# Traefik reverse proxy as a podman container, fronted by an OIDC
# middleware whose client secret is delivered through sops-nix.
{ config, ... }:
let
  inherit (import ./lib.nix config) mkContainer blazestar;

  # Names of the sops secret and of the rendered template that consumes it,
  # bound once so the secret declaration, the placeholder and the mounted
  # path cannot drift apart.
  oauthSecretName = "traefik/oauth2-client-secret";
  oauthTemplateName = "traefik/oauth2-config.yaml";

  # Substituted by sops-nix at activation time with the decrypted secret, so
  # the real value never enters the Nix store.
  oauthSecretPlaceholder = config.sops.placeholder.${oauthSecretName};

  # Copies ./traefik into the Nix store under a stable name. Store paths are
  # world-readable, so this directory must hold non-secret configuration only;
  # anything secret is routed through the sops template below instead.
  staticConfigDir = builtins.path {
    name = "traefik-config";
    path = ./traefik;
  };

  # Plugin declaration and the OIDC middleware that uses it.
  # NOTE(review): `experimental.plugins` is Traefik *static* configuration,
  # while this file is mounted under /etc/traefik/dynamic; if only the file
  # provider reads it, confirm the plugin is also declared in the static
  # config shipped in ./traefik.
  oauthConfig = ''
    experimental:
      plugins:
        traefik-oidc-auth:
          moduleName: "github.com/sevensolutions/traefik-oidc-auth"
          version: "v0.11.0"

    http:
      middlewares:
        oidc-auth:
          plugin:
            traefik-oidc-auth:
              Provider:
                Url: "https://auth.blazestar.net/"
                ClientId: "3e3f7d9a-a684-4412-866c-ea7281954a9f"
                ClientSecret: "${oauthSecretPlaceholder}"
              TokenValidation: "IdToken"
              Scopes: ["openid", "profile", "email"]
  '';
in
{
  sops.secrets.${oauthSecretName} = {
    # The secret is consumed only via the template, but a rotated value must
    # still reach the running proxy, hence restarting the container unit.
    restartUnits = [ "podman-traefik.service" ];
    # Decrypted file readable by its owner only.
    mode = "0400";
  };

  sops.templates.${oauthTemplateName}.content = oauthConfig;

  virtualisation.oci-containers.containers.traefik = mkContainer {
    image = "traefik";
    hostName = "proxy";
    # Presumably the dashboard/API port that mkContainer publishes under
    # hostName.domain; `public = false` keeps it internal — confirm in ./lib.nix.
    port = 8080;
    domain = blazestar;
    public = false;
    # HTTP/HTTPS entrypoints exposed on the host.
    ports = [
      "80:80"
      "443:443"
    ];
    volumes = [
      # Docker-compatible API socket for the container provider. ":ro" only
      # makes the bind mount read-only on the filesystem; it does not restrict
      # what the API behind the socket can do, so control of this container
      # amounts to control of podman on the host. A socket proxy that exposes
      # only the read-only endpoints traefik needs would narrow that.
      "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
      # All the configs from the config directory
      "${staticConfigDir}:/etc/traefik"
      # Oauth2 config containing secrets
      "${config.sops.templates.${oauthTemplateName}.path}:/etc/traefik/dynamic/oauth2-config.yaml"
      # Persistent storage for acme certificates. The ACME store holds the
      # account key and certificate private keys, so the host path should stay
      # readable by root only.
      # TODO: It may be possible to just use docker storage because persistence
      # is not critical when the cert can just be renewed.
      "/tank/config/traefik/acme:/etc/traefik/acme"
    ];
    # Metadata consumed by mkContainer (see ./lib.nix), presumably for a
    # dashboard entry; its use is not visible in this file.
    homepageOpts = {
      name = "Traefik";
      icon = "traefik.svg";
      group = "Infra";
      description = "Reverse Proxy";
    };
  };
}