public-access-proxy: populate proxyHosts from other nixosConfigurations

fixes gitea issue #8
Astro 2021-10-06 21:55:43 +02:00
parent 2be650b93e
commit 4f20008ec9
3 changed files with 60 additions and 61 deletions


@ -308,6 +308,9 @@
./lib/lxc-container.nix
./hosts/containers/public-access-proxy
];
extraArgs = {
inherit (self) nixosConfigurations;
};
system = "x86_64-linux";
};


@ -1,4 +1,4 @@
{ hostRegistry, config, pkgs, lib, ... }:
{ hostRegistry, nixosConfigurations, config, pkgs, lib, ... }:
{
imports = [
@ -19,47 +19,38 @@
my.services.proxy = {
enable = true;
proxyHosts = [
{
hostNames = [ "grafana.hq.c3d2.de" ];
proxyTo.host = "grafana.serv.zentralwerk.org";
}
{
hostNames = [ "ticker.c3d2.de" ];
proxyTo.host = "ticker.serv.zentralwerk.org";
}
{
hostNames = [ "gitea.c3d2.de" ];
proxyTo.host = "172.20.73.53";
}
# Manual forwarding configurations
{
hostNames = [ "vps1.nixvita.de" "vps1.codetu.be" "nixvita.de" ];
proxyTo.host = "172.20.73.51";
matchArg = "-m end";
}
{
hostNames = [ "stream.hq.c3d2.de" ];
proxyTo.host = hostRegistry.hosts.stream.ip4;
] ++
# Generated forwarding configurations from other nixosConfigurations
map (host:
let
nixosConfig = nixosConfigurations.${host}.config;
in {
hostNames =
builtins.filter (vhost: vhost != "localhost") (
builtins.concatMap (vhost:
let
vhostConfig = nixosConfig.services.nginx.virtualHosts.${vhost};
in [ vhost ] ++ vhostConfig.serverAliases
) (builtins.attrNames nixosConfig.services.nginx.virtualHosts)
);
proxyTo.host =
if hostRegistry.hosts.${host} ? ip6
then "[${hostRegistry.hosts.${host}.ip6}]"
else if hostRegistry.hosts.${host} ? ip4
then hostRegistry.hosts.${host}.ip4
else throw "No known addresses for ${host}";
}
{
hostNames = [ "mobilizon.c3d2.de" ];
proxyTo.host = hostRegistry.hosts.mobilizon.ip4;
}
{
hostNames = [ "sdr.hq.c3d2.de" ];
proxyTo.host = hostRegistry.hosts.radiobert.ip4;
}
{
hostNames = [
"www.c3d2.de" "c3d2.de"
"c3dd.de" "www.c3dd.de"
"cccdd.de" "www.cccdd.de"
"dresden.ccc.de" "www.dresden.ccc.de"
"datenspuren.de" "www.datenspuren.de"
"datenspuren.c3d2.de" "ds.c3d2.de"
"autotopia.c3d2.de"
];
proxyTo.host = hostRegistry.hosts.c3d2-web.ip4;
}
];
) (builtins.attrNames (
lib.filterAttrs (_: nixos:
nixos.config.services.nginx.enable
) nixosConfigurations
));
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
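Review bot: The address lookup in the generated entries dereferences `hostRegistry.hosts.${host}` before testing `? ip6`, so a nixosConfiguration that enables nginx but has no hostRegistry entry fails with a generic "attribute missing" evaluation error instead of reaching the intended `throw "No known addresses for ${host}"`. Binding the entry first makes the fallback reachable: `let addrs = hostRegistry.hosts.${host} or { }; in if addrs ? ip6 then "[${addrs.ip6}]" else if addrs ? ip4 then addrs.ip4 else throw "No known addresses for ${host}"`. Note also that every attribute name of `services.nginx.virtualHosts` other than "localhost" is published through the public proxy; the attribute name is not necessarily the served name (a vhost may set `serverName`), and a vhost intended for the internal network only would be exposed without any opt-out, so consider using `vhostConfig.serverName` when it is set and adding an explicit allow/deny list to the generated entries. The `my.services.proxy` block starts before this hunk.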


@ -3,7 +3,7 @@
with lib;
let cfg = config.my.services.proxy;
withoutWildcards = builtins.replaceStrings ["*"] ["all"];
canonicalize = builtins.replaceStrings ["*" "." ":" "[" "]"] ["all" "_" "_" "" ""];
in {
@ -57,6 +57,12 @@ in {
'';
default = { };
};
matchArg = mkOption {
type = types.str;
default = "";
description = "Optional argument to HAProxy `req.ssl_sni -i`";
};
};
}));
@ -96,35 +102,34 @@ in {
http-request set-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Port 80
${
concatMapStringsSep "\n" (proxyHost:
optionalString
(proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null)
(concatMapStringsSep "\n" (hostname: ''
use-server ${withoutWildcards hostname}-http if { req.hdr(host) -i -m end ${hostname} }
server ${withoutWildcards hostname}-http ${proxyHost.proxyTo.host}:${
toString proxyHost.proxyTo.httpPort
} weight 0
'') (proxyHost.hostNames))) (cfg.proxyHosts)
concatMapStrings ({ proxyTo, hostNames, matchArg }:
optionalString (hostNames != [ ] && proxyTo.host != null) (
concatMapStrings (hostname: ''
use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
server ${canonicalize hostname}-http ${proxyTo.host}:${
toString proxyTo.httpPort
} weight 1
'') hostNames
)
) cfg.proxyHosts
}
frontend https-in
bind :::443 v4v6
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
default_backend proxy-backend-https
tcp-request content accept if { req.ssl_hello_type 1 }
${concatMapStrings ({ proxyTo, hostNames, matchArg }:
concatMapStrings (hostname: ''
use_backend ${canonicalize proxyTo.host}-https if { req.ssl_sni -i ${matchArg} ${hostname} }
'') hostNames
) cfg.proxyHosts}
backend proxy-backend-https
${
concatMapStringsSep "\n" (proxyHost:
optionalString
(proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null)
(concatMapStringsSep "\n" (hostname: ''
use-server ${withoutWildcards hostname}-https if { req.ssl_sni -i -m end ${hostname} }
server ${withoutWildcards hostname}-https ${proxyHost.proxyTo.host}:${
toString proxyHost.proxyTo.httpsPort
} weight 0
'') (proxyHost.hostNames))) (cfg.proxyHosts)
}
${concatMapStrings ({ proxyTo, hostNames, matchArg }: ''
backend ${canonicalize proxyTo.host}-https
server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${
toString proxyTo.httpsPort
} weight 1
'') cfg.proxyHosts}
'';
};
};
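Review bot: The https backends are now named after `canonicalize proxyTo.host` and one `backend` stanza is emitted per entry of `cfg.proxyHosts`, so two entries that proxy to the same host (the gitea and manual entries in the other file already share the 172.20.73.x range, and registry hosts can repeat) produce two backends with the same name, which HAProxy, I believe, rejects at config check time; the `use_backend` loop also lacks the `proxyTo.host != null` guard that the http side keeps, so a null host hits `canonicalize` at eval time. The pattern `{ proxyTo, hostNames, matchArg }` without `...` will also break as soon as another option is added to the submodule. Generating the backends from a host-keyed attribute set avoids the duplicates (if two entries name the same host with different `httpsPort`, the later one wins — worth a comment or an assertion); the rewrite is sketched below.
```nix
${concatMapStrings ({ proxyTo, hostNames, matchArg, ... }:
  optionalString (proxyTo.host != null) (concatMapStrings (hostname: ''
    use_backend ${canonicalize proxyTo.host}-https if { req.ssl_sni -i ${matchArg} ${hostname} }
  '') hostNames)
) cfg.proxyHosts}
# … unchanged: rest of frontend https-in …
${let
  backends = listToAttrs (map (p: nameValuePair (canonicalize p.proxyTo.host) p.proxyTo)
    (filter (p: p.proxyTo.host != null) cfg.proxyHosts));
in concatStrings (mapAttrsToList (name: proxyTo: ''
  backend ${name}-https
    server ${name}-https ${proxyTo.host}:${toString proxyTo.httpsPort} weight 1
'') backends)}
```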