nix-home/modules/cloud/traefik/default.nix

{ pkgs, config, lib, ... }:

with lib;
let
  # Copied from traefik.nix
  jsonValue = with types;
    let
      valueType = nullOr
        (oneOf [
          bool
          int
          float
          str
          (lazyAttrsOf valueType)
          (listOf valueType)
        ]) // {
        description = "JSON value";
        emptyValue.value = { };
      };
    in
    valueType;

  cfg = config.cloud.traefik;
in
{
  imports = [ ./config.nix ./dashboard.nix ./certs-dumper.nix ];
  options.cloud.traefik = {
    cloudflareKeyFile = mkOption {
      type = types.path;
      description = "The cloudflake private key file, for Let's Encrypt DNS challenge";
    };

    config = mkOption {
      type = jsonValue;
      default = { };
      description = "The dynamic configuration to be passed to traefik";
    };

    certsPath = mkOption {
      type = types.str;
      default = "/var/lib/traefik/acme.json";
      description = "The location to read and write the certificates file onto";
    };
  };

  config.services.traefik = {
    enable = true;

    staticConfigOptions = {
      # Entrypoints
      # ------------
      ## HTTP entrypoint: always redirect to 443
      entrypoints.http.address = ":80";
      entrypoints.http.http.redirections.entryPoint = {
        to = "https";
        scheme = "https";
      };
      ## HTTPS entrypoint: ok!
      entrypoints.https.address = ":443";
      ## IMAP and SMTP
      entrypoints.imap.address = ":993";
      entrypoints.smtp-submission.address = ":587";
      entrypoints.smtp-submission-ssl.address = ":465";
      ## Wireguard
      entrypoints.wireguard.address = ":51820/udp";

      # Logging
      # -------
      accessLog = { };
      log.level = "info";

      # ACME Automatic SSL
      # ------------------
      certificatesResolvers.le.acme = {
        email = "natsukagami@gmail.com";
        storage = cfg.certsPath;
        dnsChallenge.provider = "cloudflare";
        dnsChallenge.delayBeforeCheck = 10;
      };
    };

    dynamicConfigOptions = cfg.config;
  };
  # Set up cloudflare key
  config.systemd.services.traefik.environment.CF_DNS_API_TOKEN_FILE = cfg.cloudflareKeyFile;

  # Set up firewall to allow traefik traffic.
  config.networking.firewall.allowedTCPPorts = [ 80 443 993 587 465 ];
  config.networking.firewall.allowedUDPPorts = [
    443 # QUIC
    51820 # Wireguard
  ];
}
Set up formatting 2022-05-31 16:45:33 +00:00			`{ pkgs, config, lib, ... }:`
Priliminary support for traefik 2021-10-31 21:37:04 +00:00
			`with lib;`
			`let`
			`# Copied from traefik.nix`
			`jsonValue = with types;`
			`let`
Set up formatting 2022-05-31 16:45:33 +00:00			`valueType = nullOr`
			`(oneOf [`
			`bool`
			`int`
			`float`
			`str`
			`(lazyAttrsOf valueType)`
			`(listOf valueType)`
			`]) // {`
Priliminary support for traefik 2021-10-31 21:37:04 +00:00			`description = "JSON value";`
			`emptyValue.value = { };`
			`};`
Set up formatting 2022-05-31 16:45:33 +00:00			`in`
			`valueType;`
Priliminary support for traefik 2021-10-31 21:37:04 +00:00
			`cfg = config.cloud.traefik;`
			`in`
			`{`
Add cert-resolver 2021-11-01 19:50:30 +00:00			`imports = [ ./config.nix ./dashboard.nix ./certs-dumper.nix ];`
Priliminary support for traefik 2021-10-31 21:37:04 +00:00			`options.cloud.traefik = {`
			`cloudflareKeyFile = mkOption {`
			`type = types.path;`
			`description = "The cloudflake private key file, for Let's Encrypt DNS challenge";`
			`};`

			`config = mkOption {`
			`type = jsonValue;`
Set up formatting 2022-05-31 16:45:33 +00:00			`default = { };`
Priliminary support for traefik 2021-10-31 21:37:04 +00:00			`description = "The dynamic configuration to be passed to traefik";`
			`};`
Add cert-resolver 2021-11-01 19:50:30 +00:00
			`certsPath = mkOption {`
			`type = types.str;`
			`default = "/var/lib/traefik/acme.json";`
			`description = "The location to read and write the certificates file onto";`
			`};`
Priliminary support for traefik 2021-10-31 21:37:04 +00:00			`};`
Set up formatting 2022-05-31 16:45:33 +00:00
Priliminary support for traefik 2021-10-31 21:37:04 +00:00			`config.services.traefik = {`
			`enable = true;`

			`staticConfigOptions = {`
			`# Entrypoints`
			`# ------------`
			`## HTTP entrypoint: always redirect to 443`
			`entrypoints.http.address = ":80";`
			`entrypoints.http.http.redirections.entryPoint = {`
			`to = "https";`
			`scheme = "https";`
			`};`
			`## HTTPS entrypoint: ok!`
			`entrypoints.https.address = ":443";`
			`## IMAP and SMTP`
			`entrypoints.imap.address = ":993";`
			`entrypoints.smtp-submission.address = ":587";`
Add cert-resolver 2021-11-01 19:50:30 +00:00			`entrypoints.smtp-submission-ssl.address = ":465";`
Set up firezone 2023-04-27 00:32:10 +00:00			`## Wireguard`
			`entrypoints.wireguard.address = ":51820/udp";`
Priliminary support for traefik 2021-10-31 21:37:04 +00:00
			`# Logging`
			`# -------`
Set up formatting 2022-05-31 16:45:33 +00:00			`accessLog = { };`
Priliminary support for traefik 2021-10-31 21:37:04 +00:00			`log.level = "info";`

			`# ACME Automatic SSL`
			`# ------------------`
			`certificatesResolvers.le.acme = {`
			`email = "natsukagami@gmail.com";`
Add cert-resolver 2021-11-01 19:50:30 +00:00			`storage = cfg.certsPath;`
Priliminary support for traefik 2021-10-31 21:37:04 +00:00			`dnsChallenge.provider = "cloudflare";`
			`dnsChallenge.delayBeforeCheck = 10;`
			`};`
			`};`

Bitwarden WIP 2021-11-01 01:41:29 +00:00			`dynamicConfigOptions = cfg.config;`
Priliminary support for traefik 2021-10-31 21:37:04 +00:00			`};`
			`# Set up cloudflare key`
			`config.systemd.services.traefik.environment.CF_DNS_API_TOKEN_FILE = cfg.cloudflareKeyFile;`

			`# Set up firewall to allow traefik traffic.`
Add cert-resolver 2021-11-01 19:50:30 +00:00			`config.networking.firewall.allowedTCPPorts = [ 80 443 993 587 465 ];`
Set up firezone 2023-04-27 00:32:10 +00:00			`config.networking.firewall.allowedUDPPorts = [`
			`443 # QUIC`
			`51820 # Wireguard`
			`];`
Priliminary support for traefik 2021-10-31 21:37:04 +00:00			`}`