system-config/system/hosts/mcp/containers/traefik.nix

{ config, ... }:
let
  inherit (import ./lib.nix config) mkContainer blazestar;

  # Snapshot of ./traefik copied into the Nix store (so it is immutable for the
  # lifetime of the generation) and bind-mounted at /etc/traefik below.
  traefikConfigDir = builtins.path {
    name = "traefik-config";
    path = ./traefik;
  };

  # Unit that must restart whenever one of the secrets it consumes is rotated.
  traefikUnit = "${config.local.container-backend}-traefik.service";

  # Both OIDC secrets get identical handling: owner-read-only on disk and tied
  # to the traefik unit so a rotated value is picked up on the next restart.
  secretOpts = {
    restartUnits = [ traefikUnit ];
    mode = "0400";
  };

  # sops renders this template to a file outside the store; only the rendered
  # path (not the secret values) ends up in the container definition.
  oauth2Template = config.sops.templates."traefik/oauth2-config.yaml";
in
{
  sops.secrets = {
    "traefik/oauth2-client-secret" = secretOpts;
    "traefik/oauth2-plugin-secret" = secretOpts;
  };

  # Dynamic traefik config for the traefik-oidc-auth plugin. The two
  # placeholders are substituted by sops at activation, never at eval time.
  # NOTE(review): LogLevel DEBUG is kept as-is; plugin debug output may be more
  # verbose than wanted outside troubleshooting — confirm it is intentional.
  # NOTE(review): the X-Oidc-Subject header value is the literal "sub", while
  # every other header uses a template expression — confirm that is intended.
  sops.templates."traefik/oauth2-config.yaml".content = ''
    http:
      middlewares:
        oidc-auth:
          plugin:
            traefik-oidc-auth:
              LogLevel: DEBUG
              Secret: "${config.sops.placeholder."traefik/oauth2-plugin-secret"}"
              # Omitting the Callback URL means it will use the current domain for the callback.
              # CallbackUri: "https://oidc.blazestar.net/oidc/callback"
              Provider:
                Url: "https://auth.blazestar.net/"
                ClientId: "3e3f7d9a-a684-4412-866c-ea7281954a9f"
                ClientSecret: "${config.sops.placeholder."traefik/oauth2-client-secret"}"
                TokenValidation: "IdToken"
                UsePkce: false
              Scopes: ["openid", "profile", "email"]
              Headers:
                - Name: "X-Oidc-Username"
                  Value: "{{`{{ .claims.preferred_username }}`}}"
                - Name: "X-Oidc-Email"
                  Value: "{{`{{ .claims.email }}`}}"
                - Name: "X-Oidc-Subject"
                  Value: "sub"
                - Name: "Authorization"
                  Value: "{{`Bearer {{ .accessToken }}`}}"
                - Name: "IdToken"
                  Value: "{{`Bearer {{ .idToken }}`}}"
  '';

  virtualisation.oci-containers.containers.traefik = mkContainer {
    image = "traefik";
    hostName = "proxy";
    port = 8080;
    domain = blazestar;
    public = false;

    # Host ports exposed by the proxy: HTTP, HTTPS and the Matrix federation port.
    ports = [
      "80:80"
      "443:443"
      "8448:8448"
    ];

    volumes = [
      # Container-runtime socket for provider discovery. NOTE(review): the ":ro"
      # flag only makes the mount read-only; API calls over the socket are still
      # possible, so a compromised traefik process effectively controls the
      # runtime on the host. Worth keeping in mind when reviewing plugins.
      "${config.local.container-socket}:/var/run/docker.sock:ro"
      # All the configs from the config directory
      "${traefikConfigDir}:/etc/traefik"
      # Oauth2 config containing secrets
      "${oauth2Template.path}:/etc/traefik/dynamic/oauth2-config.yaml"
      # Persistent storage for acme certificates
      # TODO: It may be possible to just use docker storage because persistence
      # is not critical when the cert can just be renewed.
      "/tank/config/traefik/acme:/etc/traefik/acme"
    ];

    homepageOpts = {
      name = "Traefik";
      icon = "traefik.svg";
      group = "Infra";
      description = "Reverse Proxy";
    };
  };
}