config/roles/traefik.nix

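{
  name = "Traefik";
  description = ''
    Runs the Traefik reverse proxy.
  '';

  # NixOS module: terminates TLS on :443 with a Let's Encrypt wildcard
  # certificate obtained through the Cloudflare DNS-01 challenge, redirects
  # plain HTTP to HTTPS, and exposes the routes that the roles of every host
  # declare through `traefikRoutes`.
  nixosModule =
    {
      lib,
      pkgs,
      config,
      hosts,
      ...
    }:
    with lib;
    {
      options.traefik = {
        # Each entry yields one certificate covering `domain` and `*.domain`.
        wildcardDomains = mkOption {
          type = types.listOf types.str;
          default = [ ];
          description = "Domains that receive a wildcard certificate (`example.org` plus `*.example.org`).";
        };
      };

      config =
        let
          cfg = config.traefik;

          # Flatten the routes declared by every role of every host.
          # NOTE(review): assumes each entry of `hosts.<name>.roles` defines
          # `traefikRoutes` and that every returned route carries `name`,
          # `rule` and `target`; the roles live outside this file — confirm.
          routes = concatMap (
            hostname:
            concatMap (
              role:
              role.traefikRoutes {
                inherit hostname;
                config = hosts.${hostname}.config;
              }
            ) hosts.${hostname}.roles
          ) (builtins.attrNames hosts);

          # Build an attribute set keyed by route name; `f` maps a route to
          # its router or service definition. Keeps routers and services
          # keyed identically so `service = route.name` always resolves.
          routeAttrs = f: listToAttrs (map (route: nameValuePair route.name (f route)) routes);
        in
        {
          # Decrypted secrets are readable only by the traefik user and are
          # handed to the process through an environment file, so they never
          # land in the world-readable Nix store or the rendered config file.
          sops.secrets = {
            "traefik/acmeEmail".owner = "traefik";
            "traefik/CLOUDFLARE_EMAIL".owner = "traefik";
            # Least privilege: this token only needs DNS edit rights for the
            # zones listed in `wildcardDomains`; scope it that narrowly.
            "traefik/CLOUDFLARE_DNS_API_TOKEN".owner = "traefik";
          };

          sops.templates."traefik.env" = {
            owner = "traefik";
            content = ''
              acmeEmail="${config.sops.placeholder."traefik/acmeEmail"}"
              CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/CLOUDFLARE_EMAIL"}"
              CLOUDFLARE_DNS_API_TOKEN="${config.sops.placeholder."traefik/CLOUDFLARE_DNS_API_TOKEN"}"
            '';
          };

          services.traefik = {
            enable = true;

            # The cloudflare DNS provider reads CLOUDFLARE_EMAIL and
            # CLOUDFLARE_DNS_API_TOKEN from the process environment.
            environmentFiles = [ config.sops.templates."traefik.env".path ];

            staticConfigOptions = {
              entryPoints = {
                # Plain HTTP exists only to redirect every request to HTTPS.
                web = {
                  address = ":80";
                  http.redirections.entryPoint = {
                    to = "websecure";
                    scheme = "https";
                  };
                };

                websecure = {
                  address = ":443";
                  tls = {
                    certResolver = "letsencrypt";
                    domains = map (domain: {
                      main = domain;
                      sans = [ "*.${domain}" ];
                    }) cfg.wildcardDomains;
                  };
                };
              };

              certificatesResolvers.letsencrypt.acme = {
                # NOTE(review): relies on Traefik expanding `$acmeEmail` from the
                # environment file when it loads the static config — confirm;
                # if it does not, the literal string "$acmeEmail" is sent to
                # the CA and registration fails.
                email = "$acmeEmail";
                # Relative path; presumably resolved against the service's
                # working directory (the module's data directory) — verify.
                storage = "acme.json";
                # Wildcard names can only be validated with DNS-01.
                dnsChallenge.provider = "cloudflare";
              };
            };

            # Routers and services are dynamic configuration. Under
            # `staticConfigOptions` Traefik rejects the unknown `http` node,
            # so they go into `dynamicConfigOptions` instead.
            dynamicConfigOptions.http = {
              routers = routeAttrs (route: {
                entrypoints = [ "websecure" ];
                service = route.name;
                rule = route.rule;
              });

              services = routeAttrs (route: {
                # `servers` is a list of `{ url = ...; }` entries; the earlier
                # `servers.url = [ ... ]` shape produced an object Traefik
                # cannot decode.
                loadBalancer.servers = [ { url = route.target; } ];
              });
            };
          };
        };
    };
}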