nixos/roles/dockerserver.nix


# Module: roles/dockerserver
# Enables a Docker server with traefik
#
# Note that this module interacts with the traefik module: if traefik is
# enabled, it gives the traefik service the docker group (as a supplementary
# group) and enables the docker provider so that it can access containers
# through the docker socket
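{
  config,
  lib,
  pkgs,
  pkgsUnstable,
  inputs,
  ...
}:
with lib;
let
  cfg = config.dockerserver;

  # Path of the Docker daemon's Unix socket, and the matching endpoint URL
  # handed to Traefik's docker provider.
  dockerSocketPath = "/run/docker.sock";
  dockerSocket = "unix://${dockerSocketPath}";

  # Docker network Traefik uses to reach the containers it routes to.
  # NOTE(review): nothing in this module creates the network; presumably it is
  # created elsewhere or by hand. Confirm.
  dockerTraefikNetwork = "proxy";
in
{
  options.dockerserver = {
    # mkEnableOption prefixes its argument with "Whether to enable ", so the
    # argument is a noun phrase rather than a full sentence.
    enable = mkEnableOption "the dockerserver role";
  };

  config = mkIf cfg.enable {
    # Presumably the options of this repository's own docker and traefik
    # modules (not defined in this file).
    docker.enable = true;
    traefik.enable = true;

    services.traefik = {
      staticConfigOptions.providers.docker = {
        endpoint = dockerSocket;
        # Containers are ignored unless they opt in with a traefik.enable=true
        # label, so a new container is not published by accident.
        exposedByDefault = false;
        network = dockerTraefikNetwork;
        watch = true;
      };
    };

    # SECURITY: the docker group can drive the full Docker API, which is
    # equivalent to root on the host. BindReadOnlyPaths only makes the mount
    # itself read-only; a process that can connect to the socket can still
    # issue any API call, including creating privileged containers. The
    # traefik unit should therefore be treated as root-equivalent.
    # To reduce the blast radius, point the provider endpoint at a filtering
    # socket proxy that only allows the read-only endpoints Traefik needs,
    # and drop the group membership here.
    systemd.services.traefik.serviceConfig = mkIf config.services.traefik.enable {
      SupplementaryGroups = [ "docker" ];
      BindReadOnlyPaths = [ dockerSocketPath ];
    };
  };
}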