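{ config, lib, pkgs, ... }:
# NixOS module: Traefik reverse proxy in front of Docker containers and a
# local service. Certificates come from an ACME HTTP-01 resolver; the Traefik
# dashboard is reachable only from the WireGuard subnet.
let
  # Every file Traefik writes (logs, ACME store) is kept under the dataDir
  # that the NixOS traefik module manages for the service user.
  traefikDataDir = config.services.traefik.dataDir;
in
{
  # Enable Traefik
  services.traefik.enable = true;

  # Let Traefik interact with Docker.
  # NOTE(review): membership in the docker group gives Traefik access to the
  # Docker socket, which is effectively root-equivalent on the host. Keep the
  # provider's exposedByDefault = false (below) so only containers that carry
  # traefik.enable=true are ever routed.
  services.traefik.group = "docker";
  virtualisation.docker.enable = true;
  virtualisation.oci-containers = {
    backend = "docker";
  };

  # Traefik static configuration options
  services.traefik.staticConfigOptions = {
    # The dashboard is served only via the IP-restricted "dashboard" router
    # defined further down, never on the unauthenticated insecure listener.
    api.dashboard = true;
    api.insecure = false;

    # Enable logs. Both log files live under dataDir rather than
    # /var/log/traefik: /var/log/traefik is not created anywhere in this
    # module (the earlier /var/log/traefik/traefik.log path for the main log
    # had already been replaced by dataDir, presumably for that reason), and
    # the access log previously still pointed there. Keeping the two paths
    # consistent avoids a silently failing access log.
    # NOTE(review): confirm dataDir is the directory the hardened traefik unit
    # can write to on this system.
    log = {
      level = "INFO";
      filePath = "${traefikDataDir}/traefik.log";
      format = "json";
    };
    # accessLog has its own format setting; "format" above applies only to
    # the main log.
    accessLog.filePath = "${traefikDataDir}/accessLog.log";

    # Enable Docker provider
    providers.docker = {
      endpoint = "unix:///run/docker.sock";
      watch = true;
      # Least privilege: a container must opt in with traefik.enable=true.
      exposedByDefault = false;
    };

    # Configure entrypoints, i.e the ports
    entryPoints = {
      # Plain HTTP exists only to redirect to HTTPS and to answer the ACME
      # HTTP-01 challenge (httpChallenge.entryPoint = "web" below).
      web = {
        address = ":80";
        http.redirections.entryPoint = {
          to = "websecure";
          scheme = "https";
        };
      };
      websecure = {
        address = ":443";
        asDefault = true;
        http.tls.certResolver = "acme-challenge";
      };
    };

    # Configure certification
    certificatesResolvers.acme-challenge.acme = {
      email = "contact@distrilab.fr";
      # acme.json holds the ACME account key and the issued private keys; it
      # must remain readable only by the traefik user.
      storage = "${traefikDataDir}/acme.json";
      httpChallenge.entryPoint = "web";
    };
  };

  # Whitelist middleware to limit access to the wireguard network.
  # NOTE(review): "ipwhitelist" is the Traefik v2 name of this middleware;
  # Traefik v3 renamed it to ipAllowList and marks the old name deprecated.
  # Confirm which name the packaged Traefik version accepts.
  services.traefik.dynamicConfigOptions.http.middlewares.wg-whitelist.ipwhitelist = {
    sourceRange = [ "192.168.12.0/24" ];
  };

  # Dashboard
  services.traefik.dynamicConfigOptions.http.routers.dashboard = {
    # mkDefault lets another module override the dashboard hostname.
    rule = lib.mkDefault "Host(`traefik.lab12.fr`)";
    service = "api@internal";
    # restrict access to the dashboard
    middlewares = [ "wg-whitelist" ];
    entryPoints = [ "websecure" ];
  };

  # Example proxy for a local service listening on port 8012
  services.traefik.dynamicConfigOptions.http.services."example.lab12.fr" = {
    loadBalancer.servers = [ { url = "http://127.0.0.1:8012"; } ];
  };

  # Example docker service with traefik proxy enabled through labels.
  # NOTE(review): the image reference carries no tag or digest, so each pull
  # may resolve to a different image; pin it before relying on this container.
  # The whoami router attaches no middleware, so unlike the dashboard it is
  # reachable from any source address — acceptable for an example only.
  virtualisation.oci-containers.containers.whoami = {
    autoStart = true;
    image = "jwilder/whoami";
    extraOptions = [
      "--label=traefik.enable=true"
      "--label=traefik.http.routers.whoami.entrypoints=websecure"
      "--label=traefik.http.routers.whoami.rule=Host(`whoami.lab12.fr`)"
      "--label=traefik.http.routers.whoami.tls=true"
      "--label=traefik.http.services.whoami.loadbalancer.server.port=8000"
      "--label=traefik.http.routers.whoami.tls.certresolver=acme-challenge"
    ];
  };
}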