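# Traefik reverse proxy, run as an isolated NixOS container with its own network
# namespace. The host DNATs the ports in `forwardedTcpPorts` into the container;
# Traefik terminates TLS (ACME via the Cloudflare DNS-01 challenge) and proxies
# to backends on the 192.168.100.0/24 network.
#
# Enabled with `sysconfig.opts.virtualization.traefik.enable = true;`.
{ config, lib, ... }:

let
  cfg = config.sysconfig.opts.virtualization.traefik;

  # veth pair between host and container. Several backends (authentik, noVNC,
  # Home Assistant and the TCP voice/LLM services) are addressed via the host
  # side of this pair.
  hostAddress = "192.168.100.10";
  localAddress = "192.168.100.11";

  # Traefik state inside the container; bind-mounted read-write from the host so
  # the ACME store, the JSON log and the environment file survive rebuilds.
  dataDir = "/etc/traefik/data";

  # Sole ACME resolver; referenced by every TLS-terminating router below.
  certResolver = "cloudflare";

  # Ports DNAT'd host -> container on the same number. 80/443: public HTTP(S);
  # 9080/9443: LAN-only HTTP(S); 8002-8005: raw TCP entrypoints for the
  # voice-assistant / LLM backends. This list also drives the container's own
  # firewall, so a forwarded port is never silently dropped inside the container.
  forwardedTcpPorts = [ 80 443 9080 9443 8002 8003 8004 8005 ];

  # Entrypoint sets used by the HTTP routers.
  lanAndPublic = [ "localsecure" "websecure" ];
  publicOnly = [ "websecure" ];

  # One upstream per service is the layout used throughout this file.
  httpUpstream = url: { loadBalancer.servers = [ { inherit url; } ]; };
  # TCP services take a bare host:port `address`, not a URL.
  tcpUpstream = address: { loadBalancer.servers = [ { inherit address; } ]; };

  # A TLS-terminating TCP router whose entrypoint and service share its name.
  # Each entrypoint is dedicated to exactly one backend, so any SNI is accepted;
  # Traefik requires a rule on TCP routers, hence the explicit HostSNI(`*`).
  tcpRouter = name: {
    entryPoints = [ name ];
    rule = "HostSNI(`*`)";
    service = name;
    tls.certResolver = certResolver;
  };
  tcpServices = [ "openWakeWord" "faster-whisper" "ollama" "piper" ];
in
{
  options.sysconfig.opts.virtualization.traefik.enable =
    lib.mkEnableOption "the Traefik reverse-proxy container";

  config = lib.mkIf cfg.enable {
    containers.traefik = {
      autoStart = true;
      privateNetwork = true;
      inherit hostAddress localAddress;

      forwardPorts = map (port: { containerPort = port; hostPort = port; }) forwardedTcpPorts;

      bindMounts.${dataDir} = {
        hostPath = "/ssd1/Traefik/data";
        isReadOnly = false;
      };

      config = {
        services.traefik = {
          enable = true;
          inherit dataDir;
          # Presumably carries the Cloudflare API credentials for the DNS-01
          # challenge (contents not visible here); it lives in the bind mount,
          # not in this repository.
          environmentFiles = [ "${dataDir}/traefik.env" ];

          staticConfigOptions = {
            # Upstream certificate verification stays on. Every backend below is
            # plain http:// or a raw TCP address, so this has no effect on them;
            # if an https upstream with a private CA is ever added, give it its
            # own serversTransport with rootCAs rather than disabling
            # verification globally.
            serversTransport.insecureSkipVerify = false;

            # The dashboard is only reachable through the `traefik` router below,
            # which sits behind the authentik forwardAuth middleware. `debug`
            # widens the API surface; consider disabling it outside of
            # troubleshooting.
            api = {
              dashboard = true;
              debug = true;
            };

            global = {
              checknewversion = false;
              sendanonymoususage = false;
            };

            entryPoints = {
              # LAN-facing HTTP(S); plain HTTP is redirected to TLS.
              local = {
                address = ":9080";
                http.redirections.entryPoint = {
                  to = "localsecure";
                  scheme = "https";
                };
              };
              localsecure = {
                address = ":9443";
                http.tls.certResolver = certResolver;
              };

              # Internet-facing HTTP(S); plain HTTP is redirected to TLS.
              web = {
                address = ":80";
                http.redirections.entryPoint = {
                  to = "websecure";
                  scheme = "https";
                };
              };
              websecure = {
                address = ":443";
                asDefault = true;
                http.tls = {
                  certResolver = certResolver;
                  # Wildcard certificate; only obtainable via the DNS-01 challenge
                  # configured under certificatesResolvers.
                  domains = {
                    main = "blunkall.us";
                    sans = [ "*.local.blunkall.us" "*.blunkall.us" "blunkall.us" ];
                  };
                };
              };

              # Raw TCP (TLS-terminated) entrypoints, one per backend; see the
              # tcp routers/services in dynamicConfigOptions.
              openWakeWord = { address = ":8002"; };
              faster-whisper = { address = ":8003"; };
              ollama = { address = ":8004"; };
              piper = { address = ":8005"; };
            };

            # DEBUG-level JSON logs land in the bind-mounted data dir. They can
            # contain request details; lower the level once things are stable.
            log = {
              level = "DEBUG";
              filePath = "${dataDir}/traefik.log";
              format = "json";
            };

            certificatesResolvers = {
              cloudflare.acme = {
                email = "nathanblunkall5@gmail.com";
                storage = "${dataDir}/acme.json";
                keyType = "EC256";
                # DNS-01 so the wildcard can be issued. Public resolvers are
                # pinned so local split-horizon DNS cannot interfere with the
                # propagation check.
                dnsChallenge = {
                  provider = "cloudflare";
                  resolvers = [ "1.1.1.1:53" "1.0.0.1:53" ];
                };
              };
              # Retired HTTP-01 resolver, kept for reference:
              # letsencrypt.acme = { email = "postmaster@blunkall.us"; storage = "/root/data/acme.json"; httpChallenge.entryPoint = "web"; };
            };
          };

          dynamicConfigOptions = {
            tcp = {
              routers = lib.genAttrs tcpServices tcpRouter;
              # TCP routers resolve their `service` in the tcp section; defining
              # these under http.services (with tcp:// URLs) leaves the routers
              # without a backend.
              services = {
                openWakeWord = tcpUpstream "${hostAddress}:11432";
                faster-whisper = tcpUpstream "${hostAddress}:11433";
                ollama = tcpUpstream "${hostAddress}:11434";
                piper = tcpUpstream "${hostAddress}:11435";
              };
            };

            http = {
              routers = {
                # Landing page on the apex/www, gated by authentik. Priority 1 is
                # deliberately low so any more specific Host() router wins.
                homepageSecure = {
                  entryPoints = lanAndPublic;
                  rule = "Host(`blunkall.us`) || Host(`www.blunkall.us`)";
                  service = "homepage";
                  tls.certResolver = certResolver;
                  middlewares = [ "authentik" ];
                  priority = 1;
                };
                # Same backend as homepageSecure but without the authentik
                # middleware; confirm that is intended before exposing publicly.
                nathan = {
                  entryPoints = lanAndPublic;
                  rule = "Host(`nathan.blunkall.us`)";
                  service = "homepage";
                  tls.certResolver = certResolver;
                };
                # noVNC is public-only but sits behind authentik.
                remote = {
                  entryPoints = publicOnly;
                  rule = "Host(`remote.blunkall.us`)";
                  service = "novnc";
                  middlewares = [ "authentik" ];
                  tls.certResolver = certResolver;
                };
                # Home Assistant brings its own login; no forwardAuth here.
                homeassistant = {
                  entryPoints = publicOnly;
                  rule = "Host(`hass.blunkall.us`)";
                  service = "homeassistant";
                  tls.certResolver = certResolver;
                };
                jellyfin = {
                  entryPoints = lanAndPublic;
                  rule = "Host(`jellyfin.blunkall.us`)";
                  service = "jellyfin";
                  tls.certResolver = certResolver;
                };
                # The identity provider itself; must not be behind its own
                # forwardAuth middleware.
                auth = {
                  entryPoints = lanAndPublic;
                  rule = "Host(`auth.blunkall.us`)";
                  service = "authentik";
                  tls.certResolver = certResolver;
                };
                gitlab = {
                  entryPoints = lanAndPublic;
                  rule = "Host(`gitlab.blunkall.us`)";
                  service = "gitlab";
                  tls.certResolver = certResolver;
                };
                gitea = {
                  entryPoints = lanAndPublic;
                  rule = "Host(`gitea.blunkall.us`)";
                  service = "gitea";
                  tls.certResolver = certResolver;
                };
                nextcloud = {
                  entryPoints = lanAndPublic;
                  rule = "Host(`nextcloud.blunkall.us`)";
                  service = "nextcloud";
                  tls.certResolver = certResolver;
                  middlewares = [ "nextcloud_redirectregex" ];
                };
                # Traefik's own dashboard/API, gated by authentik.
                traefik = {
                  entryPoints = lanAndPublic;
                  rule = "Host(`traefik.blunkall.us`)";
                  service = "api@internal";
                  tls.certResolver = certResolver;
                  middlewares = [ "authentik" ];
                };
                ntfy = {
                  entryPoints = publicOnly;
                  rule = "Host(`ntfy.blunkall.us`)";
                  service = "ntfy";
                  tls.certResolver = certResolver;
                };
                # pihole = { entryPoints = [ "localsecure" ]; rule = "Host(`pihole.blunkall.us`)"; service = "pihole"; tls.certResolver = "cloudflare"; };
              };

              middlewares = {
                # Forward-auth against the authentik outpost on the host.
                # trustForwardHeader passes the request's own X-Forwarded-*
                # headers through to authentik, so a client can influence the
                # client address/host/proto authentik sees unless the
                # entrypoints restrict that via forwardedHeaders.trustedIPs.
                authentik.forwardAuth = {
                  address = "http://${hostAddress}:9000/outpost.goauthentik.io/auth/traefik";
                  trustForwardHeader = true;
                  authResponseHeaders = [
                    "X-authentik-username"
                    "X-authentik-groups"
                    "X-authentik-email"
                    "X-authentik-name"
                    "X-authentik-uid"
                    "X-authentik-jwt"
                    "X-authentik-meta-jwks"
                    "X-authentik-meta-outpost"
                    "X-authentik-meta-provider"
                    "X-authentik-meta-app"
                    "X-authentik-meta-version"
                  ];
                };
                # CalDAV/CardDAV well-known redirect for Nextcloud clients.
                nextcloud_redirectregex.redirectregex = {
                  permanent = true;
                  regex = "https://nextcloud.blunkall.us/.well-known/(?:card|cal)dav";
                  replacement = "https://nextcloud.blunkall.us/remote.php/dav";
                };
              };

              services = {
                gitlab = httpUpstream "http://192.168.100.16:80";
                gitea = httpUpstream "http://192.168.100.20:3000";
                homepage = httpUpstream "http://192.168.100.13:80";
                jellyfin = httpUpstream "http://192.168.100.14:8096";
                authentik = httpUpstream "http://${hostAddress}:9000";
                # Unreferenced while the pihole router above stays commented out.
                pihole = httpUpstream "http://${hostAddress}:8080";
                novnc = httpUpstream "http://${hostAddress}:6080";
                nextcloud = httpUpstream "http://192.168.100.15:80";
                ntfy = httpUpstream "http://192.168.100.19";
                homeassistant = httpUpstream "http://${hostAddress}:8123";
              };
            };
          };
        };

        # The container runs its own firewall: every forwarded port must also be
        # opened here, otherwise the DNAT'd traffic is dropped inside the
        # container (previously 8002-8005 were forwarded but not allowed).
        networking.firewall.allowedTCPPorts = forwardedTcpPorts;
        # No entrypoint enables HTTP/3, so nothing listens on UDP today; these
        # rules are inert until that changes.
        networking.firewall.allowedUDPPorts = [ 80 443 ];

        system.stateVersion = "24.05";
      };
    };
  };
}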