add traefik reverse proxy on arachnide server

2024-12-19 23:39:49 +01:00 · 2024-12-19 23:39:49 +01:00 · ad46a99a19
commit ad46a99a19
parent ecefb8c4c8
2 changed files with 102 additions and 0 deletions
--- a/config/arachnide/configuration.nix
+++ b/config/arachnide/configuration.nix
@ -7,6 +7,7 @@
      /var/src/modules/nixin.nix
      /var/src/modules/users.nix
      /var/src/modules/wireguard-client.nix
+      /var/src/modules/reverse-proxy.nix
    ];

  # Bootloader.
--- a/modules/reverse-proxy.nix
+++ b/modules/reverse-proxy.nix
@ -0,0 +1,101 @@
+{ config, lib, pkgs, ... }:
+
+let
+    localCertificationDirectory = config.security.localCertification.directory;
+in
+{
+  # Enable Traefik
+  services.traefik.enable = true;
+
+  # Let Traefik interact with Docker
+  services.traefik.group = "docker";
+
+  virtualisation.docker.enable = true;
+
+  virtualisation.oci-containers = {
+    backend = "docker";
+  };
+
+  # Traefik static configuration options 
+  services.traefik.staticConfigOptions = {
+    api.dashboard = true;
+    api.insecure = false;
+
+    # Enable logs
+    #log.filePath = "/var/log/traefik/traefik.log";
+    log = {
+      level = "INFO";
+      filePath = "${config.services.traefik.dataDir}/traefik.log";
+      format = "json";
+    };
+    accessLog.filePath = "/var/log/traefik/accessLog.log";
+
+    # Enable Docker provider
+    providers.docker = {
+        endpoint = "unix:///run/docker.sock";
+        watch = true;
+        exposedByDefault = false;
+    };
+
+    # Configure entrypoints, i.e the ports
+    entryPoints = {
+      web = {
+        address = ":80";
+        http.redirections.entryPoint = {
+          to = "websecure";
+          scheme = "https";
+        };
+      };
+      websecure = {
+        address = ":443";
+        asDefault = true;
+        http.tls.certResolver = "acme-challenge";
+      };
+    };
+
+    # Configure certification
+    certificatesResolvers.acme-challenge.acme = {
+      email = "contact@distrilab.fr";
+      storage = "${config.services.traefik.dataDir}/acme.json";
+      httpChallenge.entryPoint = "web";
+    };
+
+  };
+
+  # Whitelist middleware to limit access to the wireguard network
+  services.traefik.dynamicConfigOptions.http.middlewares.wg-whitelist.ipwhitelist = {
+    sourceRange = [ "192.168.12.0/24" ];
+  };
+
+  # Dashboard
+  services.traefik.dynamicConfigOptions.http.routers.dashboard = {
+    rule = lib.mkDefault "Host(`traefik.lab12.fr`)";
+    service = "api@internal";
+    # restrict access to the dashboard
+    middlewares = [ "wg-whitelist" ];
+    entryPoints = [ "websecure" ];
+  };
+
+
+  # Example proxy for a local service listening on port 8012
+  services.traefik.dynamicConfigOptions.http.services."example.lab12.fr" = {
+    loadBalancer.servers = [
+      { url = "http://127.0.0.1:8012"; }
+    ];
+  };
+
+  # Example docker service with traefik proxy enabled through labels
+  virtualisation.oci-containers.containers.whoami = {
+    autoStart = true;
+    image = "jwilder/whoami";
+    extraOptions = [
+      "--label=traefik.enable=true"
+      "--label=traefik.http.routers.whoami.entrypoints=websecure"
+      "--label=traefik.http.routers.whoami.rule=Host(`whoami.lab12.fr`)"
+      "--label=traefik.http.routers.whoami.tls=true"
+      "--label=traefik.http.services.whoami.loadbalancer.server.port=8000"
+      "--label=traefik.http.routers.whoami.tls.certresolver=acme-challenge"
+    ];
+  };
+
+}