nix-home/modules/cloud/traefik/default.nix

84 lines
2 KiB
Nix

{ pkgs, config, lib, ... } :
with lib;
let
# Copied from traefik.nix
jsonValue = with types;
let
valueType = nullOr (oneOf [
bool
int
float
str
(lazyAttrsOf valueType)
(listOf valueType)
]) // {
description = "JSON value";
emptyValue.value = { };
};
in valueType;
cfg = config.cloud.traefik;
in
{
imports = [ ./config.nix ];
options.cloud.traefik = {
cloudflareKeyFile = mkOption {
type = types.path;
description = "The cloudflake private key file, for Let's Encrypt DNS challenge";
};
config = mkOption {
type = jsonValue;
default = {};
description = "The dynamic configuration to be passed to traefik";
};
};
config.services.traefik = {
enable = true;
staticConfigOptions = {
# Entrypoints
# ------------
## HTTP entrypoint: always redirect to 443
entrypoints.http.address = ":80";
entrypoints.http.http.redirections.entryPoint = {
to = "https";
scheme = "https";
};
## HTTPS entrypoint: ok!
entrypoints.https.address = ":443";
## IMAP and SMTP
entrypoints.imap.address = ":993";
entrypoints.smtp-submission.address = ":587";
# Logging
# -------
accessLog = {};
log.level = "info";
# Dashboard
# ---------
api.dashboard = true;
# ACME Automatic SSL
# ------------------
certificatesResolvers.le.acme = {
email = "natsukagami@gmail.com";
storage = "/var/lib/traefik/acme.json";
dnsChallenge.provider = "cloudflare";
dnsChallenge.delayBeforeCheck = 10;
};
};
dynamicConfigOptions = cfg.config;
};
# Set up cloudflare key
config.systemd.services.traefik.environment.CF_DNS_API_TOKEN_FILE = cfg.cloudflareKeyFile;
# Set up firewall to allow traefik traffic.
config.networking.firewall.allowedTCPPorts = [ 80 443 993 587 ];
config.networking.firewall.allowedUDPPorts = [ 443 ]; # QUIC
}