add auth to traefik and mv it to server1

2025-09-22 22:04:36 +02:00 · 2025-09-22 22:04:36 +02:00 · 0a43a381cc
commit 0a43a381cc
parent d3f7fe76d8
4 changed files with 55 additions and 19 deletions
--- a/modules/nix/containers/nixos/traefik.nix
+++ b/modules/nix/containers/nixos/traefik.nix
@ -18,18 +18,29 @@ in
  };
  
  config = mkIf cfg.enable {
-    age.secrets.traefik-cf-tk = {
-      file = ../../../../secrets/traefik-cf-tk.age;
-      owner = "root";
-      group = "root";
-      mode = "0400";
+    age.secrets = {
+      traefik-cf-tk = {
+        file = ../../../../secrets/traefik-cf-tk.age;
+        owner = "root";
+        group = "root";
+        mode = "0400";
+      };
+      traefik-dashboard-auth = {
+        file = ../../../../secrets/traefik-dashboard-auth.age;
+        mode = "0444";
+      };
    };
-
    
    containers.traefik = {
-      bindMounts."/run/secrets/traefik-cf-tk" = {
-        hostPath = config.age.secrets.traefik-cf-tk.path;
-        isReadOnly = true;
+      bindMounts = {
+        "/run/secrets/traefik-cf-tk" = {
+          hostPath = config.age.secrets.traefik-cf-tk.path;
+          isReadOnly = true;
+        };
+        "/run/secrets/traefik-dashboard-auth" = {
+          hostPath = config.age.secrets.traefik-dashboard-auth.path;
+          isReadOnly = true;
+        };
      };

      autoStart = true;
@ -50,11 +61,16 @@ in
        services.traefik = {
          enable = true;
          staticConfigOptions = {
+            global = {
+              checkNewVersion = false;
+              sendAnonymousUsage = false;
+            };
            log = {
              level = "WARN";
            };
            api = {
              dashboard = true;
+              disabledashboardad = true;
            };
            entryPoints = {
              local = {
@ -89,10 +105,11 @@ in
            http = {
              routers = {
                traefik = {
-                  rule = "Host(`traefik.internal.smayzy.ovh`)";
+                  rule = "Host(`traefik.internal.smayzy.ovh`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))";
                  entryPoints = [ "localSec" ];
                  service = "api@internal";
                  tls.certResolver = "cloudflare";
+                  middlewares = [ "dashboard-auth" ];
                };
                httpd = {
                  rule = "Host(`httpd.internal.smayzy.ovh`)";
@ -215,6 +232,13 @@ in
                  serverName = "srv2-proxmox.internal.smayzy.ovh";
                };
              };
+              middlewares ={
+                dashboard-auth = {
+                  basicAuth = {
+                    usersFile = "/run/secrets/traefik-dashboard-auth";
+                  };
+                };
+              };
            }; # http
          }; # dyna config
        }; # services.traefik
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -47,5 +47,6 @@ in

  "systems.age" = mkKey systems;

-  "traefik-cf-tk.age" = mkKey desktop1;
+  "traefik-cf-tk.age" = mkKey server1;
+  "traefik-dashboard-auth.age" = mkKey server1;
 }
--- a/secrets/traefik-cf-tk.age
+++ b/secrets/traefik-cf-tk.age
@ -1,10 +1,10 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IExwTFA3dyBaZTRB
-UmhMWGEzTXVsbVg1cEI4a2NGOG01bDZINUtNWlhyemFRUUZWYjI4Cjh0b1ladXli
-dmV6d0d6V1hmTk02YU8wVHpMNFNQMW1uVlNYeEx0SE1nUjAKLT4gc3NoLWVkMjU1
-MTkgR3Q0b2R3IFZCUUdKcGY2TTRSSWhqWllkd2RsVmw1M2h4RllZU0ZSM1N6eThG
-UXVleXcKRUp0V0h2djdEMnpVVUlwUThXMENYWFhlM1I0R1FBcVNuWDRUNDFKazho
-bwotLS0gTXJCQ2dDZkJod2Ezc3Y3VThXNGhpVHlkbHZGUlJOU1Q0SDZVTGFnZ1FB
-awpkI4uVSv1v7+/Ad7Up8Uo6v7O8NRmLClI/08IzXPL0RrTvj55SO3Adct1qnknW
-GPsNHiMUgWxAfYMAKjsoz95zxPmzLJrV6Fm5penyyRC8X3ssZgH8HLoBueQ=
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDk3Sk1jZyBPMkFi
+bGxHQkNrME44NlB0QWRHT283d1dPbXA0VWRHV0FveGpNR2IrS2h3CnBZektGaVZt
+WTFVRXg1bG5rTW5Samw1dEVsaVZRL3A1MkNIY0V1MkdYNnMKLT4gc3NoLWVkMjU1
+MTkgR3Q0b2R3IHB1eWNOdGIrajBnOUIvSS96NUFCdE5LZjE2b1NwYXZwS0VpZGsr
+MTBNRDgKdCtjaGVBTHRJQnFTWmRKR0d4RTNzblpYb1huZlJyOU9TcmVlamZwY2tW
+cwotLS0gdU1sbWlRSnFEVTdoUFpwTUl6bTcyK3pwVTBLYVViUW9IZUF6a2RWUmpx
+Ywq7lU5FOEWKU8yaciB+s6IFwcOGJuoNvpPym+K95+pl8Oq3CoBVqq3ZZbNl+nqR
+7LSM7NAAhhwU8vu2e04gKgDLHzeGQv4xS59ldkQ0QS8zlU/UPJAqRi8jV9s=
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/traefik-dashboard-auth.age
+++ b/secrets/traefik-dashboard-auth.age
@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDk3Sk1jZyAyTGp2
+TGVZWldKNS9idFVxenJXME1aeGE1NUxGenc1UjA5OXlGSFNhOW04Ck5HajZLa25r
+OWNhWlREV3JtTVQ5R2dVenI2cW8veGczU1VYakF5QzZzMlEKLT4gc3NoLWVkMjU1
+MTkgR3Q0b2R3IDY4c1dabVZ3aEQrTjk2M2h6TFovNWJMeTBBNXBrV2RzL1NTVkxi
+TVJOUVEKZ1VGMEtqcWhZOUg3SStQSmpoOFRhQmUzRlFBMy80U3FTSFZrV0V6SVpp
+awotLS0gdGNCTmIvRkhPT2YzY3RDYlVNTGRoZFg2S1NJZ2orMTdPYzlKeGtiTXlT
+Ywrs/+S9kNW8OYUOcu2yBblmPYkiObXm4+zFVA9bfxR3pAjstdB/6BOa/3lRqm2l
+T8Y1ZCOHuiZAtlSWB8kKsSL1GCpDnQC/51aeQkQXTnPs77e8LCuxf2xyKeYoy/3j
+eE7mEgEI
+-----END AGE ENCRYPTED FILE-----