2022-12-04 08:53:28 +01:00
|
|
|
{ config, lib, ... }:
|
2019-03-31 21:46:51 +02:00
|
|
|
|
2022-12-04 08:53:28 +01:00
|
|
|
let
|
|
|
|
cfg = config.services.proxy;
|
|
|
|
canonicalize = builtins.replaceStrings [ "*" "." ":" "[" "]" ] [ "all" "_" "_" "" "" ];
|
|
|
|
in
|
|
|
|
{
|
2019-03-31 21:46:51 +02:00
|
|
|
|
2022-06-20 20:17:13 +02:00
|
|
|
options.services.proxy = {
|
2022-12-04 08:53:28 +01:00
|
|
|
enable = lib.mkOption {
|
2019-03-31 21:46:51 +02:00
|
|
|
default = false;
|
|
|
|
description = "whether to enable proxy";
|
2022-12-04 08:53:28 +01:00
|
|
|
type = lib.types.bool;
|
2019-03-31 21:46:51 +02:00
|
|
|
};
|
|
|
|
|
2022-12-04 08:53:28 +01:00
|
|
|
proxyHosts = lib.mkOption {
|
|
|
|
type = lib.types.listOf (lib.types.submodule {
|
2021-02-22 11:45:12 +01:00
|
|
|
options = {
|
2022-12-04 08:53:28 +01:00
|
|
|
hostNames = lib.mkOption {
|
|
|
|
type = with lib.types; listOf str;
|
2021-02-22 11:45:12 +01:00
|
|
|
default = [ ];
|
|
|
|
description = ''
|
|
|
|
Proxy these hostNames.
|
|
|
|
'';
|
2019-04-01 03:15:39 +02:00
|
|
|
};
|
2022-12-04 08:53:28 +01:00
|
|
|
proxyTo = lib.mkOption {
|
|
|
|
type = lib.types.submodule {
|
2021-02-22 11:45:12 +01:00
|
|
|
options = {
|
2022-12-04 08:53:28 +01:00
|
|
|
host = lib.mkOption {
|
|
|
|
type = with lib.types; nullOr string;
|
2021-02-22 11:45:12 +01:00
|
|
|
default = null;
|
|
|
|
description = ''
|
|
|
|
Host to forward traffic to.
|
|
|
|
Any hostname may only be used once
|
|
|
|
'';
|
|
|
|
};
|
2022-12-04 08:53:28 +01:00
|
|
|
httpPort = lib.mkOption {
|
|
|
|
type = lib.types.int;
|
2021-02-22 11:45:12 +01:00
|
|
|
default = 80;
|
|
|
|
description = ''
|
|
|
|
Port to forward http to.
|
|
|
|
'';
|
|
|
|
};
|
2022-12-04 08:53:28 +01:00
|
|
|
httpsPort = lib.mkOption {
|
|
|
|
type = lib.types.int;
|
2021-02-22 11:45:12 +01:00
|
|
|
default = 443;
|
|
|
|
description = ''
|
|
|
|
Port to forward http to.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
2021-10-31 19:00:03 +01:00
|
|
|
};
|
2021-02-22 11:45:12 +01:00
|
|
|
description = ''
|
|
|
|
{ host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
|
|
|
|
'';
|
|
|
|
default = { };
|
|
|
|
};
|
2022-12-04 08:53:28 +01:00
|
|
|
matchArg = lib.mkOption {
|
|
|
|
type = lib.types.str;
|
2021-10-06 21:55:43 +02:00
|
|
|
default = "";
|
|
|
|
description = "Optional argument to HAProxy `req.ssl_sni -i`";
|
|
|
|
};
|
|
|
|
|
2021-02-22 11:45:12 +01:00
|
|
|
};
|
2019-03-31 21:46:51 +02:00
|
|
|
|
2021-10-31 19:00:03 +01:00
|
|
|
});
|
2021-02-22 11:45:12 +01:00
|
|
|
default = [ ];
|
|
|
|
example = [{
|
|
|
|
hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
|
|
|
|
proxyTo = {
|
|
|
|
host = "172.22.99.99";
|
|
|
|
httpPort = 80;
|
|
|
|
httpsPort = 443;
|
|
|
|
};
|
|
|
|
}];
|
2019-03-31 21:46:51 +02:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2022-12-04 08:53:28 +01:00
|
|
|
config = lib.mkIf cfg.enable {
|
2019-03-31 21:46:51 +02:00
|
|
|
services.haproxy = {
|
|
|
|
enable = true;
|
|
|
|
config = ''
|
2021-07-14 18:53:12 +02:00
|
|
|
defaults
|
|
|
|
timeout client 30000
|
|
|
|
timeout connect 5000
|
|
|
|
timeout check 5000
|
|
|
|
timeout server 30000
|
|
|
|
|
2019-03-31 21:46:51 +02:00
|
|
|
frontend http-in
|
2019-04-02 01:55:40 +02:00
|
|
|
bind :::80 v4v6
|
2020-12-03 16:48:28 +01:00
|
|
|
option http-keep-alive
|
2019-03-31 21:46:51 +02:00
|
|
|
default_backend proxy-backend-http
|
2021-02-22 11:45:12 +01:00
|
|
|
|
2019-03-31 21:46:51 +02:00
|
|
|
backend proxy-backend-http
|
2019-06-22 15:05:13 +02:00
|
|
|
mode http
|
|
|
|
option http-server-close
|
|
|
|
option forwardfor
|
2020-12-03 16:52:12 +01:00
|
|
|
http-request set-header X-Forwarded-Proto http
|
|
|
|
http-request set-header X-Forwarded-Port 80
|
2022-12-04 08:53:28 +01:00
|
|
|
${lib.concatMapStrings ({ proxyTo, hostNames, matchArg }:
|
|
|
|
lib.optionalString (hostNames != [ ] && proxyTo.host != null) (
|
|
|
|
lib.concatMapStrings (hostname: ''
|
2021-10-06 21:55:43 +02:00
|
|
|
use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
|
|
|
|
server ${canonicalize hostname}-http ${proxyTo.host}:${
|
|
|
|
toString proxyTo.httpPort
|
|
|
|
} weight 1
|
|
|
|
'') hostNames
|
|
|
|
)
|
|
|
|
) cfg.proxyHosts
|
2019-03-31 21:46:51 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
frontend https-in
|
2019-04-02 01:55:40 +02:00
|
|
|
bind :::443 v4v6
|
2021-07-14 18:53:12 +02:00
|
|
|
tcp-request inspect-delay 5s
|
2021-10-06 21:55:43 +02:00
|
|
|
tcp-request content accept if { req.ssl_hello_type 1 }
|
2022-12-04 08:53:28 +01:00
|
|
|
${lib.concatMapStrings ({ proxyTo, hostNames, matchArg }:
|
|
|
|
lib.concatMapStrings (hostname: ''
|
2021-10-06 21:55:43 +02:00
|
|
|
use_backend ${canonicalize proxyTo.host}-https if { req.ssl_sni -i ${matchArg} ${hostname} }
|
|
|
|
'') hostNames
|
|
|
|
) cfg.proxyHosts}
|
2019-03-31 21:46:51 +02:00
|
|
|
|
2022-12-04 08:53:28 +01:00
|
|
|
${lib.concatMapStrings ({ proxyTo, ... }: ''
|
2021-10-06 21:55:43 +02:00
|
|
|
backend ${canonicalize proxyTo.host}-https
|
|
|
|
server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${
|
|
|
|
toString proxyTo.httpsPort
|
|
|
|
} weight 1
|
|
|
|
'') cfg.proxyHosts}
|
2019-03-31 21:46:51 +02:00
|
|
|
'';
|
|
|
|
};
|
2019-04-01 03:15:39 +02:00
|
|
|
};
|
2019-03-31 21:46:51 +02:00
|
|
|
}
|