s0me1newithhand7s/reNixos
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
reNixos/kyra/services/traefik.nix
s0me1newithhand7s af900ab6c0 kyra(hardening): traefik is now using consul catalog as provider 
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00

351 lines
7.5 KiB
Nix
Raw Blame History

{
config,
name,
...
}: {
services = {
traefik = {
enable = true;
environmentFiles = [
config.sops.templates."traefik.env".path
];
dynamicConfigOptions = {
providers = {
consulCatalog = {
endpoint = {
address = "127.0.0.1:8500";
exposedByDefault = false;
prefix = "traefik";
};
};
};
udp = {
routers = {
"ntp" = {
service = "ntp-svc";
entryPoints = [
"ntp"
];
};
};
services = {
"ntp-svc" = {
loadBalancer = {
servers = [
{
address = "127.0.0.1:123";
}
];
};
};
};
};
http = {
routers = {
"site" = {
rule = "Host(`hand7s.org`)";
service = "site-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
entryPoints = [
"websecure"
"loopback"
];
};
"ca" = {
rule = "Host(`ca.hand7s.org`)";
service = "ca-svc";
tls = {
certResolver = "cloudflare";
domain = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
};
"doh" = {
rule = "Host(`dns.hand7s.org`) && PathPrefix(`/dns-query`)";
service = "doh-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
entryPoints = [
"websecure"
];
};
};
services = {
"site-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:8180";
}
];
};
};
"ca-svc" = {
loadBalancer = {
servers = [
{
url = "http://127.0.0.1:8443";
}
];
};
};
"doh-svc" = {
loadBalancer = {
servers = [
{
url = "http://127.0.0.1:8053";
}
];
};
};
};
};
tcp = {
routers = {
"nts-ke" = {
rule = "HostSNI(`ntp.hand7s.org`)";
services = "nts-ke-svc";
tls = {
passthrough = true;
};
entryPoints = [
"nts-ke"
];
};
"dot" = {
rule = "HostSNI(`dns.hand7s.org`)";
services = "dot-svc";
entryPoints = [
"dot"
];
tls = {
certResolver = "cloudflare";
};
};
"vless" = {
rule = "HostSNI(`${name}.hand7s.org`)";
service = "vless-svc";
tls = {
passthrough = true;
};
entryPoints = [
"websecure"
];
};
};
services = {
"vless-svc" = {
loadBalancer = {
servers = [
{
address = "192.168.101.2:8443";
}
];
};
};
"nts-ke-svc" = {
loadBalancer = {
servers = [
{
address = "127.0.0.1:4460";
}
];
};
};
"dot-svc" = {
loadBalancer = {
servers = [
{
url = "http://127.0.0.1:8853";
}
];
};
};
};
};
};
staticConfigOptions = {
api = {
dashboard = true;
};
tracing = {
otlp = {
grpc = {
endpoint = "127.0.0.1:4317";
insecure = true;
};
};
};
certificatesResolvers = {
"cloudflare" = {
acme = {
email = "me@hand7s.com";
storage = "${config.services.traefik.dataDir}/acme.json";
dnsChallenge = {
provider = "cloudflare";
};
};
};
"step-ca" = {
caServer = "https://ca.hand7s.org";
acme = {
email = "me@hand7s.com";
storage = "${config.services.traefik.dataDir}/acme.json";
tlsChallenge = {};
};
};
};
log = {
level = "DEBUG";
};
entryPoints = {
"web" = {
address = ":80";
http = {
redirections = {
entryPoint = {
to = "websecure";
scheme = "https";
};
};
};
};
"websecure" = {
address = ":443";
http = {
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
};
};
"loopback" = {
address = "127.0.0.1:444";
http = {
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
};
};
"ntp" = {
address = ":123";
};
"nts-ke" = {
address = ":4460";
};
"dot" = {
address = ":853";
};
"minecraft" = {
address = ":25565";
};
"smtp" = {
address = ":25";
};
"pop3" = {
address = ":110";
};
"imap" = {
address = ":143";
};
"submissions" = {
address = ":465";
};
"submission" = {
address = ":587";
};
"imaptls" = {
address = ":993";
};
"pop3s" = {
address = ":995";
};
"managesieve" = {
address = ":4190";
};
};
};
};
};
}
Reference in a new issue View git blame Copy permalink