From 6d70290289ca16fbeb116f78534d089c00e6e628 Mon Sep 17 00:00:00 2001
From: smayzy
Date: Mon, 1 Sep 2025 15:51:54 +0200
Subject: [PATCH] add traefik basic nixos container config

---
 modules/nix/containers/nixos/default.nix | 1 +
 modules/nix/containers/nixos/traefik.nix | 98 ++++++++++++++++++++++++
 secrets/secrets.nix | 2 +
 secrets/traefik-cf-tk.age | 10 +++
 4 files changed, 111 insertions(+)
 create mode 100644 modules/nix/containers/nixos/traefik.nix
 create mode 100644 secrets/traefik-cf-tk.age

diff --git a/modules/nix/containers/nixos/default.nix b/modules/nix/containers/nixos/default.nix
index b448ca4..4be7dd1 100644
--- a/modules/nix/containers/nixos/default.nix
+++ b/modules/nix/containers/nixos/default.nix
@@ -2,6 +2,7 @@
 {
   imports = [
     ./httpd.nix
+    ./traefik.nix
     ./unbound.nix
   ];
 }
diff --git a/modules/nix/containers/nixos/traefik.nix b/modules/nix/containers/nixos/traefik.nix
new file mode 100644
index 0000000..2aa0a89
--- /dev/null
+++ b/modules/nix/containers/nixos/traefik.nix
@@ -0,0 +1,98 @@
+{ lib, config, ... }:
+let
+  inherit (lib) mkIf mkOption types;
+  cfg = config.smayzy.containers.nixos.traefik;
+  net = config.smayzy.containers.networking;
+in
+{
+  options.smayzy.containers.nixos.traefik = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "traefik nixos ct";
+    };
+    bridge = mkOption {
+      type = types.str;
+      description = "the bridge to use e.g. (br0)";
+    };
+    ip = mkOption {
+      type = types.str;
+      description = "ip addr e.g. (192.168.1.20)";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    age.secrets.traefik-cf-tk = {
+      file = ../../../../secrets/traefik-cf-tk.age;
+      owner = "root";
+      group = "root";
+      mode = "0400";
+    };
+
+
+    containers.traefik = {
+      bindMounts."/run/secrets/traefik-cf-tk" = {
+        hostPath = config.age.secrets.traefik-cf-tk.path;
+        isReadOnly = true;
+      };
+
+      autoStart = true;
+      privateNetwork = true;
+      hostBridge = net.bridge;
+      localAddress = cfg.ip;
+      config = { ... }: {
+        system.stateVersion = "25.11";
+
+        networking.defaultGateway = net.gateway;
+        networking.nameservers = net.dns;
+        networking.firewall.allowedTCPPorts = [ 8080 80 443 880 4443 ];
+
+        systemd.services.traefik.serviceConfig.EnvironmentFile = [
+          "/run/secrets/traefik-cf-tk"
+        ];
+
+        services.traefik = {
+          enable = true;
+          staticConfigOptions = {
+            log = {
+              level = "WARN";
+            };
+            api = {
+              dashboard = true;
+              insecure = true;
+            };
+            entryPoints = {
+              local = {
+                address = ":80";
+              };
+              localSec = {
+                address = ":443";
+              };
+              ext = {
+                address = ":880";
+              };
+              extSec = {
+                address = ":4443";
+              };
+            };
+            certificatesResolvers = {
+              cloudflare = {
+                acme = {
+                  email = "smayzy@smayzy.ovh";
+                  dnsChallenge = {
+                    provider = "cloudflare";
+                    resolvers = [ "192.168.1.202" ];
+                    propagation.delayBeforeChecks = 15;
+                  };
+                };
+              };
+            };
+
+          };
+          dynamicConfigOptions = {
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 07fed04..c21d10d 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
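Review bot: `api.insecure = true` together with `8080` in `networking.firewall.allowedTCPPorts` publishes the Traefik API and dashboard with no authentication on the container's bridge address, so any host on that LAN segment can read the full routing configuration and backend addresses. Set `insecure = false;` and change the firewall line to `networking.firewall.allowedTCPPorts = [ 80 443 880 4443 ];`, then expose the dashboard only through a router on `localSec` guarded by a basicAuth or forwardAuth middleware declared in the currently empty `dynamicConfigOptions`. Separately, the `bridge` option is declared but never read — `hostBridge = net.bridge;` takes the bridge from `config.smayzy.containers.networking` — so either use `cfg.bridge` there or drop the option to avoid a misleading knob. The `resolvers = [ "192.168.1.202" ]` and the ACME `email` are hard-coded inside the module; lifting them into options alongside `ip` would keep this file free of site-specific values.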
@@ -46,4 +46,6 @@ in
   "servers.age" = mkKey servers;
   "systems.age" = mkKey systems;
+
+  "traefik-cf-tk.age" = mkKey desktop1;
 }
diff --git a/secrets/traefik-cf-tk.age b/secrets/traefik-cf-tk.age
new file mode 100644
index 0000000..041d821
--- /dev/null
+++ b/secrets/traefik-cf-tk.age
@@ -0,0 +1,10 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IExwTFA3dyBaZTRB
+UmhMWGEzTXVsbVg1cEI4a2NGOG01bDZINUtNWlhyemFRUUZWYjI4Cjh0b1ladXli
+dmV6d0d6V1hmTk02YU8wVHpMNFNQMW1uVlNYeEx0SE1nUjAKLT4gc3NoLWVkMjU1
+MTkgR3Q0b2R3IFZCUUdKcGY2TTRSSWhqWllkd2RsVmw1M2h4RllZU0ZSM1N6eThG
+UXVleXcKRUp0V0h2djdEMnpVVUlwUThXMENYWFhlM1I0R1FBcVNuWDRUNDFKazho
+bwotLS0gTXJCQ2dDZkJod2Ezc3Y3VThXNGhpVHlkbHZGUlJOU1Q0SDZVTGFnZ1FB
+awpkI4uVSv1v7+/Ad7Up8Uo6v7O8NRmLClI/08IzXPL0RrTvj55SO3Adct1qnknW
+GPsNHiMUgWxAfYMAKjsoz95zxPmzLJrV6Fm5penyyRC8X3ssZgH8HLoBueQ=
+-----END AGE ENCRYPTED FILE-----
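Review bot: The new entry `"traefik-cf-tk.age" = mkKey desktop1;` is keyed to a single machine while the neighbouring entries use the `servers` and `systems` groups; the `age.secrets.traefik-cf-tk` declaration in traefik.nix is evaluated on whichever host runs the container, so if that host is not desktop1 it will be unable to decrypt the file at activation. If a server is meant to host the container, its key (or the `servers` group) belongs on this line instead, e.g. `"traefik-cf-tk.age" = mkKey servers;` — `mkKey`, `desktop1` and `servers` are defined above this hunk, so I cannot confirm whether `mkKey` accepts a combined list. Assuming the ciphertext holds a Cloudflare API token as the name suggests, it is worth recording in a comment on this line that the token should be scoped to DNS edit rights on the single zone used for the ACME challenge, since it is loaded wholesale into the traefik service environment inside the container.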