alo-cluster/hosts/alo-cloud-1/reverse-proxy.nix

{ pkgs, ... }:
{
  environment.systemPackages = [ pkgs.traefik ];
  environment.persistence."/persist".files = [
    "/acme/acme.json"
  ];

  services.traefik = {
    enable = true;

    staticConfigOptions = {
      global = {
        checkNewVersion = false;
        sendAnonymousUsage = false;
      };

      accessLog = {};

      api = {
        dashboard = true;
      };

      certificatesResolvers = {
        letsencrypt = {
          acme = {
            email = "petru@paler.net";
            storage = "/acme/acme.json";
            tlsChallenge = {};
          };
         };
       };

      entryPoints = {
        web = {
          address = ":80";
          http = {
            redirections = {
              entrypoint = {
                to = "websecure";
                scheme = "https";
                permanent = true;
              };
            };
          };
        };
        websecure = {
          address = ":443";
          http = {
            tls = {
              certResolver = "letsencrypt";
            };
          };
        };
        tailscale = {
          address = "100.75.147.49:8080";
        };
      };

      experimental.plugins = {
        souin = {
          moduleName = "github.com/darkweak/souin";
          version = "v1.6.44";
        };
      };
    };

    dynamicConfigOptions = {
      http = {
        services = {
          alo-cluster = {
            loadBalancer = {
              servers = [
                {
                  # edgy over Tailscale
                  url = "http://100.64.229.126:10080";
                }
              ];
            };
          };
        };

        middlewares = {
          cache.plugin.souin = {
            default_cache.ttl = "86400s";
            log_level = "info";
          };
        };

        routers = {
          api = {
            entryPoints = "tailscale";
            rule = "Host(`traefik-cloud.v.paler.net`)";
            service = "api@internal";
          };

          wordpress-paler-net = {
            entryPoints = "websecure";
            rule = "Host(`wordpress.paler.net`)";
            service = "alo-cluster";
            middlewares = [ "cache" ];
          };

          ines-paler-net = {
            entryPoints = "websecure";
            rule = "Host(`ines.paler.net`)";
            service = "alo-cluster";
            middlewares = [ "cache" ];
          };

          coachingfor-me = {
            entryPoints = "websecure";
            rule = "Host(`coachingfor.me`)";
            service = "alo-cluster";
            middlewares = [ "cache" ];
          };

          coachingfor-work = {
            entryPoints = "websecure";
            rule = "Host(`coachingfor.work`)";
            service = "alo-cluster";
            middlewares = [ "cache" ];
          };

          petru-ines-paler-net = {
            entryPoints = "websecure";
            rule = "Host(`petru.ines.paler.net`)";
            service = "alo-cluster";
            middlewares = [ "cache" ];
          };

          liam-paler-net = {
            entryPoints = "websecure";
            rule = "Host(`liam.paler.net`)";
            service = "alo-cluster";
            middlewares = [ "cache" ];
          };

          tomas-paler-net = {
            entryPoints = "websecure";
            rule = "Host(`tomas.paler.net`)";
            service = "alo-cluster";
            middlewares = [ "cache" ];
          };

          musictogethersilvercoast-pt = {
            entryPoints = "websecure";
            rule = "Host(`musictogethersilvercoast.pt`)";
            service = "alo-cluster";
            middlewares = [ "cache" ];
          };
        };
      };
    };
  };

  # to make the Souin plugin installable, cf. https://community.traefik.io/t/cant-use-plugins-error-mkdir-plugins-storage-permission-denied/16341/3
  systemd.services.traefik.serviceConfig.WorkingDirectory = "/var/lib/traefik";
}