sora/nixconfig
1
0
Fork 1
Code Issues 2 Pull Requests Actions Releases Activity

fix tls

Browse Source
This commit is contained in:
soraefir
2026-05-09 09:55:30 +02:00
parent dda8409329
commit 8b75968f11
2 changed files with 10 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
modules/server/containers/builder.nix
View File

@@ -12,7 +12,7 @@ let
environmentFiles = if secret!=null then [ config.sops.secrets."${lib.toUpper secret}".path ] else []; environmentFiles = if secret!=null then [ config.sops.secrets."${lib.toUpper secret}".path ] else [];
environment = {} // extraEnv; environment = {} // extraEnv;
labels = if subdomain!=null then ({ labels = (if subdomain!=null then ({
"traefik.enable" = "true"; "traefik.enable" = "true";
"traefik.http.routers.${subdomain}.entrypoints" = "web-secure"; "traefik.http.routers.${subdomain}.entrypoints" = "web-secure";
"traefik.http.routers.${subdomain}.rule" = "Host(`${subdomain}.${serverCfg.hostDomain}`)"; "traefik.http.routers.${subdomain}.rule" = "Host(`${subdomain}.${serverCfg.hostDomain}`)";
@@ -21,7 +21,7 @@ let
"traefik.http.services.${subdomain}.loadbalancer.server.port" = toString port; "traefik.http.services.${subdomain}.loadbalancer.server.port" = toString port;
}) else { }) else {
"traefik.enable" = "false"; "traefik.enable" = "false";
} // extraLabels; }) // extraLabels;
extraOptions = extraOptions ++ [ extraOptions = extraOptions ++ [
"--add-host=host.containers.internal:host-gateway" "--add-host=host.containers.internal:host-gateway"

10
modules/server/containers/defs/traefik.nix
View File

@@ -21,15 +21,21 @@ in {
"traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal"; "traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = "authentik"; "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "authentik";
"traefik.http.routers.${containerCfg.subdomain}.tls.certresolver=default"
"traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main=${serverCfg.hostDomain}"
"traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans=*.${serverCfg.hostDomain}"
"traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"; "traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
"traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true"; "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
"traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"; "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
};
extraEnv = {
}; };
# extraOptions = [ "--user=:994" ]; #PODMAN GROUP FOR SOCKET ACCESS # extraOptions = [ "--user=:994" ]; #PODMAN GROUP FOR SOCKET ACCESS
overrides = { overrides = {
cmd = [ cmd = [
"--api" "--api"
"--log.level=INFO" "--log.level=DEBUG"
"--providers.docker=true" "--providers.docker=true"
"--global.checknewversion=false" "--global.checknewversion=false"
"--global.sendanonymoususage=false" "--global.sendanonymoususage=false"
@@ -47,8 +53,8 @@ in {
"--certificatesresolvers.default.acme.tlschallenge=false" "--certificatesresolvers.default.acme.tlschallenge=false"
"--certificatesresolvers.default.acme.httpchallenge=false" "--certificatesresolvers.default.acme.httpchallenge=false"
"--certificatesresolvers.default.acme.dnschallenge=true" "--certificatesresolvers.default.acme.dnschallenge=true"
"--certificatesresolvers.default.acme.storage=/custom/acme.json"
"--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}" "--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
"--certificatesresolvers.default.acme.storage=/custom/acme.json"
"--entrypoints.web-secure.http.tls=true" "--entrypoints.web-secure.http.tls=true"
"--entrypoints.web-secure.http.tls.certresolver=default" "--entrypoints.web-secure.http.tls.certresolver=default"
"--entrypoints.web-secure.http.tls.domains[0].main=*.${serverCfg.hostDomain}" "--entrypoints.web-secure.http.tls.domains[0].main=*.${serverCfg.hostDomain}"