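# NixOS module: a Traefik reverse proxy running as a NixOS container.
#
# The container gets its own bridged network address (cfg.ip), terminates TLS
# with Cloudflare DNS-challenge certificates, and proxies to backends on the
# 192.168.1.0/24 LAN. Two groups of backends exist:
#   * internal  -> Host(`<name>.internal.smayzy.ovh`), TLS-only LAN entry point
#   * external  -> Host(`<name>.smayzy.ovh`), served on BOTH the plain-HTTP and
#                  the TLS external entry points
# The backend tables below are the single place to add or audit a proxied host;
# routers and services are generated from them.
{ lib, config, ... }:
let
  inherit (lib) mkIf mkOption types mapAttrs;

  cfg = config.smayzy.containers.nixos.traefik;
  net = config.smayzy.containers.networking;

  internalDomain = "internal.smayzy.ovh";
  externalDomain = "smayzy.ovh";
  certResolver = "cloudflare";

  # LAN-only backends. Each entry yields one router on the "localSec" (:443)
  # entry point and one loadBalancer service pointing at the URL.
  internalBackends = {
    bazarr-anime = "http://192.168.1.147:6768";
    bazarr = "http://192.168.1.147:6767";
    lidarr = "http://192.168.1.147:8686";
    nzbget = "http://192.168.1.147:6789";
    prowlarr = "http://192.168.1.147:9696";
    qbittorrent = "http://192.168.1.147:8080";
    radarr = "http://192.168.1.147:7878";
    sonarr-anime = "http://192.168.1.147:8988";
    sonarr = "http://192.168.1.147:8989";
    # HTTPS backends: these two get a dedicated serversTransport (below) so the
    # upstream certificate is verified against a hostname, not the bare IP.
    srv1-proxmox = "https://192.168.1.193:8006";
    srv2-proxmox = "https://192.168.1.113:8006";
  };

  # Internet-facing backends. Each entry yields one router on the "ext" (:880,
  # plain HTTP) AND "extSec" (:4443, TLS) entry points, plus one service.
  # No HTTP->HTTPS redirection is configured on "ext", so every host here is
  # also reachable in cleartext — confirm that is intended for the ones that
  # carry logins (vault, gitea, wordpress, ombi, crafty).
  externalBackends = {
    chat = "http://192.168.1.114:80";
    # NOTE(review): HTTPS upstream with no serversTransport, so the certificate
    # is checked against the IP in the URL — verify this actually validates.
    crafty = "https://192.168.1.34:8443";
    cyberchef = "http://192.168.1.197:6900";
    gitea = "http://192.168.1.28:3000";
    jellyfin = "http://192.168.1.147:8096";
    kuma = "http://192.168.1.176:80";
    kutt = "http://192.168.1.132:80";
    matrix = "http://192.168.1.114:80";
    mirror = "http://192.168.1.185:80";
    ombi-anime = "http://192.168.1.147:3580";
    ombi = "http://192.168.1.147:3579";
    share = "http://192.168.1.98:80";
    vault = "http://192.168.1.160:80";
    wordpress = "http://192.168.1.16:80";
    # NOTE(review): same as crafty — HTTPS upstream without a serversTransport.
    # The router for this backend uses a custom multi-Host rule (see below).
    mail = "https://192.168.1.128:443";
  };

  # Router for a LAN-only backend: TLS entry point only, Cloudflare cert.
  mkInternalRouter = name: _url: {
    rule = "Host(`${name}.${internalDomain}`)";
    entryPoints = [ "localSec" ];
    service = name;
    tls.certResolver = certResolver;
  };

  # Router for an internet-facing backend: plain-HTTP and TLS entry points.
  mkExternalRouter = name: _url: {
    rule = "Host(`${name}.${externalDomain}`)";
    entryPoints = [ "ext" "extSec" ];
    service = name;
    tls.certResolver = certResolver;
  };

  # Single-server loadBalancer service for a backend URL.
  mkService = _name: url: {
    loadBalancer.servers = [ { inherit url; } ];
  };

  # Service whose upstream TLS certificate is verified through a named
  # serversTransport (the transport name equals the backend name).
  mkVerifiedService = name: {
    loadBalancer = {
      servers = [ { url = internalBackends.${name}; } ];
      serversTransport = name;
    };
  };
in
{
  options.smayzy.containers.nixos.traefik = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "traefik nixos ct";
    };
    ip = mkOption {
      type = types.str;
      description = "ip addr e.g. (192.168.1.20)";
    };
  };

  config = mkIf cfg.enable {
    age.secrets = {
      # Cloudflare API token for the ACME DNS challenge. Root-only on the host;
      # it is consumed as the traefik service's EnvironmentFile in the container.
      traefik-cf-tk = {
        file = ../../../../secrets/traefik-cf-tk.age;
        owner = "root";
        group = "root";
        mode = "0400";
      };
      # htpasswd-style users file for the dashboard basicAuth middleware.
      # 0444 makes the (hashed) credentials readable by every user on the host;
      # presumably needed so the container's traefik user can open it — TODO
      # confirm whether a group-restricted mode works with this container setup.
      traefik-dashboard-auth = {
        file = ../../../../secrets/traefik-dashboard-auth.age;
        mode = "0444";
      };
    };

    containers.traefik = {
      # Decrypted secrets are exposed read-only at fixed paths inside the container.
      bindMounts = {
        "/run/secrets/traefik-cf-tk" = {
          hostPath = config.age.secrets.traefik-cf-tk.path;
          isReadOnly = true;
        };
        "/run/secrets/traefik-dashboard-auth" = {
          hostPath = config.age.secrets.traefik-dashboard-auth.path;
          isReadOnly = true;
        };
      };
      autoStart = true;
      privateNetwork = true;
      hostBridge = net.bridge;
      localAddress = cfg.ip;

      config = { ... }: {
        system.stateVersion = "25.11";
        networking.defaultGateway = net.gateway;
        networking.nameservers = net.dns;
        # One port per Traefik entry point defined in staticConfigOptions.
        networking.firewall.allowedTCPPorts = [ 80 443 880 4443 ];

        # Makes the Cloudflare token available to Traefik as environment variables.
        systemd.services.traefik.serviceConfig.EnvironmentFile = [ "/run/secrets/traefik-cf-tk" ];

        services.traefik = {
          enable = true;

          staticConfigOptions = {
            global = {
              checkNewVersion = false;
              sendAnonymousUsage = false;
            };
            log.level = "WARN";
            api = {
              dashboard = true;
              # NOTE(review): Traefik documents this key as disableDashboardAd;
              # confirm the all-lower-case spelling is accepted by the parser.
              disabledashboardad = true;
            };
            # local/localSec: LAN side. ext/extSec: internet side (non-standard
            # ports, presumably forwarded from 80/443 upstream — TODO confirm).
            # No router references "local", so :80 currently serves nothing.
            entryPoints = {
              local.address = ":80";
              localSec.address = ":443";
              ext.address = ":880";
              extSec.address = ":4443";
            };
            certificatesResolvers.${certResolver}.acme = {
              email = "smayzy@smayzy.ovh";
              storage = "/var/lib/traefik/acme.json";
              # DNS-01 via Cloudflare; the challenge record is checked through
              # the LAN resolver rather than the public ones.
              dnsChallenge = {
                provider = "cloudflare";
                resolvers = [ "192.168.1.202" ];
                propagation.delayBeforeChecks = 15;
              };
            };
          };

          dynamicConfigOptions.http = {
            routers =
              (mapAttrs mkInternalRouter internalBackends)
              // (mapAttrs mkExternalRouter externalBackends)
              // {
                # Dashboard/API: LAN TLS entry point only, behind basicAuth.
                traefik = {
                  rule = "Host(`traefik.internal.smayzy.ovh`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))";
                  entryPoints = [ "localSec" ];
                  service = "api@internal";
                  tls.certResolver = certResolver;
                  middlewares = [ "dashboard-auth" ];
                };
                # Mail host answers for the apex/www names and the mail
                # auto-configuration and MTA-STS names as well.
                mail = {
                  rule = "Host(`autoconfig.smayzy.ovh`) || Host(`autodiscover.smayzy.ovh`) || Host(`mail.smayzy.ovh`) || Host(`mta-sts.mail.smayzy.ovh`) || Host(`mta-sts.smayzy.ovh`) || Host(`smayzy.ovh`) || Host(`www.smayzy.ovh`)";
                  entryPoints = [ "ext" "extSec" ];
                  service = "mail";
                  tls.certResolver = certResolver;
                };
              };

            services =
              (mapAttrs mkService (internalBackends // externalBackends))
              // {
                srv1-proxmox = mkVerifiedService "srv1-proxmox";
                srv2-proxmox = mkVerifiedService "srv2-proxmox";
              };

            # Upstream TLS verification for the Proxmox hosts: the expected
            # certificate name is pinned instead of disabling verification.
            serversTransports = {
              srv1-proxmox.serverName = "srv1-proxmox.${internalDomain}";
              srv2-proxmox.serverName = "srv2-proxmox.${internalDomain}";
            };

            middlewares.dashboard-auth.basicAuth.usersFile = "/run/secrets/traefik-dashboard-auth";
          };
        };
      };
    };
  };
}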