nix-configs/modules/services/traefik.nix

{
  pkgs,
  lib,
  config,
  ...
}:
let
  cfg = config.xyno.services.traefik;
  simpleProxyOpts = lib.mapAttrsToList (
    n: v:
    let
      router = "simpleproxy-${n}-router";
      service = "simpleproxy-${n}-service";
      spl = lib.splitString "." v.host;
      certDomain =
        if (builtins.length spl) > 2 then lib.concatStringsSep "." (builtins.tail spl) else spl;
    in
    {
      routers."${router}-robotstxt" = {
        service = "robotstxt";
        rule = "Host(`${v.host}`) && Path(`/robots.txt`)";
        tls.domains = [
          {
            main = certDomain;
            sans = [ "*.${certDomain}" ];
          }
        ];
        
      };
      routers.${router} = {
        inherit service;
        rule = "Host(`${v.host}`)";
        tls.domains = [
          {
            main = certDomain;
            sans = [ "*.${certDomain}" ];
          }
        ];
      };
      services.${service} = {
        loadBalancer.servers = [
          { url = v.internal; }
        ];
      };
      services.robotstxt = {
        loadBalancer.servers = [
          { url = "http://127.0.0.2"; }
        ];
      };
    }
  ) cfg.simpleProxy;
in
{
  options.xyno.services.traefik.enable = lib.mkEnableOption "enables traefik";
  options.xyno.services.traefik.noBots = lib.mkOption {
    type = lib.types.bool;
    default = true;
  };
  options.xyno.services.traefik.simpleProxy = lib.mkOption {
    example = {
      "example" = {
        host = "example.org";
        middlewares = [ "meow" ];
        internal = "http://127.0.0.1:8080";
      };
    };
    default = { };
    type = lib.types.attrsOf (
      lib.types.submodule {
        options = {
          middlewares = lib.mkOption {
            type = lib.types.nullOr (lib.types.listOf lib.types.str);
          };
          internal = lib.mkOption {
            type = lib.types.str;
          };
          host = lib.mkOption {
            type = lib.types.str;
          };
          
        };
      }
    );

  };
  config = lib.mkIf cfg.enable {
    services.nginx = {
      enable = lib.mkIf cfg.noBots true;
      defaultListenAddresses = lib.mkIf cfg.noBots [ "127.0.0.2" ];
      virtualHosts.localhost.locations."/".root = pkgs.runCommand "nginx-robots" ''
        mkdir $out
        echo "User-Agent: *\nDisallow: /" > $out/robots.txt
      '';
    };
    services.traefik = {
      enable = true;
      environmentFiles = [
        config.sops.templates."traefik.env".path
      ];
      staticConfigOptions = {
        metrics = lib.mkIf config.xyno.services.monitoring.enable {
          otlp.http.endpoint = "http://localhost:8429/v1/metrics";
        };
        entryponts.web = {
          address = ":80";
          redirections.entryPoint = {
            to = "websecure";
            scheme = "https";
            permanent = true;
          };
        };
        entryponts.websecure = {
          address = ":443";
          tls.certResolver = "letsencrypt";
          http3 = { };

        };
        log.level = "INFO";
        certificatesResolvers.letsencrypt.acme = {
          email = "ssl@xyno.systems";
          caServer = "https://acme-v02.api.letsencrypt.org/directory";
          dnsChallenge = {
            provider = "desec";
          };
        };
      };
      dynamicConfigOptions = {
        http = lib.mkMerge simpleProxyOpts;
        tls.options.default = {
          # mozilla modern
          minVersion = "VersionTLS13";
          curvePreferences = [
            "X25519"
            "CurveP256"
            "CurveP384"
          ];
        };
        tls.options.old = {
          # mozilla intermediate
          minVersion = "VersionTLS12";
          curvePreferences = [
            "X25519"
            "CurveP256"
            "CurveP384"
          ];
          cipherSuites = [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
          ];

        };
      };
    };
    networking.firewall.allowedTCPPorts = [
      80
      443
    ];
    networking.firewall.allowedUDPPorts = [ 443 ];
    xyno.impermanence.directories = [ config.services.traefik.dataDir ];
    sops.secrets."desec_token" = {
    };
    sops.templates."traefik.env".content = ''
      DESEC_TOKEN=${config.sops.placeholder.desec_token}
      DESEC_PROPAGATION_TIMEOUT=1200
    '';
    sops.templates."traefik.env".reloadUnits = [ "traefik.service" ];
    # services.borgmatic.settings.traefikql_databases = [
    #   {
    #     name = "all"; # gets run as root anyways so can log in
    #   }
    # ];

  };
}