migrate haproxy -> nginx

services/errorfiles/503.html

@@ -1,39 +0,0 @@
-HTTP/1.0 503 Service Unavailable
-Cache-Control: no-cache
-Connection: close
-Content-Type: text/html
-
-<!doctype html>
-
-<html lang="en">
-<head>
-  <meta charset="utf-8">
-
-  <title>503 Service Unavailable</title>
-  <meta name="description" content="Le serveur n'est pas joignable">
-  <meta name="author" content="Nyanloutre">
-  
-  <style>
-  body {
-    background-image: url("https://storage.sbg3.cloud.ovh.net/v1/AUTH_5b4f5a8f8ed04ddb9725f42ae798cfab/images/1548346925-data-center-shot.jpg");
-    background-size: 100%;
-    color: white;
-    text-shadow: 0px 0px 3px black, 0px 0px 4px black;
-    text-align: center;
-    font-size: 2rem;
-  }
-  #travolta {
-    position: fixed;
-    height: 70%;
-    bottom: 0;
-    left: 40%;
-  }
-  </style>
-</head>
-
-<body>
-  <h1>503 Service non disponible</h1>
-  <img id="travolta" src="https://storage.sbg3.cloud.ovh.net/v1/AUTH_5b4f5a8f8ed04ddb9725f42ae798cfab/images/7VE.gif">
-  <p>Impossible de contacter le serveur demandé</p>
-</body>
-</html>

services/haproxy-acme.nix

@@ -1,158 +0,0 @@
-{ lib, config, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.haproxy-acme;
-
-  nginx_port = 54321;
-
-  haproxyConf = ''
-    global
-      log /dev/log local0
-      log /dev/log local1 notice
-      user haproxy
-      group haproxy
-      ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-      ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
-      ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
-      ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-      ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
-      ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
-    defaults
-      mode http
-      option forwardfor
-      option http-server-close
-      option httplog
-      option dontlognull
-      timeout client 10s
-      timeout connect 4s
-      timeout server 30s
-      timeout tunnel 3600s
-      errorfile 503 ${./errorfiles/503.html}
-    userlist LOUTRE
-      user paul password $6$YNjCpiPABu9$.iEp.3BgoswHcX3SMjz1/CiyqFQn/fjnxtT9CWBqQHBKynvK2kh/i62ije0WmCvhKRUhy9gdVbJStM3ciGXnC1
-    frontend http-in
-      bind :::80 v4v6
-      acl letsencrypt-acl path_beg /.well-known/acme-challenge/
-      use_backend letsencrypt-backend if letsencrypt-acl
-      redirect scheme https code 301 if !letsencrypt-acl
-    frontend public
-      bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem alpn h2,http/1.1
-      http-response set-header Strict-Transport-Security max-age=15768000
-      http-request add-header X-Forwarded-Proto https
-      acl haproxy-acl path_beg /haproxy
-      use_backend haproxy_stats if haproxy-acl
-    ${concatStrings (
-      mapAttrsToList (name: value:
-        "  acl ${name}-acl hdr(host) -i ${name}\n"
-      + "  use_backend ${name}-backend if ${name}-acl\n"
-      ) cfg.services)}
-    backend letsencrypt-backend
-      mode http
-      server letsencrypt 127.0.0.1:${toString nginx_port}
-    backend haproxy_stats
-      mode http
-      stats enable
-      stats hide-version
-      acl AuthOK_LOUTRE http_auth(LOUTRE)
-      http-request auth realm LOUTRE if !AuthOK_LOUTRE
-    ${concatStrings (
-      mapAttrsToList (name: value:
-        ''
-        backend ${name}-backend
-          mode http
-          ${value.extraBackend}
-          ${(
-            if value.socket == "" then
-              ''
-                server ${name} ${value.ip}:${toString value.port}
-              ''
-            else
-              ''
-                server ${name} ${value.socket}
-              ''
-          )}
-          ${(if value.auth then (
-          value.extraAcls
-          + ''
-              acl AUTH_OK http_auth(LOUTRE)
-              http-request auth realm LOUTRE if ${value.aclBool}
-            ''
-          ) else "")}
-        ''
-      ) cfg.services)}
-  '';
-in
-{
-  options.services.haproxy-acme = {
-    enable = mkEnableOption "HAproxy + ACME";
-
-    domaine = mkOption {
-      type = types.str;
-      example = "example.com";
-      description = ''
-        Sous domaine à utiliser
-
-        Il est necessaire d'avoir un enregistrement pointant sur la wildcard de ce domaine vers le serveur
-      '';
-    };
-
-    services = mkOption {
-      type = with types; attrsOf (submodule { options = {
-        ip = mkOption { type = str; description = "IP address"; };
-        port = mkOption { type = int; description = "Port number"; };
-        socket = mkOption { type = str; description = "Emplacement du socket"; default = ""; };
-        auth = mkOption { type = bool; description = "Enable authentification"; default = false; };
-        extraBackend = mkOption { type = str; description = "Options backend HaProxy suplémentaires"; default = ""; };
-        extraAcls = mkOption { type = str; description = "ACL HaProxy suplémentaires"; default = ""; };
-        aclBool = mkOption { type = str; description = "Logique d'authentification"; default = "!AUTH_OK"; };
-      }; });
-      example = ''
-        haproxy_backends = {
-          example = { ip = "127.0.0.1"; port = 1234; auth = false; };
-        };
-      '';
-      description = "Liste des noms de domaines associés à leur backend";
-    };
-  };
-
-  config = mkIf cfg.enable {
-
-    services.haproxy.enable = true;
-
-    services.haproxy.config = haproxyConf;
-
-    services.nginx.enable = true;
-    services.nginx.virtualHosts = {
-      "acme" = {
-        listen = [ { addr = "127.0.0.1"; port = nginx_port; } ];
-        locations = { "/" = { root = "/var/www/challenges"; }; };
-      };
-    };
-
-    security.acme.acceptTerms = true;
-    security.acme.certs = {
-      ${cfg.domaine} = {
-        extraDomains = mapAttrs' (name: value:
-          nameValuePair ("${name}") (null)
-        ) cfg.services;
-        webroot = "/var/www/challenges";
-        email = "paul@nyanlout.re";
-        allowKeysForGroup = true;
-        group = "acme";
-        postRun = ''
-          systemctl reload haproxy.service
-          nixos-container run vsftpd -- systemctl restart vsftpd
-        '';
-      };
-    };
-
-    users.groups.acme.members = [ "haproxy" ];
-
-    networking.firewall.allowedTCPPorts = [
-      80 443
-    ];
-
-  };
-}

services/site-max.nix

@@ -1,42 +0,0 @@
-{ lib, config, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.site-max;
-in
-{
-  options.services.site-max = {
-    enable = mkEnableOption "Site Max Spiegel";
-
-    port = mkOption {
-      type = types.int;
-      example = 54321;
-      description = "Local listening port";
-    };
-
-    domaine = mkOption {
-      type = types.str;
-      example = "example.com";
-      description = "Domaine à utiliser";
-    };
-  };
-
-  config = mkIf cfg.enable {
-
-    services.haproxy-acme.services = {
-      ${cfg.domaine} = { ip = "127.0.0.1"; port = cfg.port; auth = false; };
-    };
-
-    services.nginx = {
-      virtualHosts = {
-        "max" = {
-          listen = [ { addr = "127.0.0.1"; port = cfg.port; } ];
-          locations."/" = {
-            root = "/run/python-ci/nyanloutre/site-max";
-          };
-        };
-      };
-    };
-  };
-}