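# NixOS container module running Traefik as a reverse proxy.
# The container is attached to a host bridge with its own address; the
# Cloudflare token used for ACME DNS challenges is supplied as an age secret
# that is bind-mounted read-only into the container.
{ lib, config, ... }:
let
  inherit (lib) mkIf mkOption types literalExpression;
  cfg = config.smayzy.containers.nixos.traefik;
  net = config.smayzy.containers.networking;
in
{
  options.smayzy.containers.nixos.traefik = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "traefik nixos ct";
    };
    bridge = mkOption {
      type = types.str;
      # The option used to be declared but never read (hostBridge was wired
      # straight to net.bridge).  Defaulting it to net.bridge keeps existing
      # hosts unchanged while letting a host override the bridge per container.
      default = net.bridge;
      defaultText = literalExpression "config.smayzy.containers.networking.bridge";
      description = "the bridge to use e.g. (br0)";
    };
    ip = mkOption {
      type = types.str;
      description = "ip addr e.g. (192.168.1.20)";
    };
  };

  config = mkIf cfg.enable {
    # Secret decrypted on the host; root-only, read-only permissions so the
    # only consumer is the read-only bind mount below.
    age.secrets.traefik-cf-tk = {
      file = ../../../../secrets/traefik-cf-tk.age;
      owner = "root";
      group = "root";
      mode = "0400";
    };

    containers.traefik = {
      # Expose the decrypted token inside the container at a fixed path.
      bindMounts."/run/secrets/traefik-cf-tk" = {
        hostPath = config.age.secrets.traefik-cf-tk.path;
        isReadOnly = true;
      };
      autoStart = true;
      privateNetwork = true;
      hostBridge = cfg.bridge;
      localAddress = cfg.ip;

      config = { ... }: {
        system.stateVersion = "25.11";
        networking.defaultGateway = net.gateway;
        networking.nameservers = net.dns;
        # 80/443 and 880/4443 are the entry points declared below.  8080 is
        # Traefik's built-in API/dashboard port, reachable only because
        # `api.insecure = true` is set; see the note on that setting.
        networking.firewall.allowedTCPPorts = [ 8080 80 443 880 4443 ];
        # Loads the token file as KEY=VALUE environment for the traefik unit;
        # presumably the cloudflare DNS provider reads its credentials from
        # there — confirm the variable names in the secret match what the
        # provider expects.
        systemd.services.traefik.serviceConfig.EnvironmentFile = [ "/run/secrets/traefik-cf-tk" ];

        services.traefik = {
          enable = true;
          staticConfigOptions = {
            log.level = "WARN";
            # NOTE(review): `insecure = true` serves the API and dashboard on
            # :8080 with no authentication, and 8080 is opened in the container
            # firewall above.  That is only acceptable while the bridge network
            # is fully trusted; otherwise set `insecure = false` and publish the
            # dashboard through an entry point with an auth middleware instead.
            api = {
              dashboard = true;
              insecure = true;
            };
            # "local" pair for LAN-facing traffic, "ext" pair for traffic
            # forwarded from outside on the alternate ports.
            entryPoints = {
              local.address = ":80";
              localSec.address = ":443";
              ext.address = ":880";
              extSec.address = ":4443";
            };
            # ACME via Cloudflare DNS-01; `resolvers` pins the DNS server used
            # for propagation checks and `delayBeforeChecks` waits (seconds)
            # before the first check.
            certificatesResolvers.cloudflare.acme = {
              email = "smayzy@smayzy.ovh";
              dnsChallenge = {
                provider = "cloudflare";
                resolvers = [ "192.168.1.202" ];
                propagation.delayBeforeChecks = 15;
              };
            };
          };
          dynamicConfigOptions = { };
        };
      };
    };
  };
}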