{ config, containerCfg, pkgs, lib, builder, name,... }: let serverCfg = config.syscfg.server; image = pkgs.dockerTools.streamLayeredImage { name = "traefik"; tag = pkgs.traefik.version; contents = with pkgs;[ cacert tzdata ]; config = { Entrypoint = [ "${pkgs.traefik}/bin/traefik" ]; WorkingDir = "/"; }; }; in { sops = true; paths = [{ path="${serverCfg.configPath}/traefik"; owner = "1000:1000"; mode = "0755"; }]; containers = { server = builder.mkContainer { imageStream = image; subdomain = containerCfg.subdomain; port = 8080; secret = name; extraLabels = { "traefik.http.routers.${containerCfg.subdomain}.priority" = "10"; "traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal"; "traefik.http.routers.${containerCfg.subdomain}.middlewares" = if serverCfg.containers?authentik then "authentik" else ""; "traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760"; "traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"; "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true"; "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"; } // (if containerCfg.extra ? provider || serverCfg.hostDomain != "localhost" then { "traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default"; "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.hostDomain}"; "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.hostDomain}"; } else {}); extraEnv = { }; overrides = { cmd = [ "--api" "--log.level=INFO" "--providers.docker=true" "--global.checknewversion=false" "--global.sendanonymoususage=false" "--api.insecure=true" "--api.dashboard=true" "--providers.docker.exposedByDefault=false" "--entrypoints.web.address=:80" "--entrypoints.web-secure.address=:443" "--entrypoints.web.http.redirections.entrypoint.to=web-secure" "--entrypoints.web.http.redirections.entrypoint.scheme=https" "--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s" "--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16" ] ++ (if serverCfg.containers ? umami then [ "--experimental.plugins.umami-feeder.moduleName=github.com/astappiev/traefik-umami-feeder" "--experimental.plugins.umami-feeder.version=v1.4.1" "--entrypoints.web-secure.http.middlewares=umami-global@docker" ] else []) ++ (if containerCfg.extra ? provider then [ "--certificatesresolvers.default.acme.email=acme@${serverCfg.hostDomain}" "--certificatesresolvers.default.acme.dnschallenge=true" "--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}" "--certificatesresolvers.default.acme.storage=/custom/acme.json" ] else []) ++ (if serverCfg.hostDomain != "localhost" then [ "--certificatesresolvers.default.acme.httpchallenge=false" "--certificatesresolvers.default.acme.tlschallenge=true" ] else []); ports = [ "443:443" "80:80" ] ++ (if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else []); volumes = [ "/var/run/podman/podman.sock:/var/run/docker.sock" # "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log" "${serverCfg.configPath}/traefik:/custom" ]; }; }; }; }