diff --git a/config/arachnide/configuration.nix b/config/arachnide/configuration.nix index 8af596f..2c85e65 100644 --- a/config/arachnide/configuration.nix +++ b/config/arachnide/configuration.nix @@ -38,6 +38,10 @@ ipv6 = "2a01:4f9:1a:9a05::2/128"; }; + nixin.traefik = { + dashboard-domain = "traefik.lab12.fr"; + }; + nixin.web = { domain = "nixin.lab12.fr"; http-port = 8081; diff --git a/modules/reverse-proxy.nix b/modules/reverse-proxy.nix index 5d66075..c1f2c5e 100644 --- a/modules/reverse-proxy.nix +++ b/modules/reverse-proxy.nix 
@@ -1,95 +1,103 @@ { config, lib, pkgs, ... }: let - localCertificationDirectory = config.security.localCertification.directory; + inherit (lib) mkOption mkDefault; + localCertificationDirectory = config.security.localCertification.directory; in { - # Enable Traefik - services.traefik.enable = true; - - # Let Traefik interact with Docker - services.traefik.group = "docker"; - - virtualisation.docker.enable = true; - - virtualisation.oci-containers = { - backend = "docker"; + options = { + nixin.traefik = { + dashboard-domain = mkOption { type = lib.types.str; }; + }; }; - # Traefik static configuration options - services.traefik.staticConfigOptions = { - api.dashboard = true; - api.insecure = false; + config = { + # Enable Traefik + services.traefik.enable = true; - # Enable logs - log = { - level = "INFO"; - filePath = "${config.services.traefik.dataDir}/traefik.log"; - format = "json"; - }; - accessLog.filePath = "${config.services.traefik.dataDir}/accessLog.log"; + # Let Traefik interact with Docker + services.traefik.group = "docker"; - # Enable Docker provider - providers.docker = { - endpoint = "unix:///run/docker.sock"; - watch = true; - exposedByDefault = false; + virtualisation.docker.enable = true; + + virtualisation.oci-containers = { + backend = "docker"; }; - # Configure entrypoints, i.e the ports - entryPoints = { - web = { - address = ":80"; - http.redirections.entryPoint = { - to = "websecure"; - scheme = "https"; + # Traefik static configuration options + services.traefik.staticConfigOptions = { + api.dashboard = true; + api.insecure = false; + + # Enable logs + log = { + level = "INFO"; + filePath = "${config.services.traefik.dataDir}/traefik.log"; + format = "json"; + }; + accessLog.filePath = "${config.services.traefik.dataDir}/accessLog.log"; + + # Enable Docker provider + providers.docker = { + endpoint = "unix:///run/docker.sock"; + watch = true; + exposedByDefault = false; + }; + + # Configure entrypoints, i.e the ports + entryPoints = { + 
web = { + address = ":80"; + http.redirections.entryPoint = { + to = "websecure"; + scheme = "https"; + }; + }; + websecure = { + address = ":443"; + asDefault = true; + http.tls.certResolver = "acme-challenge"; }; }; - websecure = { - address = ":443"; - asDefault = true; - http.tls.certResolver = "acme-challenge"; + + # Configure certification + certificatesResolvers.acme-challenge.acme = { + email = "contact@distrilab.fr"; + storage = "${config.services.traefik.dataDir}/acme.json"; + httpChallenge.entryPoint = "web"; }; + }; - # Configure certification - certificatesResolvers.acme-challenge.acme = { - email = "contact@distrilab.fr"; - storage = "${config.services.traefik.dataDir}/acme.json"; - httpChallenge.entryPoint = "web"; + # Whitelist middleware to limit access to the wireguard network + services.traefik.dynamicConfigOptions.http.middlewares.wg-whitelist.ipwhitelist = { + sourceRange = [ "192.168.12.0/24" ]; }; + # Dashboard + services.traefik.dynamicConfigOptions.http.routers.dashboard = { + rule = lib.mkDefault "Host(`${config.nixin.traefik.dashboard-domain}`)"; + service = "api@internal"; + # restrict access to the dashboard + middlewares = [ "wg-whitelist" ]; + entryPoints = [ "websecure" ]; + }; + + + # You can find and example proxy for a non-docker service in the nixin-web.nix module + + # Example docker service with traefik proxy enabled through labels + # virtualisation.oci-containers.containers.whoami = { + # autoStart = true; + # image = "jwilder/whoami"; + # extraOptions = [ + # "--label=traefik.enable=true" + # "--label=traefik.http.routers.whoami.entrypoints=websecure" + # "--label=traefik.http.routers.whoami.rule=Host(`whoami.domain.tld`)" + # "--label=traefik.http.routers.whoami.tls=true" + # "--label=traefik.http.services.whoami.loadbalancer.server.port=8000" + # "--label=traefik.http.routers.whoami.tls.certresolver=acme-challenge" + # ]; + # }; }; - - # Whitelist middleware to limit access to the wireguard network - 
services.traefik.dynamicConfigOptions.http.middlewares.wg-whitelist.ipwhitelist = { - sourceRange = [ "192.168.12.0/24" ]; - }; - - # Dashboard - services.traefik.dynamicConfigOptions.http.routers.dashboard = { - rule = lib.mkDefault "Host(`traefik.lab12.fr`)"; - service = "api@internal"; - # restrict access to the dashboard - middlewares = [ "wg-whitelist" ]; - entryPoints = [ "websecure" ]; - }; - - - # You can find and example proxy for a non-docker service in the nixin-web.nix module - - # Example docker service with traefik proxy enabled through labels - virtualisation.oci-containers.containers.whoami = { - autoStart = true; - image = "jwilder/whoami"; - extraOptions = [ - "--label=traefik.enable=true" - "--label=traefik.http.routers.whoami.entrypoints=websecure" - "--label=traefik.http.routers.whoami.rule=Host(`whoami.lab12.fr`)" - "--label=traefik.http.routers.whoami.tls=true" - "--label=traefik.http.services.whoami.loadbalancer.server.port=8000" - "--label=traefik.http.routers.whoami.tls.certresolver=acme-challenge" - ]; - }; - }
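Review bot: The new `nixin.traefik.dashboard-domain` option is declared with only a type, so the module documentation says nothing about what it controls or that the dashboard stays restricted to the allow-listed range; declare it as `dashboard-domain = mkOption { type = lib.types.str; description = "Host name the Traefik dashboard router matches on; access is still limited to the wg-whitelist source range."; };`. The `inherit (lib) mkOption mkDefault;` added at the top is only half used, since the dashboard router still writes `lib.mkDefault "Host(...)"` — either use the inherited `mkDefault` there or drop it from the inherit. Worth a second look while this block moves into `config`: the middleware is still defined as `ipwhitelist`, which Traefik v3 documents as deprecated in favour of `ipAllowList`, so if the nixpkgs Traefik behind this module is v3 the dynamic config should use `ipAllowList` so the dashboard restriction does not stop loading on a later upgrade; the Traefik version is not visible in this diff. The new-side comment `# You can find and example proxy` also has a typo, `an example`.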