dotfiles.nix/nixos/viridian/services/traefik/middlewares.nix

{ ... }:

{
  # Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
  services.traefik.dynamicConfigOptions.http.middlewares = {
    # Restrict access to admin devices only
    admin.ipwhitelist.sourcerange = [
      "127.0.0.1/32"    # localhost
      "192.168.1.101"   # fuchsia
      "10.100.0.2"      # Pixel 6 Pro
    ];
    # Restrict access to internal networks
    internal.ipwhitelist.sourcerange = [
      "127.0.0.1/32"    # localhost
      "192.168.1.1/24"  # lan
      "10.100.0.0/24"   # wireguard clients
    ];
    # Restrict access based on geo-location
    geoblock.plugin.geoblock = {
      silentStartUp = "true";
      allowLocalRequests = "true";
      # If set to true will show a log message
      logLocalRequests = "false";
      logAllowedRequests = "false";
      logApiRequests = "false";
      # Application programming interface
      api = "https://get.geojs.io/v1/ip/country/{ip}";
      apiTimeoutMs = "750";
      # Max size of least recently used cache
      cacheSize = "25";
      # List of countries to allow access
      countries = [
        "AU" # Australia
      ];
      # Inverts filter logic
      blackListMode = "false";
      # Unknown Countries (IPs with no country association)
      allowUnknownCountries = "false";
      unknownCountryApiResponse = "nil";
      # Adds the X-IPCountry header to the HTTP request header.
      addCountryHeader = "false";
      # Even if an IP stays in the cache for a period of a month, it must be fetch again after a month.
      forceMonthlyUpdate = "true";
    };
    # Secure headers for nextcloud
    nextcloud-secure-headers = {
      headers = {
        hostsProxyHeaders = [ "X-Forwarded-Host" ];
        referrerPolicy = "same-origin";
      };
    };
    # Redirect HTTPS
    https-redirect = {
      redirectscheme.scheme = "https";
    };
    # Nextcloud chain
    nextcloud-chain = {
      chain.middlewares = [
        "https-redirect"
        "nextcloud-secure-headers"
      ];
    };
  };
}
update traefik 2023-11-18 16:59:16 +08:00			`{ ... }:`

			`{`
			`# Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service`
			`services.traefik.dynamicConfigOptions.http.middlewares = {`
update whitelists 2023-11-20 06:41:07 +08:00			`# Restrict access to admin devices only`
			`admin.ipwhitelist.sourcerange = [`
			`"127.0.0.1/32" # localhost`
			`"192.168.1.101" # fuchsia`
			`"10.100.0.2" # Pixel 6 Pro`
			`];`
update traefik 2023-11-18 16:59:16 +08:00			`# Restrict access to internal networks`
			`internal.ipwhitelist.sourcerange = [`
			`"127.0.0.1/32" # localhost`
			`"192.168.1.1/24" # lan`
update whitelists 2023-11-20 06:41:07 +08:00			`"10.100.0.0/24" # wireguard clients`
update traefik 2023-11-18 16:59:16 +08:00			`];`
			`# Restrict access based on geo-location`
			`geoblock.plugin.geoblock = {`
			`silentStartUp = "true";`
			`allowLocalRequests = "true";`
			`# If set to true will show a log message`
			`logLocalRequests = "false";`
			`logAllowedRequests = "false";`
			`logApiRequests = "false";`
			`# Application programming interface`
			`api = "https://get.geojs.io/v1/ip/country/{ip}";`
increase timeout 2023-11-20 12:06:37 +08:00			`apiTimeoutMs = "750";`
update traefik 2023-11-18 16:59:16 +08:00			`# Max size of least recently used cache`
			`cacheSize = "25";`
			`# List of countries to allow access`
			`countries = [`
			`"AU" # Australia`
			`];`
			`# Inverts filter logic`
			`blackListMode = "false";`
			`# Unknown Countries (IPs with no country association)`
			`allowUnknownCountries = "false";`
			`unknownCountryApiResponse = "nil";`
			`# Adds the X-IPCountry header to the HTTP request header.`
			`addCountryHeader = "false";`
			`# Even if an IP stays in the cache for a period of a month, it must be fetch again after a month.`
			`forceMonthlyUpdate = "true";`
			`};`
fix middlewares name, remove httpd, add nextcloud 2023-12-19 09:21:05 +08:00			`# Secure headers for nextcloud`
			`nextcloud-secure-headers = {`
			`headers = {`
			`hostsProxyHeaders = [ "X-Forwarded-Host" ];`
			`referrerPolicy = "same-origin";`
			`};`
			`};`
			`# Redirect HTTPS`
			`https-redirect = {`
			`redirectscheme.scheme = "https";`
			`};`
			`# Nextcloud chain`
			`nextcloud-chain = {`
			`chain.middlewares = [`
			`"https-redirect"`
			`"nextcloud-secure-headers"`
			`];`
			`};`
update traefik 2023-11-18 16:59:16 +08:00			`};`
			`}`