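{ config, lib, pkgs, ... }:

# Traefik reverse proxy for this host: Docker provider, ACME (HTTP-01)
# certificates, a blanket HTTP -> HTTPS redirect, and a dashboard router that
# is only reachable from 192.168.12.0/24 (the WireGuard network, according to
# the original author's comment — verify against the actual wg interface).

let
  inherit (lib) mkOption mkDefault types;
in
{
  options = {
    nixin.traefik = {
      dashboard-domain = mkOption {
        type = types.str;
        description = ''
          Hostname matched by the dashboard router's `Host()` rule. The name
          alone does not grant access: the router is also gated by the
          `wg-whitelist` IP middleware defined in this module.
        '';
      };

      acme-email = mkOption {
        type = types.str;
        default = "contact@distrilab.fr";
        description = ''
          Contact address registered with the ACME CA for the
          `acme-challenge` certificate resolver.
        '';
      };
    };
  };

  config = {
    # Enable Traefik
    services.traefik.enable = true;

    # Let Traefik talk to the Docker daemon (the Docker provider below reads
    # /run/docker.sock).
    # SECURITY: membership of the `docker` group is root-equivalent on the host —
    # anything that can drive the socket can start a privileged container with
    # the host filesystem mounted. Traefik only needs to list containers and
    # watch events; a read-only socket proxy in front of the daemon would narrow
    # this, but none is set up here, so treat the traefik service as a
    # root-equivalent trust boundary.
    services.traefik.group = "docker";

    virtualisation.docker.enable = true;

    virtualisation.oci-containers = {
      backend = "docker";
    };

    # Traefik static configuration options
    services.traefik.staticConfigOptions = {
      # The dashboard is exposed only through a normal router (see
      # `routers.dashboard` below), never on the unauthenticated "insecure"
      # :8080 API port.
      api.dashboard = true;
      api.insecure = false;

      # Enable logs (structured, so they can be shipped to a SIEM as-is).
      log = {
        level = "INFO";
        filePath = "${config.services.traefik.dataDir}/traefik.log";
        format = "json";
      };

      # Access log: one line per proxied request, useful for incident
      # reconstruction. Note the default access-log format is CLF, not JSON.
      accessLog.filePath = "${config.services.traefik.dataDir}/accessLog.log";

      # Enable Docker provider
      providers.docker = {
        endpoint = "unix:///run/docker.sock";
        watch = true;
        # Only containers that opt in with `traefik.enable=true` are routed, so
        # a container that merely runs on the host cannot publish itself.
        exposedByDefault = false;
      };

      # Configure entrypoints, i.e the ports
      entryPoints = {
        web = {
          address = ":80";
          # Everything on :80 is redirected to :443. ACME HTTP-01 challenges on
          # this entrypoint are answered by Traefik before the redirect applies.
          http.redirections.entryPoint = {
            to = "websecure";
            scheme = "https";
          };
        };

        websecure = {
          address = ":443";
          asDefault = true;
          # Every router attached to this entrypoint gets a certificate from the
          # resolver below unless it sets its own `tls` block.
          http.tls.certResolver = "acme-challenge";
        };
      };

      # Configure certification
      certificatesResolvers.acme-challenge.acme = {
        email = config.nixin.traefik.acme-email;
        # Holds the ACME account key and all issued private keys. It lives in
        # the traefik dataDir and Traefik refuses to start unless the file is
        # mode 0600 — do not relax that.
        storage = "${config.services.traefik.dataDir}/acme.json";
        httpChallenge.entryPoint = "web";
      };
    };

    # Allowlist middleware to limit access to the WireGuard network.
    # No `forwardedHeaders.trustedIPs` / `proxyProtocol` is configured on the
    # entrypoints and no `ipStrategy` is set here, so the check is made against
    # the real TCP peer address and cannot be satisfied with a spoofed
    # X-Forwarded-For header. If Traefik is ever placed behind another proxy or
    # trusted forwarders are added, this middleware must be revisited.
    # NOTE: `ipwhitelist` is deprecated in Traefik v3 in favour of `ipAllowList`;
    # the old name is kept so the config works on both majors (Traefik matches
    # config keys case-insensitively).
    services.traefik.dynamicConfigOptions.http.middlewares.wg-whitelist.ipwhitelist = {
      sourceRange = [ "192.168.12.0/24" ];
    };

    # Dashboard
    services.traefik.dynamicConfigOptions.http.routers.dashboard = {
      rule = mkDefault "Host(`${config.nixin.traefik.dashboard-domain}`)";
      # `api@internal` serves both the dashboard UI and the raw /api/* JSON
      # endpoints (full routing config, including backend addresses), so the
      # allowlist below protects both.
      service = "api@internal";

      # restrict access to the dashboard
      middlewares = [ "wg-whitelist" ];

      # TLS only; plain-HTTP requests hit the :80 redirect first.
      entryPoints = [ "websecure" ];
    };
  };
}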