storage-ng/public-address-proxy: proxy different fqdns to different hosts

4 years ago · f4b14c94fa
parent bde5a3d467
commit f4b14c94fa
2 changed files with 170 additions and 0 deletions
--- a/hosts/storage-ng/public-access-proxy/configuration.nix
+++ b/hosts/storage-ng/public-access-proxy/configuration.nix
@ -0,0 +1,58 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/profiles/minimal.nix>
+      ./proxy.nix
+    ];
+  nix.useSandbox = false;
+  nix.maxJobs = lib.mkDefault 2;
+  nix.buildCores = lib.mkDefault 16;
+
+  boot.isContainer = true;
+  # /sbin/init
+  boot.loader.initScript.enable = true;
+  boot.loader.grub.enable = false;
+
+  fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
+
+  networking.hostName = "public-access-proxy";
+  networking.defaultGateway = "172.22.99.4";
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  services.openssh = {
+    enable = true;
+    permitRootLogin = "prohibit-password";
+    ports = [ 1122 ];
+  };
+
+  services.my.proxy = {
+    enable = true;
+    proxyHosts = [
+      {
+        hostNames = [ "mdm.arkom.men" ];
+        proxyTo = { host = "cloud.bombenverleih.de"; httpPort = 80; httpsPort = 443; };
+      }
+    ];
+  };
+
+  networking.firewall.allowedTCPPorts = [ 
+    80
+    443
+   ];
+
+  users.extraUsers.k-ot = {
+    inNormalUser = true;
+    uid = 1000;
+    extraGroups = [ "wheel" ];
+  };
+
+  system.stateVersion = "18.09"; # Did you read the comment?
+
+}
--- a/hosts/storage-ng/public-access-proxy/proxy.nix
+++ b/hosts/storage-ng/public-access-proxy/proxy.nix
@ -0,0 +1,112 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.my.services.proxy;
+
+in {
+
+  options.my.serices.proxy = {
+
+    enable = mkOption {
+      default = false;
+      description = "whether to enable proxy";
+      type = types.bool;
+    };
+
+    proxyHosts = mkOption {
+      type = types.listOf (types.submodule (
+        {
+          options = {
+            hostNames = mkOption {
+              type = types.listOf types.str;
+              default = [];
+              description = ''
+                Proxy these hostnames.
+              '';
+            };
+            proxyTo = mkOption {
+              type = types.submodule (
+                {
+                  options = {
+                    host = mkOption {
+                      type = types.nullOr types.string;
+                      default = null;
+                      description = ''
+                        Host to forward traffic to.
+                        Any hostname may only be used once
+                      '';
+                    };
+                    httpPort = mkOption {
+                      type = types.int;
+                      default = 80;
+                      description = ''
+                        Port to forward http to.
+                      '';
+                    };
+                    httpsPort = mkOption {
+                      type = types.int;
+                      default = 443;
+                      description = ''
+                        Port to forward http to.
+                      '';
+                    };
+                  };
+                });
+              description = ''
+                { host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
+              '';
+              default = {};
+            };
+
+        }));
+      default = [];
+      example = [
+        { hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
+          proxyTo = { host = "172.22.99.99"; httpPort = 80; httpsPort = 443; };
+        }
+      ];
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    services.haproxy = {
+      enable = true;
+      config = ''
+        frontend http-in
+          bind *:80
+          default_backend proxy-backend-http
+  
+        backend proxy-backend-http
+          ${concatMapStringSep "\n" (proxyHost:
+            optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
+              concatMapStringSep "\n" (hostname: ''
+                use-server ${hostname}-http if { req.hdr(host) -i ${hostname} }
+                server ${hostname}-http ${proxyHost.proxyTo.host}:${proxyHost.proxyTo.httpPort} weight 0
+              ''
+              ) (attrValues proxyHost.hostnames)
+            )
+          ) (attrValues cfg.proxyHosts)
+          }
+
+        frontend https-in
+          bind *:443
+          default_backend proxy-backend-https
+
+        backend proxy-backend-https
+          ${concatMapStringSep "\n" (proxyHost:
+            optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
+              concatMapStringSep "\n" (hostname: ''
+                use-server ${hostname}-https if { req.ssl_sni -i ${hostname} }
+                server ${hostname}-https ${proxyHost.proxyTo.host}:${proxyHost.proxyTo.httpsPort} weight 0
+              ''
+              ) (attrValues proxyHost.hostnames)
+            )
+          ) (attrValues cfg.proxyHosts)
+          }
+      '';
+    };
+
+}