dotfiles.nix/nixos/viridian/services/traefik/default.nix

{
  inputs,
  config,
  pkgs,
  ...
}: let
  # Everything traefik touches (secrets, state, logs, plugins) is owned by
  # this service account.
  svcUser = "traefik";
  stateDir = "/var/lib/traefik";
  logDir = "/var/log/traefik";

  # Persistence entry for a directory the traefik user must own across reboots.
  ownedDir = directory: {
    inherit directory;
    user = svcUser;
    group = svcUser;
  };
in {
  # Swap the stable traefik module for the unstable one so that module and
  # package (pkgs.unstable.traefik below) are taken from the same channel.
  disabledModules = ["services/web-servers/traefik.nix"];
  imports = [
    "${inputs.nixpkgs-unstable}/nixos/modules/services/web-servers/traefik.nix"
    ./middlewares.nix
  ];

  # Environment variables for the porkbun dns challenge (API credentials),
  # decrypted at activation for the service account.
  age.secrets.traefik = {
    rekeyFile = ./environment.age;
    owner = svcUser;
    group = svcUser;
  };

  # Run as the service account and let systemd manage the log directory.
  # LogsDirectoryMode is 0755 so crowdsec can read the access log.
  # NOTE(review): 0755 also makes access.log (client IPs, User-Agent strings)
  # readable by every local user; 0750 with crowdsec added to the traefik
  # group would be tighter, if that fits the crowdsec setup -- confirm.
  systemd.services.traefik.serviceConfig = {
    User = svcUser;
    Group = svcUser;
    LogsDirectory = "traefik";
    LogsDirectoryMode = "0755";
  };

  # Reverse proxy and load balancer for HTTP and TCP-based applications
  services.traefik = {
    enable = true;
    package = pkgs.unstable.traefik;
    dataDir = stateDir;
    environmentFiles = [config.age.secrets.traefik.path];

    # The startup (static) configuration
    staticConfigOptions = {
      api = {
        # Never expose the API on an unauthenticated entrypoint; it is only
        # reachable through routers that target api@internal.
        insecure = false;
        dashboard = true;
      };

      # Everything that happens to Traefik itself
      log = {
        filePath = "${logDir}/traefik.log";
        level = "ERROR";
      };

      # Who calls whom? Written as json so crowdsec can parse it.
      accessLog = {
        filePath = "${logDir}/access.log";
        format = "json";
        # log both successful and failed http requests
        filters.statusCodes = ["200-299" "400-599"];
        # no in-memory buffering before lines reach the log file
        bufferingSize = "0";
        # drop every request header except the user agent
        fields.headers = {
          defaultMode = "drop";
          names.User-Agent = "keep";
        };
      };

      # Plugins fetched by traefik at startup (persisted under /plugins-storage below)
      experimental.plugins = {
        # Block or allow requests based on their country of origin.
        geoblock = {
          moduleName = "github.com/PascalMinder/geoblock";
          version = "v0.2.7";
        };
        # Authorize or block requests from IPs based on their reputation and behaviour.
        bouncer = {
          moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
          version = "v1.3.5";
        };
      };

      # Network entry points into Traefik
      entryPoints = {
        # Plain http exists only to bounce clients to https
        web = {
          address = ":80";
          http.redirections.entryPoint = {
            to = "websecure";
            scheme = "https";
          };
        };

        # https; every router on this entrypoint passes through the geoblock
        # and crowdsec middlewares (presumably declared in ./middlewares.nix)
        websecure = {
          address = ":443";
          http.middlewares = ["geoblock@file" "crowdsec@file"];
          # Wildcard certificates for every domain we serve
          http.tls = {
            certResolver = "lets-encrypt";
            domains = [
              # DevOps
              {
                main = "sajenim.dev";
                sans = ["*.sajenim.dev"];
              }
              # Keyboards
              {
                main = "sajkbd.io";
                sans = ["*.sajkbd.io"];
              }
            ];
          };
        };
      };

      # Retrieve certificates from an ACME server (lets-encrypt production)
      certificatesResolvers.lets-encrypt.acme = {
        # Email address used for registration
        email = "its.jassy@pm.me";
        # acme.json holds the ACME account key and the issued private keys
        storage = "${stateDir}/acme.json";
        caServer = "https://acme-v02.api.letsencrypt.org/directory";
        # DNS-01 challenge via porkbun: no port has to be reachable from the
        # CA and wildcard names can be issued; credentials come from the age
        # secret above.
        dnsChallenge = {
          provider = "porkbun";
          resolvers = ["1.1.1.1:53" "8.8.8.8:53"];
        };
      };

      # Disables certificate verification between traefik and every backend.
      # NOTE(review): this is global -- it also covers backends that present a
      # valid certificate. A dedicated dynamic http.serversTransports entry
      # with insecureSkipVerify scoped to the self-signed services (or their
      # CA in rootCAs) would keep verification for the rest.
      serversTransport.insecureSkipVerify = true;
    };

    # Dashboard, served from the internal api service.
    # NOTE(review): no authentication middleware is attached to this router;
    # apart from the entrypoint-level geoblock/crowdsec filters, anyone who
    # reaches :443 with this Host header gets the dashboard. Confirm access is
    # limited elsewhere or attach an auth middleware here.
    dynamicConfigOptions.http.routers.traefik-dashboard = {
      rule = "Host(`traefik.home.arpa`)";
      entryPoints = ["websecure"];
      service = "api@internal";
    };
  };

  # Persist traefik state, logs and downloaded plugins across reboots
  environment.persistence."/persist" = {
    directories = map ownedDir [
      stateDir
      logDir
      "/plugins-storage"
    ];
    hideMounts = true;
  };
}