m3tam3re/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
nixos-config/hosts/m3-helios/services/traefik.nix
m3tam3re ccca2ab4ff +difftastic
2024-11-21 12:50:31 +01:00

153 lines
4.2 KiB
Nix
Raw Permalink Blame History

{config, ...}: {
services.traefik = {
enable = true;
staticConfigOptions = {
log = {level = "WARN";};
certificatesResolvers = {
godaddy = {
acme = {
email = "letsencrypt.org.btlc2@passmail.net";
storage = "/var/lib/traefik/acme.json";
caserver = "https://acme-v02.api.letsencrypt.org/directory";
dnsChallenge = {
provider = "godaddy";
};
};
};
};
api = {};
entryPoints = {
web = {
address = ":80";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {address = ":443";};
};
};
dynamicConfigOptions = {
http = {
middlewares = {
auth = {
basicAuth = {
users = ["m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh."];
};
};
default-headers = {
headers = {
frameDeny = "true";
browserXssFilter = "true";
contentTypeNosniff = "true";
forceSTSHeader = "true";
stsIncludeSubdomains = true;
stsPreload = true;
stsSeconds = 15552000;
customFrameOptionsValue = "SAMEORIGIN";
customResponseHeaders = {
X-Forwarded-Proto = "https";
};
};
};
default-whitelist = {
ipAllowList = {
sourceRange = ["10.0.0.0/8" "192.168.178.0/16"];
};
};
secured = {
chain = {
middlewares = ["default-headers" "default-whitelist"];
};
};
};
services = {
m3-prox-1.loadBalancer = {
servers = [
{url = "https://192.168.178.200:8006";}
];
passHostHeader = true;
serversTransport = "pve";
};
ag.loadBalancer.servers = [
{url = "http://192.168.178.210:3000";}
];
homarr.loadBalancer.servers = [
{url = "http://192.168.178.210:7575";}
];
plex.loadBalancer.servers = [
{url = "http://192.168.178.175:32400";}
];
skynet.loadBalancer.servers = [
{url = "http://192.168.178.175:5000";}
];
};
# Skip verification for PVE servers
serversTransports = {
pve = {insecureSkipVerify = true;};
};
routers = {
api = {
rule = "Host(`traefik.l.m3tam3re.com`)";
service = "api@internal";
middlewares = ["auth"];
entrypoints = ["websecure"];
tls = {
certResolver = "godaddy";
};
};
m3-prox-1 = {
rule = "Host(`m3-prox-1.l.m3tam3re.com`)";
service = "m3-prox-1";
middlewares = ["default-headers"];
entrypoints = ["websecure"];
tls = {
certResolver = "godaddy";
};
};
ag = {
rule = "Host(`ag.l.m3tam3re.com`)";
service = "ag";
entrypoints = ["websecure"];
tls = {
certResolver = "godaddy";
};
};
homarr = {
rule = "Host(`dash.l.m3tam3re.com`)";
service = "homarr";
entrypoints = ["websecure"];
tls = {
certResolver = "godaddy";
};
};
plex = {
rule = "Host(`plex.l.m3tam3re.com`)";
service = "plex";
entrypoints = ["websecure"];
tls = {
certResolver = "godaddy";
};
};
skynet = {
rule = "Host(`skynet.l.m3tam3re.com`)";
service = "homarr";
entrypoints = ["websecure"];
tls = {
certResolver = "godaddy";
};
};
};
};
};
};
systemd.services.traefik.serviceConfig = {
EnvironmentFile = ["${config.age.secrets.traefik.path}"];
};
networking.firewall.allowedTCPPorts = [80 443];
}
Reference in New Issue View Git Blame Copy Permalink