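# NixOS container module: a Traefik reverse proxy publishing the
# `*.internal.smayzy.ovh` hosts. Every router is bound to the LAN-facing HTTPS
# entrypoint and gets its certificate from the Cloudflare DNS-01 resolver.
#
# Options (under `smayzy.containers.nixos.traefik`):
#   enable  - build and auto-start the container
#   ip      - container address on the shared host bridge
{ lib, config, ... }:
let
  inherit (lib) mkIf mkOption types mapAttrs;

  cfg = config.smayzy.containers.nixos.traefik;
  net = config.smayzy.containers.networking;

  # Path the Cloudflare API token secret is bind-mounted to inside the
  # container; systemd reads it as an EnvironmentFile for traefik.service.
  secretMount = "/run/secrets/traefik-cf-tk";

  # Domain every router below is published under.
  internalDomain = "internal.smayzy.ovh";

  # Upstreams proxied by this instance, keyed by the name that is used both as
  # the Traefik service name and as the host label (`<name>.${internalDomain}`).
  # Keeping routers and services in one table guarantees every router points at
  # a service that exists, and every service has a router.
  backends = {
    httpd = "http://192.168.1.201";
    bazarr-anime = "http://192.168.1.147:6768";
    bazarr = "http://192.168.1.147:6767";
    lidarr = "http://192.168.1.147:8686";
    nzbget = "http://192.168.1.147:6789";
    prowlarr = "http://192.168.1.147:9696";
    qbittorrent = "http://192.168.1.147:8080";
    radarr = "http://192.168.1.147:7878";
    sonarr-anime = "http://192.168.1.147:8988";
    sonarr = "http://192.168.1.147:8989";
    # NOTE(review): Proxmox's web UI is normally served over TLS on 8006;
    # confirm these plain-http upstreams actually work. If they must become
    # https://, prefer a serversTransport that trusts the node's CA over
    # insecureSkipVerify.
    srv1-proxmox = "http://192.168.1.193:8006";
    srv2-proxmox = "http://192.168.1.113:8006";
  };

  # Router for `<name>.${internalDomain}` on the LAN HTTPS entrypoint,
  # forwarding to Traefik service `service`, with a Cloudflare-issued cert.
  mkInternalRouter = name: service: {
    rule = "Host(`${name}.${internalDomain}`)";
    entryPoints = [ "localSec" ];
    inherit service;
    tls.certResolver = "cloudflare";
  };
in
{
  options.smayzy.containers.nixos.traefik = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "traefik nixos ct";
    };
    ip = mkOption {
      type = types.str;
      description = "ip addr e.g. (192.168.1.20)";
    };
  };

  config = mkIf cfg.enable {
    # Cloudflare API token for the DNS-01 challenge: root-only (0400) on the
    # host, handed to the container through the read-only bind mount below.
    age.secrets.traefik-cf-tk = {
      file = ../../../../secrets/traefik-cf-tk.age;
      owner = "root";
      group = "root";
      mode = "0400";
    };

    containers.traefik = {
      bindMounts.${secretMount} = {
        hostPath = config.age.secrets.traefik-cf-tk.path;
        isReadOnly = true;
      };
      autoStart = true;
      privateNetwork = true;
      hostBridge = net.bridge;
      localAddress = cfg.ip;

      config = { ... }: {
        system.stateVersion = "25.11";
        networking.defaultGateway = net.gateway;
        networking.nameservers = net.dns;
        # 80/443: LAN entrypoints. 880/4443: the `ext`/`extSec` entrypoints —
        # no router is bound to them, so Traefik answers 404 there; they are
        # listening surface with no consumer until an external router exists.
        networking.firewall.allowedTCPPorts = [ 80 443 880 4443 ];

        # The token file is read by systemd and exported into the traefik
        # process environment; the traefik user itself never opens it.
        systemd.services.traefik.serviceConfig.EnvironmentFile = [ secretMount ];

        services.traefik = {
          enable = true;

          staticConfigOptions = {
            log.level = "WARN";
            api.dashboard = true;
            entryPoints = {
              local = { address = ":80"; };
              localSec = { address = ":443"; };
              ext = { address = ":880"; };
              extSec = { address = ":4443"; };
            };
            certificatesResolvers.cloudflare.acme = {
              email = "smayzy@smayzy.ovh";
              storage = "/var/lib/traefik/acme.json";
              dnsChallenge = {
                provider = "cloudflare";
                # Resolver consulted to see the TXT record before the CA is
                # asked to validate; checks start after a 15 s delay.
                resolvers = [ "192.168.1.202" ];
                propagation.delayBeforeChecks = 15;
              };
            };
          };

          dynamicConfigOptions.http = {
            routers = {
              # NOTE(review): this publishes the dashboard/API (api@internal)
              # with no middleware in front of it — anyone who can reach :443
              # on cfg.ip and resolve the host gets it unauthenticated. Put a
              # basicAuth or forwardAuth middleware on this router.
              traefik = mkInternalRouter "traefik" "api@internal";
            } // mapAttrs (name: _: mkInternalRouter name name) backends;

            services = mapAttrs (_: url: {
              loadBalancer.servers = [ { inherit url; } ];
            }) backends;
          };
        };
      };
    };
  };
}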