jasmine/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

fix crowdsec/traefik

Browse source
This commit is contained in:
♥ Minnie ♥ 2024-11-23 20:18:08 +08:00
parent d496f1259d
commit 3df22f9eb0
Signed by: jasmine
GPG key ID: 8563E358D4E8040E
9 changed files with 77 additions and 72 deletions
Download patch file Download diff file Expand all files Collapse all files

38
nixos/viridian/services/traefik/middlewares.nix
View file

@ -1,11 +1,4 @@
{config, ...}: {
# Crowdsec Local API key for the bouncer.
age.secrets.traefik-bouncer-key = {
rekeyFile = ../crowdsec/traefik-bouncer-key.age;
owner = "traefik";
group = "traefik";
};
{...}: {
# Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
services.traefik.dynamicConfigOptions.http.middlewares = {
# Restrict access to internal networks
@ -42,16 +35,31 @@
forceMonthlyUpdate = "true";
};
# Disable Crowdsec IP checking but apply Crowdsec Appsec checking.
# This mode is intended to be used when Crowdsec IP checking is applied at the Firewall Level.
# Intrusion Prevention System
crowdsec.plugin.bouncer = {
enabled = "true";
crowdsecMode = "appsec";
crowdsecLapiKeyFile = config.age.secrets.traefik-bouncer-key.path;
crowdsecLapiScheme = "http";
crowdsecLapiHost = "127.0.0.1:8080";
defaultDecisionSeconds = "60";
crowdsecMode = "live";
crowdsecAppsecEnabled = "true";
crowdsecAppsecHost = "127.0.0.1:7422";
crowdsecAppsecHost = "localhost:7422";
crowdsecAppsecFailureBlock = "true";
crowdsecAppsecUnreachableBlock = "true";
crowdsecLapiKey = "18c725d5-3a22-4331-a8e8-abfd3018a7c0";
crowdsecLapiHost = "localhost:8080";
crowdsecLapiScheme = "http";
crowdsecLapiTLSInsecureVerify = "false";
forwardedHeadersTrustedIPs = [
# private class ranges
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
];
clientTrustedIPs = [
# private class ranges
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
];
};
};
}