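{ config, lib, pkgs, ... }:
{
  # Traefik reverse proxy setup.
  #
  # Listener summary (hardening notes are inline below):
  #   :80   web        -> redirected to websecure; also answers the ACME HTTP-01 challenge
  #   :443  websecure  -> TLS, certificates from the "letsencrypt" resolver
  #   :8082 metrics    -> Prometheus scrape endpoint, nothing in this file authenticates it
  services.traefik = {
    enable = true;

    staticConfigOptions = {
      entryPoints = {
        web = {
          address = ":80";
          asDefault = true;
          # Plain HTTP exists only to redirect to HTTPS (Traefik serves the ACME
          # challenge before applying the redirect).
          http.redirections.entrypoint = {
            to = "websecure";
            scheme = "https";
          };
        };
        websecure = {
          address = ":443";
          asDefault = true;
          http.tls.certResolver = "letsencrypt";
        };
        metrics = {
          # Binds on all interfaces and is unauthenticated; restrict it with the host
          # firewall to the Prometheus scraper only.
          address = ":8082";
        };
      };

      api.dashboard = true;
      # The dashboard is reachable only through the "traefik" router below
      # (service api@internal), which sits behind the IP allow-list middleware.
      # `api.insecure = true` would additionally open an unauthenticated API and
      # dashboard listener on :8080 on every interface, bypassing that allow-list.
      api.insecure = false;

      # Enable Let's Encrypt
      certificatesResolvers = {
        letsencrypt = {
          acme = {
            email = "david.mikael@proton.me"; # Replace with your email
            # Location to store ACME certificates; this file also holds the private
            # keys, so it must stay readable by the traefik user only.
            storage = "/var/lib/traefik/acme.json";
            httpChallenge = {
              entryPoint = "web"; # Uses HTTP challenge (can also use DNS)
            };
            # Uncomment the following for staging (testing) environment
            # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory";
          };
        };
      };

      # Enable Prometheus metrics
      metrics = {
        prometheus = {
          entryPoint = "metrics";
        };
      };

      log = {
        # DEBUG is verbose and can write request details to disk; lower it to INFO
        # once the setup is stable.
        level = "DEBUG";
        filePath = "/var/log/traefik/traefik.log";
      };
      accessLog = {
        format = "json";
        filePath = "/var/log/traefik/access.log";
      };
      # Enable access logs (you can customize the log format)
      # accessLog = {
      #   filePath = "/var/log/traefik/access.log"; # Log to a file
      #   format = "common"; # You can adjust this to `json` or `common`
      # };
      # tracing = {
      #   enabled = true;
      #   provider = "jaeger"; # or zipkin, or other
      #   jaeger = {
      #     apiURL = "http://localhost:5775"; # Replace with your Jaeger instance URL
      #   };
      # };
    };

    dynamicConfigOptions = {
      # IP allow-list middleware to restrict access to the internal network only.
      # Traefik checks the TCP peer address, so this is only meaningful while
      # Traefik is the first hop (no upstream proxy or NAT in front of it).
      http.middlewares = {
        internal-whitelist = {
          ipWhiteList = {
            sourceRange = [ "192.168.1.0/24" ]; # Adjust to your internal network range
            # Alternatively use `127.0.0.1/32` for localhost access
          };
        };
      };

      # Route to Proxmox UI.
      # No middleware is attached, so the Proxmox login page is reachable from
      # anywhere that can reach :443; add "internal-whitelist" here if remote
      # access is not required.
      http.routers.proxmox = {
        rule = "Host(`proxmox.procopius.dk`)";
        service = "proxmox";
        entryPoints = [ "web" "websecure" ];
        tls = {
          certResolver = "letsencrypt"; # Use Let's Encrypt
        };
      };

      # Route to Traefik Dashboard.
      # api@internal is Traefik's built-in API/dashboard service; it replaces the
      # former loopback to traefik.local:8080, which only existed because of
      # api.insecure.
      http.routers.traefik = {
        rule = "Host(`traefik.procopius.dk`)";
        service = "api@internal";
        entryPoints = [ "web" "websecure" ];
        middlewares = [ "internal-whitelist" ];
        tls = {
          certResolver = "letsencrypt"; # Use Let's Encrypt
        };
      };

      # Route to Forgejo
      http.routers.forgejo = {
        rule = "Host(`git.procopius.dk`)";
        service = "forgejo";
        entryPoints = [ "web" "websecure" ];
        tls = {
          certResolver = "letsencrypt"; # Use Let's Encrypt
        };
      };

      # Catch-all route: anything not matched above is sent to nginx.
      # NOTE(review): a HostRegexp rule carries no concrete domain for the
      # resolver, so unknown SNI/Host values reaching :443 may trigger ACME
      # order attempts (rate-limit and log noise). List the expected names in
      # `tls.domains`, or drop `certResolver` here, if that is unwanted — verify
      # against the Traefik version in use.
      http.routers.catchAll = {
        # rule = "Host(`jellyfin.procopius.dk`)";
        rule = "HostRegexp(`.+`)";
        # rule = "HostRegexp(`{host:.+}`)";
        service = "nginx";
        entryPoints = [ "web" "websecure" ];
        tls = {
          certResolver = "letsencrypt"; # Use Let's Encrypt
        };
      };

      # Define the services
      http.services.proxmox.loadBalancer.servers = [
        { url = "https://192.168.1.205:8006"; } # Proxmox
      ];
      http.services.proxmox.loadBalancer.serversTransport = "insecureTransport";
      http.services.forgejo.loadBalancer.servers = [
        { url = "http://192.168.1.249:3000"; } # forgejo
      ];
      http.services.nginx.loadBalancer.servers = [
        { url = "https://192.168.1.226:4433"; } # nginx
      ];
      http.services.nginx.loadBalancer.serversTransport = "insecureTransport";

      # Backend TLS is accepted without certificate verification (self-signed
      # Proxmox/nginx certificates). This leaves the Traefik -> backend hop open
      # to interception on the LAN; prefer trusting the backend CA via
      # `serversTransports.<name>.rootCAs` once one is available.
      http.serversTransports.insecureTransport.insecureSkipVerify = true;
    };
  };

  # Optionally, you can add Docker support if using Docker Compose
  virtualisation.docker.enable = true;
}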