traefik
Examples
Simple (Cloudflare)
```nix
{config, ...}: {
  traefik = {
    enable = true;
    domain = "example.com";
    # Token will be used to fetch Letsencrypt wildcard certificates automatically (DNS challenge)
    extraEnv = {
      CF_DNS_API_TOKEN.fromFile = config.sops.secrets."traefik/cf_api_token".path;
    };
  };
}
```

With different DNS provider
```nix
{config, ...}: {
  traefik = {
    enable = true;
    domain = "example.com";
    staticConfig.certificatesResolvers.letsencrypt.acme.dnsChallenge.provider = "porkbun";
    extraEnv = {
      PORKBUN_API_KEY.fromFile = config.sops.secrets."traefik/porkbun_api_key".path;
      PORKBUN_SECRET_API_KEY.fromFile = config.sops.secrets."traefik/porkbun_secret_api_key".path;
    };
  };
}
```

With Geoblock
```nix
{config, ...}: {
  traefik = {
    enable = true;
    domain = "example.com";
    extraEnv.CF_DNS_API_TOKEN.fromFile = config.sops.secrets."traefik/cf_api_token".path;
    # For exposed services, we can limit access to certain countries using a geoblock middleware
    geoblock.allowedCountries = ["DE"];
  };
}
```

Stack Options
nps.stacks.traefik.containers.traefik
Alias of services.podman.containers.traefik.
nps.stacks.traefik.crowdsec.enableLogCollection
Whether logs from Traefik should be collected by CrowdSec. Enabling this will configure the acquis settings for CrowdSec.
nps.stacks.traefik.crowdsec.middleware.bouncerKeyFile
Path to the file containing the key for the Traefik bouncer.
If this is set, a bouncer will be set up in CrowdSec. A crowdsec middleware will also be registered in Traefik and added to the public chain.
This will block requests to exposed services that are detected as malicious by Crowdsec.
nps.stacks.traefik.crowdsec.middleware.enable
Whether to set up a Traefik middleware for CrowdSec.
Make sure to also configure the bouncerKeyFile option.
nps.stacks.traefik.domain
Base domain handled by Traefik.
nps.stacks.traefik.dynamicConfig
Dynamic configuration for Traefik.
By default, the module will set up two middlewares: private and public.
The private middleware (applied by default to all services) will only allow access from internal networks.
The public middleware will allow access from the internet. It will be configured
with a rate limit, security headers and a geoblock plugin (if enabled). If enabled, Crowdsec will also
be added to the public middleware chain.
nps.stacks.traefik.enable
Whether to enable Traefik. The Traefik stack ships preconfigured with a dynamic and static configuration.
nps.stacks.traefik.enableGrafanaAccessLogDashboard
Whether to enable Grafana Access Log Dashboard.
nps.stacks.traefik.enableGrafanaMetricsDashboard
Whether to enable Grafana Metrics Dashboard.
nps.stacks.traefik.enablePrometheusExport
Whether to enable Prometheus Export.
nps.stacks.traefik.extraEnv
Extra environment variables to set for the container. Variables can be either set directly or sourced from a file (e.g. for secrets).
Type: attribute set of (null or boolean or signed integer or string or absolute path or (submodule))
Default: { }
Example:
```nix
{
  CF_DNS_API_TOKEN = {
    fromFile = "/run/secrets/secret_name";
  };
  TRAEFIK_LOG_LEVEL = "ERROR";
}
```
nps.stacks.traefik.geoblock.allowedCountries
List of allowed country codes (ISO 3166-1 alpha-2 format). See https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
nps.stacks.traefik.geoblock.enable
Enable the geoblock plugin for Traefik.
This will block access to the services based on the country code of the request.
The plugin uses the IP2Location database to determine the country code.
If enabled, the geoblock will be used in the public middleware,
allowing only requests from the allowed countries.
nps.stacks.traefik.network.name
Network name for the Podman bridge network. It will be used by the Traefik Docker provider.
nps.stacks.traefik.staticConfig
Static configuration for Traefik.
By default, for the configured domain, a wildcard certificate will be requested from Let's Encrypt
and used for all services that are registered with Traefik.
By default Cloudflare with DNS challenge will be used to request the certificate.
This requires the 'CF_DNS_API_TOKEN' environment variable to be present, e.g. by providing it via the extraEnv option.
The DNS provider as well as any other settings can be overwritten. For an example see https://github.com/Tarow/nix-podman-stacks/blob/main/examples/traefik-dns-provider.nix
nps.stacks.traefik.useSocketProxy
Whether to access the Podman socket through the read-only proxy for the traefik stack. Will be enabled by default if the 'docker-socket-proxy' stack is enabled.
Type: boolean
Default: config.nps.stacks.docker-socket-proxy.enable
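A fuller hardened configuration that combines the options above (CrowdSec log collection and bouncer middleware, geoblock, and a custom header middleware via dynamicConfig), added here as an example and not taken from the project's own examples. The sops secret name for the bouncer key and the strict-headers middleware name are assumptions, as is that values set in dynamicConfig are merged with the module's defaults.

```nix
{config, ...}: {
  traefik = {
    enable = true;
    domain = "example.com";
    extraEnv.CF_DNS_API_TOKEN.fromFile = config.sops.secrets."traefik/cf_api_token".path;

    # Ship Traefik's access logs to CrowdSec and register the bouncer middleware in the
    # public chain, so requests CrowdSec flags as malicious are blocked before they reach
    # an exposed service.
    crowdsec = {
      enableLogCollection = true;
      middleware = {
        enable = true;
        # Assumed sops secret name; the file must contain the bouncer API key.
        bouncerKeyFile = config.sops.secrets."traefik/crowdsec_bouncer_key".path;
      };
    };

    # Geoblock is part of the public chain as well: only requests whose source IP
    # resolves to one of these countries are allowed through.
    geoblock = {
      enable = true;
      allowedCountries = ["DE" "AT" "CH"];
    };

    # Expose metrics and enable the access-log dashboard for monitoring the public chain.
    enablePrometheusExport = true;
    enableGrafanaAccessLogDashboard = true;

    # Additional Traefik dynamic configuration in plain Traefik schema
    # (http.middlewares.<name>...). The middleware name "strict-headers" is our own
    # choice; attach it to a router to enforce HSTS and nosniff on that service.
    dynamicConfig.http.middlewares.strict-headers.headers = {
      stsSeconds = 31536000;
      stsIncludeSubdomains = true;
      contentTypeNosniff = true;
      frameDeny = true;
    };
  };
}
```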