From ac47ec4689a227d71c928250589409be0db60ca9 Mon Sep 17 00:00:00 2001
From: Tibo De Peuter <tibo@depeuter.dev>
Date: Thu, 4 Sep 2025 10:39:02 +0200
Subject: [PATCH] fix(traefik): Add proxy network

---
 modules/apps/arr/default.nix     |  8 +++
 modules/apps/traefik/default.nix | 90 ++++++++++++++++++++++++++++++++
 2 files changed, 98 insertions(+)
 create mode 100644 modules/apps/traefik/default.nix

diff --git a/modules/apps/arr/default.nix b/modules/apps/arr/default.nix
index 2687e2a..de696f5 100644
--- a/modules/apps/arr/default.nix
+++ b/modules/apps/arr/default.nix
@@ -4,6 +4,8 @@ let
   cfg = config.homelab.apps.arr;
 
   networkName = "arrStack";
+  proxyNet = config.homelab.apps.traefik.sharedNetworkName;
+
   appNames = [ "bazarr" "lidarr" "prowlarr" "qbittorrent" "radarr" "sonarr" ];
   inUse = builtins.any (app: cfg.${app}.enable) appNames;
 
@@ -233,6 +235,7 @@ in {
         ];
         extraOptions = [
           "--network=${networkName}"
+          "--network=${proxyNet}"
         ];
         environment = {
           PUID = toString config.users.users.bazarr.uid;
@@ -267,6 +270,7 @@ in {
         ];
         extraOptions = [
           "--network=${networkName}"
+          "--network=${proxyNet}"
         ];
         environment = {
           PUID = toString config.users.users.lidarr.uid;
@@ -293,6 +297,7 @@ in {
         ];
         extraOptions = [
           "--network=${networkName}"
+          "--network=${proxyNet}"
         ];
         environment = {
           PUID = toString config.users.users.prowlarr.uid;
@@ -324,6 +329,7 @@ in {
         ];
         extraOptions = [
           "--network=${networkName}"
+          "--network=${proxyNet}"
         ];
         environment = {
           PUID = toString config.users.users.qbittorrent.uid;
@@ -355,6 +361,7 @@ in {
         ];
         extraOptions = [
           "--network=${networkName}"
+          "--network=${proxyNet}"
         ];
         environment = {
           PUID = toString config.users.users.radarr.uid;
@@ -388,6 +395,7 @@ in {
         ];
         extraOptions = [
           "--network=${networkName}"
+          "--network=${proxyNet}"
         ];
         environment = {
           PUID = toString config.users.users.sonarr.uid;
diff --git a/modules/apps/traefik/default.nix b/modules/apps/traefik/default.nix
new file mode 100644
index 0000000..7f6ce38
--- /dev/null
+++ b/modules/apps/traefik/default.nix
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.homelab.apps.traefik;
+
+  port = 8080;
+in {
+  options.homelab.apps.traefik = {
+    enable = lib.mkEnableOption "Traefik Reverse Proxy";
+    sharedNetworkName = lib.mkOption {
+      type = lib.types.str;
+      default = "traefik";
+      description = "The name of the shared network to connect the container to.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    homelab.virtualisation.containers.enable = true;
+
+    # Make sure the Docker network exists.
+    systemd.services."docker-${cfg.sharedNetworkName}-create-network" = {
+      description = "Create Docker network for ${cfg.sharedNetworkName}";
+      requiredBy = [
+        "docker-traefik.service"
+      ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      script = ''
+        if ! ${pkgs.docker}/bin/docker network ls | grep -q ${cfg.sharedNetworkName}; then
+          ${pkgs.docker}/bin/docker network create ${cfg.sharedNetworkName}
+        fi
+      '';
+    };
+
+    virtualisation.oci-containers.containers.traefik = {
+      hostname = "traefik";
+      image = "traefik:v3.4.3";
+      autoStart = true;
+      ports = [
+        "80:80/tcp"
+        "443:443/tcp"
+        "${toString port}:${toString port}/tcp" # Web UI (enabled by --api.insecure=true)
+      ];
+      extraOptions = [
+        "--network=${cfg.sharedNetworkName}"
+      ];
+      environmentFiles = [
+        /home/admin/.cloudflare.secret
+      ];
+      cmd = [
+        "--api.insecure=true"
+
+        # Add Docker provider
+        "--providers.docker=true"
+        "--providers.docker.exposedByDefault=false"
+
+        # Add web entrypoint
+        "--entrypoints.web.address=:80/tcp"
+        "--entrypoints.web.http.redirections.entrypoint.to=websecure"
+        "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+
+        # Add websecure entrypoint
+        "--entrypoints.websecure.address=:443/tcp"
+        "--entrypoints.websecure.http.tls=true"
+        "--entrypoints.websecure.http.tls.certResolver=letsencrypt"
+        "--entrypoints.websecure.http.tls.domains[0].main=depeuter.dev"
+        "--entrypoints.websecure.http.tls.domains[0].sans=*.depeuter.dev"
+        "--entrypoints.websecure.http.tls.domains[1].sans=*.${config.networking.hostName}.depeuter.dev"
+
+        # Certificates
+        "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
+        "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
+        "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
+        "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
+      ];
+      volumes = [
+        "letsencryp:/letsencrypt"
+
+        "/var/run/docker.sock:/var/run/docker.sock:ro"
+      ];
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.traefik.rule" = "Host(`traefik.${config.networking.hostName}.depeuter.dev`)";
+        "traefik.http.services.traefik.loadbalancer.server.port" = toString port;
+      };
+    };
+  };
+}