public-access-proxy: populate proxyHosts from other nixosConfigurations
fixes gitea issue #8
parent
2be650b93e
commit
4f20008ec9
|
@ -308,6 +308,9 @@
|
||||||
./lib/lxc-container.nix
|
./lib/lxc-container.nix
|
||||||
./hosts/containers/public-access-proxy
|
./hosts/containers/public-access-proxy
|
||||||
];
|
];
|
||||||
|
extraArgs = {
|
||||||
|
inherit (self) nixosConfigurations;
|
||||||
|
};
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ hostRegistry, config, pkgs, lib, ... }:
|
{ hostRegistry, nixosConfigurations, config, pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -19,47 +19,38 @@
|
||||||
my.services.proxy = {
|
my.services.proxy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
proxyHosts = [
|
proxyHosts = [
|
||||||
{
|
# Manual forwarding configurations
|
||||||
hostNames = [ "grafana.hq.c3d2.de" ];
|
|
||||||
proxyTo.host = "grafana.serv.zentralwerk.org";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
hostNames = [ "ticker.c3d2.de" ];
|
|
||||||
proxyTo.host = "ticker.serv.zentralwerk.org";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
hostNames = [ "gitea.c3d2.de" ];
|
|
||||||
proxyTo.host = "172.20.73.53";
|
|
||||||
}
|
|
||||||
{
|
{
|
||||||
hostNames = [ "vps1.nixvita.de" "vps1.codetu.be" "nixvita.de" ];
|
hostNames = [ "vps1.nixvita.de" "vps1.codetu.be" "nixvita.de" ];
|
||||||
proxyTo.host = "172.20.73.51";
|
proxyTo.host = "172.20.73.51";
|
||||||
|
matchArg = "-m end";
|
||||||
}
|
}
|
||||||
{
|
] ++
|
||||||
hostNames = [ "stream.hq.c3d2.de" ];
|
# Generated forwarding configurations from other nixosConfigurations
|
||||||
proxyTo.host = hostRegistry.hosts.stream.ip4;
|
map (host:
|
||||||
|
let
|
||||||
|
nixosConfig = nixosConfigurations.${host}.config;
|
||||||
|
in {
|
||||||
|
hostNames =
|
||||||
|
builtins.filter (vhost: vhost != "localhost") (
|
||||||
|
builtins.concatMap (vhost:
|
||||||
|
let
|
||||||
|
vhostConfig = nixosConfig.services.nginx.virtualHosts.${vhost};
|
||||||
|
in [ vhost ] ++ vhostConfig.serverAliases
|
||||||
|
) (builtins.attrNames nixosConfig.services.nginx.virtualHosts)
|
||||||
|
);
|
||||||
|
proxyTo.host =
|
||||||
|
if hostRegistry.hosts.${host} ? ip6
|
||||||
|
then "[${hostRegistry.hosts.${host}.ip6}]"
|
||||||
|
else if hostRegistry.hosts.${host} ? ip4
|
||||||
|
then hostRegistry.hosts.${host}.ip4
|
||||||
|
else throw "No known addresses for ${host}";
|
||||||
}
|
}
|
||||||
{
|
) (builtins.attrNames (
|
||||||
hostNames = [ "mobilizon.c3d2.de" ];
|
lib.filterAttrs (_: nixos:
|
||||||
proxyTo.host = hostRegistry.hosts.mobilizon.ip4;
|
nixos.config.services.nginx.enable
|
||||||
}
|
) nixosConfigurations
|
||||||
{
|
));
|
||||||
hostNames = [ "sdr.hq.c3d2.de" ];
|
|
||||||
proxyTo.host = hostRegistry.hosts.radiobert.ip4;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
hostNames = [
|
|
||||||
"www.c3d2.de" "c3d2.de"
|
|
||||||
"c3dd.de" "www.c3dd.de"
|
|
||||||
"cccdd.de" "www.cccdd.de"
|
|
||||||
"dresden.ccc.de" "www.dresden.ccc.de"
|
|
||||||
"datenspuren.de" "www.datenspuren.de"
|
|
||||||
"datenspuren.c3d2.de" "ds.c3d2.de"
|
|
||||||
"autotopia.c3d2.de"
|
|
||||||
];
|
|
||||||
proxyTo.host = hostRegistry.hosts.c3d2-web.ip4;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
|
|
|
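Review bot: The generated `proxyTo.host` branch at `if hostRegistry.hosts.${host} ? ip6` selects `hostRegistry.hosts.${host}` before the `?` test is applied, so a nixosConfiguration that enables nginx but has no entry in hostRegistry fails with an attribute-missing error instead of reaching `throw "No known addresses for ${host}"`; `if lib.hasAttrByPath [ host "ip6" ] hostRegistry.hosts` (and the same for `ip4`) keeps the intended message. The generated list also forwards every `services.nginx.virtualHosts` name and every `serverAliases` entry of every nginx-enabled host, dropping only `"localhost"`, so a vhost that is meant for internal use becomes reachable through the public proxy the moment it is declared; a per-host opt-out or an explicit list of public domains would make that exposure a deliberate choice, and the decision deserves a comment above `map (host:`. The enclosing `my.services.proxy` attribute set starts before this hunk.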
@ -3,7 +3,7 @@
|
||||||
with lib;
|
with lib;
|
||||||
let cfg = config.my.services.proxy;
|
let cfg = config.my.services.proxy;
|
||||||
|
|
||||||
withoutWildcards = builtins.replaceStrings ["*"] ["all"];
|
canonicalize = builtins.replaceStrings ["*" "." ":" "[" "]"] ["all" "_" "_" "" ""];
|
||||||
|
|
||||||
in {
|
in {
|
||||||
|
|
||||||
|
@ -57,6 +57,12 @@ in {
|
||||||
'';
|
'';
|
||||||
default = { };
|
default = { };
|
||||||
};
|
};
|
||||||
|
matchArg = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "";
|
||||||
|
description = "Optional argument to HAProxy `req.ssl_sni -i`";
|
||||||
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
}));
|
}));
|
||||||
|
@ -96,35 +102,34 @@ in {
|
||||||
http-request set-header X-Forwarded-Proto http
|
http-request set-header X-Forwarded-Proto http
|
||||||
http-request set-header X-Forwarded-Port 80
|
http-request set-header X-Forwarded-Port 80
|
||||||
${
|
${
|
||||||
concatMapStringsSep "\n" (proxyHost:
|
concatMapStrings ({ proxyTo, hostNames, matchArg }:
|
||||||
optionalString
|
optionalString (hostNames != [ ] && proxyTo.host != null) (
|
||||||
(proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null)
|
concatMapStrings (hostname: ''
|
||||||
(concatMapStringsSep "\n" (hostname: ''
|
use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
|
||||||
use-server ${withoutWildcards hostname}-http if { req.hdr(host) -i -m end ${hostname} }
|
server ${canonicalize hostname}-http ${proxyTo.host}:${
|
||||||
server ${withoutWildcards hostname}-http ${proxyHost.proxyTo.host}:${
|
toString proxyTo.httpPort
|
||||||
toString proxyHost.proxyTo.httpPort
|
} weight 1
|
||||||
} weight 0
|
'') hostNames
|
||||||
'') (proxyHost.hostNames))) (cfg.proxyHosts)
|
)
|
||||||
|
) cfg.proxyHosts
|
||||||
}
|
}
|
||||||
|
|
||||||
frontend https-in
|
frontend https-in
|
||||||
bind :::443 v4v6
|
bind :::443 v4v6
|
||||||
tcp-request inspect-delay 5s
|
tcp-request inspect-delay 5s
|
||||||
tcp-request content accept if { req_ssl_hello_type 1 }
|
tcp-request content accept if { req.ssl_hello_type 1 }
|
||||||
default_backend proxy-backend-https
|
${concatMapStrings ({ proxyTo, hostNames, matchArg }:
|
||||||
|
concatMapStrings (hostname: ''
|
||||||
|
use_backend ${canonicalize proxyTo.host}-https if { req.ssl_sni -i ${matchArg} ${hostname} }
|
||||||
|
'') hostNames
|
||||||
|
) cfg.proxyHosts}
|
||||||
|
|
||||||
backend proxy-backend-https
|
${concatMapStrings ({ proxyTo, hostNames, matchArg }: ''
|
||||||
${
|
backend ${canonicalize proxyTo.host}-https
|
||||||
concatMapStringsSep "\n" (proxyHost:
|
server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${
|
||||||
optionalString
|
toString proxyTo.httpsPort
|
||||||
(proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null)
|
} weight 1
|
||||||
(concatMapStringsSep "\n" (hostname: ''
|
'') cfg.proxyHosts}
|
||||||
use-server ${withoutWildcards hostname}-https if { req.ssl_sni -i -m end ${hostname} }
|
|
||||||
server ${withoutWildcards hostname}-https ${proxyHost.proxyTo.host}:${
|
|
||||||
toString proxyHost.proxyTo.httpsPort
|
|
||||||
} weight 0
|
|
||||||
'') (proxyHost.hostNames))) (cfg.proxyHosts)
|
|
||||||
}
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
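Review bot: The new `https-in` frontend generator and the per-host `backend ${canonicalize proxyTo.host}-https` section drop the `proxyTo.host != null` guard that the http frontend keeps in `optionalString (hostNames != [ ] && proxyTo.host != null) (`, so a proxyHost with an unset host now aborts evaluation inside `canonicalize` instead of being skipped; wrap both https generators in the same `optionalString (hostNames != [ ] && proxyTo.host != null) (...)`. Because the backend name is derived from `proxyTo.host` alone, two proxyHosts that point at the same address yield two `backend` sections with the same name, which HAProxy rejects as far as I recall; generating the backends from `unique (map (p: p.proxyTo.host) cfg.proxyHosts)` avoids that. The `matchArg` description names only `req.ssl_sni -i`, but the option is also spliced into `req.hdr(host) -i ${matchArg} ${hostname}` in the http frontend; `description = "Optional HAProxy match flag (for example '-m end') inserted before the host name in both the req.hdr(host) and req.ssl_sni matches";` would document both uses.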