nix-config/hosts/containers/public-access-proxy/proxy.nix

126 lines
3.7 KiB
Nix

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.my.services.proxy;
in {
options.my.services.proxy = {
enable = mkOption {
default = false;
description = "whether to enable proxy";
type = types.bool;
};
proxyHosts = mkOption {
type = types.listOf (types.submodule (
{
options = {
hostNames = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Proxy these hostNames.
'';
};
proxyTo = mkOption {
type = types.submodule (
{
options = {
host = mkOption {
type = types.nullOr types.string;
default = null;
description = ''
Host to forward traffic to.
Any hostname may only be used once
'';
};
httpPort = mkOption {
type = types.int;
default = 80;
description = ''
Port to forward http to.
'';
};
httpsPort = mkOption {
type = types.int;
default = 443;
description = ''
Port to forward http to.
'';
};
};
});
description = ''
{ host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
'';
default = {};
};
};
}));
default = [];
example = [
{ hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
proxyTo = { host = "172.22.99.99"; httpPort = 80; httpsPort = 443; };
}
];
};
};
config = mkIf cfg.enable {
services.haproxy = {
enable = true;
config = ''
resolvers dns
nameserver quad9 9.9.9.9:53
hold valid 1s
frontend http-in
bind :::80 v4v6
default_backend proxy-backend-http
backend proxy-backend-http
timeout connect 5000
timeout check 5000
timeout client 30000
timeout server 30000
${concatMapStringsSep "\n" (proxyHost:
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
concatMapStringsSep "\n" (hostname: ''
use-server ${hostname}-http if { req.hdr(host) -i ${hostname} }
server ${hostname}-http ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpPort} resolvers dns check inter 1000
''
) (proxyHost.hostNames)
)
) (cfg.proxyHosts)
}
frontend https-in
bind :::443 v4v6
default_backend proxy-backend-https
backend proxy-backend-https
timeout connect 5000
timeout check 5000
timeout client 30000
timeout server 30000
${concatMapStringsSep "\n" (proxyHost:
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
concatMapStringsSep "\n" (hostname: ''
use-server ${hostname}-https if { req.ssl_sni -i ${hostname} }
server ${hostname}-https ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpsPort} resolvers dns check inter 1000
''
) (proxyHost.hostNames)
)
) (cfg.proxyHosts)
}
'';
};
};
}