Implement more proper working Traefik configuration with ACME support ("thanks" and thanks Cloudflare)

2026-02-06 15:41:59 +01:00 · 2026-02-06 15:41:59 +01:00 · 58c6478876
commit 58c6478876
parent 3d1e813fe9
1 changed files with 80 additions and 43 deletions
--- a/nix-system-configs/traefik/traefik-config.nix
+++ b/nix-system-configs/traefik/traefik-config.nix
@ -1,6 +1,6 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
+# and in the NixOS manual (accessible by running 'nixos-help').
 {
  config,
  pkgs,
@ -124,55 +124,87 @@ in {
  };


-  # Enable Traefik service (from https://wiki.nixos.org/wiki/Traefik)
-    services.traefik = {
-      enable = true;
+  # Enable Traefik service
+  services.traefik = {
+    enable = true;
+    group = "acme";  # Add traefik to acme group so it can read certificates

-      staticConfigOptions = {
-        entryPoints = {
-          web = {
-            address = ":80";
-            asDefault = true;
-            http.redirections.entrypoint = {
-              to = "websecure";
-              scheme = "https";
-            };
-          };
-
-          websecure = {
-            address = ":443";
-            asDefault = true;
-            http.tls.certResolver = "letsencrypt";
+    staticConfigOptions = {
+      entryPoints = {
+        web = {
+          address = ":80";
+          asDefault = true;
+          http.redirections.entrypoint = {
+            to = "websecure";
+            scheme = "https";
          };
        };

-        log = {
-          level = "INFO";
-          filePath = "${config.services.traefik.dataDir}/traefik.log";
-          format = "json";
+        websecure = {
+          address = ":443";
+          asDefault = true;
+          http.tls = {
+            # Use the certificates from the file provider
+            domains = [
+              {
+                main = "prg-radio.org";
+                sans = ["*.prg-radio.org"];
+              }
+            ];
+          };
        };
-
-        api.dashboard = true;
-        # Access the Traefik dashboard on <Traefik IP>:8080 of your server
-        api.insecure = true;
      };

-      dynamicConfigOptions = {
-        http.routers = {};
-        http.services = {};
+      log = {
+        level = "INFO";
+        filePath = "${config.services.traefik.dataDir}/traefik.log";
+        format = "json";
      };
+
+      # Enable file provider for TLS certificates
+      providers.file = {
+        directory = "${config.services.traefik.dataDir}/conf";
+        watch = true;
+      };
+
+      api.dashboard = true;
+      # Access the Traefik dashboard on <Traefik IP>:8080 of your server
+      api.insecure = true;
    };

-    security.acme = {
-      acceptTerms = true;
-      defaults.email = "dtu.prg@gmail.com";
-      certs."prg-radio.org" = {
-        domain = "*.prg-radio.org";
-        group = "nginx";
-        dnsProvider = "cloudflare";
-        environmentFile = "/etc/cloudflare.env";
-      };
+    dynamicConfigOptions = {
+      # Configure TLS to use the ACME certificates
+      tls.certificates = [
+        {
+          certFile = "/var/lib/acme/prg-radio.org/cert.pem";
+          keyFile = "/var/lib/acme/prg-radio.org/key.pem";
+        }
+      ];
+
+      http.routers = {};
+      http.services = {};
    };
+  };
+
+  # ACME certificate configuration
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "dtu.prg@gmail.com";
+    certs."prg-radio.org" = {
+      domain = "*.prg-radio.org";
+      group = "acme";  # Use acme group
+      dnsProvider = "cloudflare";
+      environmentFile = "/home/traefikprg/cloudflare/cloudflare.env";
+      # Reload traefik when certificate is renewed
+      reloadServices = [ "traefik.service" ];
+    };
+  };
+
+  # Ensure traefik service waits for ACME certificates
+  systemd.services.traefik = {
+    after = [ "acme-finished-prg-radio.org.target" ];
+    wants = [ "acme-finished-prg-radio.org.target" ];
+  };


  # Add extra system packages from example.nix (appended to existing list)
@ -215,8 +247,7 @@ in {
    enable = true;
    ports = [22];
    settings = {
-      PasswordAuthentication = false;
-      AllowUsers = null;
+      PasswordAuthentication = true;
      UseDns = true;
      PermitRootLogin = "no";
    };
@ -235,7 +266,7 @@ in {
  users.users.traefikprg = {
    isNormalUser = true;
    description = "NixOS PRG Traefik Service";
-    extraGroups = ["networkmanager" "wheel" "seat"];
+    extraGroups = ["acme" "networkmanager" "wheel" "seat"];
    packages = with pkgs; [];
  };

@ -314,6 +345,12 @@ in {
    nameserver 10.1.1.2
  '';

+    # Open ports in the firewall.
+   networking.firewall.allowedTCPPorts = [ 443 ];
+   networking.firewall.allowedUDPPorts = [ 443 ];
+    # Or disable the firewall altogether.
+    # networking.firewall.enable = false;
+
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
@ -321,4 +358,4 @@ in {
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "25.11"; # Did you read the comment?
-}
+}