c3d2
/
nix-config
22
6
Fork 2
Code Issues 16 Pull Requests 1 Releases Wiki Activity

storage-ng/public-address-proxy: proxy different fqdns to different hosts

container/radius
Markus Schmidl 2019-03-31 21:46:51 +02:00
parent bde5a3d467
commit f4b14c94fa
2 changed files with 170 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
hosts/storage-ng/public-access-proxy/configuration.nix Normal file
View File

@ -0,0 +1,58 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
./proxy.nix
];
nix.useSandbox = false;
nix.maxJobs = lib.mkDefault 2;
nix.buildCores = lib.mkDefault 16;
boot.isContainer = true;
# /sbin/init
boot.loader.initScript.enable = true;
boot.loader.grub.enable = false;
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
networking.hostName = "public-access-proxy";
networking.defaultGateway = "172.22.99.4";
# Set your time zone.
time.timeZone = "Europe/Berlin";
services.openssh = {
enable = true;
permitRootLogin = "prohibit-password";
ports = [ 1122 ];
};
services.my.proxy = {
enable = true;
proxyHosts = [
{
hostNames = [ "mdm.arkom.men" ];
proxyTo = { host = "cloud.bombenverleih.de"; httpPort = 80; httpsPort = 443; };
}
];
};
networking.firewall.allowedTCPPorts = [
80
443
];
users.extraUsers.k-ot = {
inNormalUser = true;
uid = 1000;
extraGroups = [ "wheel" ];
};
system.stateVersion = "18.09"; # Did you read the comment?
}

112
hosts/storage-ng/public-access-proxy/proxy.nix Normal file
View File

@ -0,0 +1,112 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.my.services.proxy;
in {
options.my.serices.proxy = {
enable = mkOption {
default = false;
description = "whether to enable proxy";
type = types.bool;
};
proxyHosts = mkOption {
type = types.listOf (types.submodule (
{
options = {
hostNames = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Proxy these hostnames.
'';
};
proxyTo = mkOption {
type = types.submodule (
{
options = {
host = mkOption {
type = types.nullOr types.string;
default = null;
description = ''
Host to forward traffic to.
Any hostname may only be used once
'';
};
httpPort = mkOption {
type = types.int;
default = 80;
description = ''
Port to forward http to.
'';
};
httpsPort = mkOption {
type = types.int;
default = 443;
description = ''
Port to forward http to.
'';
};
};
});
description = ''
{ host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
'';
default = {};
};
}));
default = [];
example = [
{ hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
proxyTo = { host = "172.22.99.99"; httpPort = 80; httpsPort = 443; };
}
];
};
};
config = mkIf cfg.enable {
services.haproxy = {
enable = true;
config = ''
frontend http-in
bind *:80
default_backend proxy-backend-http
backend proxy-backend-http
${concatMapStringSep "\n" (proxyHost:
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
concatMapStringSep "\n" (hostname: ''
use-server ${hostname}-http if { req.hdr(host) -i ${hostname} }
server ${hostname}-http ${proxyHost.proxyTo.host}:${proxyHost.proxyTo.httpPort} weight 0
''
) (attrValues proxyHost.hostnames)
)
) (attrValues cfg.proxyHosts)
}
frontend https-in
bind *:443
default_backend proxy-backend-https
backend proxy-backend-https
${concatMapStringSep "\n" (proxyHost:
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
concatMapStringSep "\n" (hostname: ''
use-server ${hostname}-https if { req.ssl_sni -i ${hostname} }
server ${hostname}-https ${proxyHost.proxyTo.host}:${proxyHost.proxyTo.httpsPort} weight 0
''
) (attrValues proxyHost.hostnames)
)
) (attrValues cfg.proxyHosts)
}
'';
};
}