Refactor the Nix config management.

2026-06-14 10:48:56 +02:00 · 2026-02-06 21:31:22 +01:00 · 2026-02-06 21:31:22 +01:00 · aca053b4e1
commit aca053b4e1
parent 55fe63bcdb
23 changed files with 954 additions and 1764 deletions
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@ -0,0 +1,101 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  local.hostname = "nixos-traefik";
+  local.username = "traefikprg";
+  local.userDescription = "NixOS PRG Traefik Service";
+  local.address = "10.1.1.250";
+
+  services.traefik = {
+    enable = true;
+    group = "acme";
+    staticConfigOptions = {
+      entryPoints = {
+        web = {
+          address = ":80";
+          asDefault = true;
+          http.redirections.entrypoint = {
+            to = "websecure";
+            scheme = "https";
+          };
+        };
+        websecure = {
+          address = ":443";
+          asDefault = true;
+          http.tls = {
+            domains = [
+              {
+                main = "prg-radio.org";
+                sans = ["*.prg-radio.org"];
+              }
+            ];
+          };
+        };
+      };
+      log = {
+        level = "INFO";
+        filePath = "${config.services.traefik.dataDir}/traefik.log";
+        format = "json";
+      };
+      api.dashboard = true;
+      api.insecure = true;
+    };
+    dynamicConfigOptions = {
+      tls.certificates = [
+        {
+          certFile = "/var/lib/acme/prg-radio.org/cert.pem";
+          keyFile = "/var/lib/acme/prg-radio.org/key.pem";
+        }
+      ];
+      http.routers = {
+        forgejo = {
+          rule = "Host(`git.prg-radio.org`)";
+          service = "forgejo";
+          entryPoints = ["websecure"];
+          tls = {};
+        };
+      };
+      http.services = {
+        forgejo.loadBalancer = {
+          servers = [
+            {url = "http://10.1.1.4:3000";}
+          ];
+        };
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "dtu.prg@gmail.com";
+    certs."prg-radio.org" = {
+      domain = "*.prg-radio.org";
+      group = "acme";
+      dnsProvider = "cloudflare";
+      environmentFile = "/home/traefikprg/cloudflare/cloudflare.env";
+      reloadServices = ["traefik.service"];
+    };
+  };
+
+  systemd.services.traefik = {
+    after = ["acme-finished-prg-radio.org.target"];
+    wants = ["acme-finished-prg-radio.org.target"];
+  };
+
+  networking.firewall.allowedTCPPorts = [80 443];
+  networking.firewall.allowedUDPPorts = [80 443];
+
+  imports = [
+    ./modules/desktop-manager/sway_greetd_homemanager.nix
+    ./modules/local/hostname_username.nix
+    ./modules/local/networking_local.nix
+    ./modules/bootloader/seabios.nix
+    ./modules/lix-default.nix
+    # Optionally: ./modules/toolsets/remote_building.nix
+  ];
+
+  system.stateVersion = "25.11";
+}