sora/nixconfig
1
0
Fork 1
Code Issues 2 Pull Requests Actions Releases Activity

Add authentik blueprints

Browse Source
This commit is contained in:
soraefir
2026-05-10 18:29:53 +02:00
parent 9813e7d49a
commit c637fea0d0
9 changed files with 170 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

93
modules/server/containers/apps/authentik.nix Normal file
View File

@@ -0,0 +1,93 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "2026.2.2";
serverCfg = config.syscfg.server;
authentikData = ${builder.mkData {
name = "authentik"; dir = "authentik"; vars = {
NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain or "nextcloud"}.${serverCfg.hostDomain}";
AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
COOKIE_DOMAIN = "*.${serverCfg.hostDomain}";
};
}};
in {
paths = [{
path="${serverCfg.configPath}/authentik/media";
owner = "1000:1000";
mode = "0755";
}{
path="${serverCfg.configPath}/authentik/templates";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/goauthentik/server:${version}";
port = containerCfg.port;
ip = containerCfg.ip;
secret = name;
extraEnv = {
"AUTHENTIK_REDIS__HOST" = builder.host;
"AUTHENTIK_POSTGRESQL__HOST" = builder.host;
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
"AUTHENTIK_EMAIL__HOST" = serverCfg.mailDomain;
"AUTHENTIK_EMAIL__PORT" = "587";
"AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
"AUTHENTIK_EMAIL__USE_TLS" = "true";
"AUTHENTIK_EMAIL__USE_SSL" = "false";
"AUTHENTIK_EMAIL__TIMEOUT" = "10";
"AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
"AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
"AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
};
overrides = {
cmd = [ "server" ];
ports = if containerCfg.pubPort!=null && containerCfg.port!=null then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ] else [];
volumes = [
"${serverCfg.configPath}/authentik/media:/media"
"${serverCfg.configPath}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
];
};
};
worker = builder.mkContainer {
image = "ghcr.io/goauthentik/server:${version}";
secret = "authentik";
extraEnv = {
"AUTHENTIK_REDIS__HOST" = builder.host;
"AUTHENTIK_POSTGRESQL__HOST" = builder.host;
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
"AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
"AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
};
# extraOptions = [ "--user=:994" ]; #PODMAN GROUP FOR SOCKET ACCESS
overrides = {
cmd = [ "worker" ];
volumes = [
"${serverCfg.configPath}/authentik/media:/media"
"${serverCfg.configPath}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
# "/var/run/podman/podman.sock:/var/run/docker.sock" #PODMAN GROUP FOR SOCKET ACCESS
];
};
};
};
setup = {
trigger="worker";
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
AK="${pkgs.podman}/bin/podman --events-backend=none exec -u root authentik-worker ak"
$AK blueprint_apply /blueprints/custom/traefik.yaml
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK blueprint_apply /blueprints/custom/nextcloud.yaml''}
echo "Completed Authentik Setup"
'';
};
}

33
modules/server/containers/apps/collabora.nix Normal file
View File

@@ -0,0 +1,33 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "latest";
serverCfg = config.syscfg.server;
in {
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "collabora/code:${version}";
port = containerCfg.port;
ip = containerCfg.ip;
secret = name;
extraEnv = {
"aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.hostDomain}";
"server_name" = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
"VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
"VIRTUAL_PORT" = "${toString containerCfg.port}";
"VIRTUAL_PROTO" = "http";
"DONT_GEN_SSL_CERT" = "true";
"RESOLVE_TO_PROXY_IP" = "true";
"extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
"dictionaries" = "en fr de jp no";
};
overrides = {
volumes = [
"${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro"
"${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro"
];
};
};
};
}

138
modules/server/containers/apps/etherpad.nix Normal file
View File

@@ -0,0 +1,138 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
etherpad_exe = pkgs.etherpad-lite;/*.override {
plugins = [ pkgs.nodePackages.ep_proxy_auth ]; # Ensure this is in your nixpkgs
};*/
settings = pkgs.writeTextDir"etc/etherpad/settings.json" (builtins.toJSON {
title= "\${TITLE:Etherpad}";
showRecentPads = "\${SHOW_RECENT_PADS:true}";
favicon = "\${FAVICON:null}";
publicURL = "\${PUBLIC_URL:null}";
skinName = "\${SKIN_NAME:colibris}";
skinVariants = "\${SKIN_VARIANTS:super-light-toolbar super-light-editor light-background}";
ip = "\${IP:0.0.0.0}";
port = "\${PORT:9001}";
showSettingsInAdminPage = "\${SHOW_SETTINGS_IN_ADMIN_PAGE:true}";
enableMetrics = "\${ENABLE_METRICS:true}";
updates.tier = "off";
cleanup.enabled = false;
gdprAuthorErasure.enabled = "\${GDPR_AUTHOR_ERASURE_ENABLED:false}";
authenticationMethod = "\${AUTHENTICATION_METHOD:sso}";
enableDarkMode = "\${ENABLE_DARK_MODE:true}";
enablePadWideSettings = "\${ENABLE_PAD_WIDE_SETTINGS:true}";
dbType = "\${DB_TYPE:dirty}";
dbSettings = {
host = "\${DB_HOST:undefined}";
port = "\${DB_PORT:undefined}";
database = "\${DB_NAME:undefined}";
user = "\${DB_USER:undefined}";
password = "\${DB_PASS:undefined}";
charset = "\${DB_CHARSET:undefined}";
filename = "\${DB_FILENAME:var/dirty.db}";
collection = "\${DB_COLLECTION:undefined}";
url = "\${DB_URL:undefined}";
};
defaultPadText = "\${DEFAULT_PAD_TEXT:P A D}";
padOptions = {
noColors = "\${PAD_OPTIONS_NO_COLORS:false}";
showControls = "\${PAD_OPTIONS_SHOW_CONTROLS:true}";
showChat = "\${PAD_OPTIONS_SHOW_CHAT:true}";
showLineNumbers = "\${PAD_OPTIONS_SHOW_LINE_NUMBERS:true}";
useMonospaceFont = "\${PAD_OPTIONS_USE_MONOSPACE_FONT:false}";
userName = "\${PAD_OPTIONS_USER_NAME:null}";
userColor = "\${PAD_OPTIONS_USER_COLOR:null}";
rtl = "\${PAD_OPTIONS_RTL:false}";
alwaysShowChat = "\${PAD_OPTIONS_ALWAYS_SHOW_CHAT:false}";
chatAndUsers = "\${PAD_OPTIONS_CHAT_AND_USERS:false}";
lang = "\${PAD_OPTIONS_LANG:null}";
fadeInactiveAuthorColors = "\${PAD_OPTIONS_FADE_INACTIVE_AUTHOR_COLORS:true}";
enforceReadableAuthorColors = "\${PAD_OPTIONS_ENFORCE_READABLE_AUTHOR_COLORS:true}";
};
requireSession = "\${REQUIRE_SESSION:false}";
editOnly = "\${EDIT_ONLY:false}";
minify = "\${MINIFY:true}";
requireAuthentication = "\${REQUIRE_AUTHENTICATION:false}";
requireAuthorization = "\${REQUIRE_AUTHORIZATION:false}";
trustProxy = "\${TRUST_PROXY:true}";
ep_headerauth.username_header = "X-authentik-username";
users.admin = {
password = "\${ADMIN_PASSWORD:null}";
is_admin = true;
};
socketTransportProtocols = ["websocket" "polling"];
socketIo.maxHttpBufferSize = "\${SOCKETIO_MAX_HTTP_BUFFER_SIZE:1000000}";
indentationOnNewLine = true;
loglevel = "\${LOGLEVEL:INFO}";
lowerCasePadIds = "\${LOWER_CASE_PAD_IDS:true}";
});
image = pkgs.dockerTools.streamLayeredImage {
name = "etherpad";
tag = etherpad_exe.version;
contents = with pkgs;[cacert tzdata bash coreutils curl settings ];
fakeRootCommands = ''
mkdir -p ./var/lib/etherpad
chown -R 1000:1000 ./var/lib/etherpad
mkdir -p ./tmp
chmod 1777 ./tmp
'';
config = {
Cmd = [ "${etherpad_exe}/bin/etherpad-lite" "--settings" "/etc/etherpad/settings.json" ];
User = "1000:1000";
WorkingDir = "/var/lib/etherpad";
ExposedPorts = { "${toString containerCfg.port}/tcp" = {}; };
Env = [
"NODE_ENV=production"
"HOME=/opt/etherpad-lite/var"
"DB_FILENAME=/opt/etherpad-lite/var/dirty.db"
];
};
};
in {
paths = [{
path="${serverCfg.configPath}/etherpad/data";
owner = "1000:1000";
mode = "0755";
}{
path="${serverCfg.configPath}/etherpad/APIKEY.txt";
owner = "1000:1000";
mode = "0755";
backup = true;
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = containerCfg.port;
ip = containerCfg.ip;
secret = name;
extraEnv = {
TITLE = "Pad";
PORT = toString containerCfg.port;
DB_TYPE = "postgres";
DB_HOST = builder.host;
DB_NAME = "etherpad_db";
DB_USER = "etherpad_user";
TRUST_PROXY = "true";
DB_CHARSET = "utf8mb4";
DEFAULT_PAD_TEXT = "";
PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
};
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = "authentik";
};
overrides = {
volumes = [
"${serverCfg.configPath}/etherpad/data:/opt/etherpad-lite/var"
"${serverCfg.configPath}/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
];
};
};
};
}

191
modules/server/containers/apps/nextcloud.nix Normal file
View File

@@ -0,0 +1,191 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "31";
serverCfg = config.syscfg.server;
in {
paths = [{
path="${serverCfg.dataPath}/nextcloud/www";
owner = "33:33";
mode = "0755";
}{
path="${serverCfg.dataPath}/nextcloud/data";
owner = "33:33";
mode = "0755";
backup = true;
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "nextcloud:${version}";
port = containerCfg.port;
ip = containerCfg.ip;
secret = name;
extraEnv = {
REDIS_HOST = builder.host;
POSTGRES_HOST = builder.host;
POSTGRES_USER = "nextcloud_user";
POSTGRES_DB = "nextcloud_db";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
"NEXTCLOUD_TRUSTED_DOMAINS " = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
"SMTP_HOST" = serverCfg.mailServer;
"SMTP_NAME" = "mail_user";
"SMTP_PASSWORD" = "mail_password";
"MAIL_FROM_ADDRESS" = "${containerCfg.subdomain}@${serverCfg.hostDomain}";
"MAIL_DOMAIN" = serverCfg.mailDomain;
"TRUSTED_PROXIES" = "10.10.0.0/16 192.168.0.0/16";
};
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
"traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
"traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
};
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides = {
ports = if containerCfg.pubPort!=null && containerCfg.port!=null then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ] else [];
volumes = [
"${serverCfg.dataPath}/nextcloud/www:/var/www/html"
"${serverCfg.dataPath}/nextcloud/data:/var/www/html/data"
];
};
};
};
setup = {
trigger="server";
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
OCC="${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php occ"
echo "Waiting for Nextcloud container to start..."
until $OCC status > /dev/null 2>&1; do
sleep 2
done
INSTALLED=$($OCC status --output=json | grep -o '"installed":false')
if [ -z "$INSTALLED" ]; then
echo "Running first-time setup..."
# $OCC maintenance:install \
# --admin-user "admin" \
# --admin-pass "adminpassword"
echo "Applying Settings..."
$OCC config:system:set default_phone_region --value="CH"
$OCC config:system:set overwriteprotocol --value="https"
$OCC config:app:set core backgroundjobs_mode --value="cron"
$OCC config:system:set maintenance_window_start --type=integer --value=1
$OCC config:system:set default_language --value="en"
$OCC config:system:set default_locale --value="en_CH"
echo "Applying Apps..."
$OCC app:disable activity || true
$OCC app:disable app_api || true
$OCC app:disable comments || true
$OCC app:disable firstrunwizard || true
$OCC config:system:set show_first_run_wizard --type=bool --value=false
$OCC app:disable nextcloud_announcements || true
$OCC app:disable oauth2 || true
$OCC app:disable recommendations || true
$OCC app:disable sharebymail || true
$OCC app:disable support || true
$OCC app:disable survey_client || true
$OCC app:disable updatenotification || true
$OCC app:disable user_status || true
$OCC app:install calendar || true
$OCC app:install calendar || true
$OCC app:install contacts || true
$OCC app:install camerarawpreviews || true
$OCC app:install cospend || true
$OCC app:install deck || true
$OCC app:install files_markdown || true
$OCC app:install forms || true
$OCC app:install groupfolders || true
$OCC app:install ownpad || true
$OCC app:install previewgenerator || true
$OCC app:install richdocuments || true
${lib.optionalString (serverCfg.containers ? collabora == false) ''$OCC app:install richdocumentscode || true''}
# $OCC app:install side_menu || true
$OCC app:install spreed || true
${lib.optionalString (serverCfg.containers ? authentik) ''$OCC app:install user_saml || true''}
echo "Applying Apps Settings..."
$OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json
$OCC config:app:set cospend allow_federation --value="yes"
${lib.optionalString (serverCfg.containers ? ethercalc) ''
$OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes"
$OCC config:app:set ownpad ownpad_ethercalc_host --value="https:\/\/${serverCfg.containers.ethercalc.subdomain}.${serverCfg.hostDomain}"
''}
${lib.optionalString (serverCfg.containers ? etherpad) ''
$OCC config:app:set ownpad ownpad_etherpad_enable --value="yes"
$OCC config:app:set ownpad ownpad_etherpad_host --value="https:\/\/${serverCfg.containers.etherpad.subdomain}.${serverCfg.hostDomain}"
''}
${lib.optionalString (serverCfg.containers ? collabora) ''
$OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}/"
$OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}"
$OCC config:app:set richdocuments wopi_allowlist --value="10.0.0.0/8"
''}
${lib.optionalString (serverCfg.containers ? authentik) ''
$OCC saml:config:set --general-idp0_display_name="authentik"
$OCC saml:config:set --general-uid_mapping="http://schemas.goauthentik.io/2021/02/saml/username"
$OCC saml:config:set --idp-entityId="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}"
$OCC saml:config:set --idp-singleSignOnService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/application/saml/${containerCfg.subdomain}/sso/binding/redirect/"
$OCC saml:config:set --idp-singleLogoutService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/application/saml/${containerCfg.subdomain}/slo/binding/redirect/"
$OCC saml:config:set --idp-x509cert="MII..."
$OCC saml:config:set --saml-attribute-mapping-displayName_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
$OCC saml:config:set --saml-attribute-mapping-email_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$OCC saml:config:set --saml-attribute-mapping-group_mapping="http://schemas.xmlsoap.org/claims/Group"
$OCC saml:config:set --general-group_provisioning="0"
$OCC config:app:set user_saml general-require_provisioning_groups --value="0"
# $OCC saml:config:set --general-allowed_groups="cloud,admin"
''}
# configure side_menu ...
FOLDERS=$($OCC teamfolders:list --format=json)
${builtins.concatStringsSep "\n" (map (name: ''
if ! echo "$FOLDERS" | grep -q '"name":"${name}"'; then
$OCC teamfolders:create "${name}"
fi
'') containerCfg.extra.teamFolders or [])}
SERVERS=$($OCC federation:list-servers --format=json)
${builtins.concatStringsSep "\n" (map (domain: ''
if ! echo "$SERVERS" | grep -q "${domain}"; then
$OCC federation:add-server "https://${domain}"
fi
'') containerCfg.extra.federatedServers or [])}
$OCC config:app:set systemtags allow_user_creating --value="no"
echo "Applying Theme..."
$OCC config:app:set theming url --value="https://${containerCfg.subdomain}.${serverCfg.hostDomain}"
${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''}
${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''}
$OCC config:app:set theming background_color --value="${serverCfg.colorScheme.palette.base0C}"
$OCC config:app:set theming primary_color --value="${serverCfg.colorScheme.palette.base0C}"
#$OCC theming:config logo {serverCfg.colorScheme.logo}
#$OCC theming:config logoheader {serverCfg.colorScheme.logo}
#$OCC theming:config background {serverCfg.colorScheme.bg}
else
echo "Nextcloud is already installed. Skipping setup."
fi
echo "Maintenance..."
$OCC app:update --all
$OCC maintenance:repair --include-expensive --no-interaction
$OCC db:add-missing-indices --no-interaction
echo "Completed Setup"
'';
};
cron = [ "*/5 * * * * root ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
}

75
modules/server/containers/apps/traefik.nix Normal file
View File

@@ -0,0 +1,75 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
image = pkgs.dockerTools.streamLayeredImage {
name = "traefik";
tag = pkgs.traefik.version;
contents = with pkgs;[ cacert tzdata ];
config = {
Entrypoint = [ "${pkgs.traefik}/bin/traefik" ];
WorkingDir = "/";
};
};
in {
paths = [{
path="${serverCfg.configPath}/traefik";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
imageStream = image;
subdomain = containerCfg.subdomain;
ip = containerCfg.ip;
port = 8080;
secret = name;
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
"traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = "authentik";
"traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
"traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.hostDomain}";
"traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.hostDomain}";
"traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760";
"traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
"traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
"traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
};
extraEnv = { };
overrides = {
cmd = [
"--api"
"--log.level=INFO"
"--providers.docker=true"
"--global.checknewversion=false"
"--global.sendanonymoususage=false"
"--api.insecure=true"
"--api.dashboard=true"
"--providers.docker.exposedByDefault=false"
"--entrypoints.web.address=:80"
"--entrypoints.web-secure.address=:443"
"--entrypoints.web.http.redirections.entrypoint.to=web-secure"
"--entrypoints.web.http.redirections.entrypoint.scheme=https"
"--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
"--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
"--certificatesresolvers.default.acme.email=acme@${serverCfg.hostDomain}"
"--certificatesresolvers.default.acme.tlschallenge=false"
"--certificatesresolvers.default.acme.httpchallenge=false"
"--certificatesresolvers.default.acme.dnschallenge=true"
"--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
"--certificatesresolvers.default.acme.storage=/custom/acme.json"
];
ports = [ "443:443" "80:80" ];
volumes = [
"/var/run/podman/podman.sock:/var/run/docker.sock"
# "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
"${serverCfg.configPath}/traefik:/custom"
];
};
};
};
}