nix-config/hosts/public-access-proxy/proxy.nix

{ config, lib, ... }:

let
  cfg = config.services.proxy;
  canonicalize = builtins.replaceStrings [ "*" "." ":" "[" "]" ] [ "all" "_" "_" "" "" ];
in
{

  options.services.proxy = {
    enable = lib.mkOption {
      default = false;
      description = "whether to enable proxy";
      type = lib.types.bool;
    };

    proxyHosts = lib.mkOption {
      type = lib.types.listOf (lib.types.submodule {
        options = {
          hostNames = lib.mkOption {
            type = with lib.types; listOf str;
            default = [ ];
            description = ''
              Proxy these hostNames.
            '';
          };

          proxyTo = lib.mkOption {
            type = lib.types.submodule {
              options = {
                host = lib.mkOption {
                  type = with lib.types; nullOr string;
                  default = null;
                  description = ''
                    Host to forward traffic to.
                    Any hostname may only be used once
                  '';
                };
                httpPort = lib.mkOption {
                  type = lib.types.port;
                  default = 80;
                  description = ''
                    Port to forward http to.
                  '';
                };
                httpsPort = lib.mkOption {
                  type = lib.types.port;
                  default = 443;
                  description = ''
                    Port to forward http to.
                  '';
                };
              };
            };
            description = ''
              { host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
            '';
            default = { };
          };

          proxyProtocol = lib.mkOption {
            type = lib.types.bool;
            default = false;
            description = "Whether to use proxy protocol to connect to the server.";
          };

          matchArg = lib.mkOption {
            type = lib.types.str;
            default = "";
            description = "Optional argument to HAProxy `req.ssl_sni -i`";
          };
        };
      });
      default = [ ];
      example = [{
        hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
        proxyTo = {
          host = "172.22.99.99";
          httpPort = 80;
          httpsPort = 443;
        };
      }];
    };
  };

  config = lib.mkIf cfg.enable {
    services.haproxy = {
      enable = true;
      config = ''
        defaults
          timeout client 30000
          timeout connect 5000
          timeout check 5000
          timeout server 30000

        frontend http-in
          bind :::80 v4v6
          option http-keep-alive
          default_backend proxy-backend-http

        backend proxy-backend-http
          mode http
          option http-server-close
          option forwardfor
          http-request set-header X-Forwarded-Proto http
          http-request set-header X-Forwarded-Port 80
          ${lib.concatMapStrings ({ proxyTo, proxyProtocol, hostNames, matchArg }:
              lib.optionalString (hostNames != [ ] && proxyTo.host != null) (
                lib.concatMapStrings (hostname: ''
                  use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
                  server ${canonicalize hostname}-http ${proxyTo.host}:${toString proxyTo.httpPort} weight 1 check ${lib.optionalString proxyProtocol "send-proxy"}
                '') hostNames
              )
            ) cfg.proxyHosts
          }

        frontend https-in
          bind :::443 v4v6
          tcp-request inspect-delay 5s
          tcp-request content accept if { req.ssl_hello_type 1 }
          ${lib.concatMapStrings ({ proxyTo, hostNames, matchArg, ... }:
              lib.concatMapStrings (hostname: ''
                use_backend ${canonicalize proxyTo.host}-https if { req.ssl_sni -i ${matchArg} ${hostname} }
              '') hostNames
          ) cfg.proxyHosts}

        ${lib.concatMapStrings ({ proxyTo, proxyProtocol, ...  }: ''
          backend ${canonicalize proxyTo.host}-https
            server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${toString proxyTo.httpsPort} weight 1 check ${lib.optionalString proxyProtocol "send-proxy"}
        '') cfg.proxyHosts}
      '';
    };
  };
}
Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`{ config, lib, ... }:`
storage-ng/public-address-proxy: proxy different fqdns to different hosts 2019-03-31 21:46:51 +02:00
Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`let`
			`cfg = config.services.proxy;`
			`canonicalize = builtins.replaceStrings [ "*" "." ":" "[" "]" ] [ "all" "_" "_" "" "" ];`
			`in`
			`{`
storage-ng/public-address-proxy: proxy different fqdns to different hosts 2019-03-31 21:46:51 +02:00
Drop my prefix 2022-06-20 20:17:13 +02:00			`options.services.proxy = {`
Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`enable = lib.mkOption {`
storage-ng/public-address-proxy: proxy different fqdns to different hosts 2019-03-31 21:46:51 +02:00			`default = false;`
			`description = "whether to enable proxy";`
Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`type = lib.types.bool;`
storage-ng/public-address-proxy: proxy different fqdns to different hosts 2019-03-31 21:46:51 +02:00			`};`

Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`proxyHosts = lib.mkOption {`
			`type = lib.types.listOf (lib.types.submodule {`
Nixfmt everything 2021-02-22 11:45:12 +01:00			`options = {`
Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`hostNames = lib.mkOption {`
			`type = with lib.types; listOf str;`
Nixfmt everything 2021-02-22 11:45:12 +01:00			`default = [ ];`
			`description = ''`
			`Proxy these hostNames.`
			`'';`
storage-ng/public-address-proxy: fixed errors 2019-04-01 03:15:39 +02:00			`};`
Test proxy protocol 2023-01-18 01:52:47 +01:00
Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`proxyTo = lib.mkOption {`
			`type = lib.types.submodule {`
Nixfmt everything 2021-02-22 11:45:12 +01:00			`options = {`
Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`host = lib.mkOption {`
			`type = with lib.types; nullOr string;`
Nixfmt everything 2021-02-22 11:45:12 +01:00			`default = null;`
			`description = ''`
			`Host to forward traffic to.`
			`Any hostname may only be used once`
			`'';`
			`};`
Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`httpPort = lib.mkOption {`
Correct module type 2023-03-10 20:25:47 +01:00			`type = lib.types.port;`
Nixfmt everything 2021-02-22 11:45:12 +01:00			`default = 80;`
			`description = ''`
			`Port to forward http to.`
			`'';`
			`};`
Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`httpsPort = lib.mkOption {`
Correct module type 2023-03-10 20:25:47 +01:00			`type = lib.types.port;`
Nixfmt everything 2021-02-22 11:45:12 +01:00			`default = 443;`
			`description = ''`
			`Port to forward http to.`
			`'';`
			`};`
			`};`
Run statix fix 2021-10-31 19:00:03 +01:00			`};`
Nixfmt everything 2021-02-22 11:45:12 +01:00			`description = ''`
			`{ host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to`
			`'';`
			`default = { };`
			`};`
Test proxy protocol 2023-01-18 01:52:47 +01:00
			`proxyProtocol = lib.mkOption {`
			`type = lib.types.bool;`
			`default = false;`
			`description = "Whether to use proxy protocol to connect to the server.";`
			`};`

Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`matchArg = lib.mkOption {`
			`type = lib.types.str;`
public-access-proxy: populate proxyHosts from other nixosConfigurations fixes gitea issue #8 2021-10-06 21:55:43 +02:00			`default = "";`
			description = "Optional argument to HAProxy `req.ssl_sni -i`";
			`};`
Nixfmt everything 2021-02-22 11:45:12 +01:00			`};`
Run statix fix 2021-10-31 19:00:03 +01:00			`});`
Nixfmt everything 2021-02-22 11:45:12 +01:00			`default = [ ];`
			`example = [{`
			`hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];`
			`proxyTo = {`
			`host = "172.22.99.99";`
			`httpPort = 80;`
			`httpsPort = 443;`
			`};`
			`}];`
storage-ng/public-address-proxy: proxy different fqdns to different hosts 2019-03-31 21:46:51 +02:00			`};`
			`};`

Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`config = lib.mkIf cfg.enable {`
storage-ng/public-address-proxy: proxy different fqdns to different hosts 2019-03-31 21:46:51 +02:00			`services.haproxy = {`
			`enable = true;`
			`config = ''`
public-access-proxy: fix settings 2021-07-14 18:53:12 +02:00			`defaults`
			`timeout client 30000`
			`timeout connect 5000`
			`timeout check 5000`
			`timeout server 30000`

storage-ng/public-address-proxy: proxy different fqdns to different hosts 2019-03-31 21:46:51 +02:00			`frontend http-in`
storage-ng/public-access-proxy: listen to v4 and v6 2019-04-02 01:55:40 +02:00			`bind :::80 v4v6`
public-access-proxy: update haproxy settings to 2.1 2020-12-03 16:48:28 +01:00			`option http-keep-alive`
storage-ng/public-address-proxy: proxy different fqdns to different hosts 2019-03-31 21:46:51 +02:00			`default_backend proxy-backend-http`
Nixfmt everything 2021-02-22 11:45:12 +01:00
storage-ng/public-address-proxy: proxy different fqdns to different hosts 2019-03-31 21:46:51 +02:00			`backend proxy-backend-http`
contains/public-access-proxy: fixed forwarding 2019-06-22 15:05:13 +02:00			`mode http`
			`option http-server-close`
			`option forwardfor`
public-access-proxy: fix haproxy conf syntax 2020-12-03 16:52:12 +01:00			`http-request set-header X-Forwarded-Proto http`
			`http-request set-header X-Forwarded-Port 80`
Test proxy protocol 2023-01-18 01:52:47 +01:00			`${lib.concatMapStrings ({ proxyTo, proxyProtocol, hostNames, matchArg }:`
Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`lib.optionalString (hostNames != [ ] && proxyTo.host != null) (`
			`lib.concatMapStrings (hostname: ''`
public-access-proxy: populate proxyHosts from other nixosConfigurations fixes gitea issue #8 2021-10-06 21:55:43 +02:00			`use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }`
Test proxy protocol 2023-01-18 01:52:47 +01:00			`server ${canonicalize hostname}-http ${proxyTo.host}:${toString proxyTo.httpPort} weight 1 check ${lib.optionalString proxyProtocol "send-proxy"}`
public-access-proxy: populate proxyHosts from other nixosConfigurations fixes gitea issue #8 2021-10-06 21:55:43 +02:00			`'') hostNames`
			`)`
			`) cfg.proxyHosts`
storage-ng/public-address-proxy: proxy different fqdns to different hosts 2019-03-31 21:46:51 +02:00			`}`

			`frontend https-in`
storage-ng/public-access-proxy: listen to v4 and v6 2019-04-02 01:55:40 +02:00			`bind :::443 v4v6`
public-access-proxy: fix settings 2021-07-14 18:53:12 +02:00			`tcp-request inspect-delay 5s`
public-access-proxy: populate proxyHosts from other nixosConfigurations fixes gitea issue #8 2021-10-06 21:55:43 +02:00			`tcp-request content accept if { req.ssl_hello_type 1 }`
Test proxy protocol 2023-01-18 01:52:47 +01:00			`${lib.concatMapStrings ({ proxyTo, hostNames, matchArg, ... }:`
Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`lib.concatMapStrings (hostname: ''`
public-access-proxy: populate proxyHosts from other nixosConfigurations fixes gitea issue #8 2021-10-06 21:55:43 +02:00			`use_backend ${canonicalize proxyTo.host}-https if { req.ssl_sni -i ${matchArg} ${hostname} }`
			`'') hostNames`
			`) cfg.proxyHosts}`
storage-ng/public-address-proxy: proxy different fqdns to different hosts 2019-03-31 21:46:51 +02:00
Test proxy protocol 2023-01-18 01:52:47 +01:00			`${lib.concatMapStrings ({ proxyTo, proxyProtocol, ... }: ''`
public-access-proxy: populate proxyHosts from other nixosConfigurations fixes gitea issue #8 2021-10-06 21:55:43 +02:00			`backend ${canonicalize proxyTo.host}-https`
Test proxy protocol 2023-01-18 01:52:47 +01:00			`server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${toString proxyTo.httpsPort} weight 1 check ${lib.optionalString proxyProtocol "send-proxy"}`
public-access-proxy: populate proxyHosts from other nixosConfigurations fixes gitea issue #8 2021-10-06 21:55:43 +02:00			`'') cfg.proxyHosts}`
storage-ng/public-address-proxy: proxy different fqdns to different hosts 2019-03-31 21:46:51 +02:00			`'';`
			`};`
storage-ng/public-address-proxy: fixed errors 2019-04-01 03:15:39 +02:00			`};`
storage-ng/public-address-proxy: proxy different fqdns to different hosts 2019-03-31 21:46:51 +02:00			`}`