nps.stacks.traefik.enable

Whether to enable Traefik. The Traefik stack ships preconfigured with a dynamic and a static configuration.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.traefik.enableGrafanaAccessLogDashboard

Whether to enable Grafana Access Log Dashboard.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.traefik.enableGrafanaMetricsDashboard

Whether to enable Grafana Metrics Dashboard.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.traefik.enablePrometheusExport

Whether to enable Prometheus Export.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.traefik.containers.traefik

Alias of services.podman.containers.traefik.

Type: submodule

Declared by:

nps.stacks.traefik.crowdsec.enableLogCollection

Whether logs from Traefik should be collected by CrowdSec. Enabling this will configure the CrowdSec acquisition (acquis) settings to read them.

Type: boolean

Default: config.nps.stacks.crowdsec.enable

Declared by:

nps.stacks.traefik.crowdsec.middleware.enable

Whether to set up a Traefik middleware. Make sure to also configure the bouncerKeyFile option.

Type: boolean

Default: config.nps.stacks.crowdsec.enable

Declared by:

nps.stacks.traefik.crowdsec.middleware.bouncerKeyFile

Path to the file containing the key for the Traefik bouncer. If this is set, a bouncer will be set up in CrowdSec. Also, a new crowdsec middleware will be registered in Traefik and added to the public chain. This will block requests to exposed services that are detected as malicious by CrowdSec.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.traefik.domain

Base domain handled by Traefik

Type: string

Declared by:

nps.stacks.traefik.dynamicConfig

Dynamic configuration for Traefik. By default, the module will set up two middlewares: private & public. The private middleware (applied by default to all services) will only allow access from internal networks. The public middleware will allow access from the internet. It will be configured with a rate limit, security headers and a geoblock plugin (if enabled). If enabled, CrowdSec will also be added to the public middleware chain.

Type: YAML 1.1 value

Default: { }

Declared by:
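Added example (not part of the original page or of the nix-podman-stacks project): a dynamicConfig value that publishes a service running on another host on the LAN through Traefik, with its own authentication, rate-limit and security-header middlewares. The attribute names under http.middlewares, http.routers and http.services follow Traefik's documented dynamic-configuration schema; the middleware, router and service names, the hostname, the backend address and the htpasswd secret path are placeholders. The example does not reference the module's private/public chains by name, because their exact identifiers are not given on this page, and it assumes the value is merged with the module's default dynamic configuration.

```nix
{
  nps.stacks.traefik.dynamicConfig = {
    http = {
      middlewares = {
        # Placeholder middleware names; fields are Traefik's own.
        admin-auth.basicAuth = {
          # htpasswd file sourced at runtime; keep hashes out of the Nix store.
          usersFile = "/run/secrets/traefik_admin_htpasswd"; # hypothetical path
          removeHeader = true; # strip Authorization before forwarding upstream
        };
        admin-ratelimit.rateLimit = {
          average = 10; # requests per period per source
          burst = 20;
          period = "1s";
        };
        admin-headers.headers = {
          stsSeconds = 31536000;
          stsIncludeSubdomains = true;
          frameDeny = true;
          contentTypeNosniff = true;
          referrerPolicy = "strict-origin-when-cross-origin";
        };
      };

      routers.admin = {
        rule = "Host(`admin.example.com`)"; # placeholder hostname
        service = "admin";
        # Order matters: authenticate first, then rate-limit, then set headers.
        middlewares = [ "admin-auth" "admin-ratelimit" "admin-headers" ];
        # Enables TLS on the router; assumes the module's wildcard certificate
        # covers this host. Otherwise add certResolver = "<resolver name>".
        tls = { };
      };

      services.admin.loadBalancer.servers = [
        { url = "http://10.0.0.5:8080"; } # placeholder backend on the LAN
      ];
    };
  };
}
```

Because the backend is not a container on the Podman network, Traefik's Docker provider never sees it; the file-provider router above is the only thing exposing it, so the allow/deny decision lives entirely in the middleware list.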

nps.stacks.traefik.extraEnv

Extra environment variables to set for the container. Variables can be either set directly or sourced from a file (e.g. for secrets).

Type: attribute set of (null or boolean or signed integer or string or absolute path or (submodule))

Default: { }

Example:

{
  CF_DNS_API_TOKEN = {
    fromFile = "/run/secrets/secret_name";
  };
  TRAEFIK_LOG_LEVEL = "ERROR";
}

Declared by:

nps.stacks.traefik.geoblock.enable

Enable the geoblock plugin for Traefik. This will block access to the services based on the country code of the request. The plugin uses the IP2Location database to determine the country code. If enabled, the geoblock will be used in the public middleware, allowing only requests from the allowed countries.

Type: boolean

Default: true

Declared by:

nps.stacks.traefik.geoblock.allowedCountries

List of allowed country codes (ISO 3166-1 alpha-2 format). See https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements

Type: list of string

Default: [ ]

Declared by:

nps.stacks.traefik.network.name

Network name for the Podman bridge network. Will be used by the Traefik Docker provider.

Type: string

Default: "traefik-proxy"

Declared by:

nps.stacks.traefik.staticConfig

Static configuration for Traefik. By default, for the configured domain, a wildcard certificate will be requested from Let’s Encrypt and used for all services that are registered with Traefik. By default Cloudflare with DNS challenge will be used to request the certificate. This requires the ‘CF_DNS_API_TOKEN’ environment variable to be present, e.g. by providing it via the extraEnv option.

The DNS provider as well as any other settings can be overwritten. For an example see https://github.com/Tarow/nix-podman-stacks/blob/main/examples/traefik-dns-provider.nix

Type: YAML 1.1 value

Declared by:

nps.stacks.traefik.useSocketProxy

Whether to access the Podman socket through the read-only proxy for the traefik stack. Will be enabled by default if the ‘docker-socket-proxy’ stack is enabled.

Type: boolean

Default: config.nps.stacks.docker-socket-proxy.enable

Declared by:
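Added example (not part of the original page or of the nix-podman-stacks project): a complete nps.stacks.traefik configuration that ties the options above together the way a practitioner would deploy them, with secrets sourced from files, the CrowdSec bouncer and log collection enabled, the geoblock allow-list filled in, and the read-only socket proxy in front of the Podman socket. The domain, the secret paths and the staticConfig override are placeholders; the example assumes the crowdsec and docker-socket-proxy stacks exist as referenced by the option defaults, and that a user-supplied staticConfig is merged with the module's default static configuration.

```nix
{ config, ... }:
{
  # Assumed to exist: referenced by the defaults of
  # nps.stacks.traefik.crowdsec.* and nps.stacks.traefik.useSocketProxy.
  nps.stacks.crowdsec.enable = true;
  nps.stacks.docker-socket-proxy.enable = true;

  nps.stacks.traefik = {
    enable = true;
    domain = "example.com"; # placeholder domain

    # Secrets are read from files at runtime, never written as literals
    # into the world-readable Nix store.
    extraEnv = {
      CF_DNS_API_TOKEN.fromFile = "/run/secrets/cf_dns_api_token"; # hypothetical path
      TRAEFIK_LOG_LEVEL = "WARN";
    };

    # geoblock.enable defaults to true but allowedCountries defaults to [];
    # list the countries you actually serve.
    geoblock = {
      enable = true;
      allowedCountries = [ "DE" "AT" "CH" ];
    };

    crowdsec = {
      enableLogCollection = true; # feed Traefik logs into CrowdSec's acquis
      middleware = {
        enable = true;
        # Required for the bouncer; the key itself stays in the secret file.
        bouncerKeyFile = "/run/secrets/crowdsec_traefik_bouncer_key"; # hypothetical path
      };
    };

    # Traefik talks to the read-only socket proxy instead of the raw Podman socket,
    # so a compromised proxy cannot issue arbitrary container API calls.
    useSocketProxy = true;

    # Placeholder override using Traefik's own static-config keys: keep the
    # dashboard behind the router/middleware chain rather than on the
    # unauthenticated :8080 API port.
    staticConfig = {
      api = {
        dashboard = true;
        insecure = false;
      };
    };
  };
}
```

Two things to check after deploying: that the CF_DNS_API_TOKEN secret file is readable only by the user running the Traefik container, since it grants write access to the zone's DNS records, and that the bouncer key file exists before the stack starts, because crowdsec.middleware.enable is on by default whenever the CrowdSec stack is enabled.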