2 changed files with 170 additions and 0 deletions
@ -0,0 +1,58 @@
|
||||
# Edit this configuration file to define what should be installed on |
||||
# your system. Help is available in the configuration.nix(5) man page |
||||
# and in the NixOS manual (accessible by running ‘nixos-help’). |
||||
|
||||
{ config, pkgs, lib, ... }: |
||||
|
||||
{ |
||||
imports = |
||||
[ <nixpkgs/nixos/modules/profiles/minimal.nix> |
||||
./proxy.nix |
||||
]; |
||||
nix.useSandbox = false; |
||||
nix.maxJobs = lib.mkDefault 2; |
||||
nix.buildCores = lib.mkDefault 16; |
||||
|
||||
boot.isContainer = true; |
||||
# /sbin/init |
||||
boot.loader.initScript.enable = true; |
||||
boot.loader.grub.enable = false; |
||||
|
||||
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; }; |
||||
|
||||
networking.hostName = "public-access-proxy"; |
||||
networking.defaultGateway = "172.22.99.4"; |
||||
|
||||
# Set your time zone. |
||||
time.timeZone = "Europe/Berlin"; |
||||
|
||||
services.openssh = { |
||||
enable = true; |
||||
permitRootLogin = "prohibit-password"; |
||||
ports = [ 1122 ]; |
||||
}; |
||||
|
||||
services.my.proxy = { |
||||
enable = true; |
||||
proxyHosts = [ |
||||
{ |
||||
hostNames = [ "mdm.arkom.men" ]; |
||||
proxyTo = { host = "cloud.bombenverleih.de"; httpPort = 80; httpsPort = 443; }; |
||||
} |
||||
]; |
||||
}; |
||||
|
||||
networking.firewall.allowedTCPPorts = [ |
||||
80 |
||||
443 |
||||
]; |
||||
|
||||
users.extraUsers.k-ot = { |
||||
inNormalUser = true; |
||||
uid = 1000; |
||||
extraGroups = [ "wheel" ]; |
||||
}; |
||||
|
||||
system.stateVersion = "18.09"; # Did you read the comment? |
||||
|
||||
} |
@ -0,0 +1,112 @@
|
||||
{ config, lib, pkgs, ... }: |
||||
|
||||
with lib; |
||||
let |
||||
cfg = config.my.services.proxy; |
||||
|
||||
in { |
||||
|
||||
options.my.serices.proxy = { |
||||
|
||||
enable = mkOption { |
||||
default = false; |
||||
description = "whether to enable proxy"; |
||||
type = types.bool; |
||||
}; |
||||
|
||||
proxyHosts = mkOption { |
||||
type = types.listOf (types.submodule ( |
||||
{ |
||||
options = { |
||||
hostNames = mkOption { |
||||
type = types.listOf types.str; |
||||
default = []; |
||||
description = '' |
||||
Proxy these hostnames. |
||||
''; |
||||
}; |
||||
proxyTo = mkOption { |
||||
type = types.submodule ( |
||||
{ |
||||
options = { |
||||
host = mkOption { |
||||
type = types.nullOr types.string; |
||||
default = null; |
||||
description = '' |
||||
Host to forward traffic to. |
||||
Any hostname may only be used once |
||||
''; |
||||
}; |
||||
httpPort = mkOption { |
||||
type = types.int; |
||||
default = 80; |
||||
description = '' |
||||
Port to forward http to. |
||||
''; |
||||
}; |
||||
httpsPort = mkOption { |
||||
type = types.int; |
||||
default = 443; |
||||
description = '' |
||||
Port to forward http to. |
||||
''; |
||||
}; |
||||
}; |
||||
}); |
||||
description = '' |
||||
{ host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to |
||||
''; |
||||
default = {}; |
||||
}; |
||||
|
||||
})); |
||||
default = []; |
||||
example = [ |
||||
{ hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ]; |
||||
proxyTo = { host = "172.22.99.99"; httpPort = 80; httpsPort = 443; }; |
||||
} |
||||
]; |
||||
}; |
||||
|
||||
}; |
||||
|
||||
config = mkIf cfg.enable { |
||||
|
||||
services.haproxy = { |
||||
enable = true; |
||||
config = '' |
||||
frontend http-in |
||||
bind *:80 |
||||
default_backend proxy-backend-http |
||||
|
||||
backend proxy-backend-http |
||||
${concatMapStringSep "\n" (proxyHost: |
||||
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) ( |
||||
concatMapStringSep "\n" (hostname: '' |
||||
use-server ${hostname}-http if { req.hdr(host) -i ${hostname} } |
||||
server ${hostname}-http ${proxyHost.proxyTo.host}:${proxyHost.proxyTo.httpPort} weight 0 |
||||
'' |
||||
) (attrValues proxyHost.hostnames) |
||||
) |
||||
) (attrValues cfg.proxyHosts) |
||||
} |
||||
|
||||
frontend https-in |
||||
bind *:443 |
||||
default_backend proxy-backend-https |
||||
|
||||
backend proxy-backend-https |
||||
${concatMapStringSep "\n" (proxyHost: |
||||
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) ( |
||||
concatMapStringSep "\n" (hostname: '' |
||||
use-server ${hostname}-https if { req.ssl_sni -i ${hostname} } |
||||
server ${hostname}-https ${proxyHost.proxyTo.host}:${proxyHost.proxyTo.httpsPort} weight 0 |
||||
'' |
||||
) (attrValues proxyHost.hostnames) |
||||
) |
||||
) (attrValues cfg.proxyHosts) |
||||
} |
||||
''; |
||||
}; |
||||
|
||||
} |
Loading…
Reference in new issue