|
|
|
services.traefik.dynamicConfigOptions.http.middlewares.wg-whitelist.ipwhitelist = {
|
|
|
|
sourceRange = [ "192.168.12.0/24" ];
|
|
|
|
};
|
|
|
|
|
|
|
|
# Dashboard
|
|
|
|
services.traefik.dynamicConfigOptions.http.routers.dashboard = {
|
|
|
|
rule = lib.mkDefault "Host(`traefik.lab12.fr`)";
|
|
|
|
service = "api@internal";
|
|
|
|
# restrict access to the dashboard
|
|
|
|
middlewares = [ "wg-whitelist" ];
|
|
|
|
entryPoints = [ "websecure" ];
|
|
|
|
};
|
|
|
|
|
|
|
|
|
2024-12-20 09:45:32 +00:00
|
|
|
# You can find and example proxy for a non-docker service in the nixin-web.nix module
|
2024-12-19 22:39:49 +00:00
|
|
|
|
|
|
|
# Example docker service with traefik proxy enabled through labels
|
|
|
|
virtualisation.oci-containers.containers.whoami = {
|
|
|
|
autoStart = true;
|
|
|
|
image = "jwilder/whoami";
|
|
|
|
extraOptions = [
|
|
|
|
"--label=traefik.enable=true"
|
|
|
|
"--label=traefik.http.routers.whoami.entrypoints=websecure"
|
|
|
|
"--label=traefik.http.routers.whoami.rule=Host(`whoami.lab12.fr`)"
|
|
|
|
"--label=traefik.http.routers.whoami.tls=true"
|
|
|
|
"--label=traefik.http.services.whoami.loadbalancer.server.port=8000"
|
|
|
|
"--label=traefik.http.routers.whoami.tls.certresolver=acme-challenge"
|
|
|
|
];
|
|
|
|
};
|
|
|
|
|
|
|
|
}
|