add auth to traefik and mv it to server1
All checks were successful
nixos config pipeline / show-flake (push) Successful in 32s
nixos config pipeline / deploy (push) Successful in 43s

smayzy 2025-09-22 22:04:36 +02:00
parent d3f7fe76d8
commit 0a43a381cc
4 changed files with 55 additions and 19 deletions


@ -18,18 +18,29 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
age.secrets.traefik-cf-tk = { age.secrets = {
file = ../../../../secrets/traefik-cf-tk.age; traefik-cf-tk = {
owner = "root"; file = ../../../../secrets/traefik-cf-tk.age;
group = "root"; owner = "root";
mode = "0400"; group = "root";
mode = "0400";
};
traefik-dashboard-auth = {
file = ../../../../secrets/traefik-dashboard-auth.age;
mode = "0444";
};
}; };
containers.traefik = { containers.traefik = {
bindMounts."/run/secrets/traefik-cf-tk" = { bindMounts = {
hostPath = config.age.secrets.traefik-cf-tk.path; "/run/secrets/traefik-cf-tk" = {
isReadOnly = true; hostPath = config.age.secrets.traefik-cf-tk.path;
isReadOnly = true;
};
"/run/secrets/traefik-dashboard-auth" = {
hostPath = config.age.secrets.traefik-dashboard-auth.path;
isReadOnly = true;
};
}; };
autoStart = true; autoStart = true;
@ -50,11 +61,16 @@ in
services.traefik = { services.traefik = {
enable = true; enable = true;
staticConfigOptions = { staticConfigOptions = {
global = {
checkNewVersion = false;
sendAnonymousUsage = false;
};
log = { log = {
level = "WARN"; level = "WARN";
}; };
api = { api = {
dashboard = true; dashboard = true;
disabledashboardad = true;
}; };
entryPoints = { entryPoints = {
local = { local = {
@ -89,10 +105,11 @@ in
http = { http = {
routers = { routers = {
traefik = { traefik = {
rule = "Host(`traefik.internal.smayzy.ovh`)"; rule = "Host(`traefik.internal.smayzy.ovh`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))";
entryPoints = [ "localSec" ]; entryPoints = [ "localSec" ];
service = "api@internal"; service = "api@internal";
tls.certResolver = "cloudflare"; tls.certResolver = "cloudflare";
middlewares = [ "dashboard-auth" ];
}; };
httpd = { httpd = {
rule = "Host(`httpd.internal.smayzy.ovh`)"; rule = "Host(`httpd.internal.smayzy.ovh`)";
@ -215,6 +232,13 @@ in
serverName = "srv2-proxmox.internal.smayzy.ovh"; serverName = "srv2-proxmox.internal.smayzy.ovh";
}; };
}; };
middlewares ={
dashboard-auth = {
basicAuth = {
usersFile = "/run/secrets/traefik-dashboard-auth";
};
};
};
}; # http }; # http
}; # dyna config }; # dyna config
}; # services.traefik }; # services.traefik
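Review bot: The new `traefik-dashboard-auth` secret is declared with `mode = "0444"` and no `owner`/`group`, so the decrypted basic-auth users file is readable by every local account on the host, and through the read-only bind mount inside the container as well, while `traefik-cf-tk` right above it stays `0400` root. That file holds the password hashes the `dashboard-auth` middleware checks, so any local reader can copy them for offline guessing. If the looser mode exists only so the Traefik service user can read the file, prefer handing that user ownership, e.g. `owner = "traefik"; mode = "0400";`, assuming a matching user/uid exists where agenix decrypts it, which this section does not show. A short comment on the secret explaining why it needs a different mode than the token would also help the next reader.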


@ -47,5 +47,6 @@ in
"systems.age" = mkKey systems; "systems.age" = mkKey systems;
"traefik-cf-tk.age" = mkKey desktop1; "traefik-cf-tk.age" = mkKey server1;
"traefik-dashboard-auth.age" = mkKey server1;
} }
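Review bot: Changing `"traefik-cf-tk.age"` from `mkKey desktop1` to `mkKey server1` only decides who can decrypt the new blob; the earlier ciphertext stays in the repository history and is still decryptable with the desktop1 key. If the move is meant to take the Cloudflare token away from desktop1, the token itself needs to be rotated at the provider and the file re-encrypted with the new value; whether that happened cannot be seen from this diff. A one-line comment above the two traefik entries, such as `# traefik moved to server1`, would record why the recipient changed.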


@ -1,10 +1,10 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IExwTFA3dyBaZTRB YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDk3Sk1jZyBPMkFi
UmhMWGEzTXVsbVg1cEI4a2NGOG01bDZINUtNWlhyemFRUUZWYjI4Cjh0b1ladXli bGxHQkNrME44NlB0QWRHT283d1dPbXA0VWRHV0FveGpNR2IrS2h3CnBZektGaVZt
dmV6d0d6V1hmTk02YU8wVHpMNFNQMW1uVlNYeEx0SE1nUjAKLT4gc3NoLWVkMjU1 WTFVRXg1bG5rTW5Samw1dEVsaVZRL3A1MkNIY0V1MkdYNnMKLT4gc3NoLWVkMjU1
MTkgR3Q0b2R3IFZCUUdKcGY2TTRSSWhqWllkd2RsVmw1M2h4RllZU0ZSM1N6eThG MTkgR3Q0b2R3IHB1eWNOdGIrajBnOUIvSS96NUFCdE5LZjE2b1NwYXZwS0VpZGsr
UXVleXcKRUp0V0h2djdEMnpVVUlwUThXMENYWFhlM1I0R1FBcVNuWDRUNDFKazho MTBNRDgKdCtjaGVBTHRJQnFTWmRKR0d4RTNzblpYb1huZlJyOU9TcmVlamZwY2tW
bwotLS0gTXJCQ2dDZkJod2Ezc3Y3VThXNGhpVHlkbHZGUlJOU1Q0SDZVTGFnZ1FB cwotLS0gdU1sbWlRSnFEVTdoUFpwTUl6bTcyK3pwVTBLYVViUW9IZUF6a2RWUmpx
awpkI4uVSv1v7+/Ad7Up8Uo6v7O8NRmLClI/08IzXPL0RrTvj55SO3Adct1qnknW Ywq7lU5FOEWKU8yaciB+s6IFwcOGJuoNvpPym+K95+pl8Oq3CoBVqq3ZZbNl+nqR
GPsNHiMUgWxAfYMAKjsoz95zxPmzLJrV6Fm5penyyRC8X3ssZgH8HLoBueQ= 7LSM7NAAhhwU8vu2e04gKgDLHzeGQv4xS59ldkQ0QS8zlU/UPJAqRi8jV9s=
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----


@ -0,0 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----