jasmine/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

fix crowdsec/traefik

Browse source
This commit is contained in:
♥ Minnie ♥ 2024-11-23 20:18:08 +08:00
parent d496f1259d
commit 3df22f9eb0
Signed by: jasmine
GPG key ID: 8563E358D4E8040E
9 changed files with 77 additions and 72 deletions
Download patch file Download diff file Expand all files Collapse all files

54
nixos/viridian/services/traefik/default.nix
View file

@ -22,7 +22,7 @@
User = "traefik";
Group = "traefik";
LogsDirectory = "traefik";
LogsDirectoryMode = "0750";
LogsDirectoryMode = "0755";
};
# Reverse proxy and load balancer for HTTP and TCP-based applications
@ -50,6 +50,16 @@
accessLog = {
filePath = "/var/log/traefik/access.log";
format = "json";
filters.statusCodes = [
"200-299" # log successful http requests
"400-599" # log failed http requests
];
# collect logs in-memory buffer before writing into log file
bufferingSize = "0";
fields.headers = {
defaultMode = "drop"; # drop all headers per default
names.User-Agent = "keep"; # log user agent strings
};
};
# Install plugins
@ -63,7 +73,7 @@
# Authorize or block requests from IPs based on there reputation and behaviour.
bouncer = {
moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
version = "v1.3.2";
version = "v1.3.5";
};
};
@ -99,21 +109,6 @@
];
};
};
# Used to expose metrics
metrics = {
address = ":8082";
};
};
# Provide metrics for the prometheus backend
metrics = {
prometheus = {
entryPoint = "metrics";
buckets = ["0.1" "0.3" "1.2" "5.0"];
addEntryPointsLabels = true;
addRoutersLabels = true;
addServicesLabels = true;
};
};
# Retrieve certificates from an ACME server
@ -141,19 +136,20 @@
insecureSkipVerify = true;
};
};
};
# Scrape our traefik metrics
services.prometheus.scrapeConfigs = [
{
job_name = "traefik";
static_configs = [
{
targets = ["127.0.0.1:8082"];
}
];
}
];
dynamicConfigOptions.http.routers = {
traefik-dashboard = {
rule = "Host(`traefik.home.arpa`)";
entryPoints = [
"websecure"
];
middlewares = [
"internal"
];
service = "api@internal";
};
};
};
# Persist our traefik data & logs
environment.persistence."/persist" = {

38
nixos/viridian/services/traefik/middlewares.nix
View file

@ -1,11 +1,4 @@
{config, ...}: {
# Crowdsec Local API key for the bouncer.
age.secrets.traefik-bouncer-key = {
rekeyFile = ../crowdsec/traefik-bouncer-key.age;
owner = "traefik";
group = "traefik";
};
{...}: {
# Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
services.traefik.dynamicConfigOptions.http.middlewares = {
# Restrict access to internal networks
@ -42,16 +35,31 @@
forceMonthlyUpdate = "true";
};
# Disable Crowdsec IP checking but apply Crowdsec Appsec checking.
# This mode is intended to be used when Crowdsec IP checking is applied at the Firewall Level.
# Intrusion Prevention System
crowdsec.plugin.bouncer = {
enabled = "true";
crowdsecMode = "appsec";
crowdsecLapiKeyFile = config.age.secrets.traefik-bouncer-key.path;
crowdsecLapiScheme = "http";
crowdsecLapiHost = "127.0.0.1:8080";
defaultDecisionSeconds = "60";
crowdsecMode = "live";
crowdsecAppsecEnabled = "true";
crowdsecAppsecHost = "127.0.0.1:7422";
crowdsecAppsecHost = "localhost:7422";
crowdsecAppsecFailureBlock = "true";
crowdsecAppsecUnreachableBlock = "true";
crowdsecLapiKey = "18c725d5-3a22-4331-a8e8-abfd3018a7c0";
crowdsecLapiHost = "localhost:8080";
crowdsecLapiScheme = "http";
crowdsecLapiTLSInsecureVerify = "false";
forwardedHeadersTrustedIPs = [
# private class ranges
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
];
clientTrustedIPs = [
# private class ranges
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
];
};
};
}