{ lib, config, ... }:
let
  # This container's own options, and the networking settings shared by all containers.
  traefikCfg = config.smayzy.containers.nixos.traefik;
  netCfg = config.smayzy.containers.networking;
in
{
  options.smayzy.containers.nixos.traefik = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "traefik nixos ct";
    };
    # NOTE(review): the container below uses hostBridge, and NixOS documents that
    # localAddress should then carry a prefix length (e.g. 192.168.1.20/24) to reach
    # the rest of the LAN; the example in this description omits it - confirm what callers pass.
    ip = lib.mkOption {
      type = lib.types.str;
      description = "ip addr e.g. (192.168.1.20)";
    };
  };

  config = lib.mkIf traefikCfg.enable {
    # Cloudflare API token decrypted by the age secrets module on the host.
    # root:root with mode 0400, so only the read-only bind mount below exposes it.
    age.secrets.traefik-cf-tk = {
      file = ../../../../secrets/traefik-cf-tk.age;
      owner = "root";
      group = "root";
      mode = "0400";
    };

    containers.traefik = {
      autoStart = true;
      # Separate network namespace attached to the shared host bridge.
      privateNetwork = true;
      hostBridge = netCfg.bridge;
      localAddress = traefikCfg.ip;
      # Hand the decrypted token to the container read-only; the path must match
      # the EnvironmentFile entry in the container config.
      bindMounts."/run/secrets/traefik-cf-tk" = {
        hostPath = config.age.secrets.traefik-cf-tk.path;
        isReadOnly = true;
      };

      config = { ... }: {
        system.stateVersion = "25.11";

        networking.defaultGateway = netCfg.gateway;
        networking.nameservers = netCfg.dns;
        # Exactly the four Traefik entry-point ports are open on the container firewall.
        networking.firewall.allowedTCPPorts = [ 80 443 880 4443 ];

        # The token file is loaded into the traefik unit's environment. The variable
        # names inside it are not visible here (presumably the Cloudflare provider's
        # credential variables - confirm against the secret's contents).
        systemd.services.traefik.serviceConfig.EnvironmentFile = [ "/run/secrets/traefik-cf-tk" ];

        services.traefik.enable = true;

        services.traefik.staticConfigOptions = {
          # WARN level only; no accessLog is configured in this file.
          log.level = "WARN";
          api.dashboard = true;
          # Four entry points: local/localSec on 80/443, ext/extSec on 880/4443.
          entryPoints = {
            local.address = ":80";
            localSec.address = ":443";
            ext.address = ":880";
            extSec.address = ":4443";
          };
          # ACME via Cloudflare DNS challenge; the API credential presumably comes
          # from the EnvironmentFile above.
          certificatesResolvers.cloudflare.acme = {
            email = "smayzy@smayzy.ovh";
            storage = "/var/lib/traefik/acme.json";
            dnsChallenge = {
              provider = "cloudflare";
              resolvers = [ "192.168.1.202" ];
              propagation.delayBeforeChecks = 15;
            };
          };
        };

        # Dashboard/API router. NOTE(review): no middleware is attached, so api@internal
        # is served on localSec (:443) without any authentication configured in this
        # file - confirm that :443 is only reachable from trusted networks, or attach
        # an auth middleware to this router.
        services.traefik.dynamicConfigOptions.http.routers.traefik = {
          rule = "Host(`traefik.internal.smayzy.ovh`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))";
          entryPoints = [ "localSec" ];
          service = "api@internal";
          tls.certResolver = "cloudflare";
        };
      };
    };
  };
}