reverse proxy stuff

lib/default.nix

@@ -10,6 +10,9 @@
     # Import system utilities
     system = import ./system { inherit inputs; };
 
+    # Import reverse proxy utilities
+    reverseproxy = import ./reverseproxy { inherit inputs; };
+
     # Import examples
     examples = import ./examples { inherit inputs; };
   };

lib/examples/reverseproxy.nix

@@ -0,0 +1,113 @@
+# Example usage of the reverse proxy utilities
+{ inputs, lib, ... }:
+let
+  inherit (lib.mjallen-lib.reverseproxy)
+    mkReverseProxy
+    mkReverseProxies
+    templates
+    middlewares
+    urls
+    ;
+in
+{
+  # Example 1: Simple reverse proxy for a local service
+  simpleProxy = mkReverseProxy {
+    name = "myapp";
+    subdomain = "myapp";
+    url = "http://127.0.0.1:3000";
+  };
+
+  # Example 2: Authenticated service with custom middlewares
+  authProxy = mkReverseProxy {
+    name = "admin-panel";
+    subdomain = "admin";
+    url = "http://127.0.0.1:8080";
+    middlewares = middlewares.authBasic;
+  };
+
+  # Example 3: Container-based service
+  containerProxy = mkReverseProxy {
+    name = "nextcloud";
+    subdomain = "cloud";
+    url = urls.container "nextcloud" 80;
+    middlewares = middlewares.basic;
+  };
+
+  # Example 4: Multiple proxies at once
+  multipleProxies = mkReverseProxies [
+    {
+      name = "grafana";
+      subdomain = "grafana";
+      url = urls.localhost 3000;
+      middlewares = middlewares.authBasic;
+    }
+    {
+      name = "prometheus";
+      subdomain = "prometheus";
+      url = urls.localhost 9090;
+      middlewares = middlewares.internal;
+    }
+    {
+      name = "alertmanager";
+      subdomain = "alerts";
+      url = urls.localhost 9093;
+      middlewares = middlewares.authBasic;
+    }
+  ];
+
+  # Example 5: Using templates for common patterns
+  webappExample = templates.webapp {
+    name = "webapp";
+    subdomain = "app";
+    port = 8080;
+  };
+
+  authWebappExample = templates.authWebapp {
+    name = "secure-app";
+    subdomain = "secure";
+    port = 9000;
+  };
+
+  containerExample = templates.containerService {
+    name = "gitea";
+    subdomain = "git";
+    containerName = "gitea";
+    port = 3000;
+  };
+
+  internalExample = templates.internalService {
+    name = "internal-api";
+    subdomain = "api-internal";
+    port = 8000;
+  };
+
+  # Example 6: Custom domain and advanced configuration
+  customProxy = mkReverseProxy {
+    name = "custom-service";
+    subdomain = "custom";
+    url = "http://10.0.1.100:8080";
+    domain = "example.com";
+    priority = 20;
+    rule = "Host(`custom.example.com`) && PathPrefix(`/api`)";
+    middlewares = [ "crowdsec" "whitelist-geoblock" "rate-limit" ];
+  };
+
+  # Example usage in a Traefik configuration:
+  # 
+  # mjallen.services.traefik = {
+  #   enable = true;
+  #   extraServices = multipleProxies.extraServices;
+  #   extraRouters = multipleProxies.extraRouters;
+  # };
+  #
+  # Or for individual proxies:
+  #
+  # mjallen.services.traefik = {
+  #   enable = true;
+  #   extraServices = [ simpleProxy.service ];
+  #   extraRouters = [{
+  #     inherit (simpleProxy.router) subdomain entryPoints middlewares;
+  #     service = simpleProxy.router.service;
+  #   }];
+  # };
+}

lib/module/default.nix

@@ -90,6 +90,14 @@ rec {
 
   mkBoolOpt' = mkOpt' types.bool;
 
+  mkReverseProxyOpt = {
+    enable = mkBoolOpt false "Enable reverse proxy support";
+
+    subdomain = mkOpt types.str "" "subdomain of the service";
+
+    middlewares = mkOpt (types.listOf types.str) [ ] "List of middlewares to use";
+  };
+
   # Standard enable/disable patterns
   enabled = {
     enable = true;

lib/reverseproxy/default.nix

@@ -0,0 +1,153 @@
+{ inputs }:
+let
+  inherit (inputs.nixpkgs.lib)
+    mkOption
+    types
+    listToAttrs
+    nameValuePair
+    ;
+in
+rec {
+  # Create a service configuration for Traefik
+  mkService = {
+    name,
+    url,
+    loadBalancer ? { },
+  }: {
+    inherit name url;
+    config = {
+      loadBalancer = {
+        servers = [{ inherit url; }];
+      } // loadBalancer;
+    };
+  };
+
+  # Create a router configuration for Traefik
+  mkRouter = {
+    subdomain,
+    domain ? "mjallen.dev",
+    service,
+    entryPoints ? [ "websecure" ],
+    middlewares ? [ "crowdsec" "whitelist-geoblock" ],
+    priority ? null,
+    rule ? null,
+    tls ? { certResolver = "letsencrypt"; },
+  }: {
+    inherit subdomain service entryPoints middlewares;
+    config = {
+      inherit entryPoints service middlewares tls;
+      rule = if rule != null then rule else "Host(`${subdomain}.${domain}`)";
+    } // (if priority != null then { inherit priority; } else { });
+  };
+
+  # Create both service and router for a simple reverse proxy setup
+  mkReverseProxy = {
+    name,
+    subdomain,
+    url,
+    domain ? "mjallen.dev",
+    entryPoints ? [ "websecure" ],
+    middlewares ? [ "crowdsec" "whitelist-geoblock" ],
+    priority ? null,
+    rule ? null,
+    tls ? { certResolver = "letsencrypt"; },
+    loadBalancer ? { },
+  }: {
+    service = mkService {
+      inherit name url loadBalancer;
+    };
+    router = mkRouter {
+      inherit subdomain domain entryPoints middlewares priority rule tls;
+      service = name;
+    };
+  };
+
+  # Convert a list of services to the format expected by Traefik module
+  servicesToConfig = services:
+    listToAttrs (map (service: nameValuePair service.name service.config) services);
+
+  # Convert a list of routers to the format expected by Traefik module
+  routersToConfig = routers:
+    listToAttrs (map (router: nameValuePair router.subdomain router.config) routers);
+
+  # Helper to create multiple reverse proxies at once
+  mkReverseProxies = proxies:
+    let
+      results = map mkReverseProxy proxies;
+      services = map (result: result.service) results;
+      routers = map (result: result.router) results;
+    in
+    {
+      services = servicesToConfig services;
+      routers = routersToConfig routers;
+      extraServices = services;
+      extraRouters = map (router: {
+        inherit (router) subdomain entryPoints middlewares;
+        service = router.service;
+      }) routers;
+    };
+
+  # Common middleware configurations
+  middlewares = {
+    # Authentication middleware
+    auth = [ "authentik" ];
+    
+    # Basic security (default)
+    basic = [ "crowdsec" "whitelist-geoblock" ];
+    
+    # Internal only access
+    internal = [ "crowdsec" "whitelist-geoblock" "internal-ipallowlist" ];
+    
+    # WebSocket support
+    websocket = [ "crowdsec" "whitelist-geoblock" "onlyoffice-websocket" ];
+    
+    # Authenticated with basic security
+    authBasic = [ "crowdsec" "whitelist-geoblock" "authentik" ];
+  };
+
+  # Common service URL builders
+  urls = {
+    # Local container service
+    container = containerName: port: "http://\${config.containers.${containerName}.localAddress}:${toString port}";
+    
+    # Local host service
+    localhost = port: "http://127.0.0.1:${toString port}";
+    
+    # Network service
+    network = ip: port: "http://${ip}:${toString port}";
+    
+    # Server IP service (using your server IP pattern)
+    server = port: "http://\${serverIp}:${toString port}";
+  };
+
+  # Pre-configured reverse proxy templates
+  templates = {
+    # Standard web application
+    webapp = { name, subdomain, port, ... }@args:
+      mkReverseProxy ({
+        url = urls.localhost port;
+        middlewares = middlewares.basic;
+      } // args);
+
+    # Authenticated web application  
+    authWebapp = { name, subdomain, port, ... }@args:
+      mkReverseProxy ({
+        url = urls.localhost port;
+        middlewares = middlewares.authBasic;
+      } // args);
+
+    # Container-based service
+    containerService = { name, subdomain, containerName, port, ... }@args:
+      mkReverseProxy ({
+        url = urls.container containerName port;
+        middlewares = middlewares.basic;
+      } // args);
+
+    # Internal-only service
+    internalService = { name, subdomain, port, ... }@args:
+      mkReverseProxy ({
+        url = urls.localhost port;
+        middlewares = middlewares.internal;
+      } // args);
+  };
+}