feat(nix): extract traefik config to shared module

nix/modules/darwin/nix/default.nix

@@ -54,7 +54,6 @@ in {
         build-users-group = "nixbld";
         substituters = [
           "https://cache.nixos.org"
-          "https://khanelinix.cachix.org"
           "https://nix-community.cachix.org"
           "https://nixpkgs-unfree.cachix.org"
           "https://numtide.cachix.org"
@@ -63,7 +62,6 @@ in {
 
         trusted-public-keys = [
           "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-          "khanelinix.cachix.org-1:FTmbv7OqlMsmJEOFvAlz7PVkoGtstbwLC2OldAiJZ10="
           "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
           "nixpkgs-unfree.cachix.org-1:hqvoInulhbV4nJ9yJOEr+4wxhDV4xq2d1DK7S6Nj6rs="
           "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="

nix/modules/nixos/containers/adguard/default.nix

@@ -16,6 +16,15 @@ in {
     rewriteAddress = mkOpt str "192.168.89.206" "IP address or CNAME to create DNS rewrites(local DNS entries) to";
   };
 
+  imports = [
+    (import ../shared/shared-traefik-route.nix
+      {
+        app = "adguard";
+        host = "${cfg.host}";
+        url = "http://${cfg.localAddress}:3000";
+      })
+  ];
+
   config = mkIf cfg.enable {
     networking.nat = {
       enable = true;
@@ -81,27 +90,5 @@ in {
         system.stateVersion = "24.11";
       };
     };
-
-    containers.traefik.config.services.traefik.dynamicConfigOptions.http = lib.mkIf config.${namespace}.containers.traefik.enable {
-      routers.adguard = {
-        entrypoints = ["websecure"];
-        rule = "Host(`${cfg.host}`)";
-        service = "adguard";
-        middlewares = ["auth-chain"];
-        tls = {
-          certResolver = "production";
-        };
-      };
-      services.adguard = {
-        loadBalancer = {
-          passHostHeader = true;
-          servers = [
-            {
-              url = "http://${cfg.localAddress}:3000";
-            }
-          ];
-        };
-      };
-    };
   };
 }

nix/modules/nixos/containers/authelia/default.nix

@@ -2,7 +2,6 @@
   config,
   lib,
   namespace,
-  inputs,
   ...
 }:
 with lib;
@@ -19,6 +18,16 @@ in {
     localAddress = mkOpt str "172.16.64.103" "With privateNetwork, which address to use in container";
   };
 
+  imports = [
+    (import ../shared/shared-traefik-route.nix
+      {
+        app = "authelia";
+        host = "${cfg.host}";
+        url = "http://${cfg.localAddress}:9091";
+        middleware = "secure-headers";
+      })
+  ];
+
   config = mkIf cfg.enable {
     sops.secrets = {
       authelia-env = {
@@ -140,30 +149,6 @@ in {
       };
     };
 
-    containers.traefik.config.services.traefik.dynamicConfigOptions.http = lib.mkIf config.${namespace}.containers.traefik.enable {
-      routers.authelia = {
-        entrypoints = ["websecure"];
-        rule = "Host(`${cfg.host}`)";
-        service = "authelia";
-        middlewares = [
-          "secure-headers"
-        ];
-        tls = {
-          certResolver = "production";
-        };
-      };
-      services.authelia = {
-        loadBalancer = {
-          passHostHeader = true;
-          servers = [
-            {
-              url = "http://${cfg.localAddress}:9091";
-            }
-          ];
-        };
-      };
-    };
-
     containers.adguard.config.services.adguardhome.settings.filtering.rewrites =
       lib.mkIf config.${namespace}.containers.adguard.enable
       [

nix/modules/nixos/containers/flood/default.nix

@@ -14,6 +14,14 @@ in {
     hostAddress = mkOpt str "172.16.64.10" "With private network, which address to use on Host";
     localAddress = mkOpt str "172.16.64.105" "With privateNetwork, which address to use in container";
   };
+  imports = [
+    (import ../shared/shared-traefik-route.nix
+      {
+        app = "flood";
+        host = "${cfg.host}";
+        url = "http://${cfg.localAddress}:3000";
+      })
+  ];
 
   config = mkIf cfg.enable {
     networking.nat = {
@@ -68,28 +76,6 @@ in {
       };
     };
 
-    containers.traefik.config.services.traefik.dynamicConfigOptions.http = lib.mkIf config.${namespace}.containers.traefik.enable {
-      routers.flood = {
-        entrypoints = ["websecure"];
-        rule = "Host(`${cfg.host}`)";
-        service = "flood";
-        middlewares = ["auth-chain"];
-        tls = {
-          certResolver = "production";
-        };
-      };
-      services.flood = {
-        loadBalancer = {
-          passHostHeader = true;
-          servers = [
-            {
-              url = "http://${cfg.localAddress}:3000";
-            }
-          ];
-        };
-      };
-    };
-
     containers.adguard.config.services.adguardhome.settings.filtering.rewrites =
       lib.mkIf config.${namespace}.containers.flood.enable
       [

nix/modules/nixos/containers/homepage/default.nix

@@ -15,6 +15,14 @@ in {
     localAddress = mkOpt str "172.16.64.101" "With privateNetwork, which address to use in container";
   };
 
+  imports = [
+    (import ../shared/shared-traefik-route.nix
+      {
+        app = "homepage";
+        host = "${cfg.host}";
+        url = "http://${cfg.localAddress}:8082";
+      })
+  ];
   config = mkIf cfg.enable {
     containers.homepage = {
       ephemeral = true;
@@ -116,28 +124,6 @@ in {
       };
     };
 
-    containers.traefik.config.services.traefik.dynamicConfigOptions.http = lib.mkIf config.${namespace}.containers.traefik.enable {
-      routers.homepage = {
-        entrypoints = ["websecure"];
-        rule = "Host(`${cfg.host}`)";
-        service = "homepage";
-        middlewares = ["auth-chain"];
-        tls = {
-          certResolver = "production";
-        };
-      };
-      services.homepage = {
-        loadBalancer = {
-          passHostHeader = true;
-          servers = [
-            {
-              url = "http://${cfg.localAddress}:8082";
-            }
-          ];
-        };
-      };
-    };
-
     containers.adguard.config.services.adguardhome.settings.filtering.rewrites =
       lib.mkIf config.${namespace}.containers.adguard.enable
       [

nix/modules/nixos/containers/nextcloud/default.nix

@@ -18,6 +18,14 @@ in {
     localAddress = mkOpt str "172.16.64.106" "With privateNetwork, which address to use in container";
   };
 
+  imports = [
+    (import ../shared/shared-traefik-route.nix
+      {
+        app = "nextcloud";
+        host = "${cfg.host}";
+        url = "http://${cfg.localAddress}:80";
+      })
+  ];
   config = mkIf cfg.enable {
     networking.nat = {
       enable = true;
@@ -150,28 +158,6 @@ in {
       };
     };
 
-    containers.traefik.config.services.traefik.dynamicConfigOptions.http = lib.mkIf config.${namespace}.containers.traefik.enable {
-      routers.nextcloud = {
-        entrypoints = ["websecure"];
-        rule = "Host(`${cfg.host}`)";
-        service = "nextcloud";
-        middlewares = ["auth-chain"];
-        tls = {
-          certResolver = "production";
-        };
-      };
-      services.nextcloud = {
-        loadBalancer = {
-          passHostHeader = true;
-          servers = [
-            {
-              url = "http://${cfg.localAddress}:80";
-            }
-          ];
-        };
-      };
-    };
-
     containers.adguard.config.services.adguardhome.settings.filtering.rewrites =
       lib.mkIf config.${namespace}.containers.adguard.enable
       [

nix/modules/nixos/containers/shared/shared-traefik-route.nix

@@ -0,0 +1,30 @@
+# Typical route with authentication via authelia and cert via cloudflare
+{
+  app ? "test",
+  host ? "test.sbulav.ru",
+  url ? "http://localhost:80",
+  middleware ? "auth-chain",
+  ...
+}: {
+  containers.traefik.config.services.traefik.dynamicConfigOptions.http = {
+    routers.${app} = {
+      entrypoints = ["websecure"];
+      rule = "Host(`${host}`)";
+      service = "${app}";
+      middlewares = ["${middleware}"];
+      tls = {
+        certResolver = "production";
+      };
+    };
+    services.${app} = {
+      loadBalancer = {
+        passHostHeader = true;
+        servers = [
+          {
+            url = "${url}";
+          }
+        ];
+      };
+    };
+  };
+}

nix/modules/nixos/containers/traefik/default.nix

@@ -14,6 +14,7 @@ in {
     domain = mkOpt str "" "The domain to get certificates to";
     dataPath = mkOpt str "/tank/traefik" "Traefik data path on host machine";
   };
+
   imports = [
     # Middlewares
     ./middleware_authelia.nix

nix/modules/nixos/system/nix/default.nix

@@ -49,7 +49,6 @@ in {
         warn-dirty = false;
         substituters = [
           "https://cache.nixos.org"
-          "https://khanelinix.cachix.org"
           "https://nix-community.cachix.org"
           "https://nixpkgs-unfree.cachix.org"
           "https://numtide.cachix.org"
@@ -58,7 +57,6 @@ in {
 
         trusted-public-keys = [
           "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-          "khanelinix.cachix.org-1:FTmbv7OqlMsmJEOFvAlz7PVkoGtstbwLC2OldAiJZ10="
           "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
           "nixpkgs-unfree.cachix.org-1:hqvoInulhbV4nJ9yJOEr+4wxhDV4xq2d1DK7S6Nj6rs="
           "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="

nix/systems/x86_64-linux/serverz/default.nix

@@ -67,7 +67,7 @@ in {
       localAddress = "172.16.64.105";
     };
     nextcloud = {
-      enable = true;
+      enable = false;
       host = "nextcloud2.sbulav.ru";
       hostAddress = "172.16.64.10";
       localAddress = "172.16.64.106";