kyra(hardening): traefik is now using consul catalog as provider

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
s0me1newithhand7s 2026-05-03 15:55:43 +03:00
parent fb737422c1
commit af900ab6c0


@ -1,4 +1,8 @@
{config, ...}: { {
config,
name,
...
}: {
services = { services = {
traefik = { traefik = {
enable = true; enable = true;
@ -8,29 +12,44 @@
]; ];
dynamicConfigOptions = { dynamicConfigOptions = {
providers = {
consulCatalog = {
endpoint = {
address = "127.0.0.1:8500";
exposedByDefault = false;
prefix = "traefik";
};
};
};
udp = {
routers = {
"ntp" = {
service = "ntp-svc";
entryPoints = [
"ntp"
];
};
};
services = {
"ntp-svc" = {
loadBalancer = {
servers = [
{
address = "127.0.0.1:123";
}
];
};
};
};
};
http = { http = {
routers = { routers = {
"site" = { "site" = {
rule = "Host(`hand7s.org`)"; rule = "Host(`hand7s.org`)";
service = "site-svc"; service = "site-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = "*.hand7s.org";
}
];
};
entryPoints = [
"websecure"
];
};
"git" = {
rule = "Host(`git.hand7s.org`)";
service = "git-svc";
tls = { tls = {
certResolver = "cloudflare"; certResolver = "cloudflare";
domains = [ domains = [
@ -45,15 +64,16 @@
entryPoints = [ entryPoints = [
"websecure" "websecure"
"loopback"
]; ];
}; };
"cicd" = { "ca" = {
rule = "Host(`woodpecker.hand7s.org`)"; rule = "Host(`ca.hand7s.org`)";
service = "cicd-svc"; service = "ca-svc";
tls = { tls = {
certResolver = "cloudflare"; certResolver = "cloudflare";
domains = [ domain = [
{ {
main = "hand7s.org"; main = "hand7s.org";
sans = [ sans = [
@ -62,55 +82,11 @@
} }
]; ];
}; };
entryPoints = [
"websecure"
];
}; };
"oidc" = { "doh" = {
rule = "Host(`zitadel.hand7s.org`)"; rule = "Host(`dns.hand7s.org`) && PathPrefix(`/dns-query`)";
service = "oidc-svc"; service = "doh-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
entryPoints = [
"websecure"
];
};
"bin" = {
rule = "Host(`bin.hand7s.org`)";
service = "bin-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
entryPoints = [
"websecure"
];
};
"lgtm" = {
rule = "Host(`grafana.hand7s.org`)";
service = "lgtm-svc";
tls = { tls = {
certResolver = "cloudflare"; certResolver = "cloudflare";
domains = [ domains = [
@ -140,51 +116,21 @@
}; };
}; };
"git-svc" = { "ca-svc" = {
loadBalancer = { loadBalancer = {
servers = [ servers = [
{ {
url = "http://100.109.123.164:53350"; url = "http://127.0.0.1:8443";
} }
]; ];
}; };
}; };
"oidc-svc" = { "doh-svc" = {
loadBalancer = { loadBalancer = {
servers = [ servers = [
{ {
url = "http://100.109.123.164:8443"; url = "http://127.0.0.1:8053";
}
];
};
};
"bin-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:53352";
}
];
};
};
"cicd-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:53351";
}
];
};
};
"lgtm-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:3030";
} }
]; ];
}; };
@ -194,160 +140,72 @@
tcp = { tcp = {
routers = { routers = {
"minecraft" = { "nts-ke" = {
rule = "HostSNI(`*`)"; rule = "HostSNI(`ntp.hand7s.org`)";
service = "mc-svc"; services = "nts-ke-svc";
tls = {
passthrough = true;
};
entryPoints = [ entryPoints = [
"minecraft" "nts-ke"
]; ];
}; };
"smtp" = { "dot" = {
rule = "HostSNI(`*`)"; rule = "HostSNI(`dns.hand7s.org`)";
service = "smtp-svc"; services = "dot-svc";
entryPoints = [ entryPoints = [
"smtp" "dot"
]; ];
tls = {
certResolver = "cloudflare";
};
}; };
"pop3" = { "vless" = {
rule = "HostSNI(`*`)"; rule = "HostSNI(`${name}.hand7s.org`)";
service = "pop-svc"; service = "vless-svc";
tls = {
passthrough = true;
};
entryPoints = [ entryPoints = [
"pop3" "websecure"
];
};
"submissions" = {
rule = "HostSNI(`mail.hand7s.org`)";
service = "submissions-svc";
entryPoints = [
"submissions"
];
};
"submission" = {
rule = "HostSNI(`*`)";
service = "submission-svc";
entryPoints = [
"submission"
];
};
"imaptls" = {
rule = "HostSNI(`mail.hand7s.org`)";
service = "imaptls-svc";
entryPoints = [
"imaptls"
];
};
"pop3s" = {
rule = "HostSNI(`mail.hand7s.org`)";
service = "pop3s-svc";
entryPoints = [
"pop3s"
];
};
"managesieve" = {
rule = "HostSNI(`*`)";
service = "managesieve-svc";
entryPoints = [
"managesieve"
];
};
};
};
services = {
"mc-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:25565";
}
]; ];
}; };
}; };
"smtp-svc" = { services = {
loadBalancer = { "vless-svc" = {
servers = [ loadBalancer = {
{ servers = [
address = "100.109.123.164:25"; {
} address = "192.168.101.2:8443";
]; }
];
};
}; };
};
"pop3-svc" = { "nts-ke-svc" = {
loadBalancer = { loadBalancer = {
servers = [ servers = [
{ {
address = "100.109.123.164:110"; address = "127.0.0.1:4460";
} }
]; ];
};
}; };
};
"imap-svc" = { "dot-svc" = {
loadBalancer = { loadBalancer = {
servers = [ servers = [
{ {
address = "100.109.123.164:143"; url = "http://127.0.0.1:8853";
} }
]; ];
}; };
};
"submissions-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:465";
}
];
};
};
"submission-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:587";
}
];
};
};
"imaptls-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:993";
}
];
};
};
"pop3s-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:995";
}
];
};
};
"managesieve-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:4190";
}
];
}; };
}; };
}; };
@ -370,17 +228,22 @@
certificatesResolvers = { certificatesResolvers = {
"cloudflare" = { "cloudflare" = {
acme = { acme = {
email = "litvinovb0@gmail.com"; email = "me@hand7s.com";
storage = "${config.services.traefik.dataDir}/acme.json"; storage = "${config.services.traefik.dataDir}/acme.json";
dnsChallenge = { dnsChallenge = {
provider = "cloudflare"; provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"8.8.8.8:53"
];
}; };
}; };
}; };
"step-ca" = {
caServer = "https://ca.hand7s.org";
acme = {
email = "me@hand7s.com";
storage = "${config.services.traefik.dataDir}/acme.json";
tlsChallenge = {};
};
};
}; };
log = { log = {
@ -417,6 +280,35 @@
}; };
}; };
"loopback" = {
address = "127.0.0.1:444";
http = {
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
};
};
"ntp" = {
address = ":123";
};
"nts-ke" = {
address = ":4460";
};
"dot" = {
address = ":853";
};
"minecraft" = { "minecraft" = {
address = ":25565"; address = ":25565";
}; };