dotfiles.nix/nixos/viridian/services/traefik/middlewares.nix

{ config, ... }:

{
  # Crowdsec Local API key for the bouncer.
  age.secrets.traefik-bouncer-key = {
    rekeyFile = ../crowdsec/traefik-bouncer-key.age;
    owner = "traefik";
    group = "traefik";
  };

  # Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
  services.traefik.dynamicConfigOptions.http.middlewares = {
    # Restrict access to admin devices only
    admin.ipwhitelist.sourcerange = [
      "127.0.0.1/32"    # localhost
      "192.168.1.101"   # fuchsia
      "10.100.0.2"      # Pixel 6 Pro
    ];

    # Restrict access to internal networks
    internal.ipwhitelist.sourcerange = [
      "127.0.0.1/32"    # localhost
      "192.168.1.1/24"  # lan
      "10.100.0.0/24"   # wireguard clients
    ];

    # Restrict access based on geo-location
    geoblock.plugin.geoblock = {
      silentStartUp = "false";
      allowLocalRequests = "true";
      # If set to true will show a log message
      logLocalRequests = "false";
      logAllowedRequests = "false";
      logApiRequests = "false";
      # Application programming interface
      api = "https://get.geojs.io/v1/ip/country/{ip}";
      apiTimeoutMs = "750";
      # Max size of least recently used cache
      cacheSize = "25";
      # List of countries to block access
      countries = [
        "RU" # Russian Federation (the)
      ];
      # Inverts filter logic
      blackListMode = "true";
      # Unknown Countries (IPs with no country association)
      allowUnknownCountries = "false";
      unknownCountryApiResponse = "nil";
      # Adds the X-IPCountry header to the HTTP request header.
      addCountryHeader = "false";
      # Even if an IP stays in the cache for a period of a month, it must be fetch again after a month.
      forceMonthlyUpdate = "true";
    };

    # Disable Crowdsec IP checking but apply Crowdsec Appsec checking. This mode is intended to be used when Crowdsec IP checking is applied at the Firewall Level.
    crowdsec.plugin.bouncer = {
      enabled = "true";
      crowdsecMode = "appsec";
      crowdsecLapiKeyFile = config.age.secrets.traefik-bouncer-key.path; 
      crowdsecLapiScheme = "http";
      crowdsecLapiHost = "127.0.0.1:8080";
      crowdsecAppsecEnabled = "true";
      crowdsecAppsecHost = "127.0.0.1:7422";
    };
  };
}
Setup crowdsec with ssh/firewall/traefik 2024-06-20 22:16:50 +08:00			`{ config, ... }:`
update traefik 2023-11-18 16:59:16 +08:00
			`{`
Setup crowdsec with ssh/firewall/traefik 2024-06-20 22:16:50 +08:00			`# Crowdsec Local API key for the bouncer.`
			`age.secrets.traefik-bouncer-key = {`
			`rekeyFile = ../crowdsec/traefik-bouncer-key.age;`
			`owner = "traefik";`
			`group = "traefik";`
			`};`

update traefik 2023-11-18 16:59:16 +08:00			`# Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service`
			`services.traefik.dynamicConfigOptions.http.middlewares = {`
update whitelists 2023-11-20 06:41:07 +08:00			`# Restrict access to admin devices only`
			`admin.ipwhitelist.sourcerange = [`
			`"127.0.0.1/32" # localhost`
			`"192.168.1.101" # fuchsia`
			`"10.100.0.2" # Pixel 6 Pro`
			`];`
Setup crowdsec with ssh/firewall/traefik 2024-06-20 22:16:50 +08:00
update traefik 2023-11-18 16:59:16 +08:00			`# Restrict access to internal networks`
			`internal.ipwhitelist.sourcerange = [`
			`"127.0.0.1/32" # localhost`
			`"192.168.1.1/24" # lan`
update whitelists 2023-11-20 06:41:07 +08:00			`"10.100.0.0/24" # wireguard clients`
update traefik 2023-11-18 16:59:16 +08:00			`];`
Setup crowdsec with ssh/firewall/traefik 2024-06-20 22:16:50 +08:00
update traefik 2023-11-18 16:59:16 +08:00			`# Restrict access based on geo-location`
			`geoblock.plugin.geoblock = {`
update allowed countries 2024-03-03 09:58:47 +08:00			`silentStartUp = "false";`
update traefik 2023-11-18 16:59:16 +08:00			`allowLocalRequests = "true";`
			`# If set to true will show a log message`
			`logLocalRequests = "false";`
			`logAllowedRequests = "false";`
			`logApiRequests = "false";`
			`# Application programming interface`
			`api = "https://get.geojs.io/v1/ip/country/{ip}";`
increase timeout 2023-11-20 12:06:37 +08:00			`apiTimeoutMs = "750";`
update traefik 2023-11-18 16:59:16 +08:00			`# Max size of least recently used cache`
			`cacheSize = "25";`
blacklist russia 2024-04-01 10:03:27 +08:00			`# List of countries to block access`
update traefik 2023-11-18 16:59:16 +08:00			`countries = [`
blacklist russia 2024-04-01 10:03:27 +08:00			`"RU" # Russian Federation (the)`
update traefik 2023-11-18 16:59:16 +08:00			`];`
			`# Inverts filter logic`
blacklist russia 2024-04-01 10:03:27 +08:00			`blackListMode = "true";`
update traefik 2023-11-18 16:59:16 +08:00			`# Unknown Countries (IPs with no country association)`
			`allowUnknownCountries = "false";`
			`unknownCountryApiResponse = "nil";`
			`# Adds the X-IPCountry header to the HTTP request header.`
			`addCountryHeader = "false";`
			`# Even if an IP stays in the cache for a period of a month, it must be fetch again after a month.`
			`forceMonthlyUpdate = "true";`
			`};`
Setup crowdsec with ssh/firewall/traefik 2024-06-20 22:16:50 +08:00
			`# Disable Crowdsec IP checking but apply Crowdsec Appsec checking. This mode is intended to be used when Crowdsec IP checking is applied at the Firewall Level.`
			`crowdsec.plugin.bouncer = {`
			`enabled = "true";`
			`crowdsecMode = "appsec";`
			`crowdsecLapiKeyFile = config.age.secrets.traefik-bouncer-key.path;`
			`crowdsecLapiScheme = "http";`
			`crowdsecLapiHost = "127.0.0.1:8080";`
			`crowdsecAppsecEnabled = "true";`
			`crowdsecAppsecHost = "127.0.0.1:7422";`
			`};`
update traefik 2023-11-18 16:59:16 +08:00			`};`
			`}`