nixin-krops/modules/reverse-proxy-traefik.nix


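{ config, lib, pkgs, ... }:
# Traefik as the host's reverse proxy: TLS termination with ACME (HTTP-01),
# HTTP -> HTTPS redirect, routing driven by Docker container labels, and the
# Traefik dashboard exposed only to an allow-listed source network.
let
  inherit (lib) mkOption mkDefault types;
  cfg = config.nixin.traefik;
  dataDir = config.services.traefik.dataDir;
in
{
  options.nixin.traefik = {
    dashboard-domain = mkOption {
      type = types.str;
      description = "Host name on which the Traefik dashboard (api@internal) is served.";
    };
    # The two options below are new but defaulted to the values that were
    # previously hard-coded, so existing consumers of this module are unaffected.
    acme-email = mkOption {
      type = types.str;
      default = "contact@distrilab.fr";
      description = "Contact e-mail registered with the ACME certificate authority.";
    };
    dashboard-allowed-ranges = mkOption {
      type = types.listOf types.str;
      default = [ "192.168.12.0/24" ];
      description = "CIDR ranges allowed to reach the dashboard (intended: the WireGuard network).";
    };
  };

  config = {
    services.traefik.enable = true;

    # Traefik discovers containers through the Docker socket, hence the docker
    # group membership. NOTE(review): write access to the Docker socket is
    # effectively root on the host, so a compromised Traefik process could start
    # privileged containers. If that matters here, consider a read-only socket
    # proxy between Traefik and dockerd instead of direct socket access.
    services.traefik.group = "docker";
    virtualisation.docker.enable = true;
    virtualisation.oci-containers.backend = "docker";

    services.traefik.staticConfigOptions = {
      # Dashboard on, but only reachable through the explicit router declared in
      # dynamicConfigOptions; api.insecure = false keeps it off the unauthenticated
      # insecure API entrypoint.
      api.dashboard = true;
      api.insecure = false;

      log = {
        level = "INFO";
        filePath = "${dataDir}/traefik.log";
        format = "json";
      };
      # Access log goes next to the main log; no rotation is configured here.
      accessLog.filePath = "${dataDir}/accessLog.log";

      providers.docker = {
        endpoint = "unix:///run/docker.sock";
        watch = true;
        # Containers must opt in via labels; nothing is published by accident.
        exposedByDefault = false;
      };

      entryPoints = {
        # :80 serves ACME HTTP-01 challenges and redirects everything else to HTTPS.
        web = {
          address = ":80";
          http.redirections.entryPoint = {
            to = "websecure";
            scheme = "https";
          };
        };
        websecure = {
          address = ":443";
          asDefault = true;
          http.tls.certResolver = "acme-challenge";
        };
      };

      certificatesResolvers.acme-challenge.acme = {
        email = cfg.acme-email;
        # acme.json holds the ACME account key and issued private keys; it must
        # stay readable by the traefik user only.
        storage = "${dataDir}/acme.json";
        httpChallenge.entryPoint = "web";
      };
    };

    # Source-address allow-list for the dashboard. No ipStrategy is set, so the
    # check should apply to the TCP peer address rather than X-Forwarded-For;
    # if forwardedHeaders.trustedIPs is ever enabled on the entrypoint, revisit
    # this, as forwarded headers then become part of the trust decision. Also
    # note that a private range admits any client on that subnet, not only
    # WireGuard peers. `ipwhitelist` is the pre-v3 spelling; Traefik v3 renames
    # it to `ipAllowList` (deprecation warning) -- kept as-is because the
    # deployed Traefik version is not pinned by this module.
    services.traefik.dynamicConfigOptions.http.middlewares.wg-whitelist.ipwhitelist = {
      sourceRange = cfg.dashboard-allowed-ranges;
    };

    # Dashboard router: TLS only, behind the allow-list middleware. The rule is
    # mkDefault so a host can override it without mkForce.
    services.traefik.dynamicConfigOptions.http.routers.dashboard = {
      rule = mkDefault "Host(`${cfg.dashboard-domain}`)";
      service = "api@internal";
      middlewares = [ "wg-whitelist" ];
      entryPoints = [ "websecure" ];
    };
  };
}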