# NixOS module: runs Traefik as an OCI container acting as the reverse proxy for
# the host. Secrets for the OIDC auth plugin come from sops and are rendered into
# a dynamic-config file that is bind-mounted into the container.
{ config, ... }:
let
  inherit (import ./lib.nix config) mkContainer blazestar;

  # Snapshot ./traefik into the Nix store so the container sees a fixed copy of
  # the static/dynamic configuration rather than a live path on the host.
  traefikConfigDir = builtins.path {
    name = "traefik-config";
    path = ./traefik;
  };

  # systemd unit that runs the container (named after the configured backend).
  traefikUnit = "${config.local.container-backend}-traefik.service";

  # Shared attributes for both OAuth2 secrets: owner-read-only on disk, and a
  # rotated secret restarts the container so the new value is picked up.
  traefikSecret = {
    restartUnits = [ traefikUnit ];
    mode = "0400";
  };
in
{
  sops.secrets = {
    "traefik/oauth2-client-secret" = traefikSecret;
    "traefik/oauth2-plugin-secret" = traefikSecret;
  };

  # Dynamic-config fragment for the traefik-oidc-auth middleware. The two
  # placeholders are substituted by sops at activation time, so the secrets never
  # end up in the Nix store. The rendered file is mounted below under
  # /etc/traefik/dynamic/.
  sops.templates."traefik/oauth2-config.yaml".content = ''
    http:
      middlewares:
        oidc-auth:
          plugin:
            traefik-oidc-auth:
              Secret: "${config.sops.placeholder."traefik/oauth2-plugin-secret"}"
              CallbackUri: "https://auth.blazestar.net/oidc/callback"
              Provider:
                Url: "https://auth.blazestar.net/"
                ClientId: "3e3f7d9a-a684-4412-866c-ea7281954a9f"
                ClientSecret: "${config.sops.placeholder."traefik/oauth2-client-secret"}"
                TokenValidation: "IdToken"
              Scopes: ["openid", "profile", "email"]
  '';

  virtualisation.oci-containers.containers.traefik = mkContainer {
    image = "traefik";
    hostName = "proxy";
    # port/domain/public are interpreted by mkContainer in ./lib.nix; their exact
    # meaning (e.g. whether `public = false` hides the dashboard from the
    # internet) is not visible from this file -- check lib.nix before relying on it.
    port = 8080;
    domain = blazestar;
    public = false;

    # Host-published ports: HTTP, HTTPS, and 8448 (presumably Matrix federation;
    # confirm against the routers defined in ./traefik).
    ports = [
      "80:80"
      "443:443"
      "8448:8448"
    ];

    volumes = [
      # Container-runtime socket for service discovery. `:ro` only makes the
      # socket node read-only; API calls over it still work, so this grants the
      # proxy control of the runtime -- keep the container image and its
      # configuration trusted, or front the socket with a filtering proxy.
      "${config.local.container-socket}:/var/run/docker.sock:ro"
      # All the configs from the config directory
      "${traefikConfigDir}:/etc/traefik"
      # Oauth2 config containing secrets; mounted inside the /etc/traefik tree
      # so the file provider picks it up alongside the static copies.
      "${config.sops.templates."traefik/oauth2-config.yaml".path}:/etc/traefik/dynamic/oauth2-config.yaml"
      # Persistent storage for acme certificates
      # TODO: It may be possible to just use docker storage because persistence
      # is not critical when the cert can just be renewed.
      # Caveat before dropping persistence: ACME CAs rate-limit issuance, so
      # re-requesting certificates on every container recreate can get the
      # domain temporarily blocked from renewal.
      "/tank/config/traefik/acme:/etc/traefik/acme"
    ];

    # Entry shown on the homepage dashboard.
    homepageOpts = {
      name = "Traefik";
      icon = "traefik.svg";
      group = "Infra";
      description = "Reverse Proxy";
    };
  };
}