webserver: Add traefik container

2022-07-31 12:23:30 +02:00 · 2022-07-31 12:23:30 +02:00 · 70381b00e0
commit 70381b00e0
parent e59b059f7c
5 changed files with 99 additions and 12 deletions
--- a/container/webserver/config/mosquitto.nix
+++ b/container/webserver/config/mosquitto.nix
@ -1,6 +1,5 @@
-let
-  secret = import ../../../secret/container/webserver.nix;
-in
+{ secret, ... }:
+
 {
  environment.etc."container-webserver/mosquitto/mosquitto.conf" = {
    text = ''
@ -9,14 +8,10 @@ in
    '';

    mode = "0644";
-    uid = 1883;
-    gid = 1883;
  };

  environment.etc."container-webserver/mosquitto/users.conf" = {
    text = secret.container.webserver.mosquitto.users;
    mode = "0644";
-    uid = 1883;
-    gid = 1883;
  };
 }
--- a/container/webserver/config/traefik.nix
+++ b/container/webserver/config/traefik.nix
@ -0,0 +1,64 @@
+{ secret, ... }:
+
+{
+  environment.etc."container-webserver/traefik/traefik.toml" = {
+    text = ''
+      [providers]
+        [providers.file]
+          directory = "/custom_config"
+          watch = true
+
+        [providers.docker]
+          exposedByDefault = false
+
+      [entryPoints]
+        [entryPoints.web]
+          address = ":80"
+
+        [entryPoints.websecure]
+          address = ":443"
+
+      [certificatesResolvers.cfresolver.acme]
+        email = "${secret.container.webserver.traefik.config.acme.email}"
+        storage = "/acme.json"
+        keyType = "EC384"
+
+        [certificatesResolvers.cfresolver.acme.dnsChallenge]
+          provider = "cloudflare"
+
+      [api]
+        dashboard = true
+    '';
+
+    mode = "0644";
+  };
+
+  environment.etc."container-webserver/traefik/custom/middlewares.toml" = {
+    text = ''
+      [http.middlewares]
+        [http.middlewares.non-www-redirect.redirectRegex]
+          regex = "^https://www.(.*)"
+          replacement = "https://${1}"
+          permanent = true
+
+        [http.middlewares.https-redirect.redirectScheme]
+          scheme = "https"
+          permanent = true
+
+        [http.middlewares.content-compression.compress]
+
+        [http.middlewares.very-low-request-rate.rateLimit]
+          average = 3
+          period = "1m"
+
+        [http.middlewares.security-headers.headers]
+          frameDeny = true
+          browserXssFilter = true
+          contentTypeNosniff = true
+          referrerPolicy = "no-referrer"
+          contentSecurityPolicy = "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; font-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'self'"
+    '';
+
+    mode = "0644";
+  };
+}
--- a/container/webserver/default.nix
+++ b/container/webserver/default.nix
@ -1,5 +1,7 @@
 let
-  config-mosquitto = import ./config/mosquitto.nix;
+  secret = import ../../secret/container/webserver.nix;
+  config-mosquitto = import ./config/mosquitto.nix { inherit secret; };
+  config-traefik = import ./config/traefik.nix { inherit secret; };
 in
 {
  virtualisation.arion.projects.webserver.settings = {
@ -7,7 +9,7 @@ in
      ipv6nat = {
        service = {
          image = "robbertkl/ipv6nat:latest";
-          name = "ipv6nat";
+          container_name = "ipv6nat";
          restart = "always";
          capabilities = {
            ALL = false;
@ -29,13 +31,36 @@ in
          depends_on = [ "ipv6nat" ];
          networks = [ "webserver" ];
          ports = [ "1883:1883" ];
-          user = "1883";
+          user = "nobody";
          volumes = [
            "/etc/container-webserver/mosquitto:/mosquitto/config:ro"
          ];
        };
      };

+      traefik = {
+        service = {
+          image = "traefik:v2.8";
+          container_name = "traefik";
+          restart = "always";
+          depends_on = [ "ipv6nat" ];
+          networks = [ "webserver" ];
+          ports = [
+            "80:80"
+            "443:443"
+          ];
+          command = [ "--configFile=/traefik.toml" ];
+          environment = secret.container.webserver.traefik.environment;
+          volumes = [
+            "/var/run/docker.sock:/var/run/docker.sock:ro"
+            "/etc/container-webserver/traefik/traefik.toml:/traefik.toml:ro"
+            "/etc/container-webserver/traefik/acme.json:/acme.json"
+            "/etc/container-webserver/traefik/custom:/custom_config:ro"
+          ];
+          labels = secret.container.webserver.traefik.labels;
+        };
+      };
+
      ifconfig-sexy = {
        service = {
          image = "ghcr.io/nifoc/ifconfig.sexy-caddy:master";
@ -70,4 +95,4 @@ in
      };
    };
  };
-} // config-mosquitto
+} // config-mosquitto // config-traefik
--- a/secret/container/webserver.nix
+++ b/secret/container/webserver.nix
--- a/system/flakes/sail.nix
+++ b/system/flakes/sail.nix
@ -18,7 +18,10 @@ in
  nixosConfigurations.sail = nixpkgs.lib.nixosSystem {
    system = "x86_64-linux";
    modules = [
-      ({ nixpkgs = nixpkgsConfig; })
+      ({
+        nixpkgs.overlays = nixpkgsConfig.overlays;
+        nixpkgs.config = nixpkgsConfig.config;
+      })

      arion.nixosModules.arion