Implement more proper working Traefik configuration with ACME support ("thanks" and thanks Cloudflare)

nix-system-configs/traefik/traefik-config.nix

@@ -1,6 +1,6 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
+# and in the NixOS manual (accessible by running 'nixos-help').
 {
   config,
   pkgs,
@@ -124,55 +124,87 @@ in {
   };
 
 
-  # Enable Traefik service (from https://wiki.nixos.org/wiki/Traefik)
+  # Enable Traefik service
-    services.traefik = {
+  services.traefik = {
-      enable = true;
+    enable = true;
+    group = "acme";  # Add traefik to acme group so it can read certificates
 
-      staticConfigOptions = {
+    staticConfigOptions = {
-        entryPoints = {
+      entryPoints = {
-          web = {
+        web = {
-            address = ":80";
+          address = ":80";
-            asDefault = true;
+          asDefault = true;
-            http.redirections.entrypoint = {
+          http.redirections.entrypoint = {
-              to = "websecure";
+            to = "websecure";
-              scheme = "https";
+            scheme = "https";
-            };
-          };
-
-          websecure = {
-            address = ":443";
-            asDefault = true;
-            http.tls.certResolver = "letsencrypt";
           };
         };
 
-        log = {
+        websecure = {
-          level = "INFO";
+          address = ":443";
-          filePath = "${config.services.traefik.dataDir}/traefik.log";
+          asDefault = true;
-          format = "json";
+          http.tls = {
+            # Use the certificates from the file provider
+            domains = [
+              {
+                main = "prg-radio.org";
+                sans = ["*.prg-radio.org"];
+              }
+            ];
+          };
         };
-
-        api.dashboard = true;
-        # Access the Traefik dashboard on <Traefik IP>:8080 of your server
-        api.insecure = true;
       };
 
-      dynamicConfigOptions = {
+      log = {
-        http.routers = {};
+        level = "INFO";
-        http.services = {};
+        filePath = "${config.services.traefik.dataDir}/traefik.log";
+        format = "json";
       };
+
+      # Enable file provider for TLS certificates
+      providers.file = {
+        directory = "${config.services.traefik.dataDir}/conf";
+        watch = true;
+      };
+
+      api.dashboard = true;
+      # Access the Traefik dashboard on <Traefik IP>:8080 of your server
+      api.insecure = true;
     };
 
-    security.acme = {
+    dynamicConfigOptions = {
-      acceptTerms = true;
+      # Configure TLS to use the ACME certificates
-      defaults.email = "dtu.prg@gmail.com";
+      tls.certificates = [
-      certs."prg-radio.org" = {
+        {
-        domain = "*.prg-radio.org";
+          certFile = "/var/lib/acme/prg-radio.org/cert.pem";
-        group = "nginx";
+          keyFile = "/var/lib/acme/prg-radio.org/key.pem";
-        dnsProvider = "cloudflare";
+        }
-        environmentFile = "/etc/cloudflare.env";
+      ];
-      };
+
+      http.routers = {};
+      http.services = {};
     };
+  };
+
+  # ACME certificate configuration
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "dtu.prg@gmail.com";
+    certs."prg-radio.org" = {
+      domain = "*.prg-radio.org";
+      group = "acme";  # Use acme group
+      dnsProvider = "cloudflare";
+      environmentFile = "/home/traefikprg/cloudflare/cloudflare.env";
+      # Reload traefik when certificate is renewed
+      reloadServices = [ "traefik.service" ];
+    };
+  };
+
+  # Ensure traefik service waits for ACME certificates
+  systemd.services.traefik = {
+    after = [ "acme-finished-prg-radio.org.target" ];
+    wants = [ "acme-finished-prg-radio.org.target" ];
+  };
 
 
   # Add extra system packages from example.nix (appended to existing list)
@@ -215,8 +247,7 @@ in {
     enable = true;
     ports = [22];
     settings = {
-      PasswordAuthentication = false;
+      PasswordAuthentication = true;
-      AllowUsers = null;
       UseDns = true;
       PermitRootLogin = "no";
     };
@@ -235,7 +266,7 @@ in {
   users.users.traefikprg = {
     isNormalUser = true;
     description = "NixOS PRG Traefik Service";
-    extraGroups = ["networkmanager" "wheel" "seat"];
+    extraGroups = ["acme" "networkmanager" "wheel" "seat"];
     packages = with pkgs; [];
   };
 
@@ -314,6 +345,12 @@ in {
     nameserver 10.1.1.2
   '';
 
+    # Open ports in the firewall.
+   networking.firewall.allowedTCPPorts = [ 443 ];
+   networking.firewall.allowedUDPPorts = [ 443 ];
+    # Or disable the firewall altogether.
+    # networking.firewall.enable = false;
+
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave