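# NixOS module: Baserow (all-in-one image) behind Traefik.
# The container is published on the loopback interface only; Traefik terminates
# TLS and forwards to it, so every request Baserow receives comes via Traefik.
{ config, lib, ... }:
let
  serviceName = "baserow";
  portUtils = import ../../../../lib/port-utils.nix { inherit lib; };
  # Host port allocated from the shared port registry for this machine.
  servicePort = portUtils.getPort serviceName "AZ-CLD-1";

  # All three public hostnames are served by the same container and share the
  # same TLS resolver, entrypoint and middleware; only the Host rule differs,
  # so every router is built from this one template.
  mkRouter = host: {
    rule = "Host(`${host}`)";
    tls = { certResolver = "ionos"; };
    service = serviceName;
    # NOTE(review): Traefik documents this option as `entryPoints` (a list);
    # confirm the file provider accepts the lowercase key with a bare string.
    entrypoints = "websecure";
    middlewares = [ "${serviceName}-headers" ];
  };
in
{
  virtualisation.oci-containers.containers.${serviceName} = {
    image = "docker.io/baserow/baserow:2.1.6";
    environment = {
      BASEROW_AMOUNT_OF_GUNICORN_WORKERS = "4";
      BASEROW_AMOUNT_OF_WORKERS = "2";
      DATABASE_CONN_MAX_AGE = "60";
      # Proxy: tell Django the connection is HTTPS so cookies get Secure flag.
      # This makes Baserow trust the X-Forwarded-Proto header; that is only
      # safe because the port is published on 127.0.0.1 (see `ports` below)
      # and Traefik itself sets the header in the "${serviceName}-headers"
      # middleware, so no other client can reach the container directly.
      BASEROW_ENABLE_SECURE_PROXY_SSL_HEADER = "yes";
      # Published apps run on different origins — allow cross-origin cookie delivery.
      # Browsers only accept SameSite=None together with the Secure attribute,
      # which depends on the proxy header setting above.
      BASEROW_FRONTEND_SAME_SITE_COOKIE = "none";
      # Valid base domain for published app subdomains
      BASEROW_BUILDER_DOMAINS = "az-gruppe.com";
      # Disable Caddy's on_demand TLS — Traefik handles TLS termination
      BASEROW_CADDY_GLOBAL_CONF = "auto_https off";
    };
    # Secrets come from the agenix-managed env file (config.age.secrets),
    # keeping credentials out of the plain `environment` attrset.
    environmentFiles = [ config.age.secrets.baserow-env.path ];
    # Loopback only: the container is reachable solely through Traefik.
    ports = [ "127.0.0.1:${toString servicePort}:80" ];
    volumes = [ "baserow_data:/baserow/data" ];
    extraOptions = [
      "--add-host=postgres:10.89.0.1"
      "--ip=10.89.0.10"
      "--network=web"
    ];
  };

  # Traefik configuration
  services.traefik.dynamicConfigOptions.http = {
    services.${serviceName}.loadBalancer.servers = [
      { url = "http://localhost:${toString servicePort}/"; }
    ];
    # Set the forwarding headers on every request Traefik passes to Baserow,
    # so the values Baserow trusts for the Secure-cookie decision come from
    # the proxy rather than from the client.
    middlewares."${serviceName}-headers".headers = {
      customRequestHeaders = {
        X-Forwarded-Proto = "https";
        X-Forwarded-Port = "443";
      };
    };
    routers.${serviceName} = mkRouter "br.az-gruppe.com";
    routers.azubi = mkRouter "azubi.az-gruppe.com";
    routers.ausbilder = mkRouter "ausbilder.az-gruppe.com";
  };
}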