nixpkgs/nixos/modules/services/web-servers/traefik.nix

{ config, lib, pkgs, ... }:
with lib;
let
# Shorthand for this module's option values.
cfg = config.services.traefik;
# Recursive option type for arbitrary JSON-shaped values: null, bool, int,
# float, string, and attribute sets / lists of the same.  Traefik's
# configuration is passed through verbatim, so no per-field typing is done
# here; `lazyAttrsOf` keeps attribute values unevaluated until needed.
jsonValue =
  let
    inherit (types) nullOr oneOf bool int float str lazyAttrsOf listOf;
    valueType = (nullOr (oneOf [
      bool
      int
      float
      str
      (lazyAttrsOf valueType)
      (listOf valueType)
    ])) // {
      description = "JSON value";
      emptyValue.value = { };
    };
  in
  valueType;
# TOML file handed to Traefik's file provider.  A user-supplied
# `dynamicConfigFile` is used as-is; otherwise `dynamicConfigOptions` is
# serialised to JSON and converted with remarshal.
#
# NOTE(security): the generated file is a Nix store path and therefore
# readable by every local user.  Anything secret (for example credentials in
# middleware definitions) must not be put in dynamicConfigOptions; use a
# dynamicConfigFile outside the store instead.
dynamicConfigFile =
  let
    dynamicJson = pkgs.writeText "dynamic_config.json"
      (builtins.toJSON cfg.dynamicConfigOptions);
    # Only evaluated (and built) when no explicit file was given, since `let`
    # bindings are lazy.
    generated = pkgs.runCommand "config.toml" {
      buildInputs = [ pkgs.remarshal ];
      preferLocalBuild = true;
    } ''
      remarshal -if json -of toml \
        < ${dynamicJson} \
        > $out
    '';
  in
  if cfg.dynamicConfigFile != null then cfg.dynamicConfigFile else generated;
# TOML file passed to `traefik --configfile`.  A user-supplied
# `staticConfigFile` is used as-is; in that case nothing below runs, so the
# file provider pointing at `dynamicConfigFile` is NOT injected and
# dynamicConfigOptions are effectively ignored.  Otherwise
# `staticConfigOptions` is extended with `providers.file.filename` (any
# user-set value for that single key is overridden; sibling keys under
# `providers.file` survive the recursiveUpdate) and converted with yj.
#
# NOTE(security): as with the dynamic file, the result lives in the
# world-readable Nix store; keep secrets out of staticConfigOptions.
staticConfigFile =
  let
    staticJson = pkgs.writeText "static_config.json" (builtins.toJSON
      (recursiveUpdate cfg.staticConfigOptions {
        providers.file.filename = "${dynamicConfigFile}";
      }));
    generated = pkgs.runCommand "config.toml" {
      buildInputs = [ pkgs.yj ];
      preferLocalBuild = true;
    } ''
      yj -jt -i \
        < ${staticJson} \
        > $out
    '';
  in
  if cfg.staticConfigFile != null then cfg.staticConfigFile else generated;
in {
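options.services.traefik = {
  enable = mkEnableOption (lib.mdDoc "Traefik web server");

  # A user-supplied static configuration replaces the whole generated file,
  # including the file provider that would otherwise point at the dynamic
  # configuration built from dynamicConfigOptions.
  staticConfigFile = mkOption {
    default = null;
    example = literalExpression "/path/to/static_config.toml";
    type = types.nullOr types.path;
    description = lib.mdDoc ''
      Path to traefik's static configuration to use.
      (Using that option has precedence over `staticConfigOptions` and `dynamicConfigOptions`;
      no file provider for the generated dynamic configuration is added, so the
      file has to declare its own providers.)

      If the file contains secrets, keep it outside the Nix store and give the
      location as a string (for example `"/etc/traefik/static.toml"`); a bare
      path literal is copied into the world-readable Nix store.
    '';
  };

  # Serialised into the Nix store by this module; see the description for the
  # consequence regarding secrets.
  staticConfigOptions = mkOption {
    description = lib.mdDoc ''
      Static configuration for Traefik.

      These options are serialised into a file in the Nix store, which every
      local user can read. Do not place secrets (for example ACME DNS-provider
      credentials) here; put them in a file outside the store and use
      `staticConfigFile` instead.
    '';
    type = jsonValue;
    default = { entryPoints.http.address = ":80"; };
    example = {
      entryPoints.web.address = ":8080";
      entryPoints.http.address = ":80";
      api = { };
    };
  };

  dynamicConfigFile = mkOption {
    default = null;
    example = literalExpression "/path/to/dynamic_config.toml";
    type = types.nullOr types.path;
    description = lib.mdDoc ''
      Path to traefik's dynamic configuration to use.
      (Using that option has precedence over `dynamicConfigOptions`)

      As with `staticConfigFile`, pass a string rather than a path literal when
      the file must stay out of the Nix store.
    '';
  };

  dynamicConfigOptions = mkOption {
    description = lib.mdDoc ''
      Dynamic configuration for Traefik.

      Like `staticConfigOptions`, this ends up in the world-readable Nix store;
      keep credentials (for example middleware authentication data) in a
      `dynamicConfigFile` outside the store.
    '';
    type = jsonValue;
    default = { };
    example = {
      http.routers.router1 = {
        rule = "Host(`localhost`)";
        service = "service1";
      };
      http.services.service1.loadBalancer.servers =
        [{ url = "http://localhost:8080"; }];
    };
  };

  dataDir = mkOption {
    default = "/var/lib/traefik";
    type = types.path;
    description = lib.mdDoc ''
      Location for any persistent data traefik creates, e.g. ACME state.
      The directory is created with mode 0700 and owned by the traefik user.
    '';
  };

  # Only the supplementary group is configurable; the service always runs as
  # the `traefik` user.
  group = mkOption {
    default = "traefik";
    type = types.str;
    example = "docker";
    description = lib.mdDoc ''
      Set the group that traefik runs under.
      For the docker backend this needs to be set to `docker` instead.

      Note that membership of the `docker` group gives the Traefik process
      control over the Docker daemon, which is effectively root on the host;
      only use it when the docker provider is actually required.
    '';
  };

  package = mkOption {
    default = pkgs.traefik;
    defaultText = literalExpression "pkgs.traefik";
    type = types.package;
    description = lib.mdDoc "Traefik package to use.";
  };
};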
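config = mkIf cfg.enable {
  # The data directory is private to the service user (0700).  It holds
  # whatever Traefik persists, e.g. ACME account keys and certificates, so it
  # must not be readable by cfg.group (which may be `docker`).
  systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0700 traefik traefik - -" ];

  systemd.services.traefik = {
    description = "Traefik web server";
    # `after` alone does not pull network-online.target into the transaction,
    # so the ordering only takes effect when the unit also `wants` it.
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    # At most 5 restarts per day before systemd gives up.
    startLimitIntervalSec = 86400;
    startLimitBurst = 5;
    serviceConfig = {
      ExecStart =
        "${cfg.package}/bin/traefik --configfile=${staticConfigFile}";
      Type = "simple";
      User = "traefik";
      # cfg.group may be `docker`; that grants the proxy control over the
      # Docker daemon, which is effectively root on the host.
      Group = cfg.group;
      Restart = "on-failure";
      # Only the capability needed to bind ports below 1024 is kept; the
      # bounding set drops everything else and NoNewPrivileges prevents
      # regaining privileges via setuid/fscaps binaries.
      AmbientCapabilities = "cap_net_bind_service";
      CapabilityBoundingSet = "cap_net_bind_service";
      NoNewPrivileges = true;
      LimitNPROC = 64;
      LimitNOFILE = 1048576;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectHome = true;
      # "full" keeps /usr, /boot and /etc read-only; cfg.dataDir is the only
      # writable location.  Consider "strict" once it is confirmed the
      # providers in use write nowhere else.
      ProtectSystem = "full";
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      LockPersonality = true;
      # ReadWritePaths is the current name of the deprecated
      # ReadWriteDirectories setting.
      ReadWritePaths = cfg.dataDir;
      # RestrictAddressFamilies / SystemCallFilter are deliberately not set:
      # the required set depends on the provider in use (e.g. AF_UNIX for the
      # Docker socket) and a wrong filter would break the proxy at runtime.
    };
  };

  # Dedicated system user; the home directory doubles as dataDir (also
  # created above via tmpfiles, which additionally enforces the 0700 mode).
  users.users.traefik = {
    group = "traefik";
    home = cfg.dataDir;
    createHome = true;
    isSystemUser = true;
  };
  users.groups.traefik = { };
};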
}