Enable proxyProtocol for drone and gitea
parent
7c77a4c6f7
commit
e450e6cdf1
|
@ -159,26 +159,25 @@
|
||||||
gnome-initial-setup.enable = false;
|
gnome-initial-setup.enable = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
# nginx = {
|
nginx = {
|
||||||
# appendHttpConfig = ''
|
appendHttpConfig = ''
|
||||||
# log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
|
log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
|
||||||
# '"$request" $status $body_bytes_sent '
|
'"$request" $status $body_bytes_sent '
|
||||||
# '"$http_referer" "$http_user_agent"';
|
'"$http_referer" "$http_user_agent"';
|
||||||
|
|
||||||
# access_log /var/log/nginx/access.log proxyCombined;
|
access_log /var/log/nginx/access.log proxyCombined;
|
||||||
# '';
|
'';
|
||||||
# commonServerConfig = with zentralwerk.lib.config.site.net.serv; ''
|
commonServerConfig = with zentralwerk.lib.config.site.net.serv; ''
|
||||||
# # https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
|
# https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
|
||||||
# set_real_ip_from ${hosts4.public-access-proxy};
|
set_real_ip_from ${hosts4.public-access-proxy};
|
||||||
# set_real_ip_from ${hosts6.up4.public-access-proxy};
|
set_real_ip_from ${hosts6.up4.public-access-proxy};
|
||||||
|
|
||||||
# real_ip_header proxy_protocol;
|
real_ip_header proxy_protocol;
|
||||||
|
|
||||||
# proxy_set_header X-Real-IP $proxy_protocol_addr;
|
proxy_set_header X-Real-IP $proxy_protocol_addr;
|
||||||
# proxy_set_header X-Forwarded-For $proxy_protocol_addr;
|
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
|
||||||
# '';
|
'';
|
||||||
# defaultExtraParameters = [ "proxy_protocol" ];
|
};
|
||||||
# };
|
|
||||||
|
|
||||||
openssh = {
|
openssh = {
|
||||||
# Required for deployment and sops
|
# Required for deployment and sops
|
||||||
|
|
|
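Review bot: The `proxy_set_header X-Real-IP $proxy_protocol_addr;` and `X-Forwarded-For` lines and the `log_format proxyCombined` in this hunk take the client address straight from the PROXY header, which nginx populates for any peer that speaks it on a proxy_protocol listener, while `set_real_ip_from` and `real_ip_header proxy_protocol` only gate the rewrite of `$remote_addr`. As written, a host other than public-access-proxy that can reach the proxy_protocol listener decides what the upstreams see as the client address, and on any listener without proxy_protocol the variable is empty, so those requests arrive with blank X-Real-IP and log an empty address. The trusted value already exists after real_ip processing, so `proxy_set_header X-Real-IP $remote_addr;`, `proxy_set_header X-Forwarded-For $remote_addr;` and `$remote_addr` in place of `$proxy_protocol_addr` in the log_format cover both listener kinds without trusting an arbitrary PROXY header. Whether anything besides public-access-proxy can reach the proxy_protocol listener depends on `libC.defaultListen` (lib/nginx.nix) and the host firewall, neither of which is in this diff; the nginx attribute set closes here but the enclosing module continues beyond the hunk.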
@ -225,6 +225,9 @@
|
||||||
|
|
||||||
inherit (import ./lib/network.nix { inherit lib zentralwerk; }) hostRegistry;
|
inherit (import ./lib/network.nix { inherit lib zentralwerk; }) hostRegistry;
|
||||||
|
|
||||||
|
libC = {
|
||||||
|
inherit (import ./lib/nginx.nix {}) defaultListen;
|
||||||
|
};
|
||||||
|
|
||||||
overlayList = [
|
overlayList = [
|
||||||
self.overlays
|
self.overlays
|
||||||
|
@ -243,7 +246,7 @@
|
||||||
modules = [
|
modules = [
|
||||||
(_: {
|
(_: {
|
||||||
_module.args = {
|
_module.args = {
|
||||||
inherit hostRegistry nixos zentralwerk;
|
inherit hostRegistry libC nixos zentralwerk;
|
||||||
};
|
};
|
||||||
|
|
||||||
nixpkgs.overlays = overlayList;
|
nixpkgs.overlays = overlayList;
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, libC, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
hostname = "drone.hq.c3d2.de";
|
hostname = "drone.hq.c3d2.de";
|
||||||
|
@ -16,6 +16,7 @@ in
|
||||||
virtualHosts.${hostname} = {
|
virtualHosts.${hostname} = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
listen = libC.defaultListen;
|
||||||
locations."/".proxyPass = "http://localhost:8080";
|
locations."/".proxyPass = "http://localhost:8080";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
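Review bot: `listen = libC.defaultListen;` sits next to `locations."/".proxyPass = "http://localhost:8080";`, and the proxy module in this commit defaults `proxyHttpPort` to 8080, so if `defaultListen` (lib/nginx.nix, not part of the diff) binds the proxy_protocol listener to a wildcard address, nginx and the Drone upstream contend for the same port. If the listener is pinned to the host's routable address the split is intentional but invisible here, so a comment on the added line would help, e.g. `listen = libC.defaultListen; # proxy_protocol listeners; must not overlap the upstream on localhost:8080`. The same line is added for gitea in `@ -112,6 +112,7`, where the upstream is localhost:3000 and no overlap with 8080 arises. The virtualHosts definition continues outside the hunk.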
@ -1,4 +1,4 @@
|
||||||
{ config, pkgs, lib, libS, ... }:
|
{ config, pkgs, lib, libC, libS, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
c3d2.deployment.server = "server10";
|
c3d2.deployment.server = "server10";
|
||||||
|
@ -112,6 +112,7 @@
|
||||||
virtualHosts."gitea.c3d2.de" = {
|
virtualHosts."gitea.c3d2.de" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
listen = libC.defaultListen;
|
||||||
locations."/".proxyPass = "http://localhost:3000";
|
locations."/".proxyPass = "http://localhost:3000";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -70,6 +70,7 @@
|
||||||
} {
|
} {
|
||||||
hostNames = [ "gitea.c3d2.de" ];
|
hostNames = [ "gitea.c3d2.de" ];
|
||||||
proxyTo.host = hostRegistry.gitea.ip4;
|
proxyTo.host = hostRegistry.gitea.ip4;
|
||||||
|
proxyProtocol = true;
|
||||||
} {
|
} {
|
||||||
hostNames = [ "grafana.hq.c3d2.de" ];
|
hostNames = [ "grafana.hq.c3d2.de" ];
|
||||||
proxyTo.host = hostRegistry.grafana.ip4;
|
proxyTo.host = hostRegistry.grafana.ip4;
|
||||||
|
@ -140,6 +141,7 @@
|
||||||
} {
|
} {
|
||||||
hostNames = [ "drone.hq.c3d2.de" ];
|
hostNames = [ "drone.hq.c3d2.de" ];
|
||||||
proxyTo.host = hostRegistry.drone.ip4;
|
proxyTo.host = hostRegistry.drone.ip4;
|
||||||
|
proxyProtocol = true;
|
||||||
} {
|
} {
|
||||||
hostNames = [ "home-assistant.hq.c3d2.de" ];
|
hostNames = [ "home-assistant.hq.c3d2.de" ];
|
||||||
proxyTo.host = hostRegistry.home-assistant.ip4;
|
proxyTo.host = hostRegistry.home-assistant.ip4;
|
||||||
|
|
|
@ -49,6 +49,20 @@ in
|
||||||
Port to forward http to.
|
Port to forward http to.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
proxyHttpPort = lib.mkOption {
|
||||||
|
type = lib.types.port;
|
||||||
|
default = 8080;
|
||||||
|
description = ''
|
||||||
|
Port to forward http to when using the proxy protocol.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
proxyHttpsPort = lib.mkOption {
|
||||||
|
type = lib.types.port;
|
||||||
|
default = 8443;
|
||||||
|
description = ''
|
||||||
|
Port to forward http to when using the proxy protocol.
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
description = ''
|
description = ''
|
||||||
|
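Review bot: The description of the new `proxyHttpsPort` option repeats the text of `proxyHttpPort` (`Port to forward http to when using the proxy protocol.`) although the option carries the https port; `Port to forward https to when using the proxy protocol.` is the intended text. Both descriptions could also state which PROXY protocol version the proxy emits (the haproxy config generated later in this commit uses `send-proxy-v2`), since the listener on the target host has to be configured to accept it. The options block continues past the hunk.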
@ -106,8 +120,10 @@ in
|
||||||
${lib.concatMapStrings ({ proxyTo, proxyProtocol, hostNames, matchArg }:
|
${lib.concatMapStrings ({ proxyTo, proxyProtocol, hostNames, matchArg }:
|
||||||
lib.optionalString (hostNames != [ ] && proxyTo.host != null) (
|
lib.optionalString (hostNames != [ ] && proxyTo.host != null) (
|
||||||
lib.concatMapStrings (hostname: ''
|
lib.concatMapStrings (hostname: ''
|
||||||
|
|
||||||
use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
|
use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
|
||||||
server ${canonicalize hostname}-http ${proxyTo.host}:${toString proxyTo.httpPort} weight 1 check ${lib.optionalString proxyProtocol "send-proxy"}
|
server ${canonicalize hostname}-http ${proxyTo.host}:${toString proxyTo.httpPort} check ${lib.optionalString proxyProtocol "backup"}
|
||||||
|
${lib.optionalString proxyProtocol "server ${canonicalize hostname}-proxy-http ${proxyTo.host}:${toString proxyTo.proxyHttpPort} check send-proxy-v2"}
|
||||||
'') hostNames
|
'') hostNames
|
||||||
)
|
)
|
||||||
) cfg.proxyHosts
|
) cfg.proxyHosts
|
||||||
|
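Review bot: With `proxyProtocol` set, the plain server line becomes `check backup` and the `-proxy-http` server carrying `send-proxy-v2` is primary, so when the proxy-protocol server fails its health check haproxy silently falls back to the plain listener and the upstream no longer receives a PROXY header; any client-address-based logging or access control behind it then sees the proxy's address instead of the client's, a quiet degradation rather than an outage. If that fallback is intended it deserves a comment next to the backup server, e.g. `# backup: plain listener, loses the client address while the proxy-protocol server is down`; if not, dropping the `backup` keyword makes the failure visible instead. The same pattern is generated for https in `@ -127,7 +143,8`. The concatMapStrings call is inside a larger string whose start and end are outside the hunk.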
@ -127,7 +143,8 @@ in
|
||||||
${lib.concatMapStrings ({ proxyTo, proxyProtocol, ... }: ''
|
${lib.concatMapStrings ({ proxyTo, proxyProtocol, ... }: ''
|
||||||
|
|
||||||
backend ${canonicalize proxyTo.host}-https
|
backend ${canonicalize proxyTo.host}-https
|
||||||
server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${toString proxyTo.httpsPort} weight 1 check ${lib.optionalString proxyProtocol "send-proxy"}
|
server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${toString proxyTo.httpsPort} check ${lib.optionalString proxyProtocol "backup"}
|
||||||
|
${lib.optionalString proxyProtocol "server ${canonicalize proxyTo.host}-proxy-https ${proxyTo.host}:${toString proxyTo.proxyHttpsPort} check send-proxy-v2"}
|
||||||
'') cfg.proxyHosts}
|
'') cfg.proxyHosts}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|