From 4f20008ec94515051aa3ae7ab1f14d6671bf3c3e Mon Sep 17 00:00:00 2001
From: Astro
Date: Wed, 6 Oct 2021 21:55:43 +0200
Subject: [PATCH] public-access-proxy: populate proxyHosts from other nixosConfigurations
fixes gitea issue #8
---
 flake.nix | 3 +
 .../public-access-proxy/default.nix | 65 ++++++++-----------
 .../containers/public-access-proxy/proxy.nix | 53 ++++++++-------
 3 files changed, 60 insertions(+), 61 deletions(-)
diff --git a/flake.nix b/flake.nix
index 5a7c205f..ba2e9c2a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -308,6 +308,9 @@
 ./lib/lxc-container.nix
 ./hosts/containers/public-access-proxy
 ];
+ extraArgs = {
+ inherit (self) nixosConfigurations;
+ };
 system = "x86_64-linux";
 };
diff --git a/hosts/containers/public-access-proxy/default.nix b/hosts/containers/public-access-proxy/default.nix
index 7f9e8db9..a1f66029 100644
--- a/hosts/containers/public-access-proxy/default.nix
+++ b/hosts/containers/public-access-proxy/default.nix
@@ -1,4 +1,4 @@
-{ hostRegistry, config, pkgs, lib, ... }:
+{ hostRegistry, nixosConfigurations, config, pkgs, lib, ... }:
 {
 imports = [
@@ -19,47 +19,38 @@
 my.services.proxy = {
 enable = true;
 proxyHosts = [
- {
- hostNames = [ "grafana.hq.c3d2.de" ];
- proxyTo.host = "grafana.serv.zentralwerk.org";
- }
- {
- hostNames = [ "ticker.c3d2.de" ];
- proxyTo.host = "ticker.serv.zentralwerk.org";
- }
- {
- hostNames = [ "gitea.c3d2.de" ];
- proxyTo.host = "172.20.73.53";
- }
+ # Manual forwarding configurations
 {
 hostNames = [ "vps1.nixvita.de" "vps1.codetu.be" "nixvita.de" ];
 proxyTo.host = "172.20.73.51";
+ matchArg = "-m end";
 }
- {
- hostNames = [ "stream.hq.c3d2.de" ];
- proxyTo.host = hostRegistry.hosts.stream.ip4;
+ ] ++
+ # Generated forwarding configurations from other nixosConfigurations
+ map (host:
+ let
+ nixosConfig = nixosConfigurations.${host}.config;
+ in {
+ hostNames =
+ builtins.filter (vhost: vhost != "localhost") (
+ builtins.concatMap (vhost:
+ let
+ vhostConfig = nixosConfig.services.nginx.virtualHosts.${vhost};
+ in [ vhost ] ++ vhostConfig.serverAliases
+ ) (builtins.attrNames nixosConfig.services.nginx.virtualHosts)
+ );
+ proxyTo.host =
+ if hostRegistry.hosts.${host} ? ip6
+ then "[${hostRegistry.hosts.${host}.ip6}]"
+ else if hostRegistry.hosts.${host} ? ip4
+ then hostRegistry.hosts.${host}.ip4
+ else throw "No known addresses for ${host}";
 }
- {
- hostNames = [ "mobilizon.c3d2.de" ];
- proxyTo.host = hostRegistry.hosts.mobilizon.ip4;
- }
- {
- hostNames = [ "sdr.hq.c3d2.de" ];
- proxyTo.host = hostRegistry.hosts.radiobert.ip4;
- }
- {
- hostNames = [
- "www.c3d2.de" "c3d2.de"
- "c3dd.de" "www.c3dd.de"
- "cccdd.de" "www.cccdd.de"
- "dresden.ccc.de" "www.dresden.ccc.de"
- "datenspuren.de" "www.datenspuren.de"
- "datenspuren.c3d2.de" "ds.c3d2.de"
- "autotopia.c3d2.de"
- ];
- proxyTo.host = hostRegistry.hosts.c3d2-web.ip4;
- }
- ];
+ ) (builtins.attrNames (
+ lib.filterAttrs (_: nixos:
+ nixos.config.services.nginx.enable
+ ) nixosConfigurations
+ ));
 };
 networking.firewall.allowedTCPPorts = [ 80 443 ];
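Review bot: The generated part of `proxyHosts` turns the proxy's explicit allowlist into an implicit one: every `services.nginx.virtualHosts` name and every `serverAliases` entry on any configuration with nginx enabled becomes reachable through the public proxy the moment it is declared, and the only exclusion is the literal `"localhost"`. A vhost intended for the internal network, or a placeholder/catch-all vhost name, is therefore published without any change to this file; an opt-in per host or vhost, or at least an explicit exclusion list next to the `builtins.filter`, would keep that decision visible, and a comment above the `map` stating the policy (`# Every nginx vhost of every nixosConfiguration is published here unless filtered out below`) would make it discoverable. The `lib.filterAttrs` also ranges over the configuration that contains this module; should that one ever enable nginx, evaluating `proxyHosts` would depend on itself, so excluding it by name is cheap insurance. Whether the removed explicit entries (grafana, ticker, gitea, stream, mobilizon, sdr and the c3d2-web names) are all regenerated depends on those hosts enabling nginx with exactly those vhost names and being present in `hostRegistry.hosts` under the same key as in `nixosConfigurations`, which cannot be verified from the hunk.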
diff --git a/hosts/containers/public-access-proxy/proxy.nix b/hosts/containers/public-access-proxy/proxy.nix
index e23360f3..e20fce60 100644
--- a/hosts/containers/public-access-proxy/proxy.nix
+++ b/hosts/containers/public-access-proxy/proxy.nix
@@ -3,7 +3,7 @@
 with lib;
 let
 cfg = config.my.services.proxy;
- withoutWildcards = builtins.replaceStrings ["*"] ["all"];
+ canonicalize = builtins.replaceStrings ["*" "." ":" "[" "]"] ["all" "_" "_" "" ""];
 in {
@@ -57,6 +57,12 @@ in {
 '';
 default = { };
 };
+ matchArg = mkOption {
+ type = types.str;
+ default = "";
+ description = "Optional argument to HAProxy `req.ssl_sni -i`";
+ };
+
 };
 }));
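Review bot: `matchArg` is a free-form `types.str` that is spliced verbatim into both the `req.hdr(host)` and the `req.ssl_sni` ACL expressions further down in proxy.nix, so any value other than an HAProxy match flag silently changes routing or breaks the generated config; narrowing it to the flags actually used, `type = types.enum [ "" "-m end" "-m dom" ];`, and describing it as applying to both the HTTP Host and the SNI rules (the description names only `req.ssl_sni -i`) would make the contract explicit. The `-m end` value the manual entry uses is a plain suffix match, so `nixvita.de` also matches a Host or SNI value such as `othernixvita.de`; exact matching (the default) with the subdomains listed explicitly, or `-m dom`, which matches dot-delimited components, avoids routing unrelated names to that upstream. `canonicalize` in the first hunk folds `.` and `:` to `_` and drops `[`/`]`, so distinct `proxyTo.host` values can map to the same server/backend name; a short comment on that binding noting the collision risk would help the next reader.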
@@ -96,35 +102,34 @@ in {
 http-request set-header X-Forwarded-Proto http
 http-request set-header X-Forwarded-Port 80
 ${
- concatMapStringsSep "\n" (proxyHost:
- optionalString
- (proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null)
- (concatMapStringsSep "\n" (hostname: ''
- use-server ${withoutWildcards hostname}-http if { req.hdr(host) -i -m end ${hostname} }
- server ${withoutWildcards hostname}-http ${proxyHost.proxyTo.host}:${
- toString proxyHost.proxyTo.httpPort
- } weight 0
- '') (proxyHost.hostNames))) (cfg.proxyHosts)
+ concatMapStrings ({ proxyTo, hostNames, matchArg }:
+ optionalString (hostNames != [ ] && proxyTo.host != null) (
+ concatMapStrings (hostname: ''
+ use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
+ server ${canonicalize hostname}-http ${proxyTo.host}:${
+ toString proxyTo.httpPort
+ } weight 1
+ '') hostNames
+ )
+ ) cfg.proxyHosts
 }
 frontend https-in
 bind :::443 v4v6
 tcp-request inspect-delay 5s
- tcp-request content accept if { req_ssl_hello_type 1 }
- default_backend proxy-backend-https
+ tcp-request content accept if { req.ssl_hello_type 1 }
+ ${concatMapStrings ({ proxyTo, hostNames, matchArg }:
+ concatMapStrings (hostname: ''
+ use_backend ${canonicalize proxyTo.host}-https if { req.ssl_sni -i ${matchArg} ${hostname} }
+ '') hostNames
+ ) cfg.proxyHosts}
- backend proxy-backend-https
- ${
- concatMapStringsSep "\n" (proxyHost:
- optionalString
- (proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null)
- (concatMapStringsSep "\n" (hostname: ''
- use-server ${withoutWildcards hostname}-https if { req.ssl_sni -i -m end ${hostname} }
- server ${withoutWildcards hostname}-https ${proxyHost.proxyTo.host}:${
- toString proxyHost.proxyTo.httpsPort
- } weight 0
- '') (proxyHost.hostNames))) (cfg.proxyHosts)
- }
+ ${concatMapStrings ({ proxyTo, hostNames, matchArg }: ''
+ backend ${canonicalize proxyTo.host}-https
+ server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${
+ toString 
proxyTo.httpsPort
+ } weight 1
+ '') cfg.proxyHosts}
 '';
 };
 };
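Review bot: Changing the HTTP `server` lines from `weight 0` to `weight 1` changes what happens to a request whose Host header matches none of the `use-server` rules: with weight 0 those requests had no eligible server and were answered with an error, whereas with weight 1 they are now load-balanced across all listed upstreams, so an unknown or missing Host header reaches an arbitrary backend. If the weight change was needed for `use-server` to select the server, add a fallback in the HTTP backend that rejects requests matching none of the hostnames (an `http-request deny` guarded by the same `req.hdr(host)` ACLs, or a dedicated catch-all server), so that plain HTTP fails closed the way the HTTPS frontend now does after losing its `default_backend`. The `backend ${canonicalize proxyTo.host}-https` block is emitted once per `proxyHosts` entry but named after `proxyTo.host` alone, so two entries forwarding to the same host (the manual vps1 entry plus a generated one, or two registry addresses that canonicalize to the same string) produce a duplicate backend declaration that HAProxy rejects or at best warns about; grouping entries by `proxyTo.host` before emitting the backend, or deriving the name from the entry rather than the target, avoids that. The `''` string that holds this HAProxy config starts before the hunk.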