• DarkSirrush@lemmy.ca
    1 day ago

    Note that it's also possible to set up service auto-discovery with Traefik; the only Traefik-related config I do on new containers is

    traefik.enable=true
    
      • DarkSirrush@lemmy.ca
        15 hours ago

        I can share my traefik setup - note I am doing this on my phone at work, so I might miss something

        compose.yaml
        
            # Per-container labels read by Traefik's Docker provider. The static
            # config on this page sets exposedByDefault: false, so a container is
            # only routed when it opts in here.
            labels:
              # Opt this container in to Traefik routing.
              - "traefik.enable=true"
              # Attach the `authwares` chain (defined in the file provider) to the
              # router named `traefik` (the segment after `routers.`).
              # NOTE(review): auth is opt-in per router; a container that sets
              # traefik.enable=true without a middlewares label is published
              # without the Authelia check. Presumably the router name is changed
              # per service - confirm against the real compose files.
              - "traefik.http.routers.traefik.middlewares=authwares@file"
        
          GNU nano 7.2                      /config/traefik/dynamic/middlewares.yaml
        http:
          middlewares:
        
            # Buffering middleware: Traefik reads the whole request/response body
            # before forwarding it and rejects bodies larger than the max* limits.
            limit:
              buffering:
                # mem*BodyBytes is the threshold up to which a body is held in RAM
                # before being spilled to disk.
                # NOTE(review): 5000000000 (~5 GB), equal to the max* limit, means a
                # single large body can be held entirely in memory; a few concurrent
                # uploads could exhaust RAM. Consider a small mem* threshold and keep
                # only max* high.
                memRequestBodyBytes: 5000000000
                memResponseBodyBytes: 5000000000
                # Hard size limits (~5 GB) for request and response bodies.
                maxRequestBodyBytes: 5000000000
                maxResponseBodyBytes: 5000000000
        
            # Chain referenced from container labels as `authwares@file`.
            # The listed middlewares are applied in order.
            authwares:
              chain:
                middlewares:
                  # Security/CORS headers first.
                  - default-headers
                  # Authelia forward-auth check.
                  - authelia
                  # Body-size buffering last, i.e. after the auth check.
                  - limit
        
            # Headers middleware: CORS settings plus browser security headers.
            default-headers:
              headers:
                # --- CORS ---
                accessControlAllowHeaders: "content-type,authorization"
                accessControlAllowMethods:
                  - GET
                  - OPTIONS
                  - PUT
                  - POST
                  - DELETE
                # NOTE(review): frameDeny is overridden by customFrameOptionsValue
                # further down, so the effective X-Frame-Options is SAMEORIGIN.
                frameDeny: true
                # NOTE(review): "*" lets any origin read responses to
                # non-credentialed cross-origin requests, including state-changing
                # methods listed above. If cross-origin access is not needed, drop
                # the accessControl* keys; otherwise list the exact origins.
                accessControlAllowOriginList: "*"
                accessControlMaxAge: 100
                addVaryHeader: true
                # Sets the legacy X-XSS-Protection header; no Content-Security-Policy
                # is configured in this block.
                browserXssFilter: true
                contentTypeNosniff: true
                # --- HSTS: 15552000 s = 180 days, including subdomains ---
                forceSTSHeader: true
                stsIncludeSubdomains: true
                # NOTE(review): the browser preload list presumably requires a
                # max-age of at least one year (31536000) - confirm before relying
                # on the preload flag with this stsSeconds value.
                stsPreload: true
                stsSeconds: 15552000
                customFrameOptionsValue: SAMEORIGIN
                referrerPolicy: "strict-origin-when-cross-origin"
                # Header added to the request sent to the backend.
                customRequestHeaders:
                  X-Forwarded-Proto: https
                # Headers added to the response sent to the client.
                customResponseHeaders:
                  # Asks crawlers not to index or archive the proxied services.
                  X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
                  # Empty value removes the backend's Server header.
                  server: ""
                  # NOTE(review): X-Forwarded-Proto is a request header by
                  # convention; setting it on responses looks unnecessary - confirm.
                  X-Forwarded-Proto: "https,wss"
                # NOTE(review): hostsProxyHeaders is used together with allowedHosts,
                # which is not set here - presumably this has no effect; confirm.
                hostsProxyHeaders:
                  - "X-Forwarded-Host"
        
            # Forward-auth middleware: each request is first checked against the
            # Authelia endpoint in `address` before it reaches the backend.
            authelia:
              forwardAuth:
                # `rd` is the URL-encoded login portal (https://auth.example.com/).
                # NOTE(review): plain HTTP to host `auth` - presumably a container on
                # an internal Docker network; confirm it is not reachable from outside.
                address: http://auth/api/verify?rd=https%3A%2F%2Fauth.example.com%2F
                # Passes the incoming X-Forwarded-* headers on to Authelia.
                # NOTE(review): this relies on the entry points only accepting those
                # headers from trustedIPs (forwardedHeaders.insecure: false in
                # traefik.yaml); otherwise a client could supply them itself.
                trustForwardHeader: true
                # Headers copied from Authelia's response onto the request that goes
                # to the backend. Backends that trust Remote-* for identity must be
                # reachable only through a router that uses this middleware.
                authResponseHeaders:
                  - "Remote-User"
                  - "Remote-Groups"
                  - "Remote-Email"
                  - "Remote-Name"
        
          GNU nano 7.2                            /config/traefik/traefik.yaml
        # Static configuration. Disables the periodic new-version check and
        # anonymous usage reporting.
        global:
          checkNewVersion: false
          sendAnonymousUsage: false
        
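        # Listeners. On both entry points, PROXY protocol and X-Forwarded-* headers
        # are accepted only from the listed source ranges (insecure: false).
        # NOTE(review): 172.32.0.0/16 is outside the RFC 1918 private block
        # (172.16.0.0/12 ends at 172.31.255.255). Confirm it matches the actual
        # Docker network subnet; if 172.16-31.x was intended, this entry trusts
        # forwarded headers from a publicly routable range instead.
        entryPoints:
          web:
            address: ":80"
            proxyProtocol:
              insecure: false
              trustedIPs:
                - 172.32.0.0/16
                - 192.168.1.0/24
            forwardedHeaders:
              insecure: false
              trustedIPs:
                - 172.32.0.0/16
                - 192.168.1.0/24
            # Plain HTTP is only used to redirect (permanently) to HTTPS.
            http:
              redirections:
                entryPoint:
                  to: websecure
                  scheme: https
                  permanent: true
          websecure:
            address: ":443"
            proxyProtocol:
              insecure: false
              trustedIPs:
                - 172.32.0.0/16
                - 192.168.1.0/24
            forwardedHeaders:
              insecure: false
              trustedIPs:
                - 172.32.0.0/16
                - 192.168.1.0/24
            # NOTE(review): authentication is attached per router through container
            # labels. `entryPoints.websecure.http.middlewares` can apply a chain to
            # every router on this entry point instead, so a forgotten label does
            # not publish a service without auth (the auth portal's own router then
            # needs separate handling).
            http:
              tls:
                # NOTE(review): the `modern` TLS options set is not shown on this
                # page; confirm it exists in the file provider directory.
                options: modern@file
                certResolver: letsencrypt
                # Wildcard certificate for the apex domain and all subdomains.
                domains:
                  - main: "example.com"
                    sans:
                      - "*.example.com"

        # Top-level key, sibling of entryPoints. In the pasted original,
        # `providers:`, `docker:` and `file:` were all indented to the entry-point
        # level, which makes them entries of entryPoints and leaves the providers
        # section empty.
        providers:
          docker:
            # Containers are routed only when they set traefik.enable=true.
            exposedByDefault: false
            network: compose_proxied
            allowEmptyServices: true
            # NOTE(review): port 2375 is the unauthenticated, unencrypted Docker
            # API. Presumably `socket` is a socket-proxy container; keep it on an
            # internal-only network and limit it to the read-only endpoints
            # Traefik needs.
            endpoint: "http://socket:2375/"
            # Default host rule: <compose service name>.example.com
            defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.example.com`)"
          file:
            # NOTE(review): the editor title bars show /config/traefik/dynamic/;
            # presumably this is the in-container path - confirm the mount.
            directory: /config/dynamic
            watch: true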
        
        # Dashboard/API. With insecure: false the dashboard is not served on its
        # own unauthenticated port; it is reachable only through a router.
        # NOTE(review): presumably the `traefik` router from the compose labels
        # fronts it with the authwares chain - confirm that router exists and
        # carries the middleware.
        api:
          insecure: false
          dashboard: true
        
        # ACME resolver used by the websecure entry point (certResolver: letsencrypt).
        certificatesResolvers:
          letsencrypt:
            acme:
              email: acme@example.com
              # Holds the ACME account and certificate private keys.
              # NOTE(review): keep this file readable by the Traefik user only
              # (mode 600) and out of backups/repos that others can read.
              storage: /certificates/acme.json
              # DNS-01 challenge through Cloudflare; needed for the wildcard SAN.
              # NOTE(review): the Cloudflare credential is not in this file -
              # presumably supplied via environment or a secret; scope the token
              # to DNS edits for this zone only.
              dnsChallenge:
                provider: cloudflare
                # Resolvers used to check that the challenge record has propagated.
                resolvers:
                  - "1.1.1.1:53"
                  - "1.0.0.1:53"
        
        # Traefik's own log, written as JSON to a file.
        log:
          # NOTE(review): DEBUG is very verbose and can include request and
          # configuration detail; lower it (e.g. INFO) once troubleshooting is
          # done, and restrict read access to /config/logs.
          level: DEBUG
          filePath: /config/logs/traefik.log
          format: json
        # Per-request access log, JSON, written to a separate file.
        # NOTE(review): the documented spelling is `accessLog` / `filePath`;
        # confirm the lower-case keys are accepted by the Traefik version in use.
        accesslog:
          filepath: /config/logs/access.log
          # Number of log lines held in memory before being written out.
          bufferingSize: 100
          format: json