From 8b75968f110302d86067b2223c2650c71c628f42 Mon Sep 17 00:00:00 2001 From: soraefir Date: Sat, 9 May 2026 09:55:30 +0200 Subject: [PATCH] fix tls --- modules/server/containers/builder.nix | 4 ++-- modules/server/containers/defs/traefik.nix | 10 ++++++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/modules/server/containers/builder.nix b/modules/server/containers/builder.nix index c689b85..1366740 100644 --- a/modules/server/containers/builder.nix +++ b/modules/server/containers/builder.nix @@ -12,7 +12,7 @@ let environmentFiles = if secret!=null then [ config.sops.secrets."${lib.toUpper secret}".path ] else []; environment = {} // extraEnv; - labels = if subdomain!=null then ({ + labels = (if subdomain!=null then ({ "traefik.enable" = "true"; "traefik.http.routers.${subdomain}.entrypoints" = "web-secure"; "traefik.http.routers.${subdomain}.rule" = "Host(`${subdomain}.${serverCfg.hostDomain}`)"; @@ -21,7 +21,7 @@ let "traefik.http.services.${subdomain}.loadbalancer.server.port" = toString port; }) else { "traefik.enable" = "false"; - } // extraLabels; + }) // extraLabels; extraOptions = extraOptions ++ [ "--add-host=host.containers.internal:host-gateway" diff --git a/modules/server/containers/defs/traefik.nix b/modules/server/containers/defs/traefik.nix index 9de37a7..02b7ab9 100644 --- a/modules/server/containers/defs/traefik.nix +++ b/modules/server/containers/defs/traefik.nix @@ -21,15 +21,21 @@ in { "traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal"; "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "authentik"; + "traefik.http.routers.${containerCfg.subdomain}.tls.certresolver=default" + "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main=${serverCfg.hostDomain}" + "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans=*.${serverCfg.hostDomain}" "traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"; "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true"; "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"; + }; + extraEnv = { + }; # extraOptions = [ "--user=:994" ]; #PODMAN GROUP FOR SOCKET ACCESS overrides = { cmd = [ "--api" - "--log.level=INFO" + "--log.level=DEBUG" "--providers.docker=true" "--global.checknewversion=false" "--global.sendanonymoususage=false" @@ -47,8 +53,8 @@ in { "--certificatesresolvers.default.acme.tlschallenge=false" "--certificatesresolvers.default.acme.httpchallenge=false" "--certificatesresolvers.default.acme.dnschallenge=true" - "--certificatesresolvers.default.acme.storage=/custom/acme.json" "--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}" + "--certificatesresolvers.default.acme.storage=/custom/acme.json" "--entrypoints.web-secure.http.tls=true" "--entrypoints.web-secure.http.tls.certresolver=default" "--entrypoints.web-secure.http.tls.domains[0].main=*.${serverCfg.hostDomain}"