nix-config/hosts/containers/public-access-proxy/default.nix


{ zentralwerk, nixosConfigurations, config, pkgs, lib, ... }:

let
  serv = zentralwerk.lib.config.site.net.serv;

  # Backend address for the nixosConfiguration called `name`, taken from
  # config.c3d2.hosts: IPv4 is preferred, IPv6 is bracketed for haproxy,
  # and evaluation fails loudly instead of silently skipping the host.
  backendAddressOf = name:
    let
      hostCfg = config.c3d2.hosts.${name};
    in
      if hostCfg ? ip4 && hostCfg.ip4 != null
      then hostCfg.ip4
      else if hostCfg ? ip6 && hostCfg.ip6 != null
      then "[${hostCfg.ip6}]"
      else throw "No known addresses for ${name}";

  # Every nginx virtualHost name of `nixos`, together with its
  # serverAliases; the "localhost" vhost is excluded.
  nginxHostNamesOf = nixos:
    let
      vhosts = nixos.config.services.nginx.virtualHosts;
      namesOf = vh: [ vh ] ++ vhosts.${vh}.serverAliases;
    in
      lib.filter (vh: vh != "localhost")
        (lib.concatMap namesOf (lib.attrNames vhosts));

  # Only configurations that actually run nginx get a generated forward.
  nginxHosts = lib.filterAttrs
    (_: nixos: nixos.config.services.nginx.enable)
    nixosConfigurations;

  # Manual forwarding configurations.
  # NOTE(review): haproxy's `-m end` is a suffix match, so as written
  # "nixvita.de" would also match a name such as "xnixvita.de"; confirm how
  # proxy.nix turns hostNames into ACLs before relying on this for isolation.
  manualProxyHosts = [
    {
      hostNames = [ "vps1.nixvita.de" "vps1.codetu.be" "nixvita.de" ];
      proxyTo.host = "172.20.73.51";
      matchArg = "-m end";
    }
    {
      hostNames = [ "jabber.c3d2.de" ];
      proxyTo.host = config.c3d2.hosts.jabber.ip4;
      matchArg = "-m end";
    }
    {
      hostNames = [ "zw.poelzi.org" ];
      proxyTo.host = "172.20.73.162";
      matchArg = "-m end";
    }
    {
      hostNames = [ "direkthilfe.c3d2.de" ];
      proxyTo.host = config.c3d2.hosts.direkthilfe.ip4;
      matchArg = "-m end";
    }
  ];

  # Generated forwarding configurations from the other nixosConfigurations.
  # mapAttrsToList visits names in the same (sorted) order as attrNames, so
  # the resulting list order is deterministic.
  generatedProxyHosts = lib.mapAttrsToList (name: nixos: {
    hostNames = nginxHostNamesOf nixos;
    proxyTo.host = backendAddressOf name;
  }) nginxHosts;
in
{
  imports = [
    ./proxy.nix
    ./stats.nix
  ];

  networking.hostName = "public-access-proxy";
  networking.useNetworkd = true;
  networking.interfaces.eth0.ipv4.addresses = [{
    address = "172.20.73.45";
    prefixLength = serv.subnet4Len;
  }];
  networking.defaultGateway = "172.20.73.1";

  my.services.proxy = {
    enable = true;
    proxyHosts = manualProxyHosts ++ generatedProxyHosts;
  };

  networking.firewall.allowedTCPPorts = [
    80 443 # haproxy
    1965   # gemini
  ];

  # DNS records IN AAAA {www.,}c3d2.de point to this host but
  # gemini:// is served on c3d2-web only, so relay port 1965 there.
  # The listener binds every IPv6 address of this host (no bind= option);
  # the relay runs as an unprivileged dynamic user on a read-only system.
  systemd.services.gemini-forward = {
    wantedBy = [ "multi-user.target" ];
    path = [ pkgs.socat ];
    script = ''
      socat tcp6-listen:1965,fork "tcp6:[${serv.hosts6.dn42.c3d2-web}]:1965"
    '';
    serviceConfig = {
      ProtectSystem = "strict";
      DynamicUser = true;
    };
  };

  system.stateVersion = "18.09";
}