public-access-proxy: populate proxyHosts from other nixosConfigurations

fixes gitea issue #8
Astro 2021-10-06 21:55:43 +02:00
parent 2be650b93e
commit 4f20008ec9
3 changed files with 60 additions and 61 deletions


@ -308,6 +308,9 @@
./lib/lxc-container.nix ./lib/lxc-container.nix
./hosts/containers/public-access-proxy ./hosts/containers/public-access-proxy
]; ];
extraArgs = {
inherit (self) nixosConfigurations;
};
system = "x86_64-linux"; system = "x86_64-linux";
}; };


@ -1,4 +1,4 @@
{ hostRegistry, config, pkgs, lib, ... }: { hostRegistry, nixosConfigurations, config, pkgs, lib, ... }:
{ {
imports = [ imports = [
@ -19,47 +19,38 @@
my.services.proxy = { my.services.proxy = {
enable = true; enable = true;
proxyHosts = [ proxyHosts = [
{ # Manual forwarding configurations
hostNames = [ "grafana.hq.c3d2.de" ];
proxyTo.host = "grafana.serv.zentralwerk.org";
}
{
hostNames = [ "ticker.c3d2.de" ];
proxyTo.host = "ticker.serv.zentralwerk.org";
}
{
hostNames = [ "gitea.c3d2.de" ];
proxyTo.host = "172.20.73.53";
}
{ {
hostNames = [ "vps1.nixvita.de" "vps1.codetu.be" "nixvita.de" ]; hostNames = [ "vps1.nixvita.de" "vps1.codetu.be" "nixvita.de" ];
proxyTo.host = "172.20.73.51"; proxyTo.host = "172.20.73.51";
matchArg = "-m end";
} }
{ ] ++
hostNames = [ "stream.hq.c3d2.de" ]; # Generated forwarding configurations from other nixosConfigurations
proxyTo.host = hostRegistry.hosts.stream.ip4; map (host:
let
nixosConfig = nixosConfigurations.${host}.config;
in {
hostNames =
builtins.filter (vhost: vhost != "localhost") (
builtins.concatMap (vhost:
let
vhostConfig = nixosConfig.services.nginx.virtualHosts.${vhost};
in [ vhost ] ++ vhostConfig.serverAliases
) (builtins.attrNames nixosConfig.services.nginx.virtualHosts)
);
proxyTo.host =
if hostRegistry.hosts.${host} ? ip6
then "[${hostRegistry.hosts.${host}.ip6}]"
else if hostRegistry.hosts.${host} ? ip4
then hostRegistry.hosts.${host}.ip4
else throw "No known addresses for ${host}";
} }
{ ) (builtins.attrNames (
hostNames = [ "mobilizon.c3d2.de" ]; lib.filterAttrs (_: nixos:
proxyTo.host = hostRegistry.hosts.mobilizon.ip4; nixos.config.services.nginx.enable
} ) nixosConfigurations
{ ));
hostNames = [ "sdr.hq.c3d2.de" ];
proxyTo.host = hostRegistry.hosts.radiobert.ip4;
}
{
hostNames = [
"www.c3d2.de" "c3d2.de"
"c3dd.de" "www.c3dd.de"
"cccdd.de" "www.cccdd.de"
"dresden.ccc.de" "www.dresden.ccc.de"
"datenspuren.de" "www.datenspuren.de"
"datenspuren.c3d2.de" "ds.c3d2.de"
"autotopia.c3d2.de"
];
proxyTo.host = hostRegistry.hosts.c3d2-web.ip4;
}
];
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
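Review bot: The generated block at `map (host: …)` turns the proxy from an explicit allowlist into an opt-out list: every virtualHost of every nixosConfiguration with `services.nginx.enable` set becomes reachable through the public proxy, with `localhost` as the only exclusion, so a vhost that was intended for the internal network only is published unless its maintainer knows about this module. Consider filtering on an explicit marker that the other configurations opt into rather than on `services.nginx.enable` alone, or at least state the rule in the `# Generated forwarding configurations from other nixosConfigurations` comment so that adding an nginx vhost elsewhere is understood to publish it. The generated `hostNames` also take the virtualHosts attribute name as the hostname; a vhost that sets `serverName` may be keyed by an arbitrary name, so use `(if vhostConfig.serverName != null then vhostConfig.serverName else vhost)` in place of `vhost` on the `in [ vhost ] ++ vhostConfig.serverAliases` line. Note that `lib.filterAttrs` forces evaluation of `config` for every nixosConfiguration, so an evaluation error in an unrelated host now breaks evaluation of the proxy as well; the outer module attribute set that encloses `my.services.proxy` starts in the first hunk and closes outside this one.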


@ -3,7 +3,7 @@
with lib; with lib;
let cfg = config.my.services.proxy; let cfg = config.my.services.proxy;
withoutWildcards = builtins.replaceStrings ["*"] ["all"]; canonicalize = builtins.replaceStrings ["*" "." ":" "[" "]"] ["all" "_" "_" "" ""];
in { in {
@ -57,6 +57,12 @@ in {
''; '';
default = { }; default = { };
}; };
matchArg = mkOption {
type = types.str;
default = "";
description = "Optional argument to HAProxy `req.ssl_sni -i`";
};
}; };
})); }));
@ -96,35 +102,34 @@ in {
http-request set-header X-Forwarded-Proto http http-request set-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Port 80 http-request set-header X-Forwarded-Port 80
${ ${
concatMapStringsSep "\n" (proxyHost: concatMapStrings ({ proxyTo, hostNames, matchArg }:
optionalString optionalString (hostNames != [ ] && proxyTo.host != null) (
(proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null) concatMapStrings (hostname: ''
(concatMapStringsSep "\n" (hostname: '' use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
use-server ${withoutWildcards hostname}-http if { req.hdr(host) -i -m end ${hostname} } server ${canonicalize hostname}-http ${proxyTo.host}:${
server ${withoutWildcards hostname}-http ${proxyHost.proxyTo.host}:${ toString proxyTo.httpPort
toString proxyHost.proxyTo.httpPort } weight 1
} weight 0 '') hostNames
'') (proxyHost.hostNames))) (cfg.proxyHosts) )
) cfg.proxyHosts
} }
frontend https-in frontend https-in
bind :::443 v4v6 bind :::443 v4v6
tcp-request inspect-delay 5s tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 } tcp-request content accept if { req.ssl_hello_type 1 }
default_backend proxy-backend-https ${concatMapStrings ({ proxyTo, hostNames, matchArg }:
concatMapStrings (hostname: ''
use_backend ${canonicalize proxyTo.host}-https if { req.ssl_sni -i ${matchArg} ${hostname} }
'') hostNames
) cfg.proxyHosts}
backend proxy-backend-https ${concatMapStrings ({ proxyTo, hostNames, matchArg }: ''
${ backend ${canonicalize proxyTo.host}-https
concatMapStringsSep "\n" (proxyHost: server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${
optionalString toString proxyTo.httpsPort
(proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null) } weight 1
(concatMapStringsSep "\n" (hostname: '' '') cfg.proxyHosts}
use-server ${withoutWildcards hostname}-https if { req.ssl_sni -i -m end ${hostname} }
server ${withoutWildcards hostname}-https ${proxyHost.proxyTo.host}:${
toString proxyHost.proxyTo.httpsPort
} weight 0
'') (proxyHost.hostNames))) (cfg.proxyHosts)
}
''; '';
}; };
}; };
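Review bot: The https backend generation at `backend ${canonicalize proxyTo.host}-https` emits one backend per proxyHost entry rather than per distinct destination, so two entries that share a `proxyTo.host` (a manual entry and a generated one resolving to the same address, for instance) produce a duplicate backend name that HAProxy rejects, and unlike the http rules above it carries no `proxyTo.host != null` guard, so a null host reaches `replaceStrings` and fails evaluation. Generate the backends from the unique set of `proxyTo` values after filtering out empty or null entries, as sketched below; entries with the same host but a different `httpsPort` would still collide on the name and would need the port folded into it. The `matchArg` description mentions only `req.ssl_sni -i`, yet the option is also spliced into the `req.hdr(host) -i` rule in the http section, so reword it to `Optional matching argument (e.g. "-m end") inserted into the HAProxy req.hdr(host) and req.ssl_sni rules; empty means exact match`. Since the old code hard-coded `-m end`, a comment next to the option should also record that a suffix match accepts any Host or SNI value that merely ends in the configured name, which is why exact matching is now the default.
```nix
${concatMapStrings (proxyTo: ''
  backend ${canonicalize proxyTo.host}-https
    server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${toString proxyTo.httpsPort} weight 1
'') (unique (map (p: p.proxyTo) (filter (p: p.hostNames != [ ] && p.proxyTo.host != null) cfg.proxyHosts)))}
```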