diff --git a/hosts/m3-helios/services/traefik.nix b/hosts/m3-helios/services/traefik.nix
index edda2d6..ed0cbe6 100644
--- a/hosts/m3-helios/services/traefik.nix
+++ b/hosts/m3-helios/services/traefik.nix
@@ -35,11 +35,50 @@
 users = ["m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh."];
 };
 };
+ default-headers = {
+ headers = {
+ frameDeny = "true";
+ browserXssFilter = "true";
+ contentTypeNosniff = "true";
+ forceSTSHeader = "true";
+ stsIncludeSubdomains = true;
+ stsPreload = true;
+ stsSeconds = 15552000;
+ customFrameOptionsValue = "SAMEORIGIN";
+ customResponseHeaders = {
+ X-Forwarded-Proto = "https";
+ };
+ };
+ };
+ default-whitelist = {
+ ipAllowList = {
+ sourceRange = ["10.0.0.0/8" "192.168.178.0/16"];
+ };
+ };
+ secured = {
+ chain = {
+ middlewares = ["default-headers" "default-whitelist"];
+ };
+ };
 };
+
 services = {
- m3-prox-1.loadBalancer.servers = [{url = "http://192.168.178.200:8006";}];
- ag.loadBalancer.servers = [{url = "http://192.168.178.210:3000";}];
+ m3-prox-1.loadBalancer = {
+ servers = [
+ {url = "https://192.168.178.200:8006";}
+ ];
+ passHostHeader = true;
+ serversTransport = "pve";
+ };
+ ag.loadBalancer.servers = [
+ {url = "http://192.168.178.210:3000";}
+ ];
 };
+ # Skip verification for PVE servers
+ serversTransports = {
+ pve = {insecureSkipVerify = true;};
+ };
+
 routers = {
 api = {
 rule = "Host(`traefik.l.m3tam3re.com`)";
@@ -53,6 +92,7 @@
 m3-prox-1 = {
 rule = "Host(`m3-prox-1.l.m3tam3re.com`)";
 service = "m3-prox-1";
+ middlewares = ["default-headers"];
 entrypoints = ["websecure"];
 tls = {
 certResolver = "godaddy";
@@ -74,5 +114,6 @@
 systemd.services.traefik.serviceConfig = {
 EnvironmentFile = ["${config.age.secrets.traefik.path}"];
 };
+ networking.firewall.allowedTCPPorts = [80 443];
 }
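Review bot: `sourceRange = ["10.0.0.0/8" "192.168.178.0/16"]` in default-whitelist has host bits set under a /16 mask, so the effective allow-range is 192.168.0.0/16 (every 192.168.x.x address), not the single subnet the prefix suggests; if only the local segment is meant, use `"192.168.178.0/24"`. The `pve` serversTransport sets `insecureSkipVerify = true`, which disables certificate validation for the now-HTTPS upstream at 192.168.178.200:8006; pinning the PVE certificate via the transport's `rootCAs` option keeps that hop authenticated, and if skipping has to stay, the comment above it should say why rather than just what. In default-headers, `customFrameOptionsValue = "SAMEORIGIN"` overrides `frameDeny`, and `customResponseHeaders.X-Forwarded-Proto` puts the header on responses to clients rather than on requests forwarded upstream (that would be customRequestHeaders), so both look like template leftovers worth trimming. The mixed `"true"` strings and bare `true` booleans in the same attribute set are presumably both accepted by Traefik's parser, but one form would read better.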
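Review bot: The m3-prox-1 router attaches only `default-headers`, so the `default-whitelist`/`secured` chain defined in the same commit is never applied and the Proxmox UI stays reachable from any source the websecure entrypoint accepts. If restricting it to the LAN was the intent of the allow-list, this line should be `middlewares = ["secured"];`; if wider exposure is intended, a one-line comment such as `# intentionally not behind default-whitelist` would stop the next reader from "fixing" it. The m3-prox-1 router block continues outside the hunk.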
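Review bot: `networking.firewall.allowedTCPPorts = [80 443];` opens both ports on every interface, which is broader than the LAN-only allow-list added elsewhere in this commit suggests; if Traefik should only be reachable on the internal interface, `networking.firewall.interfaces.<name>.allowedTCPPorts` scopes it to that one. Whether 80 is needed at all depends on an entrypoint listening there, which this diff does not show; if it only serves an HTTP-to-HTTPS redirect that is fine, otherwise it can be dropped.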