public-access-proxy: populate proxyHosts from other nixosConfigurations
fixes gitea issue #8
parent
2be650b93e
commit
4f20008ec9
|
@ -308,6 +308,9 @@
|
|||
./lib/lxc-container.nix
|
||||
./hosts/containers/public-access-proxy
|
||||
];
|
||||
extraArgs = {
|
||||
inherit (self) nixosConfigurations;
|
||||
};
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ hostRegistry, config, pkgs, lib, ... }:
|
||||
{ hostRegistry, nixosConfigurations, config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
|
@ -19,47 +19,38 @@
|
|||
my.services.proxy = {
|
||||
enable = true;
|
||||
proxyHosts = [
|
||||
{
|
||||
hostNames = [ "grafana.hq.c3d2.de" ];
|
||||
proxyTo.host = "grafana.serv.zentralwerk.org";
|
||||
}
|
||||
{
|
||||
hostNames = [ "ticker.c3d2.de" ];
|
||||
proxyTo.host = "ticker.serv.zentralwerk.org";
|
||||
}
|
||||
{
|
||||
hostNames = [ "gitea.c3d2.de" ];
|
||||
proxyTo.host = "172.20.73.53";
|
||||
}
|
||||
# Manual forwarding configurations
|
||||
{
|
||||
hostNames = [ "vps1.nixvita.de" "vps1.codetu.be" "nixvita.de" ];
|
||||
proxyTo.host = "172.20.73.51";
|
||||
matchArg = "-m end";
|
||||
}
|
||||
{
|
||||
hostNames = [ "stream.hq.c3d2.de" ];
|
||||
proxyTo.host = hostRegistry.hosts.stream.ip4;
|
||||
] ++
|
||||
# Generated forwarding configurations from other nixosConfigurations
|
||||
map (host:
|
||||
let
|
||||
nixosConfig = nixosConfigurations.${host}.config;
|
||||
in {
|
||||
hostNames =
|
||||
builtins.filter (vhost: vhost != "localhost") (
|
||||
builtins.concatMap (vhost:
|
||||
let
|
||||
vhostConfig = nixosConfig.services.nginx.virtualHosts.${vhost};
|
||||
in [ vhost ] ++ vhostConfig.serverAliases
|
||||
) (builtins.attrNames nixosConfig.services.nginx.virtualHosts)
|
||||
);
|
||||
proxyTo.host =
|
||||
if hostRegistry.hosts.${host} ? ip6
|
||||
then "[${hostRegistry.hosts.${host}.ip6}]"
|
||||
else if hostRegistry.hosts.${host} ? ip4
|
||||
then hostRegistry.hosts.${host}.ip4
|
||||
else throw "No known addresses for ${host}";
|
||||
}
|
||||
{
|
||||
hostNames = [ "mobilizon.c3d2.de" ];
|
||||
proxyTo.host = hostRegistry.hosts.mobilizon.ip4;
|
||||
}
|
||||
{
|
||||
hostNames = [ "sdr.hq.c3d2.de" ];
|
||||
proxyTo.host = hostRegistry.hosts.radiobert.ip4;
|
||||
}
|
||||
{
|
||||
hostNames = [
|
||||
"www.c3d2.de" "c3d2.de"
|
||||
"c3dd.de" "www.c3dd.de"
|
||||
"cccdd.de" "www.cccdd.de"
|
||||
"dresden.ccc.de" "www.dresden.ccc.de"
|
||||
"datenspuren.de" "www.datenspuren.de"
|
||||
"datenspuren.c3d2.de" "ds.c3d2.de"
|
||||
"autotopia.c3d2.de"
|
||||
];
|
||||
proxyTo.host = hostRegistry.hosts.c3d2-web.ip4;
|
||||
}
|
||||
];
|
||||
) (builtins.attrNames (
|
||||
lib.filterAttrs (_: nixos:
|
||||
nixos.config.services.nginx.enable
|
||||
) nixosConfigurations
|
||||
));
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
|
|
|
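Review bot: The generated entries publish every nginx virtual host of every nixosConfiguration that has nginx enabled, with `localhost` as the only exclusion, so a host with an internal-only vhost (or a catch-all such as `default` or `_`) has no way to opt out of being reachable through the public proxy; an explicit per-host or per-vhost opt-in, or at least an allowlist of hosts, would keep the exposure decision with the host owner. The names come from the attribute keys of `virtualHosts`, but a NixOS vhost may set `serverName` to something else, so the list should prefer it: `in [ (if vhostConfig.serverName != null then vhostConfig.serverName else vhost) ] ++ vhostConfig.serverAliases`. The `throw "No known addresses for ${host}"` is never reached for a host absent from `hostRegistry.hosts`, because `hostRegistry.hosts.${host} ? ip6` already fails with an attribute-missing error; guarding with `hostRegistry.hosts ? ${host} &&` on both branches gives the intended message. Since `lib.filterAttrs` forces `config.services.nginx.enable` of every configuration, any evaluation failure in an unrelated host now also breaks this host's build, which seems worth a comment next to the `map`. The enclosing module function begins in the earlier hunk of this file.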
@ -3,7 +3,7 @@
|
|||
with lib;
|
||||
let cfg = config.my.services.proxy;
|
||||
|
||||
withoutWildcards = builtins.replaceStrings ["*"] ["all"];
|
||||
canonicalize = builtins.replaceStrings ["*" "." ":" "[" "]"] ["all" "_" "_" "" ""];
|
||||
|
||||
in {
|
||||
|
||||
|
@ -57,6 +57,12 @@ in {
|
|||
'';
|
||||
default = { };
|
||||
};
|
||||
matchArg = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description = "Optional argument to HAProxy `req.ssl_sni -i`";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
}));
|
||||
|
@ -96,35 +102,34 @@ in {
|
|||
http-request set-header X-Forwarded-Proto http
|
||||
http-request set-header X-Forwarded-Port 80
|
||||
${
|
||||
concatMapStringsSep "\n" (proxyHost:
|
||||
optionalString
|
||||
(proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null)
|
||||
(concatMapStringsSep "\n" (hostname: ''
|
||||
use-server ${withoutWildcards hostname}-http if { req.hdr(host) -i -m end ${hostname} }
|
||||
server ${withoutWildcards hostname}-http ${proxyHost.proxyTo.host}:${
|
||||
toString proxyHost.proxyTo.httpPort
|
||||
} weight 0
|
||||
'') (proxyHost.hostNames))) (cfg.proxyHosts)
|
||||
concatMapStrings ({ proxyTo, hostNames, matchArg }:
|
||||
optionalString (hostNames != [ ] && proxyTo.host != null) (
|
||||
concatMapStrings (hostname: ''
|
||||
use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
|
||||
server ${canonicalize hostname}-http ${proxyTo.host}:${
|
||||
toString proxyTo.httpPort
|
||||
} weight 1
|
||||
'') hostNames
|
||||
)
|
||||
) cfg.proxyHosts
|
||||
}
|
||||
|
||||
frontend https-in
|
||||
bind :::443 v4v6
|
||||
tcp-request inspect-delay 5s
|
||||
tcp-request content accept if { req_ssl_hello_type 1 }
|
||||
default_backend proxy-backend-https
|
||||
tcp-request content accept if { req.ssl_hello_type 1 }
|
||||
${concatMapStrings ({ proxyTo, hostNames, matchArg }:
|
||||
concatMapStrings (hostname: ''
|
||||
use_backend ${canonicalize proxyTo.host}-https if { req.ssl_sni -i ${matchArg} ${hostname} }
|
||||
'') hostNames
|
||||
) cfg.proxyHosts}
|
||||
|
||||
backend proxy-backend-https
|
||||
${
|
||||
concatMapStringsSep "\n" (proxyHost:
|
||||
optionalString
|
||||
(proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null)
|
||||
(concatMapStringsSep "\n" (hostname: ''
|
||||
use-server ${withoutWildcards hostname}-https if { req.ssl_sni -i -m end ${hostname} }
|
||||
server ${withoutWildcards hostname}-https ${proxyHost.proxyTo.host}:${
|
||||
toString proxyHost.proxyTo.httpsPort
|
||||
} weight 0
|
||||
'') (proxyHost.hostNames))) (cfg.proxyHosts)
|
||||
}
|
||||
${concatMapStrings ({ proxyTo, hostNames, matchArg }: ''
|
||||
backend ${canonicalize proxyTo.host}-https
|
||||
server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${
|
||||
toString proxyTo.httpsPort
|
||||
} weight 1
|
||||
'') cfg.proxyHosts}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
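Review bot: The new per-entry `backend ${canonicalize proxyTo.host}-https` emits one backend per proxyHost, so two entries that share a `proxyTo.host` (a manual entry and a generated one pointing at the same address, for instance) produce two backends with the same name, which HAProxy is likely to reject; generating one backend per distinct target avoids that, while entries that share a host but differ in `httpsPort` would still collide on the name and should be reported. The description of `matchArg` in the options hunk only mentions `req.ssl_sni -i`, although the value is also inserted verbatim into the `req.hdr(host)` ACL of the http backend; something like `description = "Optional HAProxy match-method flag (e.g. \`-m end\`) inserted verbatim into the \`req.hdr(host)\` and \`req.ssl_sni\` ACLs"` would make both the use and the fact that it is raw config text clear. The surrounding `extraConfig` string starts before this hunk.
```nix
    backend proxy-backend-https
    # … unchanged: default backend with per-hostname use-server/server lines …
    ${concatMapStrings (proxyTo: ''
      backend ${canonicalize proxyTo.host}-https
        server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${
          toString proxyTo.httpsPort
        } weight 1
    '') (unique (map (p: p.proxyTo) cfg.proxyHosts))}
```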