feat(elcafe): add new server configuration

2025-11-02 00:00:12 +01:00
parent 2958cc4c7a
commit ef8d666b26
8 changed files with 205 additions and 3 deletions
--- a/system/services/traefik.nix
+++ b/system/services/traefik.nix
@@ -0,0 +1,65 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.services.traefik;
+in {
+  options.mySystem.services.traefik = {
+    enable = mkEnableOption "Enable Traefikse";
+    email = mkOption {
+      type = types.str;
+      default = "lucien@phundrak.com";
+      example = "admin@example.com";
+    };
+    envFiles = mkOption {
+      type = types.listOf types.path;
+      example = ["/run/secrets/traefik.env"];
+      default = [];
+    };
+    dynConf = mkOption {
+      type = types.path;
+      example = "/var/traefik/dynamic.yaml";
+    };
+  };
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [80 443];
+    services.traefik = {
+      inherit (cfg) enable;
+      environmentFiles = cfg.envFiles;
+      dynamicConfigFile = cfg.dynConf;
+      staticConfigOptions = {
+        log = {
+          level = "WARN";
+          filePath = "/var/log/traefik/traefik.log";
+        };
+        accessLog.filePath = "/var/log/traefik/access.log";
+        api.dashboard = true;
+        entryPoints = {
+          web = {
+            address = ":80";
+            http.redirections.entryPoint = {
+              to = "websecure";
+              scheme = "https";
+            };
+          };
+          websecure.address = ":443";
+        };
+        certificatesResolvers.cloudflare.acme = {
+          inherit (cfg) email;
+          storage = "/var/lib/traefik/acme.json";
+          dnsChallenge = {
+            provider = "cloudflare";
+            resolvers = ["1.1.1.1:53" "1.0.0.1:53"];
+            propagation.delayBeforeChecks = 60;
+          };
+        };
+        providers.docker = {
+          endpoint = "unix:///var/run/docker.sock";
+          exposedByDefault = false;
+        };
+      };
+    };
+  };
+}