[traefik] Moves traefik config into the repo

2025-04-07 14:45:58 -07:00
parent a0987c0e11
commit 932f78bfe4
7 changed files with 86 additions and 31 deletions
--- a/home-manager/features/development/nix.nix
+++ b/home-manager/features/development/nix.nix
@@ -10,7 +10,8 @@

  home.shellAliases = {
    # This assumes that the repository is in ~/system-config
-    rebuild = "sudo nixos-rebuild switch --flake ~/system-config --show-trace --print-build-logs --verbose";
+    rebuild-switch = "sudo nixos-rebuild switch --flake ~/system-config --show-trace --print-build-logs --verbose";
+    rebuild-boot = "sudo nixos-rebuild boot --flake ~/system-config --show-trace --print-build-logs --verbose";
  };
 }
 
--- a/system/hosts/mcp/containers.nix
+++ b/system/hosts/mcp/containers.nix
@@ -17,6 +17,7 @@
    ./containers/searxng.nix
    ./containers/shared-postgres.nix
    ./containers/synapse.nix
+    ./containers/traefik.nix
  ];

  # Enable common container config files in /etc/containers
@@ -72,34 +73,6 @@
        havenisms;
    in
    {
-      traefik = {
-        image = "traefik";
-        autoStart = true;
-        cmd = [ ];
-        extraOptions = [
-          # Proxying Traefik itself
-          "-l=traefik.enable=true"
-          "-l=traefik.http.routers.traefik.rule=${localHostRuleHavenisms "proxy"}"
-          "-l=traefik.http.services.traefik.loadbalancer.server.port=8080"
-          "-l=homepage.group=Infra"
-          "-l=homepage.name=Traefik"
-          "-l=homepage.icon=traefik.svg"
-          "-l=homepage.href=https://proxy.${havenisms}"
-          "-l=homepage.description=Reverse proxy"
-          "-l=homepage.widget.type=traefik"
-          "-l=homepage.widget.url=http://traefik:8080"
-        ];
-        ports = [
-          "443:443"
-          "80:80"
-        ];
-        environmentFiles = [
-        ];
-        volumes = [
-          "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
-          "/tank/config/traefik:/etc/traefik"
-        ];
-      };
      jellyfin = {
        image = "lscr.io/linuxserver/jellyfin";
        autoStart = true;
--- a/system/hosts/mcp/containers/email.nix
+++ b/system/hosts/mcp/containers/email.nix
@@ -1,6 +1,6 @@
 { config, ... }:
 let
-  inherit (import ../lib.nix config) blazestar;
+  inherit (import ./lib.nix config) blazestar;
 in {
  
  virtualisation.oci-containers.containers.docker-mailserver = {
--- a/system/hosts/mcp/containers/lib.nix
+++ b/system/hosts/mcp/containers/lib.nix
@@ -36,7 +36,7 @@ in
    let routerRule = if public then hostRule hostName domain else localHostRule hostName domain;
    in
    {
-      inherit image dependsOn volumes environment environmentFiles;
+      inherit image dependsOn volumes environment environmentFiles ports;
      autoStart = true;
      extraOptions = [
        "-l=traefik.enable=true"
--- a/system/hosts/mcp/containers/traefik.nix
+++ b/system/hosts/mcp/containers/traefik.nix
@@ -0,0 +1,32 @@
+{ config, ... }:
+let
+  inherit (import ./lib.nix config) mkContainer blazestar;
+  traefikConfigDir = builtins.path {
+    name = "traefik-config";
+    path = ./traefik;
+  };
+in {
+  virtualisation.oci-containers.containers.traefik = mkContainer {
+      image = "traefik";
+      hostName = "proxy";
+      port = 8080;
+      domain = blazestar;
+      public = false;
+      ports = [
+        "80:80"
+        "443:443"
+      ];
+      volumes =
+      [
+        "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
+        "${traefikConfigDir}:/etc/traefik"
+        "/tank/config/traefik/acme:/etc/traefik/acme"
+      ];
+      homepageOpts = {
+        name = "Traefik";
+        icon = "traefik.svg";
+        group = "Infra";
+        description = "Reverse Proxy";
+      };
+    };
+  }
--- a/system/hosts/mcp/containers/traefik/static/dockerRegistry.yaml
+++ b/system/hosts/mcp/containers/traefik/static/dockerRegistry.yaml
@@ -0,0 +1,10 @@
+http:
+  services:
+    dockerRegistry:
+      loadBalancer:
+        servers:
+          - url: "http://10.88.0.1:5000/"
+  routers:
+    dockerRegistry:
+      service: dockerRegistry
+      rule: "ClientIP(`192.168.1.0/24`) && Host(`docker.havenisms.com`)"
--- a/system/hosts/mcp/containers/traefik/traefik.yaml
+++ b/system/hosts/mcp/containers/traefik/traefik.yaml
@@ -0,0 +1,39 @@
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entrypoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certResolver: letsencrypt
+  metrics:
+    address: ":8082"
+
+api:
+  insecure: true
+
+providers:
+  docker:
+    exposedByDefault: false
+  file:
+    directory: /etc/traefik/static
+    watch: true
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: drew.haven@gmail.com
+      storage: /etc/traefik/acme/acme.json
+      httpChallenge:
+        entryPoint: web
+
+metrics:
+  prometheus:
+    addEntryPointsLabels: true
+    addServicesLabels: true
+    entryPoint: "metrics"