m3tam3re/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

traefik config

Browse Source
This commit is contained in:
m3tam3re 2024-11-18 10:29:41 +01:00
parent 1864141a1b
commit 657df4e92b
1 changed files with 43 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
hosts/m3-helios/services/traefik.nix
View File

@ -35,11 +35,50 @@
users = ["m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh."]; users = ["m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh."];
}; };
}; };
default-headers = {
headers = {
frameDeny = "true";
browserXssFilter = "true";
contentTypeNosniff = "true";
forceSTSHeader = "true";
stsIncludeSubdomains = true;
stsPreload = true;
stsSeconds = 15552000;
customFrameOptionsValue = "SAMEORIGIN";
customResponseHeaders = {
X-Forwarded-Proto = "https";
}; };
};
};
default-whitelist = {
ipAllowList = {
sourceRange = ["10.0.0.0/8" "192.168.178.0/16"];
};
};
secured = {
chain = {
middlewares = ["default-headers" "default-whitelist"];
};
};
};
services = { services = {
m3-prox-1.loadBalancer.servers = [{url = "http://192.168.178.200:8006";}]; m3-prox-1.loadBalancer = {
ag.loadBalancer.servers = [{url = "http://192.168.178.210:3000";}]; servers = [
{url = "https://192.168.178.200:8006";}
];
passHostHeader = true;
serversTransport = "pve";
}; };
ag.loadBalancer.servers = [
{url = "http://192.168.178.210:3000";}
];
};
# Skip verification for PVE servers
serversTransports = {
pve = {insecureSkipVerify = true;};
};
routers = { routers = {
api = { api = {
rule = "Host(`traefik.l.m3tam3re.com`)"; rule = "Host(`traefik.l.m3tam3re.com`)";
@ -53,6 +92,7 @@
m3-prox-1 = { m3-prox-1 = {
rule = "Host(`m3-prox-1.l.m3tam3re.com`)"; rule = "Host(`m3-prox-1.l.m3tam3re.com`)";
service = "m3-prox-1"; service = "m3-prox-1";
middlewares = ["default-headers"];
entrypoints = ["websecure"]; entrypoints = ["websecure"];
tls = { tls = {
certResolver = "godaddy"; certResolver = "godaddy";
@ -74,5 +114,6 @@
systemd.services.traefik.serviceConfig = { systemd.services.traefik.serviceConfig = {
EnvironmentFile = ["${config.age.secrets.traefik.path}"]; EnvironmentFile = ["${config.age.secrets.traefik.path}"];
}; };
networking.firewall.allowedTCPPorts = [80 443]; networking.firewall.allowedTCPPorts = [80 443];
} }