Implement more proper working Traefik configuration with ACME support ("thanks" and thanks Cloudflare)

2026-02-06 15:41:59 +01:00 · 2026-02-06 15:41:59 +01:00 · 58c6478876
commit 58c6478876
parent 3d1e813fe9
1 changed files with 80 additions and 43 deletions
--- a/nix-system-configs/traefik/traefik-config.nix
+++ b/nix-system-configs/traefik/traefik-config.nix
@ -1,6 +1,6 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
+# and in the NixOS manual (accessible by running 'nixos-help').
 {
  config,
  pkgs,
@ -124,9 +124,10 @@ in {
  };


-  # Enable Traefik service (from https://wiki.nixos.org/wiki/Traefik)
+  # Enable Traefik service
  services.traefik = {
    enable = true;
+    group = "acme";  # Add traefik to acme group so it can read certificates

    staticConfigOptions = {
      entryPoints = {
@ -142,7 +143,15 @@ in {
        websecure = {
          address = ":443";
          asDefault = true;
-            http.tls.certResolver = "letsencrypt";
+          http.tls = {
+            # Use the certificates from the file provider
+            domains = [
+              {
+                main = "prg-radio.org";
+                sans = ["*.prg-radio.org"];
+              }
+            ];
+          };
        };
      };

@ -152,28 +161,51 @@ in {
        format = "json";
      };

+      # Enable file provider for TLS certificates
+      providers.file = {
+        directory = "${config.services.traefik.dataDir}/conf";
+        watch = true;
+      };
+
      api.dashboard = true;
      # Access the Traefik dashboard on <Traefik IP>:8080 of your server
      api.insecure = true;
    };

    dynamicConfigOptions = {
+      # Configure TLS to use the ACME certificates
+      tls.certificates = [
+        {
+          certFile = "/var/lib/acme/prg-radio.org/cert.pem";
+          keyFile = "/var/lib/acme/prg-radio.org/key.pem";
+        }
+      ];
+
      http.routers = {};
      http.services = {};
    };
  };

+  # ACME certificate configuration
  security.acme = {
    acceptTerms = true;
    defaults.email = "dtu.prg@gmail.com";
    certs."prg-radio.org" = {
      domain = "*.prg-radio.org";
-        group = "nginx";
+      group = "acme";  # Use acme group
      dnsProvider = "cloudflare";
-        environmentFile = "/etc/cloudflare.env";
+      environmentFile = "/home/traefikprg/cloudflare/cloudflare.env";
+      # Reload traefik when certificate is renewed
+      reloadServices = [ "traefik.service" ];
    };
  };

+  # Ensure traefik service waits for ACME certificates
+  systemd.services.traefik = {
+    after = [ "acme-finished-prg-radio.org.target" ];
+    wants = [ "acme-finished-prg-radio.org.target" ];
+  };
+

  # Add extra system packages from example.nix (appended to existing list)
  environment.systemPackages = with pkgs; [
@ -215,8 +247,7 @@ in {
    enable = true;
    ports = [22];
    settings = {
-      PasswordAuthentication = false;
-      AllowUsers = null;
+      PasswordAuthentication = true;
      UseDns = true;
      PermitRootLogin = "no";
    };
@ -235,7 +266,7 @@ in {
  users.users.traefikprg = {
    isNormalUser = true;
    description = "NixOS PRG Traefik Service";
-    extraGroups = ["networkmanager" "wheel" "seat"];
+    extraGroups = ["acme" "networkmanager" "wheel" "seat"];
    packages = with pkgs; [];
  };

@ -314,6 +345,12 @@ in {
    nameserver 10.1.1.2
  '';

+    # Open ports in the firewall.
+   networking.firewall.allowedTCPPorts = [ 443 ];
+   networking.firewall.allowedUDPPorts = [ 443 ];
+    # Or disable the firewall altogether.
+    # networking.firewall.enable = false;
+
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave