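{ config, lib, pkgs, ... }:
# NixOS module: Traefik reverse proxy in front of Docker containers, with the
# dashboard published over TLS and restricted to the WireGuard subnet.
#
# Fixes vs. the previous version: the unused `localCertificationDirectory`
# binding (which pointed at a `config.security.localCertification.directory`
# path nothing else here uses) is dropped, and `mkDefault` is used via the
# `inherit` instead of being inherited and then called as `lib.mkDefault`.
let
  inherit (lib) mkOption mkDefault;
  # Traefik's state directory; log files and the ACME store live under it.
  dataDir = config.services.traefik.dataDir;
in
{
  options = {
    nixin.traefik = {
      # Host name the dashboard router matches on (see the Host() rule below).
      dashboard-domain = mkOption {
        type = lib.types.str;
        description = "Host name at which the Traefik dashboard is served.";
      };
    };
  };

  config = {
    # Enable Traefik
    services.traefik.enable = true;

    # Let Traefik interact with Docker.
    # NOTE(review): membership of the docker group gives Traefik full control
    # of the Docker daemon, which is root-equivalent on the host. The docker
    # provider below needs the socket, but keep this in mind when hardening.
    services.traefik.group = "docker";
    virtualisation.docker.enable = true;
    virtualisation.oci-containers = {
      backend = "docker";
    };

    # Traefik static configuration options
    services.traefik.staticConfigOptions = {
      api.dashboard = true;
      # Keep the API off the unauthenticated :8080 "traefik" entrypoint; it is
      # only reachable through the "dashboard" router defined below.
      api.insecure = false;

      # Enable logs
      log = {
        level = "INFO";
        filePath = "${dataDir}/traefik.log";
        format = "json";
      };
      accessLog.filePath = "${dataDir}/accessLog.log";

      # Enable Docker provider
      providers.docker = {
        endpoint = "unix:///run/docker.sock";
        watch = true;
        # Containers must opt in with labels; nothing is published by accident.
        exposedByDefault = false;
      };

      # Configure entrypoints, i.e the ports
      entryPoints = {
        web = {
          address = ":80";
          # Plain HTTP only redirects to HTTPS. The ACME HTTP-01 challenge used
          # by the resolver below is served on this entrypoint ahead of the
          # redirect, so the redirect must not be moved to a middleware.
          http.redirections.entryPoint = {
            to = "websecure";
            scheme = "https";
          };
        };
        websecure = {
          address = ":443";
          asDefault = true;
          http.tls.certResolver = "acme-challenge";
        };
      };

      # Configure certification
      certificatesResolvers.acme-challenge.acme = {
        email = "contact@distrilab.fr";
        storage = "${dataDir}/acme.json";
        httpChallenge.entryPoint = "web";
      };
    };

    # Whitelist middleware to limit access to the wireguard network.
    # NOTE(review): this filters on the client address Traefik itself sees; if
    # another proxy or NAT in front of the host rewrites the source IP, the
    # allow list no longer identifies WireGuard peers -- confirm for this
    # deployment.
    # NOTE(review): Traefik v3 renames ipWhiteList to ipAllowList; check the
    # packaged Traefik version before upgrading.
    services.traefik.dynamicConfigOptions.http.middlewares.wg-whitelist.ipwhitelist = {
      sourceRange = [ "192.168.12.0/24" ];
    };

    # Dashboard
    services.traefik.dynamicConfigOptions.http.routers.dashboard = {
      # mkDefault so a host can override the rule without mkForce.
      rule = mkDefault "Host(`${config.nixin.traefik.dashboard-domain}`)";
      service = "api@internal";
      # restrict access to the dashboard
      middlewares = [ "wg-whitelist" ];
      entryPoints = [ "websecure" ];
    };
  };
}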