From 0a43a381cc80bbf589195cd645cae7e8958c8a00 Mon Sep 17 00:00:00 2001 From: smayzy Date: Mon, 22 Sep 2025 22:04:36 +0200 Subject: [PATCH] add auth to traefik and mv it to server1 --- modules/nix/containers/nixos/traefik.nix | 44 ++++++++++++++++++------ secrets/secrets.nix | 3 +- secrets/traefik-cf-tk.age | 16 ++++----- secrets/traefik-dashboard-auth.age | 11 ++++++ 4 files changed, 55 insertions(+), 19 deletions(-) create mode 100644 secrets/traefik-dashboard-auth.age diff --git a/modules/nix/containers/nixos/traefik.nix b/modules/nix/containers/nixos/traefik.nix index e335ae1..f084b6d 100644 --- a/modules/nix/containers/nixos/traefik.nix +++ b/modules/nix/containers/nixos/traefik.nix @@ -18,18 +18,29 @@ in }; config = mkIf cfg.enable { - age.secrets.traefik-cf-tk = { - file = ../../../../secrets/traefik-cf-tk.age; - owner = "root"; - group = "root"; - mode = "0400"; + age.secrets = { + traefik-cf-tk = { + file = ../../../../secrets/traefik-cf-tk.age; + owner = "root"; + group = "root"; + mode = "0400"; + }; + traefik-dashboard-auth = { + file = ../../../../secrets/traefik-dashboard-auth.age; + mode = "0444"; + }; }; - containers.traefik = { - bindMounts."/run/secrets/traefik-cf-tk" = { - hostPath = config.age.secrets.traefik-cf-tk.path; - isReadOnly = true; + bindMounts = { + "/run/secrets/traefik-cf-tk" = { + hostPath = config.age.secrets.traefik-cf-tk.path; + isReadOnly = true; + }; + "/run/secrets/traefik-dashboard-auth" = { + hostPath = config.age.secrets.traefik-dashboard-auth.path; + isReadOnly = true; + }; }; autoStart = true; @@ -50,11 +61,16 @@ in services.traefik = { enable = true; staticConfigOptions = { + global = { + checkNewVersion = false; + sendAnonymousUsage = false; + }; log = { level = "WARN"; }; api = { dashboard = true; + disabledashboardad = true; }; entryPoints = { local = { 
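Review bot: The new `traefik-dashboard-auth` secret is declared with `mode = "0444"` and no `owner`/`group`, so the htpasswd file is world-readable on the host, while the Cloudflare token right above it is root-only `0400`; any local account can copy the password hashes and run them through a cracker offline. The loose mode is presumably there so the unprivileged traefik process inside the container can read the bind mount — NixOS containers share the host uid/gid space unless `privateUsers` is set, so the same effect is available without opening the file to everyone: `owner = "<numeric uid traefik runs as in the container>"; mode = "0400";` (or the matching gid with `mode = "0440"`), with the id confirmed from inside the container. Whichever is chosen, a one-line comment on the entry should record why its permissions differ from the token's, e.g. `# htpasswd hashes for the dashboard; must be readable by the container's traefik user`.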
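Review bot: `disabledashboardad = true;` under `api` is all lower-case, while the two `global` keys added in the same hunk (`checkNewVersion`, `sendAnonymousUsage`) follow Traefik's documented camelCase. Traefik's documented name is `disableDashboardAd`; its config loader matches keys case-insensitively as far as I know, so this probably takes effect, but writing it as `disableDashboardAd = true;` keeps it greppable against the docs and consistent with the neighbouring keys, and removes any doubt about whether the option was silently ignored.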
@@ -89,10 +105,11 @@ in
 http = {
 routers = {
 traefik = {
- rule = "Host(`traefik.internal.smayzy.ovh`)";
+ rule = "Host(`traefik.internal.smayzy.ovh`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))";
 entryPoints = [ "localSec" ];
 service = "api@internal";
 tls.certResolver = "cloudflare";
+ middlewares = [ "dashboard-auth" ];
 };
 httpd = {
 rule = "Host(`httpd.internal.smayzy.ovh`)";
@@ -215,6 +232,13 @@ in
 serverName = "srv2-proxmox.internal.smayzy.ovh";
 };
 };
+ middlewares ={
+ dashboard-auth = {
+ basicAuth = {
+ usersFile = "/run/secrets/traefik-dashboard-auth";
+ };
+ };
+ };
 }; # http
 }; # dyna config
 }; # services.traefik
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c21d10d..2c9450e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -47,5 +47,6 @@ in
 "systems.age" = mkKey systems;
- "traefik-cf-tk.age" = mkKey desktop1;
+ "traefik-cf-tk.age" = mkKey server1;
+ "traefik-dashboard-auth.age" = mkKey server1;
 }
diff --git a/secrets/traefik-cf-tk.age b/secrets/traefik-cf-tk.age
index 041d821..417d8d2 100644
--- a/secrets/traefik-cf-tk.age
+++ b/secrets/traefik-cf-tk.age
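Review bot: The `traefik` router now gates `api@internal` with `dashboard-auth` only, and Traefik's basicAuth has no lockout or back-off, so a client that can reach `localSec` can try passwords against `/api` at line rate. If that entrypoint is reachable from anything less trusted than the admin LAN, chain a rate limiter in front of the auth step — `middlewares = [ "dashboard-ratelimit" "dashboard-auth" ];` — and define `dashboard-ratelimit` as a `rateLimit` middleware with a small `average`/`burst` next to `dashboard-auth`. The rule change to `/api` and `/dashboard` matches Traefik's recommended dashboard-securing pattern; the rest of `routers` continues outside the hunk.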
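Review bot: `usersFile = "/run/secrets/traefik-dashboard-auth"` gives no hint of what the secret must contain, and Traefik's basicAuth accepts MD5 and SHA1 htpasswd entries as well as bcrypt; the encrypted file cannot be inspected here, so it is worth pinning the expectation in a comment so the next rotation does not downgrade it: `# htpasswd lines, bcrypt only (htpasswd -nB <user>); bind-mounted read-only from agenix`. Also `middlewares ={` is missing the space before `{` that every other attribute in the file uses — `middlewares = {`.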
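Review bot: Re-encrypting `traefik-cf-tk.age` from `desktop1` to `server1` changes who can decrypt the file from now on, but the previous ciphertext stays in git history and anyone holding desktop1's key can still recover the token from it. If moving the secret off desktop1 is meant to revoke that machine's access rather than just relocate the service, the Cloudflare API token itself should be rotated and the rotated value is what gets encrypted to `server1`; if desktop1 remains trusted this is fine as is. A short note in the commit message (or next to the `mkKey server1` entries) saying which of the two applies would save the next reader the same question.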
@@ -1,10 +1,10 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IExwTFA3dyBaZTRB -UmhMWGEzTXVsbVg1cEI4a2NGOG01bDZINUtNWlhyemFRUUZWYjI4Cjh0b1ladXli -dmV6d0d6V1hmTk02YU8wVHpMNFNQMW1uVlNYeEx0SE1nUjAKLT4gc3NoLWVkMjU1 -MTkgR3Q0b2R3IFZCUUdKcGY2TTRSSWhqWllkd2RsVmw1M2h4RllZU0ZSM1N6eThG -UXVleXcKRUp0V0h2djdEMnpVVUlwUThXMENYWFhlM1I0R1FBcVNuWDRUNDFKazho -bwotLS0gTXJCQ2dDZkJod2Ezc3Y3VThXNGhpVHlkbHZGUlJOU1Q0SDZVTGFnZ1FB -awpkI4uVSv1v7+/Ad7Up8Uo6v7O8NRmLClI/08IzXPL0RrTvj55SO3Adct1qnknW -GPsNHiMUgWxAfYMAKjsoz95zxPmzLJrV6Fm5penyyRC8X3ssZgH8HLoBueQ= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDk3Sk1jZyBPMkFi +bGxHQkNrME44NlB0QWRHT283d1dPbXA0VWRHV0FveGpNR2IrS2h3CnBZektGaVZt +WTFVRXg1bG5rTW5Samw1dEVsaVZRL3A1MkNIY0V1MkdYNnMKLT4gc3NoLWVkMjU1 +MTkgR3Q0b2R3IHB1eWNOdGIrajBnOUIvSS96NUFCdE5LZjE2b1NwYXZwS0VpZGsr +MTBNRDgKdCtjaGVBTHRJQnFTWmRKR0d4RTNzblpYb1huZlJyOU9TcmVlamZwY2tW +cwotLS0gdU1sbWlRSnFEVTdoUFpwTUl6bTcyK3pwVTBLYVViUW9IZUF6a2RWUmpx +Ywq7lU5FOEWKU8yaciB+s6IFwcOGJuoNvpPym+K95+pl8Oq3CoBVqq3ZZbNl+nqR +7LSM7NAAhhwU8vu2e04gKgDLHzeGQv4xS59ldkQ0QS8zlU/UPJAqRi8jV9s= -----END AGE ENCRYPTED FILE----- diff --git a/secrets/traefik-dashboard-auth.age b/secrets/traefik-dashboard-auth.age new file mode 100644 index 0000000..6f48200 --- /dev/null +++ b/secrets/traefik-dashboard-auth.age @@ -0,0 +1,11 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDk3Sk1jZyAyTGp2 +TGVZWldKNS9idFVxenJXME1aeGE1NUxGenc1UjA5OXlGSFNhOW04Ck5HajZLa25r +OWNhWlREV3JtTVQ5R2dVenI2cW8veGczU1VYakF5QzZzMlEKLT4gc3NoLWVkMjU1 +MTkgR3Q0b2R3IDY4c1dabVZ3aEQrTjk2M2h6TFovNWJMeTBBNXBrV2RzL1NTVkxi +TVJOUVEKZ1VGMEtqcWhZOUg3SStQSmpoOFRhQmUzRlFBMy80U3FTSFZrV0V6SVpp +awotLS0gdGNCTmIvRkhPT2YzY3RDYlVNTGRoZFg2S1NJZ2orMTdPYzlKeGtiTXlT +Ywrs/+S9kNW8OYUOcu2yBblmPYkiObXm4+zFVA9bfxR3pAjstdB/6BOa/3lRqm2l +T8Y1ZCOHuiZAtlSWB8kKsSL1GCpDnQC/51aeQkQXTnPs77e8LCuxf2xyKeYoy/3j +eE7mEgEI +-----END AGE ENCRYPTED FILE-----