Traefik: Difference between revisions

From NixOS Wiki
← Older edit
VisualWikitext
Dander (talk | contribs)
29 edits
m be more specific that "Using files"
m moved a closing bracket in the config example, previous example does not build because "log" and "certificateResolvers" are listed under "entryPoints", rather than "staticConigOptions"
 
Line 29: Line 29:
           http.tls.certResolver = "letsencrypt";
           http.tls.certResolver = "letsencrypt";
         };
         };
      };


        log = {
      log = {
          level = "INFO";
        level = "INFO";
          filePath = "${config.services.traefik.dataDir}/traefik.log";
        filePath = "${config.services.traefik.dataDir}/traefik.log";
          format = "json";
        format = "json";
        };
      };


        certificatesResolvers.letsencrypt.acme = {
      certificatesResolvers.letsencrypt.acme = {
          email = "postmaster@YOUR.DOMAIN";
        email = "postmaster@YOUR.DOMAIN";
          storage = "${config.services.traefik.dataDir}/acme.json";
        storage = "${config.services.traefik.dataDir}/acme.json";
          httpChallenge.entryPoint = "web";
        httpChallenge.entryPoint = "web";
        };
       };
       };


Latest revision as of 22:26, 26 November 2024

Traefik is a reverse proxy and load balancer.

Installation

To install Traefik, add the following to your NixOS configuration:

services.traefik.enable = true;

More options are available.

Configuration

Using Nix

  services.traefik = {
    enable = true;

    staticConfigOptions = {
      entryPoints = {
        web = {
          address = ":80";
          asDefault = true;
          http.redirections.entrypoint = {
            to = "websecure";
            scheme = "https";
          };
        };

        websecure = {
          address = ":443";
          asDefault = true;
          http.tls.certResolver = "letsencrypt";
        };
      };

      log = {
        level = "INFO";
        filePath = "${config.services.traefik.dataDir}/traefik.log";
        format = "json";
      };

      certificatesResolvers.letsencrypt.acme = {
        email = "postmaster@YOUR.DOMAIN";
        storage = "${config.services.traefik.dataDir}/acme.json";
        httpChallenge.entryPoint = "web";
      };

      api.dashboard = true;
      # Access the Traefik dashboard on <Traefik IP>:8080 of your server
      # api.insecure = true;
    };

    dynamicConfigOptions = {
      http.routers = {};
      http.services = {};
    };
  };

Using non-Nix configuration files

If you are migrating from a Non-NixOS system, you might be interested in the staticConfigFile and dynamicConfigFile options.

You can set staticConfigFile like this:

services.traefik.staticConfigFile = ./static_config.toml;

But you need to be careful about how you set the services.traefik.dynamicConfigFile option, if you use a path like shown above, your file will end up in the Nix store, and it will change every time you update your configuration, which means Traefik won't be able to reload with your changes automatically, which defeats the point of using the dynamic config file. A way to avoid this is to use etc.environment:

# Note the quotes around the path!
services.traefik.dynamicConfigFile = "/etc/traefik/dynamic_config.toml";
# If you use staticConfigFile instead, update your file provider accordingly.
services.traefik.staticConfigOptions.providers.file.watch = true;

environment.etc."traefik/dynamic_config.toml" = {
    user = config.systemd.services.traefik.serviceConfig.User;
    group = config.systemd.services.traefik.serviceConfig.Group;
    mode = "400";
    text = ''
        # ...
    '';
    # Or,
    # source = ./dynamic_config.toml     
};

Additionally, you can not use a ...ConfigFile option and a ...ConfigOptions for either static or dynamic configuration. The file options always take precedence over the options options, which are ignored.

Retrieved from "https://wiki.nixos.org/w/index.php?title=Traefik&oldid=18924"