m3tam3re/nixos-config
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
7c5b92c37784414a71055ffa745af5802bc82b67
nixos-config/hosts/m3-atlas/services/traefik.nix
T
m3ta-chiron a957fd1372 fix(m3-atlas): remove netbird-only middleware from dashboard router 
Access control is handled at DNS level — dash.m3ta.dev resolves to
Netbird IP (100.81.142.56) which is unreachable from the public internet.
No need for IP whitelist middleware.
2026-05-11 17:15:16 +02:00

117 lines
3.2 KiB
Nix
Raw Blame History

{config, ...}: {
services.traefik = {
enable = true;
staticConfigOptions = {
log = {level = "WARN";};
certificatesResolvers = {
godaddy = {
acme = {
email = "letsencrypt.org.btlc2@passmail.net";
storage = "/var/lib/traefik/acme.json";
caserver = "https://acme-v02.api.letsencrypt.org/directory";
dnsChallenge = {
provider = "godaddy";
resolvers = ["1.1.1.1:53" "8.8.8.8:53"];
propagation = {
delayBeforeChecks = 60;
disableChecks = true;
};
};
};
};
};
api = {};
entryPoints = {
web = {
address = ":80";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
};
};
rtmp = {
address = ":1935";
};
rtmps = {
address = ":1945";
};
websecure = {
address = ":443";
};
};
};
dynamicConfigOptions = {
http = {
services = {
# ── Hermes Dashboard (m3-hermes over Netbird) ────────────────
hermes-dashboard = {
loadBalancer.servers = [
{url = "http://100.81.231.152:9119";}
];
};
dummy = {
loadBalancer.servers = [
{url = "http://192.168.0.1";} # Diese URL wird nie verwendet
];
};
};
middlewares = {
domain-redirect = {
redirectRegex = {
regex = "^https://www\\.m3tam3re\\.com(.*)";
replacement = "https://m3ta.dev$1";
permanent = true;
};
};
strip-www = {
redirectRegex = {
regex = "^https://www\\.(.+)";
replacement = "https://$1";
permanent = true;
};
};
subdomain-redirect = {
redirectRegex = {
regex = "^https://([a-zA-Z0-9-]+)\\.m3tam3re\\.com(.*)";
replacement = "https://$1.m3ta.dev$2";
permanent = true;
};
};
auth = {
basicAuth = {
users = ["m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh."];
};
};
};
routers = {
# ── Hermes Dashboard — Netbird mesh only ─────────────────────
hermes-dashboard = {
rule = "Host(`dash.m3ta.dev`)";
service = "hermes-dashboard";
entrypoints = ["websecure"];
tls = {
certResolver = "godaddy";
};
};
api = {
rule = "Host(`r.m3tam3re.com`)";
service = "api@internal";
middlewares = ["auth"];
entrypoints = ["websecure"];
tls = {
certResolver = "godaddy";
};
};
};
};
};
};
systemd.services.traefik.serviceConfig = {
EnvironmentFile = ["${config.age.secrets.traefik.path}"];
};
networking.firewall.allowedTCPPorts = [80 443];
}
Reference in New Issue View Git Blame Copy Permalink