fix tls

2026-05-09 09:55:30 +02:00
parent dda8409329
commit 8b75968f11
2 changed files with 10 additions and 4 deletions
--- a/modules/server/containers/builder.nix
+++ b/modules/server/containers/builder.nix
@@ -12,7 +12,7 @@ let
    environmentFiles = if secret!=null then [ config.sops.secrets."${lib.toUpper secret}".path ] else [];
    environment = {} // extraEnv;

-    labels = if subdomain!=null then ({
+    labels = (if subdomain!=null then ({
      "traefik.enable" = "true";
      "traefik.http.routers.${subdomain}.entrypoints" = "web-secure";
      "traefik.http.routers.${subdomain}.rule" = "Host(`${subdomain}.${serverCfg.hostDomain}`)";
@@ -21,7 +21,7 @@ let
      "traefik.http.services.${subdomain}.loadbalancer.server.port" = toString port;
    }) else {
      "traefik.enable" = "false";
-    } // extraLabels;
+    }) // extraLabels;

    extraOptions = extraOptions ++ [
      "--add-host=host.containers.internal:host-gateway"
--- a/modules/server/containers/defs/traefik.nix
+++ b/modules/server/containers/defs/traefik.nix
@@ -21,15 +21,21 @@ in {
        "traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "authentik";

+        "traefik.http.routers.${containerCfg.subdomain}.tls.certresolver=default"
+        "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main=${serverCfg.hostDomain}"
+        "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans=*.${serverCfg.hostDomain}"
        "traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
        "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
        "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
+      };
+      extraEnv = {
+
      };
      # extraOptions = [ "--user=:994" ]; #PODMAN GROUP FOR SOCKET ACCESS
      overrides = {
        cmd = [ 
          "--api"
-          "--log.level=INFO"
+          "--log.level=DEBUG"
          "--providers.docker=true"
          "--global.checknewversion=false"
          "--global.sendanonymoususage=false"
@@ -47,8 +53,8 @@ in {
          "--certificatesresolvers.default.acme.tlschallenge=false"
          "--certificatesresolvers.default.acme.httpchallenge=false"
          "--certificatesresolvers.default.acme.dnschallenge=true"
-          "--certificatesresolvers.default.acme.storage=/custom/acme.json"
          "--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
+          "--certificatesresolvers.default.acme.storage=/custom/acme.json"
          "--entrypoints.web-secure.http.tls=true"
          "--entrypoints.web-secure.http.tls.certresolver=default"
          "--entrypoints.web-secure.http.tls.domains[0].main=*.${serverCfg.hostDomain}"