[traefik] Moves traefik config into the repo

home-manager/features/development/nix.nix

@@ -10,7 +10,8 @@
 
   home.shellAliases = {
     # This assumes that the repository is in ~/system-config
-    rebuild = "sudo nixos-rebuild switch --flake ~/system-config --show-trace --print-build-logs --verbose";
+    rebuild-switch = "sudo nixos-rebuild switch --flake ~/system-config --show-trace --print-build-logs --verbose";
+    rebuild-boot = "sudo nixos-rebuild boot --flake ~/system-config --show-trace --print-build-logs --verbose";
   };
 }
  

system/hosts/mcp/containers.nix

@@ -17,6 +17,7 @@
     ./containers/searxng.nix
     ./containers/shared-postgres.nix
     ./containers/synapse.nix
+    ./containers/traefik.nix
   ];
 
   # Enable common container config files in /etc/containers
@@ -72,34 +73,6 @@
         havenisms;
     in
     {
-      traefik = {
-        image = "traefik";
-        autoStart = true;
-        cmd = [ ];
-        extraOptions = [
-          # Proxying Traefik itself
-          "-l=traefik.enable=true"
-          "-l=traefik.http.routers.traefik.rule=${localHostRuleHavenisms "proxy"}"
-          "-l=traefik.http.services.traefik.loadbalancer.server.port=8080"
-          "-l=homepage.group=Infra"
-          "-l=homepage.name=Traefik"
-          "-l=homepage.icon=traefik.svg"
-          "-l=homepage.href=https://proxy.${havenisms}"
-          "-l=homepage.description=Reverse proxy"
-          "-l=homepage.widget.type=traefik"
-          "-l=homepage.widget.url=http://traefik:8080"
-        ];
-        ports = [
-          "443:443"
-          "80:80"
-        ];
-        environmentFiles = [
-        ];
-        volumes = [
-          "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
-          "/tank/config/traefik:/etc/traefik"
-        ];
-      };
       jellyfin = {
         image = "lscr.io/linuxserver/jellyfin";
         autoStart = true;

system/hosts/mcp/containers/email.nix

@@ -1,6 +1,6 @@
 { config, ... }:
 let
-  inherit (import ../lib.nix config) blazestar;
+  inherit (import ./lib.nix config) blazestar;
 in {
   
   virtualisation.oci-containers.containers.docker-mailserver = {

system/hosts/mcp/containers/traefik.nix

@@ -0,0 +1,32 @@
+{ config, ... }:
+let
+  inherit (import ./lib.nix config) mkContainer blazestar;
+  traefikConfigDir = builtins.path {
+    name = "traefik-config";
+    path = ./traefik;
+  };
+in {
+  virtualisation.oci-containers.containers.traefik = mkContainer {
+      image = "traefik";
+      hostName = "proxy";
+      port = 8080;
+      domain = blazestar;
+      public = false;
+      ports = [
+        "443:443"
+        "80:80"
+      ];
+      volumes =
+      [
+        "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
+        "${traefikConfigDir}:/etc/traefik"
+        "/tank/config/traefik/acme:/etc/traefik/acme"
+      ];
+      homepageOpts = {
+        name = "Traefik";
+        icon = "traefik.svg";
+        group = "Infra";
+        description = "Reverse Proxy";
+      };
+    };
+  }

system/hosts/mcp/containers/traefik/static/dockerRegistry.yaml

@@ -0,0 +1,10 @@
+http:
+  services:
+    dockerRegistry:
+      loadBalancer:
+        servers:
+          - url: "http://10.88.0.1:5000/"
+  routers:
+    dockerRegistry:
+      service: dockerRegistry
+      rule: "ClientIP(`192.168.1.0/24`) && Host(`docker.havenisms.com`)"

system/hosts/mcp/containers/traefik/traefik.yaml

@@ -0,0 +1,39 @@
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entrypoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certResolver: letsencrypt
+  metrics:
+    address: ":8082"
+
+api:
+  insecure: true
+
+providers:
+  docker:
+    exposedByDefault: false
+  file:
+    directory: /etc/traefik/static
+    watch: true
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: drew.haven@gmail.com
+      storage: /etc/traefik/acme/acme.json
+      httpChallenge:
+        entryPoint: web
+
+metrics:
+  prometheus:
+    addEntryPointsLabels: true
+    addServicesLabels: true
+    entryPoint: "metrics"