webserver: Add traefik container
This commit is contained in:
parent
e59b059f7c
commit
70381b00e0
5 changed files with 99 additions and 12 deletions
|
@ -1,6 +1,5 @@
|
|||
let
|
||||
secret = import ../../../secret/container/webserver.nix;
|
||||
in
|
||||
{ secret, ... }:
|
||||
|
||||
{
|
||||
environment.etc."container-webserver/mosquitto/mosquitto.conf" = {
|
||||
text = ''
|
||||
|
@ -9,14 +8,10 @@ in
|
|||
'';
|
||||
|
||||
mode = "0644";
|
||||
uid = 1883;
|
||||
gid = 1883;
|
||||
};
|
||||
|
||||
environment.etc."container-webserver/mosquitto/users.conf" = {
|
||||
text = secret.container.webserver.mosquitto.users;
|
||||
mode = "0644";
|
||||
uid = 1883;
|
||||
gid = 1883;
|
||||
};
|
||||
}
|
||||
|
|
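Review bot: The `users.conf` entry installs the broker's credential list with `mode = "0644"`, so any local account on the host can read it, and because it is supplied as `text` the same content is also written into the world-readable Nix store whatever mode is set. I cannot see whether `secret.container.webserver.mosquitto.users` holds `mosquitto_passwd` hashes or plaintext, but even hashes deserve `mode = "0640";`; note that with the container now running as `nobody` (webserver.nix hunk in this commit) the tighter mode would need the process back on uid 1883 or a matching `gid`, so the two should change together. Keeping the file out of the store entirely means pointing `source` at a runtime-provisioned path instead of `text`, which is a larger follow-up than this commit.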
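--- /dev/null
+++ b/container/webserver/config/traefik.nix
@@ -0,0 +1,64 @@
+{ secret, ... }:
+
+{
+environment.etc."container-webserver/traefik/traefik.toml" = {
+text = ''
+[providers]
+[providers.file]
+directory = "/custom_config"
+watch = true
+
+[providers.docker]
+exposedByDefault = false
+
+[entryPoints]
+[entryPoints.web]
+address = ":80"
+
+[entryPoints.websecure]
+address = ":443"
+
+[certificatesResolvers.cfresolver.acme]
+email = "${secret.container.webserver.traefik.config.acme.email}"
+storage = "/acme.json"
+keyType = "EC384"
+
+[certificatesResolvers.cfresolver.acme.dnsChallenge]
+provider = "cloudflare"
+
+[api]
+dashboard = true
+'';
+
+mode = "0644";
+};
+
+environment.etc."container-webserver/traefik/custom/middlewares.toml" = {
+text = ''
+[http.middlewares]
+[http.middlewares.non-www-redirect.redirectRegex]
+regex = "^https://www.(.*)"
+replacement = "https://${1}"
+permanent = true
+
+[http.middlewares.https-redirect.redirectScheme]
+scheme = "https"
+permanent = true
+
+[http.middlewares.content-compression.compress]
+
+[http.middlewares.very-low-request-rate.rateLimit]
+average = 3
+period = "1m"
+
+[http.middlewares.security-headers.headers]
+frameDeny = true
+browserXssFilter = true
+contentTypeNosniff = true
+referrerPolicy = "no-referrer"
+contentSecurityPolicy = "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; font-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'self'"
+'';
+
+mode = "0644";
+};
+}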
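Review bot: As rendered, the `replacement = "https://${1}"` line of `middlewares.toml` sits inside a Nix `''` string, where `${1}` is a Nix interpolation of the integer 1 rather than Traefik's capture-group reference, so evaluation should fail with a coercion error; the literal needs the indented-string escape, `replacement = "https://''${1}"`. The same middleware's `regex = "^https://www.(.*)"` leaves the dot unescaped, so it also matches hosts such as `https://wwwx...`; `regex = "^https://www\\.(.*)"` pins it. `[api] dashboard = true` turns on the API/dashboard, which Traefik itself does not authenticate; the router and middleware that front it come from `secret.container.webserver.traefik.labels` in webserver.nix, which I cannot see, so please confirm it is gated by a basicAuth or forwardAuth middleware rather than by an unguessable host name.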
@ -1,5 +1,7 @@
|
|||
let
|
||||
config-mosquitto = import ./config/mosquitto.nix;
|
||||
secret = import ../../secret/container/webserver.nix;
|
||||
config-mosquitto = import ./config/mosquitto.nix { inherit secret; };
|
||||
config-traefik = import ./config/traefik.nix { inherit secret; };
|
||||
in
|
||||
{
|
||||
virtualisation.arion.projects.webserver.settings = {
|
||||
|
@ -7,7 +9,7 @@ in
|
|||
ipv6nat = {
|
||||
service = {
|
||||
image = "robbertkl/ipv6nat:latest";
|
||||
name = "ipv6nat";
|
||||
container_name = "ipv6nat";
|
||||
restart = "always";
|
||||
capabilities = {
|
||||
ALL = false;
|
||||
|
@ -29,13 +31,36 @@ in
|
|||
depends_on = [ "ipv6nat" ];
|
||||
networks = [ "webserver" ];
|
||||
ports = [ "1883:1883" ];
|
||||
user = "1883";
|
||||
user = "nobody";
|
||||
volumes = [
|
||||
"/etc/container-webserver/mosquitto:/mosquitto/config:ro"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
traefik = {
|
||||
service = {
|
||||
image = "traefik:v2.8";
|
||||
container_name = "traefik";
|
||||
restart = "always";
|
||||
depends_on = [ "ipv6nat" ];
|
||||
networks = [ "webserver" ];
|
||||
ports = [
|
||||
"80:80"
|
||||
"443:443"
|
||||
];
|
||||
command = [ "--configFile=/traefik.toml" ];
|
||||
environment = secret.container.webserver.traefik.environment;
|
||||
volumes = [
|
||||
"/var/run/docker.sock:/var/run/docker.sock:ro"
|
||||
"/etc/container-webserver/traefik/traefik.toml:/traefik.toml:ro"
|
||||
"/etc/container-webserver/traefik/acme.json:/acme.json"
|
||||
"/etc/container-webserver/traefik/custom:/custom_config:ro"
|
||||
];
|
||||
labels = secret.container.webserver.traefik.labels;
|
||||
};
|
||||
};
|
||||
|
||||
ifconfig-sexy = {
|
||||
service = {
|
||||
image = "ghcr.io/nifoc/ifconfig.sexy-caddy:master";
|
||||
|
@ -70,4 +95,4 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
} // config-mosquitto
|
||||
} // config-mosquitto // config-traefik
|
||||
|
|
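Review bot: The traefik service bind-mounts `/var/run/docker.sock:/var/run/docker.sock:ro`, and `:ro` only makes the socket inode read-only; the Docker API behind it is fully writable, so a compromise of this container (the one process here exposed on 80/443) yields root-equivalent control of the host. The usual mitigation is to keep the socket off this container and point `providers.docker.endpoint` at a filtering socket proxy on the `webserver` network that exposes only the container/event read endpoints; at minimum, give traefik the same `capabilities = { ALL = false; ... };` treatment the `ipv6nat` service gets in the hunk above. Two smaller points in the same hunk: `/etc/container-webserver/traefik/acme.json` is bind-mounted but never declared under `environment.etc`, so if it is absent on first start Docker creates a directory at that path and Traefik's ACME store fails, and the Cloudflare API token presumably carried by `secret.container.webserver.traefik.environment` is readable via `docker inspect` by anyone in the docker group, so its scope should be limited to the zone's DNS edit permission.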
Binary file not shown.
|
@ -18,7 +18,10 @@ in
|
|||
nixosConfigurations.sail = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
({ nixpkgs = nixpkgsConfig; })
|
||||
({
|
||||
nixpkgs.overlays = nixpkgsConfig.overlays;
|
||||
nixpkgs.config = nixpkgsConfig.config;
|
||||
})
|
||||
|
||||
arion.nixosModules.arion
|
||||
|
||||
|
|