
webserver: Add traefik container

This commit is contained in:
Daniel Kempkens 2022-07-31 12:23:30 +02:00
parent e59b059f7c
commit 70381b00e0
5 changed files with 99 additions and 12 deletions


@ -1,6 +1,5 @@
let
secret = import ../../../secret/container/webserver.nix;
in
{ secret, ... }:
{
environment.etc."container-webserver/mosquitto/mosquitto.conf" = {
text = ''
@ -9,14 +8,10 @@ in
'';
mode = "0644";
uid = 1883;
gid = 1883;
};
environment.etc."container-webserver/mosquitto/users.conf" = {
text = secret.container.webserver.mosquitto.users;
mode = "0644";
uid = 1883;
gid = 1883;
};
}
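Review bot: The Mosquitto credentials file `environment.etc."container-webserver/mosquitto/users.conf"` keeps `mode = "0644"`, and because `environment.etc.<name>.text` is realised as a store path, the content of `secret.container.webserver.mosquitto.users` is world-readable under `/nix/store` regardless of that mode. The same holds for every value interpolated from `secret` into a `text` attribute. If the file holds password hashes the exposure is offline cracking rather than direct login, but a `source` pointing at a non-store file written by a secrets deployer, with a mode the container user can still read, would keep it out of the store. The removed lines of this hunk are not distinguishable in this rendering, so the note applies to the new-side file as a whole.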


@ -0,0 +1,64 @@
{ secret, ... }:
{
environment.etc."container-webserver/traefik/traefik.toml" = {
text = ''
[providers]
[providers.file]
directory = "/custom_config"
watch = true
[providers.docker]
exposedByDefault = false
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[certificatesResolvers.cfresolver.acme]
email = "${secret.container.webserver.traefik.config.acme.email}"
storage = "/acme.json"
keyType = "EC384"
[certificatesResolvers.cfresolver.acme.dnsChallenge]
provider = "cloudflare"
[api]
dashboard = true
'';
mode = "0644";
};
environment.etc."container-webserver/traefik/custom/middlewares.toml" = {
text = ''
[http.middlewares]
[http.middlewares.non-www-redirect.redirectRegex]
regex = "^https://www.(.*)"
replacement = "https://${1}"
permanent = true
[http.middlewares.https-redirect.redirectScheme]
scheme = "https"
permanent = true
[http.middlewares.content-compression.compress]
[http.middlewares.very-low-request-rate.rateLimit]
average = 3
period = "1m"
[http.middlewares.security-headers.headers]
frameDeny = true
browserXssFilter = true
contentTypeNosniff = true
referrerPolicy = "no-referrer"
contentSecurityPolicy = "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; font-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'self'"
'';
mode = "0644";
};
}
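Review bot: `replacement = "https://${1}"` in `middlewares.toml` sits inside a Nix indented string, where `${…}` is interpolation, so as rendered this tries to interpolate the integer `1` and fails at evaluation; the literal needs the escape `replacement = "https://''${1}"` (unless the rendering dropped the leading `''`). On the line above, `regex = "^https://www.(.*)"` leaves the dot unescaped so any character matches there; `regex = "^https://www\\.(.*)"` pins it. The `security-headers` middleware sets no HSTS (`stsSeconds`), and with `api.dashboard = true` the dashboard is reachable through whichever router `secret.container.webserver.traefik.labels` attaches to `api@internal`, which should carry an auth middleware — that part is not visible here.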


@ -1,5 +1,7 @@
let
config-mosquitto = import ./config/mosquitto.nix;
secret = import ../../secret/container/webserver.nix;
config-mosquitto = import ./config/mosquitto.nix { inherit secret; };
config-traefik = import ./config/traefik.nix { inherit secret; };
in
{
virtualisation.arion.projects.webserver.settings = {
@ -7,7 +9,7 @@ in
ipv6nat = {
service = {
image = "robbertkl/ipv6nat:latest";
name = "ipv6nat";
container_name = "ipv6nat";
restart = "always";
capabilities = {
ALL = false;
@ -29,13 +31,36 @@ in
depends_on = [ "ipv6nat" ];
networks = [ "webserver" ];
ports = [ "1883:1883" ];
user = "1883";
user = "nobody";
volumes = [
"/etc/container-webserver/mosquitto:/mosquitto/config:ro"
];
};
};
traefik = {
service = {
image = "traefik:v2.8";
container_name = "traefik";
restart = "always";
depends_on = [ "ipv6nat" ];
networks = [ "webserver" ];
ports = [
"80:80"
"443:443"
];
command = [ "--configFile=/traefik.toml" ];
environment = secret.container.webserver.traefik.environment;
volumes = [
"/var/run/docker.sock:/var/run/docker.sock:ro"
"/etc/container-webserver/traefik/traefik.toml:/traefik.toml:ro"
"/etc/container-webserver/traefik/acme.json:/acme.json"
"/etc/container-webserver/traefik/custom:/custom_config:ro"
];
labels = secret.container.webserver.traefik.labels;
};
};
ifconfig-sexy = {
service = {
image = "ghcr.io/nifoc/ifconfig.sexy-caddy:master";
@ -70,4 +95,4 @@ in
};
};
};
} // config-mosquitto
} // config-mosquitto // config-traefik
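Review bot: `environment = secret.container.webserver.traefik.environment;` passes what is presumably the Cloudflare credential for the `dnsChallenge` as plain compose environment, so it lands in the generated compose file in the Nix store and in `docker inspect` output; an `env_file` pointing at a non-store path written by the secrets deployer would keep it out of both. The bind mount `/var/run/docker.sock:/var/run/docker.sock:ro` is not restricted by `:ro` — the Docker API stays fully usable, so a compromise of the Traefik container is root on the host; a socket proxy limiting it to read-only container/events endpoints is the usual mitigation. `/etc/container-webserver/traefik/acme.json:/acme.json` is mounted read-write but nothing in this commit creates that file; if it is absent Docker creates a directory in its place and Traefik fails, and Traefik also requires it to be `0600`. The store-exposure point applies to `labels = secret.container.webserver.traefik.labels;` as well, where any basic-auth hash in the labels becomes world-readable.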

Binary file not shown.


@ -18,7 +18,10 @@ in
nixosConfigurations.sail = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
({ nixpkgs = nixpkgsConfig; })
({
nixpkgs.overlays = nixpkgsConfig.overlays;
nixpkgs.config = nixpkgsConfig.config;
})
arion.nixosModules.arion