add traefik for docker routing

Satria 2026-03-10 17:49:24 +07:00
commit c54f44c63c


@ -22,8 +22,26 @@
"dash" = "https://${homelab.domain}"; "dash" = "https://${homelab.domain}";
"immich" = "https://gallery.proxy${homelab.domain}"; "immich" = "https://gallery.proxy${homelab.domain}";
}; };
exta-conf = ''
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# proxy_set_header X-Auth-User $remote_user;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
proxy_buffering off;
proxy_cache off;
send_timeout 600s;
client_max_body_size 50000M;
'';
in { in {
users.users.nginx.extraGroups = [ "acme" ]; users.users = {
nginx.extraGroups = [ "acme" ];
traefik.extraGroups = [ "docker" ];
};
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = "admin@${homelab.domain}"; defaults.email = "admin@${homelab.domain}";
@ -36,47 +54,58 @@ in {
}; };
}; };
services.nginx = { services = {
enable = true; nginx = {
recommendedProxySettings = true; enable = true;
recommendedTlsSettings = true; recommendedProxySettings = true;
virtualHosts = { recommendedTlsSettings = true;
"_" = { virtualHosts = {
default = true; "_" = {
forceSSL = true; default = true;
forceSSL = true;
useACMEHost = base;
# locations."/".return = "404";
locations."/" = {
proxyPass = "http://127.0.0.1:81"; # traefik for docker container dynamic proxy
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
'' + exta-conf;
};
};
} // lib.mapAttrs' (subdomain: cfg: lib.nameValuePair "${subdomain}.${base}" {
useACMEHost = base; useACMEHost = base;
locations."/".return = "404"; forceSSL = true;
}; locations."/".return = "301 https://${base}$request_uri";
} // lib.mapAttrs' (subdomain: cfg: lib.nameValuePair "${subdomain}.${base}" { }) redirects // lib.mapAttrs' (subdomain: cfg: lib.nameValuePair (if subdomain == "@" then base else "${subdomain}.${base}") {
useACMEHost = base; useACMEHost = base;
forceSSL = true; forceSSL = true;
locations."/".return = "301 https://${base}$request_uri";
}) redirects // lib.mapAttrs' (subdomain: cfg: lib.nameValuePair (if subdomain == "@" then base else "${subdomain}.${base}") {
useACMEHost = base;
forceSSL = true;
extraConfig = ''
access_log /var/log/nginx/${subdomain}.access.log;
error_log /var/log/nginx/${subdomain}.error.log;
'';
locations."/" = {
proxyPass = cfg.dest;
proxyWebsockets = true;
basicAuthFile = if cfg.auth then "/var/lib/nginx/.htpasswd" else null;
extraConfig = '' extraConfig = ''
proxy_set_header Upgrade $http_upgrade; access_log /var/log/nginx/${subdomain}.access.log;
proxy_set_header Connection "upgrade"; error_log /var/log/nginx/${subdomain}.error.log;
# proxy_set_header X-Auth-User $remote_user;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
proxy_buffering off;
proxy_cache off;
send_timeout 600s;
client_max_body_size 50000M;
''; '';
locations."/" = {
proxyPass = cfg.dest;
proxyWebsockets = true;
basicAuthFile = if cfg.auth then "/var/lib/nginx/.htpasswd" else null;
extraConfig = exta-conf;
};
}) hosts;
};
traefik = {
enable = true;
staticConfigOptions = {
entryPoints.web.address = "127.0.0.1:81";
global = {
checkNewVersion = false;
sendAnonymousUsage = false;
};
providers.docker = {
endpoint = "unix:///var/run/docker.sock";
exposedByDefault = false;
defaultRule = "Host(`ct-{{ normalize .Name }}.${base}`)";
};
}; };
}) hosts; };
}; };
} }
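Review bot: The `X-Real-IP` / `X-Forwarded-For` / `X-Forwarded-Proto` headers that the new `exta-conf` string sends to `http://127.0.0.1:81` will, as far as I can tell, be discarded by Traefik, because the new `entryPoints.web` block does not name nginx as a trusted proxy and Traefik by default overwrites forwarded headers with the direct peer address, so every container behind it would log and rate-limit against 127.0.0.1 instead of the real client. Adding `entryPoints.web.forwardedHeaders.trustedIPs = [ "127.0.0.1/32" ];` next to the `address` line keeps the client address intact (confirm against the Traefik version in use). Separately, `traefik.extraGroups = [ "docker" ]` together with `endpoint = "unix:///var/run/docker.sock"` gives the traefik service full control of the Docker daemon, which is root-equivalent on the host; if the provider only needs to list containers and events, fronting the socket with a read-only proxy and pointing `endpoint` at that would shrink the blast radius of a Traefik compromise, and a short comment stating that trade-off would help the next reader. The binding name `exta-conf` looks like a typo for `extra-conf`; it is referenced in three places in this diff, so renaming it now is cheap.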