From f4b14c94fab2cae335bb5f816bd4d1b45f3aeaaf Mon Sep 17 00:00:00 2001
From: Markus Schmidl
Date: Sun, 31 Mar 2019 21:46:51 +0200
Subject: [PATCH] storage-ng/public-address-proxy: proxy different fqdns to different hosts
---
 .../public-access-proxy/configuration.nix | 58 +++++++++
 .../storage-ng/public-access-proxy/proxy.nix | 112 ++++++++++++++++++
 2 files changed, 170 insertions(+)
 create mode 100644 hosts/storage-ng/public-access-proxy/configuration.nix
 create mode 100644 hosts/storage-ng/public-access-proxy/proxy.nix
diff --git a/hosts/storage-ng/public-access-proxy/configuration.nix b/hosts/storage-ng/public-access-proxy/configuration.nix
new file mode 100644
index 00000000..06ddd17d
--- /dev/null
+++ b/hosts/storage-ng/public-access-proxy/configuration.nix
@@ -0,0 +1,58 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ./proxy.nix
+ ];
+ nix.useSandbox = false;
+ nix.maxJobs = lib.mkDefault 2;
+ nix.buildCores = lib.mkDefault 16;
+
+ boot.isContainer = true;
+ # /sbin/init
+ boot.loader.initScript.enable = true;
+ boot.loader.grub.enable = false;
+
+ fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
+
+ networking.hostName = "public-access-proxy";
+ networking.defaultGateway = "172.22.99.4";
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "prohibit-password";
+ ports = [ 1122 ];
+ };
+
+ services.my.proxy = {
+ enable = true;
+ proxyHosts = [
+ {
+ hostNames = [ "mdm.arkom.men" ];
+ proxyTo = { host = "cloud.bombenverleih.de"; httpPort = 80; httpsPort = 443; };
+ }
+ ];
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ users.extraUsers.k-ot = {
+ inNormalUser = true;
+ uid = 1000;
+ extraGroups = [ "wheel" ];
+ };
+
+ system.stateVersion = "18.09"; # Did you read the comment?
+
+}
diff --git a/hosts/storage-ng/public-access-proxy/proxy.nix b/hosts/storage-ng/public-access-proxy/proxy.nix
new file mode 100644
index 00000000..d7d59360
--- /dev/null
+++ b/hosts/storage-ng/public-access-proxy/proxy.nix
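Review bot: `services.my.proxy` does not match the option path proxy.nix declares (`options.my.serices.proxy`) or reads (`config.my.services.proxy`), so evaluation fails with an undefined-option error and the proxy is never enabled; this line should become `my.services.proxy = {` with the module corrected to declare that same path. `inNormalUser = true` is likewise not a NixOS option — it should be `isNormalUser = true`, otherwise the `k-ot` account is not set up as a normal user (no home directory or login shell). Since `k-ot` is in `wheel` and this container is exposed on 80/443, it is worth confirming which credentials that account is meant to log in with (none are set here) and whether `nix.useSandbox = false` is intentional, as it removes build isolation on this host. HAProxy resolves `cloud.bombenverleih.de` only once at startup by default, so pinning `proxyTo.host` to an address or adding a `resolvers` section would avoid a stale upstream after a DNS change.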
@@ -0,0 +1,112 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.my.services.proxy;
+
+in {
+
+ options.my.serices.proxy = {
+
+ enable = mkOption {
+ default = false;
+ description = "whether to enable proxy";
+ type = types.bool;
+ };
+
+ proxyHosts = mkOption {
+ type = types.listOf (types.submodule (
+ {
+ options = {
+ hostNames = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = ''
+ Proxy these hostnames.
+ '';
+ };
+ proxyTo = mkOption {
+ type = types.submodule (
+ {
+ options = {
+ host = mkOption {
+ type = types.nullOr types.string;
+ default = null;
+ description = ''
+ Host to forward traffic to.
+ Any hostname may only be used once
+ '';
+ };
+ httpPort = mkOption {
+ type = types.int;
+ default = 80;
+ description = ''
+ Port to forward http to.
+ '';
+ };
+ httpsPort = mkOption {
+ type = types.int;
+ default = 443;
+ description = ''
+ Port to forward http to.
+ '';
+ };
+ };
+ });
+ description = ''
+ { host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
+ '';
+ default = {};
+ };
+
+ }));
+ default = [];
+ example = [
+ { hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
+ proxyTo = { host = "172.22.99.99"; httpPort = 80; httpsPort = 443; };
+ }
+ ];
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+
+ services.haproxy = {
+ enable = true;
+ config = ''
+ frontend http-in
+ bind *:80
+ default_backend proxy-backend-http
+
+ backend proxy-backend-http
+ ${concatMapStringSep "\n" (proxyHost:
+ optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
+ concatMapStringSep "\n" (hostname: ''
+ use-server ${hostname}-http if { req.hdr(host) -i ${hostname} }
+ server ${hostname}-http ${proxyHost.proxyTo.host}:${proxyHost.proxyTo.httpPort} weight 0
+ ''
+ ) (attrValues proxyHost.hostnames)
+ )
+ ) (attrValues cfg.proxyHosts)
+ }
+
+ frontend https-in
+ bind *:443
+ default_backend proxy-backend-https
+
+ backend proxy-backend-https
+ ${concatMapStringSep "\n" (proxyHost:
+ optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
+ concatMapStringSep "\n" (hostname: ''
+ use-server ${hostname}-https if { req.ssl_sni -i ${hostname} }
+ server ${hostname}-https ${proxyHost.proxyTo.host}:${proxyHost.proxyTo.httpsPort} weight 0
+ ''
+ ) (attrValues proxyHost.hostnames)
+ )
+ ) (attrValues cfg.proxyHosts)
+ }
+ '';
+ };
+
+}
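Review bot: This module will not evaluate as committed: the option is declared at `options.my.serices.proxy` while `cfg` reads `config.my.services.proxy`, the helper is spelled `concatMapStringSep` (lib's is `concatMapStringsSep`), the inner loop reads `proxyHost.hostnames` instead of `hostNames`, `attrValues` is applied to what are lists, and the integer ports are interpolated without `toString`; reconstructing the hunk, the braces also look unbalanced (the outer `types.submodule ( {` and the module's `in {` are never closed), though the collapsed layout makes that hard to be certain of. On the HAProxy side, `http-in` and its backend need `mode http` for the `req.hdr(host)` match to apply (HAProxy defaults to TCP mode unless a `defaults` section says otherwise), and `https-in` needs `tcp-request inspect-delay` plus `tcp-request content accept if { req.ssl_hello_type 1 }` so the ClientHello is buffered before the backend's `req.ssl_sni` rules run — without that the SNI is likely empty at routing time and every connection falls through to the weight-0 servers. The `use-server` + `weight 0` pattern is a sensible fail-closed default for unmatched hostnames and should stay, but note the https path is pure TLS passthrough while the http path forwards plaintext as-is, so upstreams must enforce their own HTTPS redirect. Hostnames are spliced into the generated config unescaped; they come from operator-controlled options so the risk is low, but a `types.strMatching` pattern or an assertion rejecting whitespace would stop a stray value from injecting extra HAProxy directives. Minor: `types.string` is deprecated in favour of `types.str` (already used for `hostNames`), and the `httpsPort` description should read `Port to forward https to.`
```nix
  options.my.services.proxy = {
  # … unchanged: enable / proxyHosts option declarations …

  config = mkIf cfg.enable {
    services.haproxy = {
      enable = true;
      config = ''
        frontend http-in
          mode http
          bind *:80
          default_backend proxy-backend-http

        backend proxy-backend-http
          mode http
          ${concatMapStringsSep "\n" (proxyHost:
            optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
              concatMapStringsSep "\n" (hostname: ''
                use-server ${hostname}-http if { req.hdr(host) -i ${hostname} }
                server ${hostname}-http ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpPort} weight 0
              '') proxyHost.hostNames
            )
          ) cfg.proxyHosts}

        frontend https-in
          mode tcp
          bind *:443
          # hold the connection until the ClientHello is seen so req.ssl_sni is populated for routing
          tcp-request inspect-delay 5s
          tcp-request content accept if { req.ssl_hello_type 1 }
          default_backend proxy-backend-https

        backend proxy-backend-https
          mode tcp
          ${concatMapStringsSep "\n" (proxyHost:
            optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
              concatMapStringsSep "\n" (hostname: ''
                use-server ${hostname}-https if { req.ssl_sni -i ${hostname} }
                server ${hostname}-https ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpsPort} weight 0
              '') proxyHost.hostNames
            )
          ) cfg.proxyHosts}
      '';
    };
```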